Deploying Enterprise SIP Trunks With CUBE, CUCM - Cisco Live PDF
LTRCOL-2310
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• SIP Trunking and CUBE Overview
• SIP Trunking Design & Deployment Models
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE
• CUBE Management & Troubleshooting
• Futures & Key Takeaways
CUBE Overview
SIP Trunking Overcomes TDM Barriers
• Improves Efficiency of interconnection between networks
• Simplifies PSTN interconnection with IP end-to-end
• Enables rich media services to employees, customers, partners
• Carries converged voice, video and data traffic
[Figure: TDM trunking between Enterprise 1 and Enterprise 2 through the service provider, compared with SIP trunking between the same enterprises, each with a CUBE at its edge, over the SP IP network and carrying rich media]
Why does an enterprise need an SBC?
[Figure: Enterprise 1 and Enterprise 2, each with a CUBE at its edge, exchanging rich media (real-time voice, video, screen share, etc.) over SIP across IP networks]
• Session control
• Security
• Interworking
• Demarcation
Cisco Unified Border Element – Router Integration
An Integrated Network Infrastructure Service
[Figure: services integrated on one router]
• Cisco Unified Border Element: address hiding, H.323 and SIP interworking, DTMF interworking, SIP security, transcoding, voice policy (Note: An SBC appliance would have only these features)
• Other services shown on the same router: TDM gateway, PSTN backup, SRST, WAN & LAN physical interfaces, IP routing & MPLS, Unified CM conferencing and transcoding, FW, IPS, QoS, VXML
• CUBE and SRST collocated: SCCP SRST on ISR G2 w/CUBE is supported; SIP SRST on ISR G2 w/CUBE is not supported; any SRST on ISR 4K with CUBE collocated is not supported
Note: Some features/components may require additional licensing
Primary CUBE Differentiators
• SBC integrated in the Router
• Leverages installed base and knowledge base
• Enables Flexible Deployment Models – Centralized or Distributed
• Broadest Scale of price performance
• Enables Flexible Deployment Models – Centralized or Distributed
• Allows optimal platform sizing for different size customers
• Integrated SBC and TDM Gateway
• Simplifies transition strategy from TDM to IP PSTN
• Voice Policy
• TDoS (telephony denial of service) is a major security issue.
• White List / Black List is static and inadequate
• Integration with CTG Solutions
• CUCM recording solutions
• CVP call center solutions
• Expressway integration based on Use Cases
CUBE (Enterprise) Product Portfolio
[Figure: platforms plotted by calls per second (CPS). Platforms shown: 800 ISR; 2900 Series ISR-G2 (2901, 2911, 2921, 2951); ISR 4351; 3900E Series ISR-G2 (3925E, 3945E); ISR 4431; ISR 4451-X; vCUBE on CSR (performance dependent on vCPU and memory); ASR 1001-X; ASR 1002-X; ASR 1004/6 RP2. CPS labels on the axis: <5, 8-12, 17, 20-35, 50-100, 50-150]
Note: SM-X-PVDM module supported on XE3.16 or later for ISR 4K platforms
Introducing IOS-XE Release 16
• New OS from the platform team with the intent of consolidating the OSes on different product portfolios
• UX will be the same as IOS-XE, no difference to end user
• IOS-XE Release 16.3.1 support for UC (CUBE, CME, SRST)
  • Impacts XE based (ASR1K, ISR4K, and vCUBE) platforms
  • There will be no CUBE 11.5.1 for the XE based platforms [ASR1K, ISR4K, vCUBE]. CUBE 11.5.2 (July 2016 release) will have newer and March 2016 features for the XE based platforms introduced in IOS-XE release 16.3.1
  • IOS-XE 16 requires a minimum of ASR1001-X, 1002-X, 1004/1006 RP2, ESP20 (Embedded Service Processor), SIP40 (SPA Interface Processor)
  • It will include all features up to and including IOS-XE 3.17 as well
• Due to new hardware requirements, customers will have the following migration options as IOS-XE 3.17 rebuilds will stop by June 2017
  • Replace unsupported ASR1K hardware and upgrade to IOS-XE 16.3.1 or later and continue to enjoy new feature set/support for any issues
  • Drop using new feature set and move back to IOS-XE 3.16 long maintenance release for longer support
CUBE Software Release Mapping
ISR G2 CUBE Vers. | ISR G2 2900/3900 | ISR G2 FCS | ASR 1K / ISR-4K / vCUBE (CSR) CUBE Vers. | IOS XE Release | FCS
11.1.0 | 15.5(3)M | July 2015 | 11.1.0 | 3.16 15.5(3)S | July 2015
11.5.0 | 15.6(1)T | Nov 2015 | 11.5.0 | 3.17 15.6(1)S | Nov 2015
CUBE Software Release Mapping – Earlier Releases
ISR G2 CUBE Vers. | ISR G2 2900/3900 | ISR G2 FCS | ASR Parity with ISR | CUBE Ent ASR 1K Series CUBE Vers. | IOS XE Release | FCS
8.5 | 15.1(2)T | July 2010 | <50% | 1.4 | 3.2 15.1(1)S | Nov 2010
8.6 | 15.1(3)T | Nov 2010 | <50% | 1.4.1 | 3.3 15.1(2)S | March 2011
8.7 | 15.1(4)M | April 2011 | ~50% | 1.4.2 | 3.4 15.1(3)S | July 2011
8.8 | 15.2(1)T | July 2011 | ~70% | 1.4.3 | 3.5 15.2(1)S | Nov 2011
8.9 | 15.2(2)T | Nov 2011 | >80% | 1.4.4 | 3.6 15.2(2)S | Mar 2012
9.0 | 15.2(3)T/15.2(4)M | Mar 2012 | >85% | 9.0 | 3.7 15.2(4)S | July 2012
9.0.1 | 15.3(1)T | Oct 2012 | >95% | 9.0.1 | 3.8 15.3(1)S | Oct 2012
9.0.2 | 15.3(2)T | Mar 2013 | >95% | 9.0.2 | 3.9 15.3(2)S | Mar 2013
9.5.1 | 15.3(3)M1 | Oct 2013 | >95% | 9.5.1 | 3.10.1 15.3(3)S1 | Oct 2013
10.0.0 | 15.4(1)T | Nov 2013 | >95% | 10.0.0 | 3.11 15.4(1)S | Nov 2013
10.0.1 | 15.4(2)T | Mar 2014 | >95% | 10.0.1 | 3.12 15.4(2)S | Mar 2014
CUBE Software Release Mapping – Earlier Releases
ISR G2 CUBE Vers. | ISR G2 2900/3900 | ISR G2 FCS | ASR Parity with ISR | CUBE Ent ASR 1K / ISR-4K Series CUBE Vers. | IOS XE Release | FCS
10.0.2 | 15.4(3)M | July 2014 | >95% | 10.0.2 | 3.13 15.4(3)S | July 2014
10.5.0 | 15.5(1)T | Nov 2014 | >95% | 10.5.0 | 3.14 15.5(1)S | Nov 2014
11.0.0 | 15.5(2)T | Mar 2015 | >95% | 11.0.0 | 3.15 15.5(2)S | Mar 2015
CUBE Interoperability
• Validated with Service Providers World-Wide
• Independently Tested with 3rd-Party PBXs in tekVizion Labs
• Standards based
Cisco Unified Border Element
Leverage all the advantages Cisco can offer
CUBE Licensing
CUBE ISR (G2/4K), ASR and CSR Licensing
Platform | Single-Use Licenses | Redundancy Licenses (1 SKU for Active/Standby Pair)
ISR G2 (2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E) | FL-CUBEE-5, FL-CUBEE-25, FL-CUBEE-100 | FL-CUBEE-5-RED, FL-CUBEE-25-RED, FL-CUBEE-100-RED
ISR-4K (4321, 4331, 4351, 4431, 4451) | FL-CUBEE-5, FL-CUBEE-25, FL-CUBEE-100 | FL-CUBEE-5-RED, FL-CUBEE-25-RED, FL-CUBEE-100-RED
Cisco ASR1001-X, 1002-X, 1004 RP2, 1006 RP2 | FLASR1-CUBEE-100P, FLASR1-CUBEE-4KP, FLASR1-CUBEE-16KP | FLASR1-CUBEE-100R, FLASR1-CUBEE-4K-R, FLASR1-CUBEE-16KR
http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/order_guide_c07_462222.html
CUBE Licensing FAQs
• What is a CUBE license?
CUBE is part of the UCK9 package on Cisco Routing platforms and is a Right-to-Use (RTU) license. There is no licensing file to install to use the CUBE feature set. It is a paper/trust-based license on top of the Unified Communications (UCK9) feature set that is enabled as discussed below.
• How to enable the UCK9 (SRST, CME, CUBE, GW, etc.) feature set of which CUBE is a part?
General information on IOS Software Activation (licensing) can be found here.
1. For ISR G2s/4K series, install the UCK9 package license to access all the voice features including CUBE. For SIP TLS/SRTP, SEC-K9 license is also required.
2. For ASR1K series, Advanced IP Services or Advanced Enterprise Services package/image needs to be installed for CUBE
3. For vCUBE (CUBE on CSR 1000v), APPX (no TLS/SRTP) or AX (ALL vCUBE features) package license needs to be installed to access the CUBE feature set and upgrade from the default throughput of 100 kbps
4. For 8XX series, Advanced IP services or higher is needed to access the NanoCUBE feature set
5. Once the platform is ready, CUBE license needs to be purchased to start using the feature set
6. The RED SKUs require a separate SMARTNET and do not need any additional Single-Use case SKUs
CUBE Licensing FAQs – Cont’d
• What constitutes a session?
A session is a single audio or a video call across the CUBE, regardless of call legs. Some vendors consider one call as two sessions.
Customer Deployment Scenario 1
Customer Deployment Scenario 2
Geographic Redundancy - Two active CUBEs, NO call preservation on failure of box BUT load balancing
• Expecting 100 sessions across each Location, and in case of one Location failing, expecting newer 100 calls to failover to the other Location
• Licensing requirement: Two FL-CUBEE-100-RED
• No additional Single-Use SKUs are required
• If a box fails in this scenario, the calls on it are lost. The load balancing algorithm ensures the next call is sent to the non-failed site
Customer Deployment Scenario 3
Customer Deployment Scenario 4
Box-to-Box and Redundancy (call preservation on failure within location) and load balancing/redundancy across locations
Expecting 100 sessions per Location
• Licensing requirement: Two FL-CUBEE-100-RED, one per Active/Standby pair. In total you will have 200-RED only and no additional Single-use case SKUs are required.
Scenarios Covered
• If R1 or R3 went down, R2 or R4 respectively will take over
• If Location 1 (both R1 and R2) becomes unavailable, RED license allows newer calls to flow to Location 2. RED license allows transfer not only within one redundant pair from Active to Standby, allowing call preservation, but also from one pair to the other, that is from one Data Center to the other for new calls. In that case, Location 2 will handle 200 sessions. This is called Dual Redundancy
[Figure: two locations, each an Active/Standby pair with stateful call preservation; geographic redundancy between the locations for newer calls]
Customer Deployment Scenario 5
In-box Hardware and Software Redundancy
• Licensing requirement: RED license is not required here, regular Single-Use CUBE license covers all In-box Redundancies
SIP Trunking Design and Deployment Models
Cisco Session Management & CUBE
Essential Elements for Collaboration
• Security
• Cisco SME centralizes network control
• Centralizes dial plan
• Centralized applications
• Aggregates PBXs
[Figure: Cisco Session Management connecting IM, Presence, Voicemail, Video, 3rd Party IP PBX and TDM PBX]
CUBE/vCUBE Deployment Scenarios
[Figure: deployment scenarios for CUBE as SBC: SIP trunks for PSTN access; TDM (not available in vCUBE); SIP and H.323 trunks to SP VoIP services; Partner API and MediaSense for a network-based media recording solution; extending to video and high availability for audio calls, with Active and Standby CUBE carrying SIP and RTP to the SP IP network]
NanoCUBE Deployment Scenarios
[Figure: NanoCUBE on 8xx as CPE/IAD connected over SIP to service provider call control; three scenarios shown for small business and small enterprise sites: Hosted Service, SIP Trunking, and PRI to SIP]
The Centralized Model
Characteristics of Centralized
• Central Site is the only location with SIP session connectivity to IP PSTN
• Voice services delivered to Branch Offices over the Enterprise IP WAN (usually MPLS)
• Media traffic hairpins through central site between SP and branches
Operational Benefits
• Centralizes Physical Operations
• Centralizes Dial-Peer Management
• Centralizes SIP Trunk Capacity
Challenges
• Increased campus bandwidth, CAC, latency; media optimization
• HA in campus
• Survivability at branch (PSTN connection at the branch)
• Emergency services
• Legal/Regulatory
[Figure: Centralized model: one CUBE between the Enterprise IP WAN and the IP PSTN; Site-SP media]
The Distributed Model
Characteristics of Distributed
• Each site has direct connection for SIP sessions to SP
• Takes advantage of SP session pooling, if offered by SP
• Media traffic goes direct from each branch site to the SP
Operational Benefits
• Leverages existing branch routers
• No media hair-pinning thru any site
• Lower latency on voice or video
• Built-in Redundancy strategy
• Quickest transition from existing TDM
Challenges
• Distributed dial-peer management
• Distributed operational overhead
• IP addressing to Service Provider from branch
[Figure: Distributed model: CUBE at each site between the Enterprise IP WAN and the IP PSTN]
And the Hybrid Model
Characteristics of Hybrid
• Connection to SP SIP service is determined on a site by site basis to be either direct or routed through a regional site.
• Decision to route call direct or indirect based on various criteria
• Media traffic goes direct from site to SP or hairpins through another site, depending on branch configuration.
Benefits
• Adaptable to site specific requirements
• Optimizes BW use on Enterprise WAN
• Adaptable to regional SP issues
• Built-in redundancy strategy
[Figure: Hybrid model: CUBEs at selected sites between the Enterprise IP WAN and the IP PSTN]
WEBEX CCA Solution using CUBE Enterprise
Requirements
• Replacement for TDM audio connection to WEBEX with VOIP using SIP signaling.
• High capacity SIP media connectivity for WEBEX cloud, including telepresence integration.
How
• CUBE reduces SIP protocol “chatter” between CUCM and WEBEX cloud thru normalization.
• CUBE allows SIP sessions from ALL enterprise sites to WEBEX to avoid “hairpin” media flows.
• CUBE support on ASR provides high performance for signaling and media transport of WEBEX.
Benefit
• Best possible WEB conference experience for Enterprise users, with most efficient network usage.
Future Capabilities
• Integration with WEBEX One Touch for improved telepresence session set up (i.e. one touch)
[Figure: WEBEX Quad reached through CUBEs at Headquarters and at three Branch Offices over the Enterprise IP WAN (MPLS)]
In-Depth Explanation of SIP Deployment Models
New White Paper will be posted by the end of January at the following URL:
www.cisco.com/go/cube
CUBE Call Flow
CUBE Call Processing
• CUBE is actively involved in the call treatment, signaling and media streams
• SIP B2B User Agent
• Media Flow-Through
• Media Flow-Around: only signaling is terminated by CUBE; media bypasses the Cisco Unified Border Element
• Digital Signal Processors (DSPs) are only required for transcoding (calls with dissimilar codecs)
Cisco Unified Border Element Basic Call Flow
voice service voip
 mode border-element
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
[Figure: Originating Endpoint 1000 (1.1.1.1) sends an incoming VoIP call to CUBE (10.10.10.10 on the incoming side, 20.20.20.20 on the outgoing side), which places the outgoing VoIP call to Terminating Endpoint 2000 (2.2.2.2); RTP (audio) flows on both legs, and each leg ends with BYE / 200 OK]
Basic Show Commands for Active Calls
CUBE# show call active voice brief
121A : 17 13:02:24.215 IST Mon Jun 27 2011.1 +2040 pid:1 Answer 1000 active
dur 00:00:14 tx:0/0 rx:0/0
IP 1.1.1.1:6000 SRTP: off rtt:0ms pl:0/0ms lost:0/0/0 delay:0/0/0ms g711ulaw TextRelay: off
media inactive detected:n media contrl rcvd:n/a timestamp:n/a
long duration call detected:n long duration call duration:n/a timestamp:n/a VRF:VRF1
121A : 18 13:02:24.225 IST Mon Jun 27 2011.1 +2020 pid:2 Originate 2000 active
dur 00:00:14 tx:0/0 rx:0/0
IP 2.2.2.2:6001 SRTP: off rtt:0ms pl:0/0ms lost:0/0/0 delay:0/0/0ms g711ulaw TextRelay: off
media inactive detected:n media contrl rcvd:n/a timestamp:n/a
long duration call detected:n long duration call duration:n/a timestamp:n/a VRF:VRF2
Telephony call-legs: 0
SIP call-legs: 2
H323 call-legs: 0
Call agent controlled call-legs: 0
SCCP call-legs: 0
Multicast call-legs: 0
Total call-legs: 2
CUBE Architecture: ISR G2 vs ASR1K vs ISR 4K vs vCUBE (CUBE on CSR)
ASR/ISR-4K & ISR-G2 Architecture Comparison
[Figure: ASR/ISR-4K (IOS-XE) architecture with the RP control plane (IOS-XE, signaling) separated from the data plane (media) by the kernel and a message interface, beside the ISR G2 architecture with IOS control plane, signaling and I/O on one CPU]
ISR: Pkt fwd’ing and signaling are handled by the same CPU
Introducing vCUBE (CUBE on CSR 1000v)
Architecture
• CSR (Cloud Services Router) 1000v runs on a Hypervisor – IOS XE without the router
[Figure: ESXi container providing Virtual CPU, Memory, Flash / Disk, Console, Mgmt ENET and Ethernet NICs]
vCUBE Considerations
• Explicit subscription of CPU and memory reservation is required, which the OVA for CSR1000V provides
• Disable Hyperthreading
• “vCUBE media performance depends on the underlying VM platform consistently providing packet switching latency of less than 5ms. Given the platform resource requirements and latency requirements are met, latency and jitter values observed on a vCUBE would be the same as the values obtained on a CUBE running on a hardware platform, with a recommended hardware configuration and identical software configuration, under the same network conditions.”
• 2 network interfaces required at the very minimum
• Specs based hardware supported but performance benchmarked for Cisco UCS B and C series only
ASR, CSR & ISR-G2/4K Feature Comparison
General Platform Features | ASR1K | ISR-G2 | 4300/4400 (XE3.13.1) | vCUBE (XE3.15+)
High Availability Implementation | Redundancy-Group Infrastructure | HSRP Based | Redundancy-Group Infrastructure | Redundancy-Group Infrastructure
TDM Trunk Failover/Co-existence | Not Available | Exists | Exists | Not Available
Media Forking | XE3.8 | 15.2.1T | XE3.10 | Exists
Software MTP registered to CUCM (Including HA Support) | XE3.6 | Exists | Exists | Exists
DSP Card | SPA-DSP | PVDM3 | PVDM4/SM-X-PVDM | Not Available
Transcoder registered to CUCM | Not Available | Exists via SCCP | Exists via SCCP (XE3.11) | Not Available
Transcoder Implementation | Local Transcoder Interface (LTI) | SCCP or LTI (starting IOS 15.2.3T) | SCCP and LTI | SCCP based on a separate platform, CUCM controlled
Embedded Packet Capture | Exists | Exists | Exists | Exists
Web-based UC API | XE3.8 | 15.2.2T | Exists | Exists
Noise Reduction & ASP | Exists | 15.2.3T | Exists | Not Available
Call Progress Analysis | XE3.9 | 15.3.2T | Exists | Not Available
Standalone CME/SRST feature set, not collocated with CUBE | Not Available | Exists | XE3.11 | Not Available
SRTP-RTP Call flows | Exists (NO DSPs needed) | Exists (DSPs required) | Exists (NO DSPs needed) | Exists (No DSPs needed)
vCUBE Installation using OVA
vCUBE – CSR1000v Installation with OVA
• Download CSR1000v OVA from cisco.com
• Download XE3.15 or later image
• Deploy OVA
• Choose form factor
• Assign LAN, WAN, and VM Network
• Edit Settings to add Serial Port
• Serial Port – Connect via Network
• Serial Port – Define URL
• Serial Port – Verify Settings
• Power On VM (the install process takes some time)
vCUBE – Initial Configuration
• Assign IP to VM Network Interface (Gig3), enable console access with the “platform console serial” CLI, and set the enable password
• Telnet into Router
• Copy License File to Flash:
• Install License File
• Verify New Throughput Level and boot CSR to the correct package
• Voice CLI is now accessible
Transitioning to Centralized SIP Trunking...
Re-purpose your existing Cisco voice gateways as Session Border Controllers
[Figure: BEFORE (SIP/H323/MGCP) and AFTER (SIP trunks with a Standby CUBE) views of the enterprise, with media paths, and branch offices running SRST, CME and TDM PBX]
Steps to transitioning...
• Step 1 – Configure IP PBX to route all calls (HQ and branch offices) to the edge SBC
• Step 2 – Get SIP Trunk details from the provider
• Step 3 – Enable CUBE application on Cisco routers
[Figure: enterprise campus (MPLS) with Active and Standby CUBE (CUBE with High Availability) connected by a SIP trunk to the IP PSTN; enterprise branch offices with SRST, CME and TDM PBX; PSTN is now used only for emergency calls over FXO lines]

• Configure CUCM to route all PSTN calls (central and branch) to CUBE via a SIP trunk
• Make sure all different patterns of calls – local, long distance, international, emergency, informational etc. – are pointing to CUBE
Step 2: Get details from SIP Trunk provider
Item | SIP Trunk service provider requirement | Sample Response
1 | SIP Trunk IP Address (Destination IP Address for INVITES) | 66.77.37.2 or DNS
2 | SIP Trunk Port number (Destination port number for INVITES) | 5060
3 | SIP Trunk Transport Layer (UDP or TCP) | UDP
4 | Codecs supported | G711, G729
5 | Fax protocol support | T.38
6 | DTMF signaling mechanism | RFC2833
7 | Does the provider require SDP information in initial INVITE (Early offer required) | Yes
8 | SBC’s external IP address that is required for the SP to accept/authenticate calls (Source IP Address for INVITES) | 128.107.214.195
9 | Does SP require SIP Trunk registration for each DID? If yes, what is the username & password | No
10 | Does SP require Digest Authentication? If yes, what is the username & password | No
Step 3: Enable CUBE Application on Cisco routers
1. Enable CUBE Application
voice service voip
 ! License count entered here is not enforced, though this CLI is required to see “show cube” CLI output
 mode border-element license capacity 20
 ! By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP
 allow-connections sip to sip
[Figure: Active CUBE between the enterprise campus (MPLS) and the IP PSTN, with LAN Dial-Peers on the enterprise side and WAN Dial-Peers on the IP PSTN side; branch offices with SRST, CME and TDM PBX; PSTN is now used only for emergency calls over FXO lines]
• Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses
• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving calls to & from the PBX. Always bind LAN interface(s) on CUBE to LAN dial-peers
• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending & receiving calls to & from the ITSP. Always bind CUBE’s WAN interface(s) to WAN dial-peer(s), ensuring SIP/RTP is sourced from the correct WAN interface(s)
WAN Dial-Peer Configuration
Inbound Dial-Peer for call legs from SP to CUBE
dial-peer voice 200 voip
 description *** Inbound WAN side dial-peer ***
 ! Specific to your DID range assigned by the SP
 incoming called-number 702475....$
 session protocol sipv2
 ! Apply bind to all dial-peers when CUBE has multiple interfaces. Gig0/1 faces SP.
 voice-class sip bind control source gig0/1
 voice-class sip bind media source gig0/1
 codec g711ulaw
 dtmf-relay rtp-nte
 no vad
Outbound Dial-Peer for call legs from CUBE to SP
dial-peer voice 201 voip
 description *** Outbound WAN side dial-peer ***
 ! Translation rule/profile to strip the access code (9) before delivering the call to the SP
 translation-profile outgoing Digitstrip
 ! Dial-peer for making long distance calls to SP, based on NANP (North American Numbering Plan)
 destination-pattern 91[2-9]..[2-9]......$
 session protocol sipv2
 voice-class sip bind control source gig0/1
 voice-class sip bind media source gig0/1
 session target ipv4:<SIP_Trunk_IP_Address>
 codec g711ulaw
 dtmf-relay rtp-nte
 no vad
Note: Separate outgoing DP to be created for Local, International, Emergency, Informational calls etc.
LAN Dial-Peer Configuration
Inbound Dial-Peer for call legs from CUCM to CUBE
dial-peer voice 100 voip
 description *** Inbound LAN side dial-peer ***
 ! CUCM sending 9 (access code) + All digits dialed
 incoming called-number 9T
 session protocol sipv2
 ! Apply bind to all dial-peers when CUBE has multiple interfaces. Gig0/0 faces CUCM.
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
 codec g711ulaw
 dtmf-relay rtp-nte
 no vad
Outbound Dial-Peer for call legs from CUBE to CUCM
dial-peer voice 101 voip
 description *** Outbound LAN side dial-peer ***
 ! SP will be sending 10 digits (NANP) based on your DID that is being delivered to CUCM
 destination-pattern 702475....$
 session protocol sipv2
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
 session target ipv4:<CUCM_IP_Address>
 ! Default codec is G729 if none is specified
 codec g711ulaw
 dtmf-relay rtp-nte
 no vad
Note: If more than 1 CUCM cluster exists, you will have to create multiple such LAN dial-peers with “preference CLI” for CUCM redundancy/load balancing as the traditional way to accommodate multiple trunks
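The slides say to bind every LAN and WAN dial-peer so that SIP and RTP are sourced from the intended interface. The following check is an added example, not part of the original deck or of any Cisco tool: it parses a saved configuration and reports VoIP dial-peers that miss a control or media bind or that are bound to the wrong side. The `EXPECTED` mapping and dial-peers 300 and 301 are assumptions constructed for the illustration.

```python
import re

# Constructed sample. Dial-peers 200/201/100/101 follow the slides above;
# 300 and 301 are made up here to show the two failure cases.
SAMPLE_CONFIG = """\
dial-peer voice 200 voip
 incoming called-number 702475....$
 voice-class sip bind control source gig0/1
 voice-class sip bind media source gig0/1
!
dial-peer voice 201 voip
 destination-pattern 91[2-9]..[2-9]......$
 voice-class sip bind control source gig0/1
 voice-class sip bind media source gig0/1
!
dial-peer voice 100 voip
 incoming called-number 9T
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
!
dial-peer voice 101 voip
 destination-pattern 702475....$
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
!
dial-peer voice 300 voip
 destination-pattern 9011T
 voice-class sip bind control source gig0/1
!
dial-peer voice 301 voip
 destination-pattern 9[2-9]......$
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
"""

# Assumption: the operator states which interface each dial-peer should use
# (Gig0/1 faces the SP, Gig0/0 faces CUCM, as on the slides).
EXPECTED = {200: "gig0/1", 201: "gig0/1", 300: "gig0/1", 301: "gig0/1",
            100: "gig0/0", 101: "gig0/0"}

DIAL_PEER = re.compile(r"dial-peer voice (\d+) voip\b")
# Accepts the abbreviated "source" used on the slides and "source-interface".
BIND = re.compile(r"\s+voice-class sip bind (control|media) source\S*\s+(\S+)")


def parse_dial_peers(config):
    """Return {tag: {"control": iface, "media": iface}} for VoIP dial-peers."""
    peers, current = {}, None
    for line in config.splitlines():
        start = DIAL_PEER.match(line)
        if start:
            current = peers.setdefault(int(start.group(1)), {})
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the stanza
            continue
        bind = BIND.match(line)
        if bind and current is not None:
            current[bind.group(1)] = bind.group(2).lower()
    return peers


def audit_binds(config, expected):
    """List (tag, problem) pairs for missing, split or misplaced binds."""
    findings = []
    for tag, binds in sorted(parse_dial_peers(config).items()):
        for kind in ("control", "media"):
            if kind not in binds:
                findings.append((tag, f"no bind {kind}"))
        used = sorted(set(binds.values()))
        if len(used) > 1:
            findings.append((tag, "control and media bound to different interfaces"))
        want = expected.get(tag)
        if want and any(iface != want.lower() for iface in used):
            findings.append((tag, f"bound to {', '.join(used)}, expected {want}"))
    return findings


if __name__ == "__main__":
    for tag, problem in audit_binds(SAMPLE_CONFIG, EXPECTED):
        print(f"dial-peer {tag}: {problem}")
```
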
SIP Normalization
SIP profiles is a mechanism to normalize or customize SIP at the network border to provide interop between incompatible devices
SIP incompatibilities arise due to:
• A device rejecting an unknown header (value or parameter) instead of ignoring it
• A device expecting an optional header value/parameter or can be implemented in multiple ways
• A device sending a value/parameter that must be changed or suppressed (“normalized”) before it leaves/enters the enterprise to comply with policies
• Variations in the SIP standards of how to achieve certain functions

Add user=phone for INVITEs
Incoming to CUBE: INVITE sip:5551000@sip.com:5060 SIP/2.0
Outgoing from CUBE: INVITE sip:5551000@sip.com:5060 user=phone SIP/2.0
voice class sip-profiles 100
 request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
 request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Modify a “sip:” URI to a “tel:” URI in INVITEs
Incoming to CUBE: INVITE sip:2222000020@9.13.24.6:5060 SIP/2.0
Outgoing from CUBE: INVITE tel:2222000020 SIP/2.0

SIP INVITE that CUBE sends
Sent:
INVITE sip:2000@9.44.44.4:5060 SIP/2.0
………
Diversion: <sip:3000@9.44.44.4>;privacy=off;reason=unconditional;screen=yes
……...
m=audio 6001 RTP/AVP 0 8 18 101
a=rtpmap:0 PCMU/8000

SIP INVITE that Service Provider expects
Sent:
INVITE sip:2000@9.44.44.4:5060 SIP/2.0
……….
Diversion: <sip:4085266855@9.44.44.4>;privacy=off;reason=unconditional;screen=yes
……….
m=audio 32278 RTP/AVP 18 8 101
a=rtpmap:0 PCMU/8000
2. Deletion
To delete a rule, the user has to give the complete no form of that rule.
If there are duplicate rules, the 1st one is always deleted.
3. Modification
There is no direct way to modify an existing rule. The user has to delete and reconfigure the profile.
4. Duplication
If the same profile/rules are applied more than once, then the rules are duplicated
SIP Profile Tagging Enhancement
New rule tagging mechanism is being introduced
1. Insertion:
New rules can be inserted at any position, i.e. at the beginning, at the end or in between existing rules, by specifying the rule tag number.
2. Deletion:
Rules can be deleted by giving the no form of the rule with just the tag number.
3. Modification:
Any of the existing rules can be modified by specifying the rule tag number.
4. Duplication:
When a rule with an existing tag number is applied again, the rule will be overwritten, without creating any duplicate rules.
SIP Profile Tagging Enhancement – Cont’d
A mechanism to automatically upgrade the legacy SIP Profile configurations to the new rule format has been provided. The following exec CLI upgrades an existing implementation:
  voice sip sip-profiles upgrade
A mechanism to automatically downgrade the SIP Profile configurations with rule tags to the non-rule format has been provided. The following exec CLI is provided for this purpose:
  voice sip sip-profiles downgrade
Note: When SIP Profiles are configured in “rule <tag>” format and the IOS version is migrated to a version which does not have this capability, all the SIP Profile configurations will be lost. Hence, it is advisable to execute voice sip sip-profiles downgrade before IOS version migration.
SIP Profile Tagging – Configuration
• For tagging the rules, an additional option of “rule <tag>” has been provided
• The new keyword “rule”
• “tag” to be provided with rule keyword
  CUBE(config)#voice class sip-profiles 1
  CUBE(config-class)#?
  VOICECLASS configuration commands:
    exit      Exit from voice class configuration mode
    help      Description of the interactive help system
    no        Negate a command or set its defaults
    request   sip request
    response  sip response
    rule      Specify the rule
  CUBE(config-class)#rule ?
    <1-1073741823>  Specify the rule tag
    before          The rule to be inserted before
  CUBE(config-class)#rule 1 ?
    request   sip request
    response  sip response
SIP Profile Tagging – Configuration Cont’d
• For inserting a rule between two rules, the new “before” keyword has been provided
  CUBE(config)#voice class sip-profiles 1
  CUBE(config-class)#rule before ?
    <1-1073741823>  Specify the rule tag
  CUBE(config-class)#rule before 3 ?
    request   sip request
    response  sip response
• If rule <tag> option is used to configure a SIP Profile rule, then this rule can be deleted by specifying just the tag number instead of specifying the entire rule configuration.
  CUBE(config)#voice class sip-profiles 1
  CUBE(config-class)#no rule before <tag>
Configuration Example
• For tagging the rules:
Configuration Example continued….
• Auto-Downgrade : Exec command - “voice sip sip-profiles downgrade”
• Suppose we have the following rules configured:
SIP Profile Support for Non-Standard Headers
Introducing support for adding/copying/removing/modifying non-standard SIP headers using SIP profiles
A new 'WORD' option has been added to the SIP Profiles CLI chain to allow the user to configure any non-standard SIP Header
  CUBE(config)#voice class sip-profiles 1
  CUBE(config-class)#request INVITE sip-header ?
    Accept-Contact    SIP header Accept-Contact
    …….
    Via               SIP header Via
    WORD              Any other SIP header name
    WWW-Authenticate  SIP header WWW-Authenticate
• The new “WORD” option for specifying unsupported headers
Transitioning to Distributed SIP Trunking Model
Re-purpose your existing Cisco voice gateways as CUBE at every branch
• SIP Trunks pointing to CUBE at each branch
• Call Routing change on CUCM
[Diagram: Enterprise Campus with CUBE with High Availability (Active/Standby), a CUBE at each branch, SIP/H323 trunks, media paths, and SIP SP-1]
CUBE Dial-Peers
Call Routing
Understanding Dial-Peer Matching Techniques:
LAN & WAN Dial-Peers
• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending
and receiving calls to & from the PBX. Should be bound to the LAN interface(s)
of CUBE to ensure SIP/RTP is sourced from the LAN IP(s) of the CUBE.
• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for
sending & receiving calls to & from the provider. Should be bound to WAN
interface(s) of CUBE.
[Diagram: CUCM, SIP Trunk, CUBE, ITSP SIP Trunk, IP PSTN. Outbound calls enter on the Inbound LAN Dial-Peer and leave on the Outbound WAN Dial-Peer. Inbound calls enter on the Inbound WAN Dial-Peer and leave on the Outbound LAN Dial-Peer.]
Understanding Inbound Dial-Peer Matching Techniques
Priority  Match criteria
0         Filter dial-peers based on incoming VRF if configured and then 1 to 3 below
1         Match Based on URI of an incoming INVITE message
            • Exact Pattern match
            • Host Name/IP Address
            • User portion of URI
            • Phone-number of tel-uri
2         Match based on Called Number
3         Match based on Calling number
4         Default Dial-Peer = 0

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
  ........
Understanding Inbound Dial-Peer Matching Techniques
  voice class uri 1001 sip
   host ipv4:10.1.1.1
  voice class uri 2001 sip
   host ipv4:10.2.1.1

Priority 1
  A  dial-peer voice 1 voip
      incoming uri via 1001
  B  dial-peer voice 2 voip
      incoming uri request 2001
  C  dial-peer voice 3 voip
      incoming uri to 2001
  D  dial-peer voice 4 voip
      incoming uri from 1001
Priority 2
     dial-peer voice 5 voip
      incoming called-number 654321
Priority 3
     dial-peer voice 6 voip
      answer-address 555
Priority 4
     dial-peer voice 7 voip
      destination-pattern 555

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
  ........
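The inbound priority ladder above, worked through against the slide's INVITE, as an added Python example (not Cisco's implementation and not part of the original deck). Assumptions: URI classes are compared on host only, digit patterns are exact-length with "." as a one-digit wildcard, rules A to D are evaluated in the order shown, and the second INVITE is a constructed sample.

```python
import re

# INVITE headers from the slide (SDP body omitted).
SLIDE_INVITE = """\
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
"""

# Constructed sample: same request URI, different sender (documentation address range).
OTHER_SOURCE_INVITE = """\
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed
From: <sip:7777@192.0.2.10:5060>;tag=2
To: <sip:654321@10.2.1.1:5060>
Call-ID: constructed@192.0.2.10
CSeq: 1 INVITE
"""

# "voice class uri <tag> sip" / "host ipv4:<addr>" from the slide.
URI_CLASSES = {1001: "10.1.1.1", 2001: "10.2.1.1"}

# (dial-peer tag, match command, argument) from the slide.
DIAL_PEERS = [
    (1, "incoming uri via", 1001),
    (2, "incoming uri request", 2001),
    (3, "incoming uri to", 2001),
    (4, "incoming uri from", 1001),
    (5, "incoming called-number", "654321"),
    (6, "answer-address", "555"),
    (7, "destination-pattern", "555"),
]

# Evaluation order: slide priorities 1 (A-D), 2, 3, 4.
ORDER = [
    "incoming uri via", "incoming uri request", "incoming uri to",
    "incoming uri from", "incoming called-number", "answer-address",
    "destination-pattern",
]

SIP_URI = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^:;>\s]+)")


def uri_parts(value):
    """Return (user, host) of the first sip: URI found in a header value."""
    m = SIP_URI.search(value)
    return (m.group(1), m.group(2)) if m else (None, None)


def call_fields(invite):
    """Extract the value each match command is compared against."""
    lines = invite.strip().splitlines()
    request_uri = lines[0].split()[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    # Via sent-by host: second token, before any parameters and the port.
    via_host = headers["via"].split()[1].split(";")[0].split(":")[0]
    called, request_host = uri_parts(request_uri)
    calling, from_host = uri_parts(headers["from"])
    return {
        "incoming uri via": via_host,
        "incoming uri request": request_host,
        "incoming uri to": uri_parts(headers["to"])[1],
        "incoming uri from": from_host,
        "called": called,
        "calling": calling,
    }


def digits_match(pattern, number):
    """Exact-length match; '.' is any one digit (simplified pattern syntax)."""
    regex = "".join(r"\d" if ch == "." else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, number or "") is not None


def select_inbound(invite, dial_peers=DIAL_PEERS, uri_classes=URI_CLASSES):
    """Return (tag, match command) of the first hit in ORDER, else (0, 'default')."""
    fields = call_fields(invite)
    for command in ORDER:
        for tag, peer_command, arg in dial_peers:
            if peer_command != command:
                continue
            if command.startswith("incoming uri"):
                host = uri_classes.get(arg)
                hit = host is not None and host == fields[command]
            elif command == "incoming called-number":
                hit = digits_match(arg, fields["called"])
            else:  # answer-address and destination-pattern use the calling number
                hit = digits_match(arg, fields["calling"])
            if hit:
                return tag, command
    return 0, "default"


def selection_ladder(invite, dial_peers=DIAL_PEERS):
    """Winners as each previous winner is removed in turn, ending at dial-peer 0."""
    remaining, winners = list(dial_peers), []
    while True:
        tag, _ = select_inbound(invite, remaining)
        winners.append(tag)
        if tag == 0:
            return winners
        remaining = [p for p in remaining if p[0] != tag]


if __name__ == "__main__":
    print(selection_ladder(SLIDE_INVITE))
    print(select_inbound(OTHER_SOURCE_INVITE))
```

For the constructed INVITE the winner is dial-peer 2: its request-URI and To hosts are the same as in the slide's message, so only the Via and From rules distinguish it by sender address. With only the sender-bound rules configured, the same message falls through to dial-peer 0.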
Understanding Outbound Dial-Peer Matching Techniques
Priority  Match criteria
0         Match Based on DPG, DPPP, COR/LPCOR if configured
1         Match Based on URI of incoming INVITE message & carrier-id target
            • Exact Pattern match
            • Host Name/IP Address
            • User portion of URI
            • Phone-number of tel-uri
2         Match based on Called Number & carrier-id target
3         Match based on URI of an incoming INVITE message
            • Exact Pattern match
            • Host Name/IP Address
            • User portion of URI
            • Phone-number of tel-uri
4         Match based on Called number

CSCua14749 – Carrier-id CLI not working on XE based platforms

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
  ........
Understanding Outbound Dial-Peer Matching Techniques
Priority 1
  voice class uri 2001 sip
   host ipv4:10.2.1.1
  dial-peer voice 1 voip
   destination uri 2001
   carrier-id target orange
Priority 2
  dial-peer voice 2 voip
   destination-pattern 654321
   carrier-id target orange
Priority 3
  voice class uri 2001 sip
   host ipv4:10.2.1.1
  dial-peer voice 3 voip
   destination uri 2001
Priority 4
  dial-peer voice 4 voip
   destination-pattern 654321

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
CUBE Advanced Call
Routing
Additional Headers for Outbound Dial-Peer Matching
• Match Based on URI of incoming INVITE message with or without carrier-id target
• Match based on CALLED Number with or without carrier-id target
• Match Based on TO Header of incoming INVITE
• Match Based on VIA Header of incoming INVITE
• Match based on DIVERSION Header of incoming INVITE
• Match based on REFERRED-BY Header of incoming INVITE
• Match based on CALLING Number

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
  ........
Introducing Outbound Dial-peer Provision Policy
• Flexibility to choose how outbound dial-peers are selected
• Dynamically set the priority based on Inbound dial-peers
• Additional Inbound Leg Headers for Outbound Dial-peer Matching: VIA, FROM, TO, DIVERSION, REFERRED-BY, Calling Number
Dial-peer Provision Policy Configuration
1. Define Voice Class Dial-peer Provision Policy
Dial-peer Provision Policy Configuration – Cont’d
Configuring a match command for an outbound dial-peer according to the provision policy rule attribute configured
Dial-peer Provision Policy Example – Match on FROM
  voice class uri 10 sip
   user-id 555
  voice class uri 20 sip
   host 10.2.1.1

  dial-peer voice 1000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 10"
   destination provision-policy 10
  dial-peer voice 2000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 20"
   destination provision-policy 20

  dial-peer voice 20201 voip
   description "Outbound dialpeer based on FROM"
   destination uri-from 10
  dial-peer voice 20202 voip
   description "Outbound dialpeer based on TO"
   destination uri-to 20
  dial-peer voice 10000 voip
   description "Outbound dialpeer based on FROM and TO"
   destination uri-from 10
   destination uri-to 20
Dial-peer Provision Policy Example – Match on TO
  voice class uri 10 sip
   user-id 555
  voice class uri 20 sip
   host 10.2.1.1

  dial-peer voice 1000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 10"
   destination provision-policy 10
  dial-peer voice 2000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 20"
   destination provision-policy 20

  dial-peer voice 20201 voip
   description "Outbound dialpeer based on FROM"
   destination uri-from 10
   shutdown
  dial-peer voice 20202 voip
   description "Outbound dialpeer based on TO"
   destination uri-to 20
  dial-peer voice 10000 voip
   description "Outbound dialpeer based on FROM and TO"
   destination uri-from 10
   destination uri-to 20
Dial-peer Provision Policy Example – Match on FROM & TO
  voice class uri 10 sip
   user-id 555
  voice class uri 20 sip
   host 10.2.1.1

  dial-peer voice 1000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 10"
   destination provision-policy 10
  dial-peer voice 2000 voip
   description "Inbound dialpeer. Choose outbound based on DPP 20"
   destination provision-policy 20

  dial-peer voice 20201 voip
   description "Outbound dialpeer based on FROM"
   destination uri-from 10
  dial-peer voice 20202 voip
   description "Outbound dialpeer based on TO"
   destination uri-to 20
  dial-peer voice 10000 voip
   description "Outbound dialpeer based on FROM and TO"
   destination uri-from 10
   destination uri-to 20
Destination Dial-peer Group
• Allows grouping of outbound dial-peers based on an incoming dial-peer, reducing
existing outbound dial-peer provisioning requirements
• Eliminates the need to configure extra outbound dial-peers that are sometimes
needed as workarounds to achieve desired call routing outcome
• Multiple outbound dial-peers are saved under a new “voice class dpg <tag>”. The
new “destination dpg <tag>” command line of an inbound voip dial-peer
can be used to reference the new dpg (dial-peer group)
• Once an incoming voip call is handled by an inbound voip dial-peer with an
active dpg, dial-peers of a dpg will then be used as outbound dial-peers for an
incoming call
• The order of outgoing call setups will be the sorted list of dial-peers from a dpg, i.e., the destination-patterns of the outgoing dial-peers are not relevant for selection
Destination Dial-peer Group Configuration
  voice class dpg 10000
   description Voice Class DPG for SJ
   dial-peer 1001 preference 1
   dial-peer 1002 preference 2
   dial-peer 1003
  !
  dial-peer voice 100 voip
   description Inbound DP
   incoming called-number 1341
   destination dpg 10000
  !
  dial-peer voice 1001 voip
   destination-pattern 8888
   session protocol sipv2
   session target ipv4:10.1.1.1
  !
  dial-peer voice 1002 voip
   destination-pattern 8888
   session protocol sipv2
   session target ipv4:10.1.1.2
  !
  dial-peer voice 1003 voip
   destination-pattern 8888
   session protocol sipv2
   session target ipv4:10.1.1.3
1. Incoming Dial-peer is first matched
2. Now the DPG associated with the INBOUND DP is selected
Outbound Dial-Peer Matching Criteria Summary
Priority  Match criteria
0         Match Based on DPG, DPPP, COR/LPCOR if configured
1         Match Based on URI of incoming INVITE message & carrier-id target
            • Exact Pattern match
            • Host Name/IP Address
            • User portion of URI
            • Phone-number of tel-uri
2         Match based on Called Number & carrier-id target
3         Match based on URI of an incoming INVITE message
            • Exact Pattern match
            • Host Name/IP Address
            • User portion of URI
            • Phone-number of tel-uri
4         Match based on Called number

CSCua14749 – Carrier-id CLI not working on XE based platforms

Received:
  INVITE sip:654321@10.2.1.1 SIP/2.0
  Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
  From: "555" <sip:555@10.1.1.1:5060>;tag=1
  To: ABC <sip:654321@10.2.1.1:5060>
  Call-ID: 1-23955@10.1.1.1
  CSeq: 1 INVITE
  Contact: sip:555@10.1.1.1:5060
  Supported: timer
  Max-Forwards: 70
  Subject: BRKUCC-2934 Session
  Content-Type: application/sdp
  Content-Length: 226
  ........
Destination Server Group
• Supports multiple destinations (session targets) to be defined in a group and applied to a single outbound dial-peer
• Once an outbound dial-peer is selected to route an outgoing call, multiple destinations within a server group will be sorted in either round robin or preference [default] order
• This reduces the need to configure multiple dial-peers with the same capabilities but different destinations, e.g. multiple subscribers in a cluster
  voice class server-group 1
   hunt-scheme {preference | round-robin}
   ipv4 1.1.1.1 preference 5
   ipv4 2.2.2.2
   ipv4 3.3.3.3 port 3333 preference 3
   ipv6 2010:AB8:0:2::1 port 2323 preference 3
   ipv6 2010:AB8:0:2::2 port 2222

  dial-peer voice 100 voip
   description Outbound DP
   destination-pattern 1234
   session protocol sipv2
   codec g711ulaw
   dtmf-relay rtp-nte
   session server-group 1
Multiple Destination-Patterns Under Same Outbound Dial-Peer
• Provides the ability to combine multiple destination-patterns targeted to the same destination to be grouped into a single dial-peer
• Up to 5000 entries in a text file
  Site A (919)200-2000
  Site B (510)100-1000
  Site C (408)100-1000

  voice class e164-pattern-map 100
   e164 919200200.
   e164 510100100.
   e164 408100100.

  dial-peer voice 1 voip
   destination e164-pattern-map 100
   codec g729r8
   session target ipv4:10.1.1.1

[Diagram: INVITE sip:user@xyz.com passing between CUBE and an SBC, linking Enterprise abc.com and Enterprise xyz.com]
• By default, the host portion is replaced with the session target value of the matched
outbound dial-peer
• Enhancement : Outgoing INVITE has same request URI as received in Incoming INVITE.
This can be achieved by configuring ‘requri-passing’ in the outgoing dial-peer or
globally.
• Allows for peer-to-peer calling between enterprises using URIs
URI Based Dialing Enhancement – ‘User’ portion non-E164 format
• For different hosts with the same ‘user’, multiple outgoing dial-peers had to be configured
• Enhancement: To support URIs with the same user portion but with different domains, a single dial-peer can be configured. The outgoing dial-peer needs to be configured with ‘session target sip-uri’ instead of the regular session target configuration. This triggers DNS resolution of the domain of the incoming INVITE Req-URI and dynamically determines the session target IP.
Media Manipulation
Audio Transcoding and Transrating
[Diagram: CUBE between SP VoIP and Enterprise VoIP. Codec labels: iLBC, iSAC, Speex; G.729 30 ms; IP Phones: G.711, G.729 20 ms, G.722]
Configuration for SCCP based Transcoding (ISR-G2/4K)
1. Enabling dspfarm services under voice-card
  voice-card 1
   dspfarm ! Only ISR G2
   dsp services dspfarm
2. telephony-service configuration
  telephony-service
   sdspfarm units 1
   sdspfarm transcode sessions 128
   sdspfarm tag 1 CUBE-XCODE
   max-ephones 10
   max-dn 10
   ip source-address <CUBE_internal_IP> port 2000
3. SCCP configuration
  sccp local GigabitEthernet0/0
  sccp ccm <CUBE_internal_IP> identifier 1 version 7+
  sccp
  sccp ccm group 1
   associate ccm 1 priority 1
   associate profile 1 register CUBE-XCODE
4. dspfarm profile configuration
  dspfarm profile 1 transcode
   codec g711ulaw
   codec g711alaw
   codec g729r8
   maximum sessions 10
   associate application SCCP
Configuration for LTI based Transcoding (ISR-G2/4K & ASR)
1. Enabling dspfarm services under voice-card
voice-card 0/1
 dspfarm ! Only ISR G2
 dsp services dspfarm
2. dspfarm profile configuration
dspfarm profile 1 transcode
 codec g711ulaw
 codec g711alaw
 codec g729abr8
 codec g729ar8
 codec ilbc
 maximum sessions 100
 associate application CUBE
Feature Notes:
• This uses Local Transcoding Interface to communicate between CUBE and DSPs
• Also available on ISR-G2 starting IOS 15.2.3T
• Can only be used if CUBE invokes the DSP for media services
• CUCM cannot invoke DSPs using this LTI interface
External/PSTN Call Recording
External/PSTN Call Recording Options (no DSPs needed for Call-Recording on CUBE)
• CUBE Controlled (Dial-peer based ORA)
• Based on Open Recording Architecture, metadata sent in Cisco Proprietary format from CUBE to Recorder
• Dial-peer controlled, IP-PBX independent
• Source of recorded media (RTP only) is always CUBE (External calls only). For SRTP-RTP calls, apply
media forking CLI on the RTP leg only.
• Records both audio and video calls and supported with CUBE HA (Inbox or box-2-box)
CUBE Controlled Recording Option – Media Forking
Dial-peer based – Open Recording Architecture (ORA)
• CUBE sets up a stateful SIP session with MediaSense server
• After SIP dialog established, CUBE forks the RTP and sends it for MediaSense to record
• With XE 3.10.1, Video calls supported and CUBE HA for audio calls
[Figure: Cisco Search/Play demo app or Partner Application; Cisco MediaSense (authentication disabled w/o UCM); SIP session between MediaSense and CUBE]
Call Admission Control at the edge...
CUBE provides various CAC mechanisms to safeguard your network from SIP based attacks and to enforce policies based on:
• Total calls
• CPU & Memory
• Call spike detection
• Maximum connections per destination
• Dial-peer or interface bandwidth
[Figure: CUBE to CUBE]
call threshold global [total/mem/cpu] calls low xx high yy
call treatment on
If a call spike is detected, reject calls
Multiple Non-Authenticated SIP Trunks on a CUBE
Non-Authenticated SIP Trunking to more than one Service Provider
Large enterprises are deploying more than one SIP Trunk provider for:
• Alternate call routing
• Load balancing
[Figure: Active CUBE at the Enterprise Campus connected to SIP SP-1 (10.10.10.2) and SIP SP-2 (20.20.20.2); MPLS to Enterprise Branch Offices with SRST, CME and TDM PBX]
! SIP SP-1's network
interface loopback1
 ip address 10.10.10.1 255.255.255.0
! SIP SP-2's network
interface loopback2
 ip address 20.20.20.1 255.255.255.0
dial-peer voice 10 voip
 description "Primary path to SIP SP-1"
 destination-pattern 91[2-9]..[2-9]......
 session protocol sipv2
 session target ipv4:10.10.10.2
 voice-class sip options-keepalive
 voice-class sip bind control source-interface loopback1
 voice-class sip bind media source-interface loopback1
dial-peer voice 20 voip
 description "Secondary path to SIP SP-2"
 destination-pattern 91[2-9]..[2-9]......
 session protocol sipv2
 session target ipv4:20.20.20.2
 preference 2
 voice-class sip options-keepalive
 voice-class sip bind control source-interface loopback2
 voice-class sip bind media source-interface loopback2
NOTE: Dual SPs can be used for outbound calls, but to be utilised for inbound calls, arrangements between SPs required
Multiple Authenticated/Registered SIP Trunks on a CUBE
Multiple Instances of SIP-UA on a CUBE
Existing Implementation, prior to IOS 15.6(2)T and IOS-XE 16.3.1
• CUBE Configuration generally consists of
• Global – Everything under voice service voip
• Call Routing – Dial-peers (Any configuration under dial-peers always overrides Global config)
• SIP User Agent Config – Everything under sip-ua, applicable globally on the platform
• Prior to IOS 15.6(2)T / IOS-XE 16.3.1, CUBE could register multiple trunks only with
different realms as the “authentication” command only accepted different realms. If the
realms were the same, it just overwrote the username and password
• Now each credential/authentication pair can be defined under its own voice class tenant
so that the same realm can be used for authentication
[Figure labels: ATT, VZN, SPT]
• Virtual Routing and Forwarding (VRF) is an IP technology that allows for multiple
instances of a routing table to coexist on the same router at the same time as
opposed to a single global route table, allowing for multiple virtual networks within a
single network entity to isolate between media and data virtual networks
• Multi-VRF allows for the use of only one router to accomplish the tasks that
multiple routers usually perform
• Prior to IOS 15.6(2)T / IOS-XE 16.3.1, CUBE only supports a single VRF for Voice
[voice vrf vrfname]
Multi-VRF and CUBE Enterprise
Multi-VRF Aware Call Routing on CUBE
• CUBE allows intra and inter VRF routing of voice and video calls without the need of Route
Leaks improving security at the network level
• Overlapped IP addressing and Dial Plan with Multi VRF feature provides seamless integration
of networks
• Show command outputs enhanced to display the VRF ID’s for active voice and video calls
• Provision to configure RTP port ranges for each VRF and allocation of Local RTP ports based
upon VRF. Listen sockets on UDP, TCP and TLS transports based on the VRF
Multi-VRF Design Considerations
• It is strongly recommended to deploy CUBE 11.5.2 or later [IOS 15.6(3)M,
IOS-XE 16.3.1] for Multi-VRF aware call routing as inbound dial-peers are filtered
based on the incoming VRF FIRST and then followed by the regular inbound
dial-peer matching. This ensures no potential routing issues will exist for
incoming INVITES or any out-of-dialog messages such as REGISTER,
OPTIONS, NOTIFY, etc
• Dial-peer bind statements are mandatory as the VRF association to a dial-peer
is based upon the interface sip bind, and both Control and Media on a dial-peer
have to bind with the same VRF
• Whenever global sip bind interface associated with a VRF is
added/modified/removed, user should restart the sip services under
“voice service voip sip call service stop/no call service stop”
• Default incoming dial-peer (dial-peer 0) match is not supported with VRF
Understanding Inbound Dial-Peer Matching Techniques
[Figure: CUCM – SIP Trunk – CUBE – SP SIP Trunk – PSTN. Outbound calls match an inbound LAN dial-peer; inbound calls match an inbound WAN dial-peer]
Priority
0 Filter dial-peers based on incoming VRF if configured and then 1 to 3 below
1 Match based on URI of an incoming INVITE message (Exact Pattern match, Host Name/IP Address, User portion of URI, Phone-number of tel-uri)
2 Match based on Called Number
3 Match based on Calling number
4 Default Dial-Peer = 0
Received:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........
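The matching order described above (VRF filter first, then URI, called number, calling number, and no dial-peer 0 fallback once VRFs are in use), as an added Python model that is not Cisco code. The DialPeer fields, the function names, the dial-peer tags and the sample data are assumptions constructed for illustration; the pattern translator handles only digits, '.', bracket ranges and a trailing T, and the first configured match wins within each priority.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DialPeer:
    tag: int
    bind_interface: Optional[str] = None     # interface named in "voice-class sip bind"
    incoming_uri_host: Optional[str] = None  # hypothetical: host matched by an incoming URI rule
    incoming_called: Optional[str] = None    # "incoming called-number" pattern
    calling_pattern: Optional[str] = None    # hypothetical: pattern tested against the calling number


def pattern_to_regex(pattern):
    """Translate a small subset of IOS digit patterns into a compiled regex."""
    variable = pattern.endswith("T")          # trailing T = variable-length digits
    body = pattern[:-1] if variable else pattern
    rx = "".join(r"\d" if ch == "." else ch for ch in body)
    return re.compile(rx + (r"\d*" if variable else ""))


def match_inbound(dial_peers, if_vrf, arrival_interface, req_host, called, calling):
    """Return (dial-peer tag, criterion) for an incoming INVITE.

    if_vrf maps interface name -> VRF name (None = global routing table).
    """
    vrf_in_use = any(v is not None for v in if_vrf.values())
    if vrf_in_use:
        # Priority 0: only dial-peers bound to an interface in the arrival VRF stay eligible.
        vrf = if_vrf.get(arrival_interface)
        candidates = [dp for dp in dial_peers
                      if dp.bind_interface is not None and if_vrf.get(dp.bind_interface) == vrf]
    else:
        candidates = list(dial_peers)

    criteria = [  # priorities 1 to 3, evaluated in order
        ("uri", lambda dp: dp.incoming_uri_host is not None and dp.incoming_uri_host == req_host),
        ("called-number", lambda dp: dp.incoming_called is not None
            and pattern_to_regex(dp.incoming_called).fullmatch(called)),
        ("calling-number", lambda dp: dp.calling_pattern is not None
            and pattern_to_regex(dp.calling_pattern).fullmatch(calling)),
    ]
    for name, test in criteria:
        for dp in candidates:
            if test(dp):
                return dp.tag, name
    # Priority 4: dial-peer 0 exists only when no VRF is involved.
    if vrf_in_use:
        return None, "rejected: default dial-peer 0 is not supported with VRF"
    return 0, "default"


# Constructed sample: overlapping dial plan (called number 2000) in two VRFs.
IF_VRF = {"GigabitEthernet0/0/0": "VRF1", "GigabitEthernet0/0/1": "VRF2"}
PEERS = [
    DialPeer(100, "GigabitEthernet0/0/0", incoming_called="2000"),
    DialPeer(200, "GigabitEthernet0/0/1", incoming_called="2000"),
    DialPeer(300, "GigabitEthernet0/0/1", calling_pattern="555"),
    DialPeer(400, "GigabitEthernet0/0/1", incoming_uri_host="198.51.100.7"),
    DialPeer(500, None, incoming_called="2..."),  # no bind: never eligible with VRFs
]

if __name__ == "__main__":
    for iface, host in (("GigabitEthernet0/0/0", "7.44.44.13"),
                        ("GigabitEthernet0/0/1", "6.44.44.13")):
        print(iface, match_inbound(PEERS, IF_VRF, iface, host, "2000", "111"))
```

The same called number selects a different dial-peer depending on the arrival VRF, and a dial-peer without a bind statement drops out of matching entirely, which is why the slides call the bind statements mandatory.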
Multi-VRF Design Considerations – Cont’d
• Whenever destination server group is used with VRF, ensure that the
candidates (i.e. session targets) in the server group belong to the same
network as that of the sip bind on the dial-peer where the server-group is
configured. Sample Configuration in notes section below
• Dial-peer group feature or COR (Class of Restriction) lists can be used to
restrict call routing to the same or group of VRFs (e.g. Overlapping Dial
plans)
• The DSP resources are a global pool and not reserved on a per VRF basis. It is
used on a first come first serve basis
Multi-VRF Feature Restrictions – For Your Reference
• CUBE + CME co-located with VRF and TDM-SIP gateway are not supported
• IPv6 with VRF is not supported on CUBE. Only IPv4 is supported with VRF
• Multi-VRF calls across CUBE are supported in SIP-SIP flow-through mode only and not
supported in flow-around mode. Media Anti-trombone is not supported with VRF
• Legacy global voice vrf and Multi VRF do not co-exist. Customers using global voice vrf
have to remove the CLI in order to use Multi VRF feature
• UC Services API (CUCM NBR Recording) is not VRF aware. Works globally for all call
recordings and will not separate the call notification on a per VRF basis
• With Single/Multi VRF configured, DNS request will be at global (i.e. no vrf is associated with
the DNS request)
CUBE Multi VRF - Basic Configuration
Gig0/0/0 Gig0/0/1
VRF 1 VRF 2
CUBE
1. Configure VRF
2. Apply VRF under the interface/sub-interface
3. Bind the VRF associated interface to the dial-peer (VRF association by dial-peer bind CLI)
• Up to 54 different VRFs supported in 15.6(3)M and IOS-XE 16.3.1 or later releases
CUBE Multi VRF – Inbound dial-peer match
INVITE INVITE
VRF 1 VRF 2
sip:2000@7.44.44.13 CUBE
sip:2000@6.44.44.13
VRF1
voice-class sip bind all interface GigE0/0/0 voice-class sip bind all interface GigE0/0/1
incoming called-number 3000 incoming called-number 2000
dial-peer voice 100 voip dial-peer voice 200 voip
VRF2
voice-class sip bind all interface GigE0/0/0 voice-class sip bind all interface GigE0/0/1
destination-pattern 2000 destination-pattern 3000
session-target ipv4: 10.1.1.1 session-target ipv4:10.2.2.2
VRF2
voice-class sip bind all interface GigE0/0/0 voice-class sip bind all interface GigE0/0/1
incoming called-number 2000 incoming called-number 3000
Intra VRF Routing
CUBE Multi VRF – Routing w/ Overlapped Dial Plan
INVITE INVITE
sip:2000@10.1.1.1 sip:2000@10.1.1.1
INVITE INVITE
sip:2000@7.44.44.13 sip:2000@6.44.44.13
High Availability
CUBE High Availability Options
• Inbox redundancy
 • ASR 1006, preserves signaling & media
 • Stateful failover
 • Local redundancy
ASR(config)#redundancy
ASR-RP2(config-red)#mode sso
ASR-RP2(config-red)#end
• L2 Box-to-Box redundancy
 • ISR G2/4K (Stateful failover)
 • ASR 1001-X/2-X/4/6 (Stateful failover)
 • Local redundancy (Both routers must be physically located on the same Ethernet LAN)
 • Not supported across data centers
 • Only 1 RP and 1 ESP in ASR1006
[Figure: Active and Standby CUBE presenting Virtual IPs between the enterprise IP network and the SIP SP]
CUBE HA Design Considerations on ISR-G2 for Box-to-Box
Redundancy
• Lower IP Address for ALL the interfaces (Gig0/0, Gig0/1, Gig0/2) should be on the same platform,
which is used as a tie breaker for the HSRP Active state
• Multiple HSRP Groups/Interfaces/sub-interfaces can be used on either LAN or WAN side
• Up to 6 multimedia lines in the SDP are checkpointed for CUBE HA
• SDP Passthru (up to 2 m-lines) calls are also checkpointed starting IOS 15.6(1)T
• TDM or SRST or VXML GW cannot be collocated with CUBE HA
• Both platforms must be connected via a physical Switch across all likewise interfaces for CUBE HA to
work, i.e. Gig0/0 of CUBE-1 and CUBE-2 must terminate on the same switch and so on
CUBE HA Design Considerations on ISR-G2 for Box-to-Box
Redundancy – Cont’d
• Cannot have WAN terminated on CUBEs directly or Data HSRP on either side. Both Active/Standby
must be in the same Data Center
• Both the CUBEs must be running on the same type of platform and IOS version and identical
configuration. Loopback interfaces cannot be used for bind as they are always up. Sub-interfaces are
supported for all interfaces. Port Channels are supported for all interfaces from IOS 15.6(3)M
• CUBE HA only checkpoints SIP/RTP Traffic. Support for Survivability.tcl preservation was added in
15.6(2)T for CVP deployments
• Out-of-band DTMF (Notify/KPML) will not work post switchover
CUBE HA Design Considerations on ISR-G2 for Box-to-Box
Redundancy – Cont’d
• CCB (courtesy callback) feature is not supported if a callback was registered with CVP and then a
switchover was done on CUBE. The CCB will not work in these scenarios.
• Recommended to configure TCP session transport for the SIP trunk between CVP and CUBE
• LTI based transcoding call flows including SRTP/RTP interworking preserved starting 15.5(2)T.
Requires same PVDM3 chip capacity on both active and standby in the same slot/subslot. CPA calls
(prior to being transferred to the agent), SCCP based media resources, Noise Reduction, ASP,
transrating calls are not checkpointed
• SRTP - RTP, SRTP - SRTP and SRTP passthru supported on ISR-G2
CUBE HA Design Considerations on ISR-G2 for Box-to-Box
Redundancy – Cont’d
Configure VRFs on the platform (if applicable)
CUBE 1
CUBE-1> enable
CUBE-1# configure terminal
CUBE-1(config)# ip vrf LAN-VRF
CUBE-1(config)# rd 1:1
CUBE-1(config)# ip vrf WAN-VRF
CUBE-1(config)# rd 2:2
CUBE 2
CUBE-2> enable
CUBE-2# configure terminal
CUBE-2(config)# ip vrf LAN-VRF
CUBE-2(config)# rd 1:1
CUBE-2(config)# ip vrf WAN-VRF
CUBE-2(config)# rd 2:2
CUBE Configuration on ISR-G2 Box-to-Box Redundancy
Inside interfaces: HSRP group 1, VRF ID: LAN-VRF (if applicable). Interface can be utilized as an HSRP interface if no VRFs are required or configured.
CUBE 1 and CUBE 2 (identical except for the interface IP address)
interface GigabitEthernet0/0
 description "Enterprise LAN"
 ip vrf forwarding LAN-VRF
 ip address 10.10.1.11 255.255.255.0 ! CUBE 2: ip address 10.10.1.12 255.255.255.0
 standby version 2
 standby 1 ip 10.10.1.13
 standby delay minimum 30 reload 60
 standby 1 preempt
 standby 1 track 2 decrement 10
 standby 1 track 3 decrement 10
 standby 1 priority 50
CUBE Configuration on ISR-G2 Box-to-Box Redundancy
Outside interfaces: HSRP group 10, VRF ID: WAN-VRF (if applicable)
CUBE 1 and CUBE 2 (identical except for the interface IP address)
interface GigabitEthernet0/1
 description "Enterprise WAN"
 ip vrf forwarding WAN-VRF
 ip address 128.107.66.77 255.255.255.0 ! CUBE 2: ip address 128.107.66.78 255.255.255.0
 standby version 2
 standby 10 ip 128.107.66.79
 standby delay minimum 30 reload 60
 standby 10 preempt
 standby 10 track 1 decrement 10
 standby 10 track 3 decrement 10
 standby 10 priority 50
CUBE Configuration on ISR-G2 Box-to-Box Redundancy
HSRP interfaces: HSRP group 100. CANNOT HAVE VRFs associated
CUBE 1 and CUBE 2 (identical except for the interface IP address)
interface GigabitEthernet0/2
 description "HSRP Interface"
 ip address 1.1.1.1 255.255.255.0 ! CUBE 2: ip address 1.1.1.2 255.255.255.0
 standby version 2
 standby 100 ip 1.1.1.3
 standby delay minimum 30 reload 60
 standby 100 preempt
 standby 100 name CUBEHA
 standby 100 track 1 decrement 10
 standby 100 track 2 decrement 10
 standby 100 priority 50
!
! Configure Interface Tracking (for line protocol on corresponding interfaces of the platform)
track 1 interface Gig0/0 line-protocol
track 2 interface Gig0/1 line-protocol
track 3 interface Gig0/2 line-protocol
CUBE Configuration on ISR-G2 Box-to-Box Redundancy
CUBE 1 and CUBE 2 (identical except for the local-ip and remote-ip values, which are swapped)
! Define Redundancy scheme: Creates interdependency b/w CUBE redundancy & HSRP
redundancy inter-device
 scheme standby CUBEHA
! Turn on CUBE Redundancy
voice service voip
 mode border-element
 allow-connections sip to sip
 redundancy
! HSRP Interface - IPC configuration: Allows the ACTIVE CUBE to tell the
! STANDBY about the state of the calls. CONFIG SHOULD BE APPLIED on the
! LAN SIDE (to avoid SPLIT BRAIN) and a NON-VRF associated interface.
! CANNOT HAVE VRFs associated with this interface
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 1.1.1.1 ! CUBE 2: local-ip 1.1.1.2
   remote-port 5000
    remote-ip 1.1.1.2 ! CUBE 2: remote-ip 1.1.1.1
CUBE Configuration on ISR-G2 Box-to-Box Redundancy
Configuration on Active and Standby
! Bind traffic destined to the outside (SP SIP trunk) to the outside Physical interface.
! This ensures that all RTP and SIP packets are created with the virtual IP associated
! with the respective physical interface.
! CUBE HA does not work with loopback interfaces as they are always up
dial-peer voice 100 voip
 description TO SERVICE PROVIDER
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:y.y.y.y
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
!
! Bind traffic destined to the inside (CUCM or IP PBX) to the inside Physical interface.
! This ensures that all RTP and SIP packets are created with the virtual IP associated
! with the respective physical interface.
dial-peer voice 200 voip
 description TO CUCM
 destination-pattern 555....
 session protocol sipv2
 session target ipv4:10.10.1.10
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
!
ip rtcp report interval 3000
!
! Configure media inactivity feature to clean up any calls that may not disconnect after a failover
gateway
 media-inactivity-criteria all
 timer receive-rtcp 5
 timer receive-rtp 86400
CUBE HA Design Considerations on ASR1K/ISR-4K/vCUBE
for Box-to-Box Redundancy
• Multiple traffic (SIP/RTP) interfaces (GE0/0/1, GE0/0/1) require interface tracking to be configured
• Up to 6 multimedia lines in the SDP are checkpointed for CUBE HA. SDP Passthru (up to 2 m-lines) calls
are also checkpointed starting IOS-XE 3.17
• No media-flow around or UC Services API (CUCM NBR) support for CUBE HA
• CUBE-HA preserves both signaling and media and is not supported over a crossover cable connection
for the RG-control/data link (GE0/0/2)
• Both platforms must be connected via a physical Switch across all likewise interfaces for CUBE HA to
work, i.e. GE0/0/0 of CUBE-1 and CUBE-2 must terminate on the same switch and so on. Multiple
interfaces/sub-interfaces can be used on either LAN or WAN side
CUBE HA Design Considerations on ASR1K/ISR-4K/vCUBE for
Box-to-Box Redundancy
• Cannot have WAN terminated on CUBEs directly or Data HA on either side. Both Active/Standby must
be in the same Data Center
• CUBE HA only checkpoints SIP/RTP Traffic. Support for Survivability.tcl preservation was added in
IOS-XE 3.17 for CVP deployments
• CCB (courtesy callback) feature is not supported if a callback was registered with CVP and then a
switchover was done on CUBE. The CCB will not work in these scenarios.
• Recommended to configure TCP session transport for the SIP trunk between CVP and CUBE
• Out-of-band DTMF (Notify/KPML) will not work post switchover
CUBE HA Design Considerations on ASR1K/ISR-4K/vCUBE for
Box-to-Box Redundancy
• LTI based transcoding call flows are preserved starting IOS-XE 3.15. Requires same SPA-DSP
module capacity on both active and standby in the same slot/subslot. CPA calls (prior to being
transferred to the agent), SCCP based media resources, Noise Reduction, ASP, transrating calls are
not checkpointed
• CUBE HA with RG Infra protocol is supported with VRFs configured. Traffic interfaces (SIP/RTP) can
have VRFs configured but RG Control/Data interface [GE0/0/2] cannot have any VRF associated with it
• VRF ID’s will be check pointed for the calls before and after switchover. VRF Configurations in both
active and standby routers have to be identical. This includes VRF based rtp port range as well
• SRTP - RTP, SRTP - SRTP supported partially. SRTP Passthru completely supported as packets
pass without encryption/decryption [See Note below]
CUBE HA Design Considerations on ASR1K/ISR-4K/vCUBE for
Box-to-Box Redundancy
• Upon failover, the previously ACTIVE CUBE goes through a reload by design, preserving
signaling/media
• Upon failover, starting IOS-XE 3.11, the previously ACTIVE CUBE can be moved to a PROTECTED
state to avoid the reload
• Running configuration should always be saved to avoid losing it due to the reload by design when the
switchover happens
• It is mandatory to use a separate interface for redundancy (RG Control/data, GE0/0/2), i.e. the interface used
for traffic cannot be used for HA keepalives and checkpointing
CUBE Configuration on ASR/ISR-4K/vCUBE Box-to-Box Redundancy
Configure VRFs on the platform (if applicable)
CUBE 1
CUBE-1> enable
CUBE-1# configure terminal
CUBE-1(config)# ip vrf LAN-VRF
CUBE-1(config)# rd 1:1
CUBE-1(config)# ip vrf WAN-VRF
CUBE-1(config)# rd 2:2
CUBE 2
CUBE-2> enable
CUBE-2# configure terminal
CUBE-2(config)# ip vrf LAN-VRF
CUBE-2(config)# rd 1:1
CUBE-2(config)# ip vrf WAN-VRF
CUBE-2(config)# rd 2:2
CUBE Configuration on ASR/ISR-4K/vCUBE Box-to-Box Redundancy
CUBE 1 and CUBE 2 (identical)
redundancy
 mode none ! Disables software redundancy. For ASR1006: mode rpr
 ! Configure RG Group for use with CUBE HA
 application redundancy
  group 1
   name voice-b2bha
   priority 100 failover threshold 75
   control GigabitEthernet 0/0/2 protocol 1
   data GigabitEthernet 0/0/2
   timers delay 30 reload 60
CUBE Configuration on ASR1K/ISR-4K/vCUBE Box-to-Box Redundancy
CUBE 1 and CUBE 2 (identical)
! Track interfaces to trigger switchover
track 1 interface GigabitEthernet 0/0/0 line-protocol
track 2 interface GigabitEthernet 0/0/1 line-protocol
redundancy
 application redundancy
  group 1
   track 1 shutdown
   track 2 shutdown
CUBE Configuration on ASR1K/ISR-4K/vCUBE Box-to-Box Redundancy
Inside interfaces: Redundancy Interface Identifier 1, VRF ID: LAN-VRF (if applicable)
CUBE 1 and CUBE 2 (identical except for the interface IP address)
interface GigabitEthernet0/0/0
 description "Enterprise LAN"
 ip vrf forwarding LAN-VRF
 ip address 10.10.1.1 255.255.255.0 ! CUBE 2: ip address 10.10.1.2 255.255.255.0
 redundancy rii 1
 redundancy group 1 ip 10.10.1.3 exclusive
CUBE Configuration on ASR1K/ISR-4K/vCUBE Box-to-
Box Redundancy
CUBE 1 CUBE 2
CUBE Configuration on ASR1K/ISR-4K/vCUBE Box-to-Box Redundancy
Configuration on Active and Standby
! Bind traffic destined to the outside (SP SIP trunk) to the outside Physical interface
! to make sure it uses the virtual IP address as the source-IP for all calls
dial-peer voice 100 voip
 description to-SIP-SP
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:y.y.y.y
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
!
! Bind traffic destined to the inside (CUCM or IP-PBX) to the inside Physical interface
dial-peer voice 200 voip
 description to-CUCM
 destination-pattern 555....
 session protocol sipv2
 session target ipv4:10.10.1.10
 voice-class sip bind control source-interface GigabitEthernet0/0/0
 voice-class sip bind media source-interface GigabitEthernet0/0/0
!
ip rtcp report interval 3000
!
! Configure media inactivity feature to clean up any calls that may not disconnect after a failover
gateway
 media-inactivity-criteria all
 timer receive-rtcp 5
 timer receive-rtp 86400
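The HA rules stated on these slides (no loopback binds, no VRF on the HSRP or RG control/data interface, control and media bound in the same VRF, identical VRF configuration on both routers) can be checked against a saved configuration before a pair goes into service. The following is an added Python example, not Cisco tooling; the function names are hypothetical, the sample configs are constructed, and 192.0.2.10 stands in for the slides' y.y.y.y.

```python
import re

# Constructed sample config for the active CUBE (ISR-G2 style interface names).
CUBE1 = """\
ip vrf LAN-VRF
 rd 1:1
ip vrf WAN-VRF
 rd 2:2
interface GigabitEthernet0/0
 ip vrf forwarding LAN-VRF
 ip address 10.10.1.11 255.255.255.0
interface GigabitEthernet0/1
 ip vrf forwarding WAN-VRF
 ip address 128.107.66.77 255.255.255.0
interface GigabitEthernet0/2
 ip address 1.1.1.1 255.255.255.0
dial-peer voice 100 voip
 session target ipv4:192.0.2.10
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
dial-peer voice 200 voip
 session target ipv4:10.10.1.10
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
"""
# Healthy standby: same config, different interface addresses.
CUBE2 = (CUBE1.replace("10.10.1.11", "10.10.1.12")
              .replace("128.107.66.77", "128.107.66.78")
              .replace("ip address 1.1.1.1", "ip address 1.1.1.2"))
# Misconfigured standby (constructed): VRF on the HA interface, a loopback
# media bind on dial-peer 200, and a route distinguisher that has drifted.
CUBE2_BAD = (CUBE2.replace("interface GigabitEthernet0/2\n",
                           "interface GigabitEthernet0/2\n ip vrf forwarding LAN-VRF\n")
                  .replace("bind media source-interface GigabitEthernet0/0",
                           "bind media source-interface Loopback1")
                  .replace(" rd 2:2", " rd 2:3"))

BIND_RE = re.compile(r"voice-class sip bind (control|media) source-interface (\S+)")


def parse_sections(config):
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def interface_vrfs(sections):
    """Map each interface name to its VRF (None when in the global table)."""
    vrfs = {}
    for head, body in sections.items():
        if head.startswith("interface "):
            vrfs[head.split(None, 1)[1]] = next(
                (l.split()[-1] for l in body if l.startswith("ip vrf forwarding ")), None)
    return vrfs


def audit_ha_member(config, ha_interface):
    """Return a list of findings for one router of the HA pair."""
    sections = parse_sections(config)
    if_vrf = interface_vrfs(sections)
    findings = []
    if if_vrf.get(ha_interface) is not None:
        findings.append(f"{ha_interface}: HA keepalive/checkpoint interface has a VRF")
    for head, body in sections.items():
        if not (head.startswith("dial-peer voice ") and head.endswith(" voip")):
            continue
        binds = dict(m.groups() for m in map(BIND_RE.fullmatch, body) if m)
        for kind in ("control", "media"):
            if kind not in binds:
                findings.append(f"{head}: missing {kind} bind")
            elif binds[kind].lower().startswith("loopback"):
                findings.append(f"{head}: {kind} bound to {binds[kind]} (loopback is always up)")
        if len(binds) == 2 and if_vrf.get(binds["control"]) != if_vrf.get(binds["media"]):
            findings.append(f"{head}: control and media bind to different VRFs")
    return findings


def audit_ha_pair(active, standby, ha_interface):
    """Audit both members and compare their VRF definitions."""
    def vrf_defs(cfg):
        return {h: b for h, b in parse_sections(cfg).items() if h.startswith("ip vrf ")}
    report = {"active": audit_ha_member(active, ha_interface),
              "standby": audit_ha_member(standby, ha_interface), "pair": []}
    if vrf_defs(active) != vrf_defs(standby):
        report["pair"].append("VRF definitions differ between active and standby")
    return report


if __name__ == "__main__":
    for side, items in audit_ha_pair(CUBE1, CUBE2_BAD, "GigabitEthernet0/2").items():
        for item in items:
            print(f"{side}: {item}")
```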
Additional Supported options for CUBE HA
[Figure: CUBE-1 and CUBE-2 connected over port channels (PortChannel2, PortChannel34) and vPC to Switches A–E, with CUCM on the LAN side and ITSP 1 / ITSP 2 reached through the WAN edge. Interface labels: Gig0/0/0, Gig0/0/1, Gig0/0/3, Gig0/0/4, Gig0/0/2.100, Gig0/0/2.200; redundancy rii 1, rii 2, rii 3]
• The RG control data interfaces can be a sub interface that is part of the same port channel used for voice traffic. This will go to switch D and E
thereby eliminating the need for additional switches for RG control/data. This is provided there is sufficient bandwidth for voice + RG
data/control on the port channel (for example when using 10G)
• Multiple ITSPs or multiple trunks from the same ITSP can be terminated on the same CUBE ENT HA (ISR G2, ISR 4K, ASR 1K, vCUBE) pair
• Port Channel(s) can be used on the WAN/ITSP side as well as shown for the LAN side in the above diagram with L2 and CE router redundancy
ASR B2B Redundancy : PROTECTED MODE
• Default failover redundancy behavior in a B2B HA pair is to reload the affected router to avoid out-of-sync
conditions/Split brain
• Starting XE3.11, an ASR can be configured to transition into PROTECTED mode
• In PROTECTED mode
o Bulk sync request, Call checkpointing, and incoming call processing are disabled
o The router in PROTECTED mode needs to be manually reloaded to come out of this state
CUBE SIP Trunk Monitoring with OOD Options message
dial-peer voice 100 voip
 voice-class sip options-keepalive up-interval 20 down-interval 20 retry 3
Three timers that can be configured:
• up-interval: OPTIONS keepalive timer interval for UP endpoint
• down-interval: OPTIONS keepalive timer interval for DOWN endpoint
• retry: Retry count for OPTIONS keepalive transmission
[Figure: CUCM SIP Trunk – CUBE – SP SIP Trunk ladder. CUBE sends OOD Options to the SP and receives 200 OK, so DP 100 = ACTIVE and INVITE / 200 OK pass on both legs; a later OOD Options gets Timeout – no response]
OOD OPTIONS Ping Keepalive Enhancement
• Each dial-peer that has OPTIONS message configured sends out a separate message, even
if the session targets are same
• Network bandwidth and process runtime are wasted in CUBE and remote targets to sustain
duplicate OOD OPTIONS Ping heartbeat keepalive connection
• Consolidate SIP OOD Options Ping connections by grouping SIP dial-peers with same OOD
Options Ping setup
• New CLI : “voice class sip-keepalive-profile <tag>” is used to define OOD
OPTIONS Ping setup
• Consolidated SIP OOD Options Ping connection will then be established with a target for multiple
SIP dial-peers with the same target and OOD Options Ping profile setup
[Figure: CUCM SIP Trunk – CUBE – SP SIP Trunk ladder. DP 100, DP 200, DP 300 and DP 400 all have Session Target IPv4:1.1.1.1; each sends its own OOD Options and receives its own 200 OK, alongside INVITE / 200 OK for DP 100]
OOD OPTIONS Ping Keepalive Enhancement - Configuration
Single OOD Option Ping Group applied to multiple dial-peers with same session targets
voice class sip-options-keepalive 1
 description UDP Options consolidation
 down-interval 49
 up-interval 180
 retry 7
 transport udp
dial-peer voice 1 voip
 destination-pattern 6666
 session protocol sipv2
 session target ipv4:10.104.45.253
 voice-class sip options-keepalive profile 1
dial-peer voice 2 voip
 destination-pattern 5555
 session protocol sipv2
 session target ipv4:10.104.45.253
 voice-class sip options-keepalive profile 1
Sample Show command output
CUBE#sh voice class sip-options-keepalive 1
Voice class sip-options-keepalive: 1 AdminStat: Up
 Description: UDP Options consolidation
 Transport: udp Sip Profiles: 0
 Interval(seconds) Up: 180 Down: 49
 Retry: 7

 Peer Tag Server Group OOD SessID OOD Stat IfIndex
 -------- ------------ ---------- -------- -------
 1                     4          Active   9
 2                     4          Active   10

 OOD SessID: 4 OOD Stat: Active
 Target: ipv4:10.104.45.253
 Transport: udp Sip Profiles: 0
• With OOD Options Ping Keepalive group, an options ping keepalive connection is established on a per remote target basis, as opposed
to an options ping keepalive connection established on a per dial-peer basis. Up to 10,000 “voice class sip-options-keepalive <tag>” can be
defined per system
• Either legacy “sip options-keepalive” or the new “sip options-keepalive profile <tag>” can be configured on a dial-peer. Dial-peers with
Destination Server Group instead of Session Target IP must use Options Keepalive Profile and not the legacy CLI.
SIP Trunk to TDM PSTN Failover
• Collocated Cisco Unified Border Element and TDM GW offers:
• Alternate call routing path (upon congestion or SIP Trunk failure)
• Easy SIP Trunking migration
• Deployed in small to medium sized enterprise networks
• Deployed at branch locations for PSTN calls during survivability mode
• Deployed at branch locations for emergency services
[Diagram: IP, CUBE; SIP Trunk (Primary) to SP SBC VoIP; TDM Trunk (Secondary)]
dial-peer voice 10 voip
 description “Primary path to SIP Trunk provider”
 destination-pattern 91[2-9]..[2-9]......
 session protocol sipv2
 session target ipv4:10.10.10.1
 voice-class sip options-keepalive
!
dial-peer voice 20 pots
 description “Secondary path to PSTN”
 destination-pattern 91[2-9]..[2-9]......
 preference 2
 port 0/0/0:23
Video Suppression
[Diagram: A, SIP, CUBE, SP SBC; INVITE w/ audio only]
• When CUBE receives video capabilities as part of SDP, it passes them across by
default
• This feature adds a mechanism on CUBE to allow only audio and image (for T.38
fax) media capabilities and drop all other media capabilities like video,
application m-lines etc. while routing calls to service providers
»Only supported for SIP-SIP calls not in SDP Passthru mode
MMoH
Multicast MoH to Unicast MoH Conversion - CUBE
[Diagram: A on Hold, Active Call; Multicast MoH into CUBE, Unicast MoH over SIP to the SP]
ccm-manager music-on-hold
ip multicast-routing distributed
“ip pim dense-mode” under interface
• Extends the ability for enterprises to play Multicast MoH to Service Providers
• CUBE converts Multicast MoH from the MoH server to unicast MoH streamed to
the service provider
• Provides the ability to play Multicast MoH over the WAN from the MoH server at
the HQ to the CUBE at the remote branch (distributed architecture), saving WAN
bandwidth
Contact Center Features
Mid-call codec renegotiation
Provider supports both G.711 and G.729 codecs
[Diagram: call flow steps 1 to 4 between CVP, CUBE (SIP) and the SP (SIP); Call Xfer (signaling only); codec labels G.711, G.729 / G.711, G.729]
Mid-call Xcoder Insert/Drop
Provider supports only G.729 codec
[Diagram: call flow steps 1 to 4 between CVP, CUBE (SIP) and the SP (SIP); Call Xfer (signaling only); codec labels G.711, G.729 / G.711, G.729; Transcoder Inserted, Transcoder Dropped]
[Diagram: A, CVP, CUBE (SIP), SP; 1. REFER, 2. REFER]
CUBE will pass across the Refer message “as-is” without any modification
REFER Handling Enhancement
• A new CLI, “refer consume”, has been added to the SIP dial peer.
• The final decision to consume or pass-through REFER is determined based on this new CLI option configured on the Refer-To dial-peer.
“supplementary-service sip refer” (Configured globally or at inbound dial-peer) | “refer consume” (Configured at dial-peer that matches ‘refer-To’) | Outcome
Yes (default) | No (default) | REFER Pass-through
Call Progress Analysis on SIP Trunks
Sent:
INVITE sip:2776677@9.41.35.205:5060 SIP/2.0
Via: SIP/2.0/UDP 9.42.30.151:7988;branch=z9hG4bK-16368-1-0
…………….
--uniqueBoundary
Content-Type: application/x-cisco-cpa
Content-Disposition: signal;handling=optional
Events=FT,Asm,AsmT,Sit
CPAMinSilencePeriod=608
CPAAnalysisPeriod=2500
CPAMaxTimeAnalysis=3000
CPAMaxTermToneAnalysis=15000
CPAMinValidSpeechTime=112

Received:
UPDATE sip:sipp@9.42.30.151:7988;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 9.41.35.205:5060;branch=z9hG4bK6F26CF
……………..
event=detected
status=Asm
pickupT=2140
maxActGlitchT=70
numActGlitch=12
valSpeechT=410
maxPSSGlitchT=40
numPSSGlitch=1
silenceP=290
termToneDetT=0
noiseTH=1000
actTh=32000

[Diagram: SIP Dialer, CVP, SIP, CUBE, SP]
• Transcoder Inserted to detect tones
• CUBE detects fax tone
• Contact Center Dialer will then instruct CUBE on whether to connect the call to an agent or disconnect the call by sending REFER, RE-INVITE, BYE, CANCEL etc.
• CUBE will then connect/disconnect the call appropriately
Configuration on CUBE:
voice service voip
 cpa
dspfarm profile 1 transcode universal
 call-progress analysis
CUBE Security
Note
• CUBE version 11.5.0 [IOS 15.6(1)T, IOS-XE 3.17] or later was used to
develop the best practices included in the CUBE Security presentation,
unless a specific version is mentioned on a slide
• The CUBE Configuration guide is the comprehensive resource for
security configuration and more
• All best practices around Cisco IOS/IOS-XE Routers apply to CUBE as
well
• CUBE Configuration generally consists of
• Global – Everything under voice service voip
• Call Routing – Dial-peers (Any configuration under dial-peers always overrides Global config)
• SIP User Agent Config – Everything under sip-ua
Collaboration Deployment
[Diagram: Enterprise LAN with Unified CM and MediaSense; CUBE; ITSP WAN (SIP Provider); PSTN (PRI/FXO) as TDM Backup (Not available in vCUBE); legend: SIP, H.323, RTP]
CUBE/GW Security Overview
CUBE Voice Security Protection per Design Specs
DOS
• B2BUA – L7 Inspection
• Call Volume/BW Limiting (CAC)
• Call Codec Limiting
• SIP Malformed Inspection
• SIP Listen Port Configuration
• RTP Malformed
• Topology Hiding
• Co-resident IOS: ACLs, FW, IPS
Identity / Service Theft
• SIP Digest Authentication
• SIP Hostname Validation
• SIP Trunk Register
• CDR
• Toll Fraud
• Co-resident IOS: ACLs, COR
Privacy
• SIP Header Manipulation
• Authentication and encryption (media) – SRTP
• Authentication and encryption (signaling) – TLS
• Co-resident IOS: All VPN features
[Diagram: Voice Application Code; L7 Protocol-independent memory structures holding call state and attributes (CLID, Called #, Codec…); Dial-peer (both legs); DTMF xlation, Codec Filtering, Xcoding Control; SIP/H.323 Protocol Stack and RTP Library on each side; DSP API, DSP Hardware; TCP, UDP, TLS; Signaling, Media]
Five Layers of Security in CUBE
EXTERNAL SECURITY: Policy
APPLICATION LAYER: Dialpeer Matching, Voice Trust List
NETWORK LAYER: Access Control Lists
CUBE Security Best Practices Summary
• IP TRUST LIST: Don’t respond to any SIP INVITEs if not originated
from an IP address specified in this trust list
• CALL THRESHOLD: Protect against CPU, Memory & Total Call spike
• CALL SPIKE PROTECTION: Protect against spike of INVITE
messages within a sliding window
• BANDWIDTH BASED CAC: Protect against excessive media
• MEDIA POLICING: Protect against negotiated Bandwidth overruns and
RTP Floods
• USE NBAR POLICIES: Protect against overall SIP, RTP flood attacks
from otherwise “trusted” sources
• DEFINE VOICE POLICIES: identify patterns of valid phone calls that
might suggest potential abuse.
Topology Used in this section
Topology/Address Hiding
[Diagram: Inside Network, CUBE, MPLS, SP IP, SBC; addresses left to right: 10.10.1.10, 10.10.1.11, 128.107.214.21, 66.66.66.66]
• Requirements
• Maintain connectivity without exposing the IP network details
• B2BUA provides complete topology hiding on signaling and media
• Maintains security and operational independence of both networks
• Provides implicit NAT service by substituting Cisco Unified Border Element IP
addresses on all traffic
SIP Trunk to ITSP
Item | SIP Trunk service provider requirement | Sample Response
1 | SIP Trunk IP Address (Destination IP Address for INVITES) | 20.1.1.2 or DNS
2 | SIP Trunk Port number (Destination port number for INVITES) | 5060
3 | SIP Trunk Transport Layer (UDP or TCP) | UDP
4 | Codecs supported | G711, G729
5 | Fax protocol support | T.38
6 | DTMF signaling mechanism | RFC2833
7 | Does the provider require SDP information in initial INVITE (Early offer required) | Yes
8 | SBC’s external IP address that is required for the SP to accept/authenticate calls (Source IP Address for INVITES) | 20.1.1.1
9 | Does SP require SIP Trunk registration for each DID? If yes, what is the username & password | No
10 | Does SP require Digest Authentication? If yes, what is the username & password | No
IP Trust List for Signaling
1. Enable CUBE Application
voice service voip
 ! License count entered here not enforced though this CLI is required to see “show cube” CLI output
 mode border-element license capacity 20
 ! By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP
 allow-connections sip to sip
Configure Call Routing on CUBE
• Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses
• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving calls to & from the PBX
[Diagram: Enterprise Campus (A, CME, SRST); LAN Dial-Peers; Active CUBE and Standby CUBE with High Availability; WAN Dial-Peers; MPLS; IP PSTN; PSTN is now used only for emergency calls over FXO lines]
Understanding Dial-Peer Matching Techniques: LAN & WAN Dial-Peers
• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving calls to & from the PBX
• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending & receiving calls to & from the provider
[Diagram: A, CUCM, SIP Trunk, CUBE, ITSP SIP Trunk, IP PSTN; Inbound Calls: Inbound WAN Dial-Peer, Outbound LAN Dial-Peer]
WAN Dial-Peer Configuration
Inbound Dial-Peer for call legs from SP to CUBE
dial-peer voice 100 voip
 description *** Inbound WAN side dial-peer ***
 ! Specific to your DID range assigned by the SP. No “incoming called-number . ”
 incoming called-number 70247595..$
 ! OR
 incoming uri via tag
 session protocol sipv2
 ! Apply bind to all dial-peers when CUBE has multiple interfaces. Gig0/1 faces SP.
 voice-class sip bind control source gig0/1
 voice-class sip bind media source gig0/1
LAN Dial-Peer Configuration
Inbound Dial-Peer for call legs from CUCM to CUBE
dial-peer voice 300 voip
 description *** Inbound LAN side dial-peer ***
 ! CUCM sending 9 (access code) + All digits dialed
 incoming called-number 9T
 session protocol sipv2
 ! Apply bind to all dial-peers when CUBE has multiple interfaces. Gig0/0 faces CUCM.
 voice-class sip bind control source gig0/0
 voice-class sip bind media source gig0/0
 codec g711ulaw
 dtmf-relay rtp-nte
SIP Listening Port Protection
Default SIP Listen ports are 5060 (UDP/TCP) and 5061 (TLS)
These ports are well-known and can be the target of attacks
Change the SIP Listen port to a different setting that is not well-known
Global setting, i.e. single port per router can be configured
Cannot configure the same listening port for both UDP/TCP and TLS
Cannot reconfigure a SIP listen port when calls are active
RTP Port Range and Phantom Packets
A phantom packet is a valid RTP packet meant for the CUBE or Voice TDM gateway without an
existing signaling session
When a phantom packet is received by the VoIP RTP layers of the gateways, the packet is punted
to the UDP process to check if it is required by any other applications causing performance issues
A malicious attacker can also send a large number of phantom/rogue packets to impact CPU
Configure VoIP port range for phantom packets. If a phantom packet is received on the configured
port, the VoIP RTP layer can safely drop the packet. If a phantom packet is received on any other
port, the VoIP RTP layer punts the packet to the UDP process.
RTP port range on ISR G2 is from 16K to 32K, and 8K to 48K on ISR 4K, ASR1K, and vCUBE
voice service voip
rtp-port range 16384 32766
! applies to the global port table which is all ipaddress outside of the media-address ranges
media-address range 10.10.1.11 10.10.1.11 port-range 16384 32766 ! Internal Interface
media-address range 128.107.214.21 128.107.214.21 port-range 16384 32766 ! External Interface
! the port-range here decides which ports to be used for this media-range
port-range 16384 32766
! used to drop phantom packets within this port-range, no impact on which ports to use
sip
source filter ! Filter out incoming incorrect remote addr/port RTP packets
Close Unused Session Transport Mechanisms
• Close Unused H.323/SIP Ports and Transport Mechanisms
• By default these ports are open when a voice-enabled software load is
deployed on the router (either as a PRI gateway or Cisco UBE).
sip-ua
no transport tcp
no transport udp
SIP Registration/Digest Authentication
• SIP Registration: A SP SIP trunk requiring a registration sequence is
more secure than one that doesn’t. However, many SPs do not
currently support or offer SIP registration.
sip-ua
credentials username 1001 password 0822455D0A16 realm cisco.com
Call Admission Control at the edge...
CUBE provides various CAC mechanisms to safeguard your network from SIP based attacks and to enforce policies based on:
• Total calls
• CPU & Memory
• Call spike detection
• Maximum connections per destination
• Dial-peer or interface bandwidth
call threshold global [total/mem/cpu] calls low xx high yy
call treatment on
If a call spike is detected, reject calls
Call Admission Control Based on Total Calls, CPU and Memory usage
• CUBE provides various different CAC mechanisms – based on Total calls, CPU Utilization & Memory utilization
Configuration on CUBE
Step 1: Set the threshold for Total-Calls
call threshold global total-calls low <low-threshold> high <high-threshold>
Call Admission Control based on Call spikes
Call spike CAC monitors call arrival rate over a moving window of time; calls
exceeding the configured rate threshold are rejected
Protection against unexpected high call volumes, and INVITE-based DOS
attacks
Can be configured globally or on a per dial-peer level
Error code will be sent when a call spike occurs
This error code is also configurable globally or on a per dial-peer level
Call Admission Control based on Call spikes
Configuration on CUBE
call spike call-number [steps number-of-steps size milliseconds]
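The sliding-window behaviour of call spike CAC, modelled as an added Python example (not code from the deck or from Cisco). It assumes the window is number-of-steps buckets of size milliseconds each and that every arriving INVITE counts toward the rate whether or not it is admitted; the class, function and sample arrival times are constructed for illustration.

```python
from collections import deque


class CallSpikeMonitor:
    """Model of `call spike call-number [steps number-of-steps size milliseconds]`.

    The moving window is `steps` buckets of `size_ms` each. Assumption: every
    arrival is counted, admitted or not, because the feature is described as
    monitoring the call arrival rate.
    """

    def __init__(self, call_number, steps, size_ms):
        if call_number < 1 or steps < 1 or size_ms < 1:
            raise ValueError("call_number, steps and size_ms must be positive")
        self.call_number = call_number
        self.steps = steps
        self.size_ms = size_ms
        self._buckets = deque()  # [bucket_index, arrivals], oldest first

    def arrivals_in_window(self):
        return sum(count for _, count in self._buckets)

    def offer(self, t_ms):
        """Record an INVITE arriving at t_ms; return True if it is admitted."""
        idx = t_ms // self.size_ms
        if self._buckets and idx < self._buckets[-1][0]:
            raise ValueError("arrival times must be non-decreasing")
        # Slide the window: discard buckets older than `steps` buckets back.
        while self._buckets and self._buckets[0][0] <= idx - self.steps:
            self._buckets.popleft()
        if self._buckets and self._buckets[-1][0] == idx:
            self._buckets[-1][1] += 1
        else:
            self._buckets.append([idx, 1])
        # Arrivals beyond the threshold inside the window are rejected.
        return self.arrivals_in_window() <= self.call_number


def replay(arrivals_ms, call_number, steps, size_ms):
    """Run a list of INVITE arrival times (ms) through a fresh monitor."""
    monitor = CallSpikeMonitor(call_number, steps, size_ms)
    return [(t, monitor.offer(t)) for t in arrivals_ms]


# Constructed sample: a short burst, then the source backs off.
BURST_THEN_QUIET = [0, 10, 20, 30, 150, 260, 400]
# Constructed sample: one INVITE every 10 ms for a full second.
SUSTAINED_FLOOD = list(range(0, 1000, 10))

if __name__ == "__main__":
    for t, admitted in replay(BURST_THEN_QUIET, call_number=3, steps=2, size_ms=100):
        print(f"t={t:>4} ms  {'admit' if admitted else 'reject'}")
```

Under this model a sustained flood stays rejected for as long as it lasts, because the rejected arrivals keep the window above the threshold; calls are admitted again only after the arrival rate drops.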
Call Admission Control based on Bandwidth
Bandwidth based CAC feature provides a mechanism to limit number of SIP calls based on the aggregate media bandwidth limit either at:
 Dial-Peer level or,
 Interface level
Provides the ability to configure the SIP error response code for calls rejected by this feature
Examples:
dial-peer voice 1 voip
 max-bandwidth 160
Call #1 – 80 Kbps
Call #2 – 80 Kbps
Call #3 – 80 Kbps: Call #3 Rejected by CUBE
At Dial-Peer level
dial-peer voice 1 voip
 destination-pattern 2...
 max-bandwidth 160
 session protocol sipv2
 session target ipv4:9.44.44.9:6080
At Interface level
!
CUBE# call threshold interface GigabitEthernet0/0 int-bandwidth low 120 high 160
!
Media Policing to protect against RTP Floods
The Leaky Bucket Algorithm (LBA) checks the RTP payload in each RTP packet against the expected rate negotiated in SIP signaling and identifies any violation
The LBA then triggers policing actions on the violating RTP packets.
Policing actions can be one of the following:
 Drop all violated packets
 Drop all the violated packets as well as disconnect the call once it reaches the configured number of violations, or
 Ignore the violations
SYSLOG and SNMP trap can be generated to inform the system administrator of a violation.
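A leaky-bucket meter for one RTP stream with the three policing actions listed above, as an added Python example (not code from the deck or from Cisco). The bucket depth burst_bytes, the action names and the packet traces are assumptions made for illustration; the G.711 figures are 64 kbps, i.e. 160 payload bytes every 20 ms.

```python
class RtpLeakyBucket:
    """Leaky-bucket meter for a single RTP stream.

    The bucket drains at the media rate negotiated in SIP signaling and fills
    by each packet's payload length; a packet that would overflow it is a
    violation. `burst_bytes` (bucket depth) and the action names are
    assumptions of this example, not IOS keywords.
    """

    ACTIONS = ("drop", "drop-disconnect", "ignore")

    def __init__(self, rate_bps, burst_bytes, action="drop", max_violations=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action == "drop-disconnect" and not max_violations:
            raise ValueError("drop-disconnect needs max_violations")
        self.bytes_per_ms = rate_bps / 8 / 1000
        self.burst_bytes = burst_bytes
        self.action = action
        self.max_violations = max_violations
        self.level = 0.0          # bytes currently in the bucket
        self.violations = 0
        self.disconnected = False
        self._last_ms = None

    def packet(self, t_ms, payload_len):
        """Meter one packet; return 'forward', 'drop' or 'disconnect'."""
        if self.disconnected:
            return "drop"  # the call was torn down; nothing more is forwarded
        if self._last_ms is not None:
            drained = (t_ms - self._last_ms) * self.bytes_per_ms
            self.level = max(0.0, self.level - drained)
        self._last_ms = t_ms
        if self.level + payload_len <= self.burst_bytes:
            self.level += payload_len
            return "forward"
        # Over the negotiated rate: count the violation, then apply the action.
        self.violations += 1
        if self.action == "ignore":
            return "forward"
        if (self.action == "drop-disconnect"
                and self.violations >= self.max_violations):
            self.disconnected = True
            return "disconnect"
        return "drop"


def police(stream, **bucket_args):
    """Meter a list of (t_ms, payload_len) packets; return (verdicts, violations)."""
    bucket = RtpLeakyBucket(**bucket_args)
    verdicts = [bucket.packet(t, n) for t, n in stream]
    return verdicts, bucket.violations


# Constructed traces: G.711 at its negotiated pace, and the same payload
# arriving four times too fast (every 5 ms instead of every 20 ms).
G711_NORMAL = [(t, 160) for t in range(0, 200, 20)]
G711_FLOOD = [(t, 160) for t in range(0, 35, 5)]

if __name__ == "__main__":
    print(police(G711_NORMAL, rate_bps=64000, burst_bytes=320))
    print(police(G711_FLOOD, rate_bps=64000, burst_bytes=320,
                 action="drop-disconnect", max_violations=3))
```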
NBAR to protect against SIP flooding and UDP attacks at opened RTP ports
Interface configuration
interface GigabitEthernet0/0-1 ! Both Internal and External interfaces
service-policy input throttle
Global configuration
class-map match-any rtp
match protocol rtp
class-map match-any sip
match protocol sip
!
policy-map throttle
class sip
police 8000
class rtp
police 150000
class class-default
police 8000
Control Plane Policing (CoPP) – To prevent packet flooding/Large Rate of packet arrival
ip access-list extended coppacl-udp-icmp
permit udp any host 10.10.1.11 range 16384 32767
permit udp any host 128.107.214.21 range 16384 32767
! ICMP has no ports, so the icmp entries take no port range
permit icmp any host 10.10.1.11
permit icmp any host 128.107.214.21
!
class-map match-all copp-rtp-icmp
match access-group name coppacl-udp-icmp
!
policy-map copp-policy-rtp-icmp
class copp-rtp-icmp
police rate 100 pps conform-action transmit exceed-action drop
!
control-plane
service-policy input copp-policy-rtp-icmp
Proposed Network Topology for Integrated Voice Gateway / Voice Policy Solution based on UC Services API
[Diagram labels: CUBE + TDM GW; Service Provider TDM; VOIP Network; Private TDM Protocols; Call Control CUCM; SIP, MGCP, H323, IP RTP; API features for control & stats, TDM & VOIP Signaling; API features for Media including Media Forking; Voice Policy; SRE; ETM Voice Policy Appliance; Distribution & Aggregation; Secure Logix Voice Policy Server]
http://www.cisco.com/c/dam/en/us/products/collateral/unified-communications/unified-border-element/tdos_brochure.pdf
Voice Security Attacks
CUBE Protection with an External Voice Policy
Threat / Use Case | Mitigation Action provided by CUBE w/ SecureLogix
IVR cycling with repeating DTMF tones in WAVE files | Detect repeated DTMF tones that cause cycling, then take policy action (disconnect, transfer)
Harassing Calls | Detect multiple phone calls from same phone # (or exchange), then take policy action (disconnect, record)
Contact Center abuse | Detect unusual activity from specific phone # or exchange, then take policy action (transfer, record)
Unauthorized Modem Usage | Detect Modem traffic, then take policy action (disconnect)
911 Notification | Detect 911 activity then take policy action (send alert)
Toll Fraud | Detect secondary dial tones then take policy action (disconnect)
Social Network Attacks | Detect call patterns from area codes or exchange then take policy
Unauthorized FAX usage | Limit time of day usage on FAX
Inappropriate use of phones | Detect phone calls to 900 area codes and disconnect
Firewall : General Guidelines
• Purchase SIP Trunking services from a trusted SP
• Use an external Firewall for connections that have both voice and data, though most customers just
use a dedicated circuit for voice
• Have the firewall rules work on data (i.e. Non port 5060 and non UDP port) (setup firewall rules on
CUBE to drop anything that is not voice)
• Use a voip trust list
• When the Firewall is co-located with CUBE on the same platform, ZBFW is only supported on ISR G2 with CUBE collocated, and not on the ASR1K/ISR4K/CSR1000v (vCUBE) series
• Having an MPLS for terminating only SIP traffic from a trusted provider should be sufficient and CUBE
basically acts as a Voice Firewall (address/topology hiding). An external Firewall is still supported and
assumes
• UDP RTP port range and SIP signaling port range is opened up to CUBE
• CUBE is agnostic to the underlying IP path and cannot be behind a NAT
CUBE Firewall Deployment Scenarios
[Diagram 1: F/W between CUBE and ITSP; SIP, H.323, CUBE, SIP Trunk, SP VOIP Services SBC]
[Diagram 2: F/W between CUBE and rest of Enterprise UC Network; SIP, H.323, CUBE, SIP Trunk, SP VOIP Services SBC]
Zone-based Firewall (ISR G2)
Global configuration
class-map match-any throttle_rtp
 match protocol rtp
class-map type inspect sip match-any options-png
class-map type inspect sip match-any sip-match
class-map type inspect sip match-any options-ping
 match request method invite
class-map type inspect match-any sip-protocol
 match protocol sip
class-map type inspect sip match-any options-throttle
 match request method options
class-map match-any sip
 match protocol sip
!
policy-map type inspect sip throttle-Policy
 class type inspect sip options-throttle
  rate-limit 2
policy-map throttle
 class sip
  police 20000
 class throttle_rtp
  police 150000
 class class-default
  police 8000
policy-map throttle_rtp
policy-map type inspect nonoptions-throttle
 class type inspect sip-protocol
  inspect
  service-policy sip throttle-Policy
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security in2out source inside destination outside
 service-policy type inspect nonoptions-throttle
zone-pair security out2in source outside destination inside
 service-policy type inspect nonoptions-throttle
zone-pair security selfout source self destination outside
 service-policy type inspect nonoptions-throttle
zone-pair security outself source outside destination self
 service-policy type inspect nonoptions-throttle
Improving Security through Multi-VRF Call Routing
• Virtual Routing and Forwarding (VRF) is an IP technology that allows multiple instances of a routing table to coexist on the same router at the same time, as opposed to a single global route table. This allows multiple virtual networks within a single network entity, isolating the media and data virtual networks from each other
Multi-VRF Aware Call Routing on CUBE
• Multi-VRF allows one router to accomplish the tasks that multiple routers usually perform, because it provides logical separation of routing instances/tables (and, by implication, address space) within one router; that is, each VRF has its own routing table as opposed to a single global route table
• CUBE allows intra and inter VRF routing of voice and video calls between Service providers and customer networks
• Security can be improved by deploying Multi VRF at the network level
• Overlapping IP addresses and dial plans with the Multi VRF feature provide seamless integration of networks. CUBE can route VoIP calls across different VRFs without the need for Route Leaks
SIP TLS Support
with SRTP
Secure SIP
• Requires deploying both SIP TLS (secure signaling) and SRTP (secure media)
• SRTP-RTP Interworking requires DSPs (secure transcoder) only on ISR G2s. DSPs are not needed
for SRTP-RTP interworking on ISR 4K, ASR 1K, and vCUBE
• CUBE initially supported only TLS v1.0 with following Cipher Suites
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
• CUBE now supports TLS v1.2 with the following Cipher Suites
TLS_DHE_RSA_WITH_AES_128_CBC_SHA1
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS v1.2 is backward compatible ( fallback to TLS v1.0 / TLS v1.1 )
TLS Cipher Suite Category
• Default Ciphers – TLS_RSA_WITH_RC4_128_MD5,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA1,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• Strict Ciphers – TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA1,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• ECDSA Ciphers – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SRTP Support
• CUBE and DSP initially provided SRTP support for the following crypto suites:
AES_CM_128_HMAC_SHA1_32
AES_CM_128_HMAC_SHA1_80
• Since DSP doesn’t support these new crypto suites – CUBE will provide signaling and
media pass-through for the unsupported crypto suites
• CUBE will now be able to pass across crypto attributes (containing any unsupported
crypto suites) as well as media packets (encrypted with unsupported crypto suites)
SRTP Passthrough Configuration (Unsupported
Crypto Suites)
• A CLI has been enhanced to configure/enable pass-through of
unsupported crypto suites:
Global Configuration:
SIP TLS/SRTP support for Microsoft Skype for Business (Lync) Interop
TLS 1.2 support on CUBE
• Secure SIP signaling from either/both Microsoft Skype4Business (Lync) clients or CUCM endpoints to CUBE
• Requires CUBE 11.5 or later
[Diagram: CUCM Cluster, Cisco End Point, Lync Server, Lync Client, CUBE, Internet, IP-PSTN, A; Business to Business, Consumer to Business; legend: SIP over TLS 1.2, SIP over TCP/UDP]
Voice Security Attacks
CUBE Protection at Various Layers (1 of 4)
Columns: SBC Threat / Security Requirement | Network Layer (protects at entry point in the network): ACLs, NBAR, CoPP | Application Layer (CUBE): Protection built in the B2BUA layer

SBC Threat / Security Requirement: Calls/Traffic from untrusted sources
Network Layer: Access Control Lists (ACLs) to Allow/Deny Explicit Sources of Calls
 a. Only allow service provider’s SBC to initiate traffic from PSTN side
 b. Only allow your enterprise call agent (CUCM) to initiate traffic from internal network side
 c. Modifiable port range
Application Layer (CUBE): Toll Fraud prevention using
 a. IP Trust Lists [IOS 15.1(2)T]
 b. Silent-discard CLI – TDoS attack mitigation [IOS 15.3(3)M]
 c. Topology/Address Hiding for both media and signaling
 d. SIP Trunk Registration/Authentication – prevents session hijacking
 e. Option to change well known listening ports
 f. Explicit incoming/outgoing dial-peer matching

SBC Threat / Security Requirement: DoS/TDoS Attacks
 open RTP ports, and crafted packets
Network Layer: Close unused H323/SIP ports and transport mechanisms.
 sip-ua
 no transport tcp
 no transport udp
Voice Security Attacks
CUBE Protection at Various Layers (2 of 4)
Columns: SBC Threat / Security Requirement | Network Layer (protects at entry point in the network): ACLs, NBAR, CoPP | Application Layer (CUBE): Protection built in the B2BUA layer

SBC Threat / Security Requirement: Large Rate of packet arrival, flooding
Network Layer: Control Plane Policing (CoPP policy) implemented with ACLs – limits the rate of packets and mitigates attacks from otherwise Trusted Sources
Application Layer (CUBE):
 • CAC mechanisms based on CPU/memory/bandwidth utilization and total number of calls
 • Call Spike monitors call arrival rate over a moving window of time
 • UC Services API, External Voice Policy, SecureLogix Solution (SIP Flooding)

SBC Threat / Security Requirement: Rogue/Phantom RTP / RTCP packets
Network Layer: Deep packet inspection with ACL and NBAR Policing
Application Layer (CUBE):
 • Define media address and RTP port ranges
 • Source filter - Filters out incoming incorrect remote address/port RTP Packets
 • Automatic checks by IOS Voice code on Call-ID, RTP sequence numbers, SSRC

SBC Threat / Security Requirement: Malformed RTP / RTCP packets
Network Layer: NBAR Policing to classify them as invalid
Application Layer (CUBE): RTP Library check in the IOS Voice code, DSP check
Voice Security Attacks
CUBE Protection at Various Layers (3 of 4)
Columns: SBC Threat / Security Requirement | Network Layer (protects at entry point in the network): ACLs, NBAR, CoPP | Application Layer (CUBE): Protection built in the B2BUA layer

SBC Threat / Security Requirement: Encrypted signaling or media
Network Layer:
 • Service Providers provide SIP trunks over secure VPN
 • IPSec for untrusted WAN segments, deploy TLS/SRTP internally
 • Optional : Front end CUBE with an external FW
 • Most SPs do not offer encrypted SIP Trunks today
Application Layer (CUBE):
 • TLS signed INVITES / Digest Authentication
 • TLS to non-TLS, SRTP Passthru, SRTP/RTP interworking
 • SHA1-80, SHA1-128, SHA1-256 crypto suite

SBC Threat / Security Requirement: Rogue BYEs (ie Bye with Random CallID)
Network Layer: Policed with ACLs and Control Plane Policing
Application Layer (CUBE): Automatic checks at signaling Protocol Stack, Call Leg Transaction checks within IOS Voice code

SBC Threat / Security Requirement: Eavesdropping/Privacy
Network Layer: Encryption
Application Layer (CUBE): SIP-TLS with sRTP, UC Services API, External Voice Policy, SecureLogix Solution
Voice Security Attacks
CUBE Protection at Various Layers (4 of 4)
Columns: SBC Threat / Security Requirement | Network Layer (protects at entry point in the network): ACLs, NBAR, CoPP | Application Layer (CUBE): Protection built in the B2BUA layer

SBC Threat / Security Requirement: Service Theft
Network Layer: ACLs, IPSec
Application Layer (CUBE):
 • Class of Restriction
 • Toll Fraud prevention mechanisms listed above
 • SIP Trunk Registration (authentication/credentials CLI)
 • SIP Hostname Validation
 • Encryption (TLS with SRTP)
 • Monitor CDR from CUBE to scan for call patterns and volumes that may indicate unauthorized use
 • UC Services API, External Voice Policy, SecureLogix Solution
 • TCL (blacklist/whitelist), PIN authorization
Monitoring
CUBE Monitoring
• Network Management Tools can be used to monitor key CUBE statistics like SIP Trunk status, Trunk utilization, Call Arrival Rate, Call Success/Failure count, voice quality metrics etc.
• Network Management Tools can send SNMP Queries to CUBE
Some Network Management Tools:
- Cisco Unified Operations Manager
- Arcana Networks
- Solarwinds
CUBE Monitoring (For Your Reference)
SIP Trunk Status | SIP Trunk Status | SIP OOD Options Ping, CLI dial-peer status
Traffic Reports (Calls, Sessions, Capacity Planning, Errors) | Call Arrival Rate | CUBE 1.4: CISCO-VOICE-DIAL-CONTROL-MIB, cvCallRateMonitor
Traffic Reports (Calls, Sessions, Capacity Planning, Errors) | Call Success/Failure | DIAL-CONTROL-MIB, dialCtlPeerStatsSuccessCalls, dialCtlPeerStatsAcceptCalls, dialCtlPeerStatsFailCalls, dialCtlPeerStatsRefuseCalls; CISCO-SIP-UA-MIB, cSipStatsErrClient, cSipStatsErrServer, cSipStatsGlobalFail
LTRCOL-2310 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 268
Also see BRKNMS-2333
Also see BRKUCC-2670
Prime Collaboration
Prime Collaboration
CUBE Provisioning with Templates
Prime Collaboration - Assurance
CUBE Features Benefits matrix
Feature: Benefit
- Monitoring Cisco Unified Border Element (CUBE): Has built-in knowledge to auto-discover the CUBE system. It also enables the administrator to monitor CPU- and DSP-intensive tasks like Transcoding and MTP session usage. The administrator is notified when usage crosses the configured threshold.
- Detecting SIP trunk Outage: Accurate Option Ping Method based CUBE SIP Trunk outage detection
- Pro-actively Monitoring SIP trunk Utilization: Incoming or Outgoing Call stats to understand call traffic pattern; Incoming or Outgoing Utilization to understand trunk usage pattern
- Detecting DSP failure: Detects and notifies when a DSP chip/card fails that might potentially cause service disruption, such as call drops due to unavailability of resources for transcoding.
- Call Performance metrics: Additional CUBE KPIs such as call stats for deeper monitoring
Prime Collaboration
CUBE Performance metrics
Prime Collaboration - Assurance
CUBE SIP Trunk Usage Monitoring
• Monitors both individual SIP trunk usage and aggregated SIP Route Group usage
• Provides a 7-day trend graph
Prime Collaboration Assurance
CUBE Performance metrics
Prime Collaboration - Analytics
CUBE SIP Trunk Capacity Planning report
Prime Collaboration - Analytics
CUBE SIP Trunk Busy Hour Erlang Capacity Planning report
Introducing ManageExpress® Border Manager
• Simplified provisioning and management
• Uniform policies across all SBCs
• Real time 911/211 alerting and monitoring
• Voice quality monitoring
• Reduce operational costs
• Available on the Cisco price list
Topology with Real Time Monitoring
Voice Quality Metrics
Voice Call Quality Monitoring on CUBE
• Three mechanisms exist to monitor call quality statistics
1. End of call statistics in BYE message, 5 critical call parameters (MoSQe, Delay, Jitter, Loss, OoO)
2. End of call CDRs if configured
3. Real time export of 30+ AQM via Flexible NetFlow
CDR Example or MIB file: CISCO-VOICE-DIAL-CONTROL-MIB
<MOS-Con>4.4072</MOS-Con>
<round-trip-delay>1 ms</round-trip-delay>
<receive-delay>64 ms</receive-delay>
<voice-quality-total-packet-loss>0.0000 %</voice-quality-total-packet-loss>
<voice-quality-out-of-order>0.0000 %</voice-quality-out-of-order>
• CDR will be sent to Radius server at the end of a call if AAA accounting is configured
Audio Quality Monitor using Flexible NetFlow
• AQM uses FNF to export up to 30 voice quality metrics measured by “media monitoring” CLI
• To help the NetFlow collector process the flow record, AQM also reports call-related information such as calling number, called number, call setup time, etc.
FNF Configuration (For Your Reference)
flow record type performance-monitor aqm
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect application voice number called
 collect application voice number calling
 collect application voice setup time
 collect application voice call duration
 collect application voice rx bad-packet
 collect application voice rx out-of-sequence
 collect application voice codec id
 collect application voice play delay current
 collect application voice play delay minimum
 collect application voice play delay maximum
 collect application voice sip call-id
 collect application voice router global-call-id
 collect application voice delay round-trip
 collect application voice delay end-point
 collect application voice r-factor 1
 collect application voice r-factor 2
 collect application voice mos conversation
 collect application voice mos listening
 collect application voice concealment-ratio average
 collect application voice jitter configured type
 collect application voice jitter configured minimum
 collect application voice jitter configured maximum
 collect application voice jitter configured initial
 collect application voice rx early-packet count
 collect application voice rx late-packet count
 collect application voice jitter buffer-overrun
 collect application voice packet conceal-count
!
FNF Configuration – Cont’d (For Your Reference)
Viewing AQM (For Your Reference)
AQM viewing through ARCANA’s MEBM
AQM stats per network segment
Incremental metrics are provided throughout the call
Troubleshooting
Troubleshooting of Calls
Is CUBE Active?
show cube status
CUBE-Version : 9.0
SW-Version : 15.2.1T, Platform 2911
HA-Type : none
Licensed-Capacity : 200
CUBE Debugging
• When debugging in IOS, configure logging buffered to a fairly large value
(based on available memory)
• Disable logging to the console with command ‘no logging console’
• Enable timestamps for debugs
• Make sure router has NTP enabled
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
SIP EO Debug
Example
[Diagram: Internal Network (SIP), 10.1.1.1 | CUBE (B2B User Agent) | 20.1.1.1, External Network (SIP SP), 20.1.1.2]
Sent:
INVITE sip:1000@20.1.1.2:5060 SIP/2.0
Via: SIP/2.0/UDP 20.1.1.1:5060;branch=z9hG4bK1216FC
Remote-Party-ID: <sip:2000@20.1.1.1>;party=calling;screen=no;privacy=off
From: <sip:2000@20.1.1.1>;tag=48AE80-CD8
To: <sip:1000@20.1.1.2>
Date: Wed, 22 Jun 2011 12:33:15 GMT
Call-ID: A2F9661D-9C0211E0-803289BC-624E6E32@9.44.44.71
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 2734093693-2617381344-2150402492-1649307186
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
.........
.........
v=0
o=CiscoSystemsSIP-GW-UserAgent 2026 314 IN IP4 9.44.44.71
s=SIP Call
c=IN IP4 20.1.1.1
t=0 0
m=audio 16950 RTP/AVP 18 101
c=IN IP4 20.1.1.1
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
Outbound INVITE message:
• Sent with destination number as 1000 and IP address 20.1.1.2 on port 5060
• Calling number is 2000; the source IP address of the call is 20.1.1.1
• Cisco-GUID uniquely identifies this call leg
• “c” parameter identifies the IP address (20.1.1.1) that the peer device should send the media to
• “m” parameter identifies:
- the type of call (audio)
- port number for media (16950)
- payload type for the 1st preferred codec (18 for G729)
- dtmf (101 for RFC2833)
• “a” parameter identifies all the codecs and other descriptors for this call leg
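The fields the slide calls out (called and calling number, destination and source address, Cisco-GUID, and the SDP c=, m= and a= lines) can be pulled out of a captured debug programmatically. The Python parser below is an added example, not part of the Cisco material; parse_invite and its dictionary keys are names chosen here, and the message is the one shown above with unused headers left out.

```python
import re

# INVITE and SDP from the debug above; unused headers and "........." lines omitted.
DEBUG_INVITE = """\
INVITE sip:1000@20.1.1.2:5060 SIP/2.0
From: <sip:2000@20.1.1.1>;tag=48AE80-CD8
Call-ID: A2F9661D-9C0211E0-803289BC-624E6E32@9.44.44.71
Cisco-Guid: 2734093693-2617381344-2150402492-1649307186

v=0
o=CiscoSystemsSIP-GW-UserAgent 2026 314 IN IP4 9.44.44.71
s=SIP Call
c=IN IP4 20.1.1.1
t=0 0
m=audio 16950 RTP/AVP 18 101
c=IN IP4 20.1.1.1
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
"""


def parse_invite(text):
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    req = re.match(r"INVITE sip:([^@]+)@([^:;\s]+)(?::(\d+))?", lines[0])
    if not req:
        raise ValueError("not an INVITE request line")
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (ln.partition(":") for ln in lines[1:]) if sep}
    frm = re.search(r"sip:([^@>]+)@([^>;:]+)", headers.get("from", ""))
    call = {"called": req.group(1), "dest_ip": req.group(2),
            "dest_port": int(req.group(3) or 5060),  # 5060 is the SIP default
            "calling": frm.group(1) if frm else None,
            "source_ip": frm.group(2) if frm else None,
            "cisco_guid": headers.get("cisco-guid"), "ip": None, "media": []}
    for line in body.split("\n"):
        kind, _, value = line.strip().partition("=")
        if kind == "c" and value:  # c=IN IP4 <address>: session or media level
            target = call["media"][-1] if call["media"] else call
            target["ip"] = value.split()[-1]
        elif kind == "m":  # m=<type> <port> <proto> <payload types...>
            mtype, port, _proto, *pts = value.split()
            call["media"].append({
                "type": mtype, "port": int(port.split("/")[0]), "ip": call["ip"],
                "payloads": [int(p) for p in pts if p.isdigit()], "codecs": {}})
        elif kind == "a" and value.startswith("rtpmap:") and call["media"]:
            pt, encoding = value[len("rtpmap:"):].split(None, 1)
            call["media"][-1]["codecs"][int(pt)] = encoding
    for media in call["media"]:  # rtpmap entries that the m= line does not offer
        media["unlisted"] = sorted(set(media["codecs"]) - set(media["payloads"]))
    return call
```

On the slide's message the "unlisted" field comes back as [8]: a=rtpmap:8 PCMA/8000 describes a payload type that the m= line (18 101) does not offer.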
CUBE Per-Call Debugging (PCD) (For Your Reference)
1. Define buffers and buffer sizes
per-call num-buffer <num>
per-call buffer-size debug <num>
4. Export debug buffer content
per-call export primary [flash | ftp | http | pram | rcp | tftp] secondary [flash | ftp | http | pram | rcp | tftp]
IOS Embedded Packet capture on ISR-G2
Provides the ability to capture only the traffic of interest from within IOS
Step 1. Configure capture profile
Create profile with name “BRKUCC2934”:
ip traffic-export profile BRKUCC2934 mode capture
 bidirectional
 incoming access-list 123
 outgoing access-list 123
Create access-lists to define “interesting” traffic. In this example, only SIP traffic (TCP/UDP port 5060) is being captured:
access-list 123 permit udp any any eq 5060
access-list 123 permit tcp any any eq 5060
IOS Embedded Packet capture (.. cont’d)
Step 3. Export the pcap file to a server
router# traffic-export interface fa0/0 copy ftp://x.x.x.x/BRKUCC2934_capture.pcap
Export the contents of the buffer to an external FTP server as a PCAP file
Step 4. Display ladder diagram (with Wireshark)
Example:
show call history stats cps
Call History Stats – Graphical or Tabular form
Last 60 sec, 60 minutes, 72 hours
Ability to sort dial-peers
show run dial-peer sort
Total Number of Active Concurrent Calls
Total Number of Active Calls
Avoiding Non-Call-Context Debug Logs
• Many times SIP debugs contain unrelated debugs that are not useful in
debugging issues related to call failures
• Starting CUBE 10.0.1, non-call-context debugs will not be printed when
debug ccsip is issued
• This applies to messages originating from CUBE. Non-call context
INBOUND messages towards CUBE will still be printed when
debug ccsip is issued.
• If a message is not part of any call, that debug will not be printed
• Affected messages: OPTIONS, REGISTER, SUBSCRIBE/NOTIFY
• To see the above OUTBOUND messages in debugs, issue the following
command
debug ccsip non-call
Debugging Made Easier
Categorize Debugs based on Severity
Existing SIP debugs have become too verbose and unmanageable. To minimize verbosity, the SIP-INFO debugs are further categorized based on functionality and level.
Categories are only applicable when CCSIP INFO or ALL debug is enabled.
Router# debug ccsip level <critical | info | notify | verbose>
Level | Severity Level | Description
1 | Critical | Feature-specific errors, things going wrong, resource failures that do not fail the call as such
Debugging Made Easier
Categorize Debugs based on Functionality
Categorization based on Functionality
1. Audio/video/sdp/control
2. Configuration/sip-transport
3. CAC
4. DTMF/FAX/Line-side
5. Registration
6. Sdp-passthrough
7. Sip-profile/SRTP/transcoder
Router# debug ccsip feature < audio | cac | config | control | dtmf | fax | line | misc | misc-features | parse | registration | sdp-negotiation | sdp-passthrough | sip-profiles | sip-transport | srtp | supplementary-services | transcoder | video >
Example: enabling only DTMF and audio debugs, at the default log level.
CUBE#sh debugging
CCSIP SPI: SIP info debug tracing is enabled (filter is OFF)
CCSIP SPI: audio debugging for ccsip info is enabled (active)
CCSIP SPI: dtmf debugging for ccsip info is enabled (active)
Callouts on the slide: Audio(2) debug code, DTMF(32) debug code
IP Trunk Evolution – Cutting edge designs
Media Manipulation & Optimization: Improved quality of speech by Noise Cancellation, Acoustic shock prevention
[Diagram: speech corrupted with background noise]
Cloud Connected Audio
[Diagram: Customer Network, CUBE, SIP Trunk to WebEx, SIP Trunk SP, IP Cloud, Cisco WebEx iPOP, peering connection, Cisco WebEx Collaboration Cloud]
https://cisco.box.com/cube