
SIP Trunking Design & Deployment for On-prem and Webex Calling (VAR Channel)
Hussain Ali, CCIE# 38068 (Voice, Collaboration)
Technical Marketing Engineer

Dilip Singh, CCIE# 16545 (Collaboration)


Technical Leader
BRKCOL-2125
BRKCOL-2125 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

• CUBE Overview, Deployments, and SIP Trunk Sizing


• CUBE Licensing Updates
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE (Call Routing, Multi-Tenancy)
• Call Recording & Intro to CUBE Media Proxy
• Securing Collab deployments with CUBE
• Webex Calling (VAR Channel) – Local Gateway (LGW)

CUBE Overview, Deployments, and SIP Trunk Sizing
On-Prem Collaboration Deployment
[Diagram: Enterprise LAN with Unified CM on one side of the demarc and the ITSP WAN (SIP provider) on the other, with CUBE (interfaces Gig0/0 and Gig0/1) between them and a TDM backup path to the PSTN over PRI/FXO (not available in vCUBE). Addresses shown: 10.10.1.20, 10.10.1.21, 66.77.37.2, 128.107.214.195. Legend: SIP, H.323, RTP.]
CUBE (Enterprise) Product Portfolio [Not to Scale]
[Chart: platforms plotted by Calls Per Second (short duration, 30 sec CHT) against Active Concurrent Voice Calls Capacity. Platforms shown: ISR1100s, ISR-4K (4321, 4331), ISR 4351, ISR 4431, ISR 4451-X, ISR4461, vCUBE (CUBE on CSR), ASR 1001-X, ASR 1002-X, ASR 1004/6 RP2, ASR 1006-X w/RP2. CPS axis bands: <5, 8-12, 15-20, 20-35, 50-100, 50-150. Capacity axis bands: 4, <50, 500-600, 900-1000, 2000-2500, 4000, 4500-6000, 7000-10,000, 12K-14K, 14-16K. Callouts: "Introducing CUBE on ISR1100s, IOS-XE 16.12.1+"; "Introducing CUBE on ISR4461 ~ IOS-XE 17.2.1"; "Starting IOS-XE 16.9".]
CUBE Software Release Mapping
CUBE Version | Initial IOS-XE Release for this CUBE version and Release date | Subsequent IOS-XE Release for this CUBE version
11.5.2 | 16.3.2/16.4.1, Nov 2016 | 16.3.3 - 16.3.9 / 16.4.2 – 16.4.3
11.6.0 | 16.5.1, March 2017 | 16.5.1b – 16.5.3
12.0.0 | 16.6.1, July 2017 | 16.6.2 – 16.6.6
12.0.0 | 16.7.1, Nov 2017 | 16.7.2 – 16.7.3
12.1.0 | 16.8.1, March 2018 | 16.8.2 – 16.8.3
12.1.0 | 16.9.1, July 2018 | 16.9.2 – 16.9.4 – 16.9.5
12.5.0 | 16.10.1a, Nov 2018 | 16.10.2 – 16.10.3
12.6.0 | 16.11.1a, March 2019 | -
12.7.0 | 16.12.1c, July 2019 | 16.12.1a – 16.12.2
12.7.1 | 17.1.1, Nov 2019 | -
TBD | 17.2.1, March 2020 | -
14.0 | 17.3.1, July 2020 | -
TBD | 17.4.1, Nov 2020 | -
Platform Roadmap [Subject to Change]
• CUBE Support for ISR 4461 – March 2020 – IOS-XE 17.2.1
• CUBE support for RP3/ESP100 for the ASR 1000 series platforms that utilize RP3 and ESP100
• CUBE Support for ASR1002-HX – March 2020 – IOS-XE 17.2.1
Sizing On-prem Enterprise CUBE deployments
NOTE: Sizing information is only intended as a guideline. Actual session count will vary based on the number of features enabled on the ISR/ASR/CSR along with CUBE and the IOS-XE version being used.
Numbers listed subject to change
General Guidelines
CUBE Sizing Guidelines
• All deployments for CUBE must be done with the following memory:
  • 16 GB of memory for ASR1K series
  • 8 GB (Control Plane memory) for ISR4400 series
  • 4 GB for ISR4300 series
  • 2 GB for ISR G2 series
• Session count (end to end calls through CUBE) is dependent on the amount of
memory in the box. Numbers listed in the datasheet are based on above
memory requirements being satisfied
• CUBE Media Proxy cannot be co-located with CUBE Enterprise
• CUBE HA has less than 5% impact on number of sessions under full load
• 1 S/W MTP session on the platform = 1 CUBE IPT session
• Complex call flows (Cisco UCCE) can reduce CPS and session count.
With IOS-XE 16.12+, there is significant performance gain for
UCCE call flows
CUBE Sizing Guidelines
• SRTP with SIP TLS : Numbers will vary based on crypto algorithm
and codec used
• SIP Header manipulation through SIP profiles has less than 5%
impact on number of sessions. Impact of SDP manipulation will be
slightly higher compared to SIP headers. For example, 6% for
changing the codec order in the m-lines
• Media forking for call recording can have a 50% impact on IPT
session count regardless of the call type (IPT or UCCE) being
recorded on CUBE Enterprise. This includes SIPREC, CUBE ORA
with Cisco MediaSense, and CUCM NBR.
• Performance numbers will be published for long lived (July)
releases. [16.9, 16.12, 17.3, etc]
Basic IP Telephony Audio Calls
CUBE IP Telephony Session Capacity Summary
CUBE SIP-SIP Audio Session Count (Flow-thru), RTP(G711)-RTP(G711)
Platform | Sessions, IOS-XE 16.6 or earlier | Sessions, IOS-XE 16.12+ | Sustainable CPS, IOS-XE 16.12+
1100 series (Default DRAM) | N/A | 500 | 5
4321 | 100 | 500 | 4
4331 | 500 | 1000 | 10
4351 | 1000 | 2000 | 13
4431 | 3000 | 3000 | 15
4451 | 6000 | 6000 | 40
4461 | N/A | ~10000 (17.2.1) | ~60
CSR1Kv – 1 vCPU¹ (4 GB) | 900 | 1000 | 5
CSR1Kv - 2 vCPU¹ (4 GB) | 900 | 3000 | 20
CSR1Kv - 4 vCPU¹ (8 GB) | 3250 | 6000 | 30
ASR1001-X | 12000 | 12000 | 50
ASR1002-X | 14000 | 14000 | 55
ASR1004/6/6-X RP2/ESP40 | 16000 | 16000 | 70
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
Encrypted Audio Calls
SRTP-RTP
SRTP-SRTP
CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12+), RTP(G711)-RTP(G711) | Impact of sRTP to IPT | Encrypted Audio calls w/SHA1_80, sRTP(G711)-RTP(G711) | CPS
1100 series (Default DRAM) | 500 | 40% | 300 | 2
4321 | 500 | 40% | 300 | 1
4331 | 1000 | 40% | 600 | 3
4351 | 2000 | 62.5% | 750 | 4
4431 | 3000 | 75% | 750 | 4
4451 | 6000 | 65% | 2100 (16.12.2) | 6
4461 | ~10000 (17.2.1) | 1% | 9900 | 55
CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6
CSR1Kv - 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6
ASR1001-X | 12000 | 79% | 2500 | 13
ASR1002-X | 14000 | 55% | 6500 | 36
ASR1004/6/6-X RP2/ESP40 | 16000 | 78% | 3500 | 20
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711) | Impact of sRTP to IPT | Encrypted Audio calls w/GCM128, sRTP(G711)-RTP(G711) | CPS
1100 series (Default DRAM) | 500 | 40% | 300 | 2
4321 (4 GB) | 500 | 40% | 300 | 1
4331 (4 GB) | 1000 | 40% | 600 | 3
4351 (4 GB) | 2000 | 62.5% | 750 | 4
4431 (8 GB) | 3000 | 75% | 750 | 4
4451 (8 GB) | 6000 | 65% | 2100 | 6
CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6
CSR1Kv - 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6
ASR1001-X (16 GB) | 12000 | 80% | 2400 | 13
ASR1002-X (16 GB) | 14000 | 57% | 6000 | 32
ASR1004/6/6-X RP2/ESP40 | 16000 | 80% | 3200 | 18
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711) | Impact of sRTP to IPT | Encrypted Audio calls w/GCM256, sRTP(G711)-RTP(G711) | CPS
1100 series (Default DRAM) | 500 | 40% | 300 | 2
4321 (4 GB) | 500 | 40% | 300 | 2
4331 (4 GB) | 1000 | 40% | 600 | 4
4351 (4 GB) | 2000 | 62.5% | 750 | 4
4431 (8 GB) | 3000 | 75% | 750 | 4
4451 (8 GB) | 6000 | 65% | 2100 | 6
CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6
CSR1Kv - 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6
ASR1001-X (16 GB) | 12000 | 83% | 2000 | 10
ASR1002-X (16 GB) | 14000 | 68% | 4500 | 25
ASR1004/6/6-X RP2/ESP40 | 16000 | 83% | 2700 | 15
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711) | Impact of sRTP to IPT | Encrypted Audio SHA1_80 – GCM128, sRTP(G711) - sRTP(G711) | CPS
1100 series (Default DRAM) | 500 | 70% | 150 | 1
4321 (4 GB) | 500 | 70% | 150 | 1
4331 (4 GB) | 1000 | 70% | 300 | 2
4351 (4 GB) | 2000 | 81% | 375 | 2
4431 (8 GB) | 3000 | 87.5% | 375 | 2
4451 (8 GB) | 6000 | 91% | 540 | 3
CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 85% | 150 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 3000 | 83.3% | 500 | 3
CSR1Kv - 4 vCPU¹ (8 GB) | 6000 | 91% | 540 | 3
ASR1001-X (16 GB) | 12000 | 92% | 1000 | 6
ASR1002-X (16 GB) | 14000 | 79% | 3000 | 16
ASR1004/6/6-X RP2/ESP40 | 16000 | 91% | 1500 | 9
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711) | Impact of sRTP to IPT | Encrypted Audio SHA1_80 – GCM256, sRTP(G711) - sRTP(G711) | CPS
1100 series (Default DRAM) | 500 | 70% | 150 | 1
4321 (4 GB) | 500 | 70% | 150 | 1
4331 (4 GB) | 1000 | 70% | 300 | 2
4351 (4 GB) | 2000 | 81% | 375 | 2
4431 (8 GB) | 3000 | 87.5% | 375 | 2
4451 (8 GB) | 6000 | 91% | 540 | 3
CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 85% | 150 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 3000 | 83.3% | 500 | 3
CSR1Kv - 4 vCPU¹ (8 GB) | 6000 | 91% | 540 | 3
ASR1001-X (16 GB) | 12000 | 92% | 1000 | 5
ASR1002-X (16 GB) | 14000 | 82% | 2500 | 14
ASR1004/6/6-X RP2/ESP40 | 16000 | 91% | 1500 | 8
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
Encrypted Video Calls
SRTP-RTP
SRTP-SRTP
CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Platform | Encrypted video calls w/SHA1_80, sRTP(G711)-RTP(G711) | CPS | Encrypted video calls w/GCM128, sRTP(G711)-RTP(G711) | CPS
1100 series (Default DRAM) | 100 | 1 | 50 | 1
4321 (4 GB) | 100 | 1 | 50 | 1
4331 (4 GB) | 180 | 1 | 100 | 1
4351 (4 GB) | 180 | 1 | 120 | 1
4431 (8 GB) | 180 | 1 | 100 | 1
4451 (8 GB) | 540 | 3 | 180 | 1
CSR1Kv – 1 vCPU¹ (4 GB) | 180 | 1 | 180 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 180 | 1 | 540 | 1
CSR1Kv - 4 vCPU¹ (8 GB) | 540 | 3 | 540 | 3
ASR1001-X (16 GB) | 900 | 5 | 360 | 2
ASR1002-X (16 GB) | 2300 | 13 | 900 | 5
ASR1004/6/6-X RP2/ESP40 | 1250 | 7 | 540 | 3
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Platform | Encrypted video calls w/GCM256, sRTP(G711)-RTP(G711) | CPS | Encrypted Video calls SHA1_80 – GCM128, sRTP(G711) - sRTP(G711) | CPS
1100 series (Default DRAM) | 50 | 1 | 50 | 1
4321 (4 GB) | 50 | 1 | 50 | 1
4331 (4 GB) | 100 | 1 | |
4351 (4 GB) | 110 | 1 | 130 | 1
4431 (8 GB) | 100 | 1 | 115 | 1
4451 (8 GB) | 180 | 1 | 180 | 1
CSR1Kv – 1 vCPU¹ (4 GB) | 180 | 1 | 180 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 180 | 1 | 180 | 1
CSR1Kv - 4 vCPU¹ (8 GB) | 540 | 3 | 180 | 1
ASR1001-X (16 GB) | 360 | 2 | 360 | 2
ASR1002-X (16 GB) | 900 | 5 | 900 | 5
ASR1004/6/6-X RP2/ESP40 | 540 | 3 | 540 | 3
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Platform | Encrypted Video Calls SHA1_80 – GCM256, sRTP(G711) - sRTP(G711) | CPS
1100 series (Default DRAM) | 50 | 1
4321 (4 GB) | 50 | 1
4331 (4 GB) | 110 | 1
4351 (4 GB) | 130 | 1
4431 (8 GB) | 115 | 1
4451 (8 GB) | 180 | 1
CSR1Kv – 1 vCPU¹ (4 GB) | 180 | 1
CSR1Kv - 2 vCPU¹ (4 GB) | 180 | 1
CSR1Kv - 4 vCPU¹ (8 GB) | 180 | 1
ASR1001-X (16 GB) | 360 | 2
ASR1002-X (16 GB) | 900 | 5
ASR1004/6/6-X RP2/ESP40 (16 GB) | 540 | 3
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
Contact Center Calls
CUBE Session Capacity for UCCE (IOS-XE 16.12+)
Platform | Session Capacity (IOS-XE 16.12+), RTP(G711)-RTP(G711) | UCCE Capacity (Prior to IOS-XE 16.12), RTP(G711)-RTP(G711) | UCCE Call Capacity (IOS-XE 16.12+) | Impact of UCCE to IPT | UCCE CPS
1100 series | 500 | N/A | 500 | 0% | 5
4321 | 500 | 125 | 500 | 0% | 3
4331 | 1000 | 250 | 1000 | 0% | 7
4351 | 2000 | 500 | 1500 | 25% | 8
4431 | 3000 | 750 | 1800 | 40% | 10
4451 | 6000 | 1500 | 3600 | 40% | 20
4461 | ~10000 (17.2.1) | N/A | 4680 | 53% | 26
CSR1Kv – 1 vCPU¹ | 1000 | 250 | 500 | 50% | 3
CSR1Kv - 2 vCPU¹ | 3000 | 750 | 3000 | 0% | 20
CSR1Kv - 4 vCPU¹ | 6000 | 1500 | 4250 | 29% | 24
ASR1001-X | 12000 | 3000 | 4250 | 65% | 24
ASR1002-X | 14000 | 3500 | 4250 | 70% | 24
ASR1004/6/6-X RP2 | 16000 | 4000 | 4500 | 72% | 25
¹ CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.
Sample ISR4K CUBE Sizing
• An enterprise is considering a 4451-X for their collab deployment with the following requirements:
  • 500 Unencrypted IPT calls
  • 100 Contact Center (CC) calls
  • Record all CC calls = 100 IPT Calls
  • 50 SRTP-RTP audio calls with SHA1-80
  • 100 SRTP-SRTP audio calls

4451 (6000 IPT Calls) | Ratio to IPT calls | %age IMPACT
IPT Calls | 1 | N/A
UCCE | 1.67 | 40%
Recorded legs | 1.0 | 50%
SRTP-RTP | 2.86 | 65%
SRTP-SRTP | 11.11 | 91%

  500 Unencrypted IPT calls * 1.00 = 500
+ 100 Contact Center calls * 1.67 = 167
+ Record all CC calls = 100 IPT Calls * 1.00 = 100
+ 50 SRTP-RTP audio calls with SHA1-80 * 2.86 = 143
+ 100 SRTP-SRTP audio calls * 11.11 = 1111
TOTAL Capacity in terms of IPT count = 2021
CUBE Licensing Updates
New CUBE Licensing Offer
What is Smart Licensing?
• Smart Licensing is a Cisco wide initiative that provides a License Inventory
Management System which provides Customers, Cisco, and Selected
Partners with information about License Ownership and Use
• All licenses are delivered directly to your cloud based Cisco Smart
Software Manager (CSSM) account allowing you to control where they are
used and monitor how they are used.
• Smart Licenses do not require registration, so no more PAKs
• Smart licenses entitle the CUSTOMER, not the product instance.
Licenses are not node locked.
• Licenses are pooled for flexible
use by devices registered to the
same account
Cisco Unified Border Element (CUBE)
SIP Trunking to a Provider
• The Cisco Unified Border Element (CUBE) feature set delivers Session Border Control (SBC) functionality for Cisco IOS router platforms, enabling highly secure voice and video connectivity between an enterprise IP network and service provider trunk services.
• CUBE performs four critical functions of an SBC:
  • Policy based session management
  • Security enforcement
  • Protocol and media interworking
  • Network demarcation
[Diagram: premise-based call control (IP-PBX) behind a Connection Certified demarcation, connected over MPLS, VPN or Internet to the provider's PE-SBC and SIP Service.]
Simplifying the CUBE Trunk Offer
Current (EoS 15 June 2019): 100+ PIDs
• CUBE License – 5 Sessions (FL-CUBEE-5)
• CUBE License – 5 Sessions Red (FL-CUBEE-5-RED)
• CUBE License – 25 Sessions (FL-CUBEE-25)
• CUBE License – 25 Sessions Red (FL-CUBEE-25-RED)
• CUBE License – 100 Sessions (FL-CUBEE-100)
• CUBE License – 100 Sessions Red (FL-CUBEE-100-RED)
• CUBE License – Cisco ONE (1 Session) (C1-CUBEE-STD) +SWSS
• CUBE License – Cisco ONE (1 Session Red) (C1-CUBEE-RED) +SWSS
• CUBE License – ASR 100 Sessions Red (FLASR1-CE-100R)
• CUBE License – ASR 500 Sessions Red (FLASR1-CE-500R)
• CUBE License – ASR 1,000 Sessions Red (FLASR1-CE-1KR)
• CUBE License – ASR 4,000 Sessions Red (FLASR1-CE-4KR)
• CUBE License – ASR 16,000 Sessions Red (FLASR1-CE-16KR)
• CUBE License – C1 ASR 100 Sessions (C1-A-ASR1CUBEE100P) +SWSS
• CUBE License – C1 ASR 100 Sessions Red (C1-A-ASR1CUBEE100R) +SWSS
• CUBE License – C1 ASR xxxx Sessions xx (C1-A-ASR1CUBEE…) +SWSS

Simplified: 2 options, 3 PIDs!
• CUBE Trunk Standard License – 1 Session (CUBE-T-STD) +SWSS
• CUBE Trunk Redundant License – 1 Session (CUBE-T-RED) +SWSS
• Upgrade to Trunk Redundant License – 1 Session (CUBE-T-RED-UP) +SWSS

CUBE session licenses are common across ISR, CSR and ASR platforms and can be pooled in a Smart Virtual Account.

Note: Platform technology licenses are required to enable CUBE functionality. See later slide.

As part of migration to Smart and SWSS enabled licensing for CUBE, all $0 licenses from router bundles will be removed by end of April 2019. Product Bulletin for the same can be accessed at https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/bulletin-c25-742073.html
New CUBE Offer with Smart Licensing
Cisco Unified Border Element (CUBE) Smart License Options, Top Level “L-CUBE”

Simplified Trunk Offer
• CUBE Standard Trunk License, 1 Session (CUBE-T-STD) +SWSS
• CUBE Redundant Trunk License, 1 Session (CUBE-T-RED) +SWSS
• Upgrade to Redundant Trunk License, 1 Session (CUBE-T-RED-UP) +SWSS

New Lineside Offer
• CUBE Lineside License, 1 Session (CUBE-L-STD) +SWSS

New Media Proxy
• CUBE Media Proxy License, 1 Forked Session (CUBE-MP-RED) +SWSS

Cisco Software Support Service (SWSS) is required for a minimum of 12 months when purchasing CUBE session license(s).
SWSS provides access to software maintenance, updates, upgrades, and technical support.
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.
Cisco Unified Border Element (CUBE)
Lineside
New Offer
• CUBE Lineside features complement hosted call control solutions with:
  • SIP proxy registration of IP phones (Cisco MPP or 3rd party).
  • Service continuity should the hosted service become unavailable.
Note: NanoCUBE RTU licenses will remain available for ISR800 series products only.
[Diagram: third-party call control in the SP cloud (hosted SIP service, cloud-based call control, PE-SBC) reached over business Internet; at the Lineside Connection Certified demarcation, CUBE Lineside fronts the IP phones.]
Cisco Unified Border Element (CUBE)
Media Proxy
New Offer
• Standalone application that extends CUBE trunk session forking to allow a call to be replicated up to five times for media recording redundancy & load balancing and call analytics.
• Supports Mandatory and Optional recorder policy
  • Mandatory: Media proxy tries to fork to the mandatory recorder first. Forking to the remaining recorders will only happen after the connection to the first recorder is successful.
  • Optional: Default policy. Media proxy will establish connection to all recorders, even if any of the recorders fail.
• Secured forking (SRTP – SRTP)
• CUBE Media Proxy Call Scenarios:
  • External calls (inbound/outbound from/to ITSP, PSTN calls)
  • Internal calls (on-prem calls)
  • Contact center
[Diagram: Customer and Employee (Unified CM) calls pass through the CUBE SBC to the CUBE Media Proxy, which forks media to Recording Server 1, Recording Server 2 and Recording Server 3.]
The Road To Smart Licensing
 | IOS XE 16.5 to 16.9 | IOS XE 16.10 | IOS XE 16.11 to 17.1 | IOS XE 17.2 | IOS XE 17.3
Smart Licensing (Platform) | Optional | Only Option | CSSM Register Required | CSSM Register Required | SLE
CUBE Licenses | Paper RTU | Paper RTU | Static Config, Smart Licenses | Dynamic Count only, Smart Licenses | Dynamic Count only, Smart Licenses
CUBE Entitlement | Node Locked | Node Locked | Pooled | Pooled | Pooled
CUBE Trunk – Road to Smart Licensing (SL)
• IOS XE 16.9 and earlier: Smart is optional for the platform (UCK9,
SecK9). CUBE not enabled for SL
• IOS XE 16.10: Smart is the only platform option. CUBE not formally
supported for SL
• IOS XE 16.11 - 17.1: CUBE fully supported for SL. CSSM registration
is required - SIP stack will be disabled in "Eval Expired" licensing state.
Reported licenses manually configured using the 'mode border-element'
command. No policing or enforcement of CUBE license usage
(provided platform is registered).
• IOS XE 17.2 (March 2020): As above, but "mode border-element
license capacity" deprecated and replaced with a dynamic use
calculation.
Migration Offers for CUBE Licenses
License type | Migration offer
CiscoONE Licenses without SWSS | No migration. New licenses required with SWSS
CiscoONE Licenses with SWSS | Use PUT to purchase $0 migration SKUs
RTU Licenses and EoS Platform | No Migration. New licenses required with SWSS
RTU Licenses and Current Platform | No migration. 100% license discount when purchased with SWSS

More information on Sales Connect
CUBE Architecture
Physical vs Virtual
Virtual CUBE (CUBE on CSR 1000v)
Architecture
• CSR (Cloud Services Router) 1000v runs on a Hypervisor – IOS XE without the router
[Diagram: CSR 1000v (virtual IOS-XE) inside an ESXi container. RP (control plane): Chassis Mgr., Forwarding Mgr., IOS-XE, CUBE signaling. ESP (data plane): Chassis Mgr., Forwarding Mgr., QFP Client / Driver, FFP code, CUBE media processing. Both sit on the kernel (incl. utilities) over virtual CPU, memory, flash/disk, console, management Ethernet and Ethernet NICs. Underneath: hypervisor vSwitch and NIC, then the hardware (x86 multi-core CPU, memory banks, GE … GE).]
Virtual CUBE (CUBE on CSR 1000v) – Cont’d
• CSR1000v is a virtual machine, running on an x86 server (no specialized
hardware), with physical resources managed by the hypervisor and shared
among VMs
• Requires APPX (No TLS/SRTP) or AX (All vCUBE features) CSR licensing
package to access voice CLI and increase throughput from 100 kbps
default. CUBE Licensing follows ASR1K SKUs and is still trust based
• No DSP based features (transcoding/inband-RFC2833 DTMF/ASP/NR)
available
• vCUBE tracks only the next vSwitch interface resulting in SSO of vCUBE-HA
only due to software failures (active vCUBE crashing/reloading)
• vCUBE Tested Reference Configurations [UCS base-M2-C460, C220-M3S,
ESXi 5.1.0 & 5.5.0]. ESXi 6.0 supported with IOS-XE 16.3.1 or later

Applicable Roadmap [Subject to Change]
• March 2021– IOS-XE 17.5.1
• CUBE support in AWS / Azure

Step 1: Configure CUCM to route calls to the edge SBC
• Configure CUCM to route all PSTN calls (central and branch) to CUBE (Gig0/0 in our slides) via a SIP trunk
• Make sure all different patterns of calls – local, long distance, international, emergency, informational etc. are pointing to CUBE
[Diagram: SIP trunk pointing to CUBE. Enterprise Campus with CUBE with High Availability (Active and Standby CUBE) connecting to the IP PSTN; Enterprise Branch Offices (SRST, CME, TDM PBX) reached over MPLS. Callout: PSTN is now used only for emergency calls over FXO lines.]
Step 2: Get details from SIP Trunk provider
Item | SIP Trunk service provider requirement | Sample Response
1 | SIP Trunk IP Address (Destination IP Address for INVITES) | 66.77.37.2 or DNS
2 | SIP Trunk Port number (Destination port number for INVITES) | 5060
3 | SIP Trunk Transport Layer (UDP or TCP) | UDP
4 | Codecs supported | G711, G729
5 | Fax protocol support | T.38
6 | DTMF signaling mechanism | RFC2833
7 | Does the provider require SDP information in initial INVITE (Early offer required) | Yes
8 | SBC’s external IP address that is required for the SP to accept/authenticate calls (Source IP Address for INVITES) | 128.107.214.195
9 | Does SP require SIP Trunk registration for each DID? If yes, what is the username & password | No
10 | Does SP require Digest Authentication? | 408-944-7700
Step 3: Enable CUBE Application on Cisco routers
1. Enable CUBE Application
    voice service voip
     ! Required for Smart Licensing today
     mode border-element license capacity 20
     ! By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP
     allow-connections sip to sip

2. Configure any other global settings to meet SP’s requirements
    voice service voip
     ! To increment Rx/Tx counters on IOS-XE based platforms. Without this CLI,
     ! it will show 0/0 (CPU intensive CLI)
     media bulk-stats
     sip
      early-offer forced

3. Create a trusted list of IP addresses to prevent toll-fraud
    voice service voip
     ! Applications initiating signaling towards CUBE, e.g. CUCM, CVP, Service Provider’s SBC.
     ! IP addresses from dial-peers with “session target ip” or Server Group are trusted
     ! by default and need not be populated here
     ip address trusted list
      ipv4 66.77.37.2 ! ITSP SIP Trunk
      ipv4 10.10.1.20 ! CUCM
     sip
      ! Default configuration starting XE 3.10.1 / 15.3(3)M1 to mitigate TDoS attack
      silent-discard untrusted
Step 4: Configure Call routing on CUBE

• Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses

• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving call
legs to and from the PBX. Always bind LAN interface(s) on CUBE to LAN dial-peers, ensuring
SIP/RTP is sourced from the intended LAN interfaces(s)

• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending and
receiving call legs to and from the ITSP. Always bind CUBE’s WAN interface(s) to WAN dial-
peer(s).
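
An added example, not part of the original slides: a small Python audit that checks a saved running-config for the toll-fraud settings from Step 3 and the dial-peer interface binding rule from Step 4. The sample config is constructed; `no ip address trusted authenticate` is an IOS command that does not appear on the slides, and `expected_peers` is a hypothetical input supplied by the reviewer.

```python
import ipaddress
import re

# Constructed sample: the Step 3 trust list plus one over-broad entry,
# an explicit "no silent-discard untrusted", and a dial-peer without a media bind.
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 66.77.37.2
  ipv4 10.10.1.20
  ipv4 10.10.0.0 255.255.0.0
 allow-connections sip to sip
 sip
  no silent-discard untrusted
!
dial-peer voice 100 voip
 session protocol sipv2
 incoming called-number 8T
 voice-class sip bind control source-interface Gig0/0
 voice-class sip bind media source-interface Gig0/0
!
dial-peer voice 201 voip
 session protocol sipv2
 session target ipv4:66.77.37.2
 voice-class sip bind control source-interface Gig0/1
"""


def blocks(config):
    """Group an IOS-style config into {top-level line: [stripped child lines]}."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            out.setdefault(current, [])   # repeated sections are merged
        elif current is not None:
            out[current].append(raw.strip())
    return out


def audit(config, expected_peers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cfg = blocks(config)
    vsv = cfg.get("voice service voip", [])

    # Toll-fraud prevention switched off entirely (command not shown on the slides).
    if "no ip address trusted authenticate" in vsv:
        findings.append("toll-fraud: trusted-address authentication is disabled")
    # Step 3 lists "silent-discard untrusted" as the default; flag an explicit negation.
    if "no silent-discard untrusted" in vsv:
        findings.append("tdos: 'no silent-discard untrusted' is configured")

    # Trust-list entries: flag whole subnets and hosts the reviewer did not expect.
    expected = {ipaddress.ip_address(p) for p in expected_peers}
    for line in vsv:
        parts = line.split()
        if parts[0] != "ipv4":
            continue
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        net = ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)
        if net.num_addresses > 1:
            findings.append(f"trust-list: {net} trusts a whole subnet")
        elif net.network_address not in expected:
            findings.append(f"trust-list: {net.network_address} is not an expected peer")

    # Step 4: every VoIP dial-peer should bind SIP control and media to an interface.
    # (A bind inherited from global or tenant config is not visible to this check.)
    for head, body in cfg.items():
        m = re.match(r"dial-peer voice (\d+) voip$", head)
        if not m:
            continue
        for kind in ("control", "media"):
            prefix = f"voice-class sip bind {kind} source-interface "
            if not any(l.startswith(prefix) for l in body):
                findings.append(
                    f"dial-peer {m.group(1)}: SIP {kind} is not bound to a source interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["66.77.37.2", "10.10.1.20"]):
        print(finding)
```
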
Applicable Roadmap [Subject to Change]
• July 2020 – IOS-XE 17.3.1
• CUBE to be enabled for Opus codec negotiation
• Trust List will be bypassed for validated CN/SAN

• Nov 2020 – IOS-XE 17.4.1


• DNS Informed Trust lists
• H.323 Deprecation

SIP Normalization
SIP profiles is a mechanism to normalise or customise SIP at the network border to provide interop between incompatible devices.
SIP incompatibilities arise due to:
• A device rejecting an unknown header (value or parameter) instead of ignoring it
• A device expecting an optional header value/parameter or can be implemented in multiple ways
• A device sending a value/parameter that must be changed or suppressed (“normalised”) before it leaves/enters the enterprise to comply with policies
• Variations in the SIP standards of how to achieve certain functions
• With CUBE 10.0.1 SIP Profiles can be applied to inbound SIP messages as well

Add user=phone for INVITEs
    Incoming to CUBE: INVITE sip:5551000@sip.com:5060 SIP/2.0
    Outgoing from CUBE: INVITE sip:5551000@sip.com:5060 user=phone SIP/2.0

    voice class sip-profiles 100
     rule 1 request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
     rule 2 request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Modify a “sip:” URI to a “tel:” URI in INVITEs
    Incoming to CUBE: INVITE sip:2222000020@9.13.24.6:5060 SIP/2.0
    Outgoing from CUBE: INVITE tel:2222000020 SIP/2.0

    voice class sip-profiles 100
     rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
     rule 20 request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
     rule 30 request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"

More information at http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/118825-technote-sip-00.html
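
An added example, not part of the original slides: a Python sketch that parses the three `tel:` rules above and applies them to a constructed INVITE, so a rule set can be checked offline before it is applied on CUBE. It uses Python's `re` module as an approximation of the IOS regex engine, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    number: int
    method: str
    header: str
    pattern: str
    replacement: str


# Rules copied verbatim from the slide.
PROFILE_100 = r'''
voice class sip-profiles 100
 rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
 rule 20 request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
 rule 30 request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"
'''

# Constructed sample, based on the INVITE shown elsewhere in the deck.
SAMPLE_INVITE = """\
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
"""

RULE_RE = re.compile(
    r'^\s*rule\s+(\d+)\s+request\s+(\S+)\s+sip-header\s+(\S+)'
    r'\s+modify\s+"(.*?)"\s+"(.*)"\s*$'
)


def parse_profile(text: str) -> List[Rule]:
    """Extract 'rule N request <method> sip-header <hdr> modify "p" "r"' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5)))
    return sorted(rules)          # rules run in rule-number order


def apply_profile(rules: List[Rule], message: str) -> str:
    """Apply request rules to one SIP request and return the rewritten text."""
    lines = message.strip().splitlines()
    method = lines[0].split()[0]
    for rule in rules:
        if rule.method not in (method, "ANY"):
            continue
        if rule.header == "SIP-Req-URI":        # the request line itself
            lines[0] = re.sub(rule.pattern, rule.replacement, lines[0], count=1)
            continue
        for i, line in enumerate(lines[1:], start=1):
            if not line:                        # blank line ends the headers
                break
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == rule.header.lower():
                lines[i] = name + ":" + re.sub(
                    rule.pattern, rule.replacement, value, count=1)
    return "\n".join(lines)


if __name__ == "__main__":
    print(apply_profile(parse_profile(PROFILE_100), SAMPLE_INVITE))
```

In this approximation `(.*)` is greedy, so a From or To value containing a second `@` keeps everything up to the last one, including the original host; rules 20 and 30 are worth testing against malformed headers before relying on them to hide internal addresses.
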
Applicable Roadmap [Subject to Change]
• Nov 2020 – IOS-XE 17.4.1
• Conditional SIP Header modification, i.e. apply SIP profile if a certain condition(s) is/are met. E.g., remove diversion header if content in diversion header contains 41 but NOT no-answer
    request ANY sip-header Diversion remove "(/==/41)(/!=/no-answer)"
CUBE Dial-Peers
Advanced Call Routing
[Diagram: CUCM (198.18.133.3) connects over the CUCM SIP Trunk to CUBE G0/0; CUBE G0/1 connects over the ITSP SIP Trunk to the provider (10.1.40.11). Outbound calls use the inbound LAN dial-peer and the outbound WAN dial-peer; inbound calls use the inbound WAN dial-peer and the outbound LAN dial-peer.]

Inbound LAN Dial-Peer (outbound calls)
    dial-peer voice 100 voip
     description *Inbound LAN dial-peer. From CUCM to CUBE*
     session protocol sipv2
     incoming called-number 8T
     voice-class sip bind control source-interface Gig0/0
     voice-class sip bind media source-interface Gig0/0
     dtmf-relay rtp-nte
     codec g711ulaw
     no vad

Outbound WAN Dial-Peer (outbound calls)
    dial-peer voice 201 voip
     description *Outbound WAN dial-peer. From CUBE to SP*
     destination-pattern 81[2-9]..[2-9]......$
     session protocol sipv2
     session target ipv4:10.1.40.11
     session transport udp
     voice-class sip bind control source-interface Gig0/1
     voice-class sip bind media source-interface Gig0/1
     dtmf-relay rtp-nte
     codec g711ulaw
     no vad

Outbound LAN Dial-Peer (inbound calls)
    dial-peer voice 101 voip
     description *Outbound LAN dial-peer. From CUBE to CUCM*
     translation-profile outgoing CUBE_to_CUCM
     destination-pattern +1408944....$
     session protocol sipv2
     session target ipv4:198.18.133.3
     voice-class sip bind control source-interface Gig0/0
     voice-class sip bind media source-interface Gig0/0
     dtmf-relay rtp-nte
     codec g711ulaw
     no vad

Inbound WAN Dial-Peer (inbound calls)
    dial-peer voice 200 voip
     description *Inbound WAN dial-peer. From Provider to CUBE*
     session protocol sipv2
     incoming uri via 200
     voice-class sip bind control source-interface Gig0/1
     voice-class sip bind media source-interface Gig0/1
     dtmf-relay rtp-nte
     codec g711ulaw
     no vad

    voice class uri 200 sip
     host ipv4:10.1.40.11
Applicable Roadmap [Subject to Change]
• July 2020 – IOS-XE 17.3.1
• Operational DP binding (enhancement CSCve59988) –
DP – support live bindings on dial-peers and tenants with
no active calls
• Nov 2020 – IOS-XE 17.4.1
• Codec Reordering with Voice class codec priority list, i.e.,
rewrite codec list for EO-EO sessions according to VCC
priority list, ignoring incoming SDP’s codec order

Understanding Inbound Dial-Peer Matching Techniques

Priority  Match
1         Match based on URI of an incoming INVITE message
          (Exact Pattern match; Host Name/IP Address; User portion of URI; Phone-number of tel-uri)
2         Match based on Called Number
3         Match based on Calling number
4         Default Dial-Peer 0

[Diagram: A - CUCM SIP Trunk - CUBE - SP SIP Trunk - IP PSTN. The Inbound LAN Dial-Peer handles Outbound Calls; the Inbound WAN Dial-Peer handles Inbound Calls.]

Received:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........
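The inbound matching order above, worked through on the slide's sample INVITE. This is an added example, not Cisco code: the dial-peer dictionaries, their field names, the simplified pattern translation (only `.`, `[..]`, `T` and a trailing `$`) and "first match within a tier wins" are assumptions made for illustration.

```python
import re

# The sample INVITE from the slide (headers only, SDP omitted), embedded so this runs offline.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:654321@10.2.1.1 SIP/2.0",
    'Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0',
    'From: "555" <sip:555@10.1.1.1:5060>;tag=1',
    "To: ABC <sip:654321@10.2.1.1:5060>",
    "Call-ID: 1-23955@10.1.1.1",
    "CSeq: 1 INVITE",
    "Contact: sip:555@10.1.1.1:5060",
    "Max-Forwards: 70",
    "",
    "",
])

# Hypothetical inbound dial-peers, constructed for this example (not from the slides).
DIAL_PEERS = [
    {"tag": 300, "calling": "555"},            # priority 3: calling number
    {"tag": 100, "called": "65....$"},         # priority 2: called number
    {"tag": 200, "uri_via_host": "10.1.1.1"},  # priority 1: URI (host of the topmost Via)
]


def parse_invite(text):
    """Extract the fields the matching tiers look at from a raw INVITE."""
    lines = text.split("\r\n")
    req = re.match(r"INVITE\s+sips?:(?:([^@\s;]+)@)?([^:;\s]+)", lines[0])
    if req is None:
        raise ValueError("not an INVITE request line")
    fields = {"called": req.group(1) or "", "request_host": req.group(2),
              "via_host": "", "calling": ""}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "via" and not fields["via_host"]:  # topmost Via only
            m = re.match(r"SIP/2\.0/\w+\s+([^:;\s]+)", value)
            fields["via_host"] = m.group(1) if m else ""
        elif name == "from":
            m = re.search(r"sips?:([^@>;]+)@", value)
            fields["calling"] = m.group(1) if m else ""
    return fields


def pattern_to_regex(pattern):
    """Translate a subset of dial-peer number patterns into a Python regex.

    Assumption: the pattern is anchored at the start; a trailing '$' or a 'T'
    also anchors the end, otherwise it is treated as a prefix match.
    """
    out, i, end_anchor = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            out.append(r"\d")
        elif ch == "T":
            out.append(r"\d*")
            end_anchor = True
        elif ch == "$" and i == len(pattern) - 1:
            end_anchor = True
        elif ch == "[":
            close = pattern.index("]", i)
            out.append(pattern[i:close + 1])
            i = close
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + ("$" if end_anchor else ""))


def select_inbound(invite_text, dial_peers):
    """Return (dial-peer tag, tier) following the slide's priority order."""
    inv = parse_invite(invite_text)
    for dp in dial_peers:  # priority 1: URI of the incoming INVITE
        if dp.get("uri_via_host") and dp["uri_via_host"] == inv["via_host"]:
            return dp["tag"], "uri"
    for tier in ("called", "calling"):  # priorities 2 and 3
        for dp in dial_peers:
            if dp.get(tier) and pattern_to_regex(dp[tier]).match(inv[tier]):
                return dp["tag"], tier
    return 0, "default"  # priority 4: default dial-peer 0


if __name__ == "__main__":
    print(select_inbound(SAMPLE_INVITE, DIAL_PEERS))
```

Removing dial-peers from the list one tier at a time shows the same INVITE falling through to the called-number match, then the calling-number match, and finally dial-peer 0.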
Outbound Dial-Peer Matching Criteria Summary

Priority  Match
0         Match based on DPG, DPPP, COR/LPCOR if configured
1         Match based on URI of incoming INVITE message
          (Exact Pattern match; Host Name/IP Address; User portion of URI; Phone-number of tel-uri)
2         Match based on Called Number

[Diagram: A - CUCM SIP Trunk - CUBE - SP SIP Trunk - IP PSTN. The Outbound WAN Dial-Peer handles Outbound Calls; the Outbound LAN Dial-Peer handles Inbound Calls.]

Received:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........
Destination Server Group
• Allows multiple destinations (session targets) to be defined in a group and
applied to a single outbound dial-peer
• Once an outbound dial-peer is selected to route an outgoing call, multiple
destinations within a server group will be sorted in either round robin or
preference [default] order
• This reduces the need to configure multiple dial-peers with the same
capabilities but different destinations. E.g. Multiple subscribers in a cluster

voice class server-group 1
 hunt-scheme {preference | round-robin}
 ipv4 1.1.1.1 preference 5
 ipv4 2.2.2.2
 ipv4 3.3.3.3 port 5065 preference 3
 ipv6 2010:AB8:0:2::1 port 5065 preference 3
 ipv6 2010:AB8:0:2::2

dial-peer voice 100 voip
 description Outbound DP
 destination-pattern 1234
 session protocol sipv2
 codec g711ulaw
 dtmf-relay rtp-nte
 session server-group 1

* DNS target not supported in server group
Applicable Roadmap [Subject to Change]

• July 2020 – IOS-XE 17.3.1


• Server Groups will offer huntstop based on configurable
SIP response codes (e.g. 404) to prevent hunting to the
next entry within the server group along with the dial-peer

Multiple Number Patterns Under Same Incoming/Outgoing Dial-peer

[Diagram: A - SIP Trunk - CUBE - SP SIP Trunk - IP PSTN]

G729 Sites
 Site A  2000
 Site B  (510)100-1000
 Site C  (408)100-1000

! Up to 1000 entries in a pattern map
voice class e164-pattern-map 300
 e164 200.
 e164 510100100.
 e164 408100100.

dial-peer voice 1 voip
 description Inbound DP via Calling
 incoming calling e164-pattern-map 300
 codec g729r8

G711 Sites
 Site A  (919)200-2010
 Site B  (510)100-1010
 Site C  (408)100-1010

! Up to 5000 entries in a text file
voice class e164-pattern-map 400
 url flash:e164-pattern-map.cfg

dial-peer voice 2 voip
 description Outbound DP via Called
 destination e164-pattern-map 400
 codec g711ulaw

! This is an example of the contents of E164 patterns text file stored
! in flash:e164-pattern-map.cfg
9192002010
5101001010
4081001010
<blank line>
Destination Dial-peer Group

voice class dpg 10000
 description Voice Class DPG for SJ
 dial-peer 1001 preference 1
 dial-peer 1002 preference 2
 dial-peer 1003
!
dial-peer voice 100 voip
 description Inbound DP
 incoming called-number 1341
 destination dpg 10000

dial-peer voice 1001 voip
 destination-pattern BAD
 session protocol sipv2
 session target ipv4:10.1.1.1
!
dial-peer voice 1002 voip
 destination-pattern BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.2
!
dial-peer voice 1003 voip
 destination-pattern BAD.BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.3

Received:
INVITE sip:1341@CUBE-IP-ADDRESS:5060
Sent:
INVITE sip:1341@10.1.1.3:5060

1. Incoming Dial-peer is first matched
2. Now the DPG associated with the INBOUND DP is selected
Multi-Tenancy
Multiple Tenants on CUBE

• Every Registrar/User Agent/ITSP connected to CUBE can be considered a Tenant to CUBE
• Allows specific global configurations (CLI under sip-ua) for multiple
tenants such as specific SIP Bind for REGISTER messages
• Allows differentiated services for different tenants
“Voice class Tenant” Overview
• Most configs under “sip-ua” and “voice service voip” added in “voice class tenant <tag>”,
e.g. Registrar and Credentials CLI under tenant using different bind and outbound proxy

Prior to Multi Tenancy
sip-ua
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 registrar 2 ipv4:70.70.70.70:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
voice service voip
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/1

[Diagram: E164 - aaaa to Registrar - 1 and E164 - bbbb to Registrar - 2, both through the Global OB Proxy and Bind]

With Voice Class Tenant (Multi-Tenancy)
voice class tenant 1
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/0
voice class tenant 2
 registrar 1 ipv4:70.70.70.70:9052 expires 3600
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
 outbound-proxy ipv4:10.64.86.40:9040
 bind control source-interface GigabitEthernet0/1

[Diagram: E164 - aaaa to Registrar - 1 through OB Proxy 1 & Bind-1; E164 - bbbb to Registrar - 1 through OB Proxy 2 & Bind-2]
Configuring Voice Class Tenant
• Configure voice class tenant

! Add new voice class tenant
voice class tenant 1
 registrar 1 ipv4:10.64.86.35:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials number bbbb username bbbb password 7 110B1B0715 realm bbbb.com
 bind control source-interface GigabitEthernet0/0
 bind media source-interface GigabitEthernet0/0
 copy-list 1
 outbound-proxy ipv4:10.64.86.35:9055
 early-offer forced

• Apply tenant to the desired dial-peer

! Apply Tenant to a Dial-peer
dial-peer voice 1 voip
 destination-pattern 111
 session protocol sipv2
 session target ipv4:10.64.86.35:9051
 session transport udp
 voice-class sip tenant 1
External/PSTN
Call Recording
External/PSTN Call Recording Options
• CUBE Controlled (Dial-peer based SIPREC)
• SIPREC based, CUBE sends metadata in XML format
• Dial-peer controlled, IP-PBX independent
• Source of recorded media (RTP only) is always CUBE (External calls only).
• Records both audio and video calls and supported with CUBE HA

• CUCM NBR (Network Based Recording)
• CUCM Controlled & triggered, requires UC Services API be enabled on CUBE
• Audio calls only
• Source of Recorded Media can be CUBE (Gateway Preferred) or Phone based (BiB)
Introducing CUBE Media Proxy
Existing Recording Architectures
• Current recording architectures allow only one fork from each leg
(in-leg/out-leg) to only one recorder
• No support for forking secure RTP stream
• MiFID II Compliance requirements:
• Support for more than one recorder
• High Availability (Redundancy)
• Secure forking
• Call scenarios support
• External calls (inbound/outbound from/to ITSP, PSTN calls)
• Internal calls (on-prem calls)
• Contact center
• Common Metadata
CUBE Media Proxy: Overview
• Media proxy is based on CUBE architecture
• Supports the same ISR 4Ks, ASR1Ks, CSR1K on which CUBE is supported
today
• Call Recording mechanism (triggers) is CUCM NBR based (GW based and
Phone BiB)
• Media proxy is designed to fork media to multiple recorders i.e. multiple
forked legs, and supports up to 5 recorders
• CUBE Media Proxy High Availability is also supported
• CUSP (Optional) supports Media proxy with recorder redundancy and load
balancing
• Secured forking (SRTP – SRTP) for Phone Based (BiB) recording

CUCM NBR GW forking to Media Proxy

[Diagram: CUBE (SIP, RTP) forks RTP to the Media Proxy, which forks RTP to Recorder1, Recorder2 and Speech Analytics; the numbers 1 to 6 on the diagram refer to the steps below]

0. CUCM registers to CUBE as an external XMF Application (using UC GW services API – CUCM NBR)
1,2. Initial call setups via CUBE-Ent
3. CUCM sets up SIP (recording) session with CUBE Media Proxy (offer/answer) with dummy port
4. MP destination IP/port obtained in Step-3 relayed by CUCM to CUBE via XMF API interface (HTTP)
5. CUBE-Ent starts to fork media streams to the MP (target ip/port received in Step-4). MP accepts RTP because of
Media latching in the inbound leg from CUCM
6. MP sets up SIP recording sessions with the 3 Recorders for multi-fork.
The ingress media stream from CUBE-Ent is then multi-forked by MP towards the 3 recorders simultaneously using
the destination ip/ports as negotiated in the SIP offer/answer b/w MP and the Recorders.
CUBE Media Proxy: Design requirements
• Video call Recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported
• CUBE Media Proxy and CUBE cannot be co-located
• Mid-call signaling updates from Recorders are not supported
• Early offer from CUCM to Media Proxy is required
• No support for SRTP fallback
• Media Proxy sends metadata to the recorders (FROM header)

CUBE Media Proxy Capacities
Media Proxy: Capacity for Various Platforms (IOS-XE 16.12+)

CUBE Media Proxy Capacity is listed by Number of Recorders (One, Two, Three, Four, Five).

Platform                            Max IPT Calls   CUBE Media Proxy Capacity
1100 (Default DRAM) / 4321 (4GB)    500             350
4331 (4GB)                          1000            700
4351 (4 GB)                         2000            900
4431 (8 GB - CP)                    3000            1000
4451 (8 GB - CP)                    6000            3000
CSR1Kv – 1 vCPU1 (4 GB)             1000            90
CSR1Kv - 2 vCPU1 (4 GB)             3000            1100
CSR1Kv - 4 vCPU1 (8 GB)             6000            TBD
1002-X (16 GB)                      14000           4500
1004/6/6-X RP2/ESP40 (16 GB)        16000           4500
Applicable Roadmap [Subject to Change]

• July 2020 – IOS-XE 17.3.1


• SIPREC support for Media Proxy

Security Updates
Secure SIP Trunks with CUBE

[Diagram: CUBE between the LAN (Gig0/0/0) and the WAN (Gig0/0/1, towards the SP IP Network); labels on the legs: SIP TLS, TCP/UDP, SRTP, RTP]

• Interworking between all three transport types is supported : UDP/TCP/TLS
• IOS-XE based platforms do not require DSPs for SRTP-RTP interworking
• TLS Exclusivity can be configured with “transport tcp tls v1.2”
• NGE Crypto supported for SRTP-SRTP (IOS-XE 16.5.2) [Crypto A – Crypto
B], SRTP-RTP, SRTP pass-thru
IOS-XE 16.11.1 or later Security Readiness changes
• For IOS-XE 16.11.1 or later, a master key must be pre-configured for
passwords before they can be used in authentication, credentials and/or
shared-secret CLIs

• It is mandatory to specify the encryption type for the password

• Type 6 passwords are encrypted using the AES cipher and a user-defined
master key

• The master key is never displayed in the configuration

• If the master key configuration is removed, Type 6 passwords can never
be decrypted, which may result in authentication failure
IOS-XE 16.11.1+ Security Configuration Requirement
LocalGateway#conf t
LocalGateway(config)#key config-key password-encrypt Password123
LocalGateway(config)#password encryption aes

• If master key is not pre-configured, there will be an error shown when the
password is configured

LocalGateway(config-sip-ua)#authentication username ali password 0 hussain123
Failed type 6 encryption on password

• If password type 0 is used, it will be stored as type 6 AES encrypted password in
configuration

LocalGateway#show run | include credentials
credentials number Hussain6346_LGU username Hussain2572_LGU password 6 FbG\XYVJV\cPeMhMRFSFNINTIMZecQPD_Bbg realm BroadWorks
IOS-XE 16.11.1 Security Configuration Requirement
• Dial-peer, SIP-UA, Tenants, and STUN authentication credentials/shared
secrets will use the new Secure reversible encryption Type 6 AES format
password
LocalGateway(config-sip-ua)#authentication username ali password ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
7 Specifies a HIDDEN password will follow

• Type 6 only accepts password formats such as
”YXMOEfOePAJhNCKXbU^CYYAR^aJJ`Sa_S”. Hence recommendation is to use
password type 0 which will be saved as type 6 in the configuration

• The encryption type 7 is supported in IOS XE Release 16.11.1a, but will be
deprecated in the later releases
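A way to check a saved running-config against the password requirements on the three slides above: flag `credentials` and `authentication` lines still stored as type 0 or type 7, and confirm `password encryption aes` is present. This is an added example, not Cisco tooling; the config excerpt and every secret in it are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt; user names and secrets are placeholders.
SAMPLE_CONFIG = """\
password encryption aes
!
voice class tenant 200
  credentials number EXAMPLE_LGU username EXAMPLE_USER password 6 PLACEHOLDERTYPE6BLOB realm BroadWorks
  authentication username EXAMPLE_USER password 0 PlaceholderCleartext realm BroadWorks
!
sip-ua
  credentials username aaaa password 7 0000000000 realm aaaa.com
  authentication username ali password 0 AnotherPlaceholder
"""

# Password types from the CLI help on the slide: 0 unencrypted, 6 encrypted, 7 hidden.
SECRET_RE = re.compile(
    r"^\s*(?P<cli>credentials|authentication)\b.*?"
    r"\bpassword\s+(?P<type>[067])\s+(?P<secret>\S+)"
)
VERDICT = {"0": "cleartext", "7": "type7-deprecated"}  # type 6 is the expected format


def audit_config(text):
    """Return whether AES password encryption is on, plus every non-type-6 secret.

    The master key itself cannot be checked this way: per the slides it is
    never displayed in the configuration.
    """
    aes_enabled = False
    findings = []
    section = "global"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.strip() == "password encryption aes":
            aes_enabled = True
        elif line and not line[0].isspace() and line != "!":
            section = line  # an unindented line opens a new config section
        m = SECRET_RE.match(line)
        if m and m.group("type") in VERDICT:
            # Never echo the secret itself into the report.
            redacted = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
            findings.append({
                "line": lineno,
                "section": section,
                "cli": m.group("cli"),
                "kind": VERDICT[m.group("type")],
                "text": redacted.strip(),
            })
    return {"aes_enabled": aes_enabled, "findings": findings}


def needs_action(report):
    """True when the config does not meet the type 6 expectation."""
    return (not report["aes_enabled"]) or bool(report["findings"])


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("password encryption aes:", report["aes_enabled"])
    for f in report["findings"]:
        print(f'line {f["line"]} [{f["section"]}] {f["kind"]}: {f["text"]}')
```

A type 0 entry surviving in a saved configuration is worth a closer look, since the slides state that type 0 input is stored as type 6 once the master key and AES encryption are configured.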
Webex Calling
(VAR Channel)
Local Gateway (LGW)
Webex Calling (VAR) - Local Gateway Deployment
• Enables BYoPSTN option for Webex Calling
• Provides connectivity to a customer-owned PSTN service
• May also provide connectivity to an on-premises IP PBX or dedicated SBC/PSTN GW
• Endpoint registration is NOT proxied through Local Gateway, unlike CUBE
Lineside. Endpoints directly register to Webex Calling over the Internet.
• All communication between Webex Calling and endpoints/LGW is secured
(SIP TLS/sRTP)

[Diagram: Customer Site (Local Gateway, SBC or IP PBX, Webex Calling Endpoints, PSTN) connected over the Internet to Cisco Webex Calling]
Local Gateway
Platform Support
• Cisco CUBE (for IP-based connectivity) or
Cisco IOS Gateway (for TDM-based connectivity)
• Hardware and software requirements:
• ISR 4321, 4331, 4351, 4431, 4451 (IOS XE 16.9(4) and 16.12.2 or later)
• IOS-XE 16.10.x is not supported as Local Gateway for any platform
• CSR 1000v (vCUBE) (IOS XE 16.9(4) and 16.12.2 or later)
• ISR 1100 (IOS-XE 16.12.2 or later)
• CUBE calling licenses included in Webex Calling Flex License

Note: platform requirements driven by encryption/decryption needs (signaling/media to Webex
Calling is always secure)

[Diagram: Local Gateway (LGW), CUBE IOS-XE GW]
Local Gateway
Feature Support and Platform Sizing
• Standard CUBE feature support (no need for dedicated hardware)
• Numbers in the table assume dedicated Local GW
• Standard platform sizing using sRTP-RTP concurrent session
numbers (based on IOS-XE 16.9(4)/16.12.2). CSR1000v based on 16.9.3
• Number of corresponding users depends on BHCA etc

Platform             sRTP-RTP Sessions   Sustainable CPS
ISR1100              300                 2
ISR4321              300                 1
ISR4331              600                 3
ISR4351              750                 4
ISR4431              750                 4
ISR4451              2160                6
CSR1000V (1 vCPU)    300                 1
CSR1000v (2 vCPU)    1000                6
CSR1000V (4 vCPU)    1080                6

Reference: https://cisco.box.com/CUBE-Enterprise
Local Gateway
PSTN Connectivity Options

[Diagram: three numbered PSTN connectivity options (1, 2, 3). Customer Site: TDM PSTN, on-premises SBC or IP PBX, Local Gateway (CUBE/IOS GW), Webex Calling Endpoints. Access Network. Cisco Webex Calling: Provisioning Layer, Load Balancers, Network Functions, Certificate, Peering SBC, Access SBC, IP PSTN.]
Local Gateway
Security and Authentication

1. Download signed CA root bundle from Cisco PKI: Cisco Trusted Core Root Bundle (Public CA trust anchors)
2. Provision SIP digest credentials generated by Webex Calling on LGW
3. TLS connection: LGW validates SBC certificate using CA root bundle
4. Webex Calling authenticates LGW registration with SIP digest

[Diagram: Customer Site (PSTN over IP or TDM, Local Gateway (CUBE/IOS GW), Webex Calling Endpoints), Access Network, Cisco PKI (offline), and Cisco Webex Calling (Provisioning Layer, SIP Digest Credentials, Load Balancers, Network Functions, Certificate, Peering SBC, Access SBC); the numbers 1 to 4 mark the steps above]
Local Gateway
Firewall and NAT traversal

[Diagram: Customer Site (Local Gateway (CUBE/IOS GW), Webex Calling Endpoints) behind the Customer Firewall, reaching Cisco Webex Calling over the Internet. Customer Firewall: pinholes for outbound traffic (return traffic uses same flow).]

• In most cases, Local Gateway and endpoints can sit on internal customer
network using private IP addresses with NAT (media latching in Access SBC)
• Firewall needs to allow outbound traffic (SIP, RTP/UDP, HTTP) to specific IP
addresses/ports (see Cisco Webex Calling firewall and network configuration guide)
Local Gateway
Firewall and NAT traversal – IP Addresses and Ports (NA)

Direction: LGW (Customer Site) to Cisco Webex Calling, North America Region

Purpose        Source IP                                  Source ports   Protocol   Dest IP          Dest ports
SIP signaling  LGW Cisco Webex Calling facing interface   8000-65535     TLS TCP    199.59.65.0/25   8934
                                                                                    199.59.66.0/25
                                                                                    199.59.70.0/25
                                                                                    199.59.71.0/25
RTP media      LGW Cisco Webex Calling facing interface   8000-48000*    UDP        199.59.65.0/25   19560-65535
                                                                                    199.59.66.0/25
                                                                                    199.59.70.0/25
                                                                                    199.59.71.0/25

*: Default range. Can be reduced based on number of concurrent sessions (4 UDP ports per session)
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/broadcloud/webexcalling/customers/cisco-webex-calling-configuration-guide/cisco-webex-calling-configuration-guide_chapter_01101.html
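The table above turned into a reviewable allow-list: it classifies outbound flows from the LGW against the North America ranges and sizes the reduced RTP source-port range from the "4 UDP ports per session" footnote. This is an added example, not part of the Cisco guide; the function names and the sample flow records are constructed for illustration.

```python
import ipaddress

# Destination networks and port ranges transcribed from the slide's NA table.
WXC_NA_NETS = [ipaddress.ip_network(n) for n in (
    "199.59.65.0/25", "199.59.66.0/25", "199.59.70.0/25", "199.59.71.0/25")]
RULES = [
    {"purpose": "SIP signaling", "proto": "tcp", "src": (8000, 65535), "dst": (8934, 8934)},
    {"purpose": "RTP media", "proto": "udp", "src": (8000, 48000), "dst": (19560, 65535)},
]
PORTS_PER_SESSION = 4  # footnote on the slide

# Constructed flow records: (protocol, source port, destination IP, destination port).
SAMPLE_FLOWS = [
    ("tcp", 50000, "199.59.70.30", 8934),   # SIP over TLS to an in-range address
    ("udp", 8002, "199.59.66.10", 20000),   # RTP inside both port ranges
    ("tcp", 50000, "199.59.65.200", 8934),  # .200 is outside the /25 (only .0 to .127)
    ("udp", 50000, "199.59.66.10", 20000),  # source port above the default RTP range
    ("udp", 8002, "199.59.71.5", 5060),     # destination port not in the table
]


def classify_flow(proto, src_port, dst_ip, dst_port):
    """Return the table row a flow belongs to, or None if the table does not cover it."""
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in WXC_NA_NETS):
        return None
    for rule in RULES:
        src_lo, src_hi = rule["src"]
        dst_lo, dst_hi = rule["dst"]
        if (proto.lower() == rule["proto"]
                and src_lo <= src_port <= src_hi
                and dst_lo <= dst_port <= dst_hi):
            return rule["purpose"]
    return None


def unexpected_flows(flows):
    """Flows a firewall built strictly from the table would not permit."""
    return [f for f in flows if classify_flow(*f) is None]


def rtp_source_range(sessions, first_port=8000):
    """Smallest RTP source-port range for N concurrent sessions (4 UDP ports each)."""
    lo, hi = RULES[1]["src"]
    if sessions < 1:
        raise ValueError("sessions must be at least 1")
    last_port = first_port + sessions * PORTS_PER_SESSION - 1
    if first_port < lo or last_port > hi:
        raise ValueError("range does not fit inside the default 8000-48000 window")
    return first_port, last_port


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify_flow(*flow))
    print("RTP source ports for 300 sessions:", rtp_source_range(300))
```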
Establishing Secure Connectivity b/w LGW and Webex Calling

Local GW: Import Cisco Webex Calling root CA certificate
Local GW: Setup the credentials and trustpoint
Local GW -> Cisco Webex Calling: Initiate TLS Connection
Cisco Webex Calling -> Local GW: Certificate from Cisco Webex Calling
Local GW: LocalGW validates using root CA bundle
Local GW <-> Cisco Webex Calling: Persistent TLS Connection
Local GW -> Cisco Webex Calling: REGISTER
Cisco Webex Calling -> Local GW: 401
Local GW -> Cisco Webex Calling: REGISTER (w/credentials)
Cisco Webex Calling -> Local GW: 200 OK
Local Gateway DDTSs to keep in mind
• CSCvq38104 : Webex Calling - TDM-IP - Hold/Resume from Webex Calling causes one-
way audio – Fixed in 16.9.4 and 16.12.2
• CSCvo91685 : CUBE doesn't send INVITE to Registrar to which CUBE is registered (With
tcp as the transport, if the TCP session terminates abruptly, CUBE attempts registration only
after registration refresh timer expires) – Fixed in 16.9.4 and 16.12.2
• CSCvj90605 : One-way audio/ No-Way Audio during secure calls SRTP-SRTP /SRTP-RTP
after HA switchover / CSCvo13094 :Webex SRTP ROC Preservation Changes – Fixed in
16.12.
• CSCvq63632 : LGW/CUBE/TDM memory leak when STUN is enabled – Fixed in 16.9.4 and
16.12.2
• CSCvq31872 : LGW - Call-Hold failure as 401 is wrongly processed – Fixed in 16.9.4 and
16.12.2
• CSCvi48253 : Self-signed certificates expire on 00:00 1 Jan 2020 UTC – Does not apply
as we do not need to create self signed certificates for LGW.
• Standalone LGW deployments : Recommended to use IOS-XE 16.12.2

• LGW HA deployments or Standalone 1100 series : Recommended to use 16.12.2
Webex Calling PSTN Options
BYOPSTN with Partner-Hosted Local Gateway

[Diagram: Cloud Hosted virtualized Local GWs; Customer 1's SIP Trunk to PSTN Provider Y and Customer 2's SIP Trunk to PSTN Provider Z; connected over the Internet to Cisco Webex Calling; Webex Calling Endpoints at Customer 1 and Customer 2]

• Partner hosts and manages customer’s Local Gateway (e.g., vCUBE) - connected
OTT to Webex Calling
• Not recommended if on-premises PBX or SBC is present (requires VPN between
Partner DC and customer network)
Onboarding process

Onboarding Local Gateway: Step 1. Control Hub
1a. Log in to customer portal and navigate to Services
1b. Navigate to Locations under Call options
1c. Select an existing Location or Add Location
1d. Local gateway configuration. Click Edit and Read the warning that pops up. Click Continue
1e. Choose between Cloud Connected PSTN or LGW
1f. Can either create a new local gateway or select existing one by clicking Manage
1g. Once the customer has selected the desired local gateway, they can save the local gateway for the
given site. Parameters on this display required for onboarding LGW in Step 2
1h. Click Retrieve Username and Reset Password. Click Done
Select Phone Number Porting Confirmation and Click Save
1i. Local gateway has been assigned to the Location

Onboarding Local Gateway: Step 2. Control Hub parameters into Cisco IOS-XE platform
Control Hub Connection Parameters 
LGW CLI Config
voice class tenant 200
 registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
 credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
 authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
 authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
 sip-server dns:40462196.cisco-bcld.com
 connection-reuse
 srtp-crypto 200
 session transport tcp tls
 url sips
 error-passthru
 bind control source-interface GigabitEthernet0/0/1
 bind media source-interface GigabitEthernet0/0/1
 no pass-thru content custom-sdp
 sip-profiles 200
 outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com

voice class sip-profiles 200
 rule 1 request ANY sip-header SIP-Req-URI modify "sips:" "sip:"
 rule 10 request ANY sip-header To modify "<sips:" "<sip:"
 rule 11 request ANY sip-header From modify "<sips:" "<sip:"
 rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"
 rule 13 response ANY sip-header To modify "<sips:" "<sip:"
 rule 14 response ANY sip-header From modify "<sips:" "<sip:"
 rule 15 response ANY sip-header Contact modify "<sips:" "<sip:"
 rule 16 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
 rule 17 request ANY sip-header P-Asserted-Identity modify "<sips:" "<sip:"
Onboarding Local Gateway: Step 3. Call Routing on Local Gateway

Call Routing on Local Gateway
• IP based Call Routing on Local Gateway has three key considerations
1. All call routing is E.164 based
2. Whether the customer site(s) is also utilizing an on-prem IP
PBX such as Cisco UCM and the SIP trunking from an ITSP is
terminating on LGW itself or a dedicated SBC.
3. CUCM’s SIP Trunk towards LGW will utilize port 5065 to
distinguish from SIP Trunks pointing to a PSTN GW/CUBE (port
5060), which may be co-resident with the Local Gateway itself
1. LGW Deployment Options w/o an on-prem IP PBX

Call Routing
Single Local Gateway (can be shared across multiple sites)
• Local GW routes calls coming from Cisco Webex Calling to the PSTN (and vice versa)
• Webex Calling sends calls that do not match the customer’s Webex Calling destinations to
the Local GW
• PSTN gateway may be dedicated or co-resident with Local GW

[Diagram: Customer A (PSTN, Existing PSTN GW, Local Gateway, Webex Calling Endpoints) connected over the Internet to Cisco Webex Calling]
Local Gateway call routing to dedicated PSTN GW/SBC or IP PSTN

[Diagram: Existing SBC / PSTN GW / IP PSTN - Local Gateway - Cisco Webex Calling]

IP PSTN side:

voice class uri 100 sip
 host <pstn ip address>
! Or existing SBC / PSTN GW

dial-peer voice 100 voip
 description Incoming dial-peer from IP PSTN
 incoming uri via 100
 destination dpg 200

voice class dpg 200
 description Incoming IP PSTN(DP100) to WxC(DP201)
 dial-peer 201 preference 1

dial-peer voice 101 voip
 description Outgoing dial-peer to IP PSTN
 destination-pattern BAD.BAD
 session target ipv4: <pstn ip address>

Webex Calling side:

voice class uri 200 sip
 pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site within an
! Enterprise Trunk Group OTG/DTG from Control Hub

dial-peer voice 200 voip
 description Incoming dial-peer from Webex Calling
 incoming uri request 200
 destination dpg 100

voice class dpg 100
 description Incoming WxC(DP200) to IP PSTN(DP101)
 dial-peer 101 preference 1

dial-peer voice 201 voip
 description Outgoing dial-peer to Webex Calling
 destination-pattern BAD.BAD
 session target sip-server
2b. Local Gateway call routing to and from IP PBX

[Diagram: IP PSTN and Unified CM - Local Gateway - Cisco Webex Calling]

voice class uri 200 sip
 pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site
! within an Enterprise, Trunk Group OTG/DTG from
! Control Hub

dial-peer voice 200 voip
 description Incoming dial-peer from WxC
 incoming uri request 200
 destination dpg 300

INVITE Received by Local Gateway from Webex Calling

Received:
INVITE sip:+16785551234@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
CUBE Support for Webex Edge for Meetings
Webex Edge Audio
• CUBE Support starting IOS-XE 16.12.2

[Diagram: Customer Premises (IP Phone, Unified CM, CUBE) connected to Cisco Webex Edge Audio and the Cisco Webex Meeting; legend: Signaling, Media Path]
Key Takeaways & Roadmap (subject to change)
• Microsoft Teams Direct Routing Certification for CUBE (WIP)
• Fax detect on IOS-XE
• Programmability (CUBE Yang modelling)
• mVRF media bypass and support for 100 VRFs
• TLS Server Name Indication and Server side SAN validation
• DTMF masking for contact center

• Email ASK-CUBE@EXTERNAL.CISCO.COM with your Box.com
account id (email) for access to the Box.com links below. Free Box.com
account is fine as well
• Complete feature Presentations, Lab Guide, Hands-on Lab access & Application Notes

https://cisco.box.com/CUBE-Enterprise
https://cisco.box.com/WebexCalling
Virtual Space via Webex Teams
New Contact Preference in Support Case Manager

• New contact preference: Available in Support Case Manager for S3 and S4 TAC cases.
• Faster Resolution: Customer and engineer have real-time conversations. Easier to share files and
engage experts.
• Conversation Transcripts: Customer can view the way a specific issue was solved at any time.
• Better Customer Satisfaction: Removes the back and forth nature of email communication.

Available for the following services:
• Solution Support
• SP Advantage
• TS Advantage
• High Touch Expert Care
• Collaboration Software Support (SWSS)

"Fast response time, easy interface and quick resolution. Simple and effective”.
Customer feedback
Thank you
Reference slides
Licensing
CUBE Version 12.x
Deployment Examples /
Smart Licensing Scenarios
Customer Deployment Scenario 1a
Separate Deployments:
• Two active CUBEs in separate locations
• No Box to Box redundancy (Redundancy Group HA)
• No load balancing
• Each location processes up to 50 concurrent sessions.
License Requirement:
• 100 x CUBE-T-STD
• CUBE platforms may register to:
• The same Virtual Account holding a common pool of 100 licenses
• Different Virtual Accounts, each with 50 licenses
[Diagram: Location 1, Active, 50 Calls; Location 2, Active, 50 Calls]

Customer Deployment Scenario 1b
Separate Deployments:
• Two active CUBEs in the same location
• No Box to Box redundancy (Redundancy Group HA)
• No load balancing
• Each CUBE processes up to 50 concurrent sessions.
License Requirement:
• 100 x CUBE-T-STD
• CUBE platforms may register to:
• The same Virtual Account holding a common pool of 100 licenses
• Different Virtual Accounts, each with 50 licenses
[Diagram: Location 1 with two Active CUBEs, 50 Calls each]

Customer Deployment Scenario 2a
Geographic Load Balancing:
• Two active CUBEs in separate locations
• No Box to Box redundancy (Redundancy Group HA)
• Load balancing b/w locations provided by SP
• Total call load across both locations up to 200 concurrent
sessions.
License Requirement:
• 200 x CUBE-T-STD
• CUBE platforms register to the same Virtual Account holding
a common pool of licenses
[Diagram: Location 1, Active; Location 2, Active; 200 Calls]

Customer Deployment Scenario 2b
Load Balancing within a location:
• Two active CUBEs in the same location
• No Box to Box redundancy (Redundancy Group HA)
• Load balancing between CUBEs provided by SP or with
CUSP
• Total call load across both CUBEs up to 200 concurrent
sessions.
License Requirement:
• 200 x CUBE-T-STD
• CUBE platforms register to the same Virtual Account
holding a common pool of licenses
[Diagram: Location 1 with two Active CUBEs; 200 Calls]
Customer Deployment Scenario 3

Box to Box High Availability (HA) with Call Preservation:
• Active and Standby CUBEs in HA Redundancy Group (RG)
• Both CUBEs must be in the same layer 2 network
• Total call load up to 250 concurrent sessions.
License Requirement:
• 250 x CUBE-T-RED
• Both CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1; Active and Stateful Standby CUBEs; 250 Calls]

Customer Deployment Scenario 4a
Box to Box High Availability with Call Preservation within a location and geographic load balancing across locations:
• One pair of High Availability CUBEs in RG at each site
• Geographic load balancing across locations provided by SP
• Total call load up to 600 concurrent sessions across locations
• If an active CUBE fails, stateful failover of local load to standby
• If location 1 fails, all associated calls fail. Total load serviced by active CUBE at site 2
License Requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1, HA Pair 1 (Active, Stateful Standby); Location 2, HA Pair 2 (Active, Stateful Standby); 600 Calls]

Customer Deployment Scenario 4b
Box to Box High Availability with Call Preservation and load balancing within a location:
• Two pairs of High Availability CUBEs in separate RGs at the same site
• Load balancing across HA pairs provided by SP or with CUSP
• Total call load for location up to 600 concurrent sessions
• If an active CUBE fails, stateful failover of local load to standby
• If HA pair 1 fails, all associated calls fail. Total load serviced by active CUBE in HA pair 2
License Requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1; HA Pair 1 (Active, Stateful Standby); HA Pair 2 (Active, Stateful Standby); 600 Calls]

Customer Deployment Scenario 5
Inbox Hardware or Software Redundancy:
• Stateful Switchover (SSO): ASR1006 with dual route processors (control plane) and dual ESPs (forwarding plane)
• Route Processor Redundancy (RPR): ASR1001/2/4 with software redundancy.
• Both options provide stateful failover.
• Required call volume up to 350 concurrent sessions.
License Requirement:
• 350 x CUBE-T-STD
• Active route processor registers to Smart virtual account
• Standby route processor takes over registration on failover
[Diagram: ASR1006/1006-x Hardware Redundancy (Dual Forwarding Plane Hardware, Dual Control Plane Hardware); ASR1001/2/4 Software Redundancy (Active IOS, Standby IOS)]

Customer Deployment Scenario 6
Lineside registration proxy and survivability
• A customer using a cloud call control service uses CUBE for lineside optimization and survivability.
• A CUBE platform is deployed at four customer sites.
• Each site has 25 handsets that register to the cloud service.
License Requirement:
• 100 x CUBE-L-STD
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Third Party Call Control Hosted in SP Cloud (SIP Service, PE-SBC, Cloud-based call control); Business Internet; a Lineside CUBE at each of the 4 locations; 25 handsets at each of the 4 locations]

Customer Deployment Scenario 7

Media Proxy:
• A media proxy platform used to fork calls to 3 recording servers.
• Total concurrent call load is 50 calls.
License Requirement:
• 150 x CUBE-MP-RED
• Only redundant licenses are available for Media Proxy
[Diagram: Location 1; Media Proxy (Active); 50 Calls; 150 Recordings]

Customer Deployment Scenario 8
Media Proxy:
• Active and Standby CUBE Media Proxies in HA Redundancy Group (RG)
• Both Media Proxies must be in the same layer 2 network
• Total call load for HA pair 150 calls, each forked 3 times.
• If active Media Proxy fails, stateful failover of all calls to standby
License Requirement:
• 450 x CUBE-MP-RED
• Both Media Proxy platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1; HA Pair 1: Media Proxy (Active), Media Proxy (Stateful Standby); 150 Calls]

Customer Deployment Scenario 9
Media Proxy:
• A media proxy platform used to fork calls to 3 recording servers.
• Total concurrent call load is 50 calls from CUBE triggered using CUCM NBR
License Requirement:
• 150 x CUBE-MP-RED for Media Proxy
• 50 X CUBE-T-STD for PSTN calls through CUBE
• Only redundant licenses are available for Media Proxy
[Diagram: Location 1; CUBE (Active), 50 Calls; Media Proxy; 150 Recordings]

Reference slides
Webex Calling
2. LGW Deployment Options with an IP PBX e.g. UCM
Call Routing With an IP PBX/CUCM
• CUCM routes incoming calls to local destinations or to the PSTN (per existing dial plan)
• Add route/translation patterns to send calls for Webex Calling to Local GW (normalized as +E.164’s)
• Webex Calling sends calls that do not match the customer’s Webex Calling destinations to the Local GW
  • Includes PSTN numbers and CUCM internal extensions (unknown to Webex Calling)
• PSTN gateway may be dedicated or co-resident with Local GW
• Local GW routes calls coming from Webex Calling to CUCM (and vice versa)
[Diagram: Cisco Webex Calling; Internet; PSTN; Customer Site with PSTN GW, CUCM, Local GW and Webex Calling Endpoints]

2a. Unified CM with Dedicated PSTN GW (Preferred Option)
• Webex Calling routes all calls that do not match Customer’s Webex Calling destinations to the Local GW assigned to the site
  • Includes PSTN destinations and CUCM internal extensions
• Local GW routes all calls coming from Webex Calling to CUCM (and vice versa)
• CUCM routes calls to locally-registered phones or to the PSTN via a different SBC/GW
  • Also possible to use the same router as Local GW and PSTN gateway/SBC
[Diagram: Cisco Webex Calling; Internet; PSTN; Customer Site with Existing SBC / PSTN GW, CUCM, Local GW and Webex Calling Endpoints]

2a. Local Gateway call routing to/from CUCM w/Dedicated PSTN
[Diagram: Existing SBC / PSTN GW; Unified CM (ports 5060 and 5065); Local Gateway; Cisco Webex Calling]

Unified CM side:

voice class uri 300 sip
 pattern :5065
! pattern matches the CUCM signaling via port for Webex
! Calling trunk to distinguish from PSTN SIP trunk at 5060
dial-peer voice 300 voip
 description Incoming dial-peer from CUCM to WxC
 incoming uri via 300
 destination dpg 200
voice class dpg 200
 description Incoming CUCM (DP300) to WxC(DP201)
 dial-peer 201 preference 1
dial-peer voice 301 voip
 description Outgoing dial-peer to CUCM
 destination-pattern BAD.BAD
 session server-group 301
voice class server-group 301
 ipv4 <cucm-node-1> port 5065
 ipv4 <cucm-node-5> port 5065

Webex Calling side:

voice class uri 200 sip
 pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site within
! an Enterprise, Trunk Group OTG/DTG from Control Hub
dial-peer voice 200 voip
 description Incoming dial-peer from Webex Calling
 incoming uri request 200
 destination dpg 300
voice class dpg 300
 description Incoming WxC (DP200) to CUCM(DP301)
 dial-peer 301 preference 1
dial-peer voice 201 voip
 description Outgoing dial-peer to Webex Calling
 destination-pattern BAD.BAD
 session target sip-server

2b. Unified CM with Co-located PSTN GW/SBC and Local Gateway
• BroadCloud routes all calls that do not match Customer’s BroadCloud destinations to the Local GW assigned to the site
  • Includes PSTN destinations and on-net calls towards CUCM internal extensions
• Local GW routes all calls to Unified CM
• Unified CM routes calls to locally-registered phones or to the PSTN back via the Local GW, which has PSTN/SBC functionality co-located
[Diagram: Internet; PSTN; Customer Site with CUCM, CUBE and LGW, and Webex Calling Endpoints]

2b. Unified CM with Co-located PSTN GW/SBC and Local Gateway
• Webex Calling routes all calls that do not match Customer’s Webex Calling destinations to the Local GW assigned to the site
  • Includes PSTN destinations and on-net calls towards CUCM internal extensions
• Local GW routes all calls to Unified CM
• Unified CM routes calls to locally-registered phones or to the PSTN back via the Local GW, which has PSTN/SBC functionality co-located
[Diagram: Cisco Webex Calling; Internet; PSTN; Customer Site with CUCM, CUBE and LGW, and Webex Calling Endpoints]

2b. Local Gateway call routing to and from IP PBX
• Incoming calls matched based on via URI
• Calls inbound from CUCM over 2 trunks to distinguish b/w PSTN and Webex Calling destinations. The via URI match is done based on port
• Outgoing calls routed via DPG and Server-groups
[Diagram: Local Gateway; Cisco Webex Calling; IP PSTN; Unified CM (port 5060)]

voice class uri 100 sip
 host <pstn ip address>
dial-peer voice 100 voip
 description Incoming dial-peer from PSTN
 incoming uri via 100
 destination dpg 302
voice class dpg 302
 dial-peer 305 preference 1
dial-peer voice 305 voip
 description Outgoing dial-peer to CUCM for inbound from PSTN
 destination-pattern BAD.BAD
 session server-group 305
voice class server-group 305
 ipv4 <cucm-node-1>
 ipv4 <cucm-node-2>
 ipv4 <cucm-node-3>
 ipv4 <cucm-node-4>
 ipv4 <cucm-node-5>

2b. Local Gateway call routing to and from IP PBX
[Diagram: Local Gateway; Cisco Webex Calling; IP PSTN; Unified CM (port 5065)]

voice class uri 200 sip
 pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site
! within an Enterprise, Trunk Group OTG/DTG from
! Control Hub
dial-peer voice 200 voip
 description Incoming dial-peer from WxC
 incoming uri request 200
 destination dpg 300
voice class dpg 300
 dial-peer 301 preference 1
dial-peer voice 301 voip
 description Outgoing dial-peer to CUCM for inbound from WxC
 destination-pattern BAD.BAD
 session server-group 301
voice class server-group 301
 ipv4 <cucm-node-1> port 5065
 ipv4 <cucm-node-2> port 5065
 ipv4 <cucm-node-3> port 5065
 ipv4 <cucm-node-4> port 5065
 ipv4 <cucm-node-5> port 5065

Received:
INVITE sip:+16785551234@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1

2b. Local Gateway call routing to and from IP PBX
[Diagram: Local Gateway; Cisco Webex Calling; IP PSTN; Unified CM (port 5060)]

dial-peer voice 101 voip
 description Outgoing dial-peer to PSTN
 destination-pattern BAD.BAD
 session target ipv4:<pstn ip address>
voice class dpg 100
 dial-peer 101 preference 1
voice class uri 302 sip
 pattern <cucm-nodes-ip-address and port-regex-for-pstn>
! ex: pattern 10\.1\.2\..*:5060 matches 10.1.2.X:5060 range
dial-peer voice 302 voip
 description Incoming dial-peer from CUCM for IP PSTN
 incoming uri via 302
 destination dpg 100

2b. Local Gateway call routing to and from IP PBX
[Diagram: Local Gateway; Cisco Webex Calling; IP PSTN; Unified CM (port 5065)]

dial-peer voice 201 voip
 description Outgoing dial-peer to WxC
 destination-pattern BAD.BAD
 session target sip-server
voice class dpg 200
 dial-peer 201 preference 1
voice class uri 300 sip
 pattern <cucm-nodes-ip-address and port-regex-for-WxC>
! ex: pattern 10\.1\.2\..*:5065 matches 10.1.2.X:5065 range
dial-peer voice 300 voip
 description Incoming dial-peer from CUCM for WxC
 incoming uri via 300
 destination dpg 200

2b. Local Gateway call routing to and from IP PBX
• Incoming calls matched based on via URI.
• Calls inbound from CUCM over 2 trunks to distinguish b/w PSTN/Webex Calling. The via URI match is done based on port
• Outgoing calls routed via DPG and Server-groups
[Diagram: Local Gateway; Cisco Webex Calling; IP PSTN; Unified CM (ports 5065 and 5060)]

IP PSTN side:

voice class uri 100 sip
 host <pstn ip address>
dial-peer voice 100 voip
 description Incoming dial-peer from PSTN
 incoming uri via 100
 destination dpg 302
voice class dpg 100
 dial-peer 101 preference 1
dial-peer voice 101 voip
 description Outgoing dial-peer to PSTN
 destination-pattern BAD.BAD
 session target ipv4:<pstn ip address>

Webex Calling side:

voice class uri 200 sip
 pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site within an
! Enterprise, Trunk Group OTG/DTG from Control Hub
dial-peer voice 200 voip
 description Incoming dial-peer from WxC
 incoming uri request 200
 destination dpg 300
voice class dpg 200
 dial-peer 201 preference 1
dial-peer voice 201 voip
 description Outgoing dial-peer to WxC
 destination-pattern BAD.BAD
 session target sip-server

Unified CM side:

voice class uri 302 sip
 pattern <cucm-nodes-ip-address and port-regex-for-pstn>
! ex: pattern 10\.1\.2\..*:5060 matches 10.1.2.X:5060 range
dial-peer voice 302 voip
 description Incoming dial-peer from CUCM for pstn
 incoming uri via 302
 destination dpg 100
voice class uri 300 sip
 pattern <cucm-nodes-ip-address and port-regex-for-WxC>
! ex: pattern 10\.1\.2\..*:5065 matches 10.1.2.X:5065 range
dial-peer voice 300 voip
 description Incoming dial-peer from CUCM for Webex Calling
 incoming uri via 300
 destination dpg 200
voice class dpg 300
 dial-peer 301 preference 1
voice class server-group 301
 ipv4 <cucm-node-1> port 5065
 ipv4 <cucm-node-5> port 5065
dial-peer voice 301 voip
 description Outgoing dial-peer to CUCM for inbound from WxC
 destination-pattern BAD.BAD
 session server-group 301
voice class dpg 302
 dial-peer 305 preference 1
voice class server-group 305
 ipv4 <cucm-node-1>
 ipv4 <cucm-node-5>
dial-peer voice 305 voip
 description Outgoing dial-peer to CUCM for inbound from PSTN
 destination-pattern BAD.BAD
 session server-group 305

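The matching chain in this configuration (URI class, incoming dial-peer, DPG, outgoing dial-peer) can be traced with a small model. This is an added example, not Cisco's code or part of the deck; the 10.1.2.X CUCM range follows the slide's own example pattern, while the PSTN address 203.0.113.10, the extra INVITEs and the treatment of `pattern` as an unanchored regex are assumptions.

```python
import re

# Model of the slide's inbound matching. Assumptions: an IOS "pattern" acts as
# an unanchored regex (re.search), "host" is an exact host comparison, and the
# first matching class wins (IOS precedence between match types is not modelled).
PSTN_IP = "203.0.113.10"  # constructed stand-in for <pstn ip address>
LGW = "198.18.1.226"      # Local Gateway address taken from the slide's INVITE
URI_CLASSES = [  # (uri class = incoming dial-peer, header, kind, value)
    (100, "via", "host", PSTN_IP),
    (200, "request", "pattern", r"dtg=hussain2572.lgu"),
    (300, "via", "pattern", r"10\.1\.2\..*:5065"),
    (302, "via", "pattern", r"10\.1\.2\..*:5060"),
]
INCOMING_TO_DPG = {100: 302, 200: 300, 300: 200, 302: 100}  # "destination dpg"
DPG_TO_OUTGOING = {100: 101, 200: 201, 300: 301, 302: 305}  # preference 1 peer

def parse_invite(raw):
    """Return (request URI, sent-by of the topmost Via) from a SIP INVITE."""
    lines = [line.strip() for line in raw.strip().splitlines()]
    request_uri = lines[0].split()[1]
    via = next(line for line in lines[1:] if line.lower().startswith("via:"))
    return request_uri, via.split()[2].split(";")[0]

def route(raw):
    """Return (incoming dial-peer, outgoing dial-peer), or None if unmatched."""
    request_uri, sent_by = parse_invite(raw)
    for peer, header, kind, value in URI_CLASSES:
        subject = request_uri if header == "request" else sent_by
        if kind == "host":
            matched = subject.split(":")[0] == value
        else:
            matched = re.search(value, subject) is not None
        if matched:
            return peer, DPG_TO_OUTGOING[INCOMING_TO_DPG[peer]]
    return None

def invite(request_uri, sent_by):
    """Build a minimal constructed INVITE with a single Via header."""
    return f"INVITE {request_uri} SIP/2.0\nVia: SIP/2.0/TLS {sent_by};branch=z9hG4bKtest\n"

# The first request line and Via address come from the slide; the rest are constructed.
SAMPLES = {
    "from Webex Calling": invite(f"sip:+16785551234@{LGW}:5061;transport=tls;dtg=hussain2572_lgu", "199.59.70.30:8934"),
    "from CUCM, WxC trunk": invite(f"sip:+14085550100@{LGW}:5060", "10.1.2.11:5065"),
    "from CUCM, PSTN trunk": invite(f"sip:+14085550100@{LGW}:5060", "10.1.2.11:5060"),
    "from IP PSTN": invite(f"sip:+16785551234@{LGW}:5060", f"{PSTN_IP}:5060"),
    "unknown source": invite(f"sip:+16785551234@{LGW}:5060", "198.51.100.7:5060"),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(f"{name:24} -> {route(message)}")
```

In this model the slide's pattern `dtg=hussain2572.lgu` matches the received `dtg=hussain2572_lgu` only because `.` is a regex wildcard. An INVITE from a source outside all four URI classes matches none of these incoming dial-peers.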
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Thank you
