BRKCOL-2125.pdf

#CLUS
Hussain Ali, CCIE# 38068 (Voice, Collaboration)
Technical Marketing Engineer
Dilip Singh, CCIE# 16545 (Collaboration)
Technical Leader
SIP Trunking Design &
Deployment for On-prem
and Webex Calling(VAR Channel)
BRKCOL-2125

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
Find this session in the Cisco Live Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
Webex Teams will be moderated
by the speaker until June 16, 2019.
1
2
3
4
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
#CLUS
Cisco Webex Teams
cs.co/ciscolivebot#
3
BRKCOL-2125

#CLUS
Agenda
• CUBE Overview, Deployments, and SIP Trunk Sizing
• CUBE Licensing Updates
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE (Call Routing, Multi-Tenancy)
• Call Recording & Intro to CUBE Media Proxy
• Securing Collab deployments with CUBE
• Webex Calling (VAR Channel) – Local Gateway (LGW)
4
BRKCOL-2125

CUBE Overview,
Deployments, and
SIP Trunk Sizing

#CLUS
On-Prem Collaboration Deployment
TDM Backup
(Not available in
vCUBE)
Unified CM
CUBE SIP
H.323
RTP
PSTN
Enterprise LAN ITSP WAN (SIP Provider)
PSTN (PRI/FXO)
DEMARC
DEMARC
Gig0/0
Gig0/1
10.10.1.20
66.77.37.2
128.107.214.195
10.10.1.21
6
BRKCOL-2125

#CLUS
CUBE (Enterprise) Product Portfolio
2900 Series
ISR-G2 (2901, 2911, 2921, 2951)
ASR 1004/6 RP2
Active Concurrent Voice Calls Capacity
Calls
Per
Second
<5
8-12
50-150
14-16K
<50 500-600 900-1000
3900 Series ISR-G2 (3925, 3945)
17
3900E Series ISR-G2
(3925E, 3945E)
2000-2500
20-35
4
800 ISR
7000-10,000
50-100
12K-14K
ASR 1002-X
4500-6000
ISR 4451-X
ASR 1001-X
4000
ISR 4431
ISR-4K (4321, 4331)
ISR 4351
Introducing CUBE on
CSR
vCUBE [Performance
dependent on vCPU and
memory]
ASR 1006-X
w/RP2
Starting IOS-
XE 16.9
CUBE support for
ISR1100 – IOS-XE
16.12.1 or later
7
BRKCOL-2125

#CLUS
ISR G2 ASR 1K / ISR-4K/vCUBE (CSR)
CUBE
Vers.
2900/
3900
FCS
CUBE
Vers. IOS XE Release 16 2 FCS
11.5.2 15.6(3)M1 Dec 2016 11.5.23 16.3.2/16.4.13 Nov 2016
EOL EOL EOL 11.6.0 16.5.1 Mar 2017
EOL EOL EOL 12.0.0 16.6.1 July 2017
EOL EOL EOL 12.0.0 16.7.1 Nov 2017
EOL EOL EOL 12.1.0 16.8.1 Mar 2018
EOL EOL EOL 12.2.0 16.9.1 July 2018
EOL EOL EOL 12.5.0 16.10.1a Nov 2018
EOL EOL EOL 12.6.0 16.11.1 Mar 2019
EOL EOL EOL 12.7.0 16.12.1 July 2019
CUBE Software Release Mapping
2 IOS-XE 16 requires a minimum of ASR1001-X, 1002-X, 1004/1006 RP2, ESP20 (Embedded Service Processor, SIP40 (SPA Interface processor)
3 IOS-XE release 16.2.1 does not support CUBE functionality on the platforms. There is no CUBE version 11.5.1 for the XE based platforms. All CUBE features from 11.5.0 (IOS-XE 3.17) and earlier versions
along with CUBE 11.5.1 (March 2016 release) on ISR G2 are included in CUBE release 11.5.2 for the IOS-XE based platforms, IOS-XE release 16.3.1 [July 2016 release]
8
BRKCOL-2125

Sizing On-prem
Enterprise CUBE
deployments
NOTE : Sizing information is only
intended as a guideline. Actual
session count will vary based on the
number of features turned on the
ISR/ASR/CSR along with CUBE and
the IOS-XE version being used.

#CLUS
CUBE Session Capacity Summary
Platform CUBE SIP-SIP IPT Sessions (Audio)
1100 series Coming soon
2901 – 4321 100
2911 – 2921 200 – 400
4331 500
2951 600
3925 – 3945 800 – 950
4351 1000
3925E – 3945E 2100 – 2500
4431 3000
4451 6000
ASR1001-X 12000
ASR1002-X 14000
ASR1004/1006/1006-X RP2 16000
For Your
Reference
• Flow thru
• RTP-RTP
• IPT
• 711-711
10

#CLUS
CUBE ENT on ISR 4K Series
Audio Session Capacity with Additional Features: XE16.6 and later
Platform
(Memory4)
CPS1 Total # of
Flow-thru
calls5
SW
MTP3
CUBE +
SW
MTP3
(Estimates)
CUBE + Xcoding2
Xcoded Calls w/
PVDM4-256
Simultaneous
Non-Xcoded Calls
4321 (4GB) 4 100 250 71 100 CUBE FT sessions
maxed
4331 (4GB) 8 500 600 250 128 372
4351 (4 GB) 10 1000 1000 500 128 872
4431 (8 GB - CP) 15 3000 1500 750 128 2872
4451 (8 GB - CP) 40 6000 3000 1500 128 5872
1. CPS and session counts listed are independently tested. Session capacities [Total # of Flow-thru calls] can be achieved at about half
the CPS listed in the Calls Per Second (CPS) column.
2. Transcoding is limited by DSP capacity. ISR4K has one PVDM4 motherboard slot and 128 sessions is based on a single PVDM4-256.
(G729r8-G711)
3. S/W MTP numbers are for standalone SW MTP sessions and CUBE+SWMTP numbers are for the maximum number of CUBE sessions
supported with each session utilizing a SW MTP on the same platform
4. All tests were done with 4 GB of RAM with the exception of 4451/4431 where 8 GB was used [8GB CP and 2GB DP]
5. Total calls are derived with 180 seconds call hold time
11
BRKCOL-2125

#CLUS
CUBE Sizing Guidelines
• All deployments for CUBE Ent must be done with 16GB of memory for
ASR1K series, 8 GB (Control Plane memory) for ISR4400 series, 4 GB for
ISR4300 series, and 2 GB for ISR G2 series
• Session count (end to end calls through CUBE) is dependent on the
amount of memory in the box. Numbers listed in the datasheet assume
above memory requirements are being satisfied
• CPS is dependent on the CPU of the platform
• Complex call flows (Cisco UCCE) can reduce CUBE CPS and session count
by upto 75% on ISR 4K/ASR1K series
• Media forking for call recording can have a 50% impact on IPT session
count regardless of the call type (IPT or UCCE) being recorded
12
BRKCOL-2125

#CLUS
Sample ISR4K CUBE Sizing
• An enterprise is looking for an SBC to support 800 IP
telephony sessions and an additional 100 Cisco
Contact Center agent calls. All CC calls must be
recorded. G711 is used throughout but 50 remote
agent phones will require G729r8. Additionally their
CUCM will require 200 S/W MTP sessions.
• 800 IP telephony sessions = +800 IPT calls
• 100 Contact Center calls = +400 IPT calls
• A call that needs to be recorded = an IPT call, +100
IPT calls (Call Recording)
• PVDM4-128 for transcoding (From DSP Calculator)
• 1 S/W MTP session ~ 1 CUBE IPT session, +200 IPT
calls (S/W MTP sessions)
Platform
CPS CUBE
Sessions
4321 4 100
4331 8 500
4351 10 1000
4431 15 3000
4451 40 6000
TOTAL = 1500 CUBE sessions
But CPS expected is 20
Deploy a 4451 or two
4351s w/CUSP
13
BRKCOL-2125

#CLUS
Agenda
14
BRKCOL-2125

#CLUS
• Smart Licensing is a Cisco wide initiative that provides a License Inventory
Management System which provides Customers, Cisco, and Selected
Partners with information about License Ownership and Use
• All licenses are delivered directly to your cloud based Cisco Smart
Software Manager (CSSM) account allowing you to control where they are
used and monitor how they are used. Not an enforcement tool
• Smart Licenses do not require registration, so no more PAKs
• Smart licenses entitle the CUSTOMER, not the product instance.
Licenses are not node locked.
• Licenses are pooled for
flexible use by devices
registered to the same account
New Unified Border Element Licensing Offer
What is Smart Licensing?
BRKCOL-2125 16

#CLUS
Cisco Unified Border Element (CUBE)
SIP Trunking to a Provider
• The Cisco Unified Border Element
(CUBE) feature set delivers Session
Border Control (SBC) functionality for
Cisco IOS router platforms, enabling
highly secure voice and video
connectivity between an enterprise IP
network and service provider trunk
services.
• CUBE performs four critical functions
of an SBC:
• Policy based session management
• Security enforcement
• Protocol and media interworking
• Network demarcation
BRKCOL-2125 17

#CLUS
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.
Simplifying the CUBE Trunk Offer
CUBE License – 5 Sessions
(FL-CUBEE-5)
CUBE License –5 Sessions Red
(FL-CUBEE-5-RED)
(FL-CUBEE-25)
(FL-CUBEE-25-RED)
(FL-CUBEE-100-RED)
(FL-CUBEE-100)
CUBE License–Cisco ONE (1 Session Red)
(C1-CUBEE-RED) +SWSS
CUBE License – Cisco ONE (1 Session)
(C1-CUBEE-STD) +SWSS
------
CUBE License –ASR 100 Sessions Red
(FLASR1-CE-100R)
CUBE License –ASR 500 Sessions Red
(FLASR1-CE-500R)
CUBE License –ASR 1,000 Sessions Red
(FLASR1-CE-1KR)
(FLASR1-CE-4KR)
(FLASR1-CE-16KR)
CUBE License – C1 ASR 100 Sessions Red
(C1-A-ASR1CUBEE100R) +SWSS
CUBE License – C1 ASR 100 Sessions
(C1-A-ASR1CUBEE100P) +SWSS
CUBE License – C1 ASR xxxx Sessions xx
(C1-A-ASR1CUBEE…) +SWSS
------
Current:
100+ PIDs
Simplified:
2 options, 3 PIDs!
CUBE session licenses are common
across ISR, CSR and ASR platforms and
can be pooled in a Smart Virtual Account
CUBE Trunk Redundant License
– 1 Session
(CUBE-T-RED)
CUBE Trunk Standard License
– 1 Session
(CUBE-T-STD)
Upgrade to Trunk Redundant
License – 1 Session
(CUBE-T-RED-UP)
+SWSS
EoS
15 June
2019
+SWSS
+SWSS
As part of migration to Smart and SWSS enabled licensing for CUBE, all $0 licenses from router bundles will be removed by end of April 2019. Product Bulletin for
the same can be accessed at https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/bulletin-c25-742073.html
18
BRKCOL-2125

#CLUS
New CUBE Offer with Smart Licensing
CUBE Media Proxy License
1 Forked Session (CUBE-MP-
RED)
Cisco Unified Border Element (CUBE) Smart License Options
Top Level “L-CUBE”
+SWSS
Trunk Lineside Media Proxy
Simplified New
Offer
New
Offer
Cisco Software Support Service (SWSS) is required for a minimum of 12 months when purchasing
CUBE session license(s).
SWSS provides access to software maintenance, updates, upgrades, and technical support
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.
CUBE Lineside License
1 Session (CUBE-L-STD)
+SWSS
CUBE Standard Trunk License
1 Session (CUBE-T-STD)
+SWSS
CUBE Redundant Trunk License
1 Session (CUBE-T-RED)
+SWSS
Upgrade to Redundant Trunk License
1 Session (CUBE-T-RED-UP) +SWSS
19
BRKCOL-2125

#CLUS
• CUBE Lineside features
compliment hosted call control
solutions with:
• SIP proxy registration of IP
phones (Cisco MPP or 3rd party).
• Service continuity should the
hosted service become
unavailable.
Note: NanoCUBE RTU licenses will remain
available for ISR800 series products only.
Lineside
New
Offer
Third Party Call
Control in SP Cloud
BRKCOL-2125 20

#CLUS
• Standalone application that extends CUBE trunk
session forking to allow a call to be replicated up to
five times for media recording redundancy & load
balancing and call analytics.
• Supports Mandatory and Optional recorder policy
• Mandatory: Media proxy tries to fork to the mandatory
recorder first. Forking to the remaining recorders will
only happen after the connection to the first recorder is
successful.
• Optional: Default policy. Media proxy will establish
connection to all recorders, even if any of the recorders
fail.
• Secured forking (SRTP – SRTP)
• CUBE Media Proxy Call Scenarios:
• External calls (inbound/outbound from/to ITSP, PSTN
calls)
• Internal calls (on-prem calls)
• Contact center
Media Proxy
CUBE
SBC
CUBE Media
Proxy
Customer
Unified CM
Recording
Server 1
Recording
Server 3
Recording
Server 2
Employee
New
Offer
BRKCOL-2125 21

#CLUS
CUBE Trunk Licensing – Transition Plan
• July 2018 release (16.9.1) default is Classic Licensing mode (RTU)
• Nov 2018 - CUBE version 12.5 or later: (IOS-XE 16.10), CUBE Trunk Licenses
are Smart enabled, though CUBE feature use is still RTU (Right-to-Use). So
even though the box will be registered to CSSM, it won't demand any CUBE
licenses. It will however, request UCK9, SECK9 etc.
• March ‘19 - IOS-XE Release 16.11 (CUBE 12.6)/ July ‘19 -16.12 (CUBE 12.7)
– Trunk Licenses Smart Only (session usage is reported to CSSM based on
mode border-element license capacity <session_count>.
Lineside/CUBE Media Proxy remain RTU (not consumed in Smart accounts) till
a future release
• Future release (~ Nov’19) will report CUBE Trunk usage based on actual
consumption
• Effective June 15, 2019, ALL RTU Licenses go EoS
22
BRKCOL-2125

#CLUS
CUBE Trunk Licensing – Flow
• Evaluation period (90 days, non-renewable)
• Starts when the feature is enabled and counted in Unidentified or
Unregistered state.
• Must register with CSSM before Eval expiry to avoid service disruption.
To Register with CSSM use CLI license smart register idtoken
<token_id>
• Auth requests
• Successful : Results in either Authorized/In-Compliance or Out of
compliance response - (renewed every 30 days)
• Failure: Goes to Auth Expired state, retry for 90 days for successful
Auth before service is disrupted.
23
BRKCOL-2125

CUBE Version 12.x
Deployment Examples /
Smart Licensing Scenarios

#CLUS
Customer Deployment Scenario 1a
Separate Deployments:
• Two activeCUBEs in separate locations
• No Box to Box redundancy (Redundancy Group
HA)
• No load balancing
• Each location processes up to 50 concurrent
sessions.
License Requirement:
• 100 x CUBE-T-STD
• CUBE platforms may registerto:
• The same VirtualAccount holdinga common pool of
100 licenses
• Different VirtualAccounts, each with 50 licenses
Location 1
Location 2
Active
50 Calls
Active
50 Calls
25
BRKCOL-2125

#CLUS
Location 1
Customer Deployment Scenario 1b
Separate Deployments:
• Two activeCUBEs in the same location
HA)
• No load balancing
• Each CUBE processes up to 50 concurrent
sessions.
• CUBE platforms may registerto:
• The same Virtual Account holding a common pool of 100
licenses
• Different Virtual Accounts, each with 50 licenses
Active
50 Calls
Active
50 Calls
26
BRKCOL-2125

#CLUS
Geographic Load Balancing:
• Two activeCUBEs in separate locations
• No Box to Box redundancy (Redundancy Group HA)
• Load balancing b/w locations providedby SP
• Total call load across both locations up to 200
concurrent sessions.
• CUBE platforms registerto the same VirtualAccount
holding a common pool of licenses
Location 1
Location 2
Active
200 Calls
Active
27
BRKCOL-2125

#CLUS
Load Balancing withina location:
• Two activeCUBEs in the same location
HA)
• Load balancing between CUBEs providedby SP or
with CUSP
• Total call load across both CUBEs up to 200
concurrent sessions.
• CUBE platforms registerto the same Virtual
Account holding a common pool of licenses
Active
200 Calls
Active
Location 1
28
BRKCOL-2125

#CLUS
Customer Deployment Scenario 3
Box to Box HighAvailability (HA) withCall
Preservation:
• Activeand Standby CUBEs in HARedundancy
Group (RG)
• Both CUBEs mustbe in the same layer 2 network
• Total call load up to 250 concurrent sessions.
• 250 x CUBE-T-RED
• Both CUBE platforms register to the same Virtual
Location 1
Active
Standby
250 Calls
Stateful
29
BRKCOL-2125

#CLUS
Box to Box High Availability withCall Preservation within a
location and geographic load balancing across locations:
• One pair of HighAvailability CUBEs in RG at each site
• Geographic load balancing across locations provided by SP
• Total call load up to 600 concurrent sessions across locations
• If an active CUBE fails, stateful failover of local load to standby
• If location 1 fails, all associated calls fail. Total load serviced by
active CUBE at site 2
• All CUBE platforms register to the same Virtual Account holding a
common pool of licenses
Location 1
Active
Standby
Stateful
Location 2
Active
Standby
Stateful
600 Calls
HA Pair 1
HA Pair 2
30
BRKCOL-2125

#CLUS
Box to Box HighAvailability withCall Preservation
and load balancing withina location:
• Two pairs of HighAvailability CUBEs in separate RGs at
the same site
• Load balancing across HApairs provided by SP or with
CUSP
• Total call load for location up to 600 concurrent sessions
• If an active CUBE fails, stateful failover of local load to
standby
• If HApair 1 fails, all associated calls fail. Total load
serviced by active CUBE in HApair 2
• All CUBE platforms register to the same Virtual Account
holding a common pool of licenses
Location 1
Active
Standby
Stateful
Active
Standby
Stateful
600 Calls
HA Pair 1
HA Pair 2
31
BRKCOL-2125

#CLUS
Inbox Hardware or Software Redundancy:
• Stateful Switchover (SSO):ASR1006 with dual route
processors (control plane) and dual ESPs (forwarding
plane)
• Route Processor Redundancy (RPR):ASR1001/2/4
with software redundancy.
• Both options provide stateful failover.
• Required call volume up to 350 concurrent sessions.
• Active route processor registers to Smart virtual
account
• Standby route processor takes over registration on
failover
ASR1006/1006-x
Hardware Redundancy
Dual Forwarding Plane Hardware
Dual Control Plane Hardware
ASR1001/2/4
Software Redundancy
Active IOS Standby IOS
32
BRKCOL-2125

#CLUS
Lineside registrationproxy and survivability
• Acustomerusing a cloud call control serviceuses
CUBE for lineside optimization and survivability.
• ACUBE platform is deployed at four customersites.
• Each site has 25 handsets that registerto the cloud
service.
• 100 x CUBE-L-STD
• All CUBE platforms register to the same Virtual
Third Party Call Control
in SP Cloud
33
BRKCOL-2125

CUBE Version 12.x
License Migration
Classic CUBE (RTU) to
CUBE Smart Licenses

#CLUS
Migration Overview
• The following scenarios describe the valid migration paths to CUBE
Session Smart Licenses for customers that have purchased
Classic CUBE Right To Use (RTU) Session Licenses in the past.
• Take the time to understand each CUBE licensing migration case
to set expectations accordingly.
35
BRKCOL-2125

#CLUS
CUBE Migration Case A:
Legacy Platforms with RTU
Platform ISR G1, ISR G2, ASR1001, ASR1002
Licenses From: CUBE Classic Right To Use (RTU) Session Licenses
To: CUBE Version 12 Smart Session Licenses with SWSS
Migration • RTU licenses are node locked to the router for which they were purchased.
• Session Licenses may be used perpetually while the customer continues to use
their router, but have no residual value beyond this.
• Customers wishing to migrate to a newer hardware platform must
purchase new licenses using L-CUBE with a minimum of 12 months
SWSS.
Note • ISR G1 Hardware End of Support: 31 October 2016
• ISR G2 Hardware End of Support: 31 December 2022
• ASR1001/2 Hardware End of Support: 30 April 2021
36
BRKCOL-2125

#CLUS
CUBE Migration Case B:
Current Platforms with RTU
Platform ISR4000, ASR1001-X, ASR1002-X, ASR1004(RP2), ASR1006(RP2), CSR1000V
Licenses From: CUBE Classic Right To Use (RTU) Session Licenses
Migration • RTU session licenses are intended to provide perpetual entitlement for the platform for
which they were purchased.
• Customers wishing to use IOS XE software beyond version 16.9 may apply to purchase
replacement session licenses as follows:
a) RTU session licenses must have been purchased after 1 October 2014.
b) Sales Order details for RTU purchases must be provided.
c) At least 12 months SWSS must be purchased for all new session
licenses.
A DSA for purchase of new licenses with up to 100% discount may be
requested if conditions a, b and c are met.
Notes If preferred, customers may continue to use CUBE 12.x (IOS XE 16.9.x software) with their
RTU licenses. Net new licenses would be required when upgrading to CUBE 14 in 2020.
37
BRKCOL-2125

#CLUS
CUBE Migration Case C:
Cisco ONE licenses
Platform All Cisco ONE™ Compatible Platforms
Licenses From: Cisco ONE Classic Right to Use (RTU) CUBE Session Licenses
Migration • Cisco ONE CUBE licenses provide RTU entitlement for their
associated platform.
• If covered by an active Cisco ONE SWSS contract, licenses may be
transferred to any compatible Cisco ONE licensed platform.
• Cisco ONE SWSS provides entitlement to router software upgrades.
• With Active Cisco ONE SWSS Cover, customers:
a) Migrate to Smart enabled L-CUBE licenses using the Product
Update Tool
b) Renew support with Collaboration SWSS for new licenses
• Without Active Cisco ONE SWSS Cover, refer to Case A or B.
Notes Customers with active Cisco ONE SWSS are encouraged to upgrade
licenses as soon as possible and not wait for their contract to expire.

#CLUS
Agenda
39
BRKCOL-2125

CUBE Architecture
ISR G2 vs ASR1K
vs ISR 4K vs
vCUBE (CUBE on
CSR1000v)

#CLUS
• CSR (Cloud Services Router) 1000v runs on a Hypervisor – IOS
XE without the router
Console Mgmt ENET Ethernet NICs
Flash / Disk
Memory
Virtual CPU
RP (control plane)
Chassis Mgr.
Forwarding Mgr.
IOS-XE
Kernel (incl. utilities)
ESP (data plane)
Chassis Mgr.
Forwarding Mgr.
QFP Client
/ Driver
FFP code
Hypervisor
Hardware
vSwitch NIC
GE GE
…
X86 Multi-Core CPU Memory Banks
ESXi Container
CUBE signaling CUBE media processing
CSR 1000v (virtual IOS-XE)
Virtual CUBE (CUBE on CSR 1000v)
Architecture
41
BRKCOL-2125

#CLUS
Virtual CUBE (CUBE on CSR 1000v) – Cont’d
• CSR1000v is a virtual machine, running on x86 server (no specialized hardware) with
physical resources are managed by hypervisor and shared among VMs
• Requires APPX (No TLS/SRTP) or AX (All vCUBE features) CSR licensing package to
access voice CLI and increase throughput from 100 kbps default. CUBE Licensing
follows ASR1K SKUs and still trust based
• No DSP based features (transcoding/inband-RFC2833 DTMF/ASP/NR) available
• vCUBE tracks only the next vSwitch interface resulting in SSO of vCUBE-HA only
due to software failures (active vCUBE crashing/reloading)
• vCUBE Tested Reference Configurations [UCS base-M2-C460, C220-M3S, ESXi
5.1.0 & 5.5.0]. ESXi 6.0 supported with IOS-XE 16.3.1 or later

#CLUS
Agenda
• Webex Calling – Local Gateway (LGW)
43
BRKCOL-2125

#CLUS
Step 1:
Configure CUCM to route calls to the edge SBC
SIP Trunk Pointing to CUBE
Standby
IP PSTN
A
TDM PBX
SRST
CME
MPLS
Enterprise
Branch Offices
Enterprise
Campus
CUBE with High
Availability
Active
CUBE
CUBE
PSTN is now
used only for
emergency
calls over
FXO lines
• Configure CUCM to route all PSTN
calls (central and branch) to CUBE
(Gig0/0 in our slides) via a SIP trunk
• Make sure all different patterns of
calls – local, long distance,
international, emergency,
informational etc.. are pointing to
CUBE 44
BRKCOL-2125

#CLUS
Step 2: Get details from SIP Trunk provider
Item SIP Trunk service provider requirement Sample Response
1 SIP Trunk IP Address (Destination IP Address for INVITES) 66.77.37.2 or DNS
2 SIP Trunk Port number (Destination port number for INVITES) 5060
3 SIP Trunk Transport Layer (UDP or TCP) UDP
4 Codecs supported G711, G729
5 Fax protocol support T.38
6 DTMF signaling mechanism RFC2833
7 Does the provider require SDP information in initial INVITE (Early
offer required)
Yes
8 SBC’s external IP address that is required for the SP to
accept/authenticate calls (Source IP Address for INVITES)
128.107.214.195
9 Does SP require SIP Trunk registration for each DID? If yes, what is
the username & password
No
10 Does SP require Digest Authentication? 408-944-7700
45
BRKCOL-2125

#CLUS
Step 3: Enable CUBE Application on Cisco routers
voice service voip
mode border-element license capacity 20  Required for Smart Licensing
allow-connections sip to sip  By default IOS/IOS-XE voice devices do not allow
an incoming VoIP leg to go out as VoIP
2. Configure any other global settings to meet SP’s requirements
voice service voip
media bulk-stats  To increment Rx/Tx counters on IOS-XE based platforms. W/O this CLI,
it will show 0/0 (CPU intensive CLI)
sip
early-offer forced
3. Create a trusted list of IP addresses to prevent toll-fraud
voice service voip
ip address trusted list  Applications initiating signaling towards CUBE, e.g. CUCM, CVP,
ipv4 66.77.37.2 ! ITSP SIP Trunk Service Provider’s SBC. IP Addresses from dial-peers with “session target
ipv4 10.10.1.20 ! CUCM ip” or Server Group are trusted by default and need not be populated here
sip
silent-discard untrusted  Default configuration starting XE 3.10.1 /15.3(3)M1 to mitigate TDoS Attack
1. Enable CUBE Application
46
BRKCOL-2125

#CLUS
Step 4: Configure Call routing on CUBE
• Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses
• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving call
legs to and from the PBX. Always bind LAN interface(s) on CUBE to LAN dial-peers, ensuring
SIP/RTP is sourced from the intended LAN interfaces(s)
• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending and
receiving call legs to and from the ITSP. Always bind CUBE’s WAN interface(s) to WAN dial-
peer(s).
10.10.1.21 128.107.214.195
66.77.37.2
10.10.1.20
47
BRKCOL-2125

#CLUS
SIP Normalization
More information at http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/118825-technote-sip-00.html
Incoming Outgoing
INVITE
sip:5551000@sip.com:5060
user=phone SIP/2.0
INVITE
sip:5551000@sip.com:5060
SIP/2.0
voice class sip-profiles 100
request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
Add user=phone for INVITEs
Modify a “sip:” URI to a “tel:” URI in INVITEs
Incoming Outgoing
INVITE
tel:2222000020
SIP/2.0
INVITE
sip:2222000020@9.13.24.6:5060
SIP/2.0
request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:1"
request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:1>"
request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:1>"
CUBE
CUBE
SIP profiles is a mechanism to normalise or customise SIP at the
network border to provide interop between incompatible devices
SIP incompatibilities arise due to:
• A device rejecting an unknown header (value
or parameter) instead of ignoring it
• A device expecting an optional header
value/parameter or can be implemented in
multiple ways
• A device sending a value/parameter that
must be changed or suppressed
(“normalised”) before it leaves/enters the
enterprise to comply with policies
• Variations in the SIP standards of how to
achieve certain functions
• With CUBE 10.0.1 SIP Profiles
can be applied to inbound SIP
messages as well
48
BRKCOL-2125

#CLUS
SIP Profile Configuration Example
• For tagging the rules:
rule 1 request INVITE sip-header Contact Modify “(.*)” “1;temp=xyz”
rule 2 request INVITE sip-header Supported Add “Supported: ”
• For inserting a rule between two rules using “before” option:
rule before 2 request INVITE sip-header To Modify “(.*)” “1;temp=abc”
rule 1 request INVITE sip-header Contact Modify “(.*)” “1;temp=xyz”
rule 2 request INVITE sip-header To Modify “(.*)” “1;temp=abc”
rule 3 request INVITE sip-header Supported Add “Supported: ”
before
option
The new rule has
been inserted
between #1 and
#3
49
BRKCOL-2125

#CLUS
Agenda
50
BRKCOL-2125

CUBE Dial-Peers
Advanced Call Routing

#CLUS 52
dial-peer voice 100 voip
description *Inbound LAN dial-peer. From CUCM to CUBE*
session protocol sipv2
incoming called-number 8T
voice-class sip bind control source-interface Gig0/0
voice-class sip bind media source-interface Gig0/0
dtmf-relay rtp-nte
codec g711ulaw
no vad
CUCM SIP Trunk ITSP SIP Trunk
CUBE
A
Outbound Calls
Outbound WAN Dial-Peer
Inbound LAN Dial-Peer
Inbound WAN Dial-Peer
Inbound Calls
Outbound LAN Dial-Peer
description *Outbound WAN dial-peer. From CUBE to SP*
destination-pattern 81[2-9]..[2-9]......$
session target ipv4:10.1.40.11
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
no vad
198.18.133.3
description *Inbound WAN dial-peer. From Provider to CUBE*
incoming uri via 200
dtmf-relay rtp-nte
codec g711ulaw
no vad
voice class uri 200 sip
host ipv4:10.1.40.11
description *Outbound LAN dial-peer. From CUBE to CUCM*
translation-profile outgoing CUBE_to_CUCM
destination-pattern +1408944....$
dtmf-relay rtp-nte
codec g711ulaw
no vad
10.1.40.11
G0/0 G0/1

#CLUS
CUCM SIP Trunk SP SIP Trunk
CUBE
A
Inbound LAN Dial-Peer
IP
PSTN
Inbound WAN Dial-Peer
Inbound Calls
Outbound Calls
Match based on
Called Number
Match based on
Calling number
1
Match Based on URI
of an incoming
INVITE message
Default Dial-Peer = 0
Exact Pattern
match
Host Name/IP
Address
User portion of
URI
Phone-number of
tel-uri
Received:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-
tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........
2
3
4
Priority
Understanding Inbound Dial-Peer Matching Techniques
53
BRKCOL-2125

#CLUS
Outbound Dial-Peer Matching Criteria Summary
Match based on
Called Number
CUCM SIP Trunk SP SIP Trunk
CUBE
A
Outbound LAN
Dial-Peer
IP
PSTN
Outbound WAN Dial-Peer
Inbound Calls
Outbound Calls
1
2
Exact Pattern
match
Host Name/IP
Address
User portion of URI
Phone-number of
tel-uri
Priority
Match Based on
URI of incoming
INVITE message
0
Match Based on DPG,
DPPP, COR/LPCOR if
configured
Received:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-
tag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........
54
BRKCOL-2125

#CLUS
Destination Server Group
• Supports multiple destinations (session targets) be defined in a group and
applied to a single outbound dial-peer
• Once an outbound dial-peer is selected to route an outgoing call, multiple
destinations within a server group will be sorted in either round robin or
preference [default] order
• This reduces the need to configure multiple dial-peers with the same
capabilities but different destinations. E.g. Multiple subscribers in a cluster
55
voice class server-group 1
hunt-scheme {preference | round-robin}
ipv4 1.1.1.1 preference 5
ipv4 2.2.2.2
ipv4 3.3.3.3 port 5065 preference 3
ipv6 2010:AB8:0:2::1 port 5065 preference 3
ipv6 2010:AB8:0:2::2
* DNS target not supported in server group
description Outbound DP
destination-pattern 1234
codec g711ulaw
dtmf-relay rtp-nte
session server-group 1

#CLUS
Multiple Number Patterns Under Same
Incoming/Outgoing Dial-peer
SIP Trunk SP SIP Trunk
CUBE
IP PSTN
A
(408)100-1010
(510)100-1010
(919)200-2010
2000
(510)100-1000
(408)100-1000
voice class e164-pattern-map 300
e164 200.
e164 510100100.
e164 408100100.
description Inbound DP via Calling
incoming calling e164-pattern-map 300
codec g729r8
voice class e164-pattern-map 400
url flash:e164-pattern-map.cfg
description Outbound DP via Called
destination e164-pattern-map 400
codec g711ulaw
! This is an example of the contents
of E164 patterns text file stored
in flash:e164-pattern-map.cfg
9192002010
5101001010
4081001010
<blank line>
Site A
Site B
Site C
Site A
Site B
Site C
G729 Sites
G711 Sites
Up to 5000 entries in a text file
56
Up to 1000 entries
in a pattern map

#CLUS
Destination Dial-peer Group
voice class dpg 10000
description Voice Class DPG for SJ
dial-peer 1001 preference 1
dial-peer 1003
!
description Inbound DP
incoming called-number 1341
destination dpg 10000
destination-pattern BAD
!
destination-pattern BAD.BAD
!
destination-pattern BAD.BAD.BAD
1. Incoming Dial-peer is first
matched 2. Now the DPG associated with
the INBOUND DP is selected
Received:
INVITE sip:1341@CUBE-IP-ADDRESS:5060
Sent:
INVITE sip:1341@10.1.1.3:5060
57
BRKCOL-2125

#CLUS
Multiple Tenants on CUBE
• Every Registrar/User Agent/ITSP connected to CUBE can be
considered a Tenant to CUBE
• Allows specific global configurations (CLI under sip-ua) for multiple
tenants such as specific SIP Bind for REGISTER messages
• Allows differentiated services for different tenants
59
BRKCOL-2125

#CLUS
“Voice class Tenant” Overview
Prior to Multi Tenancy
sip-ua
registrar 1 ipv4:60.60.60.60:9051 expires 3600
credentials username aaaa password 7 06070E204D realm aaaa.com
credentials username bbbb password 7 110B1B0715 realm bbbb.com
voice service voip
outbound-proxy ipv4:10.64.86.35:9057
bind control source-interface GigabitEthernet0/1
With Voice Class Tenant (Multi-Tenancy)
voice class tenant 1
credentials username bbbb password 7 110B1B0715 realm bbbb.com
E164 - aaaa
E164 - bbbb
Registrar - 1
Registrar - 2
E164 - aaaa
E164 - bbbb
Registrar - 1
Registrar - 1
OB Proxy 1 & Bind-1
OB Proxy 2 & Bind-2
• Most configs under “sip-ua” and “voice service voip” added in “voice class tenant <tag>”,
e.g. Registrar and Credentials CLI under tenant using different bind and outbound proxy
Global OB Proxy and Bind
60
BRKCOL-2125

#CLUS
Configuring Voice Class Tenant
• Configure voice class tenant
credentials number bbbb username bbbb password 7 110B1B0715 realm bbbb.com
bind media source-interface GigabitEthernet0/0
copy-list 1
early-offer forced
• Apply tenant to the desired dial-peer
destination-pattern 111
session target ipv4:10.64.86.35:9051
session transport udp
voice-class sip tenant 1
Apply Tenant to a
Dial-peer
Add new voice class
tenant
61
BRKCOL-2125

#CLUS
Agenda
62
BRKCOL-2125

#CLUS
External/PSTN Call Recording Options
• CUBE Controlled (Dial-peer based SIPREC)
• Based on SIPREC (RFC 6341, 7245, Metadata-draft-17, Protocol-draft-15), CUBE
sends metadata in XML format
• Dial-peer controlled, IP-PBX independent
• Source of recorded media (RTP only) is always CUBE (External calls only). For
SRTP-RTP calls, apply media forking CLI on the RTP leg only.
• Records both audio and video calls and supported with CUBE HA (Inbox or box-2-
box)
• CUCM NBR (Network Based Recording)
• CUCM Controlled, requires CUCM 10+ and UC Services API be enabled on CUBE
• Recording triggered by CUCM and this mode records only Audio calls
• Source of Recorded Media can be CUBE or Endpoint (BiB), CUBE as source
desired for PSTN calls
64
BRKCOL-2125

#CLUS
• Current recording architectures allow only one fork from each leg (in-
leg/out-leg) to only one recorder
• No support for forking secure RTP stream
• MiFiD II Compliance requirements:
• Support for more than one recorders
• High Availability (Redundancy)
• Secure forking
• Call scenarios support
• External calls (inbound/outbound from/to ITSP, PSTN calls)
• Internal calls (on-prem calls)
• Contact center
• Common Metadata
Existing Recording Architectures
66
BRKCOL-2125

#CLUS
• Media proxy is based on CUBE architecture
• Supports the same ISR 4Ks, ASR1Ks, CSR1K on which CUBE is supported
today
• Call Recording mechanism (triggers) is CUCM NBR based (GW based and
Phone BiB)
• Media proxy is designed to fork media to multiple recorders i.e. multiple
forked legs, and supports up to 5 recorders
• CUBE Media Proxy High Availability is also supported
• CUSP (Optional) supports Media proxy with recorder redundancy and load
balancing
• Secured forking (SRTP – SRTP)
CUBE Media Proxy: Overview
67
BRKCOL-2125

#CLUS
SIP
SIP
SP SIP
CUBE
RTP
RTP
Recorder1
CUCM NBR GW forking to Media Proxy
Media Proxy
Recorder2
Speech Analytics
RTP
CUCM NBR – GW
based recording
CUBE Media Proxy Prerequisites:
• IOS-XE: 16.10.1a or later
• Unified Communication Manager: 12.5+
• Validated with Verint recording solution
68
BRKCOL-2125

#CLUS
SIP
SIP
SP SIP
CUBE
RTP
Recorder1
Phone BiB forking to CUBE Media Proxy
Media Proxy Recorder2
Recorder3
RTP
Phone BiB
CUBE Media Proxy Prerequisites:
• IOS-XE: 16.10.1a or later
• Unified Communication Manager: 12.5+
• Validated with Verint recording solution
69
BRKCOL-2125

#CLUS
• Video call Recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported
• CUBE Media Proxy and CUBE cannot be co-located
CUBE Media Proxy: Design requirements
70
BRKCOL-2125

#CLUS
CUBE Media Proxy: Capacity for Various Platforms
71
Platform Max
CUBE
Calls
(CUBE Media Proxy Capacity)
Number of Recorders
One Two Three Four Five
4321 (4GB) 100 50 25 10 5 2
4331 (4GB) 500 250 125 60 30 15
4351 (4 GB) 1000 500 250 125 60 30
4431 (8 GB - CP) 3000 1500 750 375 185 90
4451 (8 GB - CP) 6000 3000 1500 750 375 185
1004/1006/
1006-X RP2 (16 GB)
16000 4500 3500 2500 2100 1800
BRKCOL-2125

#CLUS
Media Proxy:
• Amedia proxy platform used to fork calls
to 3 recording servers.
• Total concurrent call load is 50 calls.
• 150 x CUBE-MP-RED
• Only redundant licenses are available for
Media Proxy
Location 1
Active
50 Calls
Media Proxy
150
Recordings
72
BRKCOL-2125

#CLUS
Media Proxy:
• Active and Standby CUBE Media Proxies in HA
Redundancy Group (RG)
• Both Media Proxies must be in the same layer 2
network
• Total call load for HApair 150 calls, each forked
3 times.
• If active Media Proxy fails, stateful failover of all
calls to standby
• 450 x CUBE-MP-RED
• Both Media Proxy platforms register to the same
Virtual Account holding a common pool of
licenses
Location 1
Active
Standby
Stateful
HA Pair 1
150 Calls
Media Proxy
Media Proxy
73
BRKCOL-2125

#CLUS
Media Proxy:
• Amedia proxy platform used to fork calls to 3
recording servers.
• Total concurrent call load is 50 calls from
CUBE triggered using CUCM NBR
• 150 x CUBE-MP-RED for Media Proxy
• 50 X CUBE-T-STD for PSTN calls through
CUBE
• Only redundant licenses are available for
Media Proxy
Location 1
Active
50 Calls
Media Proxy
CUBE
150
Recordings
74
BRKCOL-2125

#CLUS
Agenda
75
BRKCOL-2125

#CLUS
Secure SIP Trunks with CUBE
CUBE
Gig0/0/1
Gig0/0/0
SP IP
Network
LAN WAN
TCP/UDP
SRTP
SIP TLS
RTP
• Interworking between all three transport types is supported : UDP/TCP/TLS
• IOS-XE based platforms do not require DSPs for SRTP-RTP interworking
• TLS Exclusivity can be configured with “transport tcp tls v1.2”
• NGE Crypto supported for SRTP-SRTP (IOS-XE 16.5.2) [Crypto A – Crypto
B], SRTP-RTP, SRTP pass-thru
77
BRKCOL-2125

#CLUS
IOS-XE 16.11.1 or later Security Readiness changes
• For IOS-XE 16.11.1 or later, a master key must be pre-configured for
passwords before it can used in authentication, credentials and/or
shared-secret CLIs
• Its mandatory to specify the encryption type for the password
• Type 6 passwords are encrypted using AES cipher and user defined
master key
• Master key is never displayed in the configuration
• If master key configuration is removed, Type 6 passwords can never
by decrypted which may result in authentication failure
78
BRKCOL-2125

#CLUS
IOS-XE 16.11.1+ Security Configuration Requirement
LocalGateway#conf t
LocalGateway(config)#key config-key password-encrypt Password123
LocalGateway(config)#password encryption aes
• If master key is not pre-configured, there will be an error shown when the
password is configured
LocalGateway(config-sip-ua)#authentication username ali password 0 hussain123
Failed type 6 encryption on password
• If password type 0 is used, it will be stored as type 6 AES encrypted password in
configuration
LocalGateway#show run | include credentials
credentials number Hussain6346_LGU username Hussain2572_LGU password
6 FbGXYVJVcPeMhMRFSFNINTIMZecQPD_Bbg realm BroadWorks
79
BRKCOL-2125

#CLUS
IOS-XE 16.11.1 Security Configuration Requirement
• Dial-peer, SIP-UA, Tenants, and STUN authentication credentials/shared
secrets will use the new Secure reversible encryption Type 6 AES format
password
LocalGateway(config-sip-ua)#authentication username ali password ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
• Type 6 only accepts password formats such as ”
YXMOEfOePAJhNCKXbU^CYYAR^aJJ`Sa_S”. Hence recommendation is to use
password type 0 which will be saved as type 6 in the configuration
• The encryption type 7 is supported in IOS XE Release 16.11.1a, but will be
deprecated in the later releases
80
BRKCOL-2125

#CLUS
Agenda
81
BRKCOL-2125

Webex Calling
(VAR Channel)
Local Gateway (LGW)

#CLUS
The Cisco Webex Calling Platform
• Fully-featured cloud PBX powered by proven technology
• Deployed in Geo-redundant Cisco Data Centers
• Partner sells the service, owns customer relationship
• Cisco owns and supports platform and service, can bring opportunities
INTERNET
Webex Calling Endpoints
Customer 1
Customer 2
83
Cisco Webex as the Platform
previously called BroadCloud
BRKCOL-2125

#CLUS
PSTN Options
Service Provider PSTN
• PSTN access through peering with the Webex Calling partner’s
service (common to all customers for that partner)
• PSTN service bundled with Webex Calling service by the partner
INTERNET Peering
Network
Partner X’s PSTN
Customer 1
Customer 2
Partner X’s Offer
Webex Calling (SP) – previously BroadCloud Calling
Webex Calling (VAR)
84
Cisco Webex Calling
BRKCOL-2125

#CLUS
PSTN Options
BYOPSTN with Local Gateway
• PSTN access through a Local Gateway device at customer site and
the customer’s PSTN service (SIP Trunk, PRI, …)
• PSTN service decoupled from Webex Calling service
Customer 1
PSTN
Access
Network
Partner X’s Offer
(future) Webex Calling (SP) – previously BroadCloud Calling
Webex Calling (VAR) – previously just Webex Calling
85
Cisco Webex Calling
BRKCOL-2125

#CLUS
Webex Calling PSTN Options
BYOPSTN with Partner-Hosted Local Gateway
Internet
• Partner hosts and manages customer’s
Local Gateway (e.g., vCUBE) in own Data
Center, connected OTT to Webex Calling
• Not recommended if on-premises PBX or
SBC is present (requires VPN between
Partner DC and customer network)
PSTN
Provider Z
PSTN
Provider Y
Customer 1
Customer 2
Customer 2’s
SIP Trunk
Customer 1’s
SIP Trunk
Partner X’s Data Center
Virtualized
Local GW’s
(future) Webex Calling (SP)
Webex Calling (VAR)
86
Cisco Webex Calling
BRKCOL-2125

#CLUS
PSTN Options
BYOSIP (Future)
Access
Network
• PSTN access through per-customer peering with SIP trunk
providers (independent of Webex Calling partner)
• PSTN service may be decoupled from Webex Calling service
PSTN
Provider Z
PSTN
Provider Y
Peering
Network
Customer 1
Customer 2
Partner X’s Offer
(future) Webex Calling (SP)
(future) Webex Calling (VAR)
Customer 1’s
SIP Trunk
Customer 2’s
SIP Trunk
87
Cisco Webex Calling
BRKCOL-2125

#CLUS
• Enables BYoPSTN option for Webex Calling
• Provides connectivity to a customer-owned
PSTN service
• May also provide connectivity to an on-
premises IP PBX or dedicated SBC/PSTN GW
• Endpoint registration is NOT proxied through
Local Gateway, unlike CUBE Lineside.
Endpoints directly register to BroadCloud over
the Internet.
• All communication between BroadCloud and
endpoints/LGW is secured (SIP TLS/sRTP)
Webex Calling (VAR Channel): Local Gateway
Customer Site
PSTN
Local
Gateway
Internet
SBC or
IP PBX
Cisco Webex Platform
(previously BroadCloud)
BRKCOL-2125 88

#CLUS
• Cisco CUBE (for IP-based connectivity) or
Cisco IOS Gateway (for TDM-based connectivity)
• Hardware and software requirements:
• ISR 4321, 4331, 4351, 4431, 4451 (IOS XE 16.9(3) and
16.11.1 or later)
• IOS-XE 16.10.x is not supported as Local Gateway for any platform
• CSR 1000v (vCUBE) (IOS XE 16.9(3) and 16.11.1 or later)
• ISR 1100 (July/August 2019 – IOS-XE 16.12.1 or later)
• CUBE calling licenses included in Webex Calling
Flex License
Note: platform requirements driven by encryption/decryption needs
(signaling/media to BroadCloud is always secure)
Local Gateway
Product Support in Phase 1
CUBE IOS-XE GW
Local Gateway (LGW)
BRKCOL-2125 89

#CLUS
• Standard CUBE feature support (no
need for dedicated hardware)
• Numbers in the table assume
dedicated Local GW
• Standard platform sizing using
sRTP-RTP concurrent session
numbers (based on IOS-XE 16.9(3))
• Number of corresponding users
depends on BHCA etc
Local Gateway
Feature Support and Platform Sizing
Reference: https://cisco.box.com/CUBE-Enterprise
Platform
sRTP-RTP
Sessions
ISR4321 40
ISR4331 125
ISR4351 250
ISR4431 750
ISR4451 1500
CSR1000V (1 vCPU) 225
CSR1000V (4 vCPU) 800
ISR1100 Series future
BRKCOL-2125 90

#CLUS
Access
Network
Local Gateway
Signaling, Media, and PSTN Connectivity Options
Provisioning Layer
Cisco BroadWorks
Access
SBC
Peering
SBC
Load
Balancers
Network
Functions
Customer Site
On-premises
SBC or IP PBX
PSTN
TDM
PSTN
IP
PSTN
Certificate
91
BRKCOL-2125

#CLUS
Local Gateway
Security and Authentication
Provisioning Layer
Cisco BroadWorks
Access
SBC
Peering
SBC
Load
Balancers
Network
Functions
Access
Network
Customer Site
PSTN
IP or TDM
Download signed
CA root bundle
from Cisco PKI
1 Cisco Trusted Core Root Bundle
(Public CA trust anchors)
1
2
Provision SIP digest credentials
generated by BroadCloud on LGW
2
TLS connection: LGW
validates SBC certificate
using CA root bundle
3
BroadCloud authenticates LGW
registration with SIP digest
4
3
4
Certificate
SIP Digest
Credentials
(offline)
92
BRKCOL-2125

#CLUS
Internet
• In most cases, Local Gateway and endpoints can sit on internal customer
network using private IP addresses with NAT (media latching in BroadCloud
SBC)
• Firewall needs to allow outbound traffic (SIP, RTP/UDP, HTTP) to specific IP
addresses/ports (see BroadCloud firewall and network configuration guide)
Local Gateway
Firewall and NAT traversal
Customer Site
Pinholes for outbound traffic
(return traffic uses same flow)
Customer
Firewall
BRKCOL-2125 93

#CLUS
Local Gateway
Firewall and NAT traversal – IP Addresses and Ports
(North America)
Customer
Site
Purpose Source IP Source ports Protocol Dest IP Dest ports
SIP signaling
LGW BroadCloud
facing interface
8000-65535 TLS TCP
199.59.65.0/25
199.59.66.0/25
199.59.70.0/25
199.59.71.0/25
8934
RTP media
LGW BroadCloud
facing interface
8000-48000* UDP
199.59.65.0/25
199.59.66.0/25
199.59.70.0/25
199.59.71.0/25
19560-65535
LGW
*: Default range. Can be reduced based on number of concurrent sessions (4 UDP ports per session)
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/broadcloud/webexcalling/customers/cisco
-webex-calling-configuration-
guide/cisco-webex-calling-configuration-guide_chapter_01101.html
North America
Region
BRKCOL-2125 94

Onboarding
Local
Gateway:
Step 1. Control Hub

#CLUS
1a. Log in to customer portal and navigate to
Services
97

#CLUS
1b. Navigate to Locations under Call options
BRKCOL-2125 98

#CLUS
1c. Local gateway configuration is on the footer of
the site card
BRKCOL-2125 99

#CLUS
1d. Can either create a new local gateway or select
existing one
BRKCOL-2125 100

#CLUS
1e. Once the customer has selected the desired local gateway,
they can save the local gateway for the given site.
Parameters on this display required for onboarding LGW in Step 2
101

#CLUS
1f. Local gateway has been assigned to the site
102
BRKCOL-2125

Onboarding
Local
Gateway:
Step 2. Control Hub
parameters into Cisco
IOS-XE platform

#CLUS
registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF
realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-
bcld.com
sip-server dns:40462196.cisco-bcld.com
connection-reuse
srtp-crypto 200
session transport tcp tls
url sips
error-passthru
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
no pass-thru content custom-sdp
sip-profiles 200
outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com
…
rule 1 request ANY sip-header SIP-Req-URI modify "sips:" "sip:"
rule 10 request ANY sip-header To modify "<sips:" "<sip:"
rule 11 request ANY sip-header From modify "<sips:" "<sip:"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:1;transport=tls>"
rule 13 response ANY sip-header To modify "<sips:" "<sip:"
rule 14 response ANY sip-header From modify "<sips:" "<sip:"
rule 15 response ANY sip-header Contact modify "<sips:" "<sip:"
rule 16 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
rule 17 request ANY sip-header P-Asserted-Identity modify "<sips:" "<sip:"
Parameters from Step 1e  LGW
CLI Config
104

Onboarding
Local
Gateway:
Step 3. Call Routing
on Local Gateway

#CLUS
• IP based Call Routing on Local Gateway has three key
considerations
1. All call routing is E.164 based
2. Whether the customer site(s) is also utilizing an on-prem IP PBX
such as Cisco UCM and the SIP trunking from an ITSP is
terminating on LGW itself or a dedicated SBC.
3. CUCM’s SIP Trunk towards LGW will utilize port 5065 to
distinguish from SIP Trunks pointing to a PSTN GW/CUBE (port
5060), which may be co-resident with the Local Gateway itself
Call Routing on Local Gateway
BRKCOL-2125 106

1. LGW
Deployment
Options w/o an
on-prem IP PBX

#CLUS
Call Routing
Single Local Gateway (can be shared across multiple
sites)
Customer A
PSTN
Local
Gateway
(Existing
PSTN GW)
BroadCloud sends calls that
do not match the customer’s
BroadCloud destinations to
the Local GW
Local GW routes calls
coming from BroadCloud to
the PSTN (and vice versa)
PSTN gateway may
be dedicated or
co-resident with
Local GW
108
BRKCOL-2125

#CLUS
host <pstn ip address>
! Or existing SBC / PSTN GW
description Incoming dial-peer from IP PSTN
destination dpg 200
voice class dpg 200
description Incoming IP PSTN(DP100) to BCLD(DP201)
description Outgoing dial-peer to IP PSTN
session target ipv4: <pstn ip address>
pattern dtg=hussain2572.lgu
! pattern uniquely identifies a Local gateway site within an
! Enterprise Trunk Group OTG/DTG from Control Hub
description Incoming dial-peer from BroadCloud
incoming uri request 200
destination dpg 100
voice class dpg 100
description Incoming BCLD(DP200) to IP PSTN(DP101)
description Outgoing dial-peer to BroadCloud
session target sip-server
Local Gateway
Local Gateway call routing to dedicated
PSTN GW/SBC or IP PSTN
IP PSTN
Existing SBC /
PSTN GW
109

2. LGW
Deployment
Options with an
IP PBX e.g. UCM

#CLUS
Call Routing
With an IP PBX/CUCM
Customer Site
PSTN
Local GW
PSTN
GW CUCM
• BroadCloud sends calls that
do not match the customer’s
BroadCloud destinations to
the Local GW
• Includes PSTN numbers and
CUCM internal extensions
(unknown to BroadCloud)
• CUCM routes incoming calls to
local destinations or to the PSTN
(per existing dial plan)
• Add route/translation patterns to
send calls for BroadCloud to Local
GW (normalized as +E.164’s)
Local GW routes calls
coming from BroadCloud
to CUCM (and vice
versa)
PSTN gateway may
be dedicated or
co-resident with
Local GW
111
BRKCOL-2125

#CLUS
2a. Unified CM with Dedicated PSTN GW
(Preferred Option)
• BroadCloud routes all calls that do
not match Customer’s BroadCloud
destinations to the Local GW
assigned to the site
• Includes PSTN destinations and CUCM
internal extensions
• Local GW routes all calls coming
from BroadCloud to CUCM (and vice
versa)
• CUCM routes calls to locally-
registered phones or to the PSTN
via a different SBC/GW
• Also possible to use the same router as
Local GW and PSTN gateway/SBC
Customer Site
PSTN
Local GW
Existing
SBC /
PSTN GW
CUCM
BRKCOL-2125 112

#CLUS
pattern :5065
! pattern matches the CUCM signaling via port for Webex
! Calling trunk to distinguish from PSTN SIP trunk at 5060
description Incoming dial-peer from CUCM to BCLD
destination dpg 200
voice class dpg 200
description Incoming CUCM (DP300) to BCLD(DP201)
description Outgoing dial-peer to CUCM
ipv4 <cucm-node-1> port 5065
! pattern uniquely identifies a Local gateway site within
! an Enterprise, Trunk Group OTG/DTG from Control Hub
destination dpg 300
voice class dpg 300
description Incoming BCLD (DP200) to CUCM(DP301)
session target sip-server
Local Gateway
2a. Local Gateway call routing to/from CUCM w/Dedicated PSTN
Unified CM
Existing SBC /
PSTN GW
5060
5065
BRKCOL-2125
113

#CLUS
2b. Unified CM with Co-located PSTN GW/SBC
and Local Gateway • BroadCloud routes all calls that
do not match Customer’s
BroadCloud destinations to the
Local GW assigned to the site
• Includes PSTN destinations and
on-net calls towards CUCM
internal extensions
• Local GW routes all calls to
Unified CM
• Unified CM routes calls to
locally-registered phones or to
the PSTN back via the Local
GW, which has PSTN/SBC
functionality co-located
PSTN
CUCM
CUBE and LGW
Customer Site
BRKCOL-2125 114

#CLUS
description Incoming dial-peer from PSTN
destination dpg 302
Local Gateway
2b. Local Gateway call routing to and from IP PBX
description Outgoing dial-peer to CUCM for inbound from PSTN
voice class dpg 302
ipv4 <cucm-node-1>
ipv4 <cucm-node-2>
ipv4 <cucm-node-3>
ipv4 <cucm-node-4>
ipv4 <cucm-node-5>
• Incoming calls matched based on
via URI
• Calls inbound from CUCM over 2
trunks to distinguish b/w PSTN and
BroadCloud destinations. The via
URI match is done based on port
• Outgoing calls routed via DPG and
Server-groups
IP PSTN
Unified CM
5060
115

#CLUS
Local Gateway
description Outgoing dial-peer to CUCM for inbound from Bcloud
voice class dpg 300
IP PSTN
Unified CM
! pattern uniquely identifies a Local gateway site
! within an Enterprise, Trunk Group OTG/DTG from
! Control Hub
destination dpg 300
5065
Received:
INVITE
sip:+16785551234@198.18.1.226:5061;transp
ort=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS
199.59.70.30:8934;branch=z9hG4bK2hokad30
fg14d0358060.1
116

#CLUS
pattern <cucm-nodes-ip-address and port-regex-for-pstn>
ex: pattern 10.1.2..*:5060 matches 10.1.2.X:5060 range
description Outgoing dial-peer to PSTN
session target ipv4:<pstn ip address>
voice class dpg 100
Local Gateway
description Incoming dial-peer from CUCM for IP PSTN
destination dpg 100
IP PSTN
Unified CM
5060
BRKCOL-2125 117

#CLUS
Local Gateway
pattern <cucm-nodes-ip-address and port-regex-for-bcloud>
description Incoming dial-peer from CUCM for BCloud
destination dpg 200
IP PSTN
Unified CM
session-target sip-server
voice class dpg 200
5065 BRKCOL-2125 118

#CLUS
pattern <cucm-nodes-ip-address and port-regex-for-pstn>
description Incoming dial-peer from PSTN
destination dpg 302
voice class dpg 100
description Outgoing dial-peer to PSTN
session target ipv4:<pstn ip address>
Local Gateway
description Incoming dial-peer from CUCM for pstn
destination dpg 100
description Outgoing dial-peer to CUCM for inbound from BroadCloud
description Outgoing dial-peer to CUCM for inbound from PSTN
voice class dpg 300
voice class dpg 302
…
ipv4 <cucm-node-1>
ipv4 <cucm-node-5>
pattern <cucm-nodes-ip-address and port-regex-for-bcloud>
description Incoming dial-peer from CUCM for bcloud
destination dpg 200
• Incoming calls matched based on via URI.
• Calls inbound from CUCM over 2 trunks to
distinguish b/w PSTN/BroadCloud. The via URI
match is done based on port
• Outgoing calls routed via DPG and Server-
groups
IP PSTN
Unified CM
! pattern uniquely identifies a Local gateway site within an
! Enterprise, Trunk Group OTG/DTG from Control Hub
destination dpg 300
voice class dpg 200
session-target sip-server
5065
5060

#CLUS
Terminology – Summary (Reference)
• Broadworks - Cloud PBX and UC application software from Broadsoft.
Purchased, branded, and deployed by SPs primarily
• Spark Call – Was also rebranded to Webex Calling about 2 years ago
• BroadCloud – Broadworks hosted in Broadsoft DCs (now Cisco data
centers). Rebranded to Cisco Webex as the Platform
• BroadCloud Calling – Cloud calling service sold by SP channel along
with PSTN service from the SP. Now known as Webex Calling (SP
Channel)
• Webex Calling powered by BroadCloud requires a Local gateway for
PSTN. Now known as Webex Calling (VAR Channel)
• Local Gateway (LGW) – Can be a CUBE or Voice GW (PRI-IP)
120
BRKCOL-2125

#CLUS
Key Takeaways & Roadmap (subject to change)
• Newer platforms support such as ISR1100 (July 2019), ISR4461, ASR RP3
• Fax detect on IOS-XE, Opus, Programmability (CUBE Yang model), mTLS
• Enterprise SBC (Cisco Unified Border Element – CUBE, Local Gateway - LGW) are
essential components of on-prem and Cloud-based Collaboration deployments
• Over 37,000 Enterprise customers all over the Globe
• Proven interoperability with 3rd party PBX vendors and different service providers around the
world (more than 165 countries)
• Email ASK-CUBE@EXTERNAL.CISCO.COM with your Box.com
account id (email) for access to the Box.com links below. Free Box.com
account is fine as well
• Complete feature Presentations, Lab Guide, Hands-on Lab access & Application Notes
https://cisco.box.com/CUBE-Enterprise
https://cisco.box.com/WebexCalling 121

Complete your
online session
evaluation
• Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
#CLUS BRKCOL-2125 122

#CLUS
Continue your education
123
BRKCOL-2125
Related sessions
Walk-in labs
Demos in the
Cisco campus
Meet the engineer
1:1 meetings

BRKCOL-2125.pdf

Recommended

Recommended

More Related Content

Similar to BRKCOL-2125.pdf

Similar to BRKCOL-2125.pdf (20)

Recently uploaded

Recently uploaded (20)

BRKCOL-2125.pdf