#CiscoLive
Deploying SIP Trunks with Cisco Unified Border Element (CUBE)
Hussain Ali, CCIE# 38068 (Voice, Collaboration), Technical Marketing Engineer
Dilip Singh, CCIE# 16545 (Collaboration), Technical Leader
DGTL-BRKCOL-2125
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• CUBE Overview, Deployments, and SIP Trunk Sizing
• CUBE Licensing Updates
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE (Call Routing, Multi-Tenancy)
• Call Recording & Intro to CUBE Media Proxy
• Securing Collab deployments with CUBE
• Futures & Key Takeaways

CUBE Overview and Deployments

On-Prem Collaboration Deployment (CUBE-T-STD)
[Diagram: Unified CM (10.10.1.20) on the Enterprise LAN; CUBE with Gig0/0 (10.10.1.21) facing the LAN and Gig0/1 (128.107.214.195) facing the WAN; ITSP SIP provider (66.77.37.2) across the WAN; PSTN PRI/FXO as TDM backup (not available in vCUBE); DEMARC marked on both sides of CUBE; SIP, H.323 and RTP shown on the trunk]

CUBE LineSide (previously NanoCUBE) Deployment Scenarios (CUBE-L-STD)
[Diagram: service provider call control reached over SIP by: a hosted-service small business CPE (NanoCUBE / CUBE LineSide on an 8xx or IAD); an enterprise with CUCM behind CUBE (SIP trunking); a small business TDM PBX behind an 8xx NanoCUBE (PRI to SIP); and a small business IP PBX behind CUBE (SIP trunking)]
• CUBE Lineside replaces NanoCUBE for the current CUBE platforms
• https://www.cisco.com/c/en/us/products/routers/800-series-routers/eos-eol-notice-listing.html
Branch CUBE Deployment with SRST Provisioned (CUBE-T-STD)
Branch with Unified SRST provisioned on the same platform as CUBE
[Diagram: SIP endpoints on the Enterprise LAN reach CUBE over SIP lineside via LAN dial-peers (Gig0/0); WAN dial-peers (Gig0/1) carry SIP trunkside to the ITSP (SIP provider) over the WAN; Unified CM in the data center is reached over the enterprise IP WAN; RTP flows between the legs; PSTN shown behind the provider]

Enabling compliance recording with CUBE Media Proxy (CUBE-MP-RED)
[Diagram: CUCM 12.5+, CUBE Enterprise, CUBE Media Proxy, Recorder1, Recorder2 and Speech Analytics, with the steps below numbered on the arrows]
0. CUCM registers to CUBE as an external XMF application (using the UC Gateway Services API – CUCM NBR)
1, 2. Initial call setup via CUBE Enterprise
3. CUCM sets up a SIP (recording) session with CUBE Media Proxy (offer/answer) with a dummy port
4. The Media Proxy destination IP/port obtained in step 3 is relayed by CUCM to CUBE via the XMF API interface (HTTP)
5. CUBE Enterprise starts forking the media streams to the Media Proxy (target IP/port received in step 4). The Media Proxy accepts the RTP because of media latching on the inbound leg from CUCM
6. The Media Proxy sets up SIP recording sessions with the three recorders for multi-forking. The ingress media stream from CUBE Enterprise is then multi-forked by the Media Proxy towards the three recorders simultaneously, using the destination IP/ports negotiated in the SIP offer/answer with the recorders

Webex Calling – Local Gateway Deployment
• Enables the BYoPSTN option for Webex Calling
• Provides connectivity to a customer-owned PSTN service
• May also provide connectivity to an on-premises IP PBX or a dedicated SBC/PSTN gateway
• Endpoint registration is NOT proxied through the Local Gateway, unlike CUBE Lineside. Endpoints register directly to Webex Calling over the Internet, eliminating the need for endpoint survivability
• All communication between Webex Calling and the endpoints/LGW is secured (SIP TLS/sRTP)
• IOS-XE 16.10.x is not supported. The latest IOS-XE 16.12 or 16.9 release is recommended
[Diagram: Cisco Webex Calling in the cloud, reached over the Internet by the Webex Calling endpoints and by the Local Gateway at the customer site; the Local Gateway connects to the PSTN and optionally to an SBC or IP PBX]

Deploying Cisco Webex Edge Audio with CUBE – high level overview
1. An on-premises telephone dials the Webex meeting number, or gets a call back from the Webex meeting, to be connected by audio into the meeting
2. Signaling is routed via the on-premises call control device (Unified CM) through the CUBE to the Webex Meetings audio service
3. Audio media (the sound) is routed from the Webex meeting to CUBE and then to the on-premises phone for callback, and the reverse for call-in
[Diagram: IP phone and Cisco Unified CM on the customer premises, CUBE at the edge, Webex Edge Audio / Meeting Z in the cloud; signaling and media paths drawn separately]

Cisco UCM Cloud – PSTN interconnect via customer premises/Local Gateway
• Customer/partner provides dual connections to Equinix for redundancy
• Cisco UCM Cloud has a redundant connection to Equinix at all colocations
• Customer has a local gateway (CUBE/PSTN GW) on premises to connect to the preferred PSTN provider
• SIP trunks are connected to the UCM Cloud service from the customer's local gateway
[Diagram: Cisco UCM Cloud ↔ Equinix ↔ customer premises over MPLS / SD-WAN / VPN; local gateway to the PSTN; signaling and media paths shown]
CUBE High Availability as Local Gateway
LGW HA solution with layer 2 box-to-box redundancy for call preservation
• CUBE HA active/standby model using virtual IP addresses
• Applicable to ISR 4K and vCUBE only
• Acts as a single Local Gateway from the Webex Calling point of view
• Support for Webex Calling deployments available from IOS-XE 16.12.2
• LGW HA cannot have TDM or analog interfaces co-located
[Diagram: CUBE-1 and CUBE-2 exchanging keepalives on GE0/0/2; LAN side on GE0/0/0 with LAN virtual IP 10.10.1.3 (redundancy rii 1) toward CUCM; WAN side on GE0/0/1 with WAN virtual IP 20.20.1.3 (redundancy rii 2) toward the WAN edge, the Internet, Cisco Webex Calling (40462196.cisco-bcld.com) and the IP PSTN (Y.Y.Y.Y); 10.10.1.10 also shown on the LAN]

CUBE Interoperability
• Validated with service providers world-wide
• Independently tested with third-party PBXs in tekVizion Labs
• Standards based
Proven interoperability and interworking with service providers worldwide.
Cisco Interoperability Portal (application notes): www.cisco.com/go/interoperability

Microsoft Teams Direct Routing – Solution Overview
Media Bypass disabled/off (without media bypass):
• Media traverses Microsoft's cloud media processor
• Media always flows through CUBE
[Diagram: Teams clients ↔ Microsoft-provided cloud ↔ Internet (SIP TLS / sRTP) ↔ CUBE at the customer site ↔ PSTN (SIP UDP / RTP, customer provided)]
CUBE Product Portfolio
[Chart, not to scale: CUBE (Enterprise) platforms plotted as calls per second (short duration, 30 s CHT) against active concurrent voice call capacity. Platforms, smallest to largest: ISR1100s (IOS-XE 16.12.1+), ISR-4K (4321, 4331), ISR 4351, ISR 4431, ISR 4451-X, ISR4461 (CUBE introduced in IOS-XE 17.2.1r), CUBE on CSR (vCUBE), ASR 1001-X, ASR 1002-X, ASR 1004/6/6-X RP2, ASR 1006-X with RP3 + ESP40/ESP100. CPS bands shown: <5, 4, 8-12, 15-20, 20-35, 50-100, 50-150. Capacity bands shown: <50, 500-600, 900-1000, 2000-2500, 4000, 4500-6000, 7000-10,000, 12K-14K, 14-16K. Chart annotations: "Starting IOS-XE 16.6", "Introducing CUBE on ISR4461 IOS-XE 17.2.1r", "IOS-XE 17.x does not support ESP20"]

CUBE Software Release Mapping
| CUBE version | Initial IOS-XE release for this CUBE version (release date) | Subsequent IOS-XE releases for this CUBE version |
|---|---|---|
| 11.5.2 | 16.3.2 / 16.4.1 (Nov 2016) | 16.3.3 – 16.3.9 / 16.4.2 – 16.4.3 |
| 11.6.0 | 16.5.1 (March 2017) | 16.5.1b – 16.5.3 |
| 12.0.0 | 16.6.1 (July 2017) | 16.6.2 – 16.6.8 |
| 12.0.0 | 16.7.1 (Nov 2017) | 16.7.2 – 16.7.3 |
| 12.1.0 | 16.8.1 (March 2018) | 16.8.2 – 16.8.3 |
| 12.1.0 | 16.9.1 (July 2018) | 16.9.2 – 16.9.4 – 16.9.5 |
| 12.5.0 | 16.10.1a (Nov 2018) | 16.10.2 – 16.10.3 |
| 12.6.0 | 16.11.1a (March 2019) | 16.11.1b |
| 12.7.0 | 16.12.1c (July 2019) | 16.12.1a – 16.12.3 – 16.12.4 |
| 12.7.1 | 17.1.1 (Nov 2019) | |
| 12.8.0 | 17.2.1r (March 2020) | |
| 14.0 | 17.3.1 (July 2020) | |
| TBD | 17.4.1 (Nov 2020) | |

SIP Trunk Sizing – Sizing CUBE Enterprise on-prem deployments
NOTE: Sizing information is only intended as a guideline. The actual session count will vary with the number of features turned on in the ISR/ASR/CSR alongside CUBE and with the IOS-XE version being used.
Testing Methodology – Testing Benchmark Guidelines
• Collab Calls – basic IP telephony calls, e.g. an IP phone registered to UCM making a PSTN call via a SIP trunk to CUBE
• Contact Center (UCCE) Calls – inbound PSTN calls on CUBE (ingress CUBE) for CVP treatment
• The platform is tested with a linear/constant call presentation rate (the presented CPS value) with one type of call flow. Call Hold Time (CHT) is set to 180 seconds
• CPS is the maximum sustainable average presentation rate. Higher instantaneous presentation rates are possible, but this is not tested
• Tests focus on the number of successful simultaneous (concurrent) active calls handled at around 70% CPU and memory utilization. The remaining buffer allows for other features that might be configured or required in IOS-XE
• All CUBE platforms are tested with static IP routing configured for the next hop

General Guidelines – CUBE Sizing Guidelines
• All deployments of CUBE must be done with the following memory:
  • 16 GB of memory for the ASR1K series
  • 8 GB (control plane memory) for the ISR4400 series
  • 4 GB for the ISR4300 series
  • 2 GB for the ISR G2 series
• Session count (end-to-end calls through CUBE) depends on the amount of memory in the box. Numbers listed in the datasheet are based on the above memory requirements being satisfied
• CUBE Media Proxy cannot be co-located with CUBE Enterprise
• CUBE HA has less than 5% impact on the number of sessions under full load
• CUBE + IOS-based S/W MTP co-location: 1 S/W MTP session on the platform = 1 CUBE IPT session when specific data tables are not available, and the combination must not exceed the total CUBE Collab numbers
• Complex call flows (Cisco UCCE) can reduce CPS and session count. With IOS-XE 16.12+, there is a significant performance gain for UCCE call flows
CUBE Sizing Guidelines (continued)
• SRTP with SIP TLS: numbers will vary based on the crypto algorithm and codec used. Encrypting a trunk is not free; the tables that follow quantify the cost per platform and cipher suite, and it should be budgeted for at design time
• SRTP pass-thru session count and CPS are the same as for RTP-RTP call flows
• SIP header manipulation through SIP profiles has less than 5% impact on the number of sessions. The impact of SDP manipulation is slightly higher than for SIP headers, for example 6% for changing the codec order in the m-lines
• Media forking for call recording can have a 50% impact on IPT session count regardless of the call type (IPT or UCCE) being recorded on CUBE Enterprise. This includes SIPREC, CUBE ORA with Cisco MediaSense, and CUCM NBR
• Performance numbers will be published for long-lived (July) releases [16.9, 16.12, 17.3, etc.]

Call Admission Control (CAC)
• Call processing capacity for any CUBE instance is influenced by several considerations, including software version, features configured and the platform itself
• To ensure that calls continue to be processed reliably, configure Call Admission Control as follows to reject new calls when use of system resources exceeds 80%. Refer to the CUBE Configuration Guide for further details

  enable
  conf t
  call threshold global cpu-avg low 75 high 80
  call threshold global total-mem low 75 high 80
  call treatment on
  end

• The low/high pair gives hysteresis: once average CPU or total memory use crosses the high mark (80%), new calls receive the configured call treatment until usage falls back below the low mark (75%). Calls already in progress are not affected. This also bounds the damage from a call flood, since the box sheds new calls instead of exhausting CPU or memory
• show call active total-calls lists the total number of concurrent calls on a CUBE platform

Collab Calls – Basic IP Telephony Audio Calls
CUBE IP Telephony Session Capacity Summary
CUBE SIP-SIP audio sessions (flow-through), RTP(G711)-RTP(G711)
| Platform | Session count, IOS-XE 16.6 or earlier | Session count, IOS-XE 16.12+ | Sustainable CPS, IOS-XE 16.12+ |
|---|---|---|---|
| 1100 series (default DRAM) | N/A | 500 | 5 |
| 4321 | 100 | 500 | 4 |
| 4331 | 500 | 1000 | 10 |
| 4351 | 1000 | 2000 | 13 |
| 4431 | 3000 | 3000 | 15 |
| 4451 | 6000 | 6000 | 40 |
| 4461 | N/A | 10000 (17.2.1r) | 55 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 900 | 1000 | 5 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 900 | 3000 | 20 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 3250 | 6000 | 30 |
| ASR1001-X | 12000 | 12000 | 50 |
| ASR1002-X | 14000 | 14000 | 55 |
| ASR1006-X RP3 ESP40/ESP100 | 16000 | 16000 | 65 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 16000 | 70 |

¹ CSR1Kv figures in all the tables on these slides are based on tests using a Cisco UCS C240 host with Intel Xeon 6132 2.60 GHz processors running VMware ESXi 6.0.

Collab Calls – Encrypted Audio Calls (SRTP-RTP, SRTP-SRTP)

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+) – encrypted audio calls with SHA1_80, sRTP(G711)-RTP(G711)
| Platform | RTP(G711)-RTP(G711) sessions (16.12+) | Impact of sRTP on IPT | sRTP(G711)-RTP(G711) sessions | CPS |
|---|---|---|---|---|
| 1100 series (default DRAM) | 500 | 40% | 300 | 2 |
| 4321 | 500 | 40% | 300 | 1 |
| 4331 | 1000 | 40% | 600 | 3 |
| 4351 | 2000 | 62.5% | 750 | 4 |
| 4431 | 3000 | 75% | 750 | 4 |
| 4451 | 6000 | 65% | 2100 (16.12.2) | 11 |
| 4461 | 10000 (17.2.1r) | 1% | 9900 | 55 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6 |
| ASR1001-X | 12000 | 79% | 2700 | 13 |
| ASR1002-X | 14000 | 55% | 6500 | 36 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 78% | 3500 | 20 |

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12.1) – encrypted audio calls with GCM128, sRTP(G711)-RTP(G711)
| Platform | RTP(G711)-RTP(G711) sessions | Impact of sRTP on IPT | sRTP(G711)-RTP(G711) sessions | CPS |
|---|---|---|---|---|
| 1100 series (default DRAM) | 500 | 40% | 300 | 2 |
| 4321 (4 GB) | 500 | 40% | 300 | 1 |
| 4331 (4 GB) | 1000 | 40% | 600 | 3 |
| 4351 (4 GB) | 2000 | 62.5% | 750 | 4 |
| 4431 (8 GB) | 3000 | 75% | 750 | 4 |
| 4451 (8 GB) | 6000 | 65% | 2100 | 11 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6 |
| ASR1001-X (16 GB) | 12000 | 80% | 2400 | 13 |
| ASR1002-X (16 GB) | 14000 | 57% | 6000 | 32 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 80% | 3200 | 18 |

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12.1) – encrypted audio calls with GCM256, sRTP(G711)-RTP(G711)
| Platform | RTP(G711)-RTP(G711) sessions | Impact of sRTP on IPT | sRTP(G711)-RTP(G711) sessions | CPS |
|---|---|---|---|---|
| 1100 series (default DRAM) | 500 | 40% | 300 | 2 |
| 4321 (4 GB) | 500 | 40% | 300 | 2 |
| 4331 (4 GB) | 1000 | 40% | 600 | 4 |
| 4351 (4 GB) | 2000 | 62.5% | 750 | 4 |
| 4431 (8 GB) | 3000 | 75% | 750 | 4 |
| 4451 (8 GB) | 6000 | 65% | 1080 | 6 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 70% | 300 | 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 3000 | 67% | 1000 | 6 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 6000 | 82% | 1080 | 6 |
| ASR1001-X (16 GB) | 12000 | 83% | 2000 | 10 |
| ASR1002-X (16 GB) | 14000 | 68% | 4500 | 25 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 83% | 2700 | 15 |

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12.1) – encrypted audio SHA1_80 – GCM128, sRTP(G711)-sRTP(G711)
| Platform | RTP(G711)-RTP(G711) sessions | Impact of sRTP on IPT | sRTP(G711)-sRTP(G711) sessions | CPS |
|---|---|---|---|---|
| 1100 series (default DRAM) | 500 | 70% | 150 | 1 |
| 4321 (4 GB) | 500 | 70% | 150 | 1 |
| 4331 (4 GB) | 1000 | 70% | 300 | 2 |
| 4351 (4 GB) | 2000 | 81% | 375 | 2 |
| 4431 (8 GB) | 3000 | 87.5% | 375 | 2 |
| 4451 (8 GB) | 6000 | 91% | 540 | 3 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 85% | 150 | 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 3000 | 83.3% | 500 | 3 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 6000 | 91% | 540 | 3 |
| ASR1001-X (16 GB) | 12000 | 92% | 1000 | 6 |
| ASR1002-X (16 GB) | 14000 | 79% | 3000 | 16 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 91% | 1500 | 9 |

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12.1) – encrypted audio SHA1_80 – GCM256, sRTP(G711)-sRTP(G711)
| Platform | RTP(G711)-RTP(G711) sessions | Impact of sRTP on IPT | sRTP(G711)-sRTP(G711) sessions | CPS |
|---|---|---|---|---|
| 1100 series (default DRAM) | 500 | 70% | 150 | 1 |
| 4321 (4 GB) | 500 | 70% | 150 | 1 |
| 4331 (4 GB) | 1000 | 70% | 300 | 2 |
| 4351 (4 GB) | 2000 | 81% | 375 | 2 |
| 4431 (8 GB) | 3000 | 87.5% | 375 | 2 |
| 4451 (8 GB) | 6000 | 91% | 540 | 3 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 1000 | 85% | 150 | 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 3000 | 83.3% | 500 | 3 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 6000 | 91% | 540 | 3 |
| ASR1001-X (16 GB) | 12000 | 92% | 1000 | 5 |
| ASR1002-X (16 GB) | 14000 | 82% | 2500 | 14 |
| ASR1004/6/6-X RP2/ESP40 | 16000 | 91% | 1500 | 8 |

Encrypted Video Calls (SRTP-RTP, SRTP-SRTP)
CUBE Encrypted Video Session Capacity [H.264 QCIF (15 FPS, 64 kbps)] (IOS-XE 16.12+). Columns are session count / CPS for each cipher suite; sRTP(G711)-RTP(G711) and sRTP(G711)-sRTP(G711) are the deck's own column labels for the encrypted video flows.
| Platform | SHA1_80, sRTP-RTP | GCM128, sRTP-RTP | GCM256, sRTP-RTP | SHA1_80 – GCM128, sRTP-sRTP | SHA1_80 – GCM256, sRTP-sRTP |
|---|---|---|---|---|---|
| 1100 series (default DRAM) | 100 / 1 | 50 / 1 | 50 / 1 | 50 / 1 | 50 / 1 |
| 4321 (4 GB) | 100 / 1 | 50 / 1 | 50 / 1 | 50 / 1 | 50 / 1 |
| 4331 (4 GB) | 180 / 1 | 100 / 1 | 100 / 1 | (not recoverable from the extracted slide) | 110 / 1 |
| 4351 (4 GB) | 180 / 1 | 120 / 1 | 110 / 1 | 130 / 1 | 130 / 1 |
| 4431 (8 GB) | 180 / 1 | 100 / 1 | 100 / 1 | 115 / 1 | 115 / 1 |
| 4451 (8 GB) | 540 / 3 | 180 / 1 | 180 / 1 | 180 / 1 | 180 / 1 |
| CSR1Kv – 1 vCPU¹ (4 GB) | 180 / 1 | 180 / 1 | 180 / 1 | 180 / 1 | 180 / 1 |
| CSR1Kv – 2 vCPU¹ (4 GB) | 180 / 1 | 540 / 1 | 180 / 1 | 180 / 1 | 180 / 1 |
| CSR1Kv – 4 vCPU¹ (8 GB) | 540 / 3 | 540 / 3 | 540 / 3 | 180 / 1 | 180 / 1 |
| ASR1001-X (16 GB) | 900 / 5 | 360 / 2 | 360 / 2 | 360 / 2 | 360 / 2 |
| ASR1002-X (16 GB) | 2300 / 13 | 900 / 5 | 900 / 5 | 900 / 5 | 900 / 5 |
| ASR1004/6/6-X RP2/ESP40 (16 GB) | 1250 / 7 | 540 / 3 | 540 / 3 | 540 / 3 | 540 / 3 |

Contact Center Calls
CUBE Session Capacity for UCCE (IOS-XE 16.12+), RTP(G711)-RTP(G711)
| Platform | IPT session capacity (16.12+) | UCCE capacity prior to IOS-XE 16.12 | UCCE call capacity (16.12+) | Impact of UCCE on IPT | UCCE CPS |
|---|---|---|---|---|---|
| 1100 series | 500 | N/A | 500 | 0% | 5 |
| 4321 | 500 | 125 | 500 | 0% | 3 |
| 4331 | 1000 | 250 | 1000 | 0% | 7 |
| 4351 | 2000 | 500 | 1500 | 25% | 8 |
| 4431 | 3000 | 750 | 1800 | 40% | 10 |
| 4451 | 6000 | 1500 | 3600 | 40% | 20 |
| 4461 | 10000 (17.2.1) | N/A | 4680 | 53% | 26 |
| CSR1Kv – 1 vCPU¹ | 1000 | 250 | 500 | 50% | 3 |
| CSR1Kv – 2 vCPU¹ | 3000 | 750 | 3000 | 0% | 20 |
| CSR1Kv – 4 vCPU¹ | 6000 | 1500 | 4250 | 29% | 24 |
| ASR1001-X | 12000 | 3000 | 4250 | 65% | 24 |
| ASR1002-X | 14000 | 3500 | 4250 | 70% | 24 |
| ASR1004/6/6-X RP2 | 16000 | 4000 | 4500 | 72% | 25 |
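The tables above give, per platform, the share of IPT session capacity that each call type costs. The following calculator is an added example, not code from the Cisco deck: it converts a mixed profile of concurrent calls into IPT-equivalent sessions with ratio = 1 / (1 − impact), counts each recorded call's forked leg as one extra IPT session the way the deck's sizing exercise does, derates capacity by 5% for a CUBE HA pair per the sizing guidelines, and (going beyond the deck's single-platform exercise) re-costs the same profile against each platform's own impact figures to find the smallest box that fits. The 4351/4431/4451 capacities and impacts (UCCE, SRTP-RTP with SHA1_80, SRTP-SRTP with SHA1_80 – GCM128) are taken from the tables; the dictionary layout, function names and the sample profile are this example's own.

```python
"""Added example: CUBE sizing calculator built on the impact tables above."""

# Per-platform IPT capacity and per-call-type impact on IPT session count,
# IOS-XE 16.12+, taken from the tables in this deck. An impact of 0.40
# means the platform carries only 60% as many such calls as plain
# RTP(G711)-RTP(G711) IPT calls. Keys and structure are this example's own.
PLATFORMS = {
    "4351": {"ipt_capacity": 2000,
             "impact": {"ipt": 0.0, "ucce": 0.25,
                        "srtp_rtp_sha1_80": 0.625, "srtp_srtp_sha1_80": 0.81}},
    "4431": {"ipt_capacity": 3000,
             "impact": {"ipt": 0.0, "ucce": 0.40,
                        "srtp_rtp_sha1_80": 0.75, "srtp_srtp_sha1_80": 0.875}},
    "4451": {"ipt_capacity": 6000,
             "impact": {"ipt": 0.0, "ucce": 0.40,
                        "srtp_rtp_sha1_80": 0.65, "srtp_srtp_sha1_80": 0.91}},
}

HA_DERATE = 0.95  # CUBE HA costs under 5% of sessions at full load (sizing guidelines)


def ipt_ratio(impact: float) -> float:
    """IPT sessions consumed by one call whose type has the given impact.

    A type with impact p leaves (1 - p) of the IPT capacity, so one such call
    is worth 1 / (1 - p) IPT sessions: 0.40 -> 1.67, 0.65 -> 2.86, 0.91 -> 11.11.
    """
    if not 0.0 <= impact < 1.0:
        raise ValueError("impact must be in the range [0, 1)")
    return 1.0 / (1.0 - impact)


def ipt_equivalent(profile: dict, platform: str, recorded_calls: int = 0) -> int:
    """Convert {call_type: concurrent_calls} into IPT-equivalent sessions.

    Each term is rounded to the nearest session, as the deck's worked example
    does. A recorded call costs one extra IPT session for its forked leg (the
    50% media-forking impact), so recorded legs are added at a ratio of 1.00
    on top of the calls themselves.
    """
    impact = PLATFORMS[platform]["impact"]
    total = 0
    for call_type, count in profile.items():
        if count < 0:
            raise ValueError(f"negative call count for {call_type}")
        total += round(count * ipt_ratio(impact[call_type]))
    return total + recorded_calls


def utilization(profile: dict, platform: str, recorded_calls: int = 0,
                ha_pair: bool = False) -> float:
    """Fraction of the platform's published IPT capacity the profile consumes."""
    capacity = PLATFORMS[platform]["ipt_capacity"]
    if ha_pair:
        capacity = int(capacity * HA_DERATE)
    return ipt_equivalent(profile, platform, recorded_calls) / capacity


def smallest_platform(profile: dict, recorded_calls: int = 0,
                      ha_pair: bool = False):
    """Smallest listed platform whose IPT capacity covers the profile, or None.

    The profile is re-costed against each platform's own impact figures,
    since the percentages differ per model (the 4351 pays 25% for UCCE,
    the 4451 pays 40%).
    """
    by_size = sorted(PLATFORMS, key=lambda p: PLATFORMS[p]["ipt_capacity"])
    for platform in by_size:
        if utilization(profile, platform, recorded_calls, ha_pair) <= 1.0:
            return platform
    return None


# Constructed profile matching the deck's sample ISR4K sizing exercise.
SAMPLE_PROFILE = {"ipt": 500, "ucce": 100,
                  "srtp_rtp_sha1_80": 50, "srtp_srtp_sha1_80": 100}

if __name__ == "__main__":
    load = ipt_equivalent(SAMPLE_PROFILE, "4451", recorded_calls=100)
    print(f"4451 IPT-equivalent load: {load}")  # 2021, as on the sizing slide
    for platform in PLATFORMS:
        u = utilization(SAMPLE_PROFILE, platform, recorded_calls=100)
        print(f"{platform}: {u:.0%} of IPT capacity")
    print("smallest fit:", smallest_platform(SAMPLE_PROFILE, recorded_calls=100))
```

The published capacities are measured at roughly 70% CPU and memory, so a profile that fits here still leaves the headroom the CAC thresholds on the earlier slide rely on; a profile that does not fit on any listed platform returns None rather than a misleading oversubscription figure.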
Sample ISR4K CUBE Sizing
• An enterprise is considering a 4451-X for their collab deployment with the following requirements:
  • 500 unencrypted IPT calls
  • 100 Contact Center (CC) calls
  • Record all CC calls (= 100 IPT calls)
  • 50 SRTP-RTP audio calls with SHA1-80
  • 100 SRTP-SRTP audio calls
• 4451 capacity: 6000 IPT calls

| Call type | % impact (4451, from the tables above) | Ratio to IPT calls |
|---|---|---|
| IPT calls | N/A | 1.00 |
| UCCE | 40% | 1.67 |
| Recorded legs | 50% | 1.00 |
| SRTP-RTP | 65% | 2.86 |
| SRTP-SRTP | 91% | 11.11 |

The ratio is 1 / (1 − impact): a call type that costs 40% of IPT capacity is worth 1.67 IPT sessions. Recording is counted differently: its 50% impact means a recorded call costs one extra IPT session for the forked leg, so the recorded legs are added at 1.00 on top of the calls themselves.

  500 unencrypted IPT calls × 1.00 = 500
+ 100 Contact Center calls × 1.67 = 167
+ Record all CC calls = 100 IPT calls × 1.00 = 100
+ 50 SRTP-RTP audio calls with SHA1-80 × 2.86 = 143
+ 100 SRTP-SRTP audio calls × 11.11 = 1111
TOTAL capacity in terms of IPT count = 2021 (of the 6000 IPT calls available on the 4451)

CUBE Licensing Updates

CUBE Licensing – Platform Licensing prior to enabling CUBE
Before CUBE can be configured and licensed, platform technology and throughput licensing is required.
• Ensure the appropriate license for using TLS on the platform is enabled
• For Cisco ISR 1000 and Cisco ISR 4000 series, UCK9 and SecurityK9 are required (SecurityK9 is what unlocks the crypto features SIP TLS and SRTP depend on):

  license boot level uck9
  license boot level securityk9

• For Cisco Cloud Services Router 1000 series virtual routers, configure both the feature and the required throughput levels.
The example below shows the CLI required for 1 Gbps throughput, how to increase the memory configuration, and how to enable the AX package (all licensed options):

  license boot level ax
  platform hardware throughput level MB 1000
  platform memory add 4000

• For Cisco ASR 1000 series routers, Advanced IP Services (or Advanced Enterprise Services) is required:

  license boot level advipservices
  license boot level adventerprise

CUBE Licensing Offer – What is Smart Licensing?
• Smart Licensing is a Cisco-wide initiative that provides a License Inventory Management System, giving customers, Cisco and selected partners information about license ownership and use
• All licenses are delivered directly to your cloud-based Cisco Smart Software Manager (CSSM) account, allowing you to control where they are used and monitor how they are used
• Smart Licenses do not require PAK registration, so no more PAKs
• Smart licenses entitle the CUSTOMER, not the product instance. Licenses are not node-locked
• Licenses are pooled for flexible use by devices registered to the same account

Cisco Unified Border Element (CUBE) – SIP Trunking to a Provider
• The Cisco Unified Border Element (CUBE) feature set delivers Session Border Controller (SBC) functionality for Cisco IOS router platforms, enabling highly secure voice and video connectivity between an enterprise IP network and service provider trunk services
• CUBE performs four critical functions of an SBC:
  • Policy-based session management
  • Security enforcement
  • Protocol and media interworking
  • Network demarcation
[Diagram: premise-based call control (IP-PBX) ↔ CUBE (certified demarcation) ↔ SIP service connection over MPLS, VPN or Internet ↔ provider PE-SBC]
Simplifying the CUBE Trunk Offer

Current (100+ PIDs, EoS 15 June 2019):
• CUBE License – 5 Sessions (FL-CUBEE-5)
• CUBE License – 5 Sessions Red (FL-CUBEE-5-RED)
• CUBE License – 25 Sessions (FL-CUBEE-25)
• CUBE License – 25 Sessions Red (FL-CUBEE-25-RED)
• CUBE License – 100 Sessions (FL-CUBEE-100)
• CUBE License – 100 Sessions Red (FL-CUBEE-100-RED)
• CUBE License – Cisco ONE (1 Session) (C1-CUBEE-STD)
• CUBE License – Cisco ONE (1 Session Red) (C1-CUBEE-RED)
• CUBE License – ASR 100 Sessions Red (FLASR1-CE-100R)
• CUBE License – ASR 500 Sessions Red (FLASR1-CE-500R)
• CUBE License – ASR 1,000 Sessions Red (FLASR1-CE-1KR)
• CUBE License – ASR 4,000 Sessions Red (FLASR1-CE-4KR)
• CUBE License – ASR 16,000 Sessions Red (FLASR1-CE-16KR)
• CUBE License – C1 ASR 100 Sessions / C1 ASR 100 Sessions Red / C1 ASR xxxx Sessions xx (C1-A-ASR1CUBEE100P, C1-A-ASR1CUBEE100R, C1-A-ASR CUBEE…) +SWSS

Simplified (2 options, 3 PIDs):
• CUBE Trunk Standard License – 1 Session (CUBE-T-STD) +SWSS
• CUBE Trunk Redundant License – 1 Session (CUBE-T-RED) +SWSS
• Upgrade to Trunk Redundant License – 1 Session (CUBE-T-RED-UP) +SWSS

CUBE session licenses are common across ISR, CSR and ASR platforms and can be pooled in a Smart Virtual Account.
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.
As part of the migration to Smart and SWSS-enabled licensing for CUBE, all $0 licenses from router bundles will be removed by the end of April 2019. The Product Bulletin can be accessed at https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/bulletin-c25-742073.html

What's included in a Trunk License?
• One inbound leg: any protocol, any media
• One outbound leg: any protocol, any media
• One SIP forked leg: local or API controlled
• Secure media: encrypt, decrypt, re-encrypt
• Media transcoding, transrating and DTMF interworking
• Advanced header manipulation
• Multiple media sessions per call
• Call handling policy via XCC API
• Stateful High Availability* (* requires the CUBE Redundant Trunk license)

CUBE Offers with Smart Licensing – Cisco Unified Border Element (CUBE) Smart License Options (top level "L-CUBE")
Trunk (simplified new offer):
• CUBE Standard Trunk License – 1 Session (CUBE-T-STD) +SWSS
• CUBE Redundant Trunk License – 1 Session (CUBE-T-RED) +SWSS
• Upgrade to Redundant Trunk License – 1 Session (CUBE-T-RED-UP) +SWSS
Lineside (new offer):
• CUBE Lineside License – 1 Session (CUBE-L-STD) +SWSS
Media Proxy (new offer):
• CUBE Media Proxy License – 1 Forked Session (CUBE-MP-RED) +SWSS
Cisco Software Support Service (SWSS) is required for a minimum of 12 months when purchasing CUBE session license(s). SWSS provides access to software maintenance, updates, upgrades and technical support.
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.

Cisco Unified Border Element (CUBE) Lineside (new offer)
• CUBE Lineside features complement third-party call control in SP-cloud-hosted call control solutions with:
  • SIP proxy registration of IP phones (Cisco MPP or 3rd party)
  • Service continuity should the hosted service become unavailable
Note: Lineside licenses do not entitle use of trunk features.
Note: NanoCUBE RTU licenses will remain available for ISR800 series products only.
[Diagram: IP phones ↔ CUBE Lineside (certified demarcation) ↔ business Internet lineside connection ↔ PE-SBC ↔ hosted SIP service (cloud-based call control)]
Cisco Unified Border Element (CUBE) Media Proxy (new offer)
• Standalone application that extends CUBE trunk session forking to allow a call to be replicated up to five times, for media recording redundancy and load balancing, and for call analytics
• Supports Mandatory and Optional recorder policy:
  • Mandatory: the Media Proxy tries to fork to the mandatory recorder first. Forking to the remaining recorders only happens after the connection to the first recorder is successful
  • Optional: the default policy. The Media Proxy establishes connections to all recorders, even if any of the recorders fail
• Secured forking (SRTP – SRTP)
• CUBE Media Proxy call scenarios:
  • External calls (inbound/outbound from/to ITSP, PSTN calls)
  • Internal calls (on-prem calls)
  • Contact center
[Diagram: Unified CM and an employee's phone ↔ customer CUBE SBC ↔ CUBE Media Proxy ↔ Recording Server 1, Recording Server 2, Recording Server 3]

The Road to Smart Licensing
| | IOS XE 16.6 to 16.9 | IOS XE 16.10 | IOS XE 16.11 to 17.1 | IOS XE 17.2 to 17.3 |
|---|---|---|---|---|
| Platform Technology Licensing | Smart Licensing optional | Smart Licensing mandatory | Smart Licensing mode is mandatory; continued CSSM registration required to enable CUBE features | Smart Licensing mode is mandatory; continued CSSM registration required to enable CUBE features |
| CUBE Licensing | Paper RTU only | Paper RTU only | Smart Licensing only*; trunk license requests set by manual configuration; no license policing (calls continue if out of compliance) | Smart Licensing only*; trunk license requests set dynamically by usage; no license policing (calls continue if out of compliance) |

* From IOS XE 16.11, Smart License offers are required for all CUBE features. Only trunk license usage is reported to CSSM at this time.
CSR1000v (virtual router running vCUBE) requires Smart Licensing.
Cisco Public 52 License Reporting • • • • • • License consumption reporting in IOS XE releases 16.11, 16.12 and 17.1 are manually configured using the mode border-element license capacity command. With these releases, license capacity reporting is both static and optional CUBE platforms must be registered to the Smart Licensing server, even if license capacity is not configured. Call processing will be shut down if a device is not registered and the evaluation period has expired. Call processing will not be limited if the number of sessions exceeds the license capacity configuration, nor if the license request is ‘out of compliance’. Some of the scenarios in the following slides describe license pooling. To ensure that the correct number of licenses are consumed from the virtual account, it is suggested that the average number of licenses required is configured on each device. The “Configured for” information provides guidance on how to configure this. Starting IOS XE release 17.2.1, license use is calculated dynamically and the license capacity option has been deprecated. #CiscoLive DGTL-BRKCOL-2125 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 53 CUBE Version 12.x Deployment Examples / Smart Licensing Scenarios Session quantities in the following example scenarios are provided for illustration purposes only. Refer to CUBE performance documentation when selecting an appropriate platform to meet required call processing loads. #CiscoLive DGTL-BRKCOL-2125 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 55 Customer Deployment Scenario 1a #CiscoLive DGTL-BRKCOL-2125 Active 50 Calls Location 2 Active 50 Calls © 2020 Cisco and/or its affiliates. All rights reserved. 
Cisco Public Configured for 50 licenses • The same Virtual Account holding a common pool of 100 licenses • Different Virtual Accounts, each with 50 licenses Location 1 Configured for 50 licenses Separate Deployments • Two active CUBEs in separate locations • No Box to Box redundancy (Redundancy Group HA) • No load balancing • Each location processes up to 50 sessions at any time. License Requirement: • 100 x CUBE-T-STD • CUBE platforms may register to: 56 Customer Deployment Scenario 1b #CiscoLive DGTL-BRKCOL-2125 Active 50 Calls Active 50 Calls Configured for 50 licenses • The same Virtual Account holding a common pool of 100 licenses • Different Virtual Accounts, each with 50 licenses Location 1 Configured for 50 licenses Separate Deployments • Two active CUBEs in the same location • No Box to Box redundancy (Redundancy Group HA) • No load balancing • Each CUBE processes up to 50 sessions at any time. License Requirement: • 100 x CUBE-T-STD • CUBE platforms may register to: © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 57 Customer Deployment Scenario 2a DGTL-BRKCOL-2125 Active 200 Calls Location 2 Configured for 100 licenses #CiscoLive Location 1 Configured for 100 licenses Geographic (Active-Active) Load Balancing • Two active CUBEs in separate locations • No Box to Box redundancy (Redundancy Group HA) • Load balancing provided by SP or with CUSP • Total call load across both locations up to 200 concurrent sessions. License Requirement: • 200 x CUBE-T-STD • CUBE platforms register to the same Virtual Account holding a common pool of licenses Active © 2020 Cisco and/or its affiliates. All rights reserved. 
Customer Deployment Scenario 2b: Active-Active Load Balancing within a Location
• Two active CUBEs in the same location, each configured for 100 licenses
• No box-to-box redundancy (Redundancy Group HA)
• Load balancing provided by the SP or with CUSP
• Total call load across both CUBEs up to 200 concurrent sessions
License requirement:
• 200 x CUBE-T-STD
• CUBE platforms register to the same Virtual Account holding a common pool of licenses

Customer Deployment Scenario 3: Box-to-Box High Availability (HA) with Call Preservation
• Active and standby CUBEs in an HA Redundancy Group (RG) with stateful call preservation; each configured for 250 licenses
• Both CUBEs must be in the same layer 2 network
• Total call load up to 250 concurrent sessions
License requirement:
• 250 x CUBE-T-RED
• Both CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Only the active CUBE reports license usage

Customer Deployment Scenario 4a: Box-to-Box HA with Call Preservation within a Location and Geographic Load Balancing across Locations
• One pair of High Availability CUBEs (active and stateful standby) in an RG at each site; each CUBE configured for 300 licenses
• Geographic load balancing provided by the SP or with CUSP
• Total call load up to 600 concurrent sessions across locations
• If an active CUBE fails, stateful failover of the local load to its standby
• If location 1 fails, all of its calls fail; the total load is then serviced by the active CUBE at site 2
License requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Only active CUBEs report license usage

Customer Deployment Scenario 4b: Box-to-Box HA with Call Preservation and Load Balancing within a Location
• Two pairs of High Availability CUBEs in separate RGs at the same site; each CUBE configured for 300 licenses
• Load balancing across the HA pairs provided by the SP or with CUSP
• Total call load for the location up to 600 concurrent sessions
• If an active CUBE fails, stateful failover of the local load to its standby
• If HA pair 1 fails, all of its calls fail; the total load is then serviced by the active CUBE in HA pair 2
License requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses

Customer Deployment Scenario 4c: Box-to-Box HA with Call Preservation at the Primary Site and Load Transfer to a Minimal, Virtualized DR Site
• One pair of High Availability CUBEs in an RG at the primary site, each configured for 250 licenses, processes all calls during normal operation
• A single CUBE at the DR site, also configured for 250 licenses
• If the active CUBE fails, stateful failover of the load to the standby at the primary site
• On complete failure of the primary site, traffic is rerouted to the Disaster Recovery site by the SP
• Total call load up to 500 concurrent sessions
License requirement:
• 500 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Active CUBEs report license usage
• The redundant licenses cover the standard license requirement of the DR site; the Smart Account will show borrowing of 250 STD licenses from the RED pool

Customer Deployment Scenario 5: In-Box Hardware or Software Redundancy
• Stateful Switchover (SSO): ASR1006/1006-X with dual route processors (control plane) and dual ESPs (forwarding plane), i.e. redundant control-plane and forwarding-plane hardware
• Route Processor Redundancy (RPR): ASR1001/2/4 with software redundancy (active and standby IOS instances)
• Both options provide stateful failover
• Required call volume up to 350 concurrent sessions
License requirement:
• 350 x CUBE-T-STD
• The active route processor registers to the Smart virtual account
• The standby route processor takes over the registration on failover
Customer Deployment Scenario 6: Lineside Registration Proxy and Survivability
• A customer using a cloud call control service (third-party call control in the SP cloud, reached through the provider's PE-SBC over business Internet) uses CUBE for lineside optimization and survivability
• A Lineside CUBE is deployed at each of four customer sites
• Each site has 25 handsets that register to the cloud service
License requirement:
• 100 x CUBE-L-STD
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Note: CUBE lineside license use is not currently reported to CSSM

CUBE Version 12.x License Migration: Classic CUBE (RTU) to CUBE Smart Licenses
Migration overview
• The following scenarios describe the valid migration paths to CUBE Session Smart Licenses for customers who have purchased Classic CUBE Right To Use (RTU) Session Licenses in the past.
• Take the time to understand each CUBE licensing migration case to set expectations accordingly.

CUBE Migration Case A: Legacy Platforms with Classic RTU Licenses
Platform: ISR G1 (2800/3800), ISR G2 (2900/3900), ASR1001, ASR1002
Licenses: from CUBE Classic Right To Use (RTU) Session Licenses to CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Classic RTU CUBE session licenses are node-locked to the router for which they were purchased.
• RTU session licenses remain valid for as long as the customer uses that router and the model has not reached End of Support. The licenses have no residual value beyond this point.
• Customers wishing to migrate to a newer hardware platform must purchase new licenses using L-CUBE with a minimum of 12 months SWSS.
Note (hardware End of Support):
• ISR G1: 31 October 2016
• ISR G2: 31 December 2022
• ASR1001/2: 30 April 2021

CUBE Migration Case B: Current Platforms with Classic RTU Licenses
Platform: ISR4000, ASR1001-X, ASR1002-X, ASR1004 (RP2), ASR1006 (RP2), CSR1000V
Licenses: from CUBE Classic Right To Use (RTU) Session Licenses to CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Classic RTU session licenses are intended to provide perpetual entitlement for the hardware platform for which they were purchased.
• Customers wishing to use software beyond IOS-XE version 16.9.x may apply to purchase replacement CUBE Version 12 session licenses as follows:
  a) The same or more RTU session licenses must have been purchased since 1 Oct 2014.
  b) Sales Order details for the RTU purchases must be provided.
  c) At least 12 months SWSS must be purchased at standard customer discount for all CUBE session licenses ordered.
• A discount of up to 100% on CUBE license PIDs will be supported through a DSA if conditions a, b and c are met and documented in the deal request.
Notes:
• The migration offer detailed above will remain available until the End of Sale of CUBE Version 12 licenses (early 2021). Thereafter, standard discounts will apply to the purchase of all CUBE licenses and support.
• Customers may continue to use CUBE 12.1 (IOS XE 16.9.x) with Classic RTU session licenses.

CUBE Migration Case C: Cisco ONE RTU Licenses
Platform: all Cisco ONE compatible platforms
Licenses: from Cisco ONE Classic Right to Use (RTU) CUBE Session Licenses to CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Cisco ONE CUBE session licenses (C1-CUBE*) provide RTU entitlement for their associated platform.
• If covered by an active Cisco ONE SWSS contract, the licenses may be transferred to any compatible Cisco ONE licensed platform.
• Cisco ONE SWSS provides entitlement to router software upgrades.
• With active Cisco ONE SWSS contract coverage, customers:
  a) migrate to Smart-enabled CUBE Version 12 session licenses (MIG-CUBE-C1-STD and MIG-CUBE-C1-RED) using My Cisco Enhancements (MCE);
  b) renew support with Collaboration SWSS for the CUBE session licenses.
• Without active Cisco ONE SWSS contract coverage, refer to Case A or B. This includes all "free" CUBE licenses included with C1 bundles.
Notes:
• Customers with an active Cisco ONE SWSS contract are encouraged to update their CUBE Cisco ONE RTU licenses to Smart as soon as possible and not wait for their contract to expire.

Migration Offers for CUBE Licenses
• Cisco ONE licenses without SWSS: no migration; new licenses required, purchased with SWSS
• Cisco ONE licenses with SWSS: use PUT to purchase $0 migration SKUs
• RTU licenses on an End-of-Sale platform: no migration; new licenses required, purchased with SWSS
• RTU licenses on a current platform: no migration; 100% license discount when purchased with SWSS
More information on Sales Connect.

Section: CUBE Architecture (Physical & Virtual)
CUBE Architecture: Physical vs Virtual
Virtual CUBE (CUBE on CSR 1000v) Architecture
• The CSR (Cloud Services Router) 1000v runs on a hypervisor: IOS XE without the router
[Architecture diagram: an ESXi container hosts the CSR 1000v (virtual IOS-XE). The RP (control plane) runs IOS-XE with the Chassis Manager, Forwarding Manager and the CUBE signaling code; the ESP (data plane) runs the QFP client/driver, FFP code and CUBE media processing; a kernel with utilities sits on the virtual CPU, memory, flash/disk, console, management Ethernet and Ethernet NICs. Underneath, the hypervisor and vSwitch run on x86 multi-core CPU, memory banks and GE NIC hardware.]

Virtual CUBE (CUBE on CSR 1000v), continued
• The CSR1000v is a virtual machine running on an x86 server (no specialized hardware); physical resources are managed by the hypervisor and shared among VMs
• Requires the APPX (no TLS/SRTP, so no encrypted signaling or media) or AX (all vCUBE features) CSR licensing package to access the voice CLI and to raise throughput from the 100 kbps default. CUBE licensing uses the L-CUBE top-level SKU
• No DSP-based features (transcoding, in-band to RFC 2833 DTMF, ASP, NR)
• vCUBE tracks only the next vSwitch interface, so SSO of a vCUBE HA pair is triggered only by software failures (the active vCUBE crashing or reloading)
• vCUBE Tested Reference Configurations: UCS C460-M2 (base) and C220-M3S with ESXi 5.1.0 and 5.5.0. ESXi 6.0 is supported with IOS-XE 16.3.1 or later; ESXi 6.7 with IOS-XE 17.3.1 or later

Applicable Roadmap [Subject to Change]
• March 2021, IOS-XE 17.5.1: CUBE support in AWS / Azure
Section: Transitioning to SIP Trunking using CUBE

Step 1: Configure CUCM to route calls to the edge SBC
• Configure CUCM to route all PSTN calls (central and branch) to CUBE (Gig0/0 in our slides) via a SIP trunk pointing to CUBE; in the reference design CUBE is deployed with high availability (active and standby) at the enterprise campus, and the branch offices reach it over the MPLS WAN
• Make sure all call patterns (local, long distance, international, emergency, informational, etc.) point to CUBE
• The PSTN is now used only for emergency calls over FXO lines at the branches (SRST/CME sites and TDM PBXs)

Step 2: Get details from the SIP trunk provider
Item | SIP trunk service provider requirement | Sample response
1 | SIP trunk IP address (destination IP address for INVITEs) | 66.77.37.2 or DNS name
2 | SIP trunk port number (destination port for INVITEs) | 5060
3 | SIP trunk transport layer (UDP or TCP) | UDP
4 | Codecs supported | G.711, G.729
5 | Fax protocol support | T.38
6 | DTMF signaling mechanism | RFC 2833
7 | Does the provider require SDP in the initial INVITE (early offer required)? | Yes
8 | SBC external IP address required for the SP to accept/authenticate calls (source IP address for INVITEs) | 128.107.214.195
9 | Does the SP require SIP trunk registration for each DID? If yes, what are the username and password? | No
10 | Does the SP require digest authentication? | 408-944-7700

Step 3: Enable the CUBE application on Cisco routers
1. Enable the CUBE application
voice service voip
 mode border-element
 allow-connections sip to sip
→ mode border-element enables CUBE; the capacity keyword has been deprecated.
→ By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP; allow-connections sip to sip permits it.

2. Configure any other global settings needed to meet the SP's requirements
voice service voip
 media bulk-stats
 sip
  early-offer forced
→ media bulk-stats increments the Rx/Tx counters on IOS-XE platforms; without it they show 0/0 (CPU-intensive CLI).
→ early-offer forced makes CUBE send SDP in the initial INVITE (item 7 in Step 2).

3. Create a trusted list of IP addresses to prevent toll fraud
voice service voip
 ip address trusted list
  ipv4 66.77.37.2   ! ITSP SIP trunk
  ipv4 10.10.1.20   ! CUCM
 sip
  silent-discard untrusted
→ List the applications that initiate signaling towards CUBE, e.g. CUCM, CVP, the service provider's SBC. IP addresses used as dial-peer session targets ("session target ipv4:") or in a server group are trusted by default and need not be listed here.
→ Rejecting calls from untrusted sources is the default configuration starting with IOS XE 3.10.1 / IOS 15.3(3)M1, to mitigate toll fraud and TDoS attacks. silent-discard untrusted goes one step further and drops such requests without any SIP response, so a scanner gets no indication that an SBC is listening.

Step 4: Configure call routing on CUBE
• Dial-peer: a "static routing" table mapping phone numbers to interfaces or IP addresses
• LAN dial-peers: dial-peers facing the IP PBX (CUCM, 10.10.1.20 in our slides) for call legs to and from the PBX. Always bind CUBE's LAN interface(s) (10.10.1.21) to the LAN dial-peers, ensuring SIP/RTP is sourced from the intended LAN interface(s)
• WAN dial-peers: dial-peers facing the SIP trunk provider (66.77.37.2) for call legs to and from the ITSP. Always bind CUBE's WAN interface(s) (128.107.214.195) to the WAN dial-peers

OPUS codec support on CUBE [IOS-XE 17.3.1]
• The Opus codec is supported for both secure and non-secure calls
• RTP-to-RTP, SRTP-to-SRTP, SRTP-to-RTP and RTP-to-SRTP
• A codec profile defines the optional Opus media format (fmtp) parameters for a call: maxaveragebitrate, maxplaybackrate, stereo, sprop-maxcapturerate, sprop-stereo, usedtx, useinbandfec

OPUS codec considerations
• Transcoding and transrating with Opus are not supported on CUBE
• If the received SDP has multiple fmtp lines, only the first fmtp line is passed in the outbound INVITE
• Media recording is not supported with Extended Media Forking (XMF) [CUCM network-based recording, gateway preferred]
• SIPREC is supported
• rtp payload-type opus <number> under dial-peer configuration sets the payload type used for Opus
• From IOS-XE 17.3.1, the default payload type for Opus is 114. Previously 114 was reserved for cisco-codec-aacld, which has moved to 112; beginning with IOS-XE 17.3.1 the default payload type for cisco-codec-aacld is 112
• Codec profile configuration is not mandatory unless in a delayed-offer to early-offer (DO-EO) call: since CUBE is the offerer in a DO-EO call, it takes the fmtp parameters from the profile

OPUS configurations
Dial-peer level:
CUBE(config)#dial-peer voice 786 voip
CUBE(config-dial-peer)#codec opus profile 2
CUBE(config-dial-peer)#rtp payload-type opus 114   (default value is 114)
Global level:
CUBE(config)#codec profile 2 opus
CUBE(conf-codec-profile)#fmtp "fmtp:114 maxplaybackrate=16000; sprop-maxcapturerate=16000; maxaveragebitrate=20000; stereo=1; sprop-stereo=0; useinbandfec=0; usedtx=0"
Voice class codec level:
CUBE(config)#voice class codec 80
CUBE(config-class)#codec preference 1 opus profile 2
Applicable Roadmap [Subject to Change]
• Nov 2020, IOS-XE 17.4.1: codec reordering with the voice class codec priority list, i.e. rewrite the codec list for EO-EO sessions according to the VCC priority list, ignoring the incoming SDP's codec order

SIP Normalization
SIP profiles are a mechanism to normalize or customize SIP at the network border to provide interoperability between incompatible devices.
SIP incompatibilities arise because:
• A device rejects an unknown header (value or parameter) instead of ignoring it
• A device expects an optional header value/parameter, or one that can be implemented in multiple ways
• A device sends a value/parameter that must be changed or suppressed ("normalised") before it leaves or enters the enterprise, to comply with policy
• The SIP standards allow variations in how certain functions are achieved
• With CUBE 10.0.1, SIP profiles can be applied to inbound SIP messages as well

Example 1: add user=phone to INVITEs
Incoming:  INVITE sip:5551000@sip.com:5060 SIP/2.0
Outgoing (after CUBE):  INVITE sip:5551000@sip.com:5060;user=phone SIP/2.0
voice class sip-profiles 100
 rule 1 request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
 rule 2 request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Example 2: modify a "sip:" URI to a "tel:" URI in INVITEs
Incoming:  INVITE sip:2222000020@9.13.24.6:5060 SIP/2.0
Outgoing (after CUBE):  INVITE tel:2222000020 SIP/2.0
voice class sip-profiles 100
 rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
 rule 20 request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
 rule 30 request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"
More information at http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/118825-technote-sip-00.html
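The rule semantics described above, modelled in Python as an added example (illustration only, not code from this deck or from IOS): a profile is a list of method-scoped header rewrites applied to one SIP request, with "SIP-Req-URI" addressing the request line. The tel: URI rules use the slide's regexes as written; the user=phone rule is adapted to Python's re dialect (it anchors on the trailing " SIP/2.0" of the request line) because the IOS regex engine differs. The sample INVITE, the "Alice" From header and the re-INVITE detection by To tag are constructed assumptions.

```python
"""CUBE 'voice class sip-profiles' normalization, modelled as an added
illustration (not Cisco code). A Rule mirrors
    rule N request <METHOD> sip-header <Header> modify "<match>" "<replace>"
and fires only for requests of that method ("ANY" fires for all).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    method: str        # "INVITE", "REINVITE", ... or "ANY"
    header: str        # header name, or "SIP-Req-URI" for the request line
    match: str         # Python re pattern (IOS dialect differs)
    replace: str


# Slide example 1 (rules 1 and 2), adapted to Python's re: append ;user=phone
# to the Request-URI by rewriting the end of the request line.
USER_PHONE_PROFILE = [
    Rule("INVITE", "SIP-Req-URI", r" SIP/2\.0$", ";user=phone SIP/2.0"),
    Rule("REINVITE", "SIP-Req-URI", r" SIP/2\.0$", ";user=phone SIP/2.0"),
]

# Slide example 2 (rules 10, 20, 30), patterns verbatim: sip: URI to tel: URI.
TEL_URI_PROFILE = [
    Rule("INVITE", "SIP-Req-URI", r"sip:(.*)@[^ ]+", r"tel:\1"),
    Rule("INVITE", "From", r"<sip:(.*)@.*>", r"<tel:\1>"),
    Rule("INVITE", "To", r"<sip:(.*)@.*>", r"<tel:\1>"),
]


def parse(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP message into request line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def method_of(request_line: str, headers: List[Tuple[str, str]]) -> str:
    """An INVITE inside an established dialog (To carries a tag) is a REINVITE."""
    method = request_line.split(" ", 1)[0]
    to = dict((n.lower(), v) for n, v in headers).get("to", "")
    if method == "INVITE" and ";tag=" in to:
        return "REINVITE"
    return method


def apply_profile(raw: str, rules: List[Rule]) -> str:
    """Apply every matching rule in order and re-serialize the message."""
    request_line, headers, body = parse(raw)
    method = method_of(request_line, headers)
    for rule in rules:
        if rule.method not in ("ANY", method):
            continue
        if rule.header == "SIP-Req-URI":
            request_line = re.sub(rule.match, rule.replace, request_line)
        else:
            headers = [(n, re.sub(rule.match, rule.replace, v)
                        if n.lower() == rule.header.lower() else v)
                       for n, v in headers]
    return "\r\n".join([request_line, *(f"{n}: {v}" for n, v in headers)]) + "\r\n\r\n" + body


def request_line_of(raw: str) -> str:
    return raw.split("\r\n", 1)[0]


# Constructed INVITE using the slide's second example request line.
SAMPLE_INVITE = (
    "INVITE sip:2222000020@9.13.24.6:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-1\r\n"
    'From: "Alice" <sip:1000@10.1.1.1>;tag=1\r\n'
    "To: <sip:2222000020@9.13.24.6>\r\n"
    "Call-ID: 1-23955@10.1.1.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(apply_profile(SAMPLE_INVITE, TEL_URI_PROFILE))
```

Because the rules are scoped by method, a BYE or an in-dialog re-INVITE passes through the tel: profile untouched, which is the behaviour to check when a profile is meant to normalise only call setup.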
Applicable Roadmap [Subject to Change]
• Nov 2020, IOS-XE 17.4.1: conditional SIP header modification, i.e. apply a SIP profile rule only if certain condition(s) are met. For example, remove the Diversion header if its content contains 41 but NOT no-answer:
 request ANY sip-header Diversion remove "(/==/41)(/!=/no-answer)"

Section: Advanced features on CUBE (Call Routing, Multi-Tenancy)

CUBE Dial-Peers: Advanced Call Routing
Topology: the CUCM SIP trunk faces Gig0/0 and the ITSP SIP trunk faces Gig0/1; as configured below, the ITSP SBC is 10.1.40.11 and CUCM is 198.18.133.3. Outbound calls are matched by the inbound LAN dial-peer and routed by the outbound WAN dial-peer; inbound calls are matched by the inbound WAN dial-peer and routed by the outbound LAN dial-peer.

dial-peer voice 100 voip
 description *Inbound LAN dial-peer. From CUCM to CUBE*
 session protocol sipv2
 incoming called-number 8T
 voice-class sip bind control source-interface Gig0/0
 voice-class sip bind media source-interface Gig0/0
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

dial-peer voice 201 voip
 description *Outbound WAN dial-peer. From CUBE to SP*
 destination-pattern 81[2-9]..[2-9]......$
 session protocol sipv2
 session target ipv4:10.1.40.11
 session transport udp
 voice-class sip bind control source-interface Gig0/1
 voice-class sip bind media source-interface Gig0/1
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

dial-peer voice 200 voip
 description *Inbound WAN dial-peer. From Provider to CUBE*
 session protocol sipv2
 incoming uri via 200
 voice-class sip bind control source-interface Gig0/1
 voice-class sip bind media source-interface Gig0/1
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
voice class uri 200 sip
 host ipv4:10.1.40.11

dial-peer voice 101 voip
 description *Outbound LAN dial-peer. From CUBE to CUCM*
 translation-profile outgoing CUBE_to_CUCM
 destination-pattern +1408944....$
 session protocol sipv2
 session target ipv4:198.18.133.3
 voice-class sip bind control source-interface Gig0/0
 voice-class sip bind media source-interface Gig0/0
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

Operational dial-peer binding: live bind of interfaces [CSCve59988]
• CUBE allows the source IP address of signalling and media packets to be set by binding an interface at the global (voice service voip), dial-peer or tenant (voice class tenant) level
• Prior to IOS-XE 17.3.1, binding an interface that has active calls to a new dial-peer does not take effect
• Additionally, the bind all CLI is not present at the dial-peer level prior to IOS-XE 17.3.1
• Beginning with IOS-XE 17.3.1, a live bind (active calls on the same interface) can be done at both the dial-peer and the tenant level

Pre IOS-XE 17.3.1 behaviour: live bind of an interface at the dial-peer level, where the interface has live calls using a different dial-peer and the same interface is bound on a new dial-peer [CLI output shown on the slide]
IOS-XE 17.3.1 behaviour: the same live bind at the dial-peer level [CLI output shown on the slide]
Bind all CLI at the dial-peer level
• The bind all CLI was present only at the global and tenant levels prior to IOS-XE 17.3.1
Prior to IOS-XE 17.3.1:
CUBE(config-dial-peer)#voice-class sip bind ?
  control  bind only SIP control packets
  media    bind only SIP media packets
Starting IOS-XE 17.3.1:
CSR25(config)#dial-peer voice 786 voip
CSR25(config-dial-peer)#voice-class sip bind ?
  all      bind both SIP control and media packets
  control  bind only SIP control packets
  media    bind only SIP media packets

Understanding Inbound Dial-Peer Matching Techniques
Priority | Match based on
1 | URI of the incoming INVITE message (host name/IP address, user portion of the URI, or phone number of a tel URI); exact pattern match
2 | Called number
3 | Calling number
4 | Default dial-peer 0
Topology: the inbound LAN dial-peer matches calls arriving from the CUCM SIP trunk (outbound calls); the inbound WAN dial-peer matches calls arriving from the SP SIP trunk / IP PSTN (inbound calls).
Sample received INVITE:
INVITE sip:654321@10.2.1.1 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-routetag="cid:orange@10.1.1.1";;branch=z9hG4bK-23955-1-0
From: "555" <sip:555@10.1.1.1:5060>;tag=1
To: ABC <sip:654321@10.2.1.1:5060>
Call-ID: 1-23955@10.1.1.1
CSeq: 1 INVITE
Contact: sip:555@10.1.1.1:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
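As an added example (not Cisco code), the following Python models the two inbound checks from these slides together: the toll-fraud trusted list with silent discard from Step 3, and the inbound dial-peer matching priority above. The topology (ITSP SBC 10.1.1.1 in the trusted list, CUCM 10.2.1.5 trusted only because it is a dial-peer session target, CUBE 10.2.1.1), the dial-peer tags and patterns, and the make_invite helper that reproduces the slide's sample INVITE are constructed assumptions. Two simplifications are also assumptions: the called number is taken from the Request-URI user part, and the URI match is done on the Via host only.

```python
"""Inbound INVITE handling on a CUBE-style SBC, as an added illustration
(not Cisco code):
1. toll-fraud protection: a request whose source address is neither in the
   'ip address trusted list' nor the session target of a configured
   dial-peer is silently discarded ('sip silent-discard untrusted'), so a
   scanner gets no response at all;
2. inbound dial-peer selection in the slide's priority order: URI match,
   then called number, then calling number, then the default dial-peer 0.
Assumed simplifications: called number = Request-URI user part, URI match
= Via host, first configured dial-peer at a given priority wins.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class DialPeer:
    tag: int
    session_target: Optional[str] = None         # outbound target, implicitly trusted
    incoming_uri_via_host: Optional[str] = None  # 'incoming uri via <class>' + 'host ipv4:<ip>'
    incoming_called: Optional[str] = None        # 'incoming called-number <pattern>'
    answer_address: Optional[str] = None         # 'answer-address <pattern>' (calling number)


def ios_pattern_to_regex(pattern: str) -> str:
    """Translate the IOS number-pattern subset seen on the slides: '.' is one
    digit, 'T' any remaining digits, a trailing '$' forces a full match;
    digits and ranges such as [2-9] pass through. Without '$' the pattern
    matches as a prefix, as IOS does."""
    out = "^"
    for ch in pattern:
        if ch == ".":
            out += r"\d"
        elif ch == "T":
            out += r"\d*"
        elif ch == "+":
            out += r"\+"
        else:
            out += ch
    return out


def parse_invite(raw: str) -> dict:
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_uri = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    def user(uri: str) -> str:
        return re.search(r"sip:([^@>]+)@", uri).group(1)

    return {
        "via_host": re.match(r"SIP/2\.0/\w+ ([^;: ]+)", headers["via"]).group(1),
        "called": user(request_uri),
        "calling": user(headers["from"]),
    }


def trusted_sources(trusted_list: List[str], dial_peers: List[DialPeer]) -> Set[str]:
    """Explicit trusted list plus every dial-peer session target (trusted by default)."""
    return set(trusted_list) | {dp.session_target for dp in dial_peers if dp.session_target}


def handle_invite(src_ip: str, raw: str, trusted_list: List[str],
                  dial_peers: List[DialPeer]) -> Tuple[str, Optional[int]]:
    if src_ip not in trusted_sources(trusted_list, dial_peers):
        return ("DISCARD", None)       # silent discard: no 403, no response at all
    inv = parse_invite(raw)
    for dp in dial_peers:              # priority 1: URI (Via host) match
        if dp.incoming_uri_via_host and dp.incoming_uri_via_host == inv["via_host"]:
            return ("ACCEPT", dp.tag)
    for dp in dial_peers:              # priority 2: called number
        if dp.incoming_called and re.match(ios_pattern_to_regex(dp.incoming_called), inv["called"]):
            return ("ACCEPT", dp.tag)
    for dp in dial_peers:              # priority 3: calling number
        if dp.answer_address and re.match(ios_pattern_to_regex(dp.answer_address), inv["calling"]):
            return ("ACCEPT", dp.tag)
    return ("ACCEPT", 0)               # priority 4: default dial-peer 0


# Constructed topology: ITSP SBC 10.1.1.1 (explicitly trusted), CUCM 10.2.1.5
# (trusted only as the session target of dial-peer 101), CUBE 10.2.1.1.
TRUSTED_LIST = ["10.1.1.1"]
DIAL_PEERS = [
    DialPeer(200, incoming_uri_via_host="10.1.1.1"),   # inbound WAN, matched on Via host
    DialPeer(100, incoming_called="6T"),               # inbound LAN, matched on called number
    DialPeer(300, answer_address="1408T"),             # matched on calling number (assumed)
    DialPeer(201, session_target="10.1.1.1"),          # outbound WAN
    DialPeer(101, session_target="10.2.1.5"),          # outbound LAN
]


def make_invite(via_host="10.1.1.1", calling="555", called="654321", cube="10.2.1.1") -> str:
    """Constructed INVITE in the shape of the slide's sample (defaults reproduce it)."""
    return (
        f"INVITE sip:{called}@{cube} SIP/2.0\r\n"
        f'Via: SIP/2.0/UDP {via_host}:5060;x-routetag="cid:orange@{via_host}";;branch=z9hG4bK-23955-1-0\r\n'
        f'From: "{calling}" <sip:{calling}@{via_host}:5060>;tag=1\r\n'
        f"To: ABC <sip:{called}@{cube}:5060>\r\n"
        f"Call-ID: 1-23955@{via_host}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    print(handle_invite("203.0.113.9", make_invite(), TRUSTED_LIST, DIAL_PEERS))
    print(handle_invite("10.1.1.1", make_invite(), TRUSTED_LIST, DIAL_PEERS))
```

The same INVITE selects dial-peer 200 when it arrives from the ITSP (URI match wins over the called-number match that 6T would also give) and dial-peer 100 when it arrives from CUCM; from any other address it is dropped before matching starts, which is the behaviour silent-discard untrusted is there to provide.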
Outbound Dial-Peer Matching Criteria Summary
Priority | Match based on
0 | DPG, DPPP, COR/LPCOR, if configured
1 | URI of the incoming INVITE message (host name/IP address, user portion of the URI, or phone number of a tel URI); exact pattern match
2 | Called number
Topology: the outbound WAN dial-peer sends outbound calls to the SP SIP trunk / IP PSTN; the outbound LAN dial-peer sends inbound calls to the CUCM SIP trunk. The same sample INVITE as on the previous slide applies.

Destination Server Group
• Supports multiple destinations (session targets) defined in a group and applied to a single outbound dial-peer
• Once an outbound dial-peer is selected to route an outgoing call, the destinations within the server group are tried in either round-robin or preference [default] order
• This reduces the need to configure multiple dial-peers with the same capabilities but different destinations, e.g. multiple subscribers in a cluster
voice class server-group 1
 hunt-scheme {preference | round-robin}
 ipv4 1.1.1.1 preference 5
 ipv4 2.2.2.2
 ipv4 3.3.3.3 port 5065 preference 3
 ipv6 2010:AB8:0:2::1 port 5065 preference 3
 ipv6 2010:AB8:0:2::2
!
dial-peer voice 100 voip
 description Outbound DP
 destination-pattern 1234
 session protocol sipv2
 codec g711ulaw
 dtmf-relay rtp-nte
 session server-group 1
* DNS targets are not supported in a server group
Applicable Roadmap [Subject to Change]
• July 2020, IOS-XE 17.3.1: server groups will offer huntstop based on configurable SIP response codes (e.g. 404), to prevent hunting to the next entry within the server group as well as to the next dial-peer

Multiple Number Patterns under the Same Incoming/Outgoing Dial-Peer
G.729 sites (Site A 2000, Site B (510) 100-1000, Site C (408) 100-1000): up to 1000 entries in a pattern map
voice class e164-pattern-map 300
 e164 200.
 e164 510100100.
 e164 408100100.
!
dial-peer voice 1 voip
 description Inbound DP via Calling
 incoming calling e164-pattern-map 300
 codec g729r8

G.711 sites (Site A (919) 200-2010, Site B (510) 100-1010, Site C (408) 100-1010): up to 5000 entries in a text file
voice class e164-pattern-map 400
 url flash:e164-pattern-map.cfg
!
dial-peer voice 2 voip
 description Outbound DP via Called
 destination e164-pattern-map 400
 codec g711ulaw
Example contents of the E.164 pattern text file stored in flash:e164-pattern-map.cfg:
9192002010
5101001010
4081001010
<blank line>

Destination Dial-Peer Group
dial-peer voice 1001 voip
 destination-pattern BAD
 session protocol sipv2
 session target ipv4:10.1.1.1
!
dial-peer voice 1002 voip
 destination-pattern BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.2
!
dial-peer voice 1003 voip
 destination-pattern BAD.BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.3
!
voice class dpg 10000
 description Voice Class DPG for SJ
 dial-peer 1001 preference 1
 dial-peer 1002 preference 2
 dial-peer 1003
!
dial-peer voice 100 voip
 description Inbound DP
 incoming called-number 1341
 destination dpg 10000
Received: INVITE sip:1341@CUBE-IP-ADDRESS:5060
Sent: INVITE sip:1341@10.1.1.3:5060
1. The incoming dial-peer is matched first (dial-peer 100, incoming called-number 1341)
2. The DPG associated with the inbound dial-peer then selects the outbound dial-peer; the destination-pattern of the DPG members is not consulted, which is why the placeholder patterns BAD, BAD.BAD and BAD.BAD.BAD are harmless here
Note that dial-peer 1003 has no preference configured, so it takes the default preference of 0 and is tried before 1001 (preference 1) and 1002 (preference 2); that is why the INVITE is sent to 10.1.1.3.

Multi-Tenancy: Multiple Tenants on CUBE
• Every registrar, user agent or ITSP connected to CUBE can be considered a tenant of CUBE
• Allows specific global configuration (CLI under sip-ua) per tenant, such as a specific SIP bind for REGISTER messages
• Allows differentiated services for different tenants

"Voice class tenant" Overview
• Most of the configuration under "sip-ua" and "voice service voip" is also available under "voice class tenant <tag>", e.g. registrar and credentials CLI under a tenant with its own bind and outbound proxy
Prior to multi-tenancy (one global outbound proxy and bind; E.164 aaaa on registrar 1, bbbb on registrar 2):
sip-ua
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 registrar 2 ipv4:70.70.70.70:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
voice service voip
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/1
With voice class tenant (multi-tenancy), each tenant has its own outbound proxy and bind (E.164 aaaa via tenant 1 with outbound proxy 1 and bind 1; bbbb via tenant 2 with outbound proxy 2 and bind 2):
voice class tenant 1
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/0
voice class tenant 2
 registrar 1 ipv4:70.70.70.70:9052 expires 3600
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
 outbound-proxy ipv4:10.64.86.40:9040
 bind control source-interface GigabitEthernet0/1
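The dial-peer group, destination server group and response-code huntstop from the preceding call-routing slides, modelled in Python as an added example (not Cisco code). It reuses the slide's dial-peer group 10000 and server group 1, with dial-peer 1001 pointed at server group 1 instead of its single target so that both mechanisms appear in one hunt; the 404 huntstop code, the injected far-end response table and the IPv4-only targets are assumptions. It also shows the point made above: dial-peer 1003, with no preference configured, is tried first.

```python
"""Outbound call routing on CUBE, as an added illustration (not Cisco code):
- a destination dial-peer group (DPG) whose members are tried in preference
  order, lower value first; a member with no preference gets the IOS default
  of 0 and is therefore tried first;
- a destination server group whose targets are hunted in 'preference' or
  'round-robin' order;
- the 17.3.1 roadmap item: hunting stops as soon as the far end answers with
  a configured huntstop response code (e.g. 404), instead of trying the
  next server and then the next dial-peer.
The SIP send is injected as a function so the example runs offline
against a constructed response table.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Callable, Dict, Iterator, List, Tuple


@dataclass
class Target:
    host: str
    port: int = 5060
    preference: int = 0                      # IOS default; lower is tried first


@dataclass
class ServerGroup:
    tag: int
    targets: List[Target]
    hunt_scheme: str = "preference"          # or "round-robin"
    huntstop_codes: Tuple[int, ...] = ()     # SIP responses that stop all hunting
    rr: Iterator[int] = field(default_factory=count, repr=False)

    def ordered(self) -> List[Target]:
        if self.hunt_scheme == "round-robin":
            start = next(self.rr) % len(self.targets)
            return self.targets[start:] + self.targets[:start]
        return sorted(self.targets, key=lambda t: t.preference)


@dataclass
class DialPeer:
    tag: int
    server_group: ServerGroup                # a plain 'session target' is a one-entry group


@dataclass
class DialPeerGroup:
    tag: int
    members: List[Tuple[DialPeer, int]]      # (dial-peer, preference)


Attempt = Tuple[int, str, int]               # (dial-peer tag, host:port, SIP code)


def route_call(dpg: DialPeerGroup, send: Callable[[int, str, int], int]):
    """Hunt through the DPG; return ((dial-peer tag, target) or None, attempts made)."""
    attempts: List[Attempt] = []
    for dp, _pref in sorted(dpg.members, key=lambda m: m[1]):
        sg = dp.server_group
        for t in sg.ordered():
            code = send(dp.tag, t.host, t.port)
            attempts.append((dp.tag, f"{t.host}:{t.port}", code))
            if 200 <= code < 300:
                return (dp.tag, f"{t.host}:{t.port}"), attempts
            if code in sg.huntstop_codes:
                return None, attempts        # huntstop: no further targets or dial-peers
    return None, attempts


def responder(table: Dict[Tuple[str, int], int], default: int = 503):
    """Constructed far end: answers with the code in 'table', else 'default'."""
    def send(_dp_tag: int, host: str, port: int) -> int:
        return table.get((host, port), default)
    return send


# The slide's server group 1 and dial-peer group 10000; 404 as the (assumed)
# configured huntstop code; dial-peer 1001 given server group 1 for illustration.
SG1 = ServerGroup(1, [Target("1.1.1.1", preference=5), Target("2.2.2.2"),
                      Target("3.3.3.3", 5065, preference=3)], huntstop_codes=(404,))
DP1001 = DialPeer(1001, SG1)
DP1002 = DialPeer(1002, ServerGroup(1002, [Target("10.1.1.2")]))
DP1003 = DialPeer(1003, ServerGroup(1003, [Target("10.1.1.3")]))
DPG10000 = DialPeerGroup(10000, [(DP1001, 1), (DP1002, 2), (DP1003, 0)])  # 1003: default preference

if __name__ == "__main__":
    print(route_call(DPG10000, responder({("10.1.1.3", 5060): 200})))
    print(route_call(DPG10000, responder({("2.2.2.2", 5060): 404})))
```

With everything healthy the call goes to 10.1.1.3 on the first attempt; when that target returns 503 the hunt continues into server group 1 in preference order (2.2.2.2, then 3.3.3.3:5065, then 1.1.1.1); a 404 from any server-group target ends the hunt immediately, so an unknown number is not retried against every subscriber and every dial-peer.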
Configuring Voice Class Tenant
• Configure the voice class tenant (add a new tenant):
voice class tenant 1
 registrar 1 ipv4:10.64.86.35:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials number bbbb username bbbb password 7 110B1B0715 realm bbbb.com
 bind control source-interface GigabitEthernet0/0
 bind media source-interface GigabitEthernet0/0
 copy-list 1
 outbound-proxy ipv4:10.64.86.35:9055
 early-offer forced
• Apply the tenant to the desired dial-peer:
dial-peer voice 1 voip
 destination-pattern 111
 session protocol sipv2
 session target ipv4:10.64.86.35:9051
 session transport udp
 voice-class sip tenant 1
Caveat: the "password 7" strings above are IOS type 7 obfuscation, which is trivially reversible; treat a configuration that carries SIP digest credentials as sensitive when it is shared, backed up or pasted into a case.

Section: Call Recording & Intro to CUBE Media Proxy

External/PSTN Call Recording Options
• CUBE controlled (dial-peer based SIPREC)
  • SIPREC based; CUBE sends metadata in XML format
  • Dial-peer controlled, IP-PBX independent
  • The source of the recorded media (RTP only) is always CUBE (external calls only)
  • Records both audio and video calls; supported with CUBE HA
• CUCM NBR (Network Based Recording)
  • CUCM controlled and triggered; requires the UC Services API to be enabled on CUBE
  • Audio calls only
  • The source of the recorded media can be CUBE (gateway preferred) or phone based (Built-in Bridge, BiB)
CUBE Media Proxy

Existing Recording Architectures
• Current recording architectures allow only one fork from each leg (in-leg/out-leg) to only one recorder
• No support for forking a secure RTP stream
• MiFID II compliance requirements:
  • Support for more than one recorder
  • High Availability (Redundancy)
  • Secure forking
  • Call scenario support:
    • External calls (inbound/outbound from/to ITSP, PSTN calls)
    • Internal calls (on-prem calls)
    • Contact center
  • Common metadata

CUBE Media Proxy: Overview
• Media Proxy is based on the CUBE architecture
• Supports the same ISR 4Ks, ASR1Ks and CSR1K on which CUBE is supported today
• Call recording mechanism (triggers) is CUCM NBR based (GW based and Phone BiB)
• Media Proxy is designed to fork media to multiple recorders, i.e. multiple forked legs, and supports up to 5 recorders
• CUBE Media Proxy High Availability is also supported
• CUSP (optional) supports Media Proxy with recorder redundancy and load balancing
• Secured forking (SRTP – SRTP) for Phone Based (BiB) recording

CUCM NBR GW forking to Media Proxy
[Figure: CUCM 12.5+, CUBE, Media Proxy, Recorder1, Recorder2, Speech Analytics; SIP and RTP legs numbered 0-6]
0. CUCM registers to CUBE as an external XMF application (using the UC GW services API – CUCM NBR)
1,2. Initial call setups via CUBE-Ent
3. CUCM sets up a SIP (recording) session with CUBE Media Proxy (offer/answer) with a dummy port
4. The MP destination IP/port obtained in step 3 is relayed by CUCM to CUBE via the XMF API interface (HTTP)
5. CUBE-Ent starts to fork media streams to the MP (target IP/port received in step 4). MP accepts the RTP because of media latching on the inbound leg from CUCM
6. MP sets up SIP recording sessions with the 3 recorders for multi-fork.
The ingress media stream from CUBE-Ent is then multi-forked by MP towards the 3 recorders simultaneously, using the destination IP/ports negotiated in the SIP offer/answer between MP and the recorders.

CUBE Media Proxy: Design requirements
• Video call recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported
• CUBE Media Proxy and CUBE cannot be co-located
• Mid-call signaling updates from recorders are not supported
• Early offer from CUCM to Media Proxy is required
• No support for SRTP fallback
• Media Proxy sends metadata to the recorders (FROM header)

SIPREC Based Media Proxy
[Figure: CUBE, Media Proxy, Recorder1, Recorder2, Speech Analytics; SIP, RTP and XML metadata legs numbered 1-4]
1,2. Initial call setups via CUBE-Ent
3. CUBE-Ent starts to fork the media stream towards Media Proxy (INVITE with 2 audio m-lines + XML metadata)
4. Media Proxy accepts the incoming SIPREC request from CUBE-Ent and initiates an INVITE (2 audio m-lines + XML metadata) towards the primary recorder (Recorder 1 above). Once a successful session with the primary recorder has been established, Media Proxy sends an INVITE towards the rest of the recorders.
SIPREC Based Media Proxy: Design considerations
• Video call recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported (RTP to SRTP)
• Secure-to-secure forking (SRTP to SRTP) is not supported
• CUBE Media Proxy and CUBE cannot be co-located
• Mid-call updates from the recorders, such as pause or resume recording, are not supported (RE-INVITE with SDP changes)
• No support for SRTP fallback
• SIP INFO that indicates the recorder session status is not supported under a SIPREC-based deployment
• INVITE with Replaces header, sent by recorders when they switch from the active to the standby Media Proxy, is not supported

CUBE Media Proxy Capacities and Licensing

Media Proxy: Capacity for Various Platforms (IOS-XE 16.12+)
Platform (CUBE Media Proxy capacity) | Max IPT Calls | Number of Recorders (One / Two / Three / Four / Five)
1100 (Default DRAM) / 4321 (4 GB) | 500 | 350
4331 (4 GB) | 1000 | 700
4351 (4 GB) | 2000 | 900
4431 (8 GB - CP) | 3000 | 1000
4451 (8 GB - CP) | 6000 | 3000
4461 (8 GB - CP) [IOS 17.2.1] | 10000 | 4000
CSR1Kv - 1 vCPU (4 GB) | 1000 | 90
CSR1Kv - 2 vCPU (4 GB) | 3000 | 1100
CSR1Kv - 4 vCPU (8 GB) | 6000 | TBD
1002-X (16 GB) | 14000 | 4500
1004/6/6-X RP2/ESP40 (16 GB) | 16000 | 4500

Customer Deployment Scenario 7
[Figure: Location 1, one active Media Proxy, 50 calls, 150 recordings]
Media Proxy:
• A Media Proxy platform used to fork calls to 3 recording servers
• Total concurrent call load is 50 calls
License Requirement:
• 150 x CUBE-MP-RED
• Only redundant licenses are available for Media Proxy
• Note: Media Proxy license use is not currently reported to CSSM
Customer Deployment Scenario 8
[Figure: Location 1, Media Proxy HA pair 1 (active + stateful standby), 150 calls, 450 recordings]
Media Proxy:
• Active and Standby CUBE Media Proxies in an HA Redundancy Group (RG)
• Both Media Proxies must be in the same layer 2 network
• Total call load for the HA pair is 150 calls, each forked 3 times
• If the active Media Proxy fails, stateful failover of all calls to the standby
License Requirement:
• 450 x CUBE-MP-RED
• Both Media Proxy platforms register to the same Virtual Account holding a common pool of licenses
• Note: Media Proxy license use is not currently reported to CSSM

Customer Deployment Scenario 9
[Figure: Location 1, CUBE and one active Media Proxy, 50 calls, 150 recordings]
Media Proxy:
• A Media Proxy platform used to fork calls to 3 recording servers
• Total concurrent call load is 50 calls from CUBE, triggered using CUCM NBR
License Requirement:
• 150 x CUBE-MP-RED for Media Proxy
• 50 x CUBE-T-STD for PSTN calls through CUBE
• Only redundant licenses are available for Media Proxy
• Note: Media Proxy license use is not currently reported to CSSM
Securing Collab deployments with CUBE

Secure SIP Trunks with CUBE
[Figure: LAN side Gig0/0/0 carrying SIP over TLS and SRTP; WAN side Gig0/0/1 carrying SIP over TCP/UDP and RTP to the SP IP network]
• Interworking between all three transport types is supported: UDP/TCP/TLS
• IOS-XE based platforms do not require DSPs for SRTP-RTP interworking
• TLS exclusivity can be configured with “transport tcp tls v1.2”
• NGE crypto supported for SRTP-SRTP (IOS-XE 16.5.2) [Crypto A – Crypto B], SRTP-RTP, SRTP pass-thru

IOS-XE 16.11.1 or later Security Readiness changes
• For IOS-XE 16.11.1 or later, a master key must be pre-configured for passwords before they can be used in authentication, credentials and/or shared-secret CLIs
• It is mandatory to specify the encryption type for the password
• Type 6 passwords are encrypted using the AES cipher and a user-defined master key
• The master key is never displayed in the configuration
• If the master key configuration is removed, Type 6 passwords can never be decrypted, which may result in authentication failure

IOS-XE 16.11.1+ Security Configuration Requirement
  LocalGateway#conf t
  LocalGateway(config)#key config-key password-encrypt Password123
  LocalGateway(config)#password encryption aes
• If the master key is not pre-configured, an error is shown when the password is configured:
  LocalGateway(config-sip-ua)#authentication username ali password 0 hussain123
  Failed type 6 encryption on password
• If password type 0 is used, it is stored as a type 6 AES-encrypted password in the configuration:
  LocalGateway#show run | include credentials
  credentials number Hussain6346_LGU username Hussain2572_LGU password 6 FbG\XYVJV\cPeMhMRFSFNINTIMZecQPD_Bbg realm BroadWorks
IOS-XE 16.11.1 Security Configuration Requirement
• Dial-peer, SIP-UA, tenant and STUN authentication credentials/shared secrets use the new secure reversible encryption Type 6 AES password format:
  LocalGateway(config-sip-ua)#authentication username ali password ?
    0  Specifies an UNENCRYPTED password will follow
    6  Specifies an ENCRYPTED password will follow
    7  Specifies a HIDDEN password will follow
• Type 6 only accepts password formats such as ”YXMOEfOePAJhNCKXbU^CYYAR^aJJ`Sa_S”. Hence the recommendation is to use password type 0, which will be saved as type 6 in the configuration
• Encryption type 7 is supported in IOS XE Release 16.11.1a, but will be deprecated in later releases
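As an added example (not Cisco tooling and not part of the session), a small Python audit that applies the points above to a saved running config: it walks the credentials, authentication and shared-secret lines, flags cleartext type 0 and reversible type 7 secrets, and checks that type 6 secrets are backed by “password encryption aes”. The sample config, account names and hash strings are constructed for illustration.

```python
"""Added example (not Cisco tooling): audit a CUBE / IOS-XE running config
for the credential password types discussed above (types 0, 6 and 7)."""
import re

# Constructed sample of 'show run' output; names and hash strings are made up.
SAMPLE_RUNNING_CONFIG = """\
password encryption aes
voice class tenant 1
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
sip-ua
 authentication username ali password 0 hussain123
 credentials number Hussain6346_LGU username Hussain2572_LGU password 6 FbG\\XYVJV\\cPeMhMRFSFNINTIMZecQPD_Bbg realm BroadWorks
"""

# Only these CLIs carry SIP/STUN secrets; the digit after 'password' or
# 'shared-secret' is the IOS encryption type.
SECRET_CLIS = ("credentials", "authentication", "shared-secret")
SECRET_TYPE = re.compile(r"\b(?:password|shared-secret)\s+(?P<type>\d)\s+\S+")
RANK = {"ok": 0, "warn": 1, "fail": 2}
REASONS = {
    "0": ("fail", "cleartext type 0; re-enter it with a master key configured "
                  "so IOS-XE 16.11.1+ stores it as type 6"),
    "7": ("warn", "type 7 is reversible and deprecated after 16.11.1a; "
                  "re-enter as type 0 under a master key"),
    "6": ("ok", "type 6 AES secret, 'password encryption aes' present"),
}


def audit_config(config_text):
    """One finding per secret-carrying line, in config order. Secret values
    are deliberately not copied into the findings."""
    lines = config_text.splitlines()
    aes_on = any(l.strip() == "password encryption aes" for l in lines)
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_TYPE.search(line)
        if not m or not any(cli in line for cli in SECRET_CLIS):
            continue
        ptype = m.group("type")
        sev, why = REASONS.get(ptype, ("warn", f"unexpected type {ptype}"))
        if ptype == "6" and not aes_on:
            # Type 6 needs the master key; without it the secret is unusable.
            sev, why = "warn", "type 6 without 'password encryption aes'; verify the master key exists"
        findings.append({"line": lineno, "type": ptype, "severity": sev, "reason": why})
    return findings


def worst_severity(findings):
    """Collapse findings into one verdict: 'ok', 'warn' or 'fail'."""
    return max((f["severity"] for f in findings), key=RANK.get, default="ok")
```

Run it against the output of “show run” from a gateway; a “fail” verdict means a secret is still stored in cleartext and should be re-entered once the master key is in place.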
CUBE Resources
▪ CUBE is now a Microsoft certified SBC for Direct Routing, along with E911 solution partners: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-border-controllers
▪ Configuration application note available at https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/directrouting-with-cube.pdf
▪ CUBE Box
  o https://cisco.box.com/CUBE-Enterprise (requires requesting access via askcube@external.cisco.com; include your box.com account’s email ID)
▪ Webex Calling LGW Box – https://cisco.box.com/WebexCalling
▪ CUBE Performance and Sizing
▪ Webex Calling Deployment Guide – https://help.webex.com
▪ dCloud Labs
  o Enabling Webex Calling
  o SIP Trunking with CUBE
  o Microsoft Teams Direct Routing with CUBE (future)

CUBE Roadmap [Subject to Change]
• Starting with IOS-XE 17.3.1, 100 VRFs are supported on CUBE vs 54 in prior releases
• DNS Aware Trust list [CY2021]
• Microsoft Teams Direct Routing with Media Bypass enabled [2H CY2020]
• Microsoft Teams Direct Routing to UCM [2H CY2020]
• Programmability (CUBE YANG modelling) [CY2021]
• vCUBE support in AWS/Azure [1H CY2021]
• Webex Contact Center integration [2H CY2020]
• Integration with cloud speech services (Voicea, Google Answers, etc.) [CY2021]
• Cloud Connected UC integration [CY2021]
• H.323 deprecation for CUBE [CY2021]

Thank you