© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
SIP Trunking for IP PSTN Access
Peter [email protected]
What is a SIP Trunk? A sampling of Views/Definitions

• Single IP-based interconnect for voice and data using SIP
• SIP trunking is the IP equivalent of the digital/analog TDM connection that traditionally connected a PBX to the PSTN
• The logical session or channel established between a carrier and customer (porting a PSTN phone number to an IP address)
• A SIP Trunk service can be either:
  – Managed: SP provides CPE equipment to monitor and guarantee SLAs in addition to basic voice services
  – "un"Managed: Similar to an analog phone line; provides basic voice services
• Any SIP-based "connection" between two applications:
  – Intra-enterprise: Between applications (e.g. MPlace to CUCM), or between different zones or departments within a company
  – Enterprise to SP: PSTN Access
  – B2B Inter-Enterprise: Between companies (e.g. Disney and Apple)
Unified Communications Content Mapping: SIP Trunk for PSTN Access

Diagram: four customer types connect to the VoIP SP through a CUBE: SMB, Enterprise with an IP-PBX, Enterprise with a distributed SIP trunk (a CUBE at each site) and Enterprise with a centralized SIP trunk (one CUBE for all sites).
SIP Trunk Industry Update
Industry Trends in "SIP Trunk for PSTN"

• Significant uptick in enterprise customer interest in SIP trunking
  – Numerous trial deployments
  – Increasing production deployments, mostly on low session counts
• Video/SIP trunking for TelePresence offerings becoming available (ATT, TATA)
• Increased interest in SIP trunk security features
  – FW, SRTP/TLS encryption, DoS attack mitigation
• Increased interest in SIP normalization/manipulation, as industry-wide vendor/application interop continues to be problematic
  – SIP maturity is still some years off
  – Increasing interest in 3rd-party PBX interop with the Cisco SIP trunking solution; while we should position CUCM whenever possible, the PBX Interop lab does test CUBE with various IP-PBXs to provide interop info when required
• Increased incidences of toll fraud on SIP
SIP Trunking: Growth and Impeding Factors

Growth factors:
• Can be cheaper
• Physical access more versatile
• Capacity changes more dynamic
• Equipment consolidation
• Operational consolidation
• Improved redundancy
• New rich-media services
• Vendor/SP advocates
• Industry hype/pressure

Impeding factors:
• Immature PSTN-equivalent services
  – 911 / 112
  – Fax/Modem
  – MLPP
  – MCID
  – Fault monitoring/isolation
• Number portability
• Poorly understood legal and geographical implications
• Inconsistent service delivery
  – Call-ID, recording
• Unregulated service
  – Requires in-depth evaluation
  – Costs vary significantly based on geography and SP
Current SP SIP Trunk Services Compared to TDM Services

Consideration | SIP Trunk | TDM Trunk
Basic call completion | Well defined | Well defined
Suppl. services (Xfer, FWD, Hold, Conf) | Requires validation testing | Well defined
Fault monitoring and isolation options | PING monitoring | Yellow/Red alarms
Emergency call (911) handling | Special handling per SP | Well defined
Malicious Call-ID (MCID) and Multi-Level Priority and Preemption (MLPP) | Not defined | Well defined
Caller-ID delivery | Inconsistent | Consistent
Voice band data (modems/Baudot TDD) | Ill-defined or unsupported | Well defined
Fax technology | Industry interop issues | Well defined
Deterministic traffic engineering (How are bursts handled? Who sends back equipment busy, enterprise or SP? Who provides announcements?) | SP dependent | Well defined
Porting numbers | Within single SP control | Well defined
Geographic and legal dependencies of call routing | Independent of geography but not of legislation | Geographically dependent
Future rich media services | Great potential | No
Cost to enterprise for service | Inconsistent | Well defined
Flexibility of call routing; site aggregation | Very flexible | SP dependent
Security considerations | IP considerations; toll fraud | Toll fraud
Future SIP Trunk Services

• Technology possibilities for new features
  – Wideband codecs
  – Video and TelePresence
  – Presence
  – SRTP/TLS
  – Calls with subject lines
  – Fixed Mobile Convergence (different endpoints)
• Customer requests for additional voice services
  – Security (SRTP/TLS)
  – Fax
• Industry currently working to get voice established
  – Most SPs have not discussed or unveiled plans for services beyond voice
SIP Trunk Deployment Scenarios and Recommendations
Agenda

• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
• SIP Trunk Deployment Topologies
• Recommended SBC Solutions and Best Practices
Reference SIP Trunking Architecture

Diagram: the SP network (left) and the customer premises (right) meet at the SIP trunk. SP side: NMS & OSS, SIP proxy/softswitch, media gateway to the PSTN, and an SBC facing the customer. Customer side: a CUBE (or an SP-managed CUBE) behind a FW/NAT ALG, in front of CUCM, CUCME, SBCS, an IP PBX or a TDM PBX, plus services (presence, VM, etc.). Signaling and bearer paths are drawn separately; both pass through the border elements.
Agenda

• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
  – Levels of Managed Services
  – Dedicated / Integrated Voice + Data
  – Centralized / Distributed Trunking
• SIP Trunk Deployment Topologies
• Recommended SBC Solutions and Best Practices
SIP Trunk SP Service Models: SIP Trunk Service with L3 Router Demarc

Managed access service providing an IP trunk between the SP network and a customer's IP-enabled call agent.

Diagram: the VoIP SP's SBC connects over the SIP trunk to an SP-owned router on the customer premises (the L3 demarc); the enterprise-owned CUBE sits behind it, in front of CUCM, CUCME, SBCS or an IP PBX.
SIP Trunk SP Service Models: SIP Trunk Service with L7 SBC Demarc

Managed access service providing an IP trunk between the SP network and a customer's IP-enabled call agent.

Diagram: the VoIP SP's SBC connects over the SIP trunk to an SP-owned CUBE on the customer premises (the L7 demarc); the enterprise-owned CUBE and CUCM or IP PBX sit behind it.
SIP Trunk SP Service Models: SIP Trunk Managed IP-PBX Service

Service in which a customer's premise-based IP-PBX, UC apps and dial plan are operated and maintained by the SP.

Diagram: the VoIP SP's SBC connects over the SIP trunk to an SP-owned managed CME/IP-PBX or managed CUCM on the customer premises; only the phones are enterprise owned.
Security Exposure on Enterprise SIP Trunk Connection Models: Where Should I Firewall?

Diagram: four connection models, in order of increasing security exposure:
1. SIP + VPN SP: SIP trunk and WAN data both carried by the VPN SP through the CUBE (recommended deployment model)
2. SIP SP: dedicated SIP trunk from the SIP SP through the CUBE, WAN data from a separate WAN SP (recommended deployment model)
3. SIP SP + Internet: SIP trunk from the SIP SP through the CUBE, data over the Internet
4. Internet: voice and data both over the Internet through the CUBE (highest exposure)
Cisco Unified Border Element
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public BRKVVT-2305_c1 18
Cisco Unified Border Element Architecture

• Actively involved in the call treatment, signaling and media streams (SIP B2B User Agent)
• Signaling is terminated, interpreted and re-originated
  – Provides full inspection of signaling, and protection against malformed and malicious packets
• Media is handled in two different modes
  – Media Flow-Through
  – Media Flow-Around
• Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)

Media Flow-Around
• Signaling terminated by the Cisco Unified Border Element
• Media bypasses the Cisco Unified Border Element

Media Flow-Through
• Signaling and media terminated by the Cisco Unified Border Element
• Transcoding and complete IP address hiding require this model
Cisco Unified Border Element Basic Call Flow

1. Incoming VoIP setup message from originating endpoint
2. This matches inbound VoIP dial-peer 1 for characteristics such as codec, VAD, DTMF method, protocol, etc.
3. Match the called number to outbound VoIP dial-peer 2
4. Outgoing VoIP setup message

Incoming VoIP call (originating endpoint to CUBE):

    dial-peer voice 1 voip
     destination-pattern 1000
     incoming called-number .T
     session target ipv4:192.168.10.50
     codec g711ulaw

Outgoing VoIP call (CUBE to terminating endpoint):

    dial-peer voice 2 voip
     destination-pattern 2000
     session protocol sipv2
     session target ipv4:192.168.12.25
     codec g711ulaw

Protocol combinations the CUBE is allowed to interwork:

    voice service voip
     allow-connections h323 to h323
     allow-connections h323 to sip
     allow-connections sip to h323
     allow-connections sip to sip
H.323 and SIP Layer 5/7 Demarcation: Back-to-Back User Agent

Incoming call leg:

    dial-peer voice 1 voip
     description Incoming
     incoming called-number .T
     session protocol sipv2

Outgoing call leg:

    dial-peer voice 4 voip
     description Outgoing
     destination-pattern 99.T
     session target ipv4:x.x.x.x
     session protocol sipv2

Between the two legs the CUBE keeps a protocol-independent memory structure holding call state and attributes (CLID, called number, codec…). The incoming H.323/SIP protocol stack extracts the call-related parameters from the protocol message, discards the message and updates the call memory; the outgoing H.323/SIP protocol stack builds a new protocol message and inserts the call-related parameters from the call memory. This is the demarcation point.
Cisco Unified Border Element: More Than an SBC. An Integrated Network Infrastructure Service

Cisco Unified Border Element (the features an SBC appliance would have):
• Address hiding
• H.323 and SIP interworking
• DTMF interworking
• SIP security
• Transcoding

Also integrated on the same platform:
• Unified CM conferencing and transcoding
• VXML
• SRST
• RSVP agent
• Gatekeeper (GK)
• TDM gateway: voice and video TDM interconnect; PSTN backup
• Routing, FW, IPS, QoS
• WAN interfaces

Note: An SBC appliance would have only the Cisco Unified Border Element features listed first.
Note: Some features/components may require additional licensing.
Why Do I Need a Session Border Controller? Key Challenges When Interconnecting UC Networks ("mine" and "yours")

Interworking:
• H.323 and SIP
• SIP normalization
• DTMF interworking
• Transcoding
• Codec filtering
• Fax/modem support

Security:
• Encryption
• Authentication
• Registration
• SIP protection
• FW placement
• Toll fraud

Session management:
• Real-time session management
• Call admission control
• Ensuring QoS
• PSTN GW fallback
• Statistics and billing
• Redundancy/scalability

Demarcation:
• Fault isolation
• Topology hiding
• Network borders
• L5/L7 protocol demarc
• Statistics and billing
Session Management: Call Admission Control

• CUBE provides various different CAC mechanisms: total calls, CPU, memory, GK IP call capacity, max-connections, RSVP

Diagram: with max-conn 2 on the dial-peer, call #1 and call #2 are admitted and call #3 is rejected by CUBE; the global thresholds for total calls, CPU and memory use a high water mark and a low water mark.

max-connections (per dial-peer):

    dial-peer voice 1 voip
     max-conn 2

GK IP call capacity:

    gatekeeper
     endpoint circuit-id h323id IPIPGW1 AA max-calls 500

    voice service voip
     allow-connections h323 to h323
     h323
      ip circuit max-calls 1500
      ip circuit carrier-id AA reserved-calls 1000

Total calls, CPU, memory (global thresholds):

    call threshold global [calls/mem/cpu] low xx high yy
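The max-conn and high/low water mark behaviour on this slide, modelled in Python as an added example (not Cisco code); the threshold values and dial-peer tags are constructed for the demonstration.

```python
from typing import Dict, List, Optional


class DialPeer:
    """One VoIP dial-peer; max_conn mirrors the IOS 'max-conn' setting (None = unlimited)."""

    def __init__(self, tag: int, max_conn: Optional[int] = None) -> None:
        self.tag = tag
        self.max_conn = max_conn
        self.active = 0


class GlobalThreshold:
    """High/low water mark for a global resource (total calls here, constructed
    values). Once load reaches the high mark new calls are refused, and they stay
    refused until load has fallen back to the low mark (hysteresis), so the box
    does not flap between accepting and rejecting around a single limit."""

    def __init__(self, low: int, high: int) -> None:
        if low >= high:
            raise ValueError("low water mark must be below the high water mark")
        self.low, self.high = low, high
        self.busyout = False

    def permits(self, current_load: int) -> bool:
        if current_load >= self.high:
            self.busyout = True
        elif current_load <= self.low:
            self.busyout = False
        return not self.busyout


class Cube:
    """Minimal CAC decision point: global threshold first, then per-dial-peer max-conn."""

    def __init__(self, threshold: Optional[GlobalThreshold] = None) -> None:
        self.peers: Dict[int, DialPeer] = {}
        self.threshold = threshold
        self.total_calls = 0
        self.log: List[str] = []

    def add_peer(self, peer: DialPeer) -> None:
        self.peers[peer.tag] = peer

    def setup(self, tag: int) -> bool:
        """Admit or reject a new call on dial-peer `tag`; True means admitted."""
        peer = self.peers[tag]
        if self.threshold is not None and not self.threshold.permits(self.total_calls):
            self.log.append(f"dial-peer {tag}: rejected, global threshold (total={self.total_calls})")
            return False
        if peer.max_conn is not None and peer.active >= peer.max_conn:
            self.log.append(f"dial-peer {tag}: rejected, max-conn {peer.max_conn} reached")
            return False
        peer.active += 1
        self.total_calls += 1
        self.log.append(f"dial-peer {tag}: admitted (active={peer.active}, total={self.total_calls})")
        return True

    def release(self, tag: int) -> None:
        """Call cleared: free the dial-peer slot and the global count."""
        self.peers[tag].active -= 1
        self.total_calls -= 1


def demo_max_conn() -> List[bool]:
    """The slide's scenario: 'dial-peer voice 1 voip / max-conn 2' and three call attempts."""
    cube = Cube()
    cube.add_peer(DialPeer(tag=1, max_conn=2))
    return [cube.setup(1) for _ in range(3)]      # call #3 rejected by CUBE


def demo_threshold() -> List[bool]:
    """A global 'calls low 2 high 4' threshold (constructed values): four calls
    admitted, the fifth refused; after one release the load is 3, still above the
    low mark, so the next attempt is refused too; after a second release (load 2)
    calls are admitted again."""
    cube = Cube(GlobalThreshold(low=2, high=4))
    cube.add_peer(DialPeer(tag=1))
    results = [cube.setup(1) for _ in range(5)]   # admitted x4, then refused
    cube.release(1)                               # load 3: still busied out
    results.append(cube.setup(1))                 # refused (hysteresis)
    cube.release(1)                               # load 2: back at the low mark
    results.append(cube.setup(1))                 # admitted again
    return results


if __name__ == "__main__":
    print(demo_max_conn())
    print(demo_threshold())
```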
Session Management: Quality of Service (QoS)

• Requirement: ensure traffic adheres to QoS policies within each network
• The Cisco Unified Border Element can remark ToS/DSCP QoS parameters on signaling and media packets between networks

Diagram: on the input interface packets are classified, policed and marked; on the output interface they are marked, policed, shaped and queued.

    dial-peer voice 100 voip
     ip qos dscp ef media
     ip qos dscp af31 signaling
Interworking: SIP "Normalization" at the Network Border

• "Normalize" SIP traffic coming into the SP or Enterprise network at the border
• Use SIP profiles to translate messages

Diagram: a CUBE sits at each border: enterprise to VoIP SP 1, Smart Business Communications System and IP-PBX (small-medium business) to the SP, residential to the SP, and SBC to SBC between VoIP SP 1 and VoIP SP 2 (SP-SP).
Interworking: SIP Profiles "Normalization"

• SIP profiles are a mechanism to normalize or customize SIP at the network border to provide interop between incompatible devices

Example 1: Add user=phone for INVITEs

Incoming: INVITE sip:[email protected]:5060; SIP/2.0
Outgoing: INVITE sip:[email protected]:5060;user=phone SIP/2.0

    voice class sip-profiles 100
     request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
     request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Example 2: Modify a "sip:" URI to a "tel:" URI in INVITEs

Incoming: INVITE sip:[email protected]:5060
Outgoing: INVITE tel:2222000020

    voice class sip-profiles 100
     request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
     request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
     request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"

More information at www.cisco.com/go/cube > Configure > Configuration Examples and TechNotes

SIP incompatibilities arise due to:
• A device rejecting an unknown header (value or parameter) instead of ignoring it
• A device sending incorrect data in SIP
• A device not implementing protocol procedures (or implementing them incorrectly)
• A device expecting an optional header value/parameter, or one that can be implemented in multiple ways
• A device sending a value/parameter that must be changed or suppressed ("normalized") before it leaves/enters the enterprise to comply with policies
• Variations in the SIP standards on how to achieve certain functions
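The two SIP profiles above applied to a constructed INVITE, as an added example in Python (not Cisco code). Each 'request ... sip-header ... modify' line is read as a four-field rule and applied with Python regular expressions; treating an INVITE whose To header carries a tag as a re-INVITE is an assumption of the example, as are the addresses and numbers in the sample message.

```python
import re
from typing import List, Tuple

# A rule is (method, header, match-regex, replacement): the four fields of a
# 'request <METHOD> sip-header <HEADER> modify "<match>" "<replace>"' line.
Rule = Tuple[str, str, str, str]

# Slide example 1: add user=phone to the Request-URI of INVITE and re-INVITE.
PROFILE_USER_PHONE: List[Rule] = [
    ("INVITE", "SIP-Req-URI", r"; SIP/2.0", r";user=phone SIP/2.0"),
    ("REINVITE", "SIP-Req-URI", r"; SIP/2.0", r";user=phone SIP/2.0"),
]

# Slide example 2: turn sip: URIs into tel: URIs in the Request-URI, From and To.
PROFILE_TEL: List[Rule] = [
    ("INVITE", "SIP-Req-URI", r"sip:(.*)@[^ ]+", r"tel:\1"),
    ("INVITE", "From", r"<sip:(.*)@.*>", r"<tel:\1>"),
    ("INVITE", "To", r"<sip:(.*)@.*>", r"<tel:\1>"),
]


def _header_value(lines: List[str], name: str) -> str:
    for line in lines[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def _message_kind(lines: List[str]) -> str:
    """An INVITE whose To header already carries a tag is in-dialog, i.e. a re-INVITE
    (assumption of the example: this is how REINVITE rules are told apart from INVITE rules)."""
    method = lines[0].split(" ", 1)[0]
    if method == "INVITE" and "tag=" in _header_value(lines, "To"):
        return "REINVITE"
    return method


def apply_profile(message: str, rules: List[Rule]) -> str:
    """Apply every rule whose method matches the message. 'SIP-Req-URI' addresses the
    request line; any other header name addresses that header's line. Returns the
    rewritten message; headers no rule names are left untouched."""
    lines = message.split("\r\n")
    kind = _message_kind(lines)
    for method, header, pattern, replacement in rules:
        if method != kind:
            continue
        if header == "SIP-Req-URI":
            lines[0] = re.sub(pattern, replacement, lines[0])
            continue
        prefix = header.lower() + ":"
        for i, line in enumerate(lines[1:], start=1):
            if line.lower().startswith(prefix):
                name, value = line.split(":", 1)
                lines[i] = name + ":" + re.sub(pattern, replacement, value)
    return "\r\n".join(lines)


def request_line(message: str) -> str:
    return message.split("\r\n", 1)[0]


# Constructed incoming INVITE using documentation addresses, not captured traffic.
INVITE_NO_USER_PHONE = "\r\n".join([
    "INVITE sip:5551000@203.0.113.10:5060; SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:2222000020@192.0.2.5>;tag=1928301774",
    "To: <sip:5551000@203.0.113.10>",
    "Call-ID: a84b4c76e66710@192.0.2.5",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
    "", "",
])

# Same message with a plain Request-URI, the input for the sip: to tel: profile.
INVITE_SIP_URI = INVITE_NO_USER_PHONE.replace(
    "INVITE sip:5551000@203.0.113.10:5060; SIP/2.0",
    "INVITE sip:5551000@203.0.113.10:5060 SIP/2.0")


if __name__ == "__main__":
    print(request_line(apply_profile(INVITE_NO_USER_PHONE, PROFILE_USER_PHONE)))
    print(apply_profile(INVITE_SIP_URI, PROFILE_TEL))
```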
Interworking: Delayed Offer to Early Offer Interworking

• SP SIP trunk Early Offer (EO) interconnect for enterprise apps that support only Delayed Offer (DO)
• Flow-through required for DO-EO supplementary services

Message flow (enterprise DO leg, CUBE, SP EO leg):
  Enterprise sends INVITE (no SDP); CUBE sends INVITE (Offer SDP) to the SP
  SP returns 180/183/200 (Answer SDP); CUBE returns 180/183/200 (Offer SDP) to the enterprise
  Enterprise returns ACK/PRACK (Answer SDP)

        | Delayed                        | Early
Offer   | SDP in 200 (no SDP in INVITE)  | SDP in INVITE
Answer  | SDP in ACK/PRACK               | SDP in 180/183

Per dial-peer:

    voice class codec 1
     codec preference 1 g711ulaw
     codec preference 2 …

    dial-peer voice 4 voip
     destination-pattern 321....
     voice-class codec 1
     voice-class sip early-offer forced
     session target ipv4:x.x.x.x

Global configuration also supported:

    voice service voip
     sip
      early-offer forced
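The Delayed Offer to Early Offer exchange above, simulated in Python as an added example (not Cisco code). Codec names, the message wording and the rule that without DSP transcoding the B2BUA can only offer the enterprise the codec the SP leg already answered with are assumptions of the example.

```python
from typing import List, Optional, Set, Tuple

Transcript = List[Tuple[str, str]]   # (direction, message) pairs, in order


def choose_codec(offered: List[str], supported: Set[str]) -> Optional[str]:
    """Offer/answer rule: the answerer picks the first codec in the offer it supports."""
    for codec in offered:
        if codec in supported:
            return codec
    return None


def interwork_do_to_eo(codec_pref: List[str], sp_codecs: Set[str], ent_codecs: Set[str],
                       transcoding: bool = False
                       ) -> Tuple[Transcript, str, Optional[str], Optional[str]]:
    """Drive one call through the B2BUA with 'early-offer forced' on the SP dial-peer.

    codec_pref   the dial-peer's voice-class codec list, in preference order
    sp_codecs    what the SP trunk is able to answer with
    ent_codecs   what the enterprise (Delayed Offer) side is able to answer with
    transcoding  whether DSP transcoding is available on this box

    Returns the transcript, an outcome ('passthrough', 'transcode' or 'failed') and
    the codec settled on the enterprise leg and on the SP leg.
    """
    t: Transcript = []
    t.append(("ent -> cube", "INVITE (no SDP)"))                               # Delayed Offer in
    t.append(("cube -> sp", f"INVITE (offer SDP: {', '.join(codec_pref)})"))  # Early Offer out
    sp_codec = choose_codec(codec_pref, sp_codecs)
    if sp_codec is None:
        t.append(("sp -> cube", "488 Not Acceptable Here"))
        t.append(("cube -> ent", "488 Not Acceptable Here"))
        return t, "failed", None, None
    t.append(("sp -> cube", f"200 OK (answer SDP: {sp_codec})"))
    # The SP leg is now settled. Toward the enterprise the B2BUA must make its own
    # offer in the 200 OK; without transcoding it can only offer what the SP agreed to.
    extra = [c for c in codec_pref if c != sp_codec] if transcoding else []
    offer_to_ent = [sp_codec] + extra
    t.append(("cube -> ent", f"200 OK (offer SDP: {', '.join(offer_to_ent)})"))
    ent_codec = choose_codec(offer_to_ent, ent_codecs)
    if ent_codec is None:
        # The enterprise cannot answer the offer although the SP already sent 200:
        # the dialogs are torn down again.
        t.append(("ent -> cube", "ACK, then BYE (no acceptable codec)"))
        t.append(("cube -> sp", "ACK, then BYE"))
        return t, "failed", None, sp_codec
    t.append(("ent -> cube", f"ACK (answer SDP: {ent_codec})"))
    t.append(("cube -> sp", "ACK"))
    outcome = "passthrough" if ent_codec == sp_codec else "transcode"
    return t, outcome, ent_codec, sp_codec


if __name__ == "__main__":
    cases = [
        ("SP and enterprise share g729r8", (["g711ulaw", "g729r8"], {"g729r8"}, {"g711ulaw", "g729r8"})),
        ("enterprise is g711 only, no DSPs", (["g711ulaw", "g729r8"], {"g729r8"}, {"g711ulaw"})),
    ]
    for desc, args in cases:
        transcript, outcome, ent, sp = interwork_do_to_eo(*args)
        print(desc, "->", outcome, ent, sp)
        for direction, msg in transcript:
            print("   ", direction, msg)
```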
Interworking: Media Transcoding

• Cisco Unified Border Element supports universal transcoding
  – Any voice codec to any other codec, e.g. iLBC to G.711 or iLBC to G.729
  – Voice transcoding only (not video)
• Transrating (different packetizations)
  – Supported: transrating of different codecs, e.g. G.711 a-law 20ms ↔ G.711 µ-law 10ms, G.711 20ms ↔ G.729A 30ms
  – Not supported: transrating of the same codec, e.g. G.729A 20ms ↔ G.729A 30ms

Diagram: CUBE between the enterprise (IP phones: G.711, G.729, G.722), the SP VoIP network and the Internet VoIP network (iLBC, iSAC, Speex); transcoding: G.711, G.723.1, G.726, G.728, G.729/a, iLBC, G.722.

Release | Supported codecs*
12.4(11)XW and 12.4.20T | G.711 a-law 64 Kbps; G.711 µ-law 64 Kbps; G.723 5.3 and 6.3 Kbps; G.729, G.729A 8 Kbps; G.729B, G.729AB 8 Kbps; iLBC 13.3 and 15.2 Kbps
12.4(15)XY and 12.4.20T | G.722 64 Kbps

*Note: Only voice codecs are supported with transcoding; no video codecs
Demarcation at Network Borders

• SP UNI
• Codec choice/negotiation
• Fault isolation
• Security
• QoS marking
• Voice quality statistics and billing

Diagram: CUBEs at the borders between the enterprise H.323 network, the enterprise SIP network (CTS, MeetingPlace), an enterprise/SMB IP PBX, an E-Partner IP-PBX and the service provider SBC.
Demarcation: Topology/Address Hiding

• Requirements
  – Maintain connectivity without exposing the IP network details
  – Interconnect networks that have overlapping IP addresses
• B2BUA provides complete topology hiding on signaling and media
  – Maintains security and operational independence of both networks
  – Provides implicit NAT service by substituting Cisco Unified Border Element IP addresses on all traffic

Diagram: Site A (inside, 192.168.10.x/24, hosts 192.168.10.10 and 192.168.10.50) and Site B (inside, also 192.168.10.x/24 with the same host addresses) are joined by two CUBEs across an outside network 172.16.10.x/24 (CUBE addresses 172.16.10.5 and 172.16.10.6); each site only ever sees its own CUBE's addresses.
Security: CUBE Security Protection Points

Diagram: the CUBE processing path from ingress to egress interface: HW LAN/WAN interfaces; IOS infrastructure (ACLs, FW, IPS, VPN); TCP/UDP/TLS transport; the SIP/H.323 protocol stack and dial-peer on each side; the voice application code (L7 protocol-independent memory structures holding call state and attributes: CLID, called number, codec…); and on the media side the RTP library, DSP API and DSP hardware (DTMF translation, codec filtering, transcoding control).

DoS:
• B2BUA: L7 inspection
• Call volume/BW limiting (CAC)
• Call codec limiting
• SIP malformed inspection
• SIP listen port configuration
• RTP malformed
• Topology hiding
• Co-resident IOS: ACLs, FW, IPS

Identity/service theft:
• SIP digest authentication
• SIP hostname validation
• SIP trunk register
• CDR
• Toll fraud
• Co-resident IOS: ACLs, COR

Privacy:
• SIP header manipulation
• Authentication and encryption (media): SRTP
• Authentication and encryption (signaling): TLS
• Co-resident IOS: all VPN features
Security: SIP Protection

Digest authentication
• SIP proxy challenges INVITEs from the Cisco Unified Border Element to check endpoint validity with 401 Unauthorized
• The Cisco Unified Border Element responds with INVITE including credentials

Message flow (CUBE to proxy):
  INVITE [From: <[email protected]>]
  100 Trying
  401 Unauthorized
  INVITE [Authorization: name, passwd]
  100 Trying
  200 OK

    sip-ua
     authentication username xxx password yyy

Hostname validation
• Initial INVITEs with a hostname URI are compared to a configured list of up to 10 hostnames
• If there is no match to the INVITE, the Cisco Unified Border Element returns a "400 Bad Request—Invalid Host"

    sip-ua
     permit hostname dns:example1.sip.com
     permit hostname dns:example2.sip.com
     permit hostname dns:example3.sip.com
     permit hostname dns:example4.sip.com
Security: SIP Protection

SIP listening port
• Default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS)
• These ports are well-known and can be the target of attacks
• Change the SIP listen port to a different setting that is not well-known

    voice service voip
     sip
      shutdown

    voice service voip
     sip
      listen-port non-secure 2000 secure 2050

Registration
• The Cisco Unified Border Element can send SIP REGISTER messages with credentials to a proxy
• Register statically on behalf of endpoints behind the Cisco Unified Border Element that do not register

    x(config)#sip-ua
    x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com

    sip-ua
     registrar ipv4:172.16.193.97 expires 3600
     credentials username 1001 password 0822455D0A16 realm cisco.com
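The digest authentication exchange and the hostname validation on the two SIP Protection slides, modelled in Python as an added example (not Cisco code). The proxy challenges with 401 and verifies an RFC 2617 MD5 digest; the user agent plays the CUBE's 'sip-ua authentication' role. Nonce handling, the 403 on failure and the sample URIs are assumptions of the example; the 1001/cisco/cisco.com credentials are the slide's own.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional, Tuple

MAX_PERMIT_HOSTNAMES = 10          # slide: a configured list of up to 10 hostnames


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def parse_auth_params(value: str) -> Dict[str, str]:
    """Split 'Digest k1="v1", k2=v2, ...' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', value)}


def digest_response(user: str, password: str, realm: str, method: str, uri: str,
                    nonce: str, qop: Optional[str], nc: str, cnonce: str) -> str:
    """RFC 2617 MD5 digest; with qop=auth the nonce count and client nonce are mixed in."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Proxy:
    """The SP proxy: challenges INVITEs and verifies the Authorization header."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm, self.users = realm, users
        self.live_nonces: set = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth"'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_auth_params(authorization)
        if not {"username", "realm", "nonce", "uri", "response"}.issubset(p):
            return False
        if p["realm"] != self.realm or p["nonce"] not in self.live_nonces:
            return False                                   # wrong realm or replayed nonce
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], password, self.realm, method, p["uri"],
                                   p["nonce"], p.get("qop"), p.get("nc", ""), p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p["response"]):
            return False
        self.live_nonces.discard(p["nonce"])               # one successful use per nonce
        return True


class UserAgent:
    """The CUBE role: 'sip-ua / authentication username xxx password yyy'."""

    def __init__(self, username: str, password: str) -> None:
        self.username, self.password = username, password

    def authorization(self, challenge: str, method: str, uri: str) -> str:
        c = parse_auth_params(challenge)
        nc, cnonce = "00000001", secrets.token_hex(4)
        resp = digest_response(self.username, self.password, c["realm"], method, uri,
                               c["nonce"], c.get("qop"), nc, cnonce)
        return (f'Digest username="{self.username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def invite_exchange(proxy: Proxy, ua: UserAgent, uri: str) -> Tuple[List[str], str]:
    """The slide's flow: INVITE, 100 Trying, 401, INVITE with credentials, 100 Trying, final."""
    flow = [f"INVITE {uri}", "100 Trying"]
    challenge = proxy.challenge()
    flow.append(f"401 Unauthorized [WWW-Authenticate: {challenge}]")
    auth = ua.authorization(challenge, "INVITE", uri)
    flow += [f"INVITE {uri} [Authorization: {auth}]", "100 Trying"]
    final = "200 OK" if proxy.verify("INVITE", auth) else "403 Forbidden"
    flow.append(final)
    return flow, final


def validate_host(invite: str, permitted: List[str]) -> str:
    """Hostname validation on an initial INVITE: the Request-URI host must be on the
    permit list, otherwise the slide's '400 Bad Request - Invalid Host' is returned.
    Every initial INVITE is checked here; in-dialog re-INVITEs (To tag present) pass."""
    if len(permitted) > MAX_PERMIT_HOSTNAMES:
        raise ValueError("at most 10 permit hostname entries")
    lines = invite.split("\r\n")
    to_header = next((l for l in lines[1:] if l.lower().startswith("to:")), "")
    if "tag=" in to_header:
        return "accepted"                                  # not an initial INVITE
    m = re.match(r"INVITE\s+sips?:(?:[^@\s]+@)?([^:;\s>]+)", lines[0])
    host = m.group(1).lower() if m else ""
    if host and host in {h.lower() for h in permitted}:
        return "accepted"
    return "400 Bad Request - Invalid Host"
```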
Security: Toll Fraud—ACLs, Dial-Peers

• Use ACLs to allow/deny explicit sources of calls
• Apply explicit incoming and outgoing dial-peers to both CUBE interfaces to control the types and parameters of calls allowed on the network
• Use explicit destination-patterns on dial-peers (not .T) to block disallowed off-net call destinations
• Use translation rules to ensure only valid calling/called numbers are allowed
• Use Tcl/VXML scripts to do database lookups or additional checks to allow/deny call flows
• Change the SIP port to something other than 5060
• Close unused H.323/SIP ports
• Disable secondary dial-tone on TDM ports

Diagram: "Is this a valid call flow to allow?" The CUBE sits between the call agent at 192.168.10.10 and the SP VoIP network at 172.16.10.6, with incoming and outgoing dial-peers on each side.

Enterprise side (explicit incoming and outgoing dial-peers):

    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 100 deny … (everything else)

SP side (explicit incoming and outgoing dial-peers):

    access-list 2 permit 172.16.10.0 0.0.0.255
    access-list 200 deny … (everything else)
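The toll-fraud controls on this slide (source ACL, explicit incoming and outgoing dial-peers, a calling-number check) combined into one policy decision in Python, as an added example that is not Cisco code. The destination-pattern translation covers only digits, '.', '[ ]' ranges and a trailing 'T'; the DID block, the dial-peer patterns and the 'longest explicit match' tie-break are constructed assumptions, while the 192.168.10.0/24 ACL comes from the slide.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

IPNetwork = ipaddress.IPv4Network


def pattern_to_regex(pattern: str) -> str:
    """Translate the subset of IOS destination-pattern syntax used here into a regex:
    a digit matches itself, '.' any one digit, '[2-9]' a digit range, and a trailing
    'T' any number of further digits."""
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == ".":
            out += r"\d"
        elif c == "T":
            out += r"\d*"
        elif c == "[":
            j = pattern.index("]", i)
            out += pattern[i:j + 1]          # same bracket syntax as a regex class
            i = j
        elif c.isdigit() or c in "*#":
            out += re.escape(c)
        else:
            raise ValueError(f"unsupported destination-pattern character {c!r}")
        i += 1
    return "^" + out + "$"


class DialPeer:
    def __init__(self, tag: int, direction: str, pattern: str, description: str) -> None:
        self.tag, self.direction, self.description = tag, direction, description
        self.pattern = pattern
        self.regex = re.compile(pattern_to_regex(pattern))
        # Explicit digits make a pattern more specific; a bare '.T' has none.
        self.specificity = sum(ch.isdigit() for ch in re.sub(r"\[[^\]]*\]", "", pattern))

    def matches(self, number: str) -> bool:
        return self.regex.match(number) is not None


def select_peer(peers: List[DialPeer], direction: str, number: str) -> Optional[DialPeer]:
    """Most explicit match wins, lowest tag breaks ties (simplified IOS longest-match rule)."""
    candidates = [p for p in peers if p.direction == direction and p.matches(number)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (p.specificity, -p.tag))


def source_permitted(src_ip: str, acl: List[Tuple[str, IPNetwork]]) -> bool:
    """Standard ACL semantics: the first matching entry decides, implicit deny at the end."""
    addr = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if addr in network:
            return action == "permit"
    return False


# Constructed policy for the enterprise-facing side of the CUBE (not Cisco's config).
# 'access-list 1 permit 192.168.10.0 0.0.0.255' from the slide; everything else denied.
INSIDE_ACL = [("permit", ipaddress.ip_network("192.168.10.0/24"))]
# Calling numbers must come from the enterprise's own DID block (the translation-rule check).
VALID_CALLING = re.compile(r"^408555\d{4}$")
# Explicit dial-peers: 9 + North American 10-digit numbers, 911 and 9911 for emergency.
# No pattern covers 9011 (international) and there is no '.T' catch-all, so those are refused.
DIAL_PEERS = [
    DialPeer(1, "in", "9T", "incoming called-number from the call agent"),
    DialPeer(2, "out", "9[2-9]" + "." * 9, "domestic 10-digit via SP"),
    DialPeer(3, "out", "9911", "emergency via SP"),
    DialPeer(4, "out", "911", "emergency via SP"),
]


def allow_call(src_ip: str, calling: str, called: str,
               acl=INSIDE_ACL, peers=DIAL_PEERS) -> Tuple[bool, str]:
    """Answer the slide's question 'is this a valid call flow to allow?'."""
    if not source_permitted(src_ip, acl):
        return False, f"source {src_ip} denied by ACL"
    if not VALID_CALLING.match(calling):
        return False, f"calling number {calling} outside the enterprise DID block"
    inbound = select_peer(peers, "in", called)
    if inbound is None:
        return False, "no explicit incoming dial-peer"
    outbound = select_peer(peers, "out", called)
    if outbound is None:
        return False, f"no explicit outgoing dial-peer for {called}"
    return True, f"incoming dial-peer {inbound.tag} -> outgoing dial-peer {outbound.tag}"


if __name__ == "__main__":
    for args in [("192.168.10.10", "4085551000", "94085552000"),
                 ("192.168.10.10", "4085551000", "9011441234567890"),
                 ("198.51.100.7", "4085551000", "94085552000")]:
        print(args, "->", allow_call(*args))
```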
Deployment Options
Centralized/Aggregated SIP Trunk Model

• CUBE at central location
• Single SIP trunk IP address to SP
• All remote site calls hairpin through the campus site where the SIP trunk terminates

Diagram: branches reach HQ over MPLS (branch-HQ RTP); the HQ CUBE connects to the SP VoIP SBC and on to the PSTN (HQ-SP RTP).
Distributed SIP Trunk Model

• CUBE at each site
• SIP trunk IP address per site
• Calls flow directly from site to SP

Diagram: each site's CUBE connects over MPLS to the SP VoIP SBC and on to the PSTN (site-SP RTP).
Agenda

• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
• SIP Trunk Deployment Topologies
  – SMB
  – Enterprise
• Recommended SBC Solutions and Best Practices
SMB Deployment Models: SIP Managed Voice Services

• SIP trunk model
  – Managed services (transparent to end customer)
  – Distributed (every site has a connection)
  – Redundancy: none
  – Capacity: <50 sessions
• Border element
  – SIP TDM GW
  – IAD with FW/NAT
  – IAD with CUBE-"light"
  – CME with integrated SIP trunking

Diagram: VoIP SP 1 delivering commercial managed voice services to an SP-owned managed IP-PBX, a TDM PBX interconnect, customer-owned FXS and an IP-PBX interconnect.
Small Enterprise Deployment Models: CME and CUCM

Diagram: four models connecting to VoIP SP 1 through a CUBE: CME centralized, CME distributed (CME with CUBE at each site), CUCM centralized (CUBE at the central site, SRST at remote sites) and CUCM distributed (SRST/CUBE at each site).
Small Enterprise Deployment Models: CME or CUCM

• SIP trunk model
  – Centralized: typically used when:
    • Cost benefits can be shown
    • SIP SP is different from WAN provider
  – Distributed: typically used when:
    • Survivability is important
    • SIP SP is the same as WAN (often MPLS) provider
  – Redundancy: none
  – Capacity: <200 sessions
• Border element
  – CME with integrated SIP trunking
  – Medium-range standalone CUBE or integrated SRST/CUBE
• SRNDs: www.cisco.com/go/interoperability > CUBE
Medium and Large Enterprise Deployment Models: Multi-Site and Multi-Cluster CUCMs

Diagram: three models connecting to VoIP SP 1 SBCs: multi-site CUCM centralized (hybrid) with a central CUBE and SRST at remote sites; multi-site CUCM distributed with a CUBE at each site; and multi-cluster, multi-site CUCM, either distributed with CUBE (Ent) per cluster or centralized (hybrid) with CUSP+CUBE.
Other Enterprise Deployment Models: IP-PBX and TDM-PBX

Diagram: IP-PBX centralized and distributed models, and TDM-PBX centralized and distributed models (via a gatekeeper, GK), each connecting to VoIP SP 1 through one or more CUBEs.
Medium and Large Enterprise Deployment Models

• SIP trunk model
  – Centralized: typically used when:
    • Cost benefits can be shown
    • SIP SP is different from WAN provider
  – Distributed: typically used when:
    • Survivability is important
    • SIP SP is the same as WAN (often MPLS) provider
    • Geographic considerations
  – Redundancy: generally must-have
  – Capacity:
    • Medium enterprise: 500-1500 sessions at campus/data center sites
    • Large enterprise: 1500-5000 sessions at campus/data center sites
    • Very large enterprise: 5000+ sessions at campus/data center sites
    • 10-100 in remote sites
• Border element
  – Medium-large campus/data center: CUSP+CUBE cluster or CUBE on ASR
  – Large-very large campus/data center: CUBE on ASR
  – Remote sites: high-end standalone CUBE; integrated SRST/CUBE
• SRNDs: www.cisco.com/go/interoperability > CUBE
Agenda

• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
• SIP Trunk Deployment Topologies
• Recommended SBC Solutions and Best Practices
  – SBC Product Positioning
  – Determining an SBC Recommendation
  – SBC Redundancy Options
  – CUCM Best Practices
  – SBC Best Practices
Cisco Unified Border Element Portfolio

• Cisco Unified Border Element (Enterprise Edition) provides SBC features for enterprise implementations
• Cisco Unified Border Element (Service Provider Edition) provides SBC features for carrier-class service provider implementations

Diagram: platforms plotted by session capacity and CPS. CUBE (Ent): 2800 ISR, 3800 ISR, AS5000XM, 7200VXR/7201/7301, ASR 1000 Series. CUBE (SP): 7600 (50,000 sessions per blade, 250,000 per system).
CUBE (Enterprise Edition) Portfolio

Diagram: the platforms plotted by session capacity (<250, 500-800, 5000+) and calls per second (<5, 8-12, 50+), from the 2800 ISR at the low end through the 3800 ISR, AS5000XM and 7200VXR/7201/7301 to the ASR 1000 Series at the high end.
Large-Scale SIP Trunks

Diagram: three ways to scale the SIP trunk between CUCM and the SP SBC: a single CUBE on an ISR; a CUBE cluster (CUBE + CUSP) that fronts several CUBEs behind one trunk; and CUBE (Ent) on an ASR. In each case CUCM has a SIP trunk to the CUBE and the CUBE has a SIP trunk to the SP.
CUBE (Ent) Solution Advantages (subject to change)

ISR:
• Collocated features: TDM GW, Tcl/VXML
• Additional collocated features: SRST, MTP, IOS FW
• T.38 fax, H.323, video/TP, DSP features
• Transcoding, in-band tone DTMF, transrating (upcoming), voice quality scoring (upcoming)
• GK support
• Cost-effective geographic (1+1 and N+1) redundancy

5350XM/5400XM:
• Collocated features: TDM GW, Tcl/VXML
• T.38 fax, H.323 support, video/TP, DSP features
• Transcoding, in-band tone DTMF, transrating (upcoming), voice quality scoring (upcoming)
• GK support
• Cost-effective geographic (1+1 and N+1) redundancy
• Footprint (5350XM 1RU)

ASR1002/4/6:
• Scalability
• Inbox redundancy
  – ASR1002/4: SW failover with media preservation
  – ASR1006: HW failover with media preservation
• Footprint (2/4/6 RU)
Summary SIP Trunk Sizing Recommendations (subject to change)

Enterprise size | SIP trunk sessions | Platform recommendation | Redundancy recommendation
Small | <100 | Single 2811, 2901 | None
Small | 100-200 | Single 2851, 2911 | None
Small | 200-500 | Single 3845, 2951 | None
Medium | 500-1000 | No redundancy: Single 3945; Redundancy: Dual 3945 | Optional
Large | 1000-2000 | Inbox redundancy: Single ASR1002; Geo redundancy: Dual ASR1002 or future ISR G2* | Must-have
Large | 2000-4000 | Inbox redundancy: Single ASR1004/6 RP2; Geo redundancy: Dual ASR1004/6 RP2 | Must-have
Very Large | 4000+ | Inbox redundancy: Single ASR1006 RP2; Geo redundancy: Dual ASR1006 RP2 | Must-have

*Future: 1H 2010 3945 with new SPE-xxx
Redundancy Options: None

• Aggregate SBC capacity is equal to trunk capacity
  – E.g. 4 boxes @ 500 each = 2000-session SIP trunk
  – Full trunk capacity guaranteed only when ALL boxes are up
• Failure impact, single-box solution:
  – All connections dropped; SIP trunk out of service
  – No new calls until recovery
• Failure impact, multiple-box solution:
  – % of connections dropped
  – New calls handled with reduced SIP trunk capacity
Redundancy Options: 1+1

• Active/Standby (HSRP)
  – HSRP can work for intra-enterprise solutions, but is not recommended for SP SIP trunks
• Active/Active (load balancing)
  – Special case of N+1 redundancy (next slide)
  – SP SIP trunks usually offer only 2 IP addresses; if more than 2 boxes are needed to guarantee SIP trunk session capacity, then a CUSP+CUBE solution is recommended
• Local/geographic considerations
  – HSRP provides local redundancy only
  – Load-balancing Act/Act can provide local or geographic redundancy
• Failure impact:
  – All existing connections on the failed box are dropped; no stateful failover
  – New calls are immediately handled with full SIP trunk capacity
Redundancy Options: Inbox

• SW inbox redundancy: ASR1002 + ASR1004
• HW inbox redundancy: ASR1006
  – Control plane (CPU or RP)
  – Data/forwarding plane (packet forwarding)
• Failure impact, CUBE (Ent):
  – Media preservation for existing calls
  – New calls handled immediately with full SIP trunk capacity

Diagram: ASR1002/4 runs an active OS and a standby OS on one control plane; ASR1006 has dual control plane HW (CPU) and dual forwarding plane HW.
N+1 and N+M Redundancy Options

• CUBEs can be ISRs or ASRs
• Local or geographic redundancy
  – CUBEs can be distributed across sites as needed
• Use a load-balancing algorithm in the attached call agent (or use DNS or CUSP) to distribute calls over the pool of CUBEs
• Failure impact:
  – New calls are handled immediately with full SIP trunk capacity

Diagram: N routers to guarantee session capacity, M routers to protect against M simultaneous failures; no, or 1+1, redundancy on CUSP.
CUCM Best Practices

• CUCM 6.x or 7.x recommended for SIP trunking
  – H.323 CUCM interconnects to SIP trunks not recommended
• H.323 or SIP SBC interconnects with non-Cisco IP-PBX or TDM-PBXs can be used
• CUCM configuration
  – Delayed Offer (no MTP) for CUCM outbound calls
  – Early Offer (no MTP) for CUCM inbound calls to CUCM
  – SBC Delayed Offer to Early Offer interworking
• Configure alternate PSTN routing if the SIP trunk is down
  – Recommend not to remove TDM PSTN GWs until after a SIP trunk has been proven in
• If xcoding is required
  – CUCM-controlled xcoding is the more flexible option for SBC engineering purposes
  – SBC xcoding is more flexible in codec combinations
CUBE (Ent) Best Practices (1)

• Always discuss the trade-offs of centralized and distributed SIP trunk design
• Always try to do a POC of a SIP trunk connection
• MTPs:
  – Avoid MTP designs if possible; if not, collocate MTPs with CUBE (Ent) to optimize the media path
• Integrated or dedicated CUBE (Ent)
  – At the low end (<500), MTP, VXML, FW, SRST easily integrated with CUBE (Ent)
  – At >1000 sessions, it's often better to dedicate platforms to each function
• CUBE (Ent) performance engineering
  – H.323-SIP vs. SIP-SIP makes no significant difference
  – DTMF interworking or DO-EO adds no significant extra load
  – SIP profiles and Tcl tend to be fairly "light" on the CPU, but this is configuration dependent
  – MTP, xcoding and SRTP-RTP conversion are CPU-intensive
CUBE (Ent) Best Practices (2)

• Use SIP registration on the trunk if offered by the SP; it offers better security
• Define explicit incoming and outgoing dial-peers
• Deploy IOS UC features and techniques to mitigate toll fraud
CUBE (Ent) Best Practices (3)

• CUBE (Ent) and FW placement
  – Campus/data center sites: place CUBE (Ent) behind the FW
  – Remote/small sites: enable IOS FW integrated on CUBE (Ent)
• Redundancy best practices
  – Centralized SIP trunking: redundancy always recommended, regardless of session capacity
  – Distributed SIP trunking: redundancy recommended at sites with >1000 sessions