© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 1

Cisco Unified Border Element (CUBE) as an Enterprise Session Border Controller

Technical Product Overview Presentation

Cisco Systems Inc., November 2010

Slide 2

SIP Trunking: Eventual Solution to Allow End-to-End IP Communications, Enabling Business-to-Business Collaboration

Changing landscapes – VoIP islands to VoIP interconnects
– Unified Communications SIP trunks to destinations beyond the enterprise
– Narrowband voice to rich-media interconnect
– Extend rich-media collaboration to vendors, partners and customers
– A Cisco Unified Border Element (CUBE) provides B2B interconnectivity for secure rich-media services

[Diagram: Enterprise Domain 1 (IP endpoints) – CUBE – SP VoIP SBC – SBC – CUBE – Enterprise Domain 2 (IP endpoints)]

Slide 3

Migration to SP SIP Trunking for PSTN Access

[Diagram: three stages, each showing Branch Offices and a Campus Contact Center (CVP)]
1. TDM Trunking – Yesterday
2. TDM and IP Trunking – Today (TDM trunks alongside an SP SIP trunk)
3. IP Trunking – Tomorrow (all PSTN access over SP SIP trunks)

Slide 4

Why should an Enterprise deploy a Session Border Controller if the SP already has one?

Challenge: I have multiple PBXs that all need SIP trunking enabled in order to get the best return on investment (ROI).
Impact of an SBC: Deploying an SBC gives you a single interconnect point to your service provider across multiple disparate systems.

Challenge: I would like to centralize all of my SIP trunking in a single location.
Impact of an SBC: A central-office SBC lets you scale your SIP trunk solution while the SP connects to only one device.

Challenge: SIP trunking is a complex new technology; how do I make troubleshooting easier?
Impact of an SBC: An enterprise SBC gives you a single point of troubleshooting for your SIP trunks, and a device supported by Cisco lets one vendor support your entire solution.

Challenge: How can I ensure that I am compliant with my company's security policies when I implement SIP trunking?
Impact of an SBC: An SBC from a trusted vendor such as Cisco incorporates security in all aspects, from an embedded firewall to administrative control over changes; the SBC is the enforcement point for security on the SIP trunk.

Features of a Cisco SBC

Slide 5

Protecting Your Network with an Enterprise Session Border Controller

PRI Trunks for PSTN Access (Class 5 CO – PRI – TDM voice gateway – MGCP, H.323 or SIP inside the enterprise)
– Implicit call admission control: max 23/30 calls per T1/E1 PRI
– Implicit security: nobody can hack into your IP network via a PRI; your IP network is not visible via PRI to the outside; the IP characteristics of your endpoints are unknown to the PSTN endpoint
– Implicit demarcation: the PRI-to-IP point of conversion is used for SP hand-off, troubleshooting and statistics
– Implicit QoS and codec control: the gateway assigns IP packet QoS markings and determines the codecs used on your internal network
– DoS attacks against PRI are rare and difficult to perpetrate: an attacker cannot control individual PRI messages and can only launch calls to your DIDs
– PRI interoperability is standard and well understood in the industry
– The gateway is a toll-fraud control point

SIP Trunks for PSTN Access (SP IP network – SP SBC – SIP – enterprise SBC (CUBE) – H.323 or SIP inside the enterprise)
– No CAC without an SBC: a SIP trunk on an Ethernet ingress can deliver hundreds of calls
– Without an SBC, your IP network topology and endpoint characteristics are visible to the PSTN endpoint
– Without an SBC, there is no demarcation point for SP hand-off and troubleshooting
– Without an SBC, QoS and codec selection are under the control of the SP/PSTN network owner
– DoS attacks against SIP are easy and within reach of even very unsophisticated attackers
– SIP interoperability varies greatly and the industry is still maturing; an SBC can help greatly to normalize SIP
– The SBC is the toll-fraud control point

Slide 6

SIP Trunk Best Practices Summary

Use CUBE as the on-site enterprise border element to
– convert SIP Delayed Offer to Early Offer (DO-EO)
– normalize traffic at the SP UNI
– interconnect/share one SIP trunk between different enterprise IP-PBXs
– provide security for CUCM and enterprise applications
– provide a QoS and troubleshooting demarcation point

Use a G.711 SIP trunk
– Avoid transcoding if possible

Ensure these are addressed:
– Redundancy, especially for large, centralized SIP trunk designs
– Fax
– Emergency calls
– DID porting
– SIP trunk monitoring

The SIP trunk market is maturing
– Plan and execute thorough testing before production
– Most interop issues can be resolved with targeted configuration changes and protocol normalization

Evaluate different providers
– Offerings vary considerably

CUCM recommendations
– CUCM 5.x and older: H.323
– CUCM 6.x and newer: SIP
– Avoid MTPs if possible

Use the SRNDs and Configuration App Notes

Slide 7

SIP Trunk Validations on Cisco.com

Cisco focuses on standards compliance and participates in the major IETF SIP standards bodies

Cisco performs interoperability validations with SIP trunk providers and PBXs

Completed validations are posted to Cisco.com at www.cisco.com/go/interoperability

Slide 8

Enterprise Interconnect Internally and to Realms beyond the Enterprise

[Diagram: four CUBE deployments]
– SIP trunks for PSTN access: enterprise (H.323 or SIP) – CUBE as SIP B2BUA – SP IP network
– Business-to-business TelePresence: a SIP B2BUA or H.323 B2BUA at each enterprise border, connected across the SP IP network
– H.323 video between companies over the Internet: an H.323 B2BUA at each border
– Enterprise networks in transition: CUBE between a SIP application and H.323 equipment inside the enterprise

Slide 9

Cisco Unified Border Element (Enterprise Edition) Portfolio

[Chart: active voice call (session) capacity against calls per second (CPS) per platform: 800/1861 ISR, 2801 ISR, 2800 ISR, 2900 ISR G2, 3800 ISR, 3900 ISR G2, 3900E ISR G2, ASR 1001, ASR 1002, ASR 1004/6 RP2 and AS5000XM. Session capacity bands shown: <50, 500-600, 600-800, 900-1000, 1500-1700, 2000-2500, 10-12K, 12-16K+; CPS bands shown: <5, 4, 8-12, 17, 20-35, 50-100, 50-150. The per-platform pairing is not legible in this transcript.]

Slide 10

Cisco Unified Border Element – More Than an SBC: An Integrated Network Infrastructure Service

Cisco Unified Border Element: address hiding, H.323 and SIP interworking, DTMF interworking, SIP security, transcoding
Note: an SBC appliance would have only these features

Services co-resident on the same router:
– VXML
– SRST
– RSVP Agent
– Unified CM conferencing and transcoding
– Gatekeeper (GK)
– TDM gateway: voice and video TDM interconnect, PSTN backup
– Routing, firewall, IPS, QoS
– WAN interfaces

Note: some features/components may require additional licensing

Slide 11

Cisco Unified Border Element Key Features

Interworking: H.323 and SIP, SIP normalization, DTMF interworking, transcoding, codec filtering, fax/modem support

Security: encryption, authentication, registration, SIP protection, firewall placement, toll fraud

Session management: real-time session management, call admission control, ensuring QoS, PSTN gateway fallback, statistics and billing, redundancy/scalability

Demarcation: fault isolation, topology hiding, network borders ("mine" / "yours"), L5/L7 protocol demarcation, statistics and billing

Slide 12

Call Admission Control

CUBE provides various different CAC mechanisms
– Total calls, CPU, memory, gatekeeper IP call capacity, max-connections, RSVP

Max calls per destination: with max-conn 2 on the dial-peer, call #1 and call #2 are accepted and call #3 is rejected by CUBE

    dial-peer voice 1 voip
     max-conn 2

Call spike detection: if a call spike is detected, reject calls

    call spike call-number [steps number-of-steps size milliseconds]
    call spike 10 steps 5 size 200

With "call spike 10 steps 5 size 200" the sliding window is 5 steps of 200 ms (1 second); more than 10 call attempts inside that window is treated as a spike.

High water mark / low water mark (total calls, CPU, memory): new calls are refused once the resource reaches the high mark and accepted again only when it has dropped back to the low mark

    call threshold global {total-calls | cpu-5sec | cpu-avg | total-mem | io-mem | proc-mem} low xx high yy
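The three mechanisms on this slide, modelled in Python as an added illustration written for this page (not CUBE code): a per-dial-peer max-conn counter, a call-spike detector over a sliding window of steps × size milliseconds, and a global total-calls threshold with high/low water marks. The class and function names, the order in which the checks run and the scenario timings are assumptions made for the example.

```python
"""Added illustration of CUBE-style call admission control (not CUBE code):
per-dial-peer max-conn, 'call spike' detection over a sliding window and a
global total-calls high/low water mark. Names, check order and the scenario
timings are assumptions made for this example."""
from collections import deque
from dataclasses import dataclass


@dataclass
class DialPeer:
    """'dial-peer voice <tag> voip' with 'max-conn <n>'."""
    tag: int
    max_conn: int
    active: int = 0


class CallSpikeDetector:
    """Models 'call spike <call-number> steps <n> size <ms>': at most call_number
    attempts are permitted inside a sliding window of n * ms milliseconds."""

    def __init__(self, call_number, steps, size_ms):
        self.call_number = call_number
        self.window_ms = steps * size_ms
        self.attempts = deque()  # timestamps (ms) of attempts still inside the window

    def admit(self, now_ms):
        while self.attempts and now_ms - self.attempts[0] >= self.window_ms:
            self.attempts.popleft()          # age out attempts older than the window
        if len(self.attempts) >= self.call_number:
            return False                     # spike: this attempt is not counted
        self.attempts.append(now_ms)
        return True


class GlobalThreshold:
    """Models 'call threshold global total-calls low L high H' with hysteresis:
    block new calls once the count reaches H, admit again once it is back at L."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.active = 0
        self.blocking = False

    def admit(self):
        if self.blocking:
            return False
        self.active += 1
        if self.active >= self.high:
            self.blocking = True             # high water mark reached
        return True

    def release(self):
        self.active -= 1
        if self.blocking and self.active <= self.low:
            self.blocking = False            # back at the low water mark


def admit_call(now_ms, peer, spike, threshold):
    """One inbound attempt at now_ms -> (accepted, reason). Check order assumed:
    spike, global threshold, then the matched dial-peer's max-conn."""
    if not spike.admit(now_ms):
        return False, "call spike"
    if not threshold.admit():
        return False, "global total-calls high water mark"
    if peer.active >= peer.max_conn:
        threshold.release()                  # a rejected call must not hold a global slot
        return False, f"dial-peer {peer.tag} max-conn {peer.max_conn}"
    peer.active += 1
    return True, "accepted"


def release_call(peer, threshold):
    """Call teardown: free the dial-peer and global slots."""
    peer.active -= 1
    threshold.release()


def run_scenario():
    """Constructed traffic; returns the decision list for each mechanism."""
    results = {}
    # 1. 'max-conn 2': the third simultaneous call to dial-peer 1 is rejected
    spike, thr = CallSpikeDetector(10, 5, 200), GlobalThreshold(low=50, high=100)
    peer1 = DialPeer(tag=1, max_conn=2)
    results["max_conn"] = [admit_call(t, peer1, spike, thr)[1] for t in (0, 50, 100)]
    # 2. 'call spike 10 steps 5 size 200': 12 attempts 50 ms apart, then one at 1000 ms
    spike, thr = CallSpikeDetector(10, 5, 200), GlobalThreshold(low=50, high=100)
    peer2 = DialPeer(tag=2, max_conn=100)
    times = [50 * i for i in range(12)] + [1000]
    results["spike"] = [admit_call(t, peer2, spike, thr)[1] for t in times]
    # 3. 'total-calls low 2 high 4': blocked at 4 active, re-admitted only back at 2
    spike, thr = CallSpikeDetector(10, 5, 200), GlobalThreshold(low=2, high=4)
    peer3 = DialPeer(tag=3, max_conn=100)
    seq = [admit_call(2000 * i, peer3, spike, thr)[1] for i in range(5)]
    release_call(peer3, thr)                 # 4 -> 3 active: still above the low mark
    seq.append(admit_call(12000, peer3, spike, thr)[1])
    release_call(peer3, thr)                 # 3 -> 2 active: low mark reached
    seq.append(admit_call(14000, peer3, spike, thr)[1])
    results["threshold"] = seq
    return results


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

Running the scenario shows the hysteresis point that matters operationally: after the high water mark trips, one call releasing is not enough to re-open the trunk, so a burst cannot flap the gate on every teardown.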

Slide 13

H.323 and SIP Interworking

H.323-H.323
In Leg     | Out Leg    | Support
Fast Start | Fast Start | Bi-directional
Slow Start | Slow Start | Bi-directional
Fast Start | Slow Start | Bi-directional

SIP-SIP
In Leg        | Out Leg       | Support
Early Offer   | Early Offer   | Bi-directional
Delayed Offer | Delayed Offer | Bi-directional
Delayed Offer | Early Offer   | Uni-directional

H.323-SIP
In Leg     | Out Leg       | Support
Fast Start | Early Offer   | Bi-directional
Slow Start | Delayed Offer | Bi-directional

Slide 14

DTMF Interworking

H.323 ↔ SIP
H.323              | SIP
H.245-Alphanumeric | NOTIFY
H.245-Signal       | NOTIFY
RFC2833            | NOTIFY
H.245-Alphanumeric | RFC2833
H.245-Signal       | RFC2833
RFC2833            | RFC2833
H.245-Alphanumeric | KPML
H.245-Signal       | KPML
Voice In-Band*     | RFC2833

H.323 ↔ H.323
H.323              | H.323
H.245-Alphanumeric | H.245-Alphanumeric
H.245-Signal       | H.245-Signal
RFC2833            | RFC2833
H.245-Alphanumeric | RFC2833
H.245-Signal       | RFC2833
Voice In-Band*     | RFC2833

SIP ↔ SIP
SIP                | SIP
NOTIFY             | NOTIFY
RFC2833            | NOTIFY
RFC2833            | RFC2833
KPML               | KPML
Voice In-Band*     | RFC2833

All DTMF interworking is bidirectional

*Requires transcoder DSP

Slide 15

SIP Normalization at the Network Border

"Normalize" SIP traffic coming into the SP or enterprise network at the border

Use SIP profiles to translate messages

[Diagram: a CUBE at the border of each enterprise IP-PBX, of a Smart Business Communications System (small-medium business) and of residential sites, connected to VoIP SP 1 and VoIP SP 2; the two SPs interconnect SBC to SBC (SP–SP)]

Slide 16

Media Transcoding and Transrating

Transcoding
– One voice codec to any other codec, e.g. iLBC-G.711 or iLBC-G.729
– H.323 and SIP
– CUCM 7.1.5 supports universal transcoding

Transrating
– Different packetizations of the same codec, e.g. G.729 20 ms to G.729 30 ms
– SIP-SIP support
– No SRTP support with transrating

• Transcoding: G.711, G.723.1, G.726, G.728, G.729/a, iLBC, G.722
• Transrating: G.729 20 ms ↔ 30 ms

Supported codecs*                        | Packetization (ms)
G.711 a-law, 64 kbps                     | 10, 20, 30
G.711 µ-law, 64 kbps                     | 10, 20, 30
G.723, 5.3/6.3 kbps                      | 30, 60
G.729, G.729A, G.729B, G.729AB, 8 kbps   | 10, 20, 30, 40, 50, 60
G.722, 64 kbps                           | 10, 20, 30

*Note: only voice codecs are supported with transcoding/transrating; no video codecs, and not the audio of a video call

[Diagram: SP VoIP network (G.729 30 ms; iLBC, iSAC, Speex) – CUBE – enterprise VoIP with IP phones using G.711, G.729 20 ms, G.722]

    dial-peer voice 2 voip
     codec g729r8 bytes 30 fixed-bytes

    ! Call volume (gain/loss) adjustment
    dial-peer voice 2 voip
     audio incoming level-adjustment x
     audio outgoing level-adjustment y

Slide 17

CUBE Security Protection Points

[Diagram: protection points between the ingress and egress interfaces]
– HW LAN/WAN interfaces
– IOS infrastructure (ACLs, FW, IPS, VPN)
– TCP / UDP / TLS transport on each side
– SIP/H.323 protocol stack and dial-peer on each side
– Voice application code: L7 protocol-independent memory structures holding call state and attributes (CLID, called number, codec, ...)
– Media path: RTP library, DSP API, DSP hardware (DTMF translation, codec filtering, transcoding control)

DoS
• B2BUA – L7 inspection
• Call volume/bandwidth limiting (CAC)
• Call codec limiting
• SIP malformed-message inspection
• SIP listen port configuration
• RTP malformed-packet inspection
• Topology hiding
• Co-resident IOS: ACLs, FW, IPS

Identity / service theft
• SIP digest authentication
• SIP hostname validation
• SIP trunk register
• CDR
• Toll fraud
• Co-resident IOS: ACLs, COR

Privacy
• SIP header manipulation
• Authentication and encryption (media) – SRTP
• Authentication and encryption (signaling) – TLS
• Co-resident IOS: all VPN features

Slide 18

CUBE Topology/Address Hiding

CUBE provides complete topology hiding on signaling and media
– Maintains security and operational independence of both networks
– Provides an implicit NAT service by substituting CUBE's own IP addresses in all traffic (signaling headers and SDP media addresses)
– Allows for NAT and firewall (FW) traversal

[Diagram: Site A inside 192.168.10.x/24 (hosts 192.168.10.10 and 192.168.10.50) – CUBE 172.16.10.5 – outside 172.16.10.x/24 – CUBE 172.16.10.6 – Site B inside 192.168.10.x/24 (hosts 192.168.10.10 and 192.168.10.50). Both sites use the same private subnet; because each CUBE presents only its outside address, the overlap is never visible across the border.]
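What the B2BUA does to a message at the border, as an added Python illustration (not CUBE code) that serves both slide 15 (SIP normalization with profile-style header rules) and this slide (topology hiding): it rewrites the request URI and headers with regex rules in the shape of IOS sip-profiles, then re-originates Via, Contact, Call-ID and the SDP addresses on the outside leg so the far end sees only CUBE's outside address. The addresses follow the diagram above; the INVITE, the rules, the outside RTP port and the leg id are constructed for the example, and leaked_inside_addresses() is the check you would run on a capture of the outside leg.

```python
"""Added illustration (not CUBE code) of a SIP B2BUA at the border: header
normalization in the spirit of IOS 'sip-profiles' plus topology hiding by
re-originating the request with the outside address. Addresses come from the
slide diagram; the INVITE, rules, media port and leg id are constructed."""
import re
import uuid

PHONE_INSIDE = "192.168.10.10"   # Site A endpoint (diagram)
CUBE_INSIDE = "192.168.10.50"    # CUBE inside interface (diagram)
CUBE_OUTSIDE = "172.16.10.5"     # CUBE outside interface (diagram)
OUTSIDE_MEDIA_PORT = 8000        # assumed RTP port CUBE allocates on the outside leg

SDP_INSIDE = (                   # constructed SDP offered by the inside phone
    "v=0\r\n"
    f"o=1001 1 1 IN IP4 {PHONE_INSIDE}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PHONE_INSIDE}\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 101\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)
INVITE_INSIDE = (                # constructed INVITE as CUBE receives it on the inside
    f"INVITE sip:+14085551234@{CUBE_INSIDE} SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PHONE_INSIDE}:5060;branch=z9hG4bK-a1\r\n"
    f'From: "Alice" <sip:1001@{PHONE_INSIDE}>;tag=f1\r\n'
    f"To: <sip:+14085551234@{CUBE_INSIDE}>\r\n"
    f"Call-ID: 1a2b3c@{PHONE_INSIDE}\r\n"
    "CSeq: 1 INVITE\r\n"
    f"Contact: <sip:1001@{PHONE_INSIDE}:5060>\r\n"
    "User-Agent: Cisco-CP7965G/9.0.3\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_INSIDE)}\r\n"
    "\r\n" + SDP_INSIDE
)

# Rules in the shape of 'sip-header <name> modify <match> <replace>': the assumed
# provider wants national numbers and no display names.
RULES = [
    ("request-uri", r"\+1(\d{10})", r"\1"),
    ("To", r"\+1(\d{10})", r"\1"),
    ("From", r'^"[^"]*"\s*', ""),
]


def parse(msg):
    """Split a SIP message into start line, [(name, value)] headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]
    return start, headers, body


def serialize(start, headers, body):
    headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    headers.append(("Content-Length", str(len(body))))
    return start + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in headers) + "\r\n\r\n" + body


def normalize(start, headers, rules):
    """Apply each (target, pattern, replacement) rule to the request URI or a header."""
    for target, pat, repl in rules:
        if target == "request-uri":
            start = re.sub(pat, repl, start)
        else:
            headers = [(n, re.sub(pat, repl, v) if n.lower() == target.lower() else v)
                       for n, v in headers]
    return start, headers


def hide_topology(start, headers, body, inside_hosts, outside_ip, media_port, leg_id):
    """Re-originate the request on the outside leg so only outside_ip is visible."""
    host_re = re.compile("|".join(re.escape(h) for h in inside_hosts))
    out = [("Via", f"SIP/2.0/UDP {outside_ip}:5060;branch=z9hG4bK-{leg_id}")]
    for n, v in headers:
        name = n.lower()
        if name in ("via", "user-agent", "server"):  # inside route and endpoint fingerprint
            continue
        if name == "call-id":
            v = f"{leg_id}@{outside_ip}"             # independent dialog on the outside leg
        elif name == "contact":
            v = f"<sip:{outside_ip}:5060>"           # in-dialog requests come back to CUBE
        else:
            v = host_re.sub(outside_ip, v)           # From/To carry CUBE's address only
        out.append((n, v))
    start = host_re.sub(outside_ip, start)
    # media anchored on CUBE: the far end sends RTP to CUBE, never to the inside endpoint
    body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{outside_ip}", body, flags=re.M)
    body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {outside_ip}", body, flags=re.M)
    body = re.sub(r"^(m=audio )\d+", rf"\g<1>{media_port}", body, flags=re.M)
    return start, out, body


def relay_to_outside(raw, rules, leg_id=None):
    leg_id = leg_id or uuid.uuid4().hex
    start, headers, body = parse(raw)
    start, headers = normalize(start, headers, rules)
    start, headers, body = hide_topology(start, headers, body, [PHONE_INSIDE, CUBE_INSIDE],
                                         CUBE_OUTSIDE, OUTSIDE_MEDIA_PORT, leg_id)
    return serialize(start, headers, body)


def leaked_inside_addresses(msg, inside_prefix="192.168.10."):
    """Check for a capture of the outside leg: which inside addresses are still visible?"""
    return sorted(set(re.findall(re.escape(inside_prefix) + r"\d+", msg)))


def header(msg, name):
    return [v for n, v in parse(msg)[1] if n.lower() == name.lower()]
```

Run leaked_inside_addresses() on the inbound INVITE and on relay_to_outside()'s result: the first returns both inside hosts, the second returns nothing, which is the property the slide calls "complete topology hiding on signaling and media". The From tag is kept unchanged here for brevity; a real B2BUA generates its own dialog identifiers on each leg.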

Slide 19

Centralized and Distributed SIP Trunk Models

[Diagram: three models over an MPLS WAN with PSTN and SP VoIP access]
– Centralized: a single CUBE at the central site carries all site-to-SP RTP; site-to-site RTP stays on the MPLS network
– Distributed: a CUBE at every site, each with its own SIP trunk to the SP VoIP network
– Hybrid: a central CUBE plus CUBEs at selected sites

Slide 20

Designing Large-Scale SIP Trunks

[Diagram: CUCM SIP trunk on the enterprise side, SP SIP trunk to the SP SBC on the provider side]
– A single CUBE on an ISR between CUCM and the SP SIP trunk
– A CUBE cluster of ISRs fronted by CUSP (Cisco Unified SIP Proxy), which distributes calls across the cluster
– A single CUBE (Enterprise) on an ASR
– A CUBE cluster of ASRs

Slide 21

Methods for Providing SBC Redundancy and Scalability

Table columns: Method, Redundancy, Scalability, Notes
– Box-to-box redundancy: all protocols; ISR G2 and ASR platforms; L2 local redundancy; media preservation or stateful failover
– Inbox hardware failover: ASR platforms; stateful failover
– CUCM route lists: application server alternate routing; H.323 and SIP
– DNS: all protocols; may affect PDD depending on DNS network design
– Gatekeeper: load balancer; H.323 only
– CUSP: load balancer; SIP only
– CUBE on ISR G2E and ASR: SIP-SIP, H.323-SIP

Slide 22

CUBE Network Management & Troubleshooting Summary

Image, configuration and license management: Cisco License Manager (CLM), CiscoWorks LMS, Cisco Configuration Engine (CCE)

Provisioning and monitoring: CLI (provisioning), Cisco Configuration Professional (CCP) 2.3 (provisioning), Cisco Unified Operations Manager (CUOM), SNMP monitoring, CDR, 3rd-party tools, e.g. SolarWinds

Troubleshooting: Cisco IOS packet capture, protocol ladder diagrams (Wireshark), Cisco IOS per-call debugging (PCD)

Slide 23

CUBE Monitoring

Table columns: Area, Information, Method

SIP trunk status
– SIP trunk status: SIP OOD OPTIONS ping; CLI dial-peer status
– SIP retries: CISCO-SIP-UA-MIB, cSipStatsRetry

Voice quality
– Loss, delay, jitter: IP SLA; CISCO-RTTMON-RTP-MIB, rttMonJitterStatsTable, rttMonLatestJitterOperTable

Media resources (DSPs)
– MTP utilization: CUBE 1.4: CISCO-DSP-MGMT-MIB, cdspTotAvailMtpSess, cdspTotUnusedMtpSess
– Transcoding utilization: CUBE 1.4: CISCO-DSP-MGMT-MIB, cdspTotAvailTranscodeSess, cdspTotUnusedTranscodeSess
– DSP availability: CISCO-DSP-MGMT-MIB, cdspCardResourceUtilization, cdspDspfarmUtilObjects

Traffic reports (calls, sessions, capacity planning, errors)
– Call arrival rate: CUBE 1.4: CISCO-VOICE-DIAL-CONTROL-MIB, cvCallRateMonitor
– Call success/failure: DIAL-CONTROL-MIB, dialCtlPeerStatsSuccessCalls, dialCtlPeerStatsAcceptCalls, dialCtlPeerStatsFailCalls, dialCtlPeerStatsRefuseCalls; CISCO-SIP-UA-MIB, cSipStatsErrClient, cSipStatsErrServer, cSipStatsGlobalFail
– Trunk utilization: CUBE 1.4: CISCO-VOICE-DIAL-CONTROL-MIB, cvCallVolume; older CUBE: DIAL-CONTROL-MIB, callActive; CISCO-DIAL-CONTROL-MIB, cCallHistoryTable; CUBE 8.5: SIP RAI trunk utilization; CISCO-VOICE-DIAL-CONTROL-MIB, cvVoIPCallActiveTable

Router health
– CPU, memory, interfaces: CISCO-PROCESS-MIB, cpmCPUTotal5minRev; CISCO-MEMORY-POOL-MIB, ciscoMemoryPoolTable; IF-MIB, ifEntry

More info in the CUBE Management and Manageability Specification at:
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps5640/white_paper_c11-613550.html

Slide 24

Cisco.com SIP Trunk and CUBE Resources

Cisco UBE on Cisco.com
– http://www.cisco.com/go/cube

Cisco Communications Transformations whitepapers
– Section on whitepapers

Cisco Interoperability Portal
– www.cisco.com/go/interoperability
– Cisco Unified Border Element (CUBE)/SIP Trunking Solutions
– Cisco UBE SP SIP Trunk Interoperability Reports
– Cisco UBE PBX Interoperability Reports (Avaya/Nortel)

Cisco SRND Portal
– www.cisco.com/go/srnd
– CUCM SIP trunk documentation: CUCM 8.x SRND, CUCM 7.x SRND, CUCM 6.x SRND
– CVP 7.0 SIP Trunk Integration

Marketing support: [email protected]

Cisco Press: SIP Trunking
– SIP Trunking @ www.ciscopress.com/title/1587059444

TechWise TV: SIP, Session Management and Beyond
http://www.youtube.com/watch?v=YFoLTsqEI0w

Slide 25

Cisco.com SIP Trunk Design Documents

Table columns: Document, Coverage, Location

CUCM 8.x SRND
– Coverage: CUCM connectivity to SIP trunks
– Location: cisco.com/go/srnd > Unified Communications > Unified Communications System > View Design Guide (CUCM 8.x) > Unified Comms Call Routing > Cisco Unified CM Trunks > Cisco Unified Border Element

CVP 7.x SRND
– Coverage: Contact Center: CVP + CUBE
– Location: cisco.com/go/srnd > Unified Communications > Customer Voice Portal > View Design Guide (CVP 7.x) > Gateway Options > Cisco Unified Border Element

CUBE in Contact Center Configuration Guide
– Coverage: Contact Center: CVP + CUBE
– Location: http://cisco.com/en/US/docs/voice_ip_comm/unified_communications/cubecc.html

SP SIP Trunk Interop
– Coverage: CUCM/CUBE validation testing with specific SP offerings: AT&T TollFree, FlexReach, VoEVPN; Allstream; Verizon; Paetec…
– Location: cisco.com/go/interoperability > Cisco Unified Border Element