SIP Trunking for IP PSTN Access
Peter Sakala, [email protected]
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential


What is a SIP Trunk? A sampling of views/definitions

• Single IP-based interconnect for voice and data using SIP
• SIP trunking is the IP equivalent of the digital/analog TDM connection that traditionally connected a PBX to the PSTN
• The logical session or channel established between a carrier and customer (porting a PSTN phone number to an IP address)
• A SIP Trunk service can be either
  – Managed: SP provides CPE equipment to monitor and guarantee SLAs in addition to basic voice services
  – "un"Managed: similar to an analog phone line; provides basic voice services
• Any SIP-based "connection" between two applications
  – Intra-enterprise: between applications, e.g. MPlace to CUCM, or between different zones or departments within a company
  – Enterprise to SP: PSTN access
  – B2B inter-enterprise: between companies (e.g. Disney and Apple)


Unified Communications Content Mapping: SIP Trunk for PSTN Access

[Diagram: an SMB site (IP-PBX with CUBE) and enterprise sites, either with a CUBE at every site (Enterprise: Distributed SIP Trunk) or with a single CUBE at the central site (Enterprise: Centralized SIP Trunk), all connecting to the VoIP SP]

SIP Trunk Industry Update


Industry Trends in "SIP Trunk for PSTN"

• Significant uptick in enterprise customer interest in SIP trunking
  – Numerous trial deployments
  – Increasing production deployments, mostly on low session counts
• Video/SIP trunking for TelePresence offerings becoming available (e.g. ATT, TATA)
• Increased interest in SIP trunk security features
  – FW, SRTP/TLS encryption, DoS attack mitigation
• Increased interest in SIP normalization/manipulation as industry-wide vendor/application interop continues to be problematic
  – SIP maturity is still some years off
  – Increasing interest in 3rd-party PBX interop with the Cisco SIP trunking solution; while we should position CUCM whenever possible, the PBX Interop lab does test CUBE with various IP-PBXs to provide interop info when required
• Increased incidence of toll fraud on SIP

SIP Trunking – Growth and Impeding Factors

Growth factors:
• Can be cheaper
• Physical access more versatile
• Capacity changes more dynamic
• Equipment consolidation
• Operational consolidation
• Improved redundancy
• New rich-media services
• Vendor/SP advocates
• Industry hype/pressure

Impeding factors:
• Immature PSTN-equivalent services
  – 911 / 112
  – Fax/Modem
  – MLPP
  – MCID
  – Fault monitoring/isolation
• Number portability
• Poorly understood legal and geographical implications
• Inconsistent service delivery
  – Call-ID, recording
• Unregulated service
  – Requires in-depth evaluation
  – Costs vary significantly based on geography and SP


Current SP SIP Trunk Services Compared to TDM Services

Consideration | SIP Trunk | TDM Trunk
Basic call completion | Well defined | Well defined
Suppl. services (Xfer, FWD, Hold, Conf) | Requires validation testing | Well defined
Fault monitoring and isolation options | PING monitoring | Yellow/Red alarms
Emergency call (911) handling | Special handling per SP | Well defined
Malicious Call-ID (MCID) and Multi-level Priority and Preemption (MLPP) | Not defined | Well defined
Caller-ID delivery | Inconsistent | Consistent
Voice band data (modems/Baudot TDD) | Ill-defined or unsupported | Well defined
Fax technology | Industry interop issues | Well defined
Deterministic traffic engineering (how are bursts handled? who sends back equipment busy, enterprise or SP? who provides announcements?) | SP dependent | Well defined
Porting numbers | Within single SP control | Well defined
Geographic and legal dependencies of call routing | Independent of geography but not of legislation | Geographically dependent
Future rich media services | Great potential | No
Cost to enterprise for service | Inconsistent | Well defined
Flexibility of call routing; site aggregation | Very flexible | SP dependent
Security considerations | IP considerations; toll fraud | Toll fraud

Future SIP Trunk Services

• Technology possibilities of new features
  – Wideband codecs
  – Video and TelePresence
  – Presence
  – SRTP/TLS
  – Calls with subject lines
  – Fixed Mobile Convergence (different endpoints)
• Customer requests for additional voice services
  – Security (SRTP/TLS)
  – Fax
• Industry currently working to get voice established
  – Most SPs have not discussed or unveiled plans for services beyond voice


SIP Trunk Deployment Scenarios and Recommendations

Agenda
• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
• SIP Trunk Deployment Topologies
• Recommended SBC Solutions and Best Practices


Reference SIP Trunking Architecture

[Diagram: on the SP network side, NMS & OSS, a SIP proxy/softswitch, a media gateway to the PSTN, ITPs and services (presence, VM, etc.), with an SBC at the SP edge. The SIP trunk crosses the "SP network | customer premise" boundary (optionally SP-managed) and terminates on a CUBE, behind a FW/NAT ALG, in front of CUCM, CUCME, SBCS, an IP PBX or a TDM PBX. Signaling and bearer paths are drawn separately.]

Agenda
• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
  – Levels of Managed Services
  – Dedicated / Integrated Voice + Data
  – Centralized / Distributed Trunking
• SIP Trunk Deployment Topologies
• Recommended SBC Solutions and Best Practices


SIP Trunk SP Service Models: SIP Trunk Service with L3 Router Demarc

[Diagram: VoIP SP with its SBC (service provider owned); SIP trunk to a customer-premises router, the L3 demarc; then an enterprise-owned CUBE in front of CUCM, CUCME, SBCS or an IP PBX]

Managed access service providing an IP trunk between the SP network and a customer's IP-enabled call agent

SIP Trunk SP Service Models: SIP Trunk Service with L7 SBC Demarc

[Diagram: VoIP SP with its SBC; SIP trunk terminating on a service-provider-owned CUBE on the customer premises, the L7 demarc; behind it the enterprise-owned CUBE/CUCM or IP PBX]

Managed access service providing an IP trunk between the SP network and a customer's IP-enabled call agent


SIP Trunk SP Service Models: SIP Trunk Managed IP-PBX Service

[Diagram: VoIP SP with its SBC; SIP trunk to a managed CME/IP-PBX or a managed CUCM on the customer premises (service provider owned); only the phones are enterprise owned]

Service in which a customer's premise-based IP-PBX, UC apps and dial-plan are operated and maintained by the SP

Security Exposure on Enterprise SIP Trunk Connection Models – Where Should I Firewall?

[Diagram: four connection models ordered by increasing security exposure, each with a CUBE at the enterprise edge, with the lower-exposure models marked as the recommended deployment models:
1. SIP + VPN SP: SIP trunk and WAN data from the same VPN SP
2. SIP SP + WAN SP: SIP trunk from a SIP SP, WAN data from a separate WAN SP
3. SIP SP + Internet: SIP trunk from a SIP SP, data over the Internet
4. Internet: both voice and data over the Internet]


Cisco Unified Border Element

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public BRKVVT-2305_c1

Cisco Unified Border Element Architecture

• Actively involved in the call treatment, signaling and media streams (SIP B2B User Agent)
• Signaling is terminated, interpreted and re-originated
  – Provides full inspection of signaling, and protection against malformed and malicious packets
• Media is handled in two different modes
  – Media Flow-Through
  – Media Flow-Around
• Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs)

Media Flow-Around
• Signaling and media terminated by the Cisco Unified Border Element
• Media bypasses the Cisco Unified Border Element

Media Flow-Through
• Signaling and media terminated by the Cisco Unified Border Element
• Transcoding and complete IP address hiding require this model


Cisco Unified Border Element Basic Call Flow

1. Incoming VoIP setup message from originating endpoint
2. This matches inbound VoIP dial peer 1 for characteristics such as codec, VAD, DTMF method, protocol, etc.
3. Match the called number to outbound VoIP dial peer 2
4. Outgoing VoIP setup message

Originating Endpoint -> (Incoming VoIP Call) -> CUBE -> (Outgoing VoIP Call) -> Terminating Endpoint

Incoming VoIP call (dial-peer 1):
  dial-peer voice 1 voip
   destination-pattern 1000
   incoming called-number .T
   session target ipv4:192.168.10.50
   codec g711ulaw

Outgoing VoIP call (dial-peer 2):
  dial-peer voice 2 voip
   destination-pattern 2000
   session protocol sipv2
   session target ipv4:192.168.12.25
   codec g711ulaw

Global configuration:
  voice service voip
   allow-connections h323 to h323
   allow-connections h323 to sip
   allow-connections sip to h323
   allow-connections sip to sip

CUBE – H.323 and SIP Layer 5/7 Demarcation: Back-to-Back User Agent

Incoming call leg:
  dial-peer voice 1 voip
   description Incoming
   incoming called-number .T
   session protocol sipv2

Outgoing call leg:
  dial-peer voice 4 voip
   description Outgoing
   destination-pattern 99.T
   session target ipv4:x.x.x.x
   session protocol sipv2

[Diagram: the incoming H.323/SIP protocol stack extracts the call-related parameters from the protocol message, discards the message and updates call memory; a protocol-independent memory structure holds call state and attributes (CLID, called #, codec, …); the outgoing H.323/SIP protocol stack builds a new protocol message and inserts the call-related parameters from call memory. The demarcation point sits between the two call legs.]


Cisco Unified Border Element – More Than an SBC: An Integrated Network Infrastructure Service

[Diagram: one router hosting, alongside CUBE, VXML, SRST, an RSVP agent, Unified CM conferencing and transcoding, a gatekeeper (GK), a TDM gateway, routing, FW, IPS, QoS and the WAN interfaces]

Cisco Unified Border Element
• Address hiding
• H.323 and SIP interworking
• DTMF interworking
• SIP security
• Transcoding
Note: An SBC appliance would have only these features

TDM Gateway
• Voice and video TDM interconnect
• PSTN backup

Note: Some features/components may require additional licensing

Why do I need a session border controller? Key challenges when interconnecting UC networks ("mine" and "yours")

Interworking
• H.323 and SIP
• SIP normalization
• DTMF interworking
• Transcoding
• Codec filtering
• Fax/modem support

Security
• Encryption
• Authentication
• Registration
• SIP protection
• FW placement
• Toll fraud

Session Management
• Real-time session management
• Call Admission Control
• Ensuring QoS
• PSTN GW fallback
• Statistics and billing
• Redundancy/scalability

Demarcation
• Fault isolation
• Topology hiding
• Network borders
• L5/L7 protocol demarc
• Statistics and billing


Call Admission Control (Session Management)

• CUBE provides various different CAC mechanisms: total calls, CPU, memory, GK IP call capacity, max-connections, RSVP

Total calls, CPU, memory (high water mark / low water mark):
  call threshold global [total-calls | mem | cpu] low xx high yy

max-connections (Call #3 rejected by CUBE once Call #1 and Call #2 are up):
  dial-peer voice 1 voip
   max-conn 2

GK IP call capacity (gatekeeper and CUBE):
  gatekeeper
   endpoint circuit-id h323id IPIPGW1 AA max-calls 500

  voice service voip
   allow-connections h323 to h323
   h323
    ip circuit max-calls 1500
    ip circuit carrier-id AA reserved-calls 1000
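The high/low water-mark behaviour behind `call threshold global` and the per-dial-peer `max-conn` cap, written as an added example for this page (it is not Cisco code and does not reproduce IOS internals): once the active-call count reaches the high mark the gateway refuses new calls and keeps refusing them until the count has fallen back to the low mark, which is what stops the router from flapping in and out of busyout on every hang-up. The thresholds and call sequence below are constructed for the example.

```python
class CallThreshold:
    """Global admission control modelled on 'call threshold global total-calls low <low> high <high>':
    once the active count reaches the high mark, new calls are rejected until it drops to the low mark."""

    def __init__(self, low, high):
        if not 0 <= low < high:
            raise ValueError("need 0 <= low < high")
        self.low, self.high = low, high
        self.active = 0
        self.busyout = False          # True while the gateway is refusing new calls

    def try_admit(self):
        """Admit one call if below the high-water mark and not in busyout; return True/False."""
        if self.busyout or self.active >= self.high:
            self.busyout = True       # hitting the high mark latches the busyout state
            return False
        self.active += 1
        return True

    def release(self):
        """One call ended; leave busyout only once the count is back at the low-water mark."""
        self.active = max(0, self.active - 1)
        if self.busyout and self.active <= self.low:
            self.busyout = False


class DialPeerMaxConn:
    """Per dial-peer cap as in 'dial-peer voice 1 voip / max-conn 2': the third concurrent call is rejected."""

    def __init__(self, max_conn):
        self.max_conn, self.active = max_conn, 0

    def try_admit(self):
        if self.active >= self.max_conn:
            return False
        self.active += 1
        return True

    def release(self):
        self.active = max(0, self.active - 1)


def run_scenario(controller, events):
    """Feed 'call'/'hangup' events to a controller; return the admission result of each 'call'."""
    results = []
    for ev in events:
        if ev == "call":
            results.append(controller.try_admit())
        else:
            controller.release()
    return results


if __name__ == "__main__":
    # Constructed scenario: low 2, high 4, five call attempts then two hang-ups.
    t = CallThreshold(low=2, high=4)
    print("global threshold:", run_scenario(t, ["call"] * 5), "busyout:", t.busyout)
    print("per dial-peer max-conn 2:", run_scenario(DialPeerMaxConn(2), ["call", "call", "call"]))
```

The two controllers are checked independently here; on the router both apply, so a call must pass the global threshold and the dial-peer cap.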

Quality of Service (QoS) (Session Management)

• Requirement: ensure traffic adheres to QoS policies within each network
• The Cisco Unified Border Element can remark ToS/DSCP QoS parameters on signaling and media packets between networks

[Diagram: input interface – classify, police, mark; output interface – mark, police, queue, shape]

  dial-peer voice 100 voip
   ip qos dscp ef media
   ip qos dscp af31 signaling


SIP "Normalization" at the Network Border (Interworking)

• "Normalize" SIP traffic coming into the SP or Enterprise network at the border
• Use SIP profiles to translate messages

[Diagram: CUBEs at the borders of an enterprise, small-medium businesses (IP-PBX, Smart Business Communications System) and residential sites facing VoIP SP 1; SBCs on the SP–SP interconnect to VoIP SP 2]

SIP Profiles "Normalization" (Interworking)

• SIP profiles are a mechanism to normalize or customize SIP at the network border to provide interop between incompatible devices

Add user=phone for INVITEs

Incoming:  INVITE sip:[email protected]:5060; SIP/2.0
Outgoing:  INVITE sip:[email protected]:5060;user=phone SIP/2.0

  voice class sip-profiles 100
   request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
   request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Modify a "sip:" URI to a "tel:" URI in INVITEs

Incoming:  INVITE sip:[email protected]:5060
Outgoing:  INVITE tel:2222000020

  voice class sip-profiles 100
   request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
   request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
   request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"

More information at www.cisco.com/go/cube > Configure > Configuration Examples and TechNotes

SIP incompatibilities arise due to:
• A device rejecting an unknown header (value or parameter) instead of ignoring it
• A device sending incorrect data in SIP
• A device not implementing (or incorrectly implementing) protocol procedures
• A device expecting an optional header value/parameter, or one that can be implemented in multiple ways
• A device sending a value/parameter that must be changed or suppressed ("normalized") before it leaves/enters the enterprise to comply with policies
• Variations in the SIP standards of how to achieve certain functions
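What the two sip-profiles above actually do to a message, as an added example for this page (not Cisco code and not the IOS matching engine): each `modify` rule is a regular-expression substitution applied to the request line (`SIP-Req-URI`) or to a named header of a request of the given method. The sample INVITE and its addresses are constructed for the example, and a re-INVITE is taken here to be an INVITE whose To header already carries a tag; the real implementation may differ in regex dialect and in how it classifies requests.

```python
import re

# Constructed sample INVITE; the numbers and addresses are documentation values, not from the slide.
SAMPLE_INVITE = (
    "INVITE sip:2222000020@192.0.2.10:5060; SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:4085550100@192.0.2.20>;tag=1928301774\r\n"
    "To: <sip:2222000020@192.0.2.10>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# A rule is (method, header, pattern, replacement), mirroring
#   request <METHOD> sip-header <HEADER> modify "<pattern>" "<replacement>"
# "SIP-Req-URI" addresses the request line, as in the slide's profiles.
ADD_USER_PHONE = [
    ("INVITE",   "SIP-Req-URI", r"; SIP/2\.0", ";user=phone SIP/2.0"),
    ("REINVITE", "SIP-Req-URI", r"; SIP/2\.0", ";user=phone SIP/2.0"),
]
SIP_TO_TEL = [
    ("INVITE", "SIP-Req-URI", r"sip:(.*)@[^ ]+", r"tel:\1"),
    ("INVITE", "From",        r"<sip:(.*)@.*>",  r"<tel:\1>"),
    ("INVITE", "To",          r"<sip:(.*)@.*>",  r"<tel:\1>"),
]


def parse_message(msg):
    """Split a SIP request into (request_line, [(name, value), ...]); header order is kept."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return head[0], headers


def classify(request_line, headers):
    """Return 'REINVITE' for an INVITE inside an existing dialog (To header has a tag), else the method."""
    method = request_line.split(" ", 1)[0]
    to_values = [v for n, v in headers if n.lower() == "to"]
    if method == "INVITE" and any(";tag=" in v for v in to_values):
        return "REINVITE"
    return method


def apply_profile(msg, profile):
    """Apply every rule whose method matches, each as one regex substitution; return the rewritten message."""
    request_line, headers = parse_message(msg)
    kind = classify(request_line, headers)
    for method, header, pattern, repl in profile:
        if method != kind:
            continue
        if header == "SIP-Req-URI":
            request_line = re.sub(pattern, repl, request_line, count=1)
        else:
            headers = [(n, re.sub(pattern, repl, v, count=1) if n.lower() == header.lower() else v)
                       for n, v in headers]
    body = msg.split("\r\n\r\n", 1)[1]
    return "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


def request_line_of(msg):
    return parse_message(msg)[0]


def header_of(msg, name):
    return next(v for n, v in parse_message(msg)[1] if n.lower() == name.lower())


if __name__ == "__main__":
    print(request_line_of(apply_profile(SAMPLE_INVITE, ADD_USER_PHONE)))
    out = apply_profile(SAMPLE_INVITE, SIP_TO_TEL)
    print(request_line_of(out))
    print("From:", header_of(out, "From"))
```

Note how the `From` pattern only rewrites the bracketed URI and leaves the `;tag=` parameter untouched: that matters, because a normalization rule that clobbers dialog-identifying parameters breaks the call it was meant to fix.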


Delayed Offer to Early Offer Interworking (Interworking)

• SP SIP trunk Early Offer (EO) interconnect for enterprise apps that support only Delayed Offer (DO)
• Flow-through required for DO-EO supplementary services

Enterprise side (Delayed Offer)        CUBE        SP side (Early Offer)
  INVITE (no SDP)                 ->           ->  INVITE (Offer SDP)
  200 (Offer SDP)                 <-           <-  180/183/200 (Answer SDP)
  ACK/PRACK (Answer SDP)          ->

  Delayed: no SDP in INVITE; offer in the 200; answer in the ACK/PRACK
  Early: offer (SDP) in the INVITE; answer (SDP) in 180/183/200

Per dial-peer configuration:
  voice class codec 1
   codec preference 1 g711ulaw
   codec preference 2 …

  dial-peer voice 4 voip
   destination-pattern 321....
   voice-class codec 1
   voice-class sip early-offer forced
   session target ipv4:x.x.x.x

Global configuration also supported:
  voice service voip
   sip
    early-offer forced
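The exchange on this slide modelled end to end, as an added example that is not part of the original deck and not Cisco code: a Delayed-Offer enterprise application, a B2BUA with early-offer forced that originates the SDP offer from its codec class, and an Early-Offer-only SP trunk. The codec list, payload types and IP addresses are constructed for the example (the slide elides the second codec preference); the SP in this model accepts only G.729, so the run also shows why the enterprise ends up answering with whatever the SP already chose.

```python
# Codec class configured on the CUBE dial-peer ('voice class codec 1' on the slide);
# the second preference is assumed here, the slide elides it.
CODEC_PREFERENCE = ["g711ulaw", "g729r8"]
# Static RTP payload types and rtpmap names (RFC 3551) for the codecs used.
RTPMAP = {"g711ulaw": (0, "PCMU/8000"), "g729r8": (18, "G729/8000")}


def build_sdp(codecs, ip, port=16384):
    """Minimal SDP body offering (or answering with) the given codecs, in order."""
    pts = " ".join(str(RTPMAP[c][0]) for c in codecs)
    lines = ["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-", f"c=IN IP4 {ip}", "t=0 0",
             f"m=audio {port} RTP/AVP {pts}"]
    lines += [f"a=rtpmap:{RTPMAP[c][0]} {RTPMAP[c][1]}" for c in codecs]
    return "\r\n".join(lines) + "\r\n"


def codecs_from_sdp(sdp):
    """Read the payload types off the m=audio line and map them back to codec names."""
    by_pt = {pt: name for name, (pt, _) in RTPMAP.items()}
    for line in sdp.splitlines():
        if line.startswith("m=audio"):
            return [by_pt[int(pt)] for pt in line.split()[3:] if int(pt) in by_pt]
    return []


def sp_side(invite_sdp, supported=("g729r8",)):
    """Early-Offer-only SP trunk: needs an offer in the INVITE; answers with the first common codec."""
    if invite_sdp is None:
        return 488, None                       # 488 Not Acceptable Here: nothing to answer
    common = [c for c in codecs_from_sdp(invite_sdp) if c in supported]
    return (200, build_sdp([common[0]], ip="198.51.100.1")) if common else (488, None)


def enterprise_side(offer_sdp, supported=("g711ulaw", "g729r8")):
    """Delayed-Offer enterprise app: it sent INVITE without SDP and answers the offer carried in the 200 OK."""
    common = [c for c in codecs_from_sdp(offer_sdp) if c in supported]
    return build_sdp([common[0]], ip="192.0.2.10") if common else None


def cube_call(early_offer_forced):
    """Run one DO->EO call through the B2BUA. Returns (trace, negotiated_codec)."""
    trace = [("ENT->CUBE", "INVITE (no SDP)")]
    # 'early-offer forced': CUBE originates an offer from its codec class on the SP leg.
    offer = build_sdp(CODEC_PREFERENCE, ip="203.0.113.5") if early_offer_forced else None
    trace.append(("CUBE->SP", "INVITE (Offer SDP)" if offer else "INVITE (no SDP)"))
    status, answer = sp_side(offer)
    trace.append(("SP->CUBE", f"{status}" + (" (Answer SDP)" if answer else "")))
    if status != 200:
        trace.append(("CUBE->ENT", f"{status}"))
        return trace, None
    # The SP's answer is re-originated towards the enterprise as the offer in the 200 OK,
    # so the enterprise can only answer with the codec the SP already accepted.
    trace.append(("CUBE->ENT", "200 OK (Offer SDP)"))
    ent_answer = enterprise_side(answer)
    if ent_answer is None:
        trace.append(("CUBE->SP", "BYE"))      # offer/answer failed on the enterprise leg
        return trace, None
    trace.append(("ENT->CUBE", "ACK (Answer SDP)"))
    trace.append(("CUBE->SP", "ACK"))
    return trace, codecs_from_sdp(ent_answer)[0]


if __name__ == "__main__":
    for forced in (False, True):
        trace, codec = cube_call(forced)
        print(f"early-offer forced={forced}: negotiated={codec}")
        for hop, msg in trace:
            print(f"  {hop:<9} {msg}")
```

Without `early-offer forced` the SP leg gets an INVITE with no SDP and the call fails at the trunk; with it, the B2BUA has to carry the SP's answer back as the enterprise's offer, which is why flow-through (not flow-around) is needed for the supplementary services the slide mentions.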

Media Transcoding (Interworking)

• Cisco Unified Border Element supports universal transcoding
  – Any voice codec to any other codec, e.g. iLBC to G.711 or iLBC to G.729
  – Voice transcoding only (not video)
• Transrating (different packetizations)
  – Supported: transrating of different codecs, e.g. G.711 a-law 20ms ↔ G.711 µ-law 10ms, G.711 20ms ↔ G.729A 30ms
  – Not supported: transrating of the same codec, e.g. G.729A 20ms ↔ G.729A 30ms

[Diagram: enterprise VoIP (IP phones: G.711, G.729, G.722) through CUBE to the SP VoIP / Internet side (iLBC, iSAC, Speex); transcoding: G.711, G.723.1, G.726, G.728, G.729/a, iLBC, G.722]

Supported codecs* by release:
• G.711 a-law 64 Kbps
• G.711 µ-law 64 Kbps
• G.723 5.3 and 6.3 Kbps
• G.729, G.729A 8 Kbps
• G.729B, G.729AB 8 Kbps
• iLBC 13.3 and 15.2 Kbps
• G.722 64 Kbps
Releases shown: 12.4(11)XW and 12.4.20T; 12.4(15)XY and 12.4.20T (listed with G.722)

*Note: Only voice codecs are supported with transcoding; no video codecs


Demarcation at Network Borders

• SP UNI
• Codec choice/negotiation
• Fault isolation
• Security
• QoS marking
• Voice quality statistics and billing

[Diagram: CUBE at the border between the enterprise H.323 and SIP networks (IP-PBX, CTS, MeetingPlace), E-partner IP-PBXs and the service provider SBC]

Topology/Address Hiding (Demarcation)

• Requirements
  – Maintain connectivity without exposing the IP network details
  – Interconnect networks that have overlapping IP addresses
• B2BUA provides complete topology hiding on signaling and media
  – Maintains security and operational independence of both networks
  – Provides implicit NAT service by substituting Cisco Unified Border Element IP addresses on all traffic

[Diagram: Site A (inside, 192.168.10.x/24, hosts 192.168.10.10 and 192.168.10.50) – CUBE 172.16.10.5 – outside 172.16.10.x/24 – CUBE 172.16.10.6 – Site B (inside, 192.168.10.x/24, hosts 192.168.10.10 and 192.168.10.50)]


CUBE Security Protection Points (Security)

[Diagram: ingress and egress hardware LAN/WAN interfaces; IOS infrastructure (ACLs, FW, IPS, VPN); TCP/UDP/TLS transports; SIP/H.323 protocol stacks; dial-peers; voice application code with L7 protocol-independent memory structures holding call state and attributes (CLID, called #, codec, …); RTP library, DSP API and DSP hardware for DTMF translation, codec filtering and transcoding control]

DoS
• B2BUA – L7 inspection
• Call volume/BW limiting (CAC)
• Call codec limiting
• SIP malformed inspection
• SIP listen port configuration
• RTP malformed
• Topology hiding
• Co-resident IOS: ACLs, FW, IPS

Identity / Service Theft
• SIP digest authentication
• SIP hostname validation
• SIP trunk register
• CDR
• Toll fraud
• Co-resident IOS: ACLs, COR

Privacy
• SIP header manipulation
• Authentication and encryption (media) – SRTP
• Authentication and encryption (signaling) – TLS
• Co-resident IOS: all VPN features

SIP Protection (Security)

Digest Authentication
• SIP proxy challenges INVITEs from the Cisco Unified Border Element to check endpoint validity with 401 Unauthorized
• The Cisco Unified Border Element responds with INVITE including credentials

  CUBE -> Proxy: INVITE [From: <[email protected]>]
  Proxy -> CUBE: 100 Trying
  Proxy -> CUBE: 401 Unauthorized
  CUBE -> Proxy: INVITE [Authorization: name, passwd]
  Proxy -> CUBE: 100 Trying
  Proxy -> CUBE: 200 OK

  sip-ua
   authentication username xxx password yyy

Hostname Validation
• Initial INVITEs with a hostname URI are compared to a configured list of up to 10 hostnames
• If there is no match for the INVITE, the Cisco Unified Border Element returns a "400 Bad Request – Invalid Host"

  sip-ua
   permit hostname dns:example1.sip.com
   permit hostname dns:example2.sip.com
   permit hostname dns:example3.sip.com
   permit hostname dns:example4.sip.com
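Both protections on this slide, worked through as an added example that is not Cisco code: the digest challenge/response between the border element and the SP proxy (the MD5 digest SIP inherits from HTTP, without qop), and the Request-URI hostname check against a permit list of at most ten names that fails with "400 Bad Request - Invalid Host". The realm, username, password and the permitted hostnames are the slide's own values; the nonce, the proxy model and the URIs are constructed for the example, and an IP-literal host is assumed to bypass the hostname check because the slide describes it for hostname URIs only.

```python
import hashlib
import hmac
import ipaddress
import re


# ---------------------------------------------------------------- Digest Authentication
def digest_response(username, realm, password, method, uri, nonce):
    """MD5 digest 'response' as SIP inherits it from HTTP digest (RFC 2617 style, no qop)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class ToyProxy:
    """SP-side proxy: challenges every INVITE with 401, then verifies the retried INVITE."""

    def __init__(self, realm, users, nonce):
        self.realm, self.users, self.nonce = realm, users, nonce   # users: {username: password}

    def handle_invite(self, uri, authorization=None):
        if authorization is None:
            return 401, {"WWW-Authenticate": f'Digest realm="{self.realm}", nonce="{self.nonce}"'}
        expected = digest_response(authorization["username"], self.realm,
                                   self.users.get(authorization["username"], ""),
                                   "INVITE", uri, self.nonce)
        ok = (authorization["nonce"] == self.nonce
              and hmac.compare_digest(authorization["response"], expected))  # constant-time compare
        return (200, {}) if ok else (403, {})


def cube_invite(proxy, uri, username, password):
    """Border-element side of the slide's flow ('sip-ua / authentication username ... password ...'):
    INVITE -> 401 -> INVITE with Authorization. Returns the final status code."""
    status, hdrs = proxy.handle_invite(uri)
    if status != 401:
        return status
    challenge = hdrs["WWW-Authenticate"]
    realm = re.search(r'realm="([^"]*)"', challenge).group(1)
    nonce = re.search(r'nonce="([^"]*)"', challenge).group(1)
    auth = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(username, realm, password, "INVITE", uri, nonce)}
    status, _ = proxy.handle_invite(uri, auth)
    return status


# ---------------------------------------------------------------- Hostname Validation
MAX_PERMITTED_HOSTNAMES = 10       # the slide: a configured list of up to 10 hostnames
PERMITTED = ["example1.sip.com", "example2.sip.com", "example3.sip.com", "example4.sip.com"]


def validate_request_uri_host(request_line, permitted=PERMITTED):
    """Check an initial INVITE's Request-URI host against the permit list; return (accepted, reason).
    An IP-literal host is not a hostname URI and is assumed to pass through unchecked."""
    if len(permitted) > MAX_PERMITTED_HOSTNAMES:
        raise ValueError("at most 10 permitted hostnames")
    m = re.fullmatch(r"INVITE\s+sips?:(?:[^@\s]+@)?([^\s:;?>]+)(?::\d+)?[^\s]*\s+SIP/2\.0",
                     request_line)
    if not m:
        return False, "400 Bad Request - Invalid Host"
    host = m.group(1)
    try:
        ipaddress.ip_address(host)
        return True, "IP-literal host, not subject to hostname validation"
    except ValueError:
        pass
    if host.lower() in {h.lower() for h in permitted}:
        return True, "host permitted"
    return False, "400 Bad Request - Invalid Host"


if __name__ == "__main__":
    proxy = ToyProxy("cisco.com", {"1001": "cisco"}, nonce="constructed-nonce-1")
    print("good credentials ->", cube_invite(proxy, "sip:2000@example1.sip.com", "1001", "cisco"))
    print("bad credentials  ->", cube_invite(proxy, "sip:2000@example1.sip.com", "1001", "wrong"))
    for line in ("INVITE sip:2000@example2.sip.com SIP/2.0",
                 "INVITE sip:2000@other.example.net SIP/2.0"):
        print(line, "->", validate_request_uri_host(line))
```

The nonce is fixed here for reproducibility; a real proxy issues a fresh one per challenge, and that freshness is what keeps a captured Authorization header from being replayed later.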


SIP Protection (Security)

SIP Listening Port
• Default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS)
• These ports are well-known and can be the target of attacks
• Change the SIP listen port to a different setting that is not well-known

  voice service voip
   sip
    shutdown

  voice service voip
   sip
    listen-port non-secure 2000 secure 2050

Registration
• The Cisco Unified Border Element can send SIP REGISTER messages with credentials to a proxy
• Register statically on behalf of endpoints behind the Cisco Unified Border Element that do not register

  x(config)#sip-ua
  x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com

  sip-ua
   registrar ipv4:172.16.193.97 expires 3600
   credentials username 1001 password 0822455D0A16 realm cisco.com

Toll Fraud – ACLs, Dial-Peers (Security)

• Use ACLs to allow/deny explicit sources of calls
• Apply explicit incoming and outgoing dial-peers to both CUBE interfaces to control the types and parameters of calls allowed on the network
• Use explicit destination-patterns on dial-peers (not .T) to block disallowed off-net call destinations
• Use translation rules to ensure only valid calling/called numbers are allowed
• Use Tcl/VXML scripts to do database lookups or additional checks to allow/deny call flows
• Change the SIP port to something other than 5060
• Close unused H.323/SIP ports
• Disable secondary dial-tone on TDM ports

[Diagram: enterprise side 192.168.10.10 <-> CUBE <-> SP VoIP side 172.16.10.6, incoming and outgoing dial-peers on each interface; is this a valid call flow to allow?]

Enterprise-facing interface:
  access-list 1 permit 192.168.10.0 0.0.0.255
  access-list 100 deny … (everything else)
  Explicit incoming and outgoing dial-peers

SP-facing interface:
  access-list 2 permit 172.16.10.0 0.0.0.255
  access-list 200 deny … (everything else)
  Explicit incoming and outgoing dial-peers
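The dial-peer matching from the basic call flow slide and the toll-fraud controls on this slide, combined in one added example that is not Cisco code and does not reproduce IOS's matching rules in full: a wildcard-mask ACL on the signaling source, inbound dial-peer selection by called number, a calling-number gate standing in for a translation rule, and an explicit outbound destination-pattern. The ACL addresses are the slide's; the DID block, the dial-peers and the called numbers are constructed, and the "loose" configuration shows what the `.T` destination-pattern the slide warns against lets through.

```python
import ipaddress
import re


# ---- IOS-style standard ACL with wildcard masks --------------------------------------
def wildcard_to_network(addr, wildcard):
    """'192.168.10.0 0.0.0.255' -> 192.168.10.0/24 (contiguous wildcard masks only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                        # 0.0.0.255 -> 255; 255 & 256 == 0 means contiguous
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def acl_permits(acl, src_ip):
    """acl: ordered [('permit'|'deny', network)]; first match wins, implicit deny at the end."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


# ---- dial-peer pattern matching --------------------------------------------------------
def pattern_to_regex(pattern):
    """IOS dial-peer patterns: '.' = one digit, 'T' = any further digits (variable length),
    '[2-9]' ranges pass through, everything else is literal."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == ".":
            out += r"\d"
        elif ch == "T":
            out += r"\d*"
        elif ch == "[":
            j = pattern.index("]", i)
            out += pattern[i:j + 1]
            i = j
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out)


def best_match(dial_peers, key, number):
    """Matching dial-peer with the most explicit pattern (fewest wildcards), or None."""
    hits = [dp for dp in dial_peers if key in dp and pattern_to_regex(dp[key]).fullmatch(number)]
    return min(hits, key=lambda dp: sum(dp[key].count(w) for w in ".T")) if hits else None


def admit_call(cfg, src_ip, calling, called):
    """Apply the slide's controls in order: ACL, inbound dial-peer, calling-number rule,
    explicit outbound dial-peer. Returns (allowed, reason)."""
    if not acl_permits(cfg["acl"], src_ip):
        return False, f"ACL denies signaling source {src_ip}"
    if best_match(cfg["dial_peers"], "incoming_called_number", called) is None:
        return False, "no inbound dial-peer matches the called number"
    if not re.fullmatch(cfg["valid_calling"], calling):
        return False, f"calling number {calling} is not a valid enterprise number"
    out = best_match(cfg["dial_peers"], "destination_pattern", called)
    if out is None:
        return False, f"no outbound dial-peer for {called}; off-net destination blocked"
    return True, f"routed via dial-peer {out['id']} to {out['session_target']}"


# Constructed configuration using the slide's addresses; the DID block and patterns are assumed.
STRICT_CFG = {
    "acl": [("permit", wildcard_to_network("192.168.10.0", "0.0.0.255")),
            ("permit", wildcard_to_network("172.16.10.0", "0.0.0.255"))],
    "valid_calling": r"408555\d{4}",                     # stands in for a translation rule
    "dial_peers": [
        {"id": 1, "incoming_called_number": ".T", "session_target": "ipv4:192.168.10.50"},
        {"id": 2, "destination_pattern": "1[2-9]..[2-9]......", "session_target": "ipv4:172.16.10.6"},
        {"id": 3, "destination_pattern": "2...", "session_target": "ipv4:192.168.10.50"},
    ],
}
# The same, but with the '.T' destination-pattern the slide warns against.
LOOSE_CFG = dict(STRICT_CFG, dial_peers=STRICT_CFG["dial_peers"][:1] + [
    {"id": 9, "destination_pattern": ".T", "session_target": "ipv4:172.16.10.6"}])


if __name__ == "__main__":
    calls = [("192.168.10.10", "4085550100", "14085551234"),
             ("10.9.9.9",      "4085550100", "14085551234"),
             ("192.168.10.10", "5555550100", "14085551234"),
             ("192.168.10.10", "4085550100", "011442071234567")]
    for name, cfg in (("strict", STRICT_CFG), ("loose", LOOSE_CFG)):
        for src, clg, cld in calls:
            print(name, src, clg, "->", cld, admit_call(cfg, src, clg, cld))
```

The last call in the list is the interesting one: the strict configuration has no dial-peer for an international destination and rejects it, while the `.T` pattern routes it to the SP without any further check, which is exactly the gap toll fraud exploits.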


Deployment Options

Centralized/Aggregated SIP Trunk Model
• CUBE at central location
• Single SIP trunk IP address to SP
• All remote site calls hairpin through the campus site where the SIP trunk terminates

[Diagram: branches over MPLS to the HQ CUBE, which connects to the SP VoIP SBC and the PSTN; RTP flows branch–HQ and HQ–SP]


Distributed SIP Trunk Model
• CUBE at each site
• SIP trunk IP address per site
• Calls flow directly from site to SP

[Diagram: a CUBE at each site, over MPLS to the SP VoIP SBC and the PSTN; RTP flows site–SP]

Agenda
• SIP Trunk Reference Architecture
• SIP Trunk Enterprise Connection Models
• SIP Trunk Deployment Topologies
  – SMB
  – Enterprise
• Recommended SBC Solutions and Best Practices


SMB Deployment Models: SIP Managed Voice Services

• SIP Trunk Model
  – Managed services (transparent to end customer)
  – Distributed (every site has a connection)
  – Redundancy: none
  – Capacity: <50 sessions
• Border Element
  – SIP TDM GW
  – IAD with FW/NAT
  – IAD with CUBE-"light"
  – CME with integrated SIP trunking

[Diagram: VoIP SP 1 delivering a TDM PBX interconnect, a managed IP-PBX (SP-owned), customer-owned FXS commercial managed voice services, and an IP-PBX interconnect]

Small Enterprise Deployment Models: CME and CUCM

[Diagram: CME centralized, CME distributed, CUCM centralized and CUCM distributed topologies, each with CUBE (and SRST at remote sites) facing VoIP SP 1]


Small Enterprise Deployment Models: CME or CUCM

• SIP Trunk Model
  – Centralized – typically used when:
    • Cost benefits can be shown
    • SIP SP is different from WAN provider
  – Distributed – typically used when:
    • Survivability is important
    • SIP SP is the same as WAN (often MPLS) provider
  – Redundancy: none
  – Capacity: <200 sessions
• Border Element
  – CME with integrated SIP trunking
  – Medium-range standalone CUBE or integrated SRST/CUBE
• SRNDs: www.cisco.com/go/interoperability > CUBE

Medium and Large Enterprise Deployment Models: Multi-Site and Multi-Cluster CUCMs

[Diagram: multi-site CUCM centralized (hybrid), multi-site CUCM distributed, and multi-cluster multi-site CUCM topologies; remote sites with SRST; CUBE (Ent) distributed, or CUSP+CUBE centralized (hybrid), facing the VoIP SP 1 SBCs]


Other Enterprise Deployment Models: IP-PBX and TDM-PBX

[Diagram: IP-PBX centralized and distributed, TDM-PBX centralized and distributed (with gatekeepers), each with CUBE facing VoIP SP 1]

Medium and Large Enterprise Deployment Models

• SIP Trunk Model
  – Centralized – typically used when:
    • Cost benefits can be shown
    • SIP SP is different from WAN provider
  – Distributed – typically used when:
    • Survivability is important
    • SIP SP is the same as WAN (often MPLS) provider
    • Geographic considerations
  – Redundancy: generally must-have
  – Capacity:
    • Medium Enterprise: 500-1500 sessions at campus/data center sites
    • Large Enterprise: 1500-5000 sessions at campus/data center sites
    • Very Large Enterprise: 5000+ sessions at campus/data center sites
    • 10-100 in remote sites
• Border Element
  – Medium-Large Campus/Data Center: CUSP+CUBE cluster or CUBE on ASR
  – Large-Very Large Campus/Data Center: CUBE on ASR
  – Remote sites: high-end standalone CUBE; integrated SRST/CUBE
• SRNDs: www.cisco.com/go/interoperability > CUBE


Agenda

� SIP Trunk Reference Architecture

� SIP Trunk Enterprise Connection Models

� SIP Trunk Deployment Topologies

� Recommended SBC Solutions and Best Practices
– SBC Product Positioning
– Determining an SBC Recommendation
– SBC Redundancy Options
– CUCM Best Practices
– SBC Best Practices


Cisco Unified Border Element Portfolio

[Chart: platforms plotted by session capacity and calls per second (CPS). CUBE (Ent): 2800 ISR, 3800 ISR, AS5000XM, 7200VXR (7201, 7301), ASR 1000 Series. CUBE (SP): 7600, at 50,000 sessions per blade and 250,000 per system.]

Cisco Unified Border Element (Service Provider Edition) provides SBC features for carrier class service provider implementations

Cisco Unified Border Element (Enterprise Edition) provides SBC features for enterprise implementations


CUBE (Enterprise Edition) Portfolio

[Chart: CUBE (Ent) platforms plotted by session capacity and CPS, in ascending order: 2800 ISR, 3800 ISR, AS5000XM, 7200VXR (7201, 7301), ASR 1000 Series. Session capacity marks on the chart: <250, 500-800, 5000+. CPS marks: <5, 8-12, 50+.]


Large-Scale SIP Trunks

[Diagram: three ways of placing the SBC between the CUCM SIP trunk and the SP SIP trunk: a single CUBE on an ISR; a CUBE cluster fronted by CUSP (CUBE + CUSP); and CUBE (Ent) on an ASR.]


CUBE (Ent) Solution Advantages (subject to change)

ISR
• Collocated features: TDM GW, Tcl / VXML
• Additional collocated features: SRST, MTP, IOS FW
• T.38 fax, H.323, Video/TP
• DSP features: Transcoding, In-band tone DTMF, Transrating (upcoming), Voice quality scoring (upcoming)
• GK Support
• Cost-effective geographic (1+1 and N+1) redundancy

5350XM/5400XM
• Collocated features: TDM GW, Tcl / VXML
• T.38 fax, H.323 Support, Video/TP
• DSP features: Transcoding, In-band tone DTMF, Transrating (upcoming), Voice quality scoring (upcoming)
• GK Support
• Cost-effective geographic (1+1 and N+1) redundancy
• Footprint (5350XM 1RU)

ASR1002/4/6
• Scalability
• Inbox redundancy
  • ASR1002/4: SW failover with media preservation
  • ASR1006: HW failover with media preservation
• Footprint (2/4/6 RU)


Summary SIP Trunk Sizing Recommendations (subject to change)

Enterprise Size | SIP Trunk Sessions | Redundancy Recommendation | Platform Recommendation
Small           | <100               | None                      | Single 2811, 2901
Small           | 100-200            | None                      | Single 2851, 2911
Small           | 200-500            | None                      | Single 3845, 2951
Medium          | 500-1000           | Optional                  | No redundancy: Single 3945; Redundancy: Dual 3945
Large           | 1000-2000          | Must-have                 | Inbox redundancy: Single ASR1002; Geo redundancy: Dual ASR1002 or future ISR G2*
Large           | 2000-4000          | Must-have                 | Inbox redundancy: Single ASR1004/6 RP2; Geo redundancy: Dual ASR1004/6 RP2
Very Large      | 4000+              | Must-have                 | Inbox redundancy: Single ASR1006 RP2; Geo redundancy: Dual ASR1006 RP2

*Future: 1H 2010 3945 with new SPE-xxx


Redundancy Options: None

� Aggregate SBC capacity is equal to trunk capacity
– E.g. 4 boxes @ 500 each = 2000 session SIP trunk
– Full trunk capacity guaranteed only when ALL boxes are up

� Failure impact – single-box solution:
– All connections dropped; SIP trunk out of service
– No new calls until recovery

� Failure impact – multiple box solution:
– % of connections dropped
– New calls handled with reduced SIP trunk capacity

[Diagram: a single CUBE, and a row of CUBEs, between the call agent (A) and the SIP SP]


Redundancy Options: 1+1

� Active/Standby (HSRP)
– HSRP can work for intra-enterprise solutions, but is not recommended for SP SIP trunks

� Active/Active (Load balancing)
– Special case of N+1 redundancy (next slide)
– SP SIP trunks usually offer only 2 IP addresses – if more than 2 boxes are needed to guarantee SIP trunk session capacity, then a CUSP+CUBE solution is recommended

� Local/Geographic Considerations
– HSRP provides local redundancy only
– Load-balancing Act/Act can provide local or geographic redundancy

� Failure impact:
– All existing connections on failed box are dropped; no stateful failover
– New calls are immediately handled with full SIP trunk capacity

[Diagram: an Active/Active pair and an Active/Standby pair of CUBEs between the call agent (A) and the SIP SP]


Redundancy Options: Inbox

� SW Inbox redundancy: ASR1002 + ASR1004
� HW Inbox redundancy: ASR1006
– Control plane (CPU or RP)
– Data/Forwarding plane (packet forwarding)

� Failure impact – CUBE (Ent):
– Media preservation for existing calls
– New calls handled immediately with full SIP trunk capacity

[Diagram: ASR1006 with dual control plane HW (CPU) and dual forwarding plane HW; ASR1002/4 with an active OS and a standby OS in one chassis; each sits between the call agent (A) and the SIP SP]


N+1 and N+M Redundancy Options

� CUBEs can be ISRs or ASRs

� Local or Geographic redundancy
– CUBEs can be distributed across sites as needed

� Use a load balancing algorithm in the attached call agent (or use DNS or CUSP) to distribute calls over pool of CUBEs

� Failure impact:
– New calls are handled immediately with full SIP trunk capacity

[Diagram: a pool of CUBEs between the call agent (A) and the SIP SP, optionally fronted by CUSP]
– No, or 1+1, redundancy on CUSP
– N routers to guarantee session capacity
– M routers to protect against M simultaneous failures


CUCM Best Practices

� CUCM 6.x or 7.x recommended for SIP trunking
– H.323 CUCM interconnects to SIP trunks not recommended

� H.323 or SIP SBC interconnects with non-Cisco IP-PBX or TDM-PBXs can be used

� CUCM Configuration
– Delayed Offer (no MTP) for CUCM outbound calls
– Early Offer (no MTP) for inbound calls to CUCM
– SBC performs the Delayed Offer to Early Offer interworking

� Configure alternate PSTN routing if SIP trunk is down
– Recommend not to remove TDM PSTN GWs until after a SIP trunk has been proven in

� If transcoding is required
– CUCM-controlled transcoding is the more flexible option for SBC engineering purposes
– SBC transcoding is more flexible in codec combinations


CUBE (Ent) Best Practices (1)

� Always discuss the trade-offs of centralized and distributed SIP trunk design

� Always try to do a POC of a SIP trunk connection

� MTPs:
– Avoid MTP designs if possible; if not, collocate MTPs with CUBE (Ent) to optimize the media path

� Integrated or dedicated CUBE (Ent)
– At the low end (<500 sessions), MTP, VXML, FW and SRST are easily integrated with CUBE (Ent)
– At >1000 sessions, it's often better to dedicate platforms to each function

� CUBE (Ent) Performance Engineering
– H.323-SIP vs. SIP-SIP makes no significant difference
– DTMF interworking or DO-EO adds no significant extra load
– SIP profiles and Tcl tend to be fairly "light" on the CPU, but this is configuration dependent
– MTP, transcoding and SRTP-RTP conversion are CPU-intensive


CUBE (Ent) Best Practices (2)

� Use SIP registration on the trunk if the SP offers it; a trunk that authenticates with digest credentials is harder to abuse than one that accepts INVITEs from any source

� Define explicit incoming and outgoing dial-peers; calls that match no incoming dial-peer fall through to the default dial-peer 0, which applies none of your restrictions

� Deploy IOS UC features and techniques to mitigate toll-fraud (trusted source-address lists, calling restrictions)
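The following IOS configuration is an added example, written for this page and not taken from the deck or from Cisco documentation. It shows the three practices on this slide (trunk registration, explicit incoming and outgoing dial-peers, toll-fraud mitigation) together with the two-address SP trunk from the redundancy slides (two outbound dial-peers to the SP with OPTIONS keepalive) and the Delayed Offer to Early Offer interworking from the CUCM best practices. Every address, interface name, realm, credential and dial plan in it is an assumption; the `ip address trusted` commands arrived in IOS 15.1(2)T, after this 2009 deck, so older CUBE images will not accept them.

```ios
! Added example (not from the deck). Assumed values:
!   SP SBC addresses: 203.0.113.10 and 203.0.113.11 (the two addresses the SP hands out)
!   SP registrar: sip.example.net, digest user trunk01 / password ChangeMe
!   CUCM: 10.0.0.5 behind GigabitEthernet0/1; GigabitEthernet0/0 faces the SP
!   Enterprise DID range: 1555123xxxx

voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8

! Classify incoming INVITEs by the address in the top Via header, so each
! side lands on its own incoming dial-peer instead of a catch-all
voice class uri SP sip
 host ipv4:203.0.113.10
 host ipv4:203.0.113.11
voice class uri CUCM sip
 host ipv4:10.0.0.5

voice service voip
 ! Toll-fraud mitigation (IOS 15.1(2)T and later): INVITEs whose source
 ! address is not in the list are rejected before any dial-peer is matched
 ip address trusted authenticate
 ip address trusted list
  ipv4 203.0.113.10 255.255.255.255
  ipv4 203.0.113.11 255.255.255.255
  ipv4 10.0.0.5 255.255.255.255
 allow-connections sip to sip
 sip
  ! Default binding is the SP-facing interface; CUCM-facing dial-peers override it
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  ! CUBE performs the Delayed Offer to Early Offer interworking towards the SP
  early-offer forced

sip-ua
 ! Trunk registration: the SP challenges REGISTER and INVITE with these digest
 ! credentials, so the trunk identity cannot be used by an unauthenticated peer
 credentials username trunk01 password 0 ChangeMe realm sip.example.net
 authentication username trunk01 password 0 ChangeMe
 registrar dns:sip.example.net expires 3600

! Incoming dial-peers: one per trusted side
dial-peer voice 100 voip
 description INBOUND from SP SIP trunk
 session protocol sipv2
 incoming uri via SP
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad

dial-peer voice 101 voip
 description INBOUND from CUCM
 session protocol sipv2
 incoming uri via CUCM
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad

! Outgoing to the SP: one dial-peer per SP address. OPTIONS keepalive marks a
! dead SP SBC as down so new calls hunt to the second address at once.
dial-peer voice 200 voip
 description OUTBOUND to SP primary
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.10
 voice-class sip options-keepalive up-interval 60 down-interval 30 retry 3
 preference 0
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad

dial-peer voice 201 voip
 description OUTBOUND to SP secondary
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.11
 voice-class sip options-keepalive up-interval 60 down-interval 30 retry 3
 preference 1
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad

! Outgoing to CUCM: only the enterprise DID range is routable inbound
dial-peer voice 300 voip
 description OUTBOUND to CUCM
 destination-pattern 1555123....
 session protocol sipv2
 session target ipv4:10.0.0.5
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
```

Two caveats a practitioner should keep in mind. The trusted list only filters by source address: a compromised phone, voicemail port or application behind the trusted CUCM can still dial out, so CUCM partitions and calling search spaces must restrict premium and international numbers independently. And failover between dial-peers 200 and 201 protects against the SP side going away; if this CUBE itself fails, every call on it is dropped, which is the "no stateful failover" point made on the 1+1 redundancy slide.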


CUBE (Ent) Best Practices (3)

� CUBE (Ent) and FW placement
– Campus/Data center sites: Place CUBE (Ent) behind the FW
– Remote/small sites: Enable IOS FW integrated on CUBE (Ent)

� Redundancy Best Practices
– Centralized SIP trunking: Redundancy always recommended, regardless of session capacity
– Distributed SIP trunking: Redundancy recommended at sites with >1000 sessions