Transcript
SIP Trunking for IP PSTN Access
Peter Sakala
[email protected]
© 2009 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
What is a SIP Trunk? A sampling of Views/Definitions
Single IP based interconnect for voice and data using SIP
SIP trunking is the IP equivalent of the digital/analog TDM connection that traditionally connected a PBX to the PSTN
The logical session or channel established between a carrier and customer
– (Porting PSTN phone number to IP address)
A SIP Trunk service can be either
– Managed – SP provides CPE equipment to monitor and guarantee SLAs in addition to basic voice services
– “un”Managed – Similar to an analog phone line – provides basic voice services
Any SIP-based “connection” between two applications
– Intra-enterprise: Between applications, e.g. MPlace to CUCM, or between different zones or departments within a company
– Enterprise to SP: PSTN Access
– B2B Inter-Enterprise: Between companies (e.g. Disney and Apple)
Unified Communications Content Mapping (diagram): SIP Trunk for PSTN Access via CUBE. Labels: SMB (CUBE), Enterprise: Centralized SIP Trunk (one CUBE toward the VoIP SP), Enterprise: Distributed SIP Trunk (CUBE at each site), IP-PBX behind the enterprise CUBE, VoIP SP.
SIP Trunk Industry Update
Industry Trends in “SIP Trunk for PSTN”
Significant uptick in enterprise customer interest in SIP trunking
– Numerous trial deployments
– Increasing production deployments, mostly on low session counts
Video/SIP trunking for TelePresence offerings becoming available
– ATT, TATA
– Increased interest in SIP trunk security features – FW, SRTP/TLS encryption, DOS attack mitigation
Increased interest in SIP normalization/manipulation as industry-wide vendor/application interop continues to be problematic
– SIP maturity is still some years off
– Increasing interest in 3rd party PBX interop with Cisco SIP trunking solution – while we should position CUCM whenever possible, the PBX Interop lab does test CUBE with various IP-PBXs to provide interop info when required
Increased incidences of toll fraud on SIP
SIP Trunking – Growth and Impeding Factors
Growth factors:
– Can be cheaper
– Physical access more versatile
– Capacity changes more dynamic
– Equipment consolidation
– Operational consolidation
– Improved redundancy
– New rich-media services
– Vendor/SP advocates
– Industry hype/pressure
Impeding factors:
– Immature PSTN-equivalent services: 911 / 112, Fax/Modem, MLPP, MCID, Fault monitoring/isolation
– Number portability
– Poorly understood legal and geographical implications
– Inconsistent service delivery – Call-ID, recording
– Unregulated service – Requires in-depth evaluation – Costs vary significantly based on geography and SP
Current SP SIP Trunk Services Compared to TDM Services

Consideration | SIP Trunk | TDM Trunk
Basic call completion | Well defined | Well defined
Suppl. services (Xfer, FWD, Hold, Conf) | Requires validation testing | Well defined
Fault Monitoring and Isolation | Options: PING monitoring | Yellow/Red Alarms
Emergency Call (911) Handling | Special handling per SP | Well defined
Malicious Call-ID (MCID) and Multi-level Priority and Preemption (MLPP) | Not defined | Well defined
Caller-ID delivery | Inconsistent | Consistent
Voice Band Data | Modems/Baudot TDD ill-defined or unsupported | Well defined
Fax Technology | Industry interop issues | Well defined
Deterministic traffic engineering (How are bursts handled? Who sends back equipment busy, enterprise or SP? Who provides announcements?) | SP dependent | Well defined
Porting numbers | Within single SP control | Well defined
Geographic and legal dependencies of call routing | Independent of geography but not of legislation | Geographically dependent
Future rich media services | Great potential | No
Cost to enterprise for service | Inconsistent | Well defined
Flexibility of call routing; site aggregation | Very flexible | SP dependent
Security considerations | IP considerations; toll fraud | Toll fraud
Future SIP Trunk Services
Technology possibilities of new features
– Wideband codecs
– Video and Telepresence
– Presence
– SRTP/TLS
– Calls with subject lines
– Fixed Mobile Convergence (different endpoints)
Customer requests for additional voice services
– Security (SRTP/TLS)
– Fax
Industry currently working to get voice established
– Most SPs have not discussed or unveiled plans for services beyond voice
SIP Trunk Deployment Scenarios and Recommendations
Agenda
SIP Trunk Reference Architecture
SIP Trunk Enterprise Connection Models
SIP Trunk Deployment Topologies
Recommended SBC Solutions and Best Practices
Reference SIP Trunking Architecture (diagram)
SP network: SIP Proxy / Softswitch, NMS and OSS, Services (Presence, VM etc), Signaling ITP, Media GW to the PSTN, and an SBC at the SP edge.
The SIP trunk (signaling and bearer) crosses the SP Network | Customer Premise boundary; the trunk may be SP-managed.
Customer premise: a CUBE with FW/NAT ALG at each site, connecting CUCM, CUCME, SBCS, an IP PBX or a TDM PBX.
Agenda
SIP Trunk Reference Architecture
SIP Trunk Enterprise Connection Models
– Levels of Managed Services
– Dedicated / Integrated Voice + Data
– Centralized / Distributed Trunking
SIP Trunk Deployment Topologies
Recommended SBC Solutions and Best Practices
SIP Trunk SP Service Models: SIP Trunk Service with L3 Router Demarc
Managed access service providing an IP trunk between the SP network and a customer’s IP-enabled call agent.
(Diagram labels: Service Provider Owned: VoIP SP, SBC, SIP Trunk; Customer Premises; Enterprise Owned: CUBE, CUCM, CUCME, SBCS, IP PBX.)
SIP Trunk SP Service Models: SIP Trunk Service with L7 SBC Demarc
Managed access service providing an IP trunk between the SP network and a customer’s IP-enabled call agent.
(Diagram labels: Service Provider Owned: VoIP SP, SIP Trunk, SBC; Customer Premises; Enterprise Owned: CUBE, CUCM, IP PBX.)
SIP Trunk SP Service Models: SIP Trunk Managed IP-PBX Service
Service in which a customer’s premise-based IP-PBX, UC apps and dial-plan are operated and maintained by the SP.
(Diagram labels: Service Provider Owned: VoIP SP, SIP Trunk, SBC, Managed CUCM, Managed CME/IP-PBX; Customer Premises; Enterprise Owned: Phones.)
Security Exposure on Enterprise SIP Trunk Connection Models – Where Should I Firewall?
(Diagram: four connection models between the call agent’s CUBE and the provider.)
– SIP SP: a dedicated SIP trunk from the SIP SP to the CUBE
– WAN SP: the SIP trunk and WAN data share the WAN SP connection to the CUBE
– SIP + VPN SP: the SIP trunk runs over a VPN alongside Internet data
– SIP SP + Internet: Internet voice and Internet data arrive on the same Internet connection to the CUBE
The diagram marks which of these are Recommended Deployment Models and which carry Increased Security Exposure.
Cisco Unified Border Element
Cisco Unified Border Element Architecture
Actively involved in the call treatment, signaling and media streams.
SIP B2B User Agent: signaling is terminated, interpreted and re-originated. Provides full inspection of signaling, and protection against malformed and malicious packets.
Media is handled in two different modes:
– Media Flow-Through: signaling and media terminated by the Cisco Unified Border Element. Transcoding and complete IP address hiding require this model.
– Media Flow-Around: signaling terminated by the Cisco Unified Border Element; media bypasses the Cisco Unified Border Element.
Digital Signal Processors (DSPs) are required for transcoding (calls with dissimilar codecs).
Cisco Unified Border Element Basic Call Flow

    voice service voip
     allow-connections h323 to h323
     allow-connections h323 to sip
     allow-connections sip to h323
     allow-connections sip to sip

Originating Endpoint → (Incoming VoIP Call) → CUBE → (Outgoing VoIP Call) → Terminating Endpoint

    dial-peer voice 1 voip
     destination-pattern 1000
     incoming called-number .T
     session target ipv4:192.168.10.50
     codec g711ulaw

    dial-peer voice 2 voip
     destination-pattern 2000
     session protocol sipv2
     session target ipv4:192.168.12.25
     codec g711ulaw

1. Incoming VoIP setup message from originating endpoint
2. This matches inbound VoIP dial peer 1 for characteristics such as codec, VAD, DTMF method, protocol, etc.
3. Match the called number to outbound VoIP dial peer 2
4. Outgoing VoIP setup message
H.323 and SIP Layer 5/7 Demarcation
Back-to-Back User Agent: a protocol-independent memory structure holding call state and attributes (CLID, Called #, Codec…) sits between two H.323/SIP protocol stacks.
– Incoming call leg: extract call-related parameters from the protocol message, discard the message and update call memory
– Outgoing call leg: build a new protocol message and insert call-related parameters from call memory

    dial-peer voice 1 voip
     description Incoming
     incoming called-number .T
     session protocol sipv2

    dial-peer voice 4 voip
     description Outgoing
     destination-pattern 99.T
     session target ipv4:x.x.x.x
     session protocol sipv2
Cisco Unified Border Element—More Than an SBC: An Integrated Network Infrastructure Service
Cisco Unified Border Element functions: Address Hiding, H.323 and SIP interworking, DTMF interworking, SIP security, Transcoding
Note: An SBC appliance would have only these features
Collocated on the same platform: TDM Gateway (Voice and Video TDM Interconnect, PSTN Backup), Routing, FW, IPS, QoS, Unified CM Conferencing and Transcoding, WAN Interfaces, RSVP Agent, SRST, VXML, GK
Note: Some features/components may require additional licensing
Key Challenges When Interconnecting UC Networks: Why do I need a session border controller?
Session Mgmt: Real-time session Mgmt, Call Admissions Control, Ensuring QoS, PSTN GW Fallback, Statistics and Billing, Redundancy/Scalability
Demarcation: Fault isolation, Topology Hiding, Network Borders, L5/L7 Protocol Demarc, Statistics and Billing
Interworking: H.323 and SIP, SIP Normalization, DTMF Interworking, Transcoding, Codec Filtering, Fax/Modem Support
Security: Encryption, Authentication, Registration, SIP Protection, FW Placement, Toll fraud
(Diagram: the session border controller sits on the border between the “Yours” and “Mine” networks.)
Session Management: Call Admissions Control
CUBE provides various different CAC mechanisms: total calls, CPU, memory, GK IP call capacity, max-connections, RSVP.

Total Calls, CPU, Memory (High Water Mark / Low Water Mark on the CUBE):

    call threshold global [/mem/cpu] calls low xx high yy

GK IP Call Capacity (on the GK and on the CUBE):

    gatekeeper
     endpoint circuit-id h323id IPIPGW1 AA max-calls 500

    voice service voip
     allow-connections h323 to h323
     h323
      ip circuit max-calls 1500
      ip circuit carrier-id AA reserved-calls 1000

max-connections (Call #1 and Call #2 are accepted, Call #3 is rejected by CUBE):

    dial-peer voice 1 voip
     max-conn 2
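The two CAC mechanisms above are easy to reason about in a small model. The following Python is an added example, not code from the slides or from Cisco: it models a per-dial-peer max-conn limit and a global call threshold with high/low water marks, including the hysteresis that keeps a threshold from flapping when the load hovers at one value. The dial-peer tags, the low/high values and the call ids are assumptions for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GlobalThreshold:
    """Models 'call threshold global ... low X high Y' with hysteresis: once the
    number of active calls reaches `high` the box busies out, and it stays busied
    out until the count falls back to `low`, so a load hovering around one value
    does not flap between accept and reject."""
    low: int
    high: int
    busied_out: bool = False

    def allows(self, active_calls: int) -> bool:
        if active_calls >= self.high:
            self.busied_out = True
        elif active_calls <= self.low:
            self.busied_out = False
        return not self.busied_out


@dataclass
class CallAdmission:
    """Applies the global threshold first, then the per-dial-peer 'max-conn' limit."""
    threshold: GlobalThreshold
    max_conn: dict                                  # dial-peer tag -> max-conn value
    active: dict = field(default_factory=dict)      # call id -> dial-peer tag

    def calls_on(self, peer: int) -> int:
        return sum(1 for p in self.active.values() if p == peer)

    def admit(self, call_id: str, peer: int) -> tuple[bool, str]:
        if not self.threshold.allows(len(self.active)):
            return False, "rejected: global call threshold (busied out)"
        limit = self.max_conn.get(peer)
        if limit is not None and self.calls_on(peer) >= limit:
            return False, f"rejected: dial-peer {peer} max-conn {limit} reached"
        self.active[call_id] = peer
        return True, f"accepted on dial-peer {peer}"

    def release(self, call_id: str) -> None:
        self.active.pop(call_id, None)


def demo() -> list[str]:
    """Walks the slide's max-conn case (third call on the dial-peer refused) and
    then the global threshold's hysteresis; returns the decision log."""
    cac = CallAdmission(GlobalThreshold(low=2, high=4), max_conn={1: 2, 2: 10})
    log = []
    for call_id, peer in [("c1", 1), ("c2", 1), ("c3", 1)]:   # max-conn 2 on dial-peer 1
        log.append(f"{call_id}: {cac.admit(call_id, peer)[1]}")
    for call_id, peer in [("c4", 2), ("c5", 2), ("c6", 2)]:   # climb to the high water mark
        log.append(f"{call_id}: {cac.admit(call_id, peer)[1]}")
    cac.release("c5")                 # 3 active: still above low, so still busied out
    log.append("c7: " + cac.admit("c7", 2)[1])
    cac.release("c4")                 # 2 active: at low, the busy-out clears
    log.append("c8: " + cac.admit("c8", 2)[1])
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The log shows c3 refused by max-conn, c6 refused at the high water mark, c7 still refused with three calls up (the count has not yet fallen to the low mark) and c8 accepted once it has.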
Session Management: Quality of Service (QoS)
Requirement: ensure traffic adheres to QoS policies within each network.
The Cisco Unified Border Element can remark ToS/DSCP QoS parameters on signaling and media packets between networks:

    dial-peer voice 100 voip
     ip qos dscp ef media
     ip qos dscp af31 signaling

(Diagram: Classify, Police and Mark stages on the input interface; Police, Mark, Shape and Queue stages on the output interface.)
Interworking: SIP “Normalization” at the Network Border
“Normalize” SIP traffic coming into the SP or Enterprise network at the border. Use SIP profiles to translate messages.
(Diagram: CUBEs at the border of an Enterprise, an IP-PBX, Small-Medium Business, Residential and Smart Business Communications System sites connect to VoIP SP 1; an SP–SP SBC peers VoIP SP 1 with VoIP SP 2.)
Interworking: SIP Profiles “Normalization”
SIP profiles are a mechanism to normalize or customize SIP at the network border to provide interop between incompatible devices. SIP incompatibilities arise due to:
– A device rejecting an unknown header (value or parameter) instead of ignoring it
– A device sending incorrect data in SIP
– A device not implementing (or incorrectly implementing) protocol procedures
– A device expecting an optional header value/parameter, or one that can be implemented in multiple ways
– A device sending a value/parameter that must be changed or suppressed (“normalized”) before it leaves/enters the enterprise to comply with policies
– Variations in the SIP standards of how to achieve certain functions

Example 1: Add user=phone for INVITEs
Incoming: INVITE sip:[email protected]:5060; SIP/2.0
Outgoing (after CUBE): INVITE sip:[email protected]:5060;user=phone SIP/2.0

    voice class sip-profiles 100
     request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
     request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Example 2: Modify a “sip:” URI to a “tel:” URI in INVITEs
Incoming: INVITE sip:[email protected]:5060
Outgoing (after CUBE): INVITE tel:2222000020

    voice class sip-profiles 100
     request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
     request INVITE sip-header From modify "" ""
     request INVITE sip-header To modify "" ""

More information at www.cisco.com/go/cube > Configure > Configuration Examples and TechNotes
Interworking: Delayed Offer to Early Offer Interworking
Message flow: the enterprise app sends INVITE (no SDP) to the CUBE; the CUBE sends INVITE (Offer SDP) to the SP SBC; the SP VoIP side answers 180/183/200 (Answer SDP); the CUBE sends 180/183/200 (Offer SDP) toward the enterprise app, which replies ACK/PRACK (Answer SDP).

    voice class codec 1
     codec preference 1 g711ulaw
     codec preference 2 …

    dial-peer voice 4 voip
     destination-pattern 321....
     voice-class codec 1
     voice-class sip early-offer forced
     session target ipv4:x.x.x.x

SP SIP trunk Early Offer (EO) interconnect for enterprise apps that support only Delayed Offer (DO). Flow-through is required for DO-EO supplementary services.

Offer/answer summary:
– Early Offer: Offer – SDP in INVITE; Answer – SDP in 180/183
– Delayed Offer: Offer – No SDP in INVITE; Answer – SDP in 200

Global configuration also supported:

    voice service voip
     sip
      early-offer forced
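The exchange on both legs, as an added Python example that is not code from the slides or from Cisco: a Delayed Offer INVITE arrives without SDP, the CUBE (with early-offer forced) builds its own offer from the voice class codec list, sends it to the SP, and then carries the codec the SP chose back to the enterprise leg as the offer in its 200 OK. The first preference g711ulaw is the slide's; the second preference g729r8, the static RTP payload numbers, the SDP addresses, the stand-in SP and the 488 handling for an SP that answers with an unoffered codec are assumptions.

```python
# Static RTP/AVP payload types for the two assumed codec preferences.
CODEC_PAYLOAD = {"g711ulaw": "0", "g729r8": "18"}
PAYLOAD_CODEC = {pt: codec for codec, pt in CODEC_PAYLOAD.items()}


def sdp(address, port, payloads):
    """Minimal audio SDP with the given payload list on the m= line."""
    return (f"v=0\r\no=- 1 1 IN IP4 {address}\r\ns=-\r\nc=IN IP4 {address}\r\n"
            f"m=audio {port} RTP/AVP {' '.join(payloads)}\r\n")


def payloads_of(sdp_text):
    """Payload types listed on the audio m= line."""
    for line in sdp_text.splitlines():
        if line.startswith("m=audio"):
            return line.split()[3:]
    return []


def sp_that_picks(payload):
    """Stand-in for the SP SBC: always answers with the single payload type given."""
    def answer(offer_sdp):
        return sdp("198.51.100.9", 30000, [payload])
    return answer


def interwork_do_to_eo(codec_prefs, sp_answer):
    """Run the DO-to-EO exchange for one Delayed Offer INVITE (no SDP) arriving from
    the enterprise. `codec_prefs` is the voice class codec list in preference order;
    `sp_answer(offer_sdp)` plays the SP side. Returns (transcript, negotiated codec)."""
    transcript = ["enterprise -> CUBE: INVITE (no SDP)"]
    # early-offer forced: the CUBE generates the offer itself, from the codec list.
    offer = sdp("192.0.2.5", 16384, [CODEC_PAYLOAD[c] for c in codec_prefs])
    transcript.append(f"CUBE -> SP: INVITE (Offer SDP {' '.join(payloads_of(offer))})")
    answer = sp_answer(offer)
    agreed = [pt for pt in payloads_of(answer) if pt in payloads_of(offer)]
    if not agreed:
        # The SP answered with a codec the CUBE never offered: tear down the SP leg
        # and refuse the enterprise leg (assumed handling for the illustration).
        transcript.append("SP -> CUBE: 200 (Answer SDP with an unoffered codec)")
        transcript.append("CUBE -> SP: ACK, BYE; CUBE -> enterprise: 488 Not Acceptable Here")
        return transcript, None
    pt = agreed[0]
    transcript.append(f"SP -> CUBE: 200 (Answer SDP {pt})")
    # On the Delayed Offer leg the CUBE's 200 carries the offer, now limited to the
    # codec already agreed with the SP, so no transcoding is needed for this call.
    transcript.append(f"CUBE -> enterprise: 200 (Offer SDP {pt})")
    transcript.append(f"enterprise -> CUBE: ACK (Answer SDP {pt})")
    transcript.append("CUBE -> SP: ACK")
    return transcript, PAYLOAD_CODEC[pt]


if __name__ == "__main__":
    lines, codec = interwork_do_to_eo(["g711ulaw", "g729r8"], sp_that_picks("18"))
    print("\n".join(lines))
    print("negotiated:", codec)
```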
Interworking: Media Transcoding
Cisco Unified Border Element supports universal transcoding: any voice codec to any other codec, e.g. iLBC to G.711 or iLBC to G.729. Voice transcoding only (not video).
(Diagram: IP Phones on the Enterprise VoIP side use G.711, G.729, G.722; the CUBE transcodes G.711, G.723.1, G.726, G.728, G.729/a, iLBC, G.722; the SP VoIP / Internet side may use iLBC, iSAC, Speex.)

Supported Codecs* | Release
G.711 a-law 64 Kbps; G.711 µ-law 64 Kbps; G.723 5.3 and 6.3 Kbps; G.729, G.729A 8 Kbps | 12.4(11)XW and 12.4.20T
G.729B, G.729AB 8 Kbps; iLBC 13.3 and 15.2 Kbps; G.722 64 Kbps | 12.4(15)XY and 12.4.20T

Transrating (different packetizations):
– Supported: transrating of different codecs, e.g. G.711 a-law 20ms ↔ G.711 µ-law 10ms, G.711 20ms ↔ G.729A 30ms
– Not supported: transrating of the same codec, e.g. G.729A 20ms ↔ G.729A 30ms

*Note: Only voice codecs are supported with transcoding—no video codecs
Demarcation: Demarcation at Network Borders
SP UNI: Codec Choice/Negotiation, Fault Isolation, Security, QoS Marking, Voice Quality, Statistics and Billing
(Diagram: CUBEs provide the demarcation between the Enterprise H.323 network (CTS, Meeting Place) and the Enterprise SIP network and the Service Provider SBC, and between the enterprise and the IP-PBXs of an E-Partner or an Enterprise/SMB.)
Demarcation: Topology/Address Hiding
(Diagram: Site A—192.168.10.x/24 with a phone at 192.168.10.10 and the CUBE inside address 192.168.10.50; the two CUBEs’ outside interfaces 172.16.10.5 and 172.16.10.6 are on 172.16.10.x/24; Site B—192.168.10.x/24 also uses 192.168.10.10 and 192.168.10.50.)
Requirements:
– Maintain connectivity without exposing the IP network details
– Interconnect networks that have overlapping IP addresses
B2BUA provides complete topology hiding on signaling and media
– Maintains security and operational independence of both networks
– Provides implicit NAT service by substituting Cisco Unified Border Element IP addresses on all traffic
Security: CUBE Security Protection Points
Identity / Service Theft: SIP Digest Authentication, SIP Hostname Validation, SIP Trunk Register, CDR, Toll Fraud, Co-resident IOS: ACLs, COR
DOS: B2BUA – L7 Inspection, Call Volume/BW Limiting (CAC), Call Codec Limiting, SIP Malformed Inspection, SIP Listen Port Configuration, RTP Malformed, Topology Hiding, Co-resident IOS: ACLs, FW, IPS
Privacy: SIP Header Manipulation, Authentication and encryption (media) – SRTP, Authentication and encryption (signaling) – TLS, Co-resident IOS: All VPN features
(Diagram: the protection points are laid over the CUBE software stack: Voice Application Code with L7 protocol-independent memory structures holding call state and attributes (CLID, Called #, Codec…); a dial-peer per leg (DTMF translation, Codec Filtering, Transcoding Control); SIP/H.323 Protocol Stack; RTP Library; DSP API and DSP Hardware; TCP/UDP/TLS; IOS Infrastructure (ACLs, FW, IPS, VPN); HW LAN/WAN Interfaces. Signaling and media enter on the Ingress I/F and leave on the Egress I/F.)
Security: SIP Protection
Digest Authentication
The SIP proxy challenges INVITEs from the Cisco Unified Border Element with 401 Unauthorized to check endpoint validity. The Cisco Unified Border Element responds with an INVITE including credentials.
Message flow: INVITE [From <[email protected]>] → 100 Trying → 401 Unauthorized → INVITE [Authorization: name, passwd] → 100 Trying → 200 OK

    sip-ua
     authentication username xxx password yyy

Hostname Validation
Initial INVITEs with a hostname URI are compared to a configured list of up to 10 hostnames. If there is no match for the INVITE, the Cisco Unified Border Element returns a "400 Bad Request—Invalid Host".

    sip-ua
     permit hostname dns:example1.sip.com
     permit hostname dns:example2.sip.com
     permit hostname dns:example3.sip.com
     permit hostname dns:example4.sip.com
Security: SIP Protection
SIP Listening Port
Default SIP listen ports are 5060 (UDP/TCP) and 5061 (TLS). These ports are well-known and can be the target of attacks. Change the SIP listen port to a different setting that is not well-known (the SIP service is shut down first, then the ports are changed):

    voice service voip
     sip
      shutdown
    voice service voip
     sip
      listen-port non-secure 2000 secure 2050

Registration
The Cisco Unified Border Element can send SIP REGISTER messages with credentials to a proxy. Register statically on behalf of endpoints behind the Cisco Unified Border Element that do not register.

    x(config)#sip-ua
    x(config-sip-ua)#credentials username 1001 password cisco realm cisco.com

Resulting configuration (the password appears in IOS type 7 obfuscated form):

    sip-ua
     registrar ipv4:172.16.193.97 expires 3600
     credentials username 1001 password 0822455D0A16 realm cisco.com
Security: Toll Fraud—ACLs, Dial-Peers
– Use ACLs to allow/deny explicit sources of calls
– Apply explicit incoming and outgoing dial-peers to both CUBE interfaces to control the types and parameters of calls allowed on the network
– Use explicit destination-patterns on dial-peers (not .T) to block disallowed offnet call destinations
– Use translation rules to ensure only valid calling/called numbers are allowed
– Use Tcl/VXML scripts to do database lookups or additional checks to allow/deny call flows
– Change the SIP port to something other than 5060
– Close unused H.323/SIP ports
– Disable secondary dial-tone on TDM ports
Is this a valid call flow to allow?
(Diagram: enterprise side 192.168.10.10 → CUBE → SP VoIP side 172.16.10.6, with explicit incoming and outgoing dial-peers on both interfaces.)
Enterprise-facing interface:

    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 100 deny … (everything else)

SP-facing interface:

    access-list 2 permit 172.16.10.0 0.0.0.255
    access-list 200 deny … (everything else)
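The following added Python example (not code from the slides or from Cisco) models two of the controls above together with the dial-peer matching shown in the Basic Call Flow slide: a source ACL with an IOS wildcard mask and an implicit deny, an inbound dial-peer matched on incoming called-number, and an outbound dial-peer matched on destination-pattern, where a ".T" pattern routes anything and an explicit pattern does not. The ACL entry and the dial-peer tags 1 and 2 with patterns 1000, 2000 and .T are the slides'; the "9.T" and "9408......." patterns, the longest-match rule and the called numbers are assumptions.

```python
import re
from ipaddress import IPv4Address


def pattern_to_regex(pattern):
    """Translate the subset of IOS destination-pattern syntax used on these slides:
    '.' matches one digit, 'T' matches any further digits, digits match themselves."""
    out = "^"
    for ch in pattern:
        if ch == ".":
            out += r"\d"
        elif ch == "T":
            out += r"\d*"
        elif ch.isdigit():
            out += ch
        else:
            raise ValueError(f"unsupported character {ch!r} in pattern {pattern}")
    return re.compile(out + "$")


def acl_permits(acl, source):
    """Evaluate (action, network, wildcard) entries top-down, with the implicit deny
    at the end. A wildcard bit of 1 means 'don't care'."""
    src = int(IPv4Address(source))
    for action, network, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (int(IPv4Address(network)) & care):
            return action == "permit"
    return False


def match_outbound(dial_peers, called):
    """Outbound dial-peer whose destination-pattern matches; on several matches the
    longest explicit pattern wins (assumed approximation of IOS longest match)."""
    matches = [dp for dp in dial_peers
               if pattern_to_regex(dp["destination_pattern"]).match(called)]
    if not matches:
        return None
    return max(matches, key=lambda dp: len(dp["destination_pattern"].rstrip("T")))


def screen_call(source, called, acl, inbound_peers, outbound_peers):
    """Decision for an INVITE from `source` to `called`: (decision, reason)."""
    if not acl_permits(acl, source):
        return "reject", f"source {source} denied by ACL"
    inbound = next((dp for dp in inbound_peers
                    if pattern_to_regex(dp["incoming_called_number"]).match(called)), None)
    if inbound is None:
        return "reject", "no inbound dial-peer"
    outbound = match_outbound(outbound_peers, called)
    if outbound is None:
        return "reject", "no outbound dial-peer for called number"
    return "route", f"inbound dial-peer {inbound['tag']} -> outbound dial-peer {outbound['tag']}"


# The slide's access-list 1; everything else is implicitly denied.
ACL_ENTERPRISE = [("permit", "192.168.10.0", "0.0.0.255")]

# Dial-peers from the Basic Call Flow slide.
SLIDE_INBOUND = [{"tag": 1, "incoming_called_number": ".T"}]
SLIDE_OUTBOUND = [{"tag": 1, "destination_pattern": "1000"},
                  {"tag": 2, "destination_pattern": "2000"}]

# Assumed offnet dial-peers: a catch-all ".T" pattern versus one explicit area code.
OUTBOUND_WILDCARD = [{"tag": 4, "destination_pattern": "9.T"}]
OUTBOUND_EXPLICIT = [{"tag": 5, "destination_pattern": "9408......."}]


if __name__ == "__main__":
    for peers in (OUTBOUND_WILDCARD, OUTBOUND_EXPLICIT):
        print(screen_call("192.168.10.10", "9011441234567890", ACL_ENTERPRISE, SLIDE_INBOUND, peers))
```

Run against the constructed international number, the ".T" peer routes it while the explicit peer leaves it with no match, which is the slide's reason for preferring explicit destination-patterns.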
Deployment Options
Centralized/Aggregated SIP Trunk Model
– CUBE at central location
– Single SIP trunk IP address to SP
– All remote site calls hairpin through the campus site where SIP trunk terminates
(Diagram: SP VoIP with PSTN and SBC; CUBE at HQ; branches reach HQ over MPLS. RTP flows: HQ–SP RTP and Branch–HQ RTP.)
Distributed SIP Trunk Model
– CUBE at each site
– SIP trunk IP address per site
– Calls flow directly from site to SP
(Diagram: SP VoIP with PSTN and SBC; a CUBE at every site, the sites connected over MPLS. RTP flow: Site–SP RTP.)
Agenda
SIP Trunk Reference Architecture
SIP Trunk Enterprise Connection Models
SIP Trunk Deployment Topologies
– SMB
– Enterprise
Recommended SBC Solutions and Best Practices
SMB Deployment Models
(Diagram: SIP Managed Voice Services (SP-owned) and Commercial Managed Voice Services (customer-owned) toward VoIP SP 1; customer types: FXS, TDM PBX Interconnect, IP-PBX Interconnect, Managed IP-PBX.)
SIP Trunk Model
– Managed Services (transparent to end customer)
– Distributed (every site has a connection)
– Redundancy: None
– Capacity: <50 sessions
Border Element
– SIP TDM GW
– IAD with FW/NAT
– IAD with CUBE-“light”
– CME with integrated SIP trunking
Small Enterprise Deployment Models: CME and CUCM
(Diagram: four topologies toward VoIP SP 1 – CME Centralized, CUCM Centralized, CME Distributed, CUCM Distributed; each uses a CUBE on the trunk and SRST at remote sites.)
Small Enterprise Deployment Models: CME or CUCM
SIP Trunk Model
– Centralized – typically used when:
 • Cost benefits can be shown
 • SIP SP is different from WAN provider
– Distributed – typically used when:
 • Survivability is important
 • SIP SP is the same as WAN (often MPLS) provider
– Redundancy: None
– Capacity: <200 sessions
Border Element
– CME with integrated SIP trunking
– Medium-range standalone CUBE or integrated SRST/CUBE
SRNDs:
– www.cisco.com/go/interoperability > CUBE
Medium and Large Enterprise Deployment Models: Multi-Site and Multi-Cluster CUCMs
(Diagram: Multi-cluster, Multi-site CUCM Centralized (hybrid); Multi-site CUCM Centralized (hybrid); Multi-site CUCM Distributed. Each connects to VoIP SP 1 through an SBC, with SRST at remote sites. SBC options: CUBE (Ent), CUSP+CUBE, CUBE.)
Other Enterprise Deployment Models: IP-PBX and TDM-PBX
(Diagram: IP-PBX Centralized, TDM-PBX Centralized, IP-PBX Distributed and TDM-PBX Distributed, each connected to VoIP SP 1 through CUBEs; the TDM-PBX models include a GK.)
Medium and Large Enterprise Deployment Models
SIP Trunk Model
– Centralized – typically used when:
 • Cost benefits can be shown
 • SIP SP is different from WAN provider
– Distributed – typically used when:
 • Survivability is important
 • SIP SP is the same as WAN (often MPLS) provider
 • Geographic considerations
– Redundancy: Generally must-have
– Capacity:
 • Medium Enterprise: 500-1500 sessions at campus/data center sites
 • Large Enterprise: 1500-5000 sessions at campus/data center sites
 • Very Large Enterprise: 5000+ sessions at campus/data center sites
 • 10-100 in remote sites
Border Element
– Medium-Large Campus/Data Center: CUSP+CUBE cluster or CUBE on ASR
– Large-Very Large Campus/Data Center: CUBE on ASR
– Remote sites: High-end standalone CUBE; integrated SRST/CUBE
SRNDs:
– www.cisco.com/go/interoperability > CUBE
Agenda
SIP Trunk Reference Architecture
SIP Trunk Enterprise Connection Models
SIP Trunk Deployment Topologies
Recommended SBC Solutions and Best Practices
– SBC Product Positioning
– Determining an SBC Recommendation
– SBC Redundancy Options
– CUCM Best Practices
– SBC Best Practices
Cisco Unified Border Element Portfolio
Cisco Unified Border Element (Enterprise Edition) provides SBC features for enterprise implementations: CUBE (Ent) on the 2800 ISR, 3800 ISR, 7200VXR/7201/7301, AS5000XM and ASR 1000 Series.
Cisco Unified Border Element (Service Provider Edition) provides SBC features for carrier class service provider implementations: CUBE (SP) on the 7600 (50,000/Blade, 250,000/System).
(Chart axes: CPS and Session Capacity.)
CUBE (Enterprise Edition) Portfolio
(Chart: platforms plotted by CPS against Session Capacity. Platforms: 2800 ISR, 3800 ISR, 7200VXR/7201/7301, AS5000XM, ASR 1000 Series. CPS tick values: <5, 8-12, 50+. Session Capacity tick values: <250, 500-800, 5000+.)
Large-Scale SIP Trunks
(Diagram: three CUBE (Ent) options for connecting a CUCM SIP trunk to the SP SIP trunk through the SP SBC – CUBE ISR; CUBE + CUSP in front of a CUBE Cluster; CUBE ASR.)
CUBE (Ent) Solution Advantages (subject to change)
ISR:
• Collocated features: TDM GW, Tcl / VXML
• Add’al collocated features: SRST, MTP, IOS FW, T.38 fax, H.323, Video/TP
• DSP features: Transcoding, In-band tone DTMF, Transrating (upcoming), Voice quality scoring (upcoming)
• GK Support
• Cost-effective geographic (1+1 and N+1) redundancy
5350XM/5400XM:
• Collocated features: TDM GW, Tcl / VXML, T.38 fax, H.323 Support, Video/TP
• DSP features: Transcoding, In-band tone DTMF, Transrating (upcoming), Voice quality scoring (upcoming)
• GK Support
• Cost-effective geographic (1+1 and N+1) redundancy
• Footprint (5350XM 1RU)
ASR1002/4/6:
• Scalability
• Inbox redundancy: ASR1002/4: SW failover with media preservation; ASR1006: HW failover with media preservation
• Footprint (2/4/6 RU)
Summary SIP Trunk Sizing Recommendations (subject to change)

Enterprise Size | SIP Trunk Sessions | Redundancy Recommendation | Platform Recommendation
Small | <100 | None | Single 2811, 2901
Small | 100-200 | None | Single 2851, 2911
Small | 200-500 | None | Single 3845, 2951
Medium | 500-1000 | Optional | No redundancy: Single 3945; Redundancy: Dual 3945
Medium | 1000-2000 | Must-have | Inbox redundancy: Single ASR1002; Geo redundancy: Dual ASR1002 or future ISR G2*
Large | 2000-4000 | Must-have | Inbox redundancy: Single ASR1004/6 RP2; Geo redundancy: Dual ASR1004/6 RP2
Very Large | 4000+ | Must-have | Inbox redundancy: Single ASR1006 RP2; Geo redundancy: Dual ASR1006 RP2

*Future: 1H 2010 3945 with new SPE-xxx
Redundancy Options: None
(Diagram: one or more CUBEs between the call agent and the SIP SP, without redundancy.)
Aggregate SBC capacity is equal to trunk capacity
– E.g. 4 boxes @ 500 each = 2000 session SIP trunk
– Full trunk capacity guaranteed only when ALL boxes are up
Failure impact – single-box solution:
– All connections dropped; SIP trunk out of service
– No new calls until recovery
Failure impact – multiple box solution:
– % of connections dropped
– New calls handled with reduced SIP trunk capacity
Redundancy Options: 1+1
(Diagram: Active/Active and Active/Standby CUBE pairs between the call agent and the SIP SP.)
Active/Standby (HSRP)
– HSRP can work for intra-enterprise solutions, but is not recommended for SP SIP trunks
Active/Active (Load balancing)
– Special case of N+1 redundancy (next slide)
– SP SIP trunks usually offer only 2 IP addresses – if more than 2 boxes are needed to guarantee SIP trunk session capacity, then a CUSP+CUBE solution is recommended
Local/Geographic Considerations
– HSRP provides local redundancy only
– Load-balancing Act/Act can provide local or geographic redundancy
Failure impact:
– All existing connections on failed box are dropped; no stateful failover
– New calls are immediately handled with full SIP trunk capacity
Redundancy Options: Inbox
(Diagram: ASR1002/4 with an Active OS and a Standby OS; ASR1006 with dual forwarding plane HW and dual control plane HW (CPU); each sits between the call agent and the SIP SP.)
SW Inbox redundancy: ASR1002 + ASR1004
HW Inbox redundancy: ASR1006
– Control plane (CPU or RP)
– Data/Forwarding plane (packet forwarding)
Failure impact – CUBE (Ent):
– Media preservation for existing calls
– New calls handled immediately with full SIP trunk capacity
N+1 and N+M Redundancy Options
(Diagram: call agent → CUSP (no, or 1+1, redundancy on CUSP) → pool of CUBEs → SIP SP.)
N routers to guarantee session capacity; M routers to protect against M simultaneous failures
CUBEs can be ISRs or ASRs
Local or Geographic redundancy
– CUBEs can be distributed across sites as needed
Use a load balancing algorithm in the attached call agent (or use DNS or CUSP) to distribute calls over the pool of CUBEs
Failure impact:
– New calls are handled immediately with full SIP trunk capacity
CUCM Best Practices
CUCM 6.x or 7.x recommended for SIP trunking
– H.323 CUCM interconnects to SIP trunks not recommended
H.323 or SIP SBC interconnects with non-Cisco IP-PBX or TDM-PBXs can be used
CUCM Configuration
– Delayed Offer (no MTP) for CUCM outbound calls
– Early Offer (no MTP) for CUCM inbound calls to CUCM
– SBC Delayed Offer to Early Offer interworking
Configure alternate PSTN routing if SIP trunk is down
– Recommend not to remove TDM PSTN GWs until after a SIP trunk has been proven in
If xcoding is required
– CUCM-controlled xcoding is the more flexible option for SBC engineering purposes
– SBC xcoding is more flexible in codec combinations
CUBE (Ent) Best Practices (1)
Always discuss the trade-offs of centralized and distributed SIP trunk design
Always try to do a POC of a SIP trunk connection
MTPs:
– Avoid MTP designs if possible; if not, collocate MTPs with CUBE (Ent) to optimize the media path
Integration or dedicated CUBE (Ent)
– At low end (<500), MTP, VXML, FW, SRST easily integrated with CUBE (Ent)
– At >1000 sessions, it’s often better to dedicate platforms to each function
CUBE (Ent) Performance Engineering
– H.323-SIP vs. SIP-SIP makes no significant difference
– DTMF interworking or DO-EO adds no significant extra load
– SIP profiles and Tcl tend to be fairly “light” on the CPU, but this is configuration dependent
– MTP, Xcoding and SRTP-RTP conversion are CPU-intensive
CUBE (Ent) Best Practices (2)
Use SIP registration on the trunk if offered by the SP; it offers better security
Define explicit incoming and outgoing dial-peers
Deploy IOS UC features and techniques to mitigate toll fraud
CUBE (Ent) Best Practices (3)
CUBE (Ent) and FW placement
– Campus/Data center sites: Place CUBE (Ent) behind the FW
– Remote/small sites: Enable IOS FW integrated on CUBE (Ent)
Redundancy Best Practices
– Centralized SIP trunking: Redundancy always recommended, regardless of session capacity
– Distributed SIP trunking: Redundancy recommended at sites with >1000 sessions