SIP Trunking Design & Deployment For On-prem And Webex Calling . - Cisco

CUBE Session Capacity for UCCE (IOS-XE 16.12 ) 1CSR1Kv Platform - Based on tests using Cisco UCS C240 host with Intel Xeon 6132 2.60GHz processors running VMware ESXi 6.0 1100 series 4321 4331 4351 4431 4451 4461 CSR1Kv – 1 vCPU1 CSR1Kv - 2 vCPU1 CSR1Kv - 4 vCPU1 ASR1001-X ASR1002-X ASR1004/6/6-X RP2 Session Capacity (IOS-XE 16.12 ) UCCE Capacity UCCE Call Capacity RTP(G711)-RTP(G711) RTP(G711)-RTP(G711) (Prior to IOS-XE 16.12) 500 500 1000 2000 3000 6000 10000 (17.2.1) 1000 3000 6000 12000 14000 16000 N/A 125 250 500 750 1500 N/A 250 750 1500 3000 3500 4000 500 500 1000 1500 1800 3600 4680 500 3000 4250 4250 4250 4500 (IOS-XE 16.12 ) Impact UCCE of UCCE CPS to IPT 0% 0% 0% 25% 40% 40% 53% 50% 0% 29% 65% 70% 72% 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 3 7 8 10 20 26 3 20 24 24 24 25

Sample ISR4K CUBE Sizing An enterprise is considering a 4451-X for their collab deployment with the following requirements: 500 Unencrypted IPT calls 4451 Ratio to 100 Contact Center (CC) calls 6000 IPT Calls IPT calls Record all CC calls 100 IPT Calls IPT Calls 1 50 SRTP-RTP audio calls with SHA1-80 UCCE 1.67 100 SRTP-SRTP audio calls Recorded legs 1.0 SRTP-RTP 500 Unencrypted IPT calls * 1.00 500 SRTP-SRTP 100 Contact Center calls * 1.67 167 Record all CC calls 100 IPT Calls * 1.00 100 50 SRTP-RTP audio calls with SHA1-80 * 2.86 143 100 SRTP-SRTP audio calls * 11.11 1111 TOTAL Capacity in terms of IPT count 2021 BRKCOL-2125 %age IMPACT N/A 40% 50% 2.86 65% 11.11 91% 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Agenda CUBE Overview, Deployments, and SIP Trunk Sizing CUBE Licensing Updates CUBE Architecture (Physical & Virtual) Transitioning to SIP Trunking using CUBE Advanced features on CUBE (Call Routing, Multi-Tenancy) Call Recording & Intro to CUBE Media Proxy Securing Collab deployments with CUBE Webex Calling (VAR Channel) – Local Gateway (LGW) BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

CUBE Licensing Updates

New CUBE Licensing Offer What is Smart Licensing? Smart Licensing is a Cisco wide initiative that provides a License Inventory Management System which provides Customers, Cisco, and Selected Partners with information about License Ownership and Use All licenses are delivered directly to your cloud based Cisco Smart Software Manager (CSSM) account allowing you to control where they are used and monitor how they are used. Smart Licenses do not require registration, so no more PAKs Smart licenses entitle the CUSTOMER, not the product instance. Licenses are not node locked. Licenses are pooled for flexible use by devices registered to the same account BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Cisco Unified Border Element (CUBE) SIP Trunking to a Provider The Cisco Unified Border Element (CUBE) feature set delivers Session Border Control (SBC) functionality for Cisco IOS router platforms, enabling highly secure voice and video connectivity between an enterprise IP network and service provider trunk services. CUBE performs four critical functions of an SBC: PE-SBC MPLS, VPN, Internet SIP Service Connection Premise-based Call control Certified demarcation IP-PBX Policy based session management Security enforcement Protocol and media interworking Network demarcation BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Simplifying the CUBE Trunk Offer Current: 100 PIDs CUBE License – 5 Sessions CUBE License –ASR 100 Sessions Red (FL-CUBEE-5) (FLASR1-CE-100R) CUBE License –5 Sessions Red CUBE License –ASR 500 Sessions Red (FL-CUBEE-5-RED) (FLASR1-CE-500R) CUBE License – 25 Sessions CUBE License –ASR 1,000 Sessions Red (FL-CUBEE-25) (FLASR1-CE-1KR) CUBE License –25 Sessions Red CUBE License –ASR 4,000 Sessions Red (FL-CUBEE-25-RED) (FLASR1-CE-4KR) CUBE License – 100 Sessions CUBE License –ASR 16,000 Sessions Red (FL-CUBEE-100) (FLASR1-CE-16KR) CUBE License –100 Sessions Red CUBE License – C1 ASR 100 Sessions (FL-CUBEE-100-RED) CUBE License – Cisco ONE (1 Session) (C1-CUBEE-STD) CUBE License–Cisco ONE (1 Session Red) (C1-CUBEE-RED) ------ (C1-A-ASR1CUBEE100P) SWSS SWSS Simplified: EoS 15 June 2019 CUBE License – C1 ASR 100 Sessions Red (C1-A-ASR1CUBEE100R) CUBE License – C1 ASR xxxx Sessions xx (C1-A-ASR1CUBEE ) 2 options, 3 PIDs! CUBE Trunk Standard License – 1 Session (CUBE-T-STD) SWSS CUBE Trunk Redundant License – 1 Session (CUBE-T-RED) SWSS Upgrade to Trunk Redundant License – 1 Session SWSS (CUBE-T-RED-UP) SWSS SWSS CUBE session licenses are common across ISR, CSR and ASR platforms and can be pooled in a Smart Virtual Account SWSS ------ Note: Platform technology licenses are required to enable CUBE functionality. See later slide. As part of migration to Smart and SWSS enabled licensing for CUBE, all 0 licenses from router bundles will be removed by end of April 2019. Product Bulletin for the same can be accessed at etin-c25-742073.html BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

New CUBE Offer with Smart Licensing Cisco Unified Border Element (CUBE) Smart License Options Top Level “L-CUBE” Simplified New Offer Trunk CUBE Standard Trunk License 1 Session (CUBE-T-STD) SWSS CUBE Redundant Trunk License 1 Session (CUBE-T-RED) SWSS New Offer Lineside CUBE Lineside License 1 Session (CUBE-L-STD) SWSS Media Proxy CUBE Media Proxy License 1 Forked Session (CUBEMP-RED) SWSS Upgrade to Redundant Trunk License SWSS 1 Session (CUBE-T-RED-UP) Cisco Software Support Service (SWSS) is required for a minimum of 12 months when purchasing CUBE session license(s). SWSS provides access to software maintenance, updates, upgrades, and technical support Note: Platform technology licenses are required to enable CUBE functionality. See later slide. BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

Cisco Unified Border Element (CUBE) Lineside Third Party Call Control in SP Cloud New Offer PE-SBC Business Internet Lineside Connection Hosted SIP Service Cloud-based call control CUBE Lineside Certified demarcation CUBE Lineside features compliment hosted call control solutions with: SIP proxy registration of IP phones (Cisco MPP or 3rd party). Service continuity should the hosted service become unavailable. Note: NanoCUBE RTU licenses will remain available for ISR800 series products only. IP Phones BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

Cisco Unified Border Element (CUBE) Media Proxy New Offer Recording Server 1 Customer CUBE SBC Unified CM CUBE Media Proxy Employee Standalone application that extends CUBE trunk session forking to allow a call to be replicated up to five times for media recording redundancy & load balancing and call analytics. Supports Mandatory and Optional recorder policy Mandatory: Media proxy tries to fork to the mandatory recorder first. Forking to the remaining recorders will only happen after the connection to the first recorder is successful. Optional: Default policy. Media proxy will establish connection to all recorders, even if any of the recorders fail. Recording Server 2 Recording Server 3 Secured forking (SRTP – SRTP) CUBE Media Proxy Call Scenarios: External calls (inbound/outbound from/to ITSP, PSTN calls) Internal calls (on-prem calls) Contact center BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

The Road To Smart Licensing IOS XE 16.5 to 16.9 IOS XE 16.10 IOS XE 16.11 to 17.1 IOS XE 17.2 IOS XE 17.3 Smart Licensing Optional Only Option CSSM Register Required SLE (Platform) CSSM Register Required CUBE Licenses Paper RTU only Paper RTU only Static Config Smart Licenses Dynamic Count Smart Licenses Dynamic Count Smart Licenses CUBE Entitlement Node Locked Node Locked Pooled Pooled Pooled BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

CUBE Trunk – Road to Smart Licensing (SL) IOS XE 16.9 and earlier: Smart is optional for the platform (UCK9, SecK9). CUBE not enabled for SL IOS XE 16.10: Smart is the only platform option. CUBE not formally supported for SL IOS XE 16.11 - 17.1: CUBE fully supported for SL. CSSM registration is required - SIP stack will be disabled in "Eval Expired" licensing state. Reported licenses manually configured using 'mode border-element command'. No policing or enforcement of CUBE license usage (provided platform is registered). IOS XE 17.2 (March 2020): As above, but "mode border-element license capacity" deprecated and replaced with a dynamic use calculation. BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

Migration Offers for CUBE Licenses CiscoONE Licenses without SWSS No migration New licenses required with SWSS CiscoONE Licenses with SWSS Use PUT to purchase 0 migration SKUs RTU Licenses and EoS Platform No Migration New licenses required with SWSS RTU Licenses and Current Platform No migration 100% license discount when purchased with SWSS More information on Sales Connect BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

Agenda CUBE Overview, Deployments, and SIP Trunk Sizing CUBE Licensing Updates CUBE Architecture (Physical & Virtual) Transitioning to SIP Trunking using CUBE Advanced features on CUBE (Call Routing, Multi-Tenancy) Call Recording & Intro to CUBE Media Proxy Securing Collab deployments with CUBE Webex Calling (VAR Channel) – Local Gateway (LGW) BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

CUBE Architecture Physical vs Virtual

Virtual CUBE (CUBE on CSR 1000v) Architecture CSR (Cloud Services Router) 1000v runs on a Hypervisor – IOS XE without the router ESXi Container ESP (data plane) RP (control plane) IOS-XE Chassis Mgr. Forwarding Mgr. Chassis Mgr. QFP Client / Driver CUBE signaling FFP code Forwarding Mgr. CUBE media processing Kernel (incl. utilities) Virtual CPU Memory Flash / Disk Console Mgmt ENET Ethernet NICs CSR 1000v (virtual IOS-XE) Hypervisor X86 Multi-Core CPU Memory Banks vSwitch NIC Hardware GE BRKCOL-2125 GE 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Virtual CUBE (CUBE on CSR 1000v) – Cont’d CSR1000v is a virtual machine, running on x86 server (no specialized hardware) with physical resources are managed by hypervisor and shared among VMs Requires APPX (No TLS/SRTP) or AX (All vCUBE features) CSR licensing package to access voice CLI and increase throughput from 100 kbps default. CUBE Licensing follows ASR1K SKUs and still trust based No DSP based features (transcoding/inband-RFC2833 DTMF/ASP/NR) available vCUBE tracks only the next vSwitch interface resulting in SSO of vCUBE-HA only due to software failures (active vCUBE crashing/reloading) vCUBE Tested Reference Configurations [UCS base-M2-C460, C220-M3S, ESXi 5.1.0 & 5.5.0]. ESXi 6.0 supported with IOS-XE 16.3.1 or later BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Applicable Roadmap [Subject to Change] March 2021– IOS-XE 17.5.1 CUBE support in AWS / Azure BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Agenda CUBE Overview, Deployments, and SIP Trunk Sizing CUBE Licensing Updates CUBE Architecture (Physical & Virtual) Transitioning to SIP Trunking using CUBE Advanced features on CUBE (Call Routing, Multi-Tenancy) Call Recording & Intro to CUBE Media Proxy Securing Collab deployments with CUBE Webex Calling – Local Gateway (LGW) BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Step 1: Configure CUCM to route calls to the edge SBC SIP Trunk Pointing to CUBE Standby A CUBE Active IP PSTN CUBE Enterprise Campus CUBE with High Availability MPLS Configure CUCM to route all PSTN PSTN is now calls (central and branch) to CUBE used only for emergency (Gig0/0 in our slides) via a SIP trunk SRST calls over FXO lines Make sure all different patterns of CME calls – local, long distance, international, emergency,TDM PBX Enterprise etc. are pointing to informational Branch Offices CUBE BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Step 2: Get details from SIP Trunk provider Item SIP Trunk service provider requirement Sample Response 1 SIP Trunk IP Address (Destination IP Address for INVITES) 66.77.37.2 or DNS 2 SIP Trunk Port number (Destination port number for INVITES) 5060 3 SIP Trunk Transport Layer (UDP or TCP) UDP 4 Codecs supported G711, G729 5 Fax protocol support T.38 6 DTMF signaling mechanism RFC2833 7 Does the provider require SDP information in initial INVITE (Early offer required) Yes 8 SBC’s external IP address that is required for the SP to accept/authenticate calls (Source IP Address for INVITES) 9 Does SP require SIP Trunk registration for each DID? If yes, what is the username & password No 10 Does SP require Digest Authentication? 408-944-7700 BRKCOL-2125 128.107.214.195 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Step 3: Enable CUBE Application on Cisco routers 1. Enable CUBE Application voice service voip mode border-element license capacity 20 Required for Smart Licensing Today allow-connections sip to sip By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP 2. Configure any other global settings to meet SP’s requirements voice service voip media bulk-stats sip early-offer forced To increment Rx/Tx counters on IOS-XE based platforms. W/O this CLI, it will show 0/0 (CPU intensive CLI) 3. Create a trusted list of IP addresses to prevent toll-fraud voice service voip ip address trusted list ipv4 66.77.37.2 ! ITSP SIP Trunk ipv4 10.10.1.20 ! CUCM sip silent-discard untrusted Applications initiating signaling towards CUBE, e.g. CUCM, CVP, Service Provider’s SBC. IP Addresses from dial-peers with “session target ip” or Server Group are trusted by default and need not be populated here Default configuration starting XE 3.10.1 /15.3(3)M1 to mitigate TDoS Attack BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

10.10.1.21 128.107.214.195 66.77.37.2 10.10.1.20 Step 4: Configure Call routing on CUBE Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving call legs to and from the PBX. Always bind LAN interface(s) on CUBE to LAN dial-peers, ensuring SIP/RTP is sourced from the intended LAN interfaces(s) WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending and receiving call legs to and from the ITSP. Always bind CUBE’s WAN interface(s) to WAN dialpeer(s). BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Applicable Roadmap [Subject to Change] July 2020 – IOS-XE 17.3.1 CUBE to be enabled for Opus codec negotiation Trust List will be bypassed for validated CN/SAN Nov 2020 – IOS-XE 17.4.1 DNS Informed Trust lists H.323 Deprecation BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

SIP Normalization SIP profiles is a mechanism to normalise or customise SIP at the network border to provide interop between incompatible devices SIP incompatibilities arise due to: A device rejecting an unknown header (value or parameter) instead of ignoring it A device expecting an optional header value/parameter or can be implemented in multiple ways A device sending a value/parameter that must be changed or suppressed (“normalised”) before it leaves/enters the enterprise to comply with policies Variations in the SIP standards of how to achieve certain functions With CUBE 10.0.1 SIP Profiles can be applied to inbound SIP messages as well Add user phone for INVITEs Incoming INVITE sip:5551000@sip.com:5060 SIP/2.0 Outgoing CUBE INVITE sip:5551000@sip.com:5060 user phone SIP/2.0 voice class sip-profiles 100 rule 1 request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user phone SIP/2.0" rule 2 request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user phone SIP/2.0" Modify a “sip:” URI to a “tel:” URI in INVITEs Incoming INVITE sip:2222000020@9.13.24.6:5060 SIP/2.0 Outgoing CUBE INVITE tel:2222000020 SIP/2.0 voice class sip-profiles 100 rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[ ] " "tel:\1" rule 20 request INVITE sip-header From modify " sip:(.*)@.* " " tel:\1 " rule 30 request INVITE sip-header To modify " sip:(.*)@.* " " tel:\1 " More information at ote-sip-00.html BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

Applicable Roadmap [Subject to Change] Nov 2020 – IOS-XE 17.4.1 Conditional SIP Header modification, i.e. apply SIP profile if a certain condition(s) is/are met. E.g., remove diversion header if content in diversion header contains 41 but NOT no-answer request ANY sip-header Diversion remove "(/ /41)(/! /no-answer)” BRKCOL-2125 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Agenda CUBE Overview, Deployments, and SIP Trunk Sizing CUBE Licensing Updates CUBE Architecture (Physical & Virtual) Transitioning to SIP Trunking using CUBE Advanced features on CUBE (Call Routing, Multi-Tenancy) Call Recording & Intro to CUBE Media Proxy Securing Collab deployments with CUBE Webex Calling (VAR Channe

CUBE Overview, Deployments, and SIP Trunk Sizing CUBE Licensing Updates CUBE Architecture (Physical & Virtual) Transitioning to SIP Trunking using CUBE Advanced features on CUBE (Call Routing, Multi-Tenancy) Call Recording & Intro to CUBE Media Proxy Securing Collab deployments with CUBE Webex Calling (VAR Channel .