DGTL-BRKCOL-2125


#CiscoLive

Deploying SIP Trunks with Cisco Unified Border Element (CUBE)
Hussain Ali, CCIE# 38068 (Voice, Collaboration)
Technical Marketing Engineer
Dilip Singh, CCIE# 16545 (Collaboration)
Technical Leader

Agenda
• CUBE Overview, Deployments, and SIP Trunk Sizing
• CUBE Licensing Updates
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE (Call Routing, Multi-Tenancy)
• Call Recording & Intro to CUBE Media Proxy
• Securing Collab deployments with CUBE
• Futures & Key Takeaways

#CiscoLive DGTL-BRKCOL-2125 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
CUBE Overview and Deployments
On-Prem Collaboration Deployment (CUBE-T-STD)

[Diagram labels: Enterprise LAN; ITSP WAN (SIP Provider); DEMARC; Unified CM; CUBE (Gig0/0, Gig0/1); PSTN (PRI/FXO) TDM Backup (not available in vCUBE); addresses 10.10.1.20, 10.10.1.21, 66.77.37.2, 128.107.214.195; legend: SIP, H.323, RTP]

CUBE LineSide (previously NanoCUBE) Deployment Scenarios (CUBE-L-STD)

[Diagram labels: Service Provider Call Control; CUBE LineSide CPE; NANO-CUBE; 8xx; IAD; SIP; PRI; TDM PBX; IP PBX; CUCM; scenarios shown: Small Business Hosted Service, Small Business SIP Trunking, Small Business PRI To SIP, Enterprise]

• CUBE Lineside replaces NanoCUBE for the current CUBE platforms
• https://www.cisco.com/c/en/us/products/routers/800-series-routers/eos-eol-notice-listing.html

Branch CUBE Deployment with SRST Provisioned (CUBE-T-STD)
Branch with Unified SRST Provisioned on the same platform as CUBE

[Diagram labels: Enterprise Data Center; Unified CM; IP WAN; Enterprise LAN; SIP Endpoints; CUBE (Gig0/0, Gig0/1); LAN Dial-Peers; WAN Dial-Peers; ITSP WAN (SIP Provider); PSTN; legend: RTP, SIP - Trunkside, SIP - Lineside]

Enabling compliance recording w/CUBE Media Proxy (CUBE-MP-RED)

[Diagram labels: CUCM 12.5+; CUBE; Media Proxy; Recorder1; Recorder2; Speech Analytics; SIP; RTP; flow steps 1 to 6]

0. CUCM registers to CUBE as an external XMF Application (using UC GW services API – CUCM NBR)
1, 2. Initial call setups via CUBE-Ent
3. CUCM sets up SIP (recording) session with CUBE Media Proxy (offer/answer) with dummy port
4. MP destination IP/port obtained in Step 3 relayed by CUCM to CUBE via XMF API interface (HTTP)
5. CUBE-Ent starts to fork media streams to the MP (target IP/port received in Step 4). MP accepts RTP because of media latching in the inbound leg from CUCM
6. MP sets up SIP recording sessions with the 3 Recorders for multi-fork. The ingress media stream from CUBE-Ent is then multi-forked by MP towards the 3 recorders simultaneously using the destination IP/ports as negotiated in the SIP offer/answer between MP and the Recorders.

Webex Calling - Local Gateway Deployment
• Enables BYoPSTN option for Webex Calling
• Provides connectivity to a customer-owned PSTN service
• May also provide connectivity to an on-premises IP PBX or dedicated SBC/PSTN GW
• Endpoint registration is NOT proxied through Local Gateway, unlike CUBE Lineside. Endpoints directly register to Webex Calling over the Internet eliminating the need for endpoint survivability.
• All communication between Webex Calling and endpoints/LGW is secured (SIP TLS/sRTP)
• IOS-XE 16.10.x not supported. Latest IOS-XE 16.12 or 16.9 release recommended

[Diagram labels: Cisco Webex Calling; Internet; PSTN; Customer Site; Local Gateway; SBC or IP PBX; Webex Calling Endpoints]

Deploying Cisco Webex Edge Audio w/CUBE
High level overview

1. On-premises telephone dials the Webex meeting number or gets a call back from the Webex meeting to get connected by audio into the meeting.
2. Signaling is routed via the on-premises call control device (Unified CM) through the CUBE to Webex Meetings audio service.
3. Audio media (the sound) is routed from the Webex meeting to CUBE and then to the on-premises phone for callback and the reverse for call in.

[Diagram labels: Webex Edge Audio; Meeting; Cisco Unified CM; CUBE; IP Phone; Customer Premises; legend: Signaling, Media Path]

Cisco UCM Cloud
PSTN interconnect via customer premises/Local Gateway
• Customer/partner provides dual connections to Equinix for redundancy
• Cisco® UCM Cloud has a redundant connection to Equinix at all colocations
• Customer has a local gateway (CUBE/PSTN GW) on premises to connect to the preferred PSTN provider
• SIP trunks are connected to the UCM Cloud service from the customer’s local gateway

[Diagram labels: Cisco UCM Cloud; Equinix; MPLS; SD-WAN; VPN; PSTN; Customer Premises; legend: Signaling, Media]

CUBE High Availability as Local Gateway
Layer 2 box-to-box redundancy
[Diagram labels: CUBE-1 and CUBE-2 (GE0/0/0, GE0/0/1, GE0/0/2); redundancy rii 1 and rii 2; Keepalives on GE0/0/2; Virtual IP on the LAN and WAN sides; CUCM; LAN; WAN Edge; IP PSTN; Internet; Cisco Webex Calling; addresses 10.10.1.10, 10.10.1.3, 20.20.1.3, Y.Y.Y.Y; 40462196.cisco-bcld.com]

• LGW HA solution with layer 2 box-to-box redundancy for call preservation
• CUBE HA Active/standby model using virtual IP addresses
• Applicable to ISR 4K and vCUBE only
• Acts as a single Local Gateway from Webex Calling point of view
• Support for Webex Calling deployments available from IOS-XE 16.12.2
• LGW HA cannot have TDM or analog interfaces co-located

CUBE Interoperability Portal for application note
• Validated with Service Providers World-Wide
• Independently Tested with 3-Party PBXs in tekVizion Labs
• Standards based

Proven Interoperability and Interworking with Service Providers Worldwide
Cisco Interoperability Portal: www.cisco.com/go/interoperability

Microsoft Teams Direct Routing – Solution Overview

• Media Bypass Disabled/Off (Without Media ByPass)
• Media traverses Microsoft’s Cloud Media Processor
• Media always flows through CUBE

[Diagram labels: Microsoft Provided; Customer Provided; Customer Site; CUBE; Internet; PSTN; Teams Client; SIP TLS, sRTP; SIP UDP/RTP]

CUBE Product Portfolio
CUBE (Enterprise) Product Portfolio [Not to Scale]

[Chart. Vertical axis: Calls Per Second (short duration, 30 sec CHT), bands <5, 8-12, 15-20, 20-35, 50-100, 50-150. Horizontal axis: Active Concurrent Voice Calls Capacity, ticks 4, <50, 500-600, 900-1000, 2000-2500, 4000, 4500-6000, 7000-10,000, 12K-14K, 14-16K. Platforms plotted: ISR1100s (IOS-XE 16.12.1+), ISR-4K (4321, 4331), ISR 4351, ISR 4431, ISR 4451-X, vCUBE (CUBE on CSR), ASR 1001-X, ASR 1002-X, ASR 1004/6/6-X RP2, ASR 1006-X w/RP3 + ESP40/ESP100. Annotations: "Starting IOS-XE 16.6"; "Introducing CUBE on ISR4461, IOS-XE 17.2.1r"; "IOS-XE 17.x does not support ESP 20".]

CUBE Software Release Mapping

CUBE Version   Initial IOS-XE Release for this CUBE    Subsequent IOS-XE Release for this
               version and Release date                CUBE version
11.5.2         16.3.2/16.4.1   Nov 2016                16.3.3 - 16.3.9 / 16.4.2 – 16.4.3
11.6.0         16.5.1          March 2017              16.5.1b – 16.5.3
12.0.0         16.6.1          July 2017               16.6.2 – 16.6.8
12.0.0         16.7.1          Nov 2017                16.7.2 – 16.7.3
12.1.0         16.8.1          March 2018              16.8.2 – 16.8.3
12.1.0         16.9.1          July 2018               16.9.2 – 16.9.4 – 16.9.5
12.5.0         16.10.1a        Nov 2018                16.10.2 – 16.10.3
12.6.0         16.11.1a        March 2019              16.11.1b
12.7.0         16.12.1c        July 2019               16.12.1a – 16.12.3 – 16.12.4
12.7.1         17.1.1          Nov 2019                -
12.8.0         17.2.1r         March 2020              -
14.0           17.3.1          July 2020               -
TBD            17.4.1          Nov 2020                -

SIP Trunk Sizing
Sizing CUBE Enterprise On-Prem deployments

NOTE: Sizing information is only intended as a guideline. Actual session count will vary based on the number of features turned on the ISR/ASR/CSR along with CUBE and the IOS-XE version being used.

Testing Methodology
Testing Benchmark guidelines
• Collab Calls – Refers to basic IP telephony calls, e.g., IP Phone registered to UCM making
a PSTN call via a SIP trunk to CUBE
• Contact Center (UCCE) Calls – Inbound PSTN calls on CUBE (ingress CUBE) for CVP
treatment
• Platform is tested with a linear/constant call presentation rate - the presented CPS value
- with one type of call flow. Call Hold Time (CHT) is set for 180 seconds
• CPS is the maximum sustainable average presentation rate. Higher instantaneous
presentation rates are possible, but this is not tested.
• Tests focus on the number of successful simultaneous or concurrent active call handling
at around 70% CPU and memory utilization. Buffer allows for other features that might
be configured / required in IOS-XE
• All CUBE platforms are tested with static IP routing configured for the next hop

General Guidelines
CUBE Sizing Guidelines
• All deployments for CUBE must be done with the following memory:
  • 16GB of memory for ASR1K series
  • 8 GB (Control Plane memory) for ISR4400 series
  • 4 GB for ISR4300 series
  • 2 GB for ISR G2 series

• Session count (end to end calls through CUBE) is dependent on the amount of memory
in the box. Numbers listed in the datasheet are based on above memory requirements
being satisfied
• CUBE Media Proxy cannot be co-located with CUBE Enterprise
• CUBE HA has less than 5% impact on number of sessions under full load
• CUBE + IOS based S/W MTP co-location: 1 S/W MTP session on the platform = 1 CUBE
IPT session, when specific data tables are not available, and not to exceed total CUBE
Collab numbers combined
• Complex call flows (Cisco UCCE) can reduce CPS and session count. With IOS-XE
16.12+, there is significant performance gain for UCCE call flows
CUBE Sizing Guidelines
• SRTP with SIP TLS : Numbers will vary based on crypto algorithm and codec
used
• SRTP pass-thru session count and CPS same as RTP-RTP call flows
• SIP Header manipulation through SIP profiles has less than 5% impact on
number of sessions. Impact of SDP manipulation will be slightly higher
compared to SIP headers. For example, 6% for changing the codec order in
the m-lines
• Media forking for call recording can have a 50% impact on IPT session count
regardless of the call type (IPT or UCCE) being recorded on CUBE Enterprise.
This includes SIPREC, CUBE ORA with Cisco MediaSense, and CUCM NBR.
• Performance numbers will be published for long lived (July) releases. [16.9,
16.12, 17.3, etc]
Call Admission Control (CAC)
• Call processing capacity for any CUBE instance will be influenced by several
considerations, including software version, features configured and the platform
itself
• To ensure that calls continue to be processed reliably, configure Call Admission
Control as follows to reject calls when use of system resources exceeds 80%. Refer
to the CUBE Configuration Guide for further details
enable
conf t
call threshold global cpu-avg low 75 high 80
call threshold global total-mem low 75 high 80
call treatment on
end

• show call active total-calls lists the total number of concurrent calls on a CUBE platform
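
A check for the CAC settings above, as an added example that is not part of the original slides: it scans saved running-config text for the two global thresholds and the call treatment line and reports anything that departs from the slide's 80% ceiling. The function name, the sample configurations and the wording of the findings are assumptions made for illustration.

```python
import re

# Ceiling recommended on the slide: reject calls above 80% utilisation.
RECOMMENDED_HIGH = 80
# The two resources the slide places under a global call threshold.
RESOURCES = ("cpu-avg", "total-mem")

THRESHOLD_RE = re.compile(
    r"^call threshold global (?P<res>[\w-]+) low (?P<low>\d+) high (?P<high>\d+)\b"
)

# Constructed sample input: the configuration exactly as shown on the slide.
SLIDE_CONFIG = """\
call threshold global cpu-avg low 75 high 80
call threshold global total-mem low 75 high 80
call treatment on
"""

# Constructed sample input: a drifted configuration (not from a real device).
WEAK_CONFIG = """\
voice service voip
 allow-connections sip to sip
call threshold global cpu-avg low 90 high 95
"""


def audit_cac(config_text, max_high=RECOMMENDED_HIGH):
    """Return a list of findings; an empty list means the CAC lines match the slide."""
    seen = {}
    treatment_on = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "call treatment on":
            treatment_on = True
            continue
        m = THRESHOLD_RE.match(line)
        if m:
            seen[m["res"]] = (int(m["low"]), int(m["high"]))

    findings = []
    for res in RESOURCES:
        if res not in seen:
            findings.append(f"{res}: no global call threshold configured")
            continue
        low, high = seen[res]
        if high > max_high:
            findings.append(f"{res}: high mark {high}% exceeds {max_high}%")
        if low >= high:
            findings.append(f"{res}: low mark {low}% is not below high mark {high}%")
    if not treatment_on:
        findings.append("'call treatment on' is missing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("slide", SLIDE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_cac(cfg) or "OK")
```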
Collab Calls - Basic IP Telephony Audio Calls
CUBE IP Telephony Session Capacity Summary
CUBE SIP-SIP Audio Session Count, Sessions (Flow-thru), RTP(G711)-RTP(G711)

Platform                        IOS-XE 16.6 or earlier   IOS-XE 16.12+      Sustainable CPS (IOS-XE 16.12+)
1100 series (Default DRAM)      N/A                      500                5
4321                            100                      500                4
4331                            500                      1000               10
4351                            1000                     2000               13
4431                            3000                     3000               15
4451                            6000                     6000               40
4461                            N/A                      10000 (17.2.1r)    55
CSR1Kv - 1 vCPU [1] (4 GB)      900                      1000               5
CSR1Kv - 2 vCPU [1] (4 GB)      900                      3000               20
CSR1Kv - 4 vCPU [1] (8 GB)      3250                     6000               30
ASR1001-X                       12000                    12000              50
ASR1002-X                       14000                    14000              55
ASR1006-X RP3 ESP40/ESP100      16000                    16000              65
ASR1004/6/6-X RP2/ESP40         16000                    16000              70

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

Collab Calls - Encrypted Audio Calls
SRTP-RTP
SRTP-SRTP

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12+), RTP(G711)-RTP(G711); (B) Impact of sRTP to IPT; (C) Encrypted Audio calls w/SHA1_80, sRTP(G711)-RTP(G711); (D) CPS

Platform                        (A)                (B)      (C)              (D)
1100 series (Default DRAM)      500                40%      300              2
4321                            500                40%      300              1
4331                            1000               40%      600              3
4351                            2000               62.5%    750              4
4431                            3000               75%      750              4
4451                            6000               65%      2100 (16.12.2)   11
4461                            10000 (17.2.1r)    1%       9900             55
CSR1Kv - 1 vCPU [1] (4 GB)      1000               70%      300              1
CSR1Kv - 2 vCPU [1] (4 GB)      3000               67%      1000             6
CSR1Kv - 4 vCPU [1] (8 GB)      6000               82%      1080             6
ASR1001-X                       12000              79%      2700             13
ASR1002-X                       14000              55%      6500             36
ASR1004/6/6-X RP2/ESP40         16000              78%      3500             20

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711); (B) Impact of sRTP to IPT; (C) Encrypted Audio calls w/GCM128, sRTP(G711)-RTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      500      40%      300      2
4321 (4 GB)                     500      40%      300      1
4331 (4 GB)                     1000     40%      600      3
4351 (4 GB)                     2000     62.5%    750      4
4431 (8 GB)                     3000     75%      750      4
4451 (8 GB)                     6000     65%      2100     11
CSR1Kv - 1 vCPU [1] (4 GB)      1000     70%      300      1
CSR1Kv - 2 vCPU [1] (4 GB)      3000     67%      1000     6
CSR1Kv - 4 vCPU [1] (8 GB)      6000     82%      1080     6
ASR1001-X (16 GB)               12000    80%      2400     13
ASR1002-X (16 GB)               14000    57%      6000     32
ASR1004/6/6-X RP2/ESP40         16000    80%      3200     18

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711); (B) Impact of sRTP to IPT; (C) Encrypted Audio calls w/GCM256, sRTP(G711)-RTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      500      40%      300      2
4321 (4 GB)                     500      40%      300      2
4331 (4 GB)                     1000     40%      600      4
4351 (4 GB)                     2000     62.5%    750      4
4431 (8 GB)                     3000     75%      750      4
4451 (8 GB)                     6000     65%      1080     6
CSR1Kv - 1 vCPU [1] (4 GB)      1000     70%      300      1
CSR1Kv - 2 vCPU [1] (4 GB)      3000     67%      1000     6
CSR1Kv - 4 vCPU [1] (8 GB)      6000     82%      1080     6
ASR1001-X (16 GB)               12000    83%      2000     10
ASR1002-X (16 GB)               14000    68%      4500     25
ASR1004/6/6-X RP2/ESP40         16000    83%      2700     15

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711); (B) Impact of sRTP to IPT; (C) Encrypted Audio SHA1_80 – GCM128, sRTP(G711) - sRTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      500      70%      150      1
4321 (4 GB)                     500      70%      150      1
4331 (4 GB)                     1000     70%      300      2
4351 (4 GB)                     2000     81%      375      2
4431 (8 GB)                     3000     87.5%    375      2
4451 (8 GB)                     6000     91%      540      3
CSR1Kv - 1 vCPU [1] (4 GB)      1000     85%      150      1
CSR1Kv - 2 vCPU [1] (4 GB)      3000     83.3%    500      3
CSR1Kv - 4 vCPU [1] (8 GB)      6000     91%      540      3
ASR1001-X (16 GB)               12000    92%      1000     6
ASR1002-X (16 GB)               14000    79%      3000     16
ASR1004/6/6-X RP2/ESP40         16000    91%      1500     9

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted IPT Session Capacity (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12.1), RTP(G711)-RTP(G711); (B) Impact of sRTP to IPT; (C) Encrypted Audio SHA1_80 – GCM256, sRTP(G711) - sRTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      500      70%      150      1
4321 (4 GB)                     500      70%      150      1
4331 (4 GB)                     1000     70%      300      2
4351 (4 GB)                     2000     81%      375      2
4431 (8 GB)                     3000     87.5%    375      2
4451 (8 GB)                     6000     91%      540      3
CSR1Kv - 1 vCPU [1] (4 GB)      1000     85%      150      1
CSR1Kv - 2 vCPU [1] (4 GB)      3000     83.3%    500      3
CSR1Kv - 4 vCPU [1] (8 GB)      6000     91%      540      3
ASR1001-X (16 GB)               12000    92%      1000     5
ASR1002-X (16 GB)               14000    82%      2500     14
ASR1004/6/6-X RP2/ESP40         16000    91%      1500     8

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

Encrypted Video Calls
SRTP-RTP
SRTP-SRTP

CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Columns: (A) Encrypted video calls w/SHA1_80, sRTP(G711)-RTP(G711); (B) CPS; (C) Encrypted video calls w/GCM128, sRTP(G711)-RTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      100      1        50       1
4321 (4 GB)                     100      1        50       1
4331 (4 GB)                     180      1        100      1
4351 (4 GB)                     180      1        120      1
4431 (8 GB)                     180      1        100      1
4451 (8 GB)                     540      3        180      1
CSR1Kv - 1 vCPU [1] (4 GB)      180      1        180      1
CSR1Kv - 2 vCPU [1] (4 GB)      180      1        540      1
CSR1Kv - 4 vCPU [1] (8 GB)      540      3        540      3
ASR1001-X (16 GB)               900      5        360      2
ASR1002-X (16 GB)               2300     13       900      5
ASR1004/6/6-X RP2/ESP40         1250     7        540      3

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Columns: (A) Encrypted video calls w/GCM256, sRTP(G711)-RTP(G711); (B) CPS; (C) Encrypted Video calls SHA1_80 – GCM128, sRTP(G711) - sRTP(G711); (D) CPS

Platform                        (A)      (B)      (C)      (D)
1100 series (Default DRAM)      50       1        50       1
4321 (4 GB)                     50       1        50       1
4331 (4 GB)                     100      1
4351 (4 GB)                     110      1        130      1
4431 (8 GB)                     100      1        115      1
4451 (8 GB)                     180      1        180      1
CSR1Kv - 1 vCPU [1] (4 GB)      180      1        180      1
CSR1Kv - 2 vCPU [1] (4 GB)      180      1        180      1
CSR1Kv - 4 vCPU [1] (8 GB)      540      3        180      1
ASR1001-X (16 GB)               360      2        360      2
ASR1002-X (16 GB)               900      5        900      5
ASR1004/6/6-X RP2/ESP40         540      3        540      3

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

CUBE Encrypted Video Session Capacity
[H.264 QCIF (15 FPS, 64 kbps)] - (IOS-XE 16.12+)
Columns: (A) Encrypted Video Calls SHA1_80 – GCM256, sRTP(G711) - sRTP(G711); (B) CPS

Platform                            (A)      (B)
1100 series (Default DRAM)          50       1
4321 (4 GB)                         50       1
4331 (4 GB)                         110      1
4351 (4 GB)                         130      1
4431 (8 GB)                         115      1
4451 (8 GB)                         180      1
CSR1Kv - 1 vCPU [1] (4 GB)          180      1
CSR1Kv - 2 vCPU [1] (4 GB)          180      1
CSR1Kv - 4 vCPU [1] (8 GB)          180      1
ASR1001-X (16 GB)                   360      2
ASR1002-X (16 GB)                   900      5
ASR1004/6/6-X RP2/ESP40 (16 GB)     540      3

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

Contact Center Calls
CUBE Session Capacity for UCCE (IOS-XE 16.12+)
Columns: (A) Session Capacity (IOS-XE 16.12+), RTP(G711)-RTP(G711); (B) UCCE Capacity (Prior to IOS-XE 16.12); (C) UCCE Call Capacity (IOS-XE 16.12+), RTP(G711)-RTP(G711); (D) Impact of UCCE to IPT; (E) UCCE CPS (IOS-XE 16.12+)

Platform                  (A)               (B)      (C)      (D)      (E)
1100 series               500               N/A      500      0%       5
4321                      500               125      500      0%       3
4331                      1000              250      1000     0%       7
4351                      2000              500      1500     25%      8
4431                      3000              750      1800     40%      10
4451                      6000              1500     3600     40%      20
4461                      10000 (17.2.1)    N/A      4680     53%      26
CSR1Kv - 1 vCPU [1]       1000              250      500      50%      3
CSR1Kv - 2 vCPU [1]       3000              750      3000     0%       20
CSR1Kv - 4 vCPU [1]       6000              1500     4250     29%      24
ASR1001-X                 12000             3000     4250     65%      24
ASR1002-X                 14000             3500     4250     70%      24
ASR1004/6/6-X RP2         16000             4000     4500     72%      25

[1] CSR1Kv - Based on tests using Cisco UCS® C240 host with Intel® Xeon® 6132 2.60GHz processors running VMware ESXi 6.0.

Sample ISR4K CUBE Sizing
• An enterprise is considering a 4451-X for their collab deployment with the following requirements:
  • 500 Unencrypted IPT calls
  • 100 Contact Center (CC) calls
  • Record all CC calls = 100 IPT Calls
  • 50 SRTP-RTP audio calls with SHA1-80
  • 100 SRTP-SRTP audio calls

4451 (6000 IPT Calls)    Ratio to IPT calls    %age IMPACT
IPT Calls                1                     N/A
UCCE                     1.67                  40%
Recorded legs            1.0                   50%
SRTP-RTP                 2.86                  65%
SRTP-SRTP                11.11                 91%

  500 Unencrypted IPT calls               * 1.00  = 500
+ 100 Contact Center calls                * 1.67  = 167
+ Record all CC calls = 100 IPT Calls     * 1.00  = 100
+ 50 SRTP-RTP audio calls with SHA1-80    * 2.86  = 143
+ 100 SRTP-SRTP audio calls               * 11.11 = 1111
TOTAL Capacity in terms of IPT count = 2021
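
The worksheet above as a reusable calculation, added here as an example that is not part of the original slides. It assumes the "Ratio to IPT calls" column is 1 / (1 - impact), which reproduces the slide's 1.67, 2.86 and 11.11, and it goes one step beyond the slide by comparing the total against the 4451's 6000-session figure. Function and key names are hypothetical.

```python
# IPT capacity of the 4451 at RTP(G711)-RTP(G711), taken from the slide.
PLATFORM_IPT_CAPACITY = 6000

# "%age IMPACT" values from the slide's 4451 table.
IMPACT = {
    "ipt": 0.0,                 # unencrypted IPT call, the baseline
    "ucce": 0.40,               # contact center call
    "srtp_rtp_sha1_80": 0.65,   # SRTP-RTP audio with SHA1-80
    "srtp_srtp": 0.91,          # SRTP-SRTP audio
}

# Slide: a recorded leg counts as one additional IPT session (ratio 1.0).
RECORDED_LEG_RATIO = 1.0

# The call mix from the slide's requirements list.
SLIDE_MIX = {"ipt": 500, "ucce": 100, "srtp_rtp_sha1_80": 50, "srtp_srtp": 100}
SLIDE_RECORDED_CALLS = 100


def ratio_to_ipt(impact):
    """Assumption: ratio = 1 / (1 - impact), rounded to 2 places as on the slide."""
    return round(1.0 / (1.0 - impact), 2)


def ipt_equivalent(calls, recorded_calls=0):
    """Convert a call mix into an IPT-equivalent session count.

    calls maps a key of IMPACT to a number of concurrent calls; each line item
    is rounded to a whole session, as the slide's worksheet does.
    """
    total = 0
    for kind, count in calls.items():
        total += round(count * ratio_to_ipt(IMPACT[kind]))
    total += round(recorded_calls * RECORDED_LEG_RATIO)
    return total


def fits(calls, recorded_calls=0, capacity=PLATFORM_IPT_CAPACITY):
    """Return (IPT-equivalent load, True if the load is within capacity)."""
    load = ipt_equivalent(calls, recorded_calls)
    return load, load <= capacity


if __name__ == "__main__":
    load, ok = fits(SLIDE_MIX, SLIDE_RECORDED_CALLS)
    print(f"IPT-equivalent load {load} of {PLATFORM_IPT_CAPACITY}: "
          f"{'fits' if ok else 'exceeds capacity'}")
    # A constructed all-encrypted mix shows how quickly SRTP-SRTP consumes capacity.
    print(fits({"srtp_srtp": 600}))
```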
Agenda
• CUBE Overview, Deployments, and SIP Trunk Sizing
• CUBE Licensing Updates
• CUBE Architecture (Physical & Virtual)
• Transitioning to SIP Trunking using CUBE
• Advanced features on CUBE (Call Routing, Multi-Tenancy)
• Call Recording & Intro to CUBE Media Proxy
• Securing Collab deployments with CUBE
• Futures & Key Takeaways

CUBE Licensing
Platform Licensing prior to enabling CUBE
• Before CUBE can be configured and licensed, platform technology and
throughput licensing is required.
• Ensure appropriate license for using TLS on the platform is enabled
• For Cisco ISR 1000 and Cisco ISR4000 series, UCK9 and SecurityK9 are required
license boot level uck9
license boot level securityk9

• For Cisco Cloud Services Router 1000 series virtual routers, configure both the
feature and required throughput levels. Example below displays CLI required for
1Gbps throughput, how to increase memory configuration, and enabling AX
package (all licensed options)
license boot level ax
platform hardware throughput level MB 1000
platform memory add 4000
• For Cisco ASR1000 series routers, Advanced IP services is required
license boot level advipservices
license boot level adventerprise
CUBE Licensing Offer
What is Smart Licensing?
• Smart Licensing is a Cisco wide initiative that provides a License Inventory Management
System which provides Customers, Cisco, and Selected Partners with information about
License Ownership and Use
• All licenses are delivered directly to your cloud based Cisco Smart Software Manager (CSSM)
account allowing you to control where they are used and monitor how they are used.
• Smart Licenses do not require registration, so no more PAKs

• Smart licenses entitle the CUSTOMER, not the product instance. Licenses are not node
locked.
• Licenses are pooled for flexible use by devices registered to the same account

Cisco Unified Border Element (CUBE)
SIP Trunking to a Provider
• The Cisco Unified Border Element (CUBE) feature set delivers Session Border Control (SBC) functionality for Cisco IOS router platforms, enabling highly secure voice and video connectivity between an enterprise IP network and service provider trunk services.
• CUBE performs four critical functions of an SBC:
  • Policy based session management
  • Security enforcement
  • Protocol and media interworking
  • Network demarcation

[Diagram labels: SIP Service; PE-SBC; MPLS, VPN, Internet Connection; Certified demarcation; IP-PBX; Premise-based Call control]

Simplifying the CUBE Trunk Offer
Current: 100+ PIDs (EoS 15 June 2019)
• CUBE License – 5 Sessions (FL-CUBEE-5)
• CUBE License – 5 Sessions Red (FL-CUBEE-5-RED)
• CUBE License – 25 Sessions (FL-CUBEE-25)
• CUBE License – 25 Sessions Red (FL-CUBEE-25-RED)
• CUBE License – 100 Sessions (FL-CUBEE-100)
• CUBE License – 100 Sessions Red (FL-CUBEE-100-RED)
• CUBE License – Cisco ONE (1 Session) +SWSS (C1-CUBEE-STD)
• CUBE License – Cisco ONE (1 Session Red) +SWSS (C1-CUBEE-RED)
• CUBE License – ASR 100 Sessions Red (FLASR1-CE-100R)
• CUBE License – ASR 500 Sessions Red (FLASR1-CE-500R)
• CUBE License – ASR 1,000 Sessions Red (FLASR1-CE-1KR)
• CUBE License – ASR 4,000 Sessions Red (FLASR1-CE-4KR)
• CUBE License – ASR 16,000 Sessions Red (FLASR1-CE-16KR)
• CUBE License – C1 ASR 100 Sessions +SWSS (C1-A-ASR1CUBEE100P)
• CUBE License – C1 ASR 100 Sessions Red +SWSS (C1-A-ASR1CUBEE100R)
• CUBE License – C1 ASR xxxx Sessions xx +SWSS (C1-A-ASR CUBEE…)

Simplified: 2 options, 3 PIDs!
• CUBE Trunk Standard License – 1 Session (CUBE-T-STD) +SWSS
• CUBE Trunk Redundant License – 1 Session (CUBE-T-RED) +SWSS
• Upgrade to Trunk Redundant License – 1 Session (CUBE-T-RED-UP) +SWSS

CUBE session licenses are common across ISR, CSR and ASR platforms and can be pooled in a Smart Virtual Account

Note: Platform technology licenses are required to enable CUBE functionality. See later slide.

As part of migration to Smart and SWSS enabled licensing for CUBE, all $0 licenses from router bundles will be removed by end of April 2019. Product Bulletin for the same can be accessed at https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/bulletin-c25-742073.html

What’s included in a Trunk License?

One Inbound leg Secure Media Multiple media sessions per call
Any protocol, any media Encrypt, decrypt, Re-encrypt

One Outbound leg Media Transcoding, Transrating Call handling policy via XCC API
Any protocol, any media & DTMF Interworking

One SIP Forked leg Advanced header manipulation Stateful High Availability*
Local or API controlled

* Requires CUBE Redundant Trunk license

CUBE Offers with Smart Licensing
Cisco Unified Border Element (CUBE) Smart License Options
Top Level “L-CUBE”

Simplified Trunk Offer
• CUBE Standard Trunk License +SWSS, 1 Session (CUBE-T-STD)
• CUBE Redundant Trunk License +SWSS, 1 Session (CUBE-T-RED)
• Upgrade to Redundant Trunk License +SWSS, 1 Session (CUBE-T-RED-UP)

New Lineside Offer
• CUBE Lineside License +SWSS, 1 Session (CUBE-L-STD)

New Media Proxy
• CUBE Media Proxy License +SWSS, 1 Forked Session (CUBE-MP-RED)

Cisco Software Support Service (SWSS) is required for a minimum of 12 months when purchasing CUBE session license(s).
SWSS provides access to software maintenance, updates, upgrades, and technical support
Note: Platform technology licenses are required to enable CUBE functionality. See later slide.

Cisco Unified Border Element (CUBE)
Lineside
• CUBE Lineside features complement hosted call control solutions with:
  • SIP proxy registration of IP phones (Cisco MPP or 3rd party).
  • Service continuity should the hosted service become unavailable.

Note: Lineside licenses do not entitle use of trunk features.

Note: NanoCUBE RTU licenses will remain available for ISR800 series products only.

[Diagram labels: New Offer; Third Party Call Control in SP Cloud; Hosted SIP Service; Cloud-based call control; PE-SBC; Business Internet Connection; Certified Lineside demarcation; CUBE Lineside; IP Phones]

Cisco Unified Border Element (CUBE)
Media Proxy
• Standalone application that extends CUBE trunk session forking to allow a call to be replicated up to five times for media recording redundancy & load balancing and call analytics.
• Supports Mandatory and Optional recorder policy
  • Mandatory: Media proxy tries to fork to the mandatory recorder first. Forking to the remaining recorders will only happen after the connection to the first recorder is successful.
  • Optional: Default policy. Media proxy will establish connection to all recorders, even if any of the recorders fail.
• Secured forking (SRTP – SRTP)
• CUBE Media Proxy Call Scenarios:
  • External calls (inbound/outbound from/to ITSP, PSTN calls)
  • Internal calls (on-prem calls)
  • Contact center

[Diagram labels: New Offer; Customer; Employee; Unified CM; CUBE SBC; CUBE Media Proxy; Recording Server 1; Recording Server 2; Recording Server 3]

The Road To Smart Licensing
Platform Technology Licensing
• IOS XE 16.6 to 16.9: Smart Licensing Optional
• IOS XE 16.10: Smart Licensing Mandatory
• IOS XE 16.11 to 17.1 and IOS XE 17.2 to 17.3: Smart Licensing mode is mandatory. Continued CSSM registration required to enable CUBE features

CUBE Licensing
• IOS XE 16.6 to 16.9: Paper RTU only
• IOS XE 16.10: Paper RTU only
• IOS XE 16.11 to 17.1: Smart Licensing only*. Trunk license requests set by manual configuration. No license policing (Calls continue if out of compliance)
• IOS XE 17.2 to 17.3: Smart Licensing only*. Trunk license requests set dynamically by usage. No license policing (Calls continue if out of compliance)

• *From IOS XE 16.11 Smart License offers are required for all CUBE features. Trunk license usage only is reported to CSSM at this time.
• CSR1000v (Virtual Router running vCUBE) requires Smart Licensing
License Reporting
• License consumption reporting in IOS XE releases 16.11, 16.12 and 17.1 is manually configured using the mode border-element license capacity command.
• With these releases, license capacity reporting is both static and optional
• CUBE platforms must be registered to the Smart Licensing server, even if license
capacity is not configured. Call processing will be shut down if a device is not
registered and the evaluation period has expired.
• Call processing will not be limited if the number of sessions exceeds the license
capacity configuration, nor if the license request is ‘out of compliance’.
• Some of the scenarios in the following slides describe license pooling. To ensure that
the correct number of licenses are consumed from the virtual account, it is suggested
that the average number of licenses required is configured on each device. The
“Configured for” information provides guidance on how to configure this.
• Starting IOS XE release 17.2.1, license use is calculated dynamically and the license
capacity option has been deprecated.

CUBE Version 12.x Deployment Examples / Smart Licensing Scenarios
Session quantities in the following example scenarios
are provided for illustration purposes only.
Refer to CUBE performance documentation when
selecting an appropriate platform to meet required
call processing loads.

Customer Deployment Scenario 1a
Separate Deployments
• Two active CUBEs in separate locations
• No Box to Box redundancy (Redundancy Group HA)
• No load balancing
• Each location processes up to 50 sessions at any time.
License Requirement:
• 100 x CUBE-T-STD
• CUBE platforms may register to:
  • The same Virtual Account holding a common pool of 100 licenses
  • Different Virtual Accounts, each with 50 licenses

[Diagram: Location 1 and Location 2, each with an Active CUBE configured for 50 licenses and carrying 50 calls]

Customer Deployment Scenario 1b
Separate Deployments
• Two active CUBEs in the same location
• No Box to Box redundancy (Redundancy Group HA)
• No load balancing
• Each CUBE processes up to 50 sessions at any time.
License Requirement:
• 100 x CUBE-T-STD
• CUBE platforms may register to:
  • The same Virtual Account holding a common pool of 100 licenses
  • Different Virtual Accounts, each with 50 licenses

[Diagram: Location 1 with two Active CUBEs, each configured for 50 licenses and carrying 50 calls]

Customer Deployment Scenario 2a
Geographic (Active-Active) Load Balancing
• Two active CUBEs in separate locations
• No Box to Box redundancy (Redundancy Group HA)
• Load balancing provided by SP or with CUSP
• Total call load across both locations up to 200 concurrent sessions.
License Requirement:
• 200 x CUBE-T-STD
• CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1 and Location 2, each with one Active CUBE configured for 100 licenses; 200 calls in total]

Customer Deployment Scenario 2b
Active-Active Load Balancing within a location
• Two active CUBEs in the same location
• No Box to Box redundancy (Redundancy Group HA)
• Load balancing provided by SP or with CUSP
• Total call load across both CUBEs up to 200 concurrent sessions.
License Requirement:
• 200 x CUBE-T-STD
• CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1 with two Active CUBEs, each configured for 100 licenses; 200 calls in total]

Customer Deployment Scenario 3
Box to Box High Availability (HA) with Call Preservation
• Active and Standby CUBEs in HA Redundancy Group (RG)
• Both CUBEs must be in the same layer 2 network
• Total call load up to 250 concurrent sessions.
License Requirement:
• 250 x CUBE-T-RED
• Both CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Only the active CUBE reports license usage
[Diagram: Location 1 with an Active CUBE and a Stateful Standby CUBE, each configured for 250 licenses; 250 calls]

Customer Deployment Scenario 4a
Box to Box High Availability with Call Preservation within a location and geographic load balancing across locations
• One pair of High Availability CUBEs in RG at each site
• Geographic load balancing provided by SP or with CUSP
• Total call load up to 600 concurrent sessions across locations
• If an active CUBE fails, stateful failover of local load to standby
• If location 1 fails, all associated calls fail. Total load serviced by active CUBE at site 2
License Requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Only active CUBEs report license usage
[Diagram: Location 1 and Location 2, each with an HA pair (Active and Stateful Standby), every CUBE configured for 300 licenses; 600 calls in total]

Customer Deployment Scenario 4b
Box to Box High Availability with Call Preservation and load balancing within a location
• Two pairs of High Availability CUBEs in separate RGs at the same site
• Load balancing across HA pairs provided by SP or with CUSP
• Total call load for location up to 600 concurrent sessions
• If an active CUBE fails, stateful failover of local load to standby
• If HA pair 1 fails, all associated calls fail. Total load serviced by active CUBE in HA pair 2
License Requirement:
• 600 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
[Diagram: Location 1 with two HA pairs (Active and Stateful Standby in each), every CUBE configured for 300 licenses; 600 calls in total]

Customer Deployment Scenario 4c
Box to Box High Availability with Call Preservation within a primary location with load transfer to minimal, virtualized DR site
• One pair of High Availability CUBEs in RG at primary site processing all calls during normal operation
• If the active CUBE fails, stateful failover of load to standby at primary site
• Traffic rerouted to Disaster Recovery site by SP on complete failure of primary site
• Total call load up to 500 concurrent sessions
License Requirement:
• 500 x CUBE-T-RED
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Active CUBEs report license usage
• Redundant licenses cover standard license requirement from DR site. Smart Account will show license borrowing of 250 STD licenses from the RED pool.
[Diagram: Primary Site with HA Pair 1 (Active and Stateful Standby, each configured for 250 licenses); DR Site with one Active CUBE configured for 250 licenses; 500 calls]

Customer Deployment Scenario 5
Inbox Hardware or Software Redundancy
• Stateful Switchover (SSO): ASR1006 with dual route processors (control plane) and dual ESPs (forwarding plane)
• Route Processor Redundancy (RPR): ASR1001/2/4 with software redundancy
• Both options provide stateful failover
• Required call volume up to 350 concurrent sessions.
License Requirement:
• 350 x CUBE-T-STD
• Active route processor registers to Smart virtual account
• Standby Route Processor takes over registration on failover
[Diagram: ASR1006/1006-x Hardware Redundancy (Dual Forwarding Plane Hardware, Dual Control Plane Hardware); ASR1001/2/4 Software Redundancy (Active IOS, Standby IOS)]

Customer Deployment Scenario 6
Lineside registration proxy and survivability
• A customer using a cloud call control service uses CUBE for lineside optimization and survivability.
• A CUBE platform is deployed at four customer sites.
• Each site has 25 handsets that register to the cloud service.
License Requirement:
• 100 x CUBE-L-STD
• All CUBE platforms register to the same Virtual Account holding a common pool of licenses
• Note: CUBE line side license use is not currently reported to CSSM.
[Diagram: Third Party Call Control in SP Hosted Cloud (cloud-based call control, PE-SBC) reached by SIP over a Business Internet Service; a Lineside CUBE at each of the 4 locations; 25 handsets at each of the 4 locations]

CUBE Version 12.x
License Migration
Classic CUBE (RTU) to CUBE Smart
Licenses
Migration Overview
• The following scenarios describe the valid migration paths to CUBE Session
Smart Licenses for customers that have purchased Classic CUBE Right To
Use (RTU) Session Licenses in the past.
• Take the time to understand each CUBE licensing migration case to set
expectations accordingly.

CUBE Migration Case A:
Legacy Platforms with Classic RTU Licenses
Platform: ISR G1 (2800/3800), ISR G2 (2900/3900), ASR1001, ASR1002
Licenses:
  From: CUBE Classic Right To Use (RTU) Session Licenses
  To: CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Classic RTU CUBE session licenses are node locked to the router for which they were purchased.
• RTU Session Licenses remain valid for as long as the customer uses their router and the model has not reached End of Support. Licenses have no residual value beyond this point.
• Customers wishing to migrate to a newer hardware platform must purchase new licenses using L-CUBE with a minimum of 12 months SWSS.
Note:
• ISR G1 Hardware End of Support: 31 October 2016
• ISR G2 Hardware End of Support: 31 December 2022
• ASR1001/2 Hardware End of Support: 30 April 2021

CUBE Migration Case B:
Current Platforms with Classic RTU Licenses
Platform: ISR4000, ASR1001-X, ASR1002-X, ASR1004(RP2), ASR1006(RP2), CSR1000V
Licenses:
  From: CUBE Classic Right To Use (RTU) Session Licenses
  To: CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Classic RTU session licenses are intended to provide perpetual entitlement for the hardware platform for which they were purchased.
• Customers wishing to use software beyond IOS-XE version 16.9.x may apply to purchase replacement CUBE version 12 session licenses as follows:
  a) The same or more RTU session licenses must have been purchased since 1 Oct 2014.
  b) Sales Order details for RTU purchases must be provided.
  c) At least 12 months SWSS must be purchased at standard customer discount for all CUBE session licenses ordered.
  A discount of up to 100% on CUBE license PIDs will be supported through a DSA if conditions a, b and c are met and documented in the deal request.
Notes: The migration offer detailed above will remain available until the End of Sale of CUBE Version 12 licenses (early 2021). Thereafter, standard discounts will apply for the purchase of all CUBE licenses and support. Customers may continue to use CUBE 12.1 (IOS XE 16.9.x) with Classic RTU session licenses.

CUBE Migration Case C:
Cisco ONE RTU licenses
Platform: All Cisco ONE™ Compatible Platforms
Licenses:
  From: Cisco ONE Classic Right to Use (RTU) CUBE Session Licenses
  To: CUBE Version 12 Smart Session Licenses with SWSS
Migration:
• Cisco ONE CUBE session licenses (C1-CUBE*) provide RTU entitlement for their associated platform.
• If covered by an active Cisco ONE SWSS contract, licenses may be transferred to any compatible Cisco ONE licensed platform.
• Cisco ONE SWSS provides entitlement to router software upgrades.
• With Active Cisco ONE SWSS Contract Coverage, customers:
  a) Migrate to Smart enabled CUBE Version 12 session licenses (MIG-CUBE-C1-STD & MIG-CUBE-C1-RED) using My Cisco Enhancements (MCE)
  b) Renew support with Collaboration SWSS for CUBE session licenses
• Without Active Cisco ONE SWSS Contract Coverage, refer to Case A or B. This includes all ‘free’ CUBE licenses included with C1 bundles.
Notes: Customers with an active Cisco ONE SWSS contract are encouraged to update their CUBE Cisco ONE RTU licenses to Smart as soon as possible and not wait for their contract to expire.

Migration Offers for CUBE Licenses
• CiscoONE Licenses without SWSS: No migration. New licenses required with SWSS
• CiscoONE Licenses with SWSS: Use PUT to purchase $0 migration SKUs
• RTU Licenses and EoS Platform: No Migration. New licenses required with SWSS
• RTU Licenses and Current Platform: No migration. 100% license discount when purchased with SWSS

More information on Sales Connect

CUBE Architecture
Physical vs Virtual
Virtual CUBE (CUBE on CSR 1000v)
Architecture
• CSR (Cloud Services Router) 1000v runs on a Hypervisor – IOS XE without
the router
[Diagram: CSR 1000v (virtual IOS-XE) in an ESXi container. Labels: RP (control plane), ESP (data plane), FFP code, Chassis Mgr., QFP Client, Forwarding Mgr. / Driver, IOS-XE, CUBE signaling, CUBE media processing, Kernel (incl. utilities); virtual CPU, Memory, Flash / Disk, Console, Mgmt ENET, Ethernet NICs; Hypervisor vSwitch and NIC; hardware: x86 Multi-Core CPU, Memory Banks, GE interfaces]

Virtual CUBE (CUBE on CSR 1000v) – Cont’d
• CSR1000v is a virtual machine running on an x86 server (no specialized hardware), with
physical resources managed by the hypervisor and shared among VMs
• Requires APPX (No TLS/SRTP) or AX (All vCUBE features) CSR licensing package to
access voice CLI and increase throughput from 100 kbps default. CUBE Licensing uses
L-CUBE top level SKU
• No DSP based features (transcoding/inband-RFC2833 DTMF/ASP/NR) available
• vCUBE tracks only the next vSwitch interface resulting in SSO of vCUBE-HA only due to
software failures (active vCUBE crashing/reloading)
• vCUBE Tested Reference Configurations [UCS base-M2-C460, C220-M3S, ESXi 5.1.0 &
5.5.0]. ESXi 6.0 supported with IOS-XE 16.3.1 or later
• ESXi 6.7 supported with IOS-XE 17.3.1 or later

Applicable Roadmap [Subject to Change]
• March 2021 – IOS-XE 17.5.1
• CUBE support in AWS / Azure

Step 1:
Configure CUCM to route calls to the edge SBC
SIP Trunk Pointing to CUBE
• Configure CUCM to route all PSTN calls (central and branch) to CUBE (Gig0/0 in our slides) via a SIP trunk
• Make sure all different patterns of calls – local, long distance, international, emergency, informational etc. – are pointing to CUBE
[Diagram: Enterprise Campus and Enterprise Branch Offices (SRST, CME, TDM PBX) connected over MPLS; CUBE with High Availability (Active and Standby) connecting to the IP PSTN. Callout: PSTN is now used only for emergency calls over FXO lines]

Step 2: Get details from SIP Trunk provider
Item | SIP Trunk service provider requirement | Sample Response
1 | SIP Trunk IP Address (Destination IP Address for INVITES) | 66.77.37.2 or DNS
2 | SIP Trunk Port number (Destination port number for INVITES) | 5060
3 | SIP Trunk Transport Layer (UDP or TCP) | UDP
4 | Codecs supported | G711, G729
5 | Fax protocol support | T.38
6 | DTMF signaling mechanism | RFC2833
7 | Does the provider require SDP information in initial INVITE (Early offer required) | Yes
8 | SBC’s external IP address that is required for the SP to accept/authenticate calls (Source IP Address for INVITES) | 128.107.214.195
9 | Does SP require SIP Trunk registration for each DID? If yes, what is the username & password | No
10 | Does SP require Digest Authentication? | 408-944-7700

Step 3: Enable CUBE Application on Cisco routers
1. Enable CUBE Application
voice service voip
 mode border-element            ! Enables CUBE; the capacity keyword has been deprecated
 allow-connections sip to sip   ! By default IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP

2. Configure any other global settings to meet SP’s requirements
voice service voip
 media bulk-stats               ! To increment Rx/Tx counters on IOS-XE based platforms. W/O this CLI, it will show 0/0 (CPU intensive CLI)
 sip
  early-offer forced

3. Create a trusted list of IP addresses to prevent toll-fraud
voice service voip
 ip address trusted list        ! Applications initiating signaling towards CUBE, e.g. CUCM, CVP, Service Provider’s SBC
  ipv4 66.77.37.2               ! ITSP SIP Trunk
  ipv4 10.10.1.20               ! CUCM
 sip
  silent-discard untrusted      ! Default configuration starting XE 3.10.1 / 15.3(3)M1 to mitigate TDoS Attack
IP addresses from dial-peers with “session target ip” or Server Group are trusted by default and need not be populated here.
Step 4: Configure Call routing on CUBE

[Diagram: Unified CM (10.10.1.20, 10.10.1.21), CUBE (128.107.214.195), ITSP (66.77.37.2)]

• Dial-Peer – “static routing” table mapping phone numbers to interfaces or IP addresses

• LAN Dial-Peers – Dial-peers that are facing towards the IP PBX for sending and receiving call legs
to and from the PBX. Always bind LAN interface(s) on CUBE to LAN dial-peers, ensuring SIP/RTP is
sourced from the intended LAN interface(s)

• WAN Dial-Peers – Dial-peers that are facing towards the SIP Trunk provider for sending and
receiving call legs to and from the ITSP. Always bind CUBE’s WAN interface(s) to WAN dial-peer(s).

OPUS codec support on CUBE [IOS-XE 17.3.1]
• Opus Codec is supported for both secure and non-secure calls
  • RTP-to-RTP, SRTP-to-SRTP, SRTP-to-RTP, and RTP-to-SRTP.
• Opus codec defines the optional media format (fmtp) parameters in a call under
codec profile:
  • maxaveragebitrate
  • maxplaybackrate
  • stereo
  • sprop-maxcapturerate
  • sprop-stereo
  • usedtx
  • useinbandfec

OPUS codec considerations
• Transcoding and Transrating with OPUS is not supported on CUBE
• If the received SDP has multiple fmtp lines, then only the first fmtp line is passed in the
outbound INVITE.
• Media recording isn’t supported with Extended Media Forking (XMF) [CUCM Network
based recording Gateway Preferred]
• SIPREC is supported
• RTP payload-type [opus number] — under dial-peer configuration mode to support OPUS
as supported codec.
• From IOS-XE 17.3.1, the default payload type for opus is 114. Previously 114 was
reserved for cisco-codec-aacld, whose default payload type is 112 beginning with IOS-XE 17.3.1
• Codec profile configuration is not mandatory unless in a DO-EO call. Since CUBE is the
offeror in a DO-EO call, it will make use of FMTP parameters from the profile.

OPUS Configurations
Dial-peer level configuration:
CUBE(config)#dial-peer voice 786 voip
CUBE(config-dial-peer)#codec opus profile 2
CUBE(config-dial-peer)#rtp payload-type opus 114     ! default value is 114

Global config level
CUBE(config)#codec profile 2 opus
CUBE(conf-codec-profile)#fmtp "fmtp:114 maxplaybackrate=16000; sprop-maxcapturerate=16000; maxaveragebitrate=20000; stereo=1; sprop-stereo=0; useinbandfec=0; usedtx=0"

Voice class codec config level
CUBE(config)#voice class codec 80
CUBE(config-class)#codec preference 1 opus profile 2

Applicable Roadmap [Subject to Change]
• Nov 2020 – IOS-XE 17.4.1
• Codec Reordering with Voice class codec priority list, i.e.,
rewrite codec list for EO-EO sessions according to VCC priority
list, ignoring incoming SDP’s codec order

SIP Normalization
SIP profiles is a mechanism to normalize or customize SIP at the
network border to provide interop between incompatible devices
SIP incompatibilities arise due to:
• A device rejecting an unknown header (value or parameter) instead of ignoring it
• A device expecting an optional header value/parameter or can be implemented in multiple ways
• A device sending a value/parameter that must be changed or suppressed (“normalised”) before it leaves/enters the enterprise to comply with policies
• Variations in the SIP standards of how to achieve certain functions
• With CUBE 10.0.1 SIP Profiles can be applied to inbound SIP messages as well

Add user=phone for INVITEs
Incoming: INVITE sip:[email protected]:5060 SIP/2.0
Outgoing: INVITE sip:[email protected]:5060 user=phone SIP/2.0
voice class sip-profiles 100
 rule 1 request INVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"
 rule 2 request REINVITE sip-header SIP-Req-URI modify "; SIP/2.0" ";user=phone SIP/2.0"

Modify a “sip:” URI to a “tel:” URI in INVITEs
Incoming: INVITE sip:[email protected]:5060 SIP/2.0
Outgoing: INVITE tel:2222000020 SIP/2.0
voice class sip-profiles 100
 rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
 rule 20 request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
 rule 30 request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"

More information at http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/118825-technote-sip-00.html
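
The sip: to tel: rules above can be traced offline before they are applied on a border element. The Python below is an added example, not Cisco's code: it parses rules 10 to 30 from their CLI form and applies them with Python's `re` module standing in for the IOS regex engine (an assumption), to constructed sample messages that use documentation addresses.

```python
import re

# Rules 10-30 as they appear on the slide.
RULES_TEXT = r'''
rule 10 request INVITE sip-header SIP-Req-URI modify "sip:(.*)@[^ ]+" "tel:\1"
rule 20 request INVITE sip-header From modify "<sip:(.*)@.*>" "<tel:\1>"
rule 30 request INVITE sip-header To modify "<sip:(.*)@.*>" "<tel:\1>"
'''

RULE_RE = re.compile(
    r'rule (\d+) request (\S+) sip-header (\S+) modify "(.*)" "(.*)"$')


def parse_rules(text):
    """Parse 'rule N request METHOD sip-header NAME modify "pat" "repl"' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, method, header, pattern, repl = m.groups()
            rules.append((int(num), method, header, re.compile(pattern), repl))
    return sorted(rules, key=lambda r: r[0])  # apply in rule-number order


def apply_profile(message, rules):
    """Apply the rules to one SIP request; returns the rewritten message."""
    lines = message.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for _, rule_method, header, pattern, repl in rules:
        if rule_method not in (method, "ANY"):
            continue  # rule is scoped to another request method
        for i, line in enumerate(lines):
            if not line:
                break  # blank line ends the header section
            if header == "SIP-Req-URI":
                is_target = i == 0
            else:
                is_target = i > 0 and line.lower().startswith(header.lower() + ":")
            if is_target:
                lines[i] = pattern.sub(repl, line, count=1)
    return "\r\n".join(lines)


def build(*header_lines):
    """Join lines into a SIP message with an empty body."""
    return "\r\n".join(list(header_lines) + ["", ""])


# Constructed sample messages (192.0.2.0/24 is a documentation range).
INVITE = build(
    "INVITE sip:2222000020@192.0.2.10:5060 SIP/2.0",
    'From: "555" <sip:5551000@192.0.2.20:5060>;tag=1',
    "To: ABC <sip:2222000020@192.0.2.10:5060>",
    "CSeq: 1 INVITE",
)
# From header without angle brackets: rule 20 expects <...> and will not match.
INVITE_BARE_FROM = build(
    "INVITE sip:2222000020@192.0.2.10:5060 SIP/2.0",
    "From: sip:5551000@192.0.2.20;tag=1",
    "To: <sip:2222000020@192.0.2.10>",
)
BYE = build(
    "BYE sip:2222000020@192.0.2.10:5060 SIP/2.0",
    "From: <sip:5551000@192.0.2.20>;tag=1",
)

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for msg in (INVITE, INVITE_BARE_FROM, BYE):
        print(apply_profile(msg, rules).rstrip(), end="\n\n")
```

The second sample shows the case to check for in traces: a From header sent without angle brackets passes through rule 20 unchanged, so the outgoing INVITE mixes a tel: request URI with a sip: From.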

Applicable Roadmap [Subject to Change]
• Nov 2020 – IOS-XE 17.4.1
• Conditional SIP Header modification, i.e. apply SIP profile if a
certain condition(s) is/are met. E.g., remove diversion header if
content in diversion header contains 41 but NOT no-answer

request ANY sip-header Diversion remove
"(/==/41)(/!=/no-answer)"

CUBE Dial-Peers
Advanced Call Routing
[Diagram: CUCM (198.18.133.3) – CUCM SIP Trunk – G0/0 CUBE G0/1 – ITSP SIP Trunk – ITSP (10.1.40.11). Outbound calls use the Inbound LAN Dial-Peer and the Outbound WAN Dial-Peer; inbound calls use the Inbound WAN Dial-Peer and the Outbound LAN Dial-Peer]

Outbound Calls

Inbound LAN Dial-Peer
dial-peer voice 100 voip
 description *Inbound LAN dial-peer. From CUCM to CUBE*
 session protocol sipv2
 incoming called-number 8T
 voice-class sip bind control source-interface Gig0/0
 voice-class sip bind media source-interface Gig0/0
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

Outbound WAN Dial-Peer
dial-peer voice 201 voip
 description *Outbound WAN dial-peer. From CUBE to SP*
 destination-pattern 81[2-9]..[2-9]......$
 session protocol sipv2
 session target ipv4:10.1.40.11
 session transport udp
 voice-class sip bind control source-interface Gig0/1
 voice-class sip bind media source-interface Gig0/1
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

Inbound Calls

Inbound WAN Dial-Peer
dial-peer voice 200 voip
 description *Inbound WAN dial-peer. From Provider to CUBE*
 session protocol sipv2
 incoming uri via 200
 voice-class sip bind control source-interface Gig0/1
 voice-class sip bind media source-interface Gig0/1
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
voice class uri 200 sip
 host ipv4:10.1.40.11

Outbound LAN Dial-Peer
dial-peer voice 101 voip
 description *Outbound LAN dial-peer. From CUBE to CUCM*
 translation-profile outgoing CUBE_to_CUCM
 destination-pattern +1408944....$
 session protocol sipv2
 session target ipv4:198.18.133.3
 voice-class sip bind control source-interface Gig0/0
 voice-class sip bind media source-interface Gig0/0
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

Operational Dial-peer binding
Live-Bind of Interfaces [CSCve59988]
• CUBE allows the source IP address of signalling and media packets to be
configured by specifying an interface bind at the global (voice service voip),
dial-peer, or tenant (voice class tenant) level
• Prior to IOS-XE 17.3.1, binding an interface that has an active call to a new
dial-peer on CUBE does not take effect
• Additionally, the “bind all” CLI is not present at the dial-peer level
prior to IOS-XE 17.3.1
• Beginning with IOS-XE 17.3.1, live bind of an interface (active calls on the same
interface) can be done at both the dial-peer and the tenant level

Pre IOS-XE 17.3.1 behavior output
• Live-bind of interface at dial-peer level: Interface has live calls using a different
dial-peer and trying to bind the same interface on a new dial-peer

IOS-XE 17.3.1 behavior output
• Live-bind of interface at dial-peer level: Interface has live calls using a
different dial-peer and trying to bind the same interface on a new dial-peer

Bind all CLI at the dial-peer level
• Bind all CLI was present only at the Global and the Tenant levels
Prior to IOS-XE 17.3.1
CUBE(config-dial-peer)#voice-class sip bind ?
control bind only SIP control packets
media bind only SIP media packets

Starting IOS-XE 17.3.1


CSR25(config)#dial-peer voice 786 voip
CSR25(config-dial-peer)#voice-class sip bind ?
all bind both SIP control and media packets
control bind only SIP control packets
media bind only SIP media packets

Understanding Inbound Dial-Peer Matching Techniques
Priority | Match based on | Exact pattern match
1 | URI of an incoming INVITE message | Host Name/IP Address; User portion of URI; Phone-number of tel-uri
2 | Called Number |
3 | Calling number |
4 | Default Dial-Peer 0 |
[Diagram: CUCM – CUCM SIP Trunk – CUBE – SP SIP Trunk – IP PSTN; Inbound LAN Dial-Peer for outbound calls, Inbound WAN Dial-Peer for inbound calls]

Received:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:[email protected]";;branch=z9hG4bK-23955-1-0
From: "555" <sip:[email protected]:5060>;tag=1
To: ABC <sip:[email protected]:5060>
Call-ID: [email protected]
CSeq: 1 INVITE
Contact: sip:[email protected]:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226

Outbound Dial-Peer Matching Criteria Summary
Priority | Match based on | Exact pattern match
0 | DPG, DPPP, COR/LPCOR if configured |
1 | URI of incoming INVITE message | Host Name/IP Address; User portion of URI; Phone-number of tel-uri
2 | Called Number |
[Diagram: CUCM – CUCM SIP Trunk – CUBE – SP SIP Trunk – IP PSTN; Outbound WAN Dial-Peer for outbound calls, Outbound LAN Dial-Peer for inbound calls]

Received:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:5060;x-route-tag="cid:[email protected]";;branch=z9hG4bK-23955-1-0
From: "555" <sip:[email protected]:5060>;tag=1
To: ABC <sip:[email protected]:5060>
Call-ID: [email protected]
CSeq: 1 INVITE
Contact: sip:[email protected]:5060
Supported: timer
Max-Forwards: 70
Subject: BRKUCC-2934 Session
Content-Type: application/sdp
Content-Length: 226
........

Destination Server Group
• Supports defining multiple destinations (session targets) in a group and
applying the group to a single outbound dial-peer
• Once an outbound dial-peer is selected to route an outgoing call, multiple
destinations within a server group will be sorted in either round robin or
preference [default] order
• This reduces the need to configure multiple dial-peers with the same
capabilities but different destinations, e.g. multiple subscribers in a cluster

voice class server-group 1
 hunt-scheme {preference | round-robin}
 ipv4 1.1.1.1 preference 5
 ipv4 2.2.2.2
 ipv4 3.3.3.3 port 5065 preference 3
 ipv6 2010:AB8:0:2::1 port 5065 preference 3
 ipv6 2010:AB8:0:2::2

dial-peer voice 100 voip
 description Outbound DP
 destination-pattern 1234
 session protocol sipv2
 codec g711ulaw
 dtmf-relay rtp-nte
 session server-group 1

* DNS target not supported in server group
Applicable Roadmap [Subject to Change]
• July 2020 – IOS-XE 17.3.1
• Server Groups will offer huntstop based on configurable SIP
response codes (e.g. 404) to prevent hunting to the next entry
within the server group along with the dial-peer

Multiple Number Patterns Under Same Incoming/Outgoing Dial-peer
[Diagram: G729 Sites (Site A 2000, Site B (510)100-1000, Site C (408)100-1000) and G711 Sites (Site A (919)200-2010, Site B (510)100-1010, Site C (408)100-1010) – SIP Trunk – CUBE – SP SIP Trunk – IP PSTN]

Up to 1000 entries in a pattern map:
voice class e164-pattern-map 300
 e164 200.
 e164 510100100.
 e164 408100100.

dial-peer voice 1 voip
 description Inbound DP via Calling
 incoming calling e164-pattern-map 300
 codec g729r8

Up to 5000 entries in a text file:
voice class e164-pattern-map 400
 url flash:e164-pattern-map.cfg

dial-peer voice 2 voip
 description Outbound DP via Called
 destination e164-pattern-map 400
 codec g711ulaw

! This is an example of the contents of E164 patterns text file stored in flash:e164-pattern-map.cfg
9192002010
5101001010
4081001010
<blank line>

Destination Dial-peer Group
voice class dpg 10000
 description Voice Class DPG for SJ
 dial-peer 1001 preference 1
 dial-peer 1002 preference 2
 dial-peer 1003
!
dial-peer voice 100 voip
 description Inbound DP
 incoming called-number 1341
 destination dpg 10000
!
dial-peer voice 1001 voip
 destination-pattern BAD
 session protocol sipv2
 session target ipv4:10.1.1.1
!
dial-peer voice 1002 voip
 destination-pattern BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.2
!
dial-peer voice 1003 voip
 destination-pattern BAD.BAD.BAD
 session protocol sipv2
 session target ipv4:10.1.1.3

Received: INVITE sip:1341@CUBE-IP-ADDRESS:5060
Sent: INVITE sip:[email protected]:5060
1. Incoming Dial-peer is first matched
2. Now the DPG associated with the INBOUND DP is selected

Multi-Tenancy
Multiple Tenants on CUBE
• Every Registrar/User Agent/ITSP connected to CUBE can be considered a Tenant to CUBE
• Allows specific global configurations (CLI under sip-ua) for multiple tenants
such as specific SIP Bind for REGISTER messages
• Allows differentiated services for different tenants

“Voice class Tenant” Overview
• Most configs under “sip-ua” and “voice service voip” added in “voice class tenant <tag>”, e.g. Registrar and Credentials CLI under tenant using different bind and outbound proxy

Prior to Multi Tenancy
sip-ua
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 registrar 2 ipv4:70.70.70.70:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
voice service voip
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/1
[Diagram: Global OB Proxy and Bind; E164 - aaaa, Registrar - 1; E164 - bbbb, Registrar - 2]

With Voice Class Tenant (Multi-Tenancy)
voice class tenant 1
 registrar 1 ipv4:60.60.60.60:9051 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 outbound-proxy ipv4:10.64.86.35:9057
 bind control source-interface GigabitEthernet0/0
voice class tenant 2
 registrar 1 ipv4:70.70.70.70:9052 expires 3600
 credentials username bbbb password 7 110B1B0715 realm bbbb.com
 outbound-proxy ipv4:10.64.86.40:9040
 bind control source-interface GigabitEthernet0/1
[Diagram: OB Proxy 1 & Bind-1 with E164 - aaaa, Registrar - 1; OB Proxy 2 & Bind-2 with E164 - bbbb, Registrar - 1]
Configuring Voice Class Tenant
• Configure voice class tenant
! Add new voice class tenant
voice class tenant 1
 registrar 1 ipv4:10.64.86.35:9052 expires 3600
 credentials username aaaa password 7 06070E204D realm aaaa.com
 credentials number bbbb username bbbb password 7 110B1B0715 realm bbbb.com
 bind control source-interface GigabitEthernet0/0
 bind media source-interface GigabitEthernet0/0
 copy-list 1
 outbound-proxy ipv4:10.64.86.35:9055
 early-offer forced

• Apply tenant to the desired dial-peer
! Apply Tenant to a Dial-peer
dial-peer voice 1 voip
 destination-pattern 111
 session protocol sipv2
 session target ipv4:10.64.86.35:9051
 session transport udp
 voice-class sip tenant 1
External/PSTN Call Recording
External/PSTN Call Recording Options
• CUBE Controlled (Dial-peer based SIPREC)
 o SIPREC based, CUBE sends metadata in XML format
 o Dial-peer controlled, IP-PBX independent
 o Source of recorded media (RTP only) is always CUBE (External calls only).
 o Records both audio and video calls and supported with CUBE HA
• CUCM NBR (Network Based Recording)
 o CUCM Controlled & triggered, requires UC Services API be enabled on CUBE
 o Audio calls only
 o Source of Recorded Media can be CUBE (Gateway Preferred) or Phone based (BiB)

CUBE Media Proxy
Existing Recording Architectures
• Current recording architectures allow only one fork from each leg (in-leg/out-leg) to only one recorder
• No support for forking secure RTP stream
• MiFID II Compliance requirements:
• Support for more than one recorder
• High Availability (Redundancy)
• Secure forking
• Call scenarios support
• External calls (inbound/outbound from/to ITSP, PSTN calls)
• Internal calls (on-prem calls)
• Contact center
• Common Metadata
CUBE Media Proxy: Overview
• Media proxy is based on CUBE architecture
• Supports the same ISR 4Ks, ASR1Ks, CSR1K on which CUBE is supported today
• Call Recording mechanism (triggers) is CUCM NBR based (GW based and Phone BiB)
• Media proxy is designed to fork media to multiple recorders i.e. multiple forked legs, and supports up to 5 recorders
• CUBE Media Proxy High Availability is also supported
• CUSP (Optional) supports Media proxy with recorder redundancy and load balancing
• Secured forking (SRTP – SRTP) for Phone Based (BiB) recording

CUCM NBR GW forking to Media Proxy

[Diagram: CUBE (SIP, RTP), Media Proxy, Recorder1, Recorder2 and Speech Analytics, with RTP forked from the Media Proxy to the recorders; numerals mark the steps below]

0. CUCM registers to CUBE as an external XMF Application (using UC GW services API – CUCM NBR)
1,2. Initial call setups via CUBE-Ent
3. CUCM sets up SIP (recording) session with CUBE Media Proxy (offer/answer) with dummy port
4. MP destination IP/port obtained in Step-3 relayed by CUCM to CUBE via XMF API interface (HTTP)
5. CUBE-Ent starts to fork media streams to the MP (target ip/port received in Step-4). MP accepts RTP because of Media latching in the inbound leg from CUCM
6. MP sets up SIP recording sessions with the 3 Recorders for multi-fork. The ingress media stream from CUBE-Ent is then multi-forked by MP towards the 3 recorders simultaneously using the destination ip/ports as negotiated in the SIP offer/answer between MP and the Recorders.
CUBE Media Proxy: Design requirements
• Video call Recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported
• CUBE Media Proxy and CUBE cannot be co-located
• Mid-call signaling updates from Recorders are not supported
• Early offer from CUCM to Media Proxy is required
• No support for SRTP fallback
• Media Proxy sends metadata to the recorders (FROM header)

SIPREC Based Media Proxy

[Diagram: CUBE (SIP, RTP), Media Proxy, Recorder1, Recorder2 and Speech Analytics, with SIP, XML Metadata and RTP between them; numerals mark the steps below]

1,2. Initial call setups via CUBE-Ent
3. CUBE-Ent starts to fork media stream towards Media Proxy (INVITE with 2 Audio M Lines + XML Metadata)
4. Media Proxy accepts incoming SIPREC request from CUBE Ent and initiates an INVITE (2 Audio M Lines + XML Metadata) towards the Primary recorder – Recorder 1 above. Once a successful session with the Primary recorder has been established, MediaProxy sends an INVITE towards the rest of the recorders.
SIPREC Based Media Proxy: Design considerations
• Video call Recording is not supported today
• Secure media (SRTP) forking of non-secure calls is not supported (RTP to SRTP)
• Secure to Secure forking (SRTP to SRTP) is not supported
• CUBE Media Proxy and CUBE cannot be co-located
• Midcall updates from the recorders, such as pause or resume recording, are not supported (RE-INVITE with SDP changes)
• No support for SRTP fallback
• SIP INFO that indicates the recorder session status is not supported under SIPREC based deployment
• INVITE with replaces header that is sent by recorders when they switch from active to standby Media Proxy is not supported

CUBE Media Proxy Capacities and Licensing
Media Proxy: Capacity for Various Platforms (IOS-XE 16.12+)
Platform                           | Max IPT Calls | CUBE Media Proxy Capacity (Number of Recorders: One Two Three Four Five)
1100 (Default DRAM) / 4321 (4GB)   | 500           | 350
4331 (4GB)                         | 1000          | 700
4351 (4 GB)                        | 2000          | 900
4431 (8 GB - CP)                   | 3000          | 1000
4451 (8 GB - CP)                   | 6000          | 3000
4461 (8 GB – CP) [IOS 17.2.1]      | 10000         | 4000
CSR1Kv – 1 vCPU1 (4 GB)            | 1000          | 90
CSR1Kv - 2 vCPU1 (4 GB)            | 3000          | 1100
CSR1Kv - 4 vCPU1 (8 GB)            | 6000          | TBD
1002-X (16 GB)                     | 14000         | 4500
1004/6/6-X RP2/ESP40 (16 GB)       | 16000         | 4500
Customer Deployment Scenario 7
Media Proxy:
• A media proxy platform used to fork calls to 3 recording servers.
• Total concurrent call load is 50 calls.
License Requirement:
• 150 x CUBE-MP-RED
• Only redundant licenses are available for Media Proxy
• Note: Media Proxy license use is not currently reported to CSSM.
[Diagram: Location 1; Media Proxy (Active); 50 Calls; 150 Recordings]

Customer Deployment Scenario 8
Media Proxy:
• Active and Standby CUBE Media Proxies in HA Redundancy Group (RG)
• Both Media Proxies must be in the same layer 2 network
• Total call load for HA pair 150 calls, each forked 3 times.
• If active Media Proxy fails, stateful failover of all calls to standby
License Requirement:
• 450 x CUBE-MP-RED
• Both Media Proxy platforms register to the same Virtual Account holding a common pool of licenses
• Note: Media Proxy license use is not currently reported to CSSM.
[Diagram: Location 1; Stateful HA Pair 1 with Active and Standby Media Proxy; 150 Calls; 450 Recordings]

Customer Deployment Scenario 9
Media Proxy:
• A media proxy platform used to fork calls to 3 recording servers.
• Total concurrent call load is 50 calls from CUBE triggered using CUCM NBR
License Requirement:
• 150 x CUBE-MP-RED for Media Proxy
• 50 X CUBE-T-STD for PSTN calls through CUBE
• Only redundant licenses are available for Media Proxy
• Note: Media Proxy license use is not currently reported to CSSM.
[Diagram: Location 1; CUBE; Media Proxy; Active; 50 Calls; 150 Recordings]
Securing Collab deployments with CUBE
Secure SIP Trunks with CUBE
[Diagram: CUBE between LAN (Gig0/0/0) and WAN (Gig0/0/1) facing the SP IP Network; labels: SIP, TLS, TCP/UDP, RTP, SRTP]
• Interworking between all three transport types is supported: UDP/TCP/TLS
• IOS-XE based platforms do not require DSPs for SRTP-RTP interworking
• TLS Exclusivity can be configured with “transport tcp tls v1.2”
• NGE Crypto supported for SRTP-SRTP (IOS-XE 16.5.2) [Crypto A – Crypto B], SRTP-RTP, SRTP pass-thru

IOS-XE 16.11.1 or later Security Readiness changes
• For IOS-XE 16.11.1 or later, a master key must be pre-configured for passwords before it can be used in authentication, credentials and/or shared-secret CLIs
• It's mandatory to specify the encryption type for the password
• Type 6 passwords are encrypted using AES cipher and user defined master key
• Master key is never displayed in the configuration
• If master key configuration is removed, Type 6 passwords can never be decrypted, which may result in authentication failure

IOS-XE 16.11.1+ Security Configuration Requirement
LocalGateway#conf t
LocalGateway(config)#key config-key password-encrypt Password123
LocalGateway(config)#password encryption aes

• If master key is not pre-configured, there will be an error shown when the password is configured
LocalGateway(config-sip-ua)#authentication username ali password 0 hussain123

Failed type 6 encryption on password

• If password type 0 is used, it will be stored as type 6 AES encrypted password in configuration
LocalGateway#show run | include credentials
credentials number Hussain6346_LGU username Hussain2572_LGU password 6 FbG\XYVJV\cPeMhMRFSFNINTIMZecQPD_Bbg realm BroadWorks

IOS-XE 16.11.1 Security Configuration Requirement
• Dial-peer, SIP-UA, Tenants, and STUN authentication credentials/shared secrets will use the new Secure reversible encryption Type 6 AES format password

LocalGateway(config-sip-ua)#authentication username ali password ?
 0 Specifies an UNENCRYPTED password will follow
 6 Specifies an ENCRYPTED password will follow
 7 Specifies a HIDDEN password will follow

• Type 6 only accepts password formats such as “YXMOEfOePAJhNCKXbU^CYYAR^aJJ`Sa_S”. Hence the recommendation is to use password type 0, which will be saved as type 6 in the configuration

• The encryption type 7 is supported in IOS XE Release 16.11.1a, but will be deprecated in later releases
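An added example, not part of the Cisco slides: a Python check that scans a saved configuration for SIP `credentials` and `authentication` lines still stored as type 0 or type 7 instead of Type 6, in line with the deprecation of type 7 noted above. The sample configuration, its addresses, realms and password strings are constructed placeholders, and STUN shared secrets are not covered.

```python
import re

# Constructed running-config excerpt modelled on the slide configs.
# Addresses, realms and password strings are placeholders, not real values.
SAMPLE_CONFIG = """\
voice class tenant 1
 registrar 1 ipv4:192.0.2.10:5060 expires 3600
 credentials username aaaa password 7 EXAMPLE7 realm aaaa.example
 bind control source-interface GigabitEthernet0/0
voice class tenant 2
 credentials number bbbb username bbbb password 6 EXAMPLE6 realm bbbb.example
sip-ua
 authentication username ali password 0 EXAMPLE0
dial-peer voice 1 voip
 voice-class sip tenant 1
"""

# credentials/authentication lines; the type digit may be missing in older configs.
SECRET = re.compile(
    r"\b(?:credentials|authentication)\b.*?\busername\s+(\S+)"
    r"\s+password\s+(?:([067])\s+)?\S+")

def audit(config):
    """Return findings for SIP credentials that are not stored as Type 6."""
    section, aes_enabled, type6_seen, findings = "global", False, False, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # an unindented line opens a new section
            section = line
            aes_enabled = aes_enabled or line == "password encryption aes"
        match = SECRET.search(line)
        if not match:
            continue
        user, ptype = match.group(1), match.group(2) or "untyped"
        if ptype == "6":
            type6_seen = True
        else:
            findings.append(f"{section}: user {user} has password type {ptype}")
    # The master key never appears in the configuration, so only the
    # 'password encryption aes' line can be checked from a config file.
    if type6_seen and not aes_enabled:
        findings.append("global: Type 6 passwords present without 'password encryption aes'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Each finding names the configuration section (tenant, sip-ua or dial-peer) so the credential can be re-entered as type 0 once the master key is in place.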
CUBE Resources
▪ CUBE is now a Microsoft certified SBC for Direct Routing along with E911 solution partners
https://docs.microsoft.com/en-us/microsoftteams/direct-routing-border-controllers
▪ Configuration application note available at
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf
▪ CUBE Box
o https://cisco.box.com/CUBE-Enterprise (requires requesting access via ask-[email protected], include your box.com account’s email ID)
▪ Webex Calling LGW Box – https://cisco.box.com/WebexCalling
▪ CUBE Performance and Sizing
▪ Webex Calling Deployment Guide – https://help.webex.com
▪ Dcloud Labs
o Enabling Webex Calling
o SIP Trunking with CUBE
o Microsoft Teams Direct Routing with CUBE (future)

CUBE Roadmap
CUBE Roadmap [Subject to Change]
• Starting IOS-XE 17.3.1, 100 VRFs are now supported on CUBE vs 54 in prior releases
• DNS Aware Trust list [CY2021]
• Microsoft Teams Direct Routing with Media Bypass enabled [2H CY2020]
• Microsoft Teams Direct Routing to UCM [2H CY2020]
• Programmability (CUBE Yang modelling) [CY2021]
• vCUBE Support in AWS/Azure [1H CY2021]
• Webex Contact Center integration [2H CY2020]
• Integration with Cloud Speech services (Voicea, Google Answers, etc) [CY2021]
• Cloud Connected UC integration [CY2021]
• H.323 deprecation for CUBE [CY 2021]
Thank you
