Use this task flow to configure local gateways for your Webex Calling deployment. The steps that follow are performed on the CLI itself. The trunk between the local gateway and Webex Calling is always secured using SIP TLS transport, with SRTP for media between the local gateway and the Webex Calling Access SBC.

Before you begin

  • Meet the local gateway requirements for Webex Calling.

  • Create a local gateway in Control Hub.

  • The configuration guidelines provided in this document assume that a dedicated local gateway platform is in place with no existing voice configuration. If an existing PSTN gateway or CUBE enterprise deployment is being modified to also use the local gateway function for Webex Calling, pay careful attention to the configuration applied and make sure existing call flows and functionality are not interrupted as a result of changes that you make.

Task flow (each step lists the command or action, followed by its purpose):

  1. Parameter Mapping Between Cisco Webex Control Hub and Cisco Unified Border Element

    Use this table as a reference for the parameters that come from Control Hub and where they map onto the local gateway.

  2. Perform Reference Platform Configuration

    Implement these steps as a common global configuration for the local gateway. The configuration includes baseline platform configuration and a trust pool update.

  3. Register Local Gateway to Webex Calling

  4. Choose one, depending on your deployment:

Call Routing on the local gateway is based on the Webex Calling deployment option that you chose. This section assumes that IP PSTN termination is on the same platform as the local gateway. The configuration that follows is for one of these options on the local gateway:

  • The local gateway deployment option without an on-premises IP PBX. The local gateway and IP PSTN CUBE are coresident.

  • The local gateway deployment option within an existing Unified CM environment. The local gateway and IP PSTN CUBE are coresident.

Table 1. Parameter Mapping Between Cisco Webex Control Hub and Local Gateway

Each entry lists the Control Hub parameter, followed by the matching Local Gateway configuration:

  • Registrar Domain: Control Hub should parse the domain from the LinePort that is received from UCAPI (example.com).

    Local Gateway: registrar example.com

  • Trunk Group OTG/DTG

    Local Gateway: sip profiles: rule <rule-number> request ANY sip-header From modify ">" ";otg=otgDtgId>"

  • Line/Port: user@example.com

    Local Gateway: number: user

  • Outbound Proxy

    Local Gateway: outbound proxy (DNS name – SRV of the Access SBC)

  • SIP Username

    Local Gateway: username

  • SIP Password

    Local Gateway: password

Before you begin

  • Ensure that baseline platform configuration such as NTPs, ACLs, enable passwords, master password (IOS-XE 16.11.1 and later), IP routing, IP Addresses, and so on are configured according to your organization's policies and procedures.

  • IOS-XE 16.9.3 and later or 16.11.1 and later is required for local gateway deployments. IOS-XE release 16.10.x is not supported.

1

Ensure that any layer 3 interfaces have valid and routable IP addresses assigned:

interface GigabitEthernet0/0/0
 description Interface facing PSTN and/or CUCM
 ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
 description Interface facing Webex Calling
 ip address 192.168.43.197 255.255.255.0
2

If you're using IOS-XE 16.11.1 or later, you must preconfigure a master key for the password using the commands shown below before it can be used in the credentials and shared secrets. Type 6 passwords are encrypted using the AES cipher and a user-defined master key.

LocalGateway#conf t
LocalGateway(config)#key config-key password-encrypt Password123

LocalGateway(config)#password encryption aes
3

Configure IP Name Server to enable DNS lookup and ensure it is reachable by pinging it:

LocalGateway#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LocalGateway(config)#ip name-server 8.8.8.8
LocalGateway(config)#end
4

Enable TLS 1.2 Exclusivity and a default Dummy Trustpoint:

  1. Create a dummy PKI Trustpoint and call it dummyTp

  2. Assign the trustpoint as the default signaling trustpoint under sip-ua

  3. cn-san-validate server is needed to ensure that the local gateway establishes the connection only if the outbound proxy configured on the tenant 200 (described later) matches with CN-SAN list received from the server.

  4. The crypto trustpoint is needed for TLS to work even though a local client certificate (for example, mTLS) is not required for the connection to be set up.

  5. Disable TLS v1.0 and v1.1 by enabling v1.2 exclusivity.

LocalGateway#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LocalGateway(config)#
LocalGateway(config)#crypto pki trustpoint dummyTp
LocalGateway(ca-trustpoint)# revocation-check crl
LocalGateway(ca-trustpoint)#exit

LocalGateway(config)#sip-ua
LocalGateway(config-sip-ua)# crypto signaling default trustpoint dummyTp cn-san-validate server

LocalGateway(config-sip-ua)# transport tcp tls v1.2
LocalGateway(config-sip-ua)#end
5

Update Local Gateway Trustpool:

The default trustpool bundle does not include the “DigiCert Root CA” certificate needed for validating the server side certificate during TLS connection establishment to Webex Calling.

The trustpool bundle must be updated by downloading the latest “Cisco Trusted Core Root Bundle” from http://www.cisco.com/security/pki/.

  1. Check if the DigiCert Root CA certificate exists:

    LocalGateway#show crypto pki trustpool | include DigiCert
  2. If it doesn't exist, update as follows:

    LocalGateway#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    LocalGateway(config)#crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b
    Reading file from http://www.cisco.com/security/pki/trs/ios_core.p7b
    Loading http://www.cisco.com/security/pki/trs/ios_core.p7b 
    % PEM files import succeeded.
    LocalGateway(config)#end
    
  3. Verify:

    LocalGateway#show crypto pki trustpool | include DigiCert
        cn=DigiCert Global Root CA
        o=DigiCert Inc
        cn=DigiCert Global Root CA
        o=DigiCert Inc
    

Before you begin

Ensure that you completed the steps in Control Hub to create a location and add a local gateway. In the example local gateway shown here, the information was obtained from Control Hub.

1

Enter these commands to turn on the local gateway application:

LocalGateway#configure terminal
LocalGateway(config)#voice service voip
LocalGateway(conf-voi-serv)#ip address trusted list
LocalGateway(cfg-iptrust-list)#ipv4 128.177.14.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 128.177.36.0 255.255.255.192
LocalGateway(cfg-iptrust-list)#ipv4 135.84.169.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 135.84.170.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 135.84.171.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 135.84.172.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.65.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.66.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.70.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.71.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.64.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 199.59.67.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 85.119.56.128 255.255.255.192
LocalGateway(cfg-iptrust-list)#ipv4 85.119.57.128 255.255.255.192
LocalGateway(cfg-iptrust-list)#ipv4 185.115.196.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#ipv4 185.115.197.0 255.255.255.128
LocalGateway(cfg-iptrust-list)#exit
LocalGateway(conf-voi-serv)#allow-connections sip to sip
LocalGateway(conf-voi-serv)#media statistics
LocalGateway(conf-voi-serv)#media bulk-stats
LocalGateway(conf-voi-serv)#media-address range 192.168.43.197 192.168.43.197 port-range 8000 48000

LocalGateway(cfg-media-addr-range)#exit
LocalGateway(conf-voi-serv)#no supplementary-service sip refer
LocalGateway(conf-voi-serv)#no supplementary-service sip handle-replaces
LocalGateway(conf-voi-serv)# fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

LocalGateway(conf-voi-serv)#stun
LocalGateway(conf-serv-stun)#stun flowdata agent-id 1 boot-count 4
LocalGateway(conf-serv-stun)#stun flowdata shared-secret 0 Password123$

LocalGateway(conf-serv-stun)#sip

LocalGateway(conf-serv-sip)#g729 annexb-all
LocalGateway(conf-serv-sip)#early-offer forced
LocalGateway(conf-serv-sip)#end

Explanation of commands:

Toll-Fraud Prevention
Device(config)# voice service voip
Device(config-voi-serv)# ip address trusted list
Device(cfg-iptrust-list)# ipv4 199.59.70.0 255.255.255.128
Device(cfg-iptrust-list)# ipv4 199.59.71.0 255.255.255.128
  • Explicitly enables the source IP addresses of entities from which the local gateway expects legitimate VoIP calls, such as Webex Calling peers, Unified CM nodes, IP PSTN.

  • By default, LGW blocks all incoming VoIP call setups from IP addresses not in its trusted list. IP Addresses from dial-peers with “session target ip” or Server Group are trusted by default and need not be populated here.

  • IP addresses in this list need to match the IP subnets according to the regional Webex Calling data center the customer is connected to. For more information, see Port Reference Information for Webex Calling.


     

    If your LGW is behind a firewall with restricted cone NAT, you may prefer to disable the IP address trusted list on the Webex Calling-facing interface. This is because the firewall already protects you from unsolicited inbound VoIP. This action would reduce your longer term configuration overhead, because we cannot guarantee that the addresses of the Webex Calling peers will remain fixed, and you would need to configure your firewall for the peers in any case.

  • Other IP addresses may need to be configured on other interfaces; for example, your Unified CM addresses may need to be added to the inward-facing interfaces.

  • IP addresses must match the IP of hosts the outbound-proxy resolves to in tenant 200

  • See https://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html for more information.
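The trust decision described in the bullets above can be checked offline against a saved configuration. The following is an added example, not Cisco code: it models the explicit trusted list plus the addresses the page says are trusted by default (dial-peer session targets and server groups). The excerpt is constructed from commands and addresses on this page, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed running-config excerpt; each address and command appears on this page.
CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 199.59.70.0 255.255.255.128
  ipv4 199.59.71.0 255.255.255.128
  ipv4 85.119.56.128 255.255.255.192
 allow-connections sip to sip
voice class server-group 301
 ipv4 192.168.80.60 port 5065
dial-peer voice 101 voip
 session target ipv4:192.168.80.13
"""

ENTRY = re.compile(r"ipv4 (\S+)(?: (\d+\.\d+\.\d+\.\d+))?")
TARGET = re.compile(r"session target ipv4:(\d+\.\d+\.\d+\.\d+)")


def parse_trust(config):
    """Return (entries, findings); entries are (network, reason) pairs."""
    entries, findings, section = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip address trusted list":
            section = "trusted list"
        elif line.startswith("voice class server-group "):
            section = "server-group"
        elif section and (m := ENTRY.match(line)):
            # A missing mask (server-group member or single host) means one address.
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                findings.append(f"{line}: not a valid IPv4 entry")
                continue
            if str(net.network_address) != addr:
                # Address is not on the subnet boundary: flag it for review.
                findings.append(f"{line}: host bits set, entry covers {net}")
            entries.append((net, section))
        elif m := TARGET.match(line):
            # Per the page, session-target addresses are trusted by default.
            entries.append((ipaddress.ip_network(m.group(1)), "session target"))
            section = None
        else:
            section = None
    return entries, findings


def why_trusted(source_ip, entries):
    """Return the entry that admits source_ip, or None if call setup would be blocked."""
    ip = ipaddress.ip_address(source_ip)
    for net, reason in entries:
        if ip in net:
            return f"{reason} {net}"
    return None


if __name__ == "__main__":
    entries, findings = parse_trust(CONFIG)
    # Constructed source addresses to evaluate against the parsed configuration.
    for src in ("199.59.70.30", "199.59.70.200", "192.168.80.13", "203.0.113.5"):
        print(src, "->", why_trusted(src, entries) or "not trusted")
    for finding in findings:
        print("review:", finding)
```

Running it against an exported configuration shows which subnet, session target, or server group admits each source, which helps when the regional Webex Calling subnets change.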

Media
voice service voip
 media statistics 
 media bulk-stats 
 media-address range 192.168.43.197 192.168.43.197 port-range 8000 48000
  • Media Statistics enables media monitoring on the local gateway.

  • Media bulk-stats enables the control plane to poll the data plane for bulk call statistics.

  • Media-address range <LGW IP Address Range> port-range configuration decides which RTP source ports to use for this media address range. This is being configured for Gig0/0/1 interface facing Webex Calling.

SIP-to-SIP Basic Functionality
allow-connections sip to sip
Supplementary Services
 no supplementary-service sip refer
 no supplementary-service sip handle-replaces

Disables REFER and replaces dialog ID in Replaces header with the peer dialog ID.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s12.html#wp2876138889 for more information.

Fax Protocol
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fax traffic will not be encrypted.

Enable Global STUN
stun
  stun flowdata agent-id 1 boot-count 4
  stun flowdata shared-secret 0 Password123$
  • When a call is forwarded back to a Webex Calling user (for example, both the called and calling parties are Webex Calling subscribers and have the media anchored at the Webex Calling SBC), the media cannot flow to the local gateway as the pinhole isn't open.

  • The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

  • STUN password is a prerequisite for the local gateway to send STUN messages out. IOS/IOS-XE based firewalls can be configured to check for this password and open pinholes dynamically (for example, without explicit in-out rules). But for the local gateway deployment case, the firewall is statically configured to open pinholes in and out based on the Webex Calling SBC subnets. As such, the firewall should just treat this as any inbound UDP packet which will trigger the pinhole opening without explicitly looking at the packet contents.

G729
sip
  g729 annexb-all

Allows all variants of G729.

SIP
early-offer forced

Forces the local gateway to send the SDP information in the initial INVITE message instead of waiting for acknowledgement from the neighboring peer.

2

Configure “SIP Profile 200”.

LocalGateway(config)# voice class sip-profiles 200
LocalGateway (config-class)# rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
LocalGateway (config-class)# rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>" 
LocalGateway (config-class)# rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
LocalGateway (config-class)# rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"

These rules are

Explanation of commands:

  • rule 9 ensures the header is listed as “SIP-Req-URI” and not “SIP-Req-URL”

    This converts between SIP URIs and SIP URLs, because Webex Calling doesn't support SIP URIs in the request/response messages, but needs them for SRV queries, e.g. _sips._tcp.<outbound-proxy>.
  • rule 20 modifies the From header to include the Trunk Group OTG/DTG parameter from Control Hub to uniquely identify a LGW site within an enterprise.

  • This SIP Profile will be applied to voice class tenant 200 (discussed later) for all traffic facing Webex Calling.
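To see what SIP profile 200 does to a message, the rules can be replayed over sample traffic. The following is an added example, not Cisco code: it is a simplified model that applies each rule once per matching header in rule-number order, which is an assumption about IOS-XE behaviour. The sample messages are constructed and the function names are hypothetical.

```python
import re

# Rules transcribed from "voice class sip-profiles 200" on this page:
# (rule number, message kind, header, match pattern, replacement)
RULES = [
    (9, "request", "SIP-Req-URI", r"sips:(.*)", r"sip:\1"),
    (10, "request", "To", r"<sips:(.*)", r"<sip:\1"),
    (11, "request", "From", r"<sips:(.*)", r"<sip:\1"),
    (12, "request", "Contact", r"<sips:(.*)>", r"<sip:\1;transport=tls>"),
    (13, "response", "To", r"<sips:(.*)", r"<sip:\1"),
    (14, "response", "From", r"<sips:(.*)", r"<sip:\1"),
    (15, "response", "Contact", r"<sips:(.*)", r"<sip:\1"),
    (20, "request", "From", r">", r";otg=hussain2572_lgu>"),
    (30, "request", "P-Asserted-Identity", r"sips:(.*)", r"sip:\1"),
]

# Constructed sample messages (not captured traffic).
REGISTER = """\
REGISTER sips:40462196.cisco-bcld.com SIP/2.0
Via: SIP/2.0/TLS 192.168.43.197:5061;branch=z9hG4bKconstructed1
From: <sips:Hussain6346_LGU@40462196.cisco-bcld.com>;tag=1
To: <sips:Hussain6346_LGU@40462196.cisco-bcld.com>
Contact: <sips:Hussain6346_LGU@192.168.43.197:5061>
Call-ID: constructed-1
CSeq: 1 REGISTER
"""

OK_RESPONSE = """\
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.43.197:5061;branch=z9hG4bKconstructed2
From: <sips:+14085550100@192.168.43.197>;tag=2
To: <sips:+16785550123@40462196.cisco-bcld.com>;tag=3
Contact: <sips:+16785550123@192.168.43.197:5061>
Call-ID: constructed-2
CSeq: 1 INVITE
"""


def apply_profile(message, rules=RULES):
    """Return the message as it would look after the profile's rewrite rules."""
    lines = message.strip().splitlines()
    start, headers = lines[0], lines[1:]
    # A status line starts with the SIP version; anything else is a request line.
    kind = "response" if start.startswith("SIP/2.0") else "request"
    for _number, rule_kind, header_name, pattern, replacement in sorted(rules):
        if rule_kind != kind:
            continue
        if header_name == "SIP-Req-URI":
            # SIP-Req-URI addresses the request line rather than a named header.
            start = re.sub(pattern, replacement, start, count=1)
            continue
        for i, line in enumerate(headers):
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == header_name.lower():
                headers[i] = name + sep + re.sub(pattern, replacement, value, count=1)
    return "\n".join([start] + headers)


def header(message, name):
    """Return the value of the first header called name, or None."""
    for line in message.splitlines()[1:]:
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


if __name__ == "__main__":
    print(apply_profile(REGISTER))
    print()
    print(apply_profile(OK_RESPONSE))
```

In the rewritten REGISTER the From header carries both the sips-to-sip change (rule 11) and the otg parameter (rule 20), while the response keeps its From header free of otg because rule 20 is scoped to requests.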

3

Configure Codec Profile, STUN definition, and SRTP Crypto suite.

LocalGateway(config)# voice class codec 99
LocalGateway(config-class)# codec preference 1 g711ulaw
LocalGateway(config-class)# codec preference 2 g711alaw 
LocalGateway(config-class)# codec preference 3 g729r8
LocalGateway(config-class)# exit
LocalGateway(config)# voice class srtp-crypto 200
LocalGateway(config-class)# crypto 1 AES_CM_128_HMAC_SHA1_80
LocalGateway(config-class)# exit
LocalGateway(config)# voice class stun-usage 200
LocalGateway(config-class)# stun usage firewall-traversal flowdata
LocalGateway(config-class)# exit

Explanation of commands:

  • Voice class codec 99: Allows both g729 and g711 (mu and a-law) codecs for sessions. Is applied to all the dial-peers.

  • Voice class srtp-crypto 200: Specifies SHA1_80 as the only SRTP cipher-suite that's offered by local gateway in the SDP in offer and answer. Webex Calling only supports SHA1_80.

  • Will be applied to voice class tenant 200 (discussed later) facing Webex Calling.

  • Voice class stun-usage 200: Defines STUN usage. Is applied to all Webex Calling-facing (2XX tag) dial-peers to avoid no-way audio when a Unified CM phone forwards the call to another Webex Calling phone.


 

In cases where media is anchored at the ITSP SBC and the Local Gateway is behind a NAT and waiting for the inbound media stream from ITSP, this command may be applied on ITSP facing dial-peers.

4

Map Control Hub parameters to local gateway configuration:

Webex Calling is added as a tenant within the local gateway. The configuration required to register the local gateway is defined under voice class tenant 200. You must obtain the elements of that configuration from the local gateway admin page within the Control Hub as shown in this screenshot. This is an example to display what fields map to the respective local gateway CLI.

Tenant 200 is then applied to all the Webex Calling facing dial-peers (2xx tag) within the local gateway configuration. The voice class tenant feature allows for grouping and configuring of SIP trunk parameters otherwise done under voice service voip and sip-ua. When a tenant is configured and applied under a dial-peer, the IOS-XE configurations are applied in the following order of preference:

  • Dial-peer configuration

  • Tenant configuration

  • Global configuration (voice service voip / sip-ua)

5

Configure voice class tenant 200 to enable trunk registration from the LGW to Webex Calling:

LocalGateway(config)#voice class tenant 200
  registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
  credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
  no remote-party-id
  sip-server dns:40462196.cisco-bcld.com
  connection-reuse
  srtp-crypto 200
  session transport tcp tls 
  url sips 
  error-passthru
  asserted-id pai 
  bind control source-interface GigabitEthernet0/0/1
  bind media source-interface GigabitEthernet0/0/1
  no pass-thru content custom-sdp 
  sip-profiles 200 
  outbound-proxy dns:1a01.sipconnect-us10.cisco-bcld.com  
  privacy-policy passthru

Explanation of commands:

voice class tenant 200

A local gateway's multitenant feature enables specific global configurations for multiple tenants on SIP trunks that allow differentiated services for tenants.

registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls

Registrar server for the Local gateway with the registration set to refresh every two minutes (50% of 240 seconds). For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-r1.html#wp1687622014.

credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks

Credentials for Trunk Registration challenge. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-c6.html#wp3153621104.

authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks
authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm 40462196.cisco-bcld.com

Authentication challenge for calls. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462.

no remote-party-id

Disables the SIP Remote-Party-ID (RPID) header, because Webex Calling supports PAI, which is enabled using the CLI asserted-id pai (see below).

sip-server dns:40462196.cisco-bcld.com

Webex Calling servers. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462

connection-reuse

To use the same persistent connection for registration and call processing.

srtp-crypto 200

Specifies SHA1_80 as defined in voice class srtp-crypto 200.

session transport tcp tls

Sets transport to TLS.

url sips

SRV query has to be SIPS as supported by the access SBC; all other messages are changed to SIP by sip-profile 200.

error-passthru

SIP error response pass-thru functionality

asserted-id pai

Turns on PAI processing in local gateway.

bind control source-interface GigabitEthernet0/0/1

Signaling source interface facing Webex Calling.

bind media source-interface GigabitEthernet0/0/1

Media source interface facing Webex Calling.

no pass-thru content custom-sdp

Default command under tenant.

sip-profiles 200

Changes SIPS to SIP and modifies Line/Port for INVITE and REGISTER messages as defined in voice class sip-profiles 200.

outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com

Webex Calling Access SBC. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-o1.html#wp3297755699.

privacy-policy passthru

Transparently pass across privacy header values from incoming to the outgoing leg.

After tenant 200 is defined within the local gateway and a SIP VoIP dial-peer is configured, the gateway then initiates a TLS connection towards Webex Calling, at which point the Access SBC presents its certificate to the local gateway. The local gateway validates the Webex Calling Access SBC certificate using the CA root bundle updated earlier. A persistent TLS session is established between the local gateway and Webex Calling Access SBC. The Local gateway then sends a REGISTER to the Access SBC which is challenged. Registration AOR is number@domain. The number is taken from credentials “number” parameter and domain from the “registrar dns:<fqdn>”. When the Registration is challenged, the username, password and realm parameters from credentials are used to build the header and sip-profile 200 converts SIPS URL back to SIP. Registration is successful once 200 OK is received from the Access SBC.

The following configuration on the local gateway is required for this deployment option:

  1. Voice class tenants—First we will create additional tenants for dial-peers facing ITSP similar to tenant 200 that we created for Webex Calling facing dial-peers.

  2. Voice class URIs—Patterns defining host IP addresses/ports for various trunks terminating on Local Gateway: Webex Calling to LGW; and PSTN SIP trunk termination on LGW.

  3. Outbound dial-peers—To route outbound call legs from LGW to ITSP SIP trunk and Webex Calling.

  4. Voice class DPG—Target outbound dial-peers invoked from an inbound dial-peer.

  5. Inbound dial-peers—To accept inbound call legs from ITSP and Webex Calling.

Configuration in this section can be used for either partner-hosted local gateway setup, as shown below, or local customer site gateway.

1

Configure the following voice class tenants:

  1. Voice class tenant 100 is applied on all OUTBOUND dial-peers facing IP PSTN.

    voice class tenant 100 
      session transport udp
      url sip
      error-passthru
      bind control source-interface GigabitEthernet0/0/0
      bind media source-interface GigabitEthernet0/0/0
      no pass-thru content custom-sdp
    
  2. Voice class tenant 300 is applied on all INBOUND dial-peers from IP PSTN.

    voice class tenant 300 
      bind control source-interface GigabitEthernet0/0/0
      bind media source-interface GigabitEthernet0/0/0
      no pass-thru content custom-sdp
    
2

Configure the following voice class URI:

  1. Define ITSP’s host IP address:

    voice class uri 100 sip
      host ipv4:192.168.80.13
    
  2. Define pattern to uniquely identify a local gateway site within an Enterprise based on Control Hub's TrunkGroup OTG/DTG parameter:

    voice class uri 200 sip
     pattern dtg=hussain2572.lgu
    

     

    Local gateway doesn't currently support underscore "_" in the match pattern. As a workaround, we use dot "." (match any) to match the "_".

    Received
    INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
       Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
     pattern :8934
    
3

Configure the following outbound dial peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 101 voip 
     description Outgoing dial-peer to IP PSTN
     destination-pattern BAD.BAD
     session protocol sipv2
     session target ipv4:192.168.80.13
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad

    Explanation of Commands:

    dial-peer voice 101 voip
     description Outgoing dial-peer to PSTN
    

    Defines a VOIP dial-peer with a tag of 101 and a meaningful description is given for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Digit pattern that allows selection of this dial-peer. However, we will invoke this outgoing dial-peer directly from the inbound dial-peer using DPG statements and that bypasses the digit pattern match criteria. As a result, we're using an arbitrary pattern based on alphanumeric digits allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address where this call leg will be sent. In this case, ITSP’s IP address.

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on this call leg.

    voice-class sip tenant 100

    The dial-peer will inherit all the parameters from Tenant 100 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Outbound dial-peer towards Webex Calling

    dial-peer voice 201 voip
     description Outgoing dial-peer to Webex Calling
     destination-pattern BAD.BAD
     session protocol sipv2
     session target sip-server
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class stun-usage 200
     no voice-class sip localhost
     voice-class sip tenant 200
     srtp
     no vad
    

    Explanation of commands:

    dial-peer voice 201 voip
         description Outgoing dial-peer to Webex Calling

    Defines a VOIP dial-peer with a tag of 201 and a meaningful description is given for ease of management and troubleshooting

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial peer. Webex Calling server defined in tenant 200 is inherited for this dial-peer.

    voice-class stun-usage 200

    The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    no voice-class sip localhost

    Disables substitution of the DNS localhost name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from Tenant 200 (LGW <--> Webex Calling Trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    SRTP is enabled for this call leg.

    no vad

    Disables voice activity detection.

4

Configure the following dial-peer groups (DPG):

  1. Defines dial-peer group 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We will apply DPG 100 to incoming dial-peer 200 defined later for Webex Calling --> LGW --> PSTN path.

    voice class dpg 100
     description Incoming Webex Calling(DP200) to IP PSTN(DP101)
     dial-peer 101 preference 1
    
  2. Define dial-peer group 200 with outbound dial-peer 201 as the target for CUCM --> LGW --> Webex Calling path. DPG 200 will be applied to incoming dial-peer 100 defined later.

    voice class dpg 200
     description Incoming IP PSTN(DP100) to Webex Calling(DP201)
     dial-peer 201 preference 1
    
5

Configure the following Inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
     description Incoming dial-peer from PSTN
     session protocol sipv2
     destination dpg 200
     incoming uri via 100
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 300
     no vad
    

    Explanation of Commands

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN

    Defines a VOIP dial-peer with a tag of 100 and a meaningful description is given for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    incoming uri via 100

    All incoming traffic from IP PSTN to LocalGW is matched on the incoming VIA header’s host IP address defined in voice class URI 100 SIP to match based on source IP (ITSP’s) address.

    destination dpg 200

    With the destination dpg 200, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination Dial-peer group 200, which is dial-peer 201.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Inbound dial-peer for incoming Webex Calling call legs:

    dial-peer voice 200 voip
     description Incoming dial-peer from Webex Calling
     session protocol sipv2
     destination dpg 100
     incoming uri request 200
     voice-class codec 99
     voice-class stun-usage 200
     voice-class sip tenant 200
     srtp
     no vad
    

    Explanation of Commands

    dial-peer voice 200 voip
    description Incoming dial-peer from Webex Calling

    Defines a VOIP dial-peer with a tag of 200 and a meaningful description is given for ease of management and troubleshooting.

    incoming uri request 200

    All incoming traffic from Webex Calling to LGW can be matched on the unique dtg pattern in the request URI, uniquely identifying the local gateway site within an Enterprise and in the Webex Calling ecosystem.

    destination dpg 100

    With the destination dpg 100, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination Dial-peer group 300, which is dial-peer 101.

    voice-class stun-usage 200

    The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    voice-class sip tenant 200

    The dial-peer will inherit all the parameters from Tenant 200 unless that same parameter is defined under the dial-peer itself.

    srtp

    Enables SRTP for this call leg.

    no vad

    Disables voice activity detection.

PSTN to Webex Calling

All incoming IP PSTN call legs on the local gateway are matched on dial-peer 100 as it defines a match criteria for the VIA header with the IP PSTN’s IP address. Outbound dial-peer selection is dictated by DPG 200 that directly invokes outgoing dial-peer 201, which has the Webex Calling server listed as the target destination.

Webex Calling to PSTN

All incoming Webex Calling call legs on the local gateway are matched on dial-peer 200 as it meets a match criteria for the REQUEST URI header pattern with the TrunkGroup OTG/DTG parameter, unique to this local gateway deployment. Outbound dial-peer selection is dictated by DPG 100 that directly invokes outgoing dial-peer 101, which has the IP PSTN IP address listed as the target destination.
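The two call flows above can be traced with a small model of the inbound match and the dial-peer group lookup. The following is an added example, not Cisco code: the tables mirror voice class uri 100/200, dial-peers 100/200 and DPG 100/200 from this page. Evaluating inbound dial-peers in list order is an assumption of the model, the function names are hypothetical, and the second and third INVITEs are constructed.

```python
import re

# voice class uri definitions from this page.
URI_CLASS = {
    100: ("host", "192.168.80.13"),
    200: ("pattern", r"dtg=hussain2572.lgu"),
}
# (inbound dial-peer tag, "incoming uri" keyword, voice class uri, destination dpg)
INBOUND = [(100, "via", 100, 200), (200, "request", 200, 100)]
DPG = {100: 101, 200: 201}  # dial-peer group -> outbound dial-peer (preference 1)
OUTBOUND = {101: "IP PSTN (ipv4:192.168.80.13)", 201: "Webex Calling (sip-server)"}

# Request line and Via as shown on this page.
FROM_WEBEX = """\
INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
"""
# Constructed INVITE arriving from the ITSP address used on this page.
FROM_PSTN = """\
INVITE sip:+14085550100@192.168.80.14:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.80.13:5060;branch=z9hG4bKconstructed1
"""
# Constructed INVITE from an address and URI that match nothing configured.
UNKNOWN = """\
INVITE sip:+14085550100@192.168.80.14:5060 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bKconstructed2
"""


def parse_invite(text):
    """Return (request URI, sent-by of the top Via header)."""
    lines = text.strip().splitlines()
    _method, uri, _version = lines[0].split()
    via = next((l for l in lines[1:] if l.strip().lower().startswith("via:")), None)
    if via is None:
        return uri, ""
    # "Via: SIP/2.0/TLS host:port;params" -> "host:port"
    sent_by = via.split(":", 1)[1].split()[1].split(";")[0]
    return uri, sent_by


def uri_class_matches(uri_tag, keyword, uri, sent_by):
    kind, value = URI_CLASS[uri_tag]
    subject = sent_by if keyword == "via" else uri
    if kind == "host":
        # IPv4 only: compare the first dotted quad found in the subject.
        found = re.search(r"\d+\.\d+\.\d+\.\d+", subject)
        return bool(found) and found.group(0) == value
    # "pattern" is a regular expression, so "." matches any single character.
    return re.search(value, subject) is not None


def route(invite):
    """Return (inbound dial-peer, outbound dial-peer, target) or None."""
    uri, sent_by = parse_invite(invite)
    for tag, keyword, uri_tag, dpg in INBOUND:
        if uri_class_matches(uri_tag, keyword, uri, sent_by):
            outbound = DPG[dpg]
            return tag, outbound, OUTBOUND[outbound]
    return None  # no configured inbound dial-peer matches this call leg


if __name__ == "__main__":
    for name, msg in (("webex", FROM_WEBEX), ("pstn", FROM_PSTN), ("unknown", UNKNOWN)):
        print(name, "->", route(msg))
```

Because the dot in the uri 200 pattern matches any single character, the match is wider than the literal dtg value. The dtg pattern therefore selects a dial-peer but does not authenticate the sender, which is what the TLS trunk and the IP address trusted list configured earlier are for.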

For this deployment option, the following configuration on the local gateway is required:

  1. Voice class tenants—You must create additional tenants for dial-peers facing Unified CM and ITSP, similar to tenant 200 that we created for Webex Calling facing dial-peers.

  2. Voice class URIs—Patterns defining host IP addresses/ports for various trunks terminating on the LGW: from Unified CM to LGW for PSTN destinations; Unified CM to LGW for Webex Calling destinations; Webex Calling to LGW; and PSTN SIP trunk termination on LGW.

  3. Voice class server-group—Target IP addresses/ports for outbound trunks from LGW to Unified CM, LGW to Webex Calling, and LGW to PSTN SIP trunk.

  4. Outbound dial-peers—To route outbound call legs from LGW to Unified CM, ITSP SIP trunk, and/or Webex Calling.

  5. Voice class DPG—Target outbound dial-peer(s) invoked from an inbound dial-peer.

  6. Inbound dial-peers—To accept inbound call legs from Unified CM, ITSP, and/or Webex Calling.

1

Configure the following voice class tenants:

  1. Voice class tenant 100 is applied on all outbound dial-peers facing Unified CM and IP PSTN:

    voice class tenant 100 
      session transport udp
      url sip
      error-passthru
      bind control source-interface GigabitEthernet0/0/0
      bind media source-interface GigabitEthernet0/0/0
      no pass-thru content custom-sdp
    
  2. Voice class tenant 300 will be applied on all inbound dial-peers from Unified CM and IP PSTN:

    voice class tenant 300 
      bind control source-interface GigabitEthernet0/0/0
      bind media source-interface GigabitEthernet0/0/0
      no pass-thru content custom-sdp
    
2

Configure the following voice class URIs:

  1. Defines ITSP’s host IP address:

    voice class uri 100 sip
      host ipv4:192.168.80.13
    
  2. Define pattern to uniquely identify a local gateway site within an Enterprise based on Control Hub's TrunkGroup OTG/DTG parameter:

    voice class uri 200 sip
     pattern dtg=hussain2572.lgu
    

     

    The local gateway doesn't currently support underscore "_" in the match pattern. As a workaround, we use dot "." (match any) to match the "_".

    Received
    INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
       Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
     pattern :8934
    
  3. Defines Unified CM signaling VIA port for the Webex Calling trunk:

    voice class uri 300 sip
     pattern :5065
    
  4. Defines CUCM source signaling IP and VIA port for PSTN trunk:

    voice class uri 302 sip
     pattern 192.168.80.60:5060
    
3

Configure the following voice class server-groups:

  1. Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 1 (5 nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex Calling <-> LGW --> Unified CM).

    voice class server-group 301
     ipv4 192.168.80.60 port 5065
    
  2. Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 2 if applicable:

    voice class server-group 303
     ipv4 192.168.80.60 port 5065
    
  3. Defines Unified CM trunk’s target host IP address for Unified CM Group 1 (5 nodes). Unified CM uses default port 5060 for inbound traffic on the PSTN trunk. With no port number specified, default 5060 is used. (PSTN <-> LGW --> Unified CM)

    voice class server-group 305
     ipv4 192.168.80.60
    
  4. Defines Unified CM trunk’s target host IP address for Unified CM Group 2, if applicable.

    voice class server-group 307 
     ipv4 192.168.80.60
    
4

Configure the following outbound dial-peers:

  1. Outbound dial-peer towards IP PSTN:

    dial-peer voice 101 voip 
     description Outgoing dial-peer to IP PSTN
     destination-pattern BAD.BAD
     session protocol sipv2
     session target ipv4:192.168.80.13
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad
    

    Explanation of commands

    dial-peer voice 101 voip
    description Outgoing dial-peer to IP PSTN

    Defines a VoIP dial-peer with tag 101 and gives it a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Digit pattern that will allow selection of this dial-peer. However, we will invoke this outgoing dial-peer directly from the inbound dial-peer using DPG statements and that bypasses the digit pattern match criteria. As a result, we're using an arbitrary pattern based on alphanumeric digits allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address where this call leg will be sent. (In this case, ITSP’s IP address.)

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    voice-class sip tenant 100

    The dial-peer will inherit all the parameters from Tenant 100 unless that same parameter is defined under the dial-peer itself.

  2. Outbound dial-peer towards Webex Calling:

    dial-peer voice 201 voip
     description Outgoing dial-peer to Webex Calling
     destination-pattern BAD.BAD
     session protocol sipv2
     session target sip-server
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class stun-usage 200
     no voice-class sip localhost
     voice-class sip tenant 200
     srtp
     no vad
    

    Explanation of commands

    dial-peer voice 201 voip
     description Outgoing dial-peer to Webex Calling

    Defines a VoIP dial-peer with tag 201 and gives it a meaningful description for ease of management and troubleshooting.

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial-peer. The Webex Calling server defined in tenant 200 is inherited by this dial-peer.

    voice-class stun-usage 200

    The STUN bindings feature on the LGW allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    no voice-class sip localhost

    Disables substitution of the DNS localhost name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from Tenant 200 (LGW <--> Webex Calling Trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    SRTP is enabled for this call leg.

  3. Outbound dial-peer toward Unified CM's Webex Calling Trunk:

    dial-peer voice 301 voip
     description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5
     destination-pattern BAD.BAD
     session protocol sipv2
     session server-group 301
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad
    

    Explanation of Commands

    dial-peer voice 301 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5

    Defines a VoIP dial-peer with tag 301 and gives it a meaningful description for ease of management and troubleshooting.

    session server-group 301

    Instead of a session target IP in the dial-peer, we point to a destination server group (server-group 301 for dial-peer 301) to define multiple target UCM nodes, although the example shows only a single node.

    Server Group in Outbound Dial Peer

    With multiple dial-peers in the DPG and multiple servers in the dial-peer server group, we can achieve random distribution of calls over all Unified CM call processing subscribers or hunt based on a defined preference. Each server group can have up to five servers (IPv4/v6 with or without port). A second dial-peer and second server group is only required if more than five call processing subscribers are used.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/multiple-server-groups.html for more information.

  4. Second outbound dial-peer toward Unified CM's Webex Calling Trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 303 voip
     description Outgoing dial-peer to CUCM-Group-2 for inbound from Webex Calling - Nodes 6 to 10
     destination-pattern BAD.BAD
     session protocol sipv2
     session server-group 303
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad

  5. Outbound dial-peer toward Unified CM's PSTN trunk:

    dial-peer voice 305 voip
     description Outgoing dial-peer to CUCM-Group-1 for inbound from PSTN - Nodes 1 to 5
     destination-pattern BAD.BAD
     session protocol sipv2
     session server-group 305
     voice-class codec 99 
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad
    
  6. Second outbound dial-peer toward Unified CM’s PSTN Trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 307 voip
     description Outgoing dial-peer to CUCM-Group-2 for inbound from PSTN - Nodes 6 to 10
     destination-pattern BAD.BAD
     session protocol sipv2
     session server-group 307
     voice-class codec 99  
     dtmf-relay rtp-nte
     voice-class sip tenant 100
     no vad
    
5

Configure the following DPG:

  1. Defines DPG 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We will apply DPG 100 to incoming dial-peer 302 defined later for the Unified CM --> LGW --> PSTN path:

    voice class dpg 100
     dial-peer 101 preference 1
    
  2. Define DPG 200 with outbound dial-peer 201 as the target for Unified CM --> LGW --> Webex Calling path:

    voice class dpg 200
     dial-peer 201 preference 1
    
  3. Define DPG 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW --> Unified CM path:

    voice class dpg 300
     dial-peer 301 preference 1
     dial-peer 303 preference 1
    
  4. Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM path:

    voice class dpg 302
     dial-peer 305 preference 1
     dial-peer 307 preference 1
    
6

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
     description Incoming dial-peer from PSTN
     session protocol sipv2
     destination dpg 302
     incoming uri via 100
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 300
     no vad
    

    Explanation of Commands

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN

    Defines a VoIP dial-peer with tag 100 and gives it a meaningful description for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    incoming uri via 100

    All incoming traffic from IP PSTN to LGW is matched on the incoming VIA header’s host IP address, defined in voice class URI 100 SIP, so that the match is based on the source (ITSP’s) IP address.

    destination dpg 302

    With the destination DPG 302, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination DPG 302, which can be either dial-peer 305 or dial-peer 307.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

  2. Inbound dial-peer for incoming Webex Calling call legs:

    dial-peer voice 200 voip
     description Incoming dial-peer from Webex Calling
     session protocol sipv2
     destination dpg 300
     incoming uri via 200
     incoming uri request 200
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class stun-usage 200
     voice-class sip tenant 200
     srtp
     no vad
    

    Explanation of Commands

    dial-peer voice 200 voip
    description Incoming dial-peer from Webex Calling

    Defines a VoIP dial-peer with tag 200 and gives it a meaningful description for ease of management and troubleshooting.

    incoming uri request 200

    All incoming traffic from Webex Calling to LGW can be matched on the unique dtg pattern in the request URI, uniquely identifying a local gateway site within an Enterprise and in the Webex Calling ecosystem.

    destination dpg 300

    With the destination DPG 300, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination DPG 300, which can be either dial-peer 301 or dial-peer 303.

    voice-class stun-usage 200

    The STUN bindings feature on the LGW allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from Tenant 200 unless that same parameter is defined under the dial-peer itself.

    srtp

    Enables SRTP for this call leg.

  3. Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination:

    dial-peer voice 300 voip
     description Incoming dial-peer from CUCM for Webex Calling
     session protocol sipv2
     destination dpg 200
     incoming uri via 300
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 300
     no vad
    

    Explanation of Commands

    dial-peer voice 300 voip
    description Incoming dial-peer from CUCM for Webex Calling

    Defines a VoIP dial-peer with tag 300 and gives it a meaningful description for ease of management and troubleshooting.

    incoming uri via 300

    All incoming traffic from Unified CM to LGW is matched on the via source port (5065), defined in voice class URI 300 SIP.

    destination dpg 200

    With the destination DPG 200, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination DPG 200, which will be dial-peer 201.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

  4. Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:

    dial-peer voice 302 voip
     description Incoming dial-peer from CUCM for PSTN
     session protocol sipv2
     destination dpg 100
     incoming uri via 302
     voice-class codec 99
     dtmf-relay rtp-nte
     voice-class sip tenant 300
     no vad
    

    Explanation of Commands

    dial-peer voice 302 voip
    description Incoming dial-peer from CUCM for PSTN

    Defines a VoIP dial-peer with tag 302 and gives it a meaningful description for ease of management and troubleshooting.

    incoming uri via 302

    All incoming traffic from Unified CM to LGW for a PSTN destination is matched on the Unified CM source signaling IP address and VIA port defined in voice class URI 302 SIP. Standard SIP port 5060 is used.

    destination dpg 100

    With the destination DPG 100, IOS-XE bypasses the classic outbound dial-peer matching criteria and proceeds straight away to set up the outgoing call leg using dial-peers defined within destination DPG 100, which will be dial-peer 101.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.
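The six steps above only route calls if every reference resolves (inbound dial-peer to DPG, DPG to outbound dial-peers, dial-peer to server-group) and if the Webex Calling legs keep `srtp`. The following Python audit is an added example, not part of the original guide or of any Cisco tooling; the names `parse`, `audit` and `webex_tenant` are assumptions made here, and the sample configuration is a constructed excerpt.

```python
# Constructed excerpt of this page's config; dial-peer 307 and server-group 305 are left out on purpose.
SAMPLE = """\
voice class dpg 200
 dial-peer 201 preference 1
voice class dpg 302
 dial-peer 305 preference 1
 dial-peer 307 preference 1
dial-peer voice 100 voip
 destination dpg 302
dial-peer voice 300 voip
 destination dpg 200
dial-peer voice 201 voip
 voice-class sip tenant 200
 srtp
dial-peer voice 305 voip
 session server-group 305
"""

def parse(cfg):
    """Map each unindented header line to its indented sub-commands."""
    blocks, head = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if not line[0].isspace():
            head = " ".join(line.split())  # normalise spacing
            blocks.setdefault(head, [])
        elif head:
            blocks[head].append(" ".join(line.split()))
    return blocks

def audit(cfg, webex_tenant="200"):
    """Return (routes, findings) for the inbound dial-peer -> DPG -> outbound chain."""
    blocks, routes, findings = parse(cfg), {}, []
    for head, body in blocks.items():
        tag = head.split()[2] if head.startswith("dial-peer voice ") else None
        for cmd in body if tag else []:
            kind, _, ref = cmd.rpartition(" ")
            if kind == "destination dpg":
                members = blocks.get(f"voice class dpg {ref}", [])
                routes[tag] = [c.split()[1] for c in members if c.startswith("dial-peer ")]
                findings += [f"dpg {ref}: dial-peer {t} is not defined" for t in routes[tag]
                             if f"dial-peer voice {t} voip" not in blocks]
                if not routes[tag]:
                    findings.append(f"dial-peer {tag}: dpg {ref} is undefined or empty")
            elif kind == "session server-group" and f"voice class server-group {ref}" not in blocks:
                findings.append(f"dial-peer {tag}: server-group {ref} is not defined")
        if tag and f"voice-class sip tenant {webex_tenant}" in body and "srtp" not in body:
            findings.append(f"dial-peer {tag}: tenant {webex_tenant} leg without srtp")
    return routes, findings
```

Pass it the text of `show running-config`; the SRTP check assumes tenant 200 is the Webex Calling tenant, as on this page.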

IP PSTN to Unified CM PSTN Trunk

Webex Calling Platform to Unified CM Webex Calling Trunk

Unified CM PSTN Trunk to IP PSTN

Unified CM Webex Calling Trunk to Webex Calling Platform