סקירה

Webex Calling תומך כעת בשתי גרסאות של שער מקומי:

  • שער מקומי

  • שער מקומי עבור Webex for Government

שיקולים מרכזיים

  • לפני שתתחיל, הבין את דרישות רשת הטלפון הממותגת הציבורית (PSTN) ואת דרישות השער המקומי (LGW) עבור Webex Calling. עיין בארכיטקטורה המועדפת של Cisco עבור Webex Calling לקבלת מידע נוסף.

  • מאמר זה מניח שפלטפורמת שער מקומי ייעודית קיימת ללא תצורת קול קיימת. אם תשנה פריסה קיימת של שער PSTN או פריסה ארגונית של CUBE כדי להשתמש בפונקציית השער המקומי עבור Webex Calling, שים לב היטב לתצורה. ודא שלא תפריע לזרימות השיחות והפונקציונליות הקיימות בשל השינויים שביצעת.

הפרוצדורות מכילות קישורים לתיעוד הפניה לפקודה שבה תוכל ללמוד עוד על אפשרויות הפקודה הבודדות. כל קישורי הפקודות עוברים לעיון הפקודות של Webex Managed Gateways Command Reference , אלא אם כן צוין אחרת (במקרה זה, קישורי הפקודות עוברים לעיון הפקודות הקוליות של Cisco IOS). באפשרותך לגשת לכל המדריכים האלה ב-Cisco Unified Border Element Command References.

לקבלת מידע אודות SBCs הנתמכים של צד שלישי, עיין בתיעוד הפניה למוצר המתאים.

קבע את תצורת השער המקומי שלך

קיימות שתי אפשרויות לקביעת התצורה של השער המקומי עבור ה-trunk של Webex Calling:

  • Trunk מבוסס רישום

  • Trunk המבוסס על תעודה

השתמש בזרימת המשימה תחת השער המקומי המבוסס על הרישום או שער מקומי המבוסס על תעודה כדי להגדיר את השער המקומי עבור ה-trunk של Webex Calling.

ראה תחילת העבודה עם שער מקומי לקבלת מידע נוסף על סוגי ה-trunk שונים. בצע את השלבים הבאים בשער המקומי עצמו באמצעות ממשק שורת הפקודה (CLI). אנו משתמשים בהעברת פרוטוקול התחלת הפעלה (SIP) ואבטחת שכבת תעבורה (TLS) כדי לאבטח את ה-TRUNK ואת פרוטוקול זמן אמת מאובטח (SRTP) כדי לאבטח את המדיה בין השער המקומי ל-Webex Calling.

שיקולים מרכזיים

שער מקומי עבור Webex for Government אינו תומך בדברים הבאים:

  • STUN/ICE-Lite עבור מיטוב נתיב מדיה

  • פקס (T.38)

קבע את תצורת השער המקומי שלך עבור Webex for Government

כדי להגדיר שער מקומי עבור ה-trunk של Webex Calling ב-Webex for Government, השתמש באפשרות הבאה:

  • Trunk המבוסס על תעודה

השתמש בזרימת המשימה תחת השער המקומי המבוסס על תעודה כדי להגדיר את השער המקומי עבור ה-trunk של Webex Calling. לקבלת פרטים נוספים על אופן קביעת התצורה של שער מקומי המבוסס על תעודה, ראה הגדרת trunk המבוסס על תעודת Webex Calling.

חובה להגדיר צפני GCM תואמים ל-FIPS לתמיכה בשער המקומי עבור Webex for Government. אם לא, הגדרת השיחה נכשלה. לקבלת פרטי תצורה, ראה trunk מבוסס על תעודת Webex Calling.

Webex for Government אינו תומך בשער מקומי מבוסס רישום.

סקירה כללית של העיצוב

סעיף זה מתאר כיצד להגדיר רכיב גבול Cisco Unified (CUBE) כשער מקומי עבור Webex Calling, באמצעות רישום SIP trunk. החלק הראשון של מסמך זה ממחיש כיצד להגדיר שער PSTN פשוט. במקרה זה, כל השיחות מ-PSTN מנותבות ל-Webex Calling וכל השיחות מ-Webex Calling מנותבות ל-PSTN. התמונה שלהלן מדגישה את הפתרון הזה ואת תצורת ניתוב השיחות ברמה הגבוהה שתבצע מעקב.

בתכנון זה, נעשה שימוש בתצורות הראשיות הבאות:

  • דיירי מחלקה קולית: משמש ליצירת תצורות ספציפיות של trunk.

  • Uri של מחלקת קול: משמש לסיווג הודעות SIP עבור הבחירה של עמית חיוג נכנס.

  • עמית חיוג נכנס: מספק טיפול להודעות SIP נכנסות וקובע את הנתיב היוצא עם קבוצת עמיתי חיוג.

  • קבוצת עמיתי חיוג: מגדיר את עמיתי החיוג היוצא המשמשים לניתוב שיחות קדימה.

  • עמית חיוג יוצא: מספק טיפול להודעות SIP יוצאות ומנתב אותן למטרה הנדרשת.

ניתוב שיחות מ-PSTN אל פתרון תצורת Webex Calling/ממנו

בעוד ש-IP ו-SIP הפכו לפרוטוקולי ברירת המחדל עבור ענפי TRUNK של PSTN, מעגלי ISDN של TDM (ריבוב חלוקת זמן) עדיין נמצאים בשימוש נרחב ונתמכים עם ענפי trunk של Webex Calling. כדי לאפשר אופטימיזציה של מדיה של נתיבי IP עבור שערים מקומיים עם זרימות שיחות TDM-IP, יש צורך כעת להשתמש בתהליך ניתוב שיחות של שני רגל. גישה זו משנה את תצורת ניתוב השיחות המוצגת לעיל, על-ידי הצגת קבוצה של עמיתי חיוג חוזר פנימי בין ענפי Webex Calling וענפי PSTN, כפי שמודגם בתמונה שלהלן.

בעת חיבור פתרון מקומי של Cisco Unified Communications Manager עם Webex Calling, באפשרותך להשתמש בתצורת שער PSTN הפשוט כקו בסיס לבניית הפתרון המואר בתרשים הבא. במקרה זה, Unified Communications Manager מספק ניתוב וטיפול מרכזי בכל שיחות PSTN ו-Webex Calling.

לאורך מסמך זה, נעשה שימוש בשמות המארח, כתובות ה-IP והממשקים המוארים בתמונה הבאה.

השתמש בהנחיית התצורה בשאר המסמך הזה כדי להשלים את תצורת השער המקומי שלך באופן הבא:

  • שלב 1: קבע תצורה של קישוריות ואבטחה של קו בסיס נתב

  • שלב 2: קביעת התצורה של Trunk של Webex Calling

    בהתאם לארכיטקטורה הנדרשת שלך, בצע גם:

  • שלב 3: קבע תצורה של שער מקומי עם trunk של SIP PSTN

  • שלב 4: קבע תצורה של שער מקומי עם סביבת Unified CM קיימת

    או:

  • שלב 3: קבע תצורה של שער מקומי עם trunk של TDM PSTN

קבע תצורה של קישוריות ואבטחה

תצורת קו בסיס

הצעד הראשון בהכנת נתב Cisco כשער מקומי עבור Webex Calling הוא לבנות תצורת קו בסיס שמאבטחת את הפלטפורמה שלך ומבססת את הקישוריות.

  • כל פריסות השער המקומי מבוססות הרישום דורשות מגרסאות Cisco IOS XE 17.6.1a ואילך. בגרסאות המומלצות, עיין בדף מחקר התוכנה של Cisco . חפש את הפלטפורמה ובחר באחת המהדורות המוצעות.

    • יש להגדיר נתבים מסדרת ISR4000 עם רישיונות Unified Communications ו-Security Technology.

    • נתבי סדרת Catalyst Edge 8000 מצוידים בכרטיסי קול או DSPs דורשים רישוי DNA Advantage. נתבים ללא כרטיסי קול או DSP דורשים רישוי של DNA Essentials.

  • בנה תצורת קו בסיס עבור הפלטפורמה שלך שתואמת את המדיניות העסקית שלך. בפרט, קבע את התצורה של הפעולות הבאות ואמת את הפעולות הבאות:

    • NTP

    • רשימת גישה

    • אימות משתמש וגישה מרחוק

    • DNS

    • ניתוב IP

    • כתובות IP

  • הרשת כלפי Webex Calling חייבת להשתמש בכתובת IPv4.

  • העלה את חבילת CA של Cisco root לשער המקומי.

תצורה

1

ודא שאתה מקצה כתובות IP חוקיות וניתנות לניתוב לכל ממשקי שכבה 3, לדוגמה:

 ממשק GigabitEthernet0/0/0 תיאור ממשק הפונה ל-PSTN ו/או כתובת IP CUCM 10.80.13.12 255.255.255.0 ! ממשק GigabitEthernet0/0/1 תיאור ממשק הפונה ל-Webex Calling (כתובת פרטית) כתובת ip 192.51.100.1 255.255.255.240

2

הגן על פרטי רישום ואישורי STUN בנתב באמצעות הצפנה סימטרית. הגדר את מפתח ההצפנה הראשי ואת סוג ההצפנה באופן הבא:

 מפתח config-key password-encrypt-key encryption t YourPassword password encryption aes

3

צור נקודת אמון של PKI מציין מיקום.

דורש נקודת האמון הזו לקבוע את התצורה של TLS מאוחר יותר. עבור ענפי trunk מבוססי רישום, נקודת האמון הזו אינה דורשת אישור - כפי שיידרש ל-trunk המבוסס על תעודה.
 איפוס סיסמה - EmptyTP Revocation
4

הפעל בלעדיות TLS1.2 וציין את נקודת האמון של ברירת המחדל באמצעות פקודות התצורה הבאות. יש לעדכן גם את פרמטרי התעבורה כדי להבטיח חיבור מאובטח אמין לרישום:

פקודת השרת cn-san-validate מבטיחה שהשער המקומי מאפשר חיבור אם שם המארח המוגדר בדייר 200 כלול בשדות ה-CN או ה-SAN של התעודה המתקבלת מתוך ה-proxy היוצא.

  1. הגדר ספירת tcp-retry ל-1000 (כפולות של 5 אלפיות שנייה = 5 שניות).

  2. פקודת הגדרת חיבור טיימר מאפשרת לך לכוונן את משך הזמן שבו ה-LGW ממתין להגדרת חיבור עם ה-proxy לפני שתשקול את האפשרות הזמינה הבאה. ברירת המחדל עבור שעון עצר זה היא 20 שניות והמינימום 5 שניות. התחל עם ערך נמוך ועלייה במידת הצורך כדי להתאים לתנאי הרשת.

 חיבור טיימרים sip-ua ליצור tls 5 תעבורה tcp tls v1.2 איתות הצפנה המהווה ברירת מחדל trustpoint EmptyTP cn-san-validate server tcp-retry 1000

5

התקן את חבילת Cisco root CA, הכוללת את אישור DigiCert CA המשמש את Webex Calling. השתמש בפקודה הנקייה של מאגר האמון pki ההצפנה כדי להוריד את חבילת CA השורש מה-URL שצוין, וכדי לנקות את מאגר האמון של CA הנוכחי, ואז להתקין את החבילה החדשה של האישורים:

אם עליך להשתמש ב-proxy לגישה לאינטרנט באמצעות HTTPS, הוסף את התצורה הבאה לפני היבוא של חבילת CA:

ip http לקוח proxy-server proxy.com יציאת proxy 80
 ip http לקוח מקור-ממשק GigabitEthernet0/0/1 הצפנה pki trustpool ייבוא url נקי ⁦https://www.cisco.com/security/pki/trs/ios_core.p7b⁩
קבע תצורה של trunk מבוסס רישום של Webex Calling
1

צור trunk של PSTN המבוסס על רישום עבור מיקום קיים ב-Control Hub. שים לב למידע ה-trunk שסופק ברגע שה-trunk נוצר. פרטים אלה, כפי שהודגש באיור הבא, ישמשו בשלבים התצורה במדריך זה. למידע נוסף, ראה קביעת תצורה של ענפי trunk, קבוצות ניתוב ותוכניות חיוג עבור Webex Calling.

2

הזן את הפקודות הבאות כדי להגדיר את CUBE כשער מקומי של Webex Calling:

 שירות קול כתובת IP voip רשימה מהימנה ipv4 x.x.x.x y.y.y.y מצב border-element מדיה סטטיסטיקת מדיה bulk-stats allow-connections sip to sip no supplementary-service sip refer stun stun flowdata agent-id 1 boot-count 4 stun flowdata shared-secret 0 Password $ sip payload asymmetric full early-offer forced

הנה הסבר על השדות עבור התצורה:

 כתובת IP מהימנה  ipv4 x.x.x.x y.y.y.y

  • כדי להגן מפני הונאת תשלום, רשימת הכתובות המהימנות מגדירה רשימה של מארחים ורשתות שמהם השער המקומי מצפה לשיחות VoIP לגיטימיות.

  • כברירת מחדל, שער מקומי חוסם את כל הודעות ה-VoIP הנכנסות מכתובות IP שאינן ברשימה המהימנה שלה. עמיתי חיוג מוגדרים באופן סטטי עם כתובות IP של יעד הפעלה או כתובות IP של קבוצת שרתים הם מהימנים כברירת מחדל, לכן אין צורך להוסיף לרשימה המהימנה.

  • בעת קביעת התצורה של השער המקומי שלך, הוסף לרשימה את רשתות המשנה של IP של מרכז הנתונים האזורי של Webex Calling. לקבלת מידע נוסף, ראה מידע עזר לגבי יציאות עבור Webex Calling. כמו כן, הוסף טווחי כתובות עבור שרתי Unified Communications Manager (אם נעשה בהם שימוש) ושערים trunk של PSTN.

    אם ה-LGW שלך נמצא מאחורי חומת אש עם NAT חרוט מוגבל, ייתכן שתעדיף להשבית את הרשימה המהימנה של כתובות ה-IP בממשק הפונה ל-Webex Calling. חומת האש כבר מגינה עליך מפני VoIP נכנס שלא ביקשתם. השבת פעולה מפחיתה את תקורת התצורה לטווח ארוך יותר, מכיוון שאיננו יכולים להבטיח שהכתובות של עמיתי Webex Calling יישארו קבועות, ועליך להגדיר את חומת האש שלך עבור העמיתים בכל מקרה.

רכיב גבול מצב

מאפשר תכונות Cisco Unified Border Element ‏(CUBE) בפלטפורמה.

סטטיסטיקת מדיה

מאפשר ניטור מדיה בשער המקומי.

סטטיסטיקות בצובר מדיה

מאפשר למטוס הבקרה לסקור את מישור הנתונים עבור סטטיסטיקת שיחות בצובר.

למידע נוסף על פקודות אלה, ראה מדיה.

Sip לחיבורים לאפשר ל-SIP

הפעל פונקציונליות בסיסית של CUBE SIP גב אל גב של סוכן משתמש. למידע נוסף, ראה אפשר חיבורים.

כברירת מחדל, תעבורת פקס T.38 מופעלת. למידע נוסף, ראה פרוטוקול פקס t (שירות קולי).

גבר

מאפשר STUN (מעבר הפעלה של UDP דרך NAT) באופן גלובלי.

  • כאשר אתה מעביר שיחה למשתמש Webex Calling (לדוגמה, גם הצד המתקשר וגם הצד המתקשר הם מנויי Webex Calling ואם תעגן מדיה ב-SBC של Webex Calling), המדיה לא תוכל לזרום לשער המקומי מכיוון שחור הסיכה אינו פתוח.

  • תכונת איגודי STUN בשער המקומי מאפשרת לשלוח בקשות STUN שנוצרו באופן מקומי דרך נתיב המדיה המתווך במשא ומתן. זה עוזר לפתוח את חור הסיכה בחומת האש.

לקבלת מידע נוסף, ראה Stun flowdata agent-id ו- stun flowdata data shared-secret.

מנה אסימטרית מלאה

מגדיר תמיכת תוכן מנה אסימטרי SIP עבור מטענים DTMF ומטען קודק דינמי. לקבלת מידע נוסף אודות פקודה זו, ראה מטען אסימטרי.

הצעה מוקדמת כפוי

מאלץ את השער המקומי לשלוח מידע SDP בהודעת INVITE הראשונית במקום להמתין לאישור מהעמית השכן. לקבלת מידע נוסף אודות פקודה זו, ראה הצעה מוקדמת.

3

קבע את התצורה של מסנן Codec 100 של מחלקה קולית עבור ה-trunk. בדוגמה זו, משתמשים באותו מסנן קודק עבור כל ענפי ה-trunk. ניתן להגדיר מסננים עבור כל trunk לצורך שליטה מדויקת.

 קודק סוג קול 100 קודק העדפת 1 אופוס קודק העדפת 2 g711ulaw קודק העדפת 3 g711alaw

הנה הסבר על השדות עבור התצורה:

קודק סוג קול 100

משמש כדי לאפשר קודקים מועדפים עבור שיחות דרך ענפי SIP trunk. למידע נוסף, ראה Codec של מחלקה קולית.

קודק Opus נתמך רק עבור ענפי trunk מבוססי PSTN. אם ה-trunk של PSTN משתמש בחיבור T1/E1 או FXO אנלוגי, אל תכלול העדפת קודק 1 opus מתצורת קודק מחלקה קולית 100 .

4

קבע תצורה שימוש ב-Voice class stun 100 כדי לאפשר ICE ב-trunk של Webex Calling.

 מחלקה קול stun usage 100 stun usage firewall מעבר נתונים flowdata stun usage ice lite

הנה הסבר על השדות עבור התצורה:

Stun שימוש בקרח lite

משמש להפעלת ICE-Lite עבור כל עמיתי החיוג הפונים ל-Webex Calling כדי לאפשר אופטימיזציה של מדיה בכל עת שהדבר אפשרי. למידע נוסף, ראה שימוש ב-Stun class voice Stun usage ו-Stun usage ice lite.

דרוש לך שימוש ב-Stun של ICE-lite עבור זרימות שיחות באמצעות מיטוב נתיב מדיה. כדי לספק מיטוב מדיה עבור שער SIP אל TDM, הגדר עמית חיוג LOOPBACK עם ICE-Lite מופעל ברגל IP-IP. לקבלת פרטים טכניים נוספים, פנה לחשבון או לצוותי TAC

5

הגדר את מדיניות הצפנת המדיה עבור תעבורת Webex.

 מחלקה קולית srtp-הצפנה 100 הצפנה 1 AES_CM_128_HMAC_SHA1_80

הנה הסבר על השדות עבור התצורה:

Voice class srtp-crypto 100

מציין את SHA1_80 כ-CUBE חבילת הצופן היחידה של SRTP מציעה ב-SDP בהודעות הצעה ותשובה. Webex Calling תומך רק ב-SHA1_80. לקבלת מידע נוסף, ראה קריפטו מחלקה קולית.

6

הגדר תבנית כדי לזהות שיחות באופן ייחודי ל-trunk של שער מקומי בהתבסס על פרמטר ה-trunk של היעד שלו: 

 מחלקה קולית uri 100 sip pattern dtg=דאלאס1463285401_LGU

הנה הסבר על השדות עבור התצורה:

שיעור קול uri 100 sip

מגדיר תבנית התואמת להזמנת SIP נכנסת לעמית חיוג נכנס של trunk. בעת הזנת תבנית זו, השתמש ב-dtg= ואחריו בערך ה-Trunk OTG/DTG שסופק ב-Control Hub כאשר ה-trunk נוצר. למידע נוסף, ראה uri של מחלקה קולית.

7

קבע את התצורה של פרופיל SIP 100, שישמש לשינוי הודעות SIP לפני שהן יישלחו ל-Webex Calling.

 מחלקה קולית sip-profiles 100 כלל 10 בקש ANY sip-header SIP-Req-URI לשנות את "sips:" "sip:" rule 20 לבקש ANY sip-header To change "" """ rule 50 response ANY sip-header To change "" ";otg=dallas1463285401_lgu>" rule 90 request ANY sip-header P-Asserted-Identity change "sips:" "sip:"

הנה הסבר על השדות עבור התצורה:

  • חוק 10 עד 70 ו-90

    מבטיח שכותרות SIP המשמשות לאיתות שיחות ישתמשו בסכמת sip, ולא בסכמת sips, שנדרש על-ידי שרתי Webex. קביעת התצורה של CUBE לשימוש ב-sips מבטיחה להשתמש ברישום מאובטח.

  • כלל 80

    משנה את כותרת From כך שתכלול את מזהה ה-OTG/DTG של קבוצת trunk מ-Control Hub כדי לזהות באופן ייחודי אתר שער מקומי בתוך ארגון.

8

קבע את התצורה של trunk של Webex Calling:

  1. צור דייר מחלקה קולית 100 כדי להגדיר ותצורות קבוצה הנדרשות במיוחד עבור ה-trunk של Webex Calling. בפרט, פרטי רישום ה-trunk שסופקו ב-Control Hub ינוצלו בשלב זה כמפורט להלן. עמיתי חיוג המשויכים לדייר זה מאוחר יותר יירשו את התצורות האלה.

    The following example uses the values illustrated in Step 1 for the purpose of this guide (shown in bold). Replace these with values for your trunk in your configuration.

     voice class tenant 100 registrar dns:98027369.us10.bcld.webex.com scheme sips expires 240 refresh-ratio 50 tcp tls credentials number Dallas1171197921_LGU username Dallas1463285401_LGU password 0 9Wt[M6ifY+ realm BroadWorks authentication username Dallas1463285401_LGU password 0 9Wt[M6ifY+ realm BroadWorks authentication username Dallas1463285401_LGU password 0 9Wt[M6ifY+ realm 98027369.us10.bcld.webex.com no remote-party-id sip-server dns:98027369.us10.bcld.webex.com connection-reuse srtp-crypto 100 session transport tcp tls url sips error-passthru asserted-id pai bind control source-interface GigabitEthernet0/0/1 bind media source-interface GigabitEthernet0/0/1 no pass-thru content custom-sdp sip-profiles 100 outbound-proxy dns:dfw04.sipconnect-us.bcld.webex.com privacy-policy passthru

    Here's an explanation of the fields for the configuration:

    voice class tenant 100

    Defines a set of configuration parameters that will be used only for the Webex Calling trunk. For more information, see voice class tenant.

    registrar dns:98027369.us10.bcld.webex.com scheme sips expires 240 refresh-ratio 50 tcp tls

    Registrar server for the Local Gateway with the registration set to refresh every two minutes (50% of 240 seconds). For more information, see registrar.

    Ensure that you use the Register Domain value from Control Hub here.

    credentials number Dallas1171197921_LGU username Dallas1463285401_LGU password 0 9Wt[M6ifY+ realm BroadWorks

    Credentials for trunk registration challenge. For more information, see credentials (SIP UA).

    Ensure that you use the Line/Port host, Authentication Username and Authentication Password values respectively from Control Hub here.

    authentication username Dallas1171197921_LGU password 0 9Wt[M6ifY+ realm BroadWorks
    authentication username Dallas1171197921_LGU password 0 9Wt[M6ifY+ realm 98027369.us10.bcld.webex.com

    אתגר אימות לשיחות. For more information, see authentication (dial-peer).

    Ensure that you use the Authentication Username, Authentication Password and Registrar Domain values respectively from Control Hub here.

    no remote-party-id

    Disable SIP Remote-Party-ID (RPID) header as Webex Calling supports PAI, which is enabled using CIO asserted-id pai. For more information, see remote-party-id.

    sip-server dns:us25.sipconnect.bcld.webex.com

    Configures the target SIP server for the trunk. Use the edge proxy SRV address provided in Control Hub when you created your trunk.

    connection-reuse

    Uses the same persistent connection for registration and call processing. For more information, see connection-reuse.

    srtp-crypto 100

    Configures the preferred cipher-suites for the SRTP call leg (connection) (specified in step 5). For more information, see voice class srtp-crypto.

    session transport tcp tls

    Sets transport to TLS. For more information, see session-transport.

    url sips

    SRV query must be SIPs as supported by the access SBC; all other messages are changed to SIP by sip-profile 200.

    error-passthru

    Specifies SIP error response pass-thru functionality. For more information, see error-passthru.

    asserted-id pai

    Turns on PAI processing in Local Gateway. For more information, see asserted-id.

    bind control source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for messages sent to WebexCalling. For more information, see bind.

    bind media source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for media sent to WebexCalling. For more information, see bind.

    no pass-thru content custom-sdp

    פקודת ברירת מחדל תחת דייר. For more information on this command, see pass-thru content.

    sip-profiles 100

    Changes SIPs to SIP and modify Line/Port for INVITE and REGISTER messages as defined in sip-profiles 100. For more information, see voice class sip-profiles.

    outbound-proxy dns:dfw04.sipconnect-us.bcld.webex.com

    Webex Calling access SBC. Insert the Outbound Proxy Address provided in Control Hub when you created your trunk. For more information, see outbound-proxy.

    privacy-policy passthru

    Configures the privacy header policy options for the trunk to pass privacy values from the received message to the next call leg. For more information, see privacy-policy.

  2. Configure the Webex Calling trunk dial-peer. 

     dial-peer voice 100 voip description Inbound/Outbound Webex Calling max-conn 250 destination-pattern BAD.BAD session protocol sipv2 session target sip-server incoming uri request 100 voice-class codec 100 dtmf-relay rtp-nte voice-class stun-usage 100 no voice-class sip localhost voice-class sip tenant 100 srtp no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 100 voip  description Inbound/Outbound Webex Calling

    Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of management and troubleshooting.

    max-conn 250

    Restricts the number of concurrent inbound and outbound calls between the LGW and Webex Calling. For registration trunks, the maximum value configured should be 250. Usea lower value if that would be more appropriate for your deployment. For more information on concurrent call limits for Local Gateway, refer to the Get started with Local Gateway document.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 100 handles SIP call legs. For more information, see session protocol (dial-peer).

    session target sip-server

    Indicates that the SIP server defined in tenant 100 is inherited and used for the destination for calls from this dial peer.

    incoming uri request 100

    To specify the voice class used to match a VoIP dial peer to the uniform resource identifier (URI) of an incoming call. For more information, see incoming uri.

    voice-class codec 100

    Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

    voice-class stun-usage 100

    Allows locally generated STUN requests on the Local Gateway to be sent over the negotiated media path. STUN helps to open a firewall pinhole for media traffic.

    no voice-class sip localhost

    Disables substitution of the DNS local host name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 100

    The dial-peer inherits all parameters configured globally and in tenant 100. Parameters may be overridden at the dial-peer level.

    srtp

    Enables SRTP for the call leg.

    no vad

    משבית את זיהוי הפעילות הקולית.

After you define tenant 100 and configure a SIP VoIP dial-peer, the gateway initiates a TLS connection toward Webex Calling. At this point the access SBC presents its certificate to the Local Gateway. The Local Gateway validates the Webex Calling access SBC certificate using the CA root bundle that was updated earlier. If the certificate is recognised, a persistent TLS session is established between the Local Gateway and Webex Calling access SBC. The Local Gateway is then able to use this secure connection to register with the Webex access SBC. When the registration is challenged for authentication:

  • The username, password, and realm parameters from the credentials configuration is used in the response.

  • The modification rules in sip profile 100 are used to convert SIPS URL back to SIP.

Registration is successful when a 200 OK is received from the access SBC.

Configure Local Gateway with a SIP PSTN trunk

Having built a trunk towards Webex Calling above, use the following configuration to create a non-encrypted trunk towards a SIP based PSTN provider:

If your Service Provider offers a secure PSTN trunk, you may follow a similar configuration as detailed above for the Webex Calling trunk. Secure to secure call routing is supported by CUBE.

If you are using a TDM / ISDN PSTN trunk, skip to next section Configure Local Gateway with TDM PSTN trunk.

To configure TDM interfaces for PSTN call legs on the Cisco TDM-SIP Gateways, see  Configuring ISDN PRI.

1

Configure the following voice class uri to identify inbound calls from the PSTN trunk:

 voice class uri 200 sip host ipv4:192.168.80.13

Here's an explanation of the fields for the configuration:

voice class uri 200 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use the IP address of you IP PSTN gateway. For more information, see  voice class uri.

2

Configure the following IP PSTN dial-peer:

 dial-peer voice 200 voip description Inbound/Outbound IP PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.13 incoming uri via 200 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 voice-class codec 100 dtmf-relay rtp-nte no vad

Here's an explanation of the fields for the configuration:

 dial-peer voice 200 voip  description Inbound/Outbound IP PSTN trunk

Defines a VoIP dial-peer with a tag of 200 and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that dial-peer 200 handles SIP call legs. For more information, see session protocol (dial peer).

session target ipv4:192.168.80.13

Indicates the destination’s target IPv4 address to send the call leg. The session target here is ITSP’s IP address. For more information, see  session target (VoIP dial peer).

incoming uri via 200

Defines a match criterion for the VIA header with the IP PSTN’s IP address. Matches all incoming IP PSTN call legs on the Local Gateway with dial-peer 200. For more information, see  incoming url.

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

voice-class codec 100

Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

dtmf-relay rtp-nte

Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see DTMF Relay (Voice over IP).

no vad

משבית את זיהוי הפעילות הקולית. For more information, see vad (dial peer).

3

If you are configuring your Local Gateway to only route calls between Webex Calling and the PSTN, add the following call routing configuration. If you are configuring your Local Gateway with a Unified Communications Manager platform, skip to the next section.

  1. Create dial-peer groups to route calls towards Webex Calling or the PSTN. Define DPG 100 with outbound dial-peer 100 toward Webex Calling. DPG 100 is applied to the incoming dial-peer from the PSTN. Similarly, define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200

    Here's an explanation of the fields for the configuration:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls from Webex to the PSTN and from the PSTN to Webex: 

     dial-peer voice 100 destination dpg 200 dial-peer voice 200 destination dpg 100

    Here's an explanation of the fields for the configuration:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.

Configure Local Gateway with a TDM PSTN trunk

Having built a trunk towards Webex Calling, use the following configuration to create a TDM trunk for your PSTN service with loop-back call routing to allow media optimization on the Webex call leg.

If you do not require IP media optimization, follow the configuration steps for a SIP PSTN trunk. Use a voice port and POTS dial-peer (as shown in Steps 2 and 3) instead of the PSTN VoIP dial-peer.
1

The loop-back dial-peer configuration uses dial-peer groups and call routing tags to ensure that calls pass correctly between Webex and the PSTN, without creating call routing loops. Configure the following translation rules that will be used to add and remove the call routing tags:

 voice translation-rule 100 rule 1 /^\+/ /A2A/ voice translation-profile 100 translate called 100 voice translation-rule 200 rule 1 /^/ /A1A/ voice translation-profile 200 translate called 200 voice translation-rule 11 rule 1 /^A1A/ // voice translation-profile 11 translate called 11 voice translation-rule 12 rule 1 /^A2A44/ /0/ rule 2/^A2A/ /00/ voice translation-profile 12 translate called 12

Here's an explanation of the fields for the configuration:

voice translation-rule

Uses regular expressions defined in rules to add or remove call routing tags. Over-decadic digits (‘A’) are used to add clarity for troubleshooting.

In this configuration, the tag added by translation-profile 100 is used to guide calls from Webex Calling towards the PSTN via the loopback dial-peers. Similarly, the tag added by translation-profile 200 is used to guide calls from the PSTN towards Webex Calling. Translation-profiles 11 and 12 remove these tags before delivering calls to the Webex and PSTN trunks respectively.

This example assumes that called numbers from Webex Calling are presented in +E.164 format. Rule 100 removes the leading + to maintain a valid called number. Rule 12 then adds a national or international routing digit(s) when removing the tag. Use digits that suit your local ISDN national dial plan.

If Webex Calling presents numbers in national format, adjust rules 100 and 12 to simply add and remove the routing tag respectively.

For more information, see voice translation-profile and voice translation-rule.

2

Configure TDM voice interface ports as required by the trunk type and protocol used. For more information, see Configuring ISDN PRI. For example, the basic configuration of a Primary Rate ISDN interface installed in NIM slot 2 of a device might include the following:

 card type e1 0 2 isdn switch-type primary-net5 controller E1 0/2/0 pri-group timeslots 1-31
3

Configure the following TDM PSTN dial-peer:

 dial-peer voice 200 pots description Inbound/Outbound PRI PSTN trunk destination-pattern BAD.BAD translation-profile incoming 200 direct-inward-dial port 0/2/0:15

Here's an explanation of the fields for the configuration: 

 dial-peer voice 200 pots  description Inbound/Outbound PRI PSTN trunk

Defines a VoIP dial-peer with a tag of 200 and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

translation-profile incoming 200

Assigns the translation profile that will add a call routing tag to the incoming called number.

direct-inward-dial

Routes the call without providing a secondary dial-tone. For more information, see direct-inward-dial.

port 0/2/0:15

The physical voice port associated with this dial-peer.

4

To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, you can modify the call routing by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks. Configure the following loop-back dial-peers. In this case, all incoming calls will be routed initially to dial-peer 10 and from there to either dial-peer 11 or 12 based on the applied routing tag. After removal of the routing tag, calls will be routed to the outbound trunk using dial-peer groups.

 dial-peer voice 10 voip description Outbound loop-around leg destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.14 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 11 voip description Inbound loop-around leg towards Webex translation-profile incoming 11 session protocol sipv2 incoming called-number A1AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 12 voip description Inbound loop-around leg towards PSTN translation-profile incoming 12 session protocol sipv2 incoming called-number A2AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad

Here's an explanation of the fields for the configuration: 

 dial-peer voice 10 pots  description Outbound loop-around leg

Defines a VoIP dial-peer and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

translation-profile incoming 11

Applies the translation profile defined earlier to remove the call routing tag before passing to the outbound trunk.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that this dial-peer handles SIP call legs. For more information, see  session protocol (dial peer).

session target 192.168.80.14

Specifies the local router interface address as the call target to loop-back. For more information, see session target (voip dial peer).

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent through the loop-back. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent through the loop-back. For more information, see  bind.

dtmf-relay rtp-nte

Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

codec g711alaw

Forces all PSTN calls to use G.711. Select a-law or u-law to match the companding method used by your ISDN service.

no vad

משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

5

Add the following call routing configuration:

  1. Create dial-peer groups to route calls between the PSTN and Webex trunks, via the loop-back.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 10 description Route calls to Loopback dial-peer 10

    Here's an explanation of the fields for the configuration:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls.

     dial-peer voice 100 destination dpg 10 dial-peer voice 200 destination dpg 10 dial-peer voice 11 destination dpg 100 dial-peer voice 12 destination dpg 200

    Here's an explanation of the fields for the configuration:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.
Configure Local Gateway with an existing Unified CM environment

The PSTN-Webex Calling configuration in the previous sections may be modified to include additional trunks to a Cisco Unified Communications Manager (UCM) cluster. In this case, all calls are routed via Unified CM. Calls from UCM on port 5060 are routed to the PSTN and calls from port 5065 are routed to Webex Calling. The following incremental configurations may be added to include this calling scenario.

When creating the Webex Calling trunk in Unified CM, ensure that you configure the incoming port in the SIP Trunk Security Profile settings to 5065. This allows incoming messages on port 5065 and populate the VIA header with this value when sending messages to the Local Gateway.

1

קבע את תצורת מזהי ה-URI הבאים של המחלקה הקולית:

  1. Classifies Unified CM to Webex calls using SIP VIA port:

     voice class uri 300 sip pattern :5065

  2. Classifies Unified CM to PSTN calls using SIP via port:

     voice class uri 400 sip pattern 192\.168\.80\.6[0-5]:5060

    Classify incoming messages from the UCM towards the PSTN trunk using one or more patterns that describe the originating source addresses and port number. Regular expressions may be used to define matching patterns if required.

    In the example above, a regular expression is used to match any IP address in the range 192.168.80.60 to 65 and port number 5060.

2

Configure the following DNS records to specify SRV routing to Unified CM hosts:

IOS XE uses these records for locally determining target UCM hosts and ports. With this configuration, it is not required to configure records in your DNS system. If you prefer to use your DNS, then these local configurations are not required.

 ip host ucmpub.mydomain.com 192.168.80.60 ip host ucmsub1.mydomain.com 192.168.80.61 ip host ucmsub2.mydomain.com 192.168.80.62 ip host ucmsub3.mydomain.com 192.168.80.63 ip host ucmsub4.mydomain.com 192.168.80.64 ip host ucmsub5.mydomain.com 192.168.80.65 ip host _sip._udp.wxtocucm.io srv 0 1 5065 ucmpub.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub1.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub2.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub3.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub4.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub5.mydomain.com ip host _sip._udp.pstntocucm.io srv 0 1 5060 ucmpub.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub1.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub2.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub3.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub4.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

Here's an explanation of the fields for the configuration:

The following command creates a DNS SRV resource record. Create a record for each UCM host and trunk:

ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

_sip._udp.pstntocucm.io: SRV resource record name

2: The SRV resource record priority

1: The SRV resource record weight

5060: The port number to use for the target host in this resource record

ucmsub5.mydomain.com: The resource record target host

To resolve the resource record target host names, create local DNS A records. לדוגמה:

ip host ucmsub5.mydomain.com 192.168.80.65

ip host: Creates a record in the local IOS XE database.

ucmsub5.mydomain.com: The A record host name.

192.168.80.65: The host IP address.

Create the SRV resource records and A records to reflect your UCM environment and preferred call distribution strategy.

3

Configure the following dial-peers:

  1. Dial-peer for calls between Unified CM and Webex Calling:

     dial-peer voice 300 voip description UCM-Webex Calling trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:wxtocucm.io incoming uri via 300 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 300 voip  description UCM-Webex Calling trunk

    Defines a VoIP dial-peer with a tag 300 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 300 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:wxtocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record wxtocucm.io is used to direct calls.

    incoming uri via 300

    Uses voice class URI 300 to direct all incoming traffic from Unified CM using source port 5065 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

    no vad

    משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

  2. Dial-peer for calls between Unified CM and the PSTN:

     dial-peer voice 400 voip description UCM-PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:pstntocucm.io incoming uri via 400 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 400 voip  description UCM-PSTN trunk

    Defines a VoIP dial-peer with a tag of 400 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 400 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:pstntocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record pstntocucm.io is used to direct calls.

    incoming uri via 400

    Uses voice class URI 400 to direct all incoming traffic from the specified Unified CM hosts using source port 5060 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

    no vad

    משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

4

Add call routing using the following configurations:

  1. Create dial-peer groups to route calls between Unified CM and Webex Calling. Define DPG 100 with outbound dial-peer 100 towards Webex Calling. DPG 100 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 300 with outbound dial-peer 300 toward Unified CM. DPG 300 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 300 description Route calls to Unified CM Webex Calling trunk dial-peer 300

  2. Create a dial-peer groups to route calls between Unified CM and the PSTN. Define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 400 with outbound dial-peer 400 toward Unified CM. DPG 400 is applied to the incoming dial-peer from the PSTN.

     voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 400 description Route calls to Unified CM PSTN trunk dial-peer 400

    Here's an explanation of the fields for the configuration:

    dial-peer  100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  3. Apply dial-peer groups to route calls from Webex to Unified CM and from Unified CM to Webex: 

     dial-peer voice 100 destination dpg 300 dial-peer voice 300 destination dpg 100

    Here's an explanation of the fields for the configuration:

    destination dpg 300

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

  4. Apply dial-peer groups to route calls from the PSTN to Unified CM and from Unified CM to the PSTN:

     dial-peer voice 200 destination dpg 400 dial-peer voice 400 destination dpg 200

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features have been configured.

Monitor and troubleshoot Local Gateway with diagnostic signatures

Diagnostic Signatures (DS) proactively detects commonly observed issues in the IOS XE-based Local Gateway and generates email, syslog, or terminal message notification of the event. You can also install the DS to automate diagnostics data collection and transfer-collected data to the Cisco TAC case to accelerate resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to be taken to inform, troubleshoot, and remediate the issue. You can define the problem detection logic using syslog messages, SNMP events and through periodic monitoring of specific show command outputs.

The action types include collecting show command outputs:

  • Generating a consolidated log file

  • Uploading the file to a user-provided network location such as HTTPS, SCP, FTP server.

TAC engineers author the DS files and digitally sign it for integrity protection. לכל קובץ DS יש מזהה מספרי ייחודי שהוקצה על-ידי המערכת. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

  • Do not edit the DS file that you download from DSLT. The files that you modify fail installation due to the integrity check error.

  • A Simple Mail Transfer Protocol (SMTP) server you require for the Local Gateway to send out email notifications.

  • Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use the secure SMTP server for email notifications.

דרישות מקדימות

Local Gateway running IOS XE 17.6.1a or higher

  1. התכונה חתימות אבחון מופעלת כברירת מחדל.

  2. Configure the secure email server to be used to send proactive notification if the device is running Cisco IOS XE 17.6.1a or higher.

    configure terminal call-home mail-server <username>:<pwd>@<email server> priority 1 secure tls end

  3. Configure the environment variable ds_email with the email address of the administrator to notify you. 

    configure terminal call-home diagnostic-signature environment ds_email <email address> end

The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.6.1a or higher to send the proactive notifications to tacfaststart@gmail.com using Gmail as the secure SMTP server:

We recommend you to use the Cisco IOS XE Bengaluru 17.6.x or later versions.

call-home mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls diagnostic-signature environment ds_email "tacfaststart@gmail.com"

A Local Gateway running on Cisco IOS XE Software is not a typical web-based Gmail client that supports OAuth, so we must configure a specific Gmail account setting and provide specific permission to have the email from the device processed correctly:

  1. Go to Manage Google Account > Security and turn on the Less secure app access setting.

  2. Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone from signing into your account using a non-Google app.”

Install diagnostic signatures for proactive monitoring

Monitoring high CPU utilization

This DS tracks CPU utilization for five seconds using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that are installed in the Local Gateway. השתמש בשלבים הבאים כדי להתקין את החתימה.

  1. Use the show snmp command to enable SNMP. If you do not enable, then configure the snmp-server manager command.

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input      0 Bad SNMP version errors      1 Unknown community name      0 Illegal operation for community name supplied      0 Encoding errors 37763 Number of requested variables      2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs      2 Set-request PDUs      0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output      0 Too big errors (Maximum packet size 1500) 20 No such name errors      0 Bad values errors      0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 SNMP global trap: מופעל

  2. הורד את DS 64224 באמצעות אפשרויות הרשימה הנפתחת הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    ביצועים

    סוג בעיה

    High CPU Utilization with Email Notification.

  3. העתק את קובץ ה-XML של DS ל-flash של השער המקומי.

    LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    The following example shows copying the file from an FTP server to the Local Gateway. 

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash:  Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...!  [OK - 3571/4096 bytes] 3571 bytes copied in 0.064 secs (55797 bytes/sec)

  4. התקן את קובץ ה-XML של DS בשער המקומי.

    call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success

  5. Use the show call-home diagnostic-signature command to verify that the signature is successfully installed. עמודת המצב צריכה לכלול ערך "רשום". 

    show call-home diagnostic-signature Current diagnostic-signature settings:  Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com

    הורד חתימות DS:

    מזהה DS

    שם DC

    מהדורה

    מצב

    עדכון אחרון (GMT+00:00)

    64224

    DS_LGW_CPU_MON75

    0.0.10

    רשום

    2020-11-07 22:05:33

    כאשר החתימה הזו מופעלת, היא מסירה את ההתקנה של כל חתימות האבחון הפועלות, כולל את עצמה. If necessary, reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring SIP trunk registration

This DS checks for unregistration of a Local Gateway SIP Trunk with Webex Calling cloud every 60 seconds. Once the unregistration event is detected, it generates an email and syslog notification and uninstalls itself after two unregistration occurrences. Use the steps below to install the signature:

  1. הורד את DS 64117 באמצעות אפשרויות הרשימה הנפתחת הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series או Cisco CSR 1000V Series

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    SIP-SIP

    סוג בעיה

    SIP Trunk Unregistration with Email Notification.

  2. העתק את קובץ ה-XML של DS לשער המקומי.

    copy ftp://username:password@<server name or ip>/DS_64117.xml bootflash:

  3. התקן את קובץ ה-XML של DS בשער המקומי. 

    call-home diagnostic-signature load DS_64117.xml Load file DS_64117.xml success LocalGateway#

  4. Use the show call-home diagnostic-signature command to verify that the signature is successfully installed. The status column must have a “registered” value.

Monitoring abnormal call disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and 503.  If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Please use the steps below to install the signature.

  1. Use the show snmp command to check whether SNMP is enabled. If it is not enabled, configure the snmp-server manager command. 

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input      0 Bad SNMP version errors      1 Unknown community name      0 Illegal operation for community name supplied      0 Encoding errors 37763 Number of requested variables      2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs      2 Set-request PDUs      0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output      0 Too big errors (Maximum packet size 1500) 20 No such name errors      0 Bad values errors      0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 SNMP global trap: מופעל

  2. הורד את DS 65221 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series או Cisco CSR 1000V Series

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    ביצועים

    סוג בעיה

    SIP abnormal call disconnect detection with Email and Syslog Notification.

  3. העתק את קובץ ה-XML של DS לשער המקומי. 

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. התקן את קובץ ה-XML של DS בשער המקומי. 

    call-home diagnostic-signature load DS_65221.xml Load file DS_65221.xml success

  5. Use the show call-home diagnostic-signature command to verify that the signature is successfully installed. The status column must have a “registered” value.

Install diagnostic signatures to troubleshoot a problem

Use Diagnostic Signatures (DS) to resolve issues quickly. Cisco TAC engineers have authored several signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco TAC case. Diagnostic Signatures (DS) eliminate the need to manually check for the problem occurrence and makes troubleshooting of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to self-solve a given issue or you can install the signature that is recommended by the TAC engineer as part of the support engagement.

הנה דוגמה כיצד למצוא ולהתקין DS כדי לזהות את המופע "‎%VOICE_IEC-3-GW: CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0" syslog and automate diagnostic data collection using the following steps:

  1. Configure an additional DS environment variable ds_fsurl_prefix which is the Cisco TAC file server path (cxd.cisco.com) to which the collected diagnostics data are uploaded. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager in the following command. The file upload token can be generated in the Attachments section of the Support Case Manager, as needed. 

    configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com" end

    דוגמה: 

    call-home diagnostic-signature environment ds_fsurl_prefix " environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. Ensure that SNMP is enabled using the show snmp command. If it is not enabled, configure the snmp-server manager command.

    show snmp %SNMP agent not enabled config t snmp-server manager end

  3. Ensure to install the High CPU monitoring DS 64224 as a proactive measure to disable all debugs and diagnostics signatures during the time of high CPU utilization. הורד את DS 64224 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series או Cisco CSR 1000V Series

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    ביצועים

    סוג בעיה

    High CPU Utilization with Email Notification.

  4. הורד את DS 65095 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series או Cisco CSR 1000V Series

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    יומני Syslog

    סוג בעיה

    Syslog‏ - ‎%VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. העתק את קובצי ה-XML של DS לשער המקומי.

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:  copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. התקן את קובץ ה-XML של DS 64224 לניטור ניצול גבוה של CPU ולאחר מכן את קובץ ה-XML של DS 65095 בשער המקומי. 

    call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success call-home diagnostic-signature load DS_65095.xml Load file DS_65095.xml success

  7. Verify that the signature is successfully installed using the show call-home diagnostic-signature command. The status column must have a “registered” value. 

    show call-home diagnostic-signature Current diagnostic-signature settings:  Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

    חתימות DS שהורדו:

    מזהה DS

    שם DC

    מהדורה

    מצב

    עדכון אחרון (GMT+00:00)

    64224

    00:07:45

    DS_LGW_CPU_MON75

    0.0.10

    רשום

    2020-11-08

    65095

    00:12:53

    DS_LGW_IEC_Call_spike_threshold

    0.0.12

    רשום

    2020-11-08

Verify diagnostic signatures execution

In the following command, the “Status” column of the show call-home diagnostic-signature command changes to “running” while the Local Gateway executes the action defined within the signature. The output of show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature detects an event of interest and executes the action. The “Triggered/Max/Deinstall” column indicates the number of times the given signature has triggered an event, the maximum number of times it is defined to detect an event and whether the signature deinstalls itself after detecting the maximum number of triggered events. 

show call-home diagnostic-signature Current diagnostic-signature settings:  Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: carunach@cisco.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

חתימות DS שהורדו:

מזהה DS

שם DC

מהדורה

מצב

עדכון אחרון (GMT+00:00)

64224

DS_LGW_CPU_MON75

0.0.10

רשום

2020-11-08 00:07:45

65095

DS_LGW_IEC_Call_spike_threshold

0.0.12

פועל

2020-11-08 00:12:53

show call-home diagnostic-signature statistics

מזהה DS

שם DC

Triggered/Max/Deinstall

זמן ריצה ממוצע (שניות)

זמן ריצה מקסימלי (שניות)

64224

DS_LGW_CPU_MON75

‎0/0/N

0.000

0.000

65095

DS_LGW_IEC_Call_spike_threshold

1/20/Y

23.053

23.053

The notification email that is sent during diagnostic signature execution contains key information such as issue type, device details, software version, running configuration, and show command outputs that are relevant to troubleshoot the given problem.

Uninstall diagnostic signatures

Use Diagnostic signatures for troubleshooting purposes are typically defined to uninstall after detection of some problem occurrences. If you want to uninstall a signature manually, retrieve the DS ID from the output of the show call-home diagnostic-signature command and run the following command:

call-home diagnostic-signature deinstall <DS ID>

דוגמה:

call-home diagnostic-signature deinstall 64224

New signatures are added to Diagnostics Signatures Lookup Tool periodically, based on issues that are commonly observed in deployments. TAC אינו תומך כרגע בבקשות ליצירת חתימות מותאמות אישית חדשות.

Manage and validate Cisco IOS XE Gateways through Control Hub

For better management of Cisco IOS XE Gateways, we recommend that you enroll and manage the gateways through the Control Hub. It is an optional configuration. When enrolled, you can use the configuration validation option in the Control Hub to validate your Local Gateway configuration and identify any configuration issues. Currently, only registration-based trunks support this functionality.

For more information, refer the following:

Design overview

This section describes how to configure a Cisco Unified Border Element (CUBE) as a Local Gateway for Webex Calling, using certificate-based mutual TLS (mTLS) SIP trunk. The first part of this document illustrates how to configure a simple PSTN gateway. In this case, all calls from the PSTN are routed to Webex Calling and all calls from Webex Calling are routed to the PSTN. The following image highlights this solution and the high-level call routing configuration that will be followed.

In this design, the following principal configurations are used:

  • voice class tenants: Used to create trunk specific configurations.

  • voice class uri: Used to classify SIP messages for the selection of an inbound dial-peer.

  • inbound dial-peer: Provides treatment for inbound SIP messages and determines the outbound route with a dial-peer group.

  • dial-peer group: Defines the outbound dial-peers used for onward call routing.

  • outbound dial-peer: Provides treatment for outbound SIP messages and routes them to the required target.

Call routing from/to PSTN to/from Webex Calling configuration solution

While IP and SIP have become the default protocols for PSTN trunks, TDM (Time Division Multiplexing) ISDN circuits are still widely used and are supported with Webex Calling trunks. To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, it is currently necessary to use a two-leg call routing process. This approach modifies the call routing configuration shown above, by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks as illustrated in the image below.

When connecting an on-premises Cisco Unified Communications Manager solution with Webex Calling, you can use the simple PSTN gateway configuration as a baseline for building the solution illustrated in the following diagram. In this case, Unified Communications Manager provides centralized routing and treatment of all PSTN and Webex Calling calls.

Throughout this document, the host names, IP addresses, and interfaces illustrated in the following image are used. Options are provided for public or private (behind NAT) addressing. SRV DNS records are optional, unless load balancing across multiple CUBE instances.

Use the configuration guidance in the rest of this document to complete your Local Gateway configuration as follows:

  • שלב 1: Configure router baseline connectivity and security

  • שלב 2: Configure Webex Calling Trunk

    Depending on your required architecture, follow either:

  • שלב 3: Configure Local Gateway with SIP PSTN trunk

  • Step 4: Configure Local Gateway with existing Unified CM environment

    Or:

  • שלב 3: Configure Local Gateway with TDM PSTN trunk

Configure connectivity and security

Baseline configuration

The first step in preparing your Cisco router as a Local Gateway for Webex Calling is to build a baseline configuration that secures your platform and establishes connectivity.

  • All certificate-based Local Gateway deployments require Cisco IOS XE 17.9.1a or later versions. For the recommended versions, see the Cisco Software Research page. Search for the platform and select one of the suggested releases.

    • ISR4000 series routers must be configured with both Unified Communications and Security technology licenses.

    • Catalyst Edge 8000 series routers fitted with voice cards or DSPs require DNA Essentials licensing. Routers without voice cards or DSPs require a minimum of DNA Essentials licensing.

    • For high-capacity requirements, you may also require a High Security (HSEC) license and additional throughput entitlement.

      Refer to Authorization Codes for further details.

  • Build a baseline configuration for your platform that follows your business policies. In particular, configure the following and verify the working:

    • NTP

    • ACLs

    • User authentication and remote access

    • DNS

    • IP routing

    • IP addresses

  • The network toward Webex Calling must use a IPv4 address. Local Gateway Fully Qualified Domain Names (FQDN) or Service Record (SRV) addresses must resolve to a public IPv4 address on the internet.

  • All SIP and media ports on the Local Gateway interface facing Webex must be accessible from the internet, either directly or via static NAT. Ensure that you update your firewall accordingly.

  • Install a signed certificate on the Local Gateway (the following provides detailed configuration steps).

    • A public Certificate Authority (CA) as detailed in  What Root Certificate Authorities are Supported for Calls to Cisco Webex Audio and Video Platforms? must sign the device certificate.

    • The FQDN configured in the Control Hub when creating a trunk must be the Common Name (CN) or Subject Alternate Name (SAN) certificate of the router. לדוגמה:

      • If a configured trunk in the Control Hub of your organization has cube1.lgw.com:5061 as FQDN of the Local Gateway, then the CN or SAN in the router certificate must contain cube1.lgw.com. 

      • If a configured trunk in the Control Hub of your organization has lgws.lgw.com as the SRV address of the Local Gateway(s) reachable from the trunk, then the CN or SAN in the router certificate must contain lgws.lgw.com. The records that the SRV address resolves to (CNAME, A Record, or IP Address) are optional in SAN.

      • Whether you use an FQDN or SRV for the trunk, the contact address for all new SIP dialogs from your Local Gateway uses the name configured in the Control Hub.

  • Ensure that certificates are signed for client and server usage.

  • Upload the Cisco root CA bundle to the Local Gateway.

תצורה

1

Ensure that you assign valid and routable IP addresses to any Layer 3 interfaces, for example:

 interface GigabitEthernet0/0/0 description Interface facing PSTN and/or CUCM ip address 192.168.80.14 255.255.255.0 ! interface GigabitEthernet0/0/1 description Interface facing Webex Calling (Public address) ip address 198.51.100.1 255.255.255.240

2

Protect STUN credentials on the router using symmetric encryption. Configure the primary encryption key and encryption type as follows:

 key config-key password-encrypt YourPassword password encryption aes
3

Create an encryption trustpoint with a certificate signed by your preferred Certificate Authority (CA).

  1. Create an RSA key pair using the following exec command.

    crypto key generate rsa general-keys exportable label lgw-key modulus 4096

  2. When using cube1.lgw.com as the fqdn for the trunk, create a trustpoint for the signed certificate with the following configuration commands: 

     crypto pki trustpoint LGW_CERT enrollment terminal pem fqdn cube1.lgw.com subject-name cn=cube1.lgw.com subject-alt-name cube1.lgw.com revocation-check none rsakeypair lgw-key

  3. Generate Certificate Signing Request (CSR) with the following exec or configuration command and use it to request a signed certificate from a supported CA provider:

    crypto pki enroll LGW_CERT

4

Authenticate your new certificate using your intermediate (or root) CA certificate, then import the certificate (Step 4). Enter the following exec or configuration command:

 crypto pki authenticate LGW_CERT <paste Intermediate X.509 base 64 based certificate here>

5

Import a signed host certificate using the following exec or configuration command:

 crypto pki import LGW_CERT certificate <paste CUBE host X.509 base 64 certificate here>

6

Enable TLS1.2 exclusivity and specify the default trustpoint using the following configuration commands:

 sip-ua crypto signaling default trustpoint LGW_CERT transport tcp tls v1.2

7

Install the Cisco root CA bundle, which includes the DigiCert CA certificate used by Webex Calling. Use the crypto pki trustpool import clean url command to download the root CA bundle from the specified URL, and to clear the current CA trustpool, then install the new bundle of certificates:

If you need to use a proxy for access to the internet using HTTPS, add the following configuration before importing the CA bundle:

ip http client proxy-server yourproxy.com proxy-port 80
 ip http client source-interface GigabitEthernet0/0/1 crypto pki trustpool import clean url https://www.cisco.com/security/pki/trs/ios_core.p7b
Configure Webex Calling certificate-based trunk
1

Create a CUBE certificate-based PSTN trunk for an existing location in Control Hub. For more information, see Configure trunks, route groups, and dial plans for Webex Calling.

Make a note of the trunk information that is provided once the trunk is created. These details, as highlighted in the following illustration, will be used in the configuration steps in this guide.
2

Enter the following commands to configure CUBE as a Webex Calling Local Gateway:

 voice service voip ip address trusted list ipv4 x.x.x.x y.y.y.y mode border-element allow-connections sip to sip no supplementary-service sip refer stun stun flowdata agent-id 1 boot-count 4 stun flowdata shared-secret 0 Password123$ sip asymmetric payload full early-offer forced sip-profiles inbound

Here's an explanation of the fields for the configuration:

 ip address trusted list  ipv4 x.x.x.x y.y.y.y

  • To protect against toll fraud, the trusted address list defines a list of hosts and networks entities from which the Local Gateway expects legitimate VoIP calls.

  • By default, Local Gateway blocks all incoming VoIP messages from IP addresses not in its trusted list. Statically configured dial-peers with “session target IP” or server group IP addresses are trusted by default so do not need to be added to the trusted list.

  • When configuring your Local Gateway, add the IP subnets for your regional Webex Calling data center to the list, see Port Reference Information for Webex Calling for more information. Also, add address ranges for Unified Communications Manager servers (if used) and PSTN trunk gateways.

  • For more information on how to use an IP address trusted list to prevent toll fraud, see IP address trusted.

mode border-element

Enables Cisco Unified Border Element (CUBE) features on the platform.

allow-connections sip to sip

Enable CUBE basic SIP back to back user agent functionality. For more information, see Allow connections.

By default, T.38 fax transport is enabled. For more information, see fax protocol t38 (voice-service).

stun

Enables STUN (Session Traversal of UDP through NAT) globally.

These global stun commands are only required when deploying your Local Gateway behind NAT.

  • When you forward a call to a Webex Calling user (for example, both the called and calling parties are Webex Calling subscribers and if you anchor media at the Webex Calling SBC), then the media cannot flow to the Local Gateway as the pinhole isn't open.

  • The STUN bindings feature on the Local Gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps to open the pinhole in the firewall.

For more information, see  stun flowdata agent-id and  stun flowdata shared-secret.

asymmetric payload full

Configures SIP asymmetric payload support for both DTMF and dynamic codec payloads. For more information on this command, see asymmetric payload.

early-offer forced

Forces the Local Gateway to send SDP information in the initial INVITE message instead of waiting for acknowledgment from the neighboring peer. For more information on this command, see early-offer.

sip-profiles inbound

Enables CUBE to use SIP profiles to modify messages as they are received. Profiles are applied via dial-peers or tenants.

3

Configure voice class codec 100 codec filter for the trunk. In this example, the same codec filter is used for all trunks. You can configure filters for each trunk for precise control.

 voice class codec 100 codec preference 1 opus codec preference 2 g711ulaw codec preference 3 g711alaw

Here's an explanation of the fields for the configuration:

voice class codec 100

Used to only allow preferred codecs for calls through SIP trunks. For more information, see voice class codec.

Opus codec is supported only for SIP-based PSTN trunks. If the PSTN trunk uses a voice T1/E1 or analog FXO connection, exclude codec preference 1 opus from the voice class codec 100 configuration.

4

Configure voice class stun-usage 100 to enable ICE on the Webex Calling trunk. (This step is not applicable for Webex for Government)

 voice class stun-usage 100 stun usage firewall-traversal flowdata stun usage ice lite

Here's an explanation of the fields for the configuration:

stun usage ice lite

Used to enable ICE-Lite for all Webex Calling facing dial-peers to allow media-optimization whenever possible. For more information, see voice class stun usage and stun usage ice lite.

The stun usage firewall-traversal flowdata command is only required when deploying your Local Gateway behind NAT.
You require stun usage of ICE-lite for call flows using media path optimization. To provide media-optimization for a SIP to TDM gateway, configure a loopback dial-peer with ICE-Lite enabled on the IP-IP leg. For further technical details, contact the Account or TAC teams.
5

Configure the media encryption policy for Webex traffic. (This step is not applicable for Webex for Government)

 voice class srtp-crypto 100 crypto 1 AES_CM_128_HMAC_SHA1_80

Here's an explanation of the fields for the configuration:

voice class srtp-crypto 100

Specifies SHA1_80 as the only SRTP cipher-suite CUBE offers in the SDP in offer and answer messages. Webex Calling only supports SHA1_80. For more information, see voice class srtp-crypto.

6

Configure FIPS-compliant GCM ciphers (This step is applicable only for Webex for Government). 

 voice class srtp-crypto 100 crypto 1 AEAD_AES_256_GCM

Here's an explanation of the fields for the configuration:

voice class srtp-crypto 100

Specifies GCM as the cipher-suite that CUBE offers. It is mandatory to configure GCM ciphers for Local Gateway for Webex for Government.

7

Configure a pattern to uniquely identify calls to a Local Gateway trunk based on its destination FQDN or SRV:

 voice class uri 100 sip pattern cube1.lgw.com

Here's an explanation of the fields for the configuration:

voice class uri 100 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use LGW FQDN or SRV configured in Control Hub while creating a trunk.

8

Configure SIP message manipulation profiles. If your gateway is configured with a public IP address, configure a profile as follows or skip to the next step if you are using NAT. In this example, cube1.lgw.com is the FQDN configured for the Local Gateway and "198.51.100.1" is the public IP address of the Local Gateway interface facing Webex Calling:

 voice class sip-profiles 100 rule 10 request ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:"

Here's an explanation of the fields for the configuration:

rules 10 and 20

To allow Webex to authenticate messages from your local gateway, the 'Contact' header in SIP request and responses messages must contain the value provisioned for the trunk in Control Hub. This will either be the FQDN of a single host, or the SRV domain name used for a cluster of devices.

Skip the next step if you have configured your Local Gateway with public IP addresses.

9

If your gateway is configured with a private IP address behind static NAT, configure inbound and outbound SIP profiles as follows. In this example, cube1.lgw.com is the FQDN configured for the Local Gateway, "10.80.13.12" is the interface IP address facing Webex Calling and "192.65.79.20" is the NAT public IP address.

SIP profiles for outbound messages to Webex Calling 
 voice class sip-profiles 100 rule 10 request ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 30 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.80.13.12" "\1 192.65.79.20" rule 31 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.80.13.12" "\1 192.65.79.20" rule 40 response ANY sdp-header Audio-Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 41 request ANY sdp-header Audio-Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 50 request ANY sdp-header Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 51 response ANY sdp-header Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 60 response ANY sdp-header Session-Owner modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 61 request ANY sdp-header Session-Owner modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 70 request ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.80.13.12" "\1 192.65.79.20" rule 71 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.80.13.12" "\1 192.65.79.20 rule 80 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.80.13.12" "\1 192.65.79.20" rule 81 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.80.13.12" "\1 192.65.79.20"

Here's an explanation of the fields for the configuration:

rules 10 and 20

To allow Webex to authenticate messages from your local gateway, the 'Contact' header in SIP request and responses messages must contain the value provisioned for the trunk in Control Hub. This will either be the FQDN of a single host, or the SRV domain name used for a cluster of devices.

rules 30 to 81

Convert private address references to the external public address for the site, allowing Webex to correctly interpret and route subsequent messages.

SIP profile for inbound messages from Webex Calling 
 voice class sip-profiles 110 rule 10 response ANY sdp-header Video-Connection-Info modify "192.65.79.20" "10.80.13.12" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 30 response ANY sdp-header Connection-Info modify "192.65.79.20" "10.80.13.12" rule 40 response ANY sdp-header Audio-Connection-Info modify "192.65.79.20" "10.80.13.12" rule 50 response ANY sdp-header Session-Owner modify "192.65.79.20" "10.80.13.12" rule 60 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 192.65.79.20" "\1 10.80.13.12" rule 70 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 192.65.79.20" "\1 10.80.13.12" rule 80 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 192.65.79.20" "\1 10.80.13.12"

Here's an explanation of the fields for the configuration:

rules 10 to 80

Convert public address references to the configured private address, allowing messages from Webex to be correctly processed by CUBE.

For more information, see voice class sip-profiles.

10

Configure a SIP Options keepalive with header modification profile.

 voice class sip-profiles 115 rule 10 request OPTIONS sip-header Contact modify "<sip:.*:" "<sip:cube1.lgw.com:" rule 30 request ANY sip-header Via modify "(SIP.*) 10.80.13.12" "\1 192.65.79.20" rule 40 response ANY sdp-header Connection-Info modify "10.80.13.12" "192.65.79.20" rule 50 response ANY sdp-header Audio-Connection-Info modify "10.80.13.12" "192.65.79.20" ! voice class sip-options-keepalive 100 description Keepalive for Webex Calling up-interval 5 transport tcp tls sip-profiles 115

Here's an explanation of the fields for the configuration:

voice class sip-options-keepalive 100

Configures a keepalive profile and enters voice class configuration mode. You can configure the time (in seconds) at which an SIP Out of Dialog Options Ping is sent to the dial-target when the heartbeat connection to the endpoint is in UP or Down status.

This keepalive profile is triggered from the dial-peer configured towards Webex.

To ensure that the contact headers include the SBC fully qualified domain name, SIP profile 115 is used. Rules 30, 40, and 50 are required only when the SBC is configured behind static NAT.

In this example, cube1.lgw.com is the FQDN selected for the Local Gateway and if static NAT is used, "10.80.13.12" is the SBC interface IP address towards Webex Calling and "192.65.79.20" is the NAT public IP address.

11

Configure Webex Calling trunk:

  1. Create voice class tenant 100 to define and group configurations required specifically for the Webex Calling trunk. Dial-peers associated with this tenant later will inherit these configurations:

    The following example uses the values illustrated in Step 1 for the purpose of this guide (shown in bold). Replace these with values for your trunk in your configuration.

     voice class tenant 100 no remote-party-id sip-server dns:us25.sipconnect.bcld.webex.com srtp-crypto 100 localhost dns:cube1.lgw.com session transport tcp tls no session refresh error-passthru bind control source-interface GigabitEthernet0/0/1 bind media source-interface GigabitEthernet0/0/1 no pass-thru content custom-sdp sip-profiles 100 sip-profiles 110 inbound privacy-policy passthru !

    Here's an explanation of the fields for the configuration:

    voice class tenant 100

    We recommend that you use tenants to configure trunks which have their own TLS certificate, and CN or SAN validation list. Here, the tls-profile associated with the tenant contains the trust point to be used to accept or create new connections, and has the CN or SAN list to validate the incoming connections. For more information, see voice class tenant.

    no remote-party-id

    Disable SIP Remote-Party-ID (RPID) header as Webex Calling supports PAI, which is enabled using CIO asserted-id pai. For more information, see remote-party-id.

    sip-server dns:us25.sipconnect.bcld.webex.com

    Configures the target SIP server for the trunk. Use the edge proxy SRV address provided in Control Hub when you created your trunk

    srtp-crypto 100

    Configures the preferred cipher-suites for the SRTP call leg (connection) (specified in Step 5). For more information, see voice class srtp-crypto.

    localhost dns: cube1.lgw.com

    Configures CUBE to replace the physical IP address in the From, Call-ID, and Remote-Party-ID headers in outgoing messages with the provided FQDN.

    session transport tcp tls

    Sets transport to TLS for associated dial-peers. For more information, see session-transport.

    no session refresh

    Disables SIP session refresh globally.

    error-passthru

    Specifies SIP error response pass-thru functionality. For more information, see error-passthru.

    bind control source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for messages sent to Webex Calling. For more information, see bind.

    bind media source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for media sent to Webex Calling. For more information, see bind.

    voice-class sip profiles 100

    Applies the header modification profile (Public IP or NAT addressing) to use for outbound messages. For more information, see voice-class sip profiles.

    voice-class sip profiles 110 inbound

    Applies the header modification profile (NAT addressing only) to use for inbound messages. For more information, see voice-class sip profiles.

    privacy-policy passthru

    Configures the privacy header policy options for the trunk to pass privacy values from the received message to the next call leg. For more information, see privacy-policy.

  2. Configure the Webex Calling trunk dial-peer.

     dial-peer voice 100 voip description Inbound/Outbound Webex Calling destination-pattern BAD.BAD session protocol sipv2 session target sip-server incoming uri request 100 voice-class codec 100 voice-class stun-usage 100 voice-class sip rel1xx disable voice-class sip asserted-id pai voice-class sip tenant 100 voice-class sip options-keepalive profile 100 dtmf-relay rtp-nte srtp no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 100 voip  description Inbound/Outbound Webex Calling

    Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 100 handles SIP call legs. For more information, see session protocol (dial-peer).

    session target sip-server

    Indicates that the SIP server defined in tenant 100 is inherited and used for the destination for calls from this dial peer.

    incoming uri request 100

    To specify the voice class used to match a VoIP dial peer to the uniform resource identifier (URI) of an incoming call. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Webex Calling. For more information, see voice class codec.

    voice-class stun-usage 100

    Allows locally generated STUN requests on the Local Gateway to be sent over the negotiated media path. STUN help to open a firewall pinhole for media traffic.

    voice-class sip asserted-id pai

    Sets the outgoing calling information using the privacy asserted ID (PAI) header. For more information, see voice-class sip asserted-id.

    voice-class sip tenant 100

    The dial-peer inherits all parameters configured globally and in tenant 100. Parameters may overridden at the dial-peer level. For more information, see  voice-class sip tenant.

    voice-class sip options-keepalive profile 100

    This command is used to monitor the availability of a group of SIP servers or endpoints using a specific profile (100).

    srtp

    Enables SRTP for the call leg.

Configure Local Gateway with a SIP PSTN trunk

Having built a trunk towards Webex Calling above, use the following configuration to create a non-encrypted trunk towards a SIP based PSTN provider:

If your Service Provider offers a secure PSTN trunk, you may follow a similar configuration as detailed above for the Webex Calling trunk. Secure to secure call routing is supported by CUBE.

If you are using a TDM / ISDN PSTN trunk, skip to next section Configure Local Gateway with TDM PSTN trunk.

To configure TDM interfaces for PSTN call legs on the Cisco TDM-SIP Gateways, see  Configuring ISDN PRI.

1

Configure the following voice class uri to identify inbound calls from the PSTN trunk:

 voice class uri 200 sip host ipv4:192.168.80.13

Here's an explanation of the fields for the configuration:

voice class uri 200 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use the IP address of you IP PSTN gateway. For more information, see  voice class uri.

2

Configure the following IP PSTN dial-peer:

 dial-peer voice 200 voip description Inbound/Outbound IP PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.13 incoming uri via 200 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 voice-class codec 100 dtmf-relay rtp-nte no vad

Here's an explanation of the fields for the configuration:

 dial-peer voice 200 voip  description Inbound/Outbound IP PSTN trunk

Defines a VoIP dial-peer with a tag of 200 and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that dial-peer 200 handles SIP call legs. For more information, see session protocol (dial peer).

session target ipv4:192.168.80.13

Indicates the destination’s target IPv4 address to send the call leg. The session target here is ITSP’s IP address. For more information, see  session target (VoIP dial peer).

incoming uri via 200

Defines a match criterion for the VIA header with the IP PSTN’s IP address. Matches all incoming IP PSTN call legs on the Local Gateway with dial-peer 200. For more information, see  incoming url.

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

voice-class codec 100

Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

dtmf-relay rtp-nte

Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see DTMF Relay (Voice over IP).

no vad

משבית את זיהוי הפעילות הקולית. For more information, see vad (dial peer).

3

If you are configuring your Local Gateway to only route calls between Webex Calling and the PSTN, add the following call routing configuration. If you are configuring your Local Gateway with a Unified Communications Manager platform, skip to the next section.

  1. Create dial-peer groups to route calls towards Webex Calling or the PSTN. Define DPG 100 with outbound dial-peer 100 toward Webex Calling. DPG 100 is applied to the incoming dial-peer from the PSTN. Similarly, define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200

    Here's an explanation of the fields for the configuration:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls from Webex to the PSTN and from the PSTN to Webex: 

     dial-peer voice 100 destination dpg 200 dial-peer voice 200 destination dpg 100

    Here's an explanation of the fields for the configuration:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.

Configure Local Gateway with a TDM PSTN trunk

Having built a trunk towards Webex Calling, use the following configuration to create a TDM trunk for your PSTN service with loop-back call routing to allow media optimization on the Webex call leg.

If you do not require IP media optimization, follow the configuration steps for a SIP PSTN trunk. Use a voice port and POTS dial-peer (as shown in Steps 2 and 3) instead of the PSTN VoIP dial-peer.
1

The loop-back dial-peer configuration uses dial-peer groups and call routing tags to ensure that calls pass correctly between Webex and the PSTN, without creating call routing loops. Configure the following translation rules that will be used to add and remove the call routing tags:

 voice translation-rule 100 rule 1 /^\+/ /A2A/ voice translation-profile 100 translate called 100 voice translation-rule 200 rule 1 /^/ /A1A/ voice translation-profile 200 translate called 200 voice translation-rule 11 rule 1 /^A1A/ // voice translation-profile 11 translate called 11 voice translation-rule 12 rule 1 /^A2A44/ /0/ rule 2/^A2A/ /00/ voice translation-profile 12 translate called 12

Here's an explanation of the fields for the configuration:

voice translation-rule

Uses regular expressions defined in rules to add or remove call routing tags. Over-decadic digits (‘A’) are used to add clarity for troubleshooting.

In this configuration, the tag added by translation-profile 100 is used to guide calls from Webex Calling towards the PSTN via the loopback dial-peers. Similarly, the tag added by translation-profile 200 is used to guide calls from the PSTN towards Webex Calling. Translation-profiles 11 and 12 remove these tags before delivering calls to the Webex and PSTN trunks respectively.

This example assumes that called numbers from Webex Calling are presented in +E.164 format. Rule 100 removes the leading + to maintain a valid called number. Rule 12 then adds a national or international routing digit(s) when removing the tag. Use digits that suit your local ISDN national dial plan.

If Webex Calling presents numbers in national format, adjust rules 100 and 12 to simply add and remove the routing tag respectively.

For more information, see voice translation-profile and voice translation-rule.

2

Configure TDM voice interface ports as required by the trunk type and protocol used. For more information, see Configuring ISDN PRI. For example, the basic configuration of a Primary Rate ISDN interface installed in NIM slot 2 of a device might include the following:

 card type e1 0 2 isdn switch-type primary-net5 controller E1 0/2/0 pri-group timeslots 1-31
3

Configure the following TDM PSTN dial-peer:

 dial-peer voice 200 pots description Inbound/Outbound PRI PSTN trunk destination-pattern BAD.BAD translation-profile incoming 200 direct-inward-dial port 0/2/0:15

Here's an explanation of the fields for the configuration: 

 dial-peer voice 200 pots  description Inbound/Outbound PRI PSTN trunk

Defines a VoIP dial-peer with a tag of 200 and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

translation-profile incoming 200

Assigns the translation profile that will add a call routing tag to the incoming called number.

direct-inward-dial

Routes the call without providing a secondary dial-tone. For more information, see direct-inward-dial.

port 0/2/0:15

The physical voice port associated with this dial-peer.

4

To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, you can modify the call routing by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks. Configure the following loop-back dial-peers. In this case, all incoming calls will be routed initially to dial-peer 10 and from there to either dial-peer 11 or 12 based on the applied routing tag. After removal of the routing tag, calls will be routed to the outbound trunk using dial-peer groups.

 dial-peer voice 10 voip description Outbound loop-around leg destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.14 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 11 voip description Inbound loop-around leg towards Webex translation-profile incoming 11 session protocol sipv2 incoming called-number A1AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 12 voip description Inbound loop-around leg towards PSTN translation-profile incoming 12 session protocol sipv2 incoming called-number A2AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad

Here's an explanation of the fields for the configuration: 

 dial-peer voice 10 pots  description Outbound loop-around leg

Defines a VoIP dial-peer and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

translation-profile incoming 11

Applies the translation profile defined earlier to remove the call routing tag before passing to the outbound trunk.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that this dial-peer handles SIP call legs. For more information, see  session protocol (dial peer).

session target 192.168.80.14

Specifies the local router interface address as the call target to loop-back. For more information, see session target (voip dial peer).

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent through the loop-back. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent through the loop-back. For more information, see  bind.

dtmf-relay rtp-nte

Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

codec g711alaw

Forces all PSTN calls to use G.711. Select a-law or u-law to match the companding method used by your ISDN service.

no vad

משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

5

Add the following call routing configuration:

  1. Create dial-peer groups to route calls between the PSTN and Webex trunks, via the loop-back.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 10 description Route calls to Loopback dial-peer 10

    Here's an explanation of the fields for the configuration:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls.

     dial-peer voice 100 destination dpg 10 dial-peer voice 200 destination dpg 10 dial-peer voice 11 destination dpg 100 dial-peer voice 12 destination dpg 200

    Here's an explanation of the fields for the configuration:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.
Configure Local Gateway with an existing Unified CM environment

The PSTN-Webex Calling configuration in the previous sections may be modified to include additional trunks to a Cisco Unified Communications Manager (UCM) cluster. In this case, all calls are routed via Unified CM. Calls from UCM on port 5060 are routed to the PSTN and calls from port 5065 are routed to Webex Calling. The following incremental configurations may be added to include this calling scenario.

1

קבע את תצורת מזהי ה-URI הבאים של המחלקה הקולית:

  1. Classifies Unified CM to Webex calls using SIP VIA port:

     voice class uri 300 sip pattern :5065

  2. Classifies Unified CM to PSTN calls using SIP via port:

     voice class uri 400 sip pattern 192\.168\.80\.6[0-5]:5060

    Classify incoming messages from the UCM towards the PSTN trunk using one or more patterns that describe the originating source addresses and port number. Regular expressions may be used to define matching patterns if required.

    In the example above, a regular expression is used to match any IP address in the range 192.168.80.60 to 65 and port number 5060.

2

Configure the following DNS records to specify SRV routing to Unified CM hosts:

IOS XE uses these records for locally determining target UCM hosts and ports. With this configuration, it is not required to configure records in your DNS system. If you prefer to use your DNS, then these local configurations are not required.

 ip host ucmpub.mydomain.com 192.168.80.60 ip host ucmsub1.mydomain.com 192.168.80.61 ip host ucmsub2.mydomain.com 192.168.80.62 ip host ucmsub3.mydomain.com 192.168.80.63 ip host ucmsub4.mydomain.com 192.168.80.64 ip host ucmsub5.mydomain.com 192.168.80.65 ip host _sip._udp.wxtocucm.io srv 0 1 5065 ucmpub.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub1.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub2.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub3.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub4.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub5.mydomain.com ip host _sip._udp.pstntocucm.io srv 0 1 5060 ucmpub.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub1.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub2.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub3.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub4.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

Here's an explanation of the fields for the configuration:

The following command creates a DNS SRV resource record. Create a record for each UCM host and trunk:

ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

_sip._udp.pstntocucm.io: SRV resource record name

2: The SRV resource record priority

1: The SRV resource record weight

5060: The port number to use for the target host in this resource record

ucmsub5.mydomain.com: The resource record target host

To resolve the resource record target host names, create local DNS A records. לדוגמה:

ip host ucmsub5.mydomain.com 192.168.80.65

ip host: Creates a record in the local IOS XE database.

ucmsub5.mydomain.com: The A record host name.

192.168.80.65: The host IP address.

Create the SRV resource records and A records to reflect your UCM environment and preferred call distribution strategy.

3

Configure the following dial-peers:

  1. Dial-peer for calls between Unified CM and Webex Calling:

     dial-peer voice 300 voip description UCM-Webex Calling trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:wxtocucm.io incoming uri via 300 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 300 voip  description UCM-Webex Calling trunk

    Defines a VoIP dial-peer with a tag 300 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 300 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:wxtocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record wxtocucm.io is used to direct calls.

    incoming uri via 300

    Uses voice class URI 300 to direct all incoming traffic from Unified CM using source port 5065 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

    no vad

    משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

  2. Dial-peer for calls between Unified CM and the PSTN:

     dial-peer voice 400 voip description UCM-PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:pstntocucm.io incoming uri via 400 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    Here's an explanation of the fields for the configuration:

     dial-peer voice 400 voip  description UCM-PSTN trunk

    Defines a VoIP dial-peer with a tag of 400 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 400 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:pstntocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record pstntocucm.io is used to direct calls.

    incoming uri via 400

    Uses voice class URI 400 to direct all incoming traffic from the specified Unified CM hosts using source port 5060 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more information, see  DTMF Relay (Voice over IP).

    no vad

    משבית את זיהוי הפעילות הקולית. For more information, see  vad (dial peer).

4

Add call routing using the following configurations:

  1. Create dial-peer groups to route calls between Unified CM and Webex Calling. Define DPG 100 with outbound dial-peer 100 towards Webex Calling. DPG 100 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 300 with outbound dial-peer 300 toward Unified CM. DPG 300 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 300 description Route calls to Unified CM Webex Calling trunk dial-peer 300

  2. Create a dial-peer groups to route calls between Unified CM and the PSTN. Define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 400 with outbound dial-peer 400 toward Unified CM. DPG 400 is applied to the incoming dial-peer from the PSTN.

     voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 400 description Route calls to Unified CM PSTN trunk dial-peer 400

    Here's an explanation of the fields for the configuration:

    dial-peer  100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  3. Apply dial-peer groups to route calls from Webex to Unified CM and from Unified CM to Webex: 

     dial-peer voice 100 destination dpg 300 dial-peer voice 300 destination dpg 100

    Here's an explanation of the fields for the configuration:

    destination dpg 300

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

  4. Apply dial-peer groups to route calls from the PSTN to Unified CM and from Unified CM to the PSTN:

     dial-peer voice 200 destination dpg 400 dial-peer voice 400 destination dpg 200

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features have been configured.

Monitor and troubleshoot Local Gateway with diagnostic signatures

Diagnostic Signatures (DS) proactively detects commonly observed issues in the Cisco IOS XE-based Local Gateway and generates email, syslog, or terminal message notification of the event. באפשרותך גם להתקין את DS כדי להפוך את איסוף נתוני האבחון לאוטומטי ולהעביר נתונים שנאספו למקרה Cisco TAC כדי לקצר את זמן הפתרון.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to inform, troubleshoot, and remediate the issue. Use syslog messages, SNMP events and through periodic monitoring of specific show command outputs to define the problem detection logic. The action types include:

  • Collecting show command outputs

  • Generating a consolidated log file

  • Uploading the file to a user provided network location such as HTTPS, SCP, FTP server

TAC engineers author DS files and digitally sign it for integrity protection. Each DS file has the unique numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

  • Do not edit the DS file that you download from DSLT. The files that you modify fail installation due to the integrity check error.

  • A Simple Mail Transfer Protocol (SMTP) server you require for the Local Gateway to send out email notifications.

  • Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use the secure SMTP server for email notifications.

דרישות מקדימות

שער מקומי שבו פועל IOS XE 17.6.1 ואילך

  1. התכונה חתימות אבחון מופעלת כברירת מחדל.

  2. Configure the secure email server that you use to send proactive notification if the device is running IOS XE 17.6.1 or higher.

     configure terminal call-home mail-server <username>:<pwd>@<email server> priority 1 secure tls end

  3. Configure the environment variable ds_email with the email address of the administrator to you notify.

     configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_email <email address> end

Install diagnostic signatures for proactive monitoring

Monitoring high CPU utilization

This DS tracks 5-seconds CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that you install in the Local Gateway. השתמש בשלבים הבאים כדי להתקין את החתימה.

  1. Ensure that you enabled SNMP using the command show snmp. If SNMP is not enabled, then configure the snmp-server manager command.

     show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input      0 Bad SNMP version errors      1 Unknown community name      0 Illegal operation for community name supplied      0 Encoding errors 37763 Number of requested variables      2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs      2 Set-request PDUs      0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output      0 Too big errors (Maximum packet size 1500) 20 No such name errors      0 Bad values errors      0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 SNMP global trap: מופעל

  2. הורד את DS 64224 באמצעות אפשרויות הרשימה הנפתחת הבאות ב-Diagnostic Signatures Lookup Tool:

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    מוצר

    CUBE Enterprise in Webex Calling solution

    היקף בעיה

    ביצועים

    סוג בעיה

    ניצול CPU גבוה עם התראה בדוא"ל

  3. העתק את קובץ ה-XML של DS ל-flash של השער המקומי.

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    The following example shows copying the file from an FTP server to the Local Gateway.

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash:  Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...!  [OK - 3571/4096 bytes] 3571 bytes copied in 0.064 secs (55797 bytes/sec)

  4. התקן את קובץ ה-XML של DS בשער המקומי.

     call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success

  5. Use the show call-home diagnostic-signature command to verify that the signature is successfully installed. The status column must have a “registered” value. 

     show call-home diagnostic-signature Current diagnostic-signature settings:   Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com

    הורד חתימות DS:

    מזהה DS

    שם DC

    מהדורה

    מצב

    עדכון אחרון (GMT+00:00)

    64224

    DS_LGW_CPU_MON75

    0.0.10

    רשום

    2020-11-07 22:05:33

    כאשר החתימה הזו מופעלת, היא מסירה את ההתקנה של כל חתימות האבחון הפועלות, כולל את עצמה. If necessary, please reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring abnormal call disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and 503.  If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Please use the steps below to install the signature.

  1. Ensure that SNMP is enabled using the command show snmp. If SNMP is not enabled, configure the snmp-server manager command. 

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input      0 Bad SNMP version errors      1 Unknown community name      0 Illegal operation for community name supplied      0 Encoding errors 37763 Number of requested variables      2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs      2 Set-request PDUs      0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output      0 Too big errors (Maximum packet size 1500) 20 No such name errors      0 Bad values errors      0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 SNMP global trap: מופעל

  2. הורד את DS 65221 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    ביצועים

    סוג בעיה

    SIP abnormal call disconnect detection with Email and Syslog Notification.

  3. העתק את קובץ ה-XML של DS לשער המקומי.

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. התקן את קובץ ה-XML של DS בשער המקומי. 

     call-home diagnostic-signature load DS_65221.xml Load file DS_65221.xml success

  5. Use the command show call-home diagnostic-signature to verify that the signature is successfully installed. עמודת המצב צריכה לכלול ערך "רשום".

Install diagnostic signatures to troubleshoot a problem

You can also use Diagnostic Signatures (DS) to resolve issues quickly. Cisco TAC engineers have authored several signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco TAC case. הדבר מבטל את הצורך בבדיקה ידנית של מופע הבעיה ומאפשר לפתור בעיות המתרחשות לסירוגין ובעיות ארעיות הרבה יותר בקלות.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to selfsolve a given issue or you can install the signature that is recommended by the TAC engineer as part of the support engagement.

הנה דוגמה כיצד למצוא ולהתקין DS כדי לזהות את המופע "‎%VOICE_IEC-3-GW: CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0" syslog and automate diagnostic data collection using the following steps:

  1. Configure another DS environment variable ds_fsurl_prefix as the Cisco TAC file server path (cxd.cisco.com) to upload the diagnostics data. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager as shown in the following. The file upload token can be generated in the Attachments section of the Support Case Manager, as required. 

     configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com" end

    דוגמה: 

     call-home diagnostic-signature environment ds_fsurl_prefix " environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. Ensure that SNMP is enabled using the command show snmp. If SNMP not enabled, configure the snmp-server manager command.

     show snmp %SNMP agent not enabled config t snmp-server manager end

  3. We recommend installing the High CPU monitoring DS 64224 as a proactive measure to disable all debugs and diagnostics signatures during the time of high CPU utilization. הורד את DS 64224 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    ביצועים

    סוג בעיה

    High CPU Utilization with Email Notification.

  4. הורד את DS 65095 באמצעות האפשרויות הבאות ב-Diagnostic Signatures Lookup Tool:

    שם שדה

    ערך שדה

    פלטפורמה

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    מוצר

    CUBE Enterprise בפתרון Webex Calling

    היקף בעיה

    יומני Syslog

    סוג בעיה

    Syslog‏ - ‎%VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. העתק את קובצי ה-XML של DS לשער המקומי.

     copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:  copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. Install the high CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway. 

     call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success call-home diagnostic-signature load DS_65095.xml Load file DS_65095.xml success

  7. ודא שהחתימה מותקנת בהצלחה באמצעות show call-home diagnostic-signature. עמודת המצב צריכה לכלול ערך "רשום". 

     show call-home diagnostic-signature Current diagnostic-signature settings:   Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

    חתימות DS שהורדו:

    מזהה DS

    שם DC

    מהדורה

    מצב

    עדכון אחרון (GMT+00:00)

    64224

    00:07:45

    DS_LGW_CPU_MON75

    0.0.10

    רשום

    2020-11-08:00:07:45

    65095

    00:12:53

    DS_LGW_IEC_Call_spike_threshold

    0.0.12

    רשום

    2020-11-08:00:12:53

Verify diagnostic signatures execution

In the following command, the “Status” column of the command show call-home diagnostic-signature changes to “running” while the Local Gateway executes the action defined within the signature. The output of show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature detects an event of interest and executed the action. The “Triggered/Max/Deinstall” column indicates the number of times the given signature has triggered an event, the maximum number of times it is defined to detect an event and whether the signature deinstalls itself after detecting the maximum number of triggered events. 

show call-home diagnostic-signature Current diagnostic-signature settings:   Diagnostic-signature: enabled Profile: CiscoTAC-1 (status: ACTIVE) Downloading URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: carunach@cisco.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

חתימות DS שהורדו:

מזהה DS

שם DC

מהדורה

מצב

עדכון אחרון (GMT+00:00)
64224

DS_LGW_CPU_MON75

0.0.10

רשום

2020-11-08 00:07:45

65095

DS_LGW_IEC_Call_spike_threshold

0.0.12

פועל

2020-11-08 00:12:53

show call-home diagnostic-signature statistics

מזהה DS

שם DC

Triggered/Max/Deinstall

זמן ריצה ממוצע (שניות)

זמן ריצה מקסימלי (שניות)
64224

DS_LGW_CPU_MON75

‎0/0/N

0.000

0.000

65095

DS_LGW_IEC_Call_spike_threshold

1/20/Y

23.053

23.053

The notification email that is sent during Diagnostic Signature execution contains key information such as issue type, device details, software version, running configuration and show command outputs that are relevant to troubleshoot the given problem.

Uninstall diagnostic signatures

Use the diagnostic signatures for troubleshooting purposes are typically defined to uninstall after detection of some problem occurrences. If you wish to uninstall a signature manually, retrieve the DS ID from the output of show call-home diagnostic-signature and run the following command:

call-home diagnostic-signature deinstall <DS ID>

דוגמה:

call-home diagnostic-signature deinstall 64224

New signatures are added to the Diagnostics Signatures Lookup Tool periodically, based on issues that are observed in deployments. TAC אינו תומך כרגע בבקשות ליצירת חתימות מותאמות אישית חדשות.