概述

Webex 当前支持两个版本的本地网关:

  • 本地网关

  • Webex for 的本地网关

关键注意事项

  • 开始之前,请了解Webex 的本地公共交换电话网络(PSTN)和本地网关(LGW)要求。请参阅 Cisco 首选架构Webex Calling 获取更多信息。

  • 本文假设已设置专用的本地网关平台,不存在语音配置。如果您修改现有PSTN网关或CUBE企业部署以用作Webex 的本地网关功能,请注意配置。确保您所做的更改不会中断现有的呼叫流程和功能。

程序包含指向命令引用文档的链接,您可以在其中了解各个命令选项的更多信息。除非另有说明(在这种情况下,命令链接转至Webex托管网关命令参考 )(在这种情况下,命令链接转至 Cisco IOS语音命令参考)。您可以在Cisco Unified Border Element Reference 所有这些指南。

有关支持的第三方SBC的信息,请参阅相应的产品参考文档。

配置本地网关

有两个选项来为中继配置本地网关Webex Calling 网关:

  • 基于注册的中继

  • 基于证书的中继

使用基于注册的本地网关基于证书的本地网关 下的任务流程为Webex 干线配置本地网关。

有关不同干线类型的更多信息,请参阅本地网关入门 。使用命令行界面 (CLI) 在本地网关本身上执行以下步骤。我们使用会话发起协议(SIP)和传输层安全性(TLS)传输来保护干线,并使用安全实时协议(SRTP)来保护本地网关和Webex 之间的媒体。

关键注意事项

  • 选择CUBE作为本地网关。Webex for 当前不支持任何第三方会话边界控制器(SBC)。要查看最新列表,请参阅本地网关入门

  • 为所有Webex for 本地网关安装Cisco IOS XE Dublin 17.12.1a或更高版本。

  • 要查看Webex for 支持的根证书颁发机构(CA)列表,请参阅 bex for 的根证书颁发机构

  • 有关Webex for 中本地网关的外部端口范围的详细信息,请参阅 bex for (FedRAMP)的网络要求

政府版Webex的本地网关不支持以下内容:

  • 用于媒体路径优化的STUN/IC-Lite功能

  • 传真(T.38)

为Webex for 配置本地网关

要在政府版Webex中为您的Webex 中继配置本地网关,请使用以下选项:

  • 基于证书的中继

使用基于证书的本地网关 下的任务流程为Webex 中继配置本地网关。有关如何配置基于证书的本地网关的更多详细信息,请参阅 基于证书的Webex 干线

必须配置符合FIPS的GCM密码,以支持政府版Webex的本地网关。否则,呼叫设置将失败。有关配置详细信息,请参阅 基于证书的Webex 干线

Webex for 不支持基于注册的本地网关。

设计概述

本节介绍如何使用注册SIP干线将Cisco Unified Border Element (CUBE)配置为Webex 的本地网关。本文档的第一部分介绍如何配置简单的PSTN网关。在这种情况下,来自PSTN的所有呼叫都路由到Webex ,而来自Webex 的所有呼叫都路由到PSTN。下图突出显示了此解决方案和后续的高级呼叫路由配置。

在此设计中,使用了以下主要配置:

  • 语音类租户: 用于创建干线特定配置。

  • 语音类uri: 用于对SIP消息进行分类,以选择入站拨号对等方。

  • 入站拨号对等方: 提供入站SIP消息的处理,并通过拨号对等方组确定出站路由。

  • 拨号对等方组: 定义用于前转呼叫路由的出站拨号对等方。

  • 出站拨号对等方: 提供出站SIP消息的处理,并将其路由到所需的终端。

从PSTN到/从Webex 配置解决方案的呼叫路由

虽然IP和SIP已成为PSTN干线的默认协议,但TDM(时分多路复用)ISDN电路仍在广泛使用,并受Webex 干线支持。要使用TDM-IP呼叫流为本地网关启用IP路径的媒体优化,目前需要使用两段呼叫路由过程。此方法通过在Webex 和PSTN干线之间引入一组内部回环拨号对等方,修改上图所示的呼叫路由配置。

将本地Cisco Unified Communications Manager解决方案与Webex 连接时,您可以使用简单的PSTN网关配置作为构建解决方案的基准,如下图所示。在这种情况下,Unified Communications Manager提供所有PSTN和Webex 呼叫的集中路由和处理。

本文档中使用了下图所示的主机名、IP地址和接口。

使用本文档其余部分中的配置指南按如下方式完成本地网关配置:

  • 步骤 1:配置路由器基准连接和安全性

  • 步骤 2:配置Webex 中继

    根据您所需的架构,请执行以下任一操作:

  • 步骤 3:使用SIP PSTN干线配置本地网关

  • 步骤 4:使用现有Unified CM环境配置本地网关

    或:

  • 步骤 3:使用TDM PSTN干线配置本地网关

配置连接和安全性

基准配置

将Cisco路由器准备为Webex 的本地网关的第一步是构建保护平台并建立连接的基准配置。

  • 所有基于注册的本地网关部署都需要Cisco IOS XE 17.6.1a或更高版本。有关推荐的版本,请参阅 isco软件研究 。搜索平台并选择 版本之一。

    • ISR4000系列路由器必须同时配置Unified Communications和安全技术许可证。

    • 装有语音卡或DSP的Catalyst Edge 8000系列路由器需要DNA优势许可。没有语音卡或DSP的路由器至少需要DNA精要许可。

  • 为您的平台构建一个遵循您业务策略的基准配置。特别是,配置以下各项并验证工作:

    • NTP

    • Acl

    • 用户验证和远程访问

    • DNS

    • IP 路由

    • IP地址

  • 面向Webex 的网络必须使用IPv4地址。

  • 将Cisco根CA捆绑包上传到本地网关。

配置

1

确保为任何第3层接口分配有效且可路由的IP地址,例如:

 接口GigabitEthernet0/0/0描述面向PSTN和/或CUCM ip地址的接口10.80.13.12,255.255.255.0 !接口GigabitEthernet0/0/1描述面向Webex 的接口(专用地址) ip地址192.51.100.1,255.255.240

2

使用对称加密保护路由器上的注册和STUN凭证。按如下方式配置主加密密钥和加密类型:

 密钥配置密钥密码加密您的密码加密

3

创建占位符PKI信任点。

需要此信任点稍后配置TLS。对于基于注册的干线,此信任点不需要证书-与基于证书的干线一样。
 crypto pki trustpoint EmptyTP吊销-检查无
4

启用TLS1.2排他性,并使用以下配置命令指定默认信任点。还应更新传输参数,以确保可靠的安全登记连接:

如果租户200中配置的主机名包含在从出站代理收到的证书的CN或SAN字段中,则cn-san验证服务器命令可确保本地网关允许连接。

  1. cp-重试计数设置 为1000(5 msec倍数= 5秒)。

  2. 时器连接建立 命令允许您在考虑下一个可用选项之前调整LGW为与代理建立连接而等待的时间。该计时器的默认值为20秒,最小值为5秒。以较低的值开始,并在必要时根据网络条件增加值。

 sip-ua计时器连接建立tls 5 transport tcp tls v1.2加密信令默认trustpoint EmptyTP cn-san-validate server tcp-retry 1000

5

安装Cisco根CA套件,其中包含Webex 使用的DigiCert CA证书。使用 to pki trustpool import clean url 命令从指定的URL下载根CA捆绑包,清除当前CA trustpool,然后安装新的证书捆绑包:

如果您需要使用代理访问使用HTTPS的互联网,请在导入CA捆绑包之前添加以下配置:

ip http client -server your 。com -port 80
 ip http client source interface GigabitEthernet0/0/1 crypto pki trustpool import clean url https://www.cisco.com/security/pki/trs/ios_core.p7b
配置基于注册的Webex 干线
1

为Control Hub中的现有位置创建基于注册的PSTN中继。在创建干线后,记下提供的干线信息。这些详细信息将在本指南的配置步骤中使用,如下图所示。有关更多信息,请参阅 Webex 的中继、路由组和拨号方案

2

输入以下命令以将CUBE配置为Webex 本地网关:

 语音服务voip ip地址受信任列表ipv4 x.x.x.x y.y.y模式边界元素媒体统计媒体批量统计sip to sip no additional-service sip refer stunstun流数据agent-id 1启动计数4 stun流数据共享秘密0密码123$ sip非对称有效负载完全提前提供强制

以下是配置字段的说明:

  地址受信任列表  ipv4 x.x.x.x y.y.y.y.y

  • 为了防止收费欺诈,受信任的地址列表定义了本地网关期望从中进行合法VoIP呼叫的主机和网络列表。

  • 默认情况下,本地网关会阻止来自不在其受信任列表中的IP地址的所有传入VoIP消息。默认情况下,具有“会话目标IP”或服务器组IP地址的静态配置的拨号对等方受信任,因此无需添加到受信任列表。

  • 配置本地网关时,将区域Webex 数据中心的IP子网添加到列表中。有关更多信息,请参阅 Webex Calling 的端口参考信息。此外,为Unified Communications Manager服务器(如果使用)和PSTN干线网关添加地址范围。

    如果您的LGW位于具有受限锥形NAT的防火墙后,您可能希望在面向Webex 的界面上禁用IP地址受信任列表。防火墙已保护您免受未经请求的入站网络语音。禁用操作会降低您的长期 配置开销,因为我们无法保证 Webex Calling 同伴的地址保持不变,并且您在任何情况下都必须为这些同事配置防火墙。

模式边框元素

在平台上启用Cisco Unified Border Element (CUBE)功能。

媒体统计

在本地网关上启用媒体监控。

媒体批量统计

允许控制飞机对数据飞机进行投票,从而批量呼叫统计信息。

有关这些命令的更多信息,请参阅媒体

allow-connections sip to sip

启用CUBE基本SIP背靠背用户代理功能。有关详细信息,请参阅允许连接

默认情况下,启用T.38传真传输。有关详细信息,请参阅 协议t38(语音服务)

studn

全局启用STUN(通过NAT的UDP会话遍历)。

  • 当您将呼叫转发给 Webex Calling 用户(例如,被叫方和主叫方都是 Webex Calling 订户,如果您将媒体固定到 Webex Calling SBC),那么媒体无法流式到本地网关,因为针孔未打开。

  • 本地网关上的STUN绑定功能允许通过协商的媒体路径发送本地生成的STUN请求。这有助于在防火墙中打开针孔。

有关详细信息,请参阅 流数据代理-id 流数据共享-密钥

非对称有效载荷满

配置DTMF和动态编解码器负载的SIP非对称负载支持。有关此命令的更多信息,请参阅非对称负载

early-offer forced

强制本地网关在初始INVITE消息中发送SDP信息,而不是等待邻近对等机的确认。有关此命令的更多信息,请参阅提前报价

3

为干线配置 类编解码器100 过滤器。在此示例中,所有干线都使用相同的编解码器过滤器。您可以为每个干线配置过滤器,以实现精确控制。

 语音类编解码器100编解码器首选项1 opus编解码器首选项2 g711ulaw编解码器首选项3 g711alaw

以下是配置字段的说明:

语音类编解码器100

用于仅允许通过SIP干线进行呼叫的首选编解码器。有关详细信息,请参阅语音类编解码器

Opus编解码器仅支持基于SIP的PSTN干线。如果PSTN干线使用语音T1/E1或模拟FXO连接,则排除编解码器首选项1奥普斯 从LabVIEW语音类编解码器100 配置。

4

配置 类stun使用率100 以在Webex 干线上启用ICE。

 语音类眩晕使用情况100眩晕使用防火墙-穿越流数据眩晕使用冰

以下是配置字段的说明:

眩晕使用冰精简版

用于为所有面向Webex 的拨号对等方启用ICE-Lite,以允许尽可能优化媒体。有关更多信息,请参阅voice class stun使用情况stun use ice lite

使用媒体路径优化的呼叫流需要使用ICE-lite的stun。要为SIP到TDM网关提供媒体优化,请在IP-IP分支上配置启用ICE-Lite的环回拨号对等方。有关更多技术详细信息,请联系客户或TAC团队

5

为Webex流量配置媒体加密策略。

 voice class srtp-crypto 100 crypto 1 AES_ _128_  MAC_  1_80

以下是配置字段的说明:

语音类srtp-crypto 100

指定SHA1_80为提议和应答消息中SDP中提供的唯一SRTP密码套件CUBE。Webex 仅支持SHA1_80。有关更多信息,请参阅 类srtp-crypto

6

配置模式以根据目标干线参数唯一标识对本地网关干线的呼叫: 

 语音类uri 100 sip pattern dtg= 1463285401_  GU

以下是配置字段的说明:

语音类uri 100 sip

定义将传入SIP邀请与传入中继拨号对等方匹配的模式。输入此模式时,请使用dtg=,后跟创建干线时Control Hub中提供的干线OTG/DTG值。有关更多信息,请参阅 类uri

7

配置 配置文件100,用于在SIP消息发送到Webex 之前对其进行修改。

 voice class sip-profile 100 rule 10 request ANY SIP-HEADER SIP-Req-URI modify "sips:" "sip:" rule 20 request ANY SIP-header修改"" "" " otg=dallas1463285401_lgu>" rule 90 request ANY SIP-HEADER P- - 修改" sips:"

以下是配置字段的说明:

  • 第10至70条和第90条

    确保用于呼叫信令的SIP标头使用sip,而不是Webex代理要求的sips方案。将CUBE配置为使用sips可确保使用安全注册。

  • 第80条

    修改From标头以包含Control Hub中的中继组OTG/DTG标识符,以唯一标识企业内的本地网关站点。

8

配置Webex 中继:

  1. 创建 语类租户100 以定义和分组专门针对Webex 干线所需的配置。特别是,之前在Control Hub中提供的中继注册详细信息将在以下步骤中使用。稍后与此租户关联的拨号对等方将继承这些配置。

    以下示例针对本指南的目的使用步骤1中所示的值(以粗体显示)。将这些值替换为配置中干线的值。

     语音类租户100注册器dns:98027369.us10.bcld.webex.com scheme sips过期240刷新比率50 tcp tls凭证编号  1171197921_  GU 用户名  1463285401_  GU 密码0 9Wt[M6ifY+ 领域broadWorks验证用户名  1463285401_ LGU 密码0 9Wt[M6ifY+ 领域BroadWorks验证用户名  1463285401_ LGU 密码0 9Wt[M6ifY+ 领域 98027369.us10.bcld.webex.com no remote-party-id sip-server dns:98027369.us 10.bcld.webex.com connection-reuse srtp-crypto 100 session transport tcp tls url sips error-passthru -id pai bind control source-interface GigabitEthernet0/0/1bind media source-interface GigabitEthernet0/0/1 no pass-thru content custom-sdp sip-profile 100 out-proxy dns: fw04.sipconnect-us.bcld.webex 。com隐私政策直通

    以下是配置字段的说明:

    语音类 100

    定义一组仅用于Webex 干线的配置参数。有关更多信息,请参阅

    ns:98027369.us10.bcld.webex.com 240 50 cp tls

    注册设置为每隔两分钟刷新一次(240 秒的 50%)的本地网关的 Registrar 服务器。有关更多信息,请参阅注册员

    确保在此处使用Control Hub中的“寄存器域”值。

    证号Dallas 1171197921_ GU 1463285401_ GU 0 9Wt[M6ifY+ 领域 BroadWorks

    用于中继注册验证的凭证。有关详细信息,请参阅凭证(SIP UA)

    确保您在此处分别从Control Hub使用线路/端口主机、身份验证用户名和身份验证密码的值。

    用户名 1171197921_ GU 0 9Wt[M6ifY+ BroadWorks
    验证用户名 达拉斯1171197921_lgu 密码 0 9Wt[M6if Y+ 领域 98027369.us10.bcld.webex.com

    呼叫的验证质询。有关详细信息,请参阅身份验证(拨号对等方)

    确保您在此处分别使用Control Hub中的身份验证用户名、身份验证密码和注册器域值。

    no remote-party-id

    由于Webex 支持PAI,禁用SIP Remote-Party-ID (RPID)标头,该标头使用CIO -id pai启用。有关详细信息,请参阅remote-party-id

    -server dns:us 25.sipconnect.bcld.webex.com

    配置干线的目标SIP服务器。创建中继时,使用Control Hub中提供的边缘代理SRV地址。

    connection-reuse

    使用相同的永久连接进行注册和呼叫处理。有关详细信息,请参阅连接复用

    tp-crypto 100

    配置SRTP呼叫分支(连接)(在步骤中指定)的首选密码套件5). For more information, see voice class srtp-crypto.

    session transport tcp tls

    将传输设置为 TLS。For more information, see session-transport.

    url sips

    SRV查询必须是访问 SBC 支持的 SIP;所有其他消息都由 sip-profile 200 更改为 SIP。

    error-passthru

    指定 SIP 错误响应传递功能。For more information, see error-passthru.

    asserted-id pai

    在本地网关中打开 PAI 处理。For more information, see asserted-id.

    bind control source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for messages sent to WebexCalling. For more information, see bind.

    bind media source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for media sent to WebexCalling. For more information, see bind.

    no pass-thru content custom-sdp

    租户下的缺省命令。For more information on this command, see pass-thru content.

    sip-profiles 100

    Changes SIPs to SIP and modify Line/Port for INVITE and REGISTER messages as defined in sip-profiles 100. For more information, see voice class sip-profiles.

    outbound-proxy dns:dfw04.sipconnect-us.bcld.webex.com

    Webex Calling访问 SBC。Insert the Outbound Proxy Address provided in Control Hub when you created your trunk. For more information, see outbound-proxy.

    privacy-policy passthru

    Configures the privacy header policy options for the trunk to pass privacy values from the received message to the next call leg. For more information, see privacy-policy.

  2. Configure the Webex Calling trunk dial-peer. 

     dial-peer voice 100 voip description Inbound/Outbound Webex Calling max-conn 250 destination-pattern BAD.BAD session protocol sipv2 session target sip-server incoming uri request 100 voice-class codec 100 dtmf-relay rtp-nte voice-class stun-usage 100 no voice-class sip localhost voice-class sip tenant 100 srtp no vad

    以下是配置字段的说明:

     dial-peer voice 100 voip  description Inbound/Outbound Webex Calling

    定义网络语音 100 标记的拨号对等项,并提供了有意义的描述,用于简化管理和故障诊断。

    max-conn 250

    Restricts the number of concurrent inbound and outbound calls between the LGW and Webex Calling. For registration trunks, the maximum value configured should be 250. Usea lower value if that would be more appropriate for your deployment. For more information on concurrent call limits for Local Gateway, refer to the Get started with Local Gateway document.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    指定拨号对等 100 处理 SIP 呼叫段。For more information, see session protocol (dial-peer).

    session target sip-server

    Indicates that the SIP server defined in tenant 100 is inherited and used for the destination for calls from this dial peer.

    incoming uri request 100

    To specify the voice class used to match a VoIP dial peer to the uniform resource identifier (URI) of an incoming call. For more information, see incoming uri.

    voice-class codec 100

    Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

    voice-class stun-usage 100

    Allows locally generated STUN requests on the Local Gateway to be sent over the negotiated media path. STUN helps to open a firewall pinhole for media traffic.

    no voice-class sip localhost

    禁用在传出消息的“来自”、“呼叫-ID”和“远程方-ID”标头中代替 DNS 本地主机名。

    voice-class sip tenant 100

    The dial-peer inherits all parameters configured globally and in tenant 100. Parameters may be overridden at the dial-peer level.

    srtp

    为呼叫段启用 SRTP。

    no vad

    禁用语音活动检测。

After you define tenant 100 and configure a SIP VoIP dial-peer, the gateway initiates a TLS connection toward Webex Calling. At this point the access SBC presents its certificate to the Local Gateway. The Local Gateway validates the Webex Calling access SBC certificate using the CA root bundle that was updated earlier. If the certificate is recognised, a persistent TLS session is established between the Local Gateway and Webex Calling access SBC. The Local Gateway is then able to use this secure connection to register with the Webex access SBC. When the registration is challenged for authentication:

  • The username, password, and realm parameters from the credentials configuration is used in the response.

  • The modification rules in sip profile 100 are used to convert SIPS URL back to SIP.

Registration is successful when a 200 OK is received from the access SBC.

Configure Local Gateway with a SIP PSTN trunk

Having built a trunk towards Webex Calling above, use the following configuration to create a non-encrypted trunk towards a SIP based PSTN provider:

If your Service Provider offers a secure PSTN trunk, you may follow a similar configuration as detailed above for the Webex Calling trunk. Secure to secure call routing is supported by CUBE.

If you are using a TDM / ISDN PSTN trunk, skip to next section Configure Local Gateway with TDM PSTN trunk.

To configure TDM interfaces for PSTN call legs on the Cisco TDM-SIP Gateways, see  Configuring ISDN PRI.

1

Configure the following voice class uri to identify inbound calls from the PSTN trunk:

 voice class uri 200 sip host ipv4:192.168.80.13

以下是配置字段的说明:

voice class uri 200 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use the IP address of you IP PSTN gateway. For more information, see  voice class uri.

2

Configure the following IP PSTN dial-peer:

 dial-peer voice 200 voip description Inbound/Outbound IP PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.13 incoming uri via 200 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 voice-class codec 100 dtmf-relay rtp-nte no vad

以下是配置字段的说明:

 dial-peer voice 200 voip  description Inbound/Outbound IP PSTN trunk

定义网络语音 200 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

指定拨号对等 200 处理 SIP 呼叫段。For more information, see session protocol (dial peer).

session target ipv4:192.168.80.13

表示发送呼叫段的目标 IPv4 地址。此处的目标会话是 ITSP 的 IP 地址。For more information, see  session target (VoIP dial peer).

incoming uri via 200

为 VIA 报头定义与 IP PSTN IP 地址的匹配标准。Matches all incoming IP PSTN call legs on the Local Gateway with dial-peer 200. For more information, see  incoming url.

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

voice-class codec 100

Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

dtmf-relay rtp-nte

将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see DTMF Relay (Voice over IP).

no vad

禁用语音活动检测。For more information, see vad (dial peer).

3

If you are configuring your Local Gateway to only route calls between Webex Calling and the PSTN, add the following call routing configuration. If you are configuring your Local Gateway with a Unified Communications Manager platform, skip to the next section.

  1. Create dial-peer groups to route calls towards Webex Calling or the PSTN. Define DPG 100 with outbound dial-peer 100 toward Webex Calling. DPG 100 is applied to the incoming dial-peer from the PSTN. Similarly, define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200

    以下是配置字段的说明:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls from Webex to the PSTN and from the PSTN to Webex: 

     dial-peer voice 100 destination dpg 200 dial-peer voice 200 destination dpg 100

    以下是配置字段的说明:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.

Configure Local Gateway with a TDM PSTN trunk

Having built a trunk towards Webex Calling, use the following configuration to create a TDM trunk for your PSTN service with loop-back call routing to allow media optimization on the Webex call leg.

If you do not require IP media optimization, follow the configuration steps for a SIP PSTN trunk. Use a voice port and POTS dial-peer (as shown in Steps 2 and 3) instead of the PSTN VoIP dial-peer.
1

The loop-back dial-peer configuration uses dial-peer groups and call routing tags to ensure that calls pass correctly between Webex and the PSTN, without creating call routing loops. Configure the following translation rules that will be used to add and remove the call routing tags:

 voice translation-rule 100 rule 1 /^\+/ /A2A/ voice translation-profile 100 translate called 100 voice translation-rule 200 rule 1 /^/ /A1A/ voice translation-profile 200 translate called 200 voice translation-rule 11 rule 1 /^A1A/ // voice translation-profile 11 translate called 11 voice translation-rule 12 rule 1 /^A2A44/ /0/ rule 2/^A2A/ /00/ voice translation-profile 12 translate called 12

以下是配置字段的说明:

voice translation-rule

Uses regular expressions defined in rules to add or remove call routing tags. Over-decadic digits (‘A’) are used to add clarity for troubleshooting.

In this configuration, the tag added by translation-profile 100 is used to guide calls from Webex Calling towards the PSTN via the loopback dial-peers. Similarly, the tag added by translation-profile 200 is used to guide calls from the PSTN towards Webex Calling. Translation-profiles 11 and 12 remove these tags before delivering calls to the Webex and PSTN trunks respectively.

This example assumes that called numbers from Webex Calling are presented in +E.164 format. Rule 100 removes the leading + to maintain a valid called number. Rule 12 then adds a national or international routing digit(s) when removing the tag. Use digits that suit your local ISDN national dial plan.

If Webex Calling presents numbers in national format, adjust rules 100 and 12 to simply add and remove the routing tag respectively.

For more information, see voice translation-profile and voice translation-rule.

2

Configure TDM voice interface ports as required by the trunk type and protocol used. For more information, see Configuring ISDN PRI. For example, the basic configuration of a Primary Rate ISDN interface installed in NIM slot 2 of a device might include the following:

 card type e1 0 2 isdn switch-type primary-net5 controller E1 0/2/0 pri-group timeslots 1-31
3

Configure the following TDM PSTN dial-peer:

 dial-peer voice 200 pots description Inbound/Outbound PRI PSTN trunk destination-pattern BAD.BAD translation-profile incoming 200 direct-inward-dial port 0/2/0:15

以下是配置字段的说明: 

 dial-peer voice 200 pots  description Inbound/Outbound PRI PSTN trunk

定义网络语音 200 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

translation-profile incoming 200

Assigns the translation profile that will add a call routing tag to the incoming called number.

direct-inward-dial

Routes the call without providing a secondary dial-tone. For more information, see direct-inward-dial.

port 0/2/0:15

The physical voice port associated with this dial-peer.

4

To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, you can modify the call routing by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks. Configure the following loop-back dial-peers. In this case, all incoming calls will be routed initially to dial-peer 10 and from there to either dial-peer 11 or 12 based on the applied routing tag. After removal of the routing tag, calls will be routed to the outbound trunk using dial-peer groups.

 dial-peer voice 10 voip description Outbound loop-around leg destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.14 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 11 voip description Inbound loop-around leg towards Webex translation-profile incoming 11 session protocol sipv2 incoming called-number A1AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 12 voip description Inbound loop-around leg towards PSTN translation-profile incoming 12 session protocol sipv2 incoming called-number A2AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad

以下是配置字段的说明: 

 dial-peer voice 10 pots  description Outbound loop-around leg

Defines a VoIP dial-peer and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

translation-profile incoming 11

Applies the translation profile defined earlier to remove the call routing tag before passing to the outbound trunk.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that this dial-peer handles SIP call legs. For more information, see  session protocol (dial peer).

session target 192.168.80.14

Specifies the local router interface address as the call target to loop-back. For more information, see session target (voip dial peer).

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent through the loop-back. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent through the loop-back. For more information, see  bind.

dtmf-relay rtp-nte

将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

codec g711alaw

Forces all PSTN calls to use G.711. Select a-law or u-law to match the companding method used by your ISDN service.

no vad

禁用语音活动检测。For more information, see  vad (dial peer).

5

Add the following call routing configuration:

  1. Create dial-peer groups to route calls between the PSTN and Webex trunks, via the loop-back.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 10 description Route calls to Loopback dial-peer 10

    以下是配置字段的说明:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls.

     dial-peer voice 100 destination dpg 10 dial-peer voice 200 destination dpg 10 dial-peer voice 11 destination dpg 100 dial-peer voice 12 destination dpg 200

    以下是配置字段的说明:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.
配置具有现有 Unified CM 环境的本地网关

The PSTN-Webex Calling configuration in the previous sections may be modified to include additional trunks to a Cisco Unified Communications Manager (UCM) cluster. In this case, all calls are routed via Unified CM. Calls from UCM on port 5060 are routed to the PSTN and calls from port 5065 are routed to Webex Calling. The following incremental configurations may be added to include this calling scenario.

When creating the Webex Calling trunk in Unified CM, ensure that you configure the incoming port in the SIP Trunk Security Profile settings to 5065. This allows incoming messages on port 5065 and populate the VIA header with this value when sending messages to the Local Gateway.

1

配置以下语音类 URI:

  1. Classifies Unified CM to Webex calls using SIP VIA port:

     voice class uri 300 sip
 pattern :5065

  2. Classifies Unified CM to PSTN calls using SIP via port:

     voice class uri 400 sip pattern 192\.168\.80\.6[0-5]:5060

    Classify incoming messages from the UCM towards the PSTN trunk using one or more patterns that describe the originating source addresses and port number. Regular expressions may be used to define matching patterns if required.

    In the example above, a regular expression is used to match any IP address in the range 192.168.80.60 to 65 and port number 5060.

2

Configure the following DNS records to specify SRV routing to Unified CM hosts:

IOS XE uses these records for locally determining target UCM hosts and ports. With this configuration, it is not required to configure records in your DNS system. If you prefer to use your DNS, then these local configurations are not required.

 ip host ucmpub.mydomain.com 192.168.80.60 ip host ucmsub1.mydomain.com 192.168.80.61 ip host ucmsub2.mydomain.com 192.168.80.62 ip host ucmsub3.mydomain.com 192.168.80.63 ip host ucmsub4.mydomain.com 192.168.80.64 ip host ucmsub5.mydomain.com 192.168.80.65 ip host _sip._udp.wxtocucm.io srv 0 1 5065 ucmpub.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub1.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub2.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub3.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub4.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub5.mydomain.com ip host _sip._udp.pstntocucm.io srv 0 1 5060 ucmpub.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub1.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub2.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub3.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub4.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

以下是配置字段的说明:

The following command creates a DNS SRV resource record. Create a record for each UCM host and trunk:

ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

_sip._udp.pstntocucm.io: SRV resource record name

2: The SRV resource record priority

1: The SRV resource record weight

5060: The port number to use for the target host in this resource record

ucmsub5.mydomain.com: The resource record target host

To resolve the resource record target host names, create local DNS A records. 例如:

ip host ucmsub5.mydomain.com 192.168.80.65

ip host: Creates a record in the local IOS XE database.

ucmsub5.mydomain.com: The A record host name.

192.168.80.65: The host IP address.

Create the SRV resource records and A records to reflect your UCM environment and preferred call distribution strategy.

3

Configure the following dial-peers:

  1. Dial-peer for calls between Unified CM and Webex Calling:

     dial-peer voice 300 voip description UCM-Webex Calling trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:wxtocucm.io incoming uri via 300 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    以下是配置字段的说明:

     dial-peer voice 300 voip  description UCM-Webex Calling trunk

    Defines a VoIP dial-peer with a tag 300 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 300 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:wxtocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record wxtocucm.io is used to direct calls.

    incoming uri via 300

    Uses voice class URI 300 to direct all incoming traffic from Unified CM using source port 5065 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

    no vad

    禁用语音活动检测。For more information, see  vad (dial peer).

  2. Dial-peer for calls between Unified CM and the PSTN:

     dial-peer voice 400 voip description UCM-PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:pstntocucm.io incoming uri via 400 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    以下是配置字段的说明:

     dial-peer voice 400 voip  description UCM-PSTN trunk

    定义网络语音 400 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 400 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:pstntocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record pstntocucm.io is used to direct calls.

    incoming uri via 400

    Uses voice class URI 400 to direct all incoming traffic from the specified Unified CM hosts using source port 5060 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

    no vad

    禁用语音活动检测。For more information, see  vad (dial peer).

4

Add call routing using the following configurations:

  1. Create dial-peer groups to route calls between Unified CM and Webex Calling. Define DPG 100 with outbound dial-peer 100 towards Webex Calling. DPG 100 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 300 with outbound dial-peer 300 toward Unified CM. DPG 300 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 300 description Route calls to Unified CM Webex Calling trunk dial-peer 300

  2. Create a dial-peer groups to route calls between Unified CM and the PSTN. Define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 400 with outbound dial-peer 400 toward Unified CM. DPG 400 is applied to the incoming dial-peer from the PSTN.

     voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 400 description Route calls to Unified CM PSTN trunk dial-peer 400

    以下是配置字段的说明:

    dial-peer  100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  3. Apply dial-peer groups to route calls from Webex to Unified CM and from Unified CM to Webex: 

     dial-peer voice 100 destination dpg 300 dial-peer voice 300 destination dpg 100

    以下是配置字段的说明:

    destination dpg 300

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

  4. Apply dial-peer groups to route calls from the PSTN to Unified CM and from Unified CM to the PSTN:

     dial-peer voice 200 destination dpg 400 dial-peer voice 400 destination dpg 200

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features have been configured.

使用诊断签名监控本地网关并排查

诊断签名 (DS) 主动检测基于 IOS XE 的本地网关中通常观察到的问题,并生成事件的电子邮件、系统日志或终端消息通知。You can also install the DS to automate diagnostics data collection and transfer-collected data to the Cisco TAC case to accelerate resolution time.

诊断签名 (DS) 是 XML 文件,其中包含有关问题触发事件的信息以及为通知、诊断和修复问题而采取的操作。You can define the problem detection logic using syslog messages, SNMP events and through periodic monitoring of specific show command outputs.

操作类型包括收集 show 命令输出:

  • 生成合并的日志文件

  • Uploading the file to a user-provided network location such as HTTPS, SCP, FTP server.

TAC 工程师可编写 DS 文件,并针对完整性保护进行数字签名。每个 DS 文件都有系统分配的唯一数字标识。Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

准备工作:

  • 请勿编辑从 DSLT 下载的 DS 文件。由于完整性检查错误,您修改的文件安装失败。

  • 本地网关需要一个简单的邮件传输协议 (SMTP) 服务器来发送电子邮件通知。

  • 如果要使用安全的 SMTP 服务器发送电子邮件通知,请确保本地网关运行 IOS XE 17.6.1 或更高版本。

必要条件

Local Gateway running IOS XE 17.6.1a or higher

  1. 缺省情况下诊断签名处于启用状态。

  2. Configure the secure email server to be used to send proactive notification if the device is running Cisco IOS XE 17.6.1a or higher.

    configure terminal call-home mail-server <username>:<pwd>@<email server> priority 1 secure tls end

  3. Configure the environment variable ds_email with the email address of the administrator to notify you. 

    configure terminal call-home diagnostic-signature environment ds_email <email address> end

The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.6.1a or higher to send the proactive notifications to tacfaststart@gmail.com using Gmail as the secure SMTP server:

We recommend you to use the Cisco IOS XE Bengaluru 17.6.x or later versions.

call-home mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls diagnostic-signature environment ds_email "tacfaststart@gmail.com"

在 Cisco IOS XE 软件上运行的本地网关不是支持 OAuth 的典型的基于 Web 的 Gmail 客户端,因此必须配置特定的 Gmail 帐户设置并提供特定权限,才能正确处理来自设备的电子邮件:

  1. Go to Manage Google Account > Security and turn on the Less secure app access setting.

  2. 回答“是的,这是我”,当您收到 Gmail 发送的电子邮件时,表示“Google 禁止其他人使用非 Google 应用程序登录您的帐户。”

安装诊断签名用于主动监控

监控高 CPU 利用率

This DS tracks CPU utilization for five seconds using the SNMP OID 1.3.6.1.4.1.9.2.1.56. 当利用率达到 75% 以上时,它会禁用所有调试并卸载安装在本地网关上的所有诊断签名。请根据以下步骤安装签名。

  1. Use the show snmp command to enable SNMP. If you do not enable, then configure the snmp-server manager command.

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input 0 Bad SNMP version errors 1 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 37763 Number of requested variables 2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs 2 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output 0 Too big errors (Maximum packet size 1500) 20 No such name errors 0 Bad values errors 0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled

  2. 使用下列诊断签名查找工具中的下拉选项下载 DS 64224:

    字段名

    字段值

    平台

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    性能

    问题类型

    电子邮件通知的高 CPU 利用率。

  3. 将 DS XML 文件复制到本地网关 flash 中。

    LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    下例显示将文件从 FTP 服务器复制到本地网关。 

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash: Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...! [OK - 3571/4096 bytes] 3571 bytes copied in 0.064 secs (55797 bytes/sec)

  4. 在本地网关中安装 DS XML 文件。

    call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success

  5. 使用 show call-home 诊断签名命令 验证签名安装成功。状态栏中应该存在“已注册”值。 

    show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com

    Download DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-07 22:05:33

    触发后,此签名将卸载包括本身在内的所有正在运行的 DS。If necessary, reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

监控 SIP 中继注册

此 DS 每 60 秒检查一SIP 中继云的本地网关Webex Calling注册。Once the unregistration event is detected, it generates an email and syslog notification and uninstalls itself after two unregistration occurrences. Use the steps below to install the signature:

  1. 使用下列诊断签名查找工具中的下拉选项下载 DS 64117:

    字段名

    字段值

    平台

    Cisco 4300、4400 ISR 系列Cisco CSR 1000V 系列

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    SIP-SIP

    问题类型

    SIP 中继电子邮件通知取消注册。

  2. 将 DS XML 文件复制到本地网关。

    copy ftp://username:password@<server name or ip>/DS_64117.xml bootflash:

  3. 在本地网关中安装 DS XML 文件。 

    call-home diagnostic-signature load DS_64117.xml Load file DS_64117.xml success LocalGateway#

  4. 使用 show call-home 诊断签名命令 验证签名安装成功。状态列必须具有“已注册”值。

监控异常呼叫断开连接

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and 503.  If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Please use the steps below to install the signature.

  1. Use the show snmp command to check whether SNMP is enabled. If it is not enabled, configure the snmp-server manager command. 

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input 0 Bad SNMP version errors 1 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 37763 Number of requested variables 2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs 2 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output 0 Too big errors (Maximum packet size 1500) 20 No such name errors 0 Bad values errors 0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled

  2. 使用诊断签名查找工具中的下列选项下载 DS 65221:

    字段名

    字段值

    平台

    Cisco 4300、4400 ISR 系列Cisco CSR 1000V 系列

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    性能

    问题类型

    使用电子邮件和系统日志通知时 SIP 异常呼叫断开连接检测。

  3. 将 DS XML 文件复制到本地网关。 

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. 在本地网关中安装 DS XML 文件。 

    call-home diagnostic-signature load DS_65221.xml Load file DS_65221.xml success

  5. 使用 show call-home 诊断签名命令 验证签名安装成功。状态列必须具有“已注册”值。

安装诊断签名以对问题进行故障诊断

使用诊断签名 (DS) 快速解决问题。Cisco TAC 工程师编写了几个签名,这些签名可实现对给定问题进行故障诊断、检测问题发生次数、收集正确的诊断数据以及将数据自动转移到 Cisco TAC 案例所需的调试。Diagnostic Signatures (DS) eliminate the need to manually check for the problem occurrence and makes troubleshooting of intermittent and transient issues a lot easier.

您可以使用诊断签名查找工具查找适用的签名并安装它们来自行解决给定问题,或者您也可以安装 TAC 工程师在支持参与中推荐的签名。

以下示例说明了如何查找和安装 DS 以检测是否存在“%VOICE_IEC-3-GW:CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0“ 系统日志,使用以下步骤自动收集诊断数据:

  1. Configure an additional DS environment variable ds_fsurl_prefix which is the Cisco TAC file server path (cxd.cisco.com) to which the collected diagnostics data are uploaded. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager in the following command. The file upload token can be generated in the Attachments section of the Support Case Manager, as needed. 

    configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com" end

    示例: 

    call-home diagnostic-signature environment ds_fsurl_prefix " environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. Ensure that SNMP is enabled using the show snmp command. If it is not enabled, configure the snmp-server manager command.

    show snmp %SNMP agent not enabled config t snmp-server manager end

  3. 确保安装高 CPU 监控 DS 64224 作为在 CPU 高使用率期间禁用所有调试和诊断签名的主动措施。使用诊断签名查找工具中的下列选项下载 DS 64224:

    字段名

    字段值

    平台

    Cisco 4300、4400 ISR 系列或 Cisco CSR 1000V 系列

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    性能

    问题类型

    电子邮件通知的高 CPU 利用率。

  4. 使用诊断签名查找工具中的下列选项下载 DS 65095:

    字段名

    字段值

    平台

    Cisco 4300、4400 ISR 系列或 Cisco CSR 1000V 系列

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    系统日志

    问题类型

    系统日志 - %VOICE_IEC-3-GW:CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. 将 DS XML 文件复制到本地网关。

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. 安装 DS 64224 以监控 CPU 占用率是否过高,然后在本地网关中安装 DS 65095 XML 文件。 

    call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success call-home diagnostic-signature load DS_65095.xml Load file DS_65095.xml success

  7. Verify that the signature is successfully installed using the show call-home diagnostic-signature command. 状态列必须具有“已注册”值。 

    show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

    Downloaded DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    00:07:45

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-08

    65095

    00:12:53

    DS_LGW_IEC_Call_spike_threshold

    0.0.12

    Registered

    2020-11-08

验证诊断签名执行

In the following command, the “Status” column of the show call-home diagnostic-signature command changes to “running” while the Local Gateway executes the action defined within the signature. 显示呼叫 主诊断签名 统计信息的输出是验证诊断签名是否检测到感兴趣的事件并执行操作的最佳办法。“已触发/最大/Deinstall”列显示给定签名触发事件的时间、用于检测事件的定义的最大次数以及签名是否在检测到最大触发事件数后自动取消安装。 

show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: carunach@cisco.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

Downloaded DSes:

DS ID

DS Name

Revision

Status

Last Update (GMT+00:00)

64224

DS_LGW_CPU_MON75

0.0.10

Registered

2020-11-08 00:07:45

65095

DS_LGW_IEC_Call_spike_threshold

0.0.12

Running

2020-11-08 00:12:53

显示呼叫家庭诊断签名统计信息

DS ID

DS Name

Triggered/Max/Deinstall

Average Run Time (seconds)

Max Run Time (seconds)

64224

DS_LGW_CPU_MON75

0/0/N

0.000

0.000

65095

DS_LGW_IEC_Call_spike_threshold

1/20/Y

23.053

23.053

诊断通知电子邮件期间发送的诊断签名包含关键信息,例如问题类型、设备详细信息、软件版本、运行配置,以及显示与给定的问题故障诊断相关的命令输出。

卸载诊断签名

通常,使用诊断签名进行故障排除是在您检测到某些问题后卸载的。If you want to uninstall a signature manually, retrieve the DS ID from the output of the show call-home diagnostic-signature command and run the following command:

call-home diagnostic-signature deinstall <DS ID>

示例:

call-home diagnostic-signature deinstall 64224

根据部署中通常观察到的问题,定期将新的签名添加到诊断签名查找工具中。TAC 当前不支持新建自定义签名的请求。

Manage and validate Cisco IOS XE Gateways through Control Hub

For better management of Cisco IOS XE Gateways, we recommend that you enroll and manage the gateways through the Control Hub. It is an optional configuration. When enrolled, you can use the configuration validation option in the Control Hub to validate your Local Gateway configuration and identify any configuration issues. Currently, only registration-based trunks support this functionality.

For more information, refer the following:

Design overview

This section describes how to configure a Cisco Unified Border Element (CUBE) as a Local Gateway for Webex Calling, using certificate-based mutual TLS (mTLS) SIP trunk. The first part of this document illustrates how to configure a simple PSTN gateway. In this case, all calls from the PSTN are routed to Webex Calling and all calls from Webex Calling are routed to the PSTN. The following image highlights this solution and the high-level call routing configuration that will be followed.

In this design, the following principal configurations are used:

  • voice class tenants: Used to create trunk specific configurations.

  • voice class uri: Used to classify SIP messages for the selection of an inbound dial-peer.

  • inbound dial-peer: Provides treatment for inbound SIP messages and determines the outbound route with a dial-peer group.

  • dial-peer group: Defines the outbound dial-peers used for onward call routing.

  • outbound dial-peer: Provides treatment for outbound SIP messages and routes them to the required target.

Call routing from/to PSTN to/from Webex Calling configuration solution

While IP and SIP have become the default protocols for PSTN trunks, TDM (Time Division Multiplexing) ISDN circuits are still widely used and are supported with Webex Calling trunks. To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, it is currently necessary to use a two-leg call routing process. This approach modifies the call routing configuration shown above, by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks as illustrated in the image below.

When connecting an on-premises Cisco Unified Communications Manager solution with Webex Calling, you can use the simple PSTN gateway configuration as a baseline for building the solution illustrated in the following diagram. In this case, Unified Communications Manager provides centralized routing and treatment of all PSTN and Webex Calling calls.

Throughout this document, the host names, IP addresses, and interfaces illustrated in the following image are used. Options are provided for public or private (behind NAT) addressing. SRV DNS records are optional, unless load balancing across multiple CUBE instances.

Use the configuration guidance in the rest of this document to complete your Local Gateway configuration as follows:

  • 步骤 1:Configure router baseline connectivity and security

  • 步骤 2:Configure Webex Calling Trunk

    Depending on your required architecture, follow either:

  • 步骤 3:Configure Local Gateway with SIP PSTN trunk

  • 步骤 4:Configure Local Gateway with existing Unified CM environment

    或:

  • 步骤 3:Configure Local Gateway with TDM PSTN trunk

Configure connectivity and security

Baseline configuration

The first step in preparing your Cisco router as a Local Gateway for Webex Calling is to build a baseline configuration that secures your platform and establishes connectivity.

  • All certificate-based Local Gateway deployments require Cisco IOS XE 17.9.1a or later versions. For the recommended versions, see the Cisco Software Research page. Search for the platform and select one of the suggested releases.

    • ISR4000 series routers must be configured with both Unified Communications and Security technology licenses.

    • Catalyst Edge 8000 series routers fitted with voice cards or DSPs require DNA Essentials licensing. Routers without voice cards or DSPs require a minimum of DNA Essentials licensing.

    • For high-capacity requirements, you may also require a High Security (HSEC) license and additional throughput entitlement.

      Refer to Authorization Codes for further details.

  • Build a baseline configuration for your platform that follows your business policies. In particular, configure the following and verify the working:

    • NTP

    • Acl

    • User authentication and remote access

    • DNS

    • IP 路由

    • IP addresses

  • The network toward Webex Calling must use a IPv4 address. Local Gateway Fully Qualified Domain Names (FQDN) or Service Record (SRV) addresses must resolve to a public IPv4 address on the internet.

  • All SIP and media ports on the Local Gateway interface facing Webex must be accessible from the internet, either directly or via static NAT. Ensure that you update your firewall accordingly.

  • Install a signed certificate on the Local Gateway (the following provides detailed configuration steps).

    • A public Certificate Authority (CA) as detailed in  What Root Certificate Authorities are Supported for Calls to Cisco Webex Audio and Video Platforms? must sign the device certificate.

    • The FQDN configured in the Control Hub when creating a trunk must be the Common Name (CN) or Subject Alternate Name (SAN) certificate of the router. 例如:

      • If a configured trunk in the Control Hub of your organization has cube1.lgw.com:5061 as FQDN of the Local Gateway, then the CN or SAN in the router certificate must contain cube1.lgw.com. 

      • If a configured trunk in the Control Hub of your organization has lgws.lgw.com as the SRV address of the Local Gateway(s) reachable from the trunk, then the CN or SAN in the router certificate must contain lgws.lgw.com. 地址解析SRV(CNAME、A 记录或 IP 地址)的记录在 SAN 中是可选的。

      • Whether you use an FQDN or SRV for the trunk, the contact address for all new SIP dialogs from your Local Gateway uses the name configured in the Control Hub.

  • 确保已针对客户端和服务器使用情况签署证书。

  • Upload the Cisco root CA bundle to the Local Gateway.

配置

1

Ensure that you assign valid and routable IP addresses to any Layer 3 interfaces, for example:

 interface GigabitEthernet0/0/0 description Interface facing PSTN and/or CUCM ip address 192.168.80.14 255.255.255.0 ! interface GigabitEthernet0/0/1 description Interface facing Webex Calling (Public address) ip address 198.51.100.1 255.255.255.240

2

Protect STUN credentials on the router using symmetric encryption. Configure the primary encryption key and encryption type as follows:

 key config-key password-encrypt YourPassword password encryption aes
3

Create an encryption trustpoint with a certificate signed by your preferred Certificate Authority (CA).

  1. Create an RSA key pair using the following exec command.

    crypto key generate rsa general-keys exportable label lgw-key modulus 4096

  2. When using cube1.lgw.com as the fqdn for the trunk, create a trustpoint for the signed certificate with the following configuration commands: 

     crypto pki trustpoint LGW_CERT enrollment terminal pem fqdn cube1.lgw.com subject-name cn=cube1.lgw.com subject-alt-name cube1.lgw.com revocation-check none rsakeypair lgw-key

  3. Generate Certificate Signing Request (CSR) with the following exec or configuration command and use it to request a signed certificate from a supported CA provider:

    crypto pki enroll LGW_CERT

4

Authenticate your new certificate using your intermediate (or root) CA certificate, then import the certificate (Step 4). Enter the following exec or configuration command:

 crypto pki authenticate LGW_CERT <paste Intermediate X.509 base 64 based certificate here>

5

Import a signed host certificate using the following exec or configuration command:

 crypto pki import LGW_CERT certificate <paste CUBE host X.509 base 64 certificate here>

6

Enable TLS1.2 exclusivity and specify the default trustpoint using the following configuration commands:

 sip-ua crypto signaling default trustpoint LGW_CERT transport tcp tls v1.2

7

Install the Cisco root CA bundle, which includes the DigiCert CA certificate used by Webex Calling. Use the crypto pki trustpool import clean url command to download the root CA bundle from the specified URL, and to clear the current CA trustpool, then install the new bundle of certificates:

If you need to use a proxy for access to the internet using HTTPS, add the following configuration before importing the CA bundle:

ip http client proxy-server yourproxy.com proxy-port 80
 ip http client source-interface GigabitEthernet0/0/1 crypto pki trustpool import clean url https://www.cisco.com/security/pki/trs/ios_core.p7b
Configure Webex Calling certificate-based trunk
1

Create a CUBE certificate-based PSTN trunk for an existing location in Control Hub. For more information, see Configure trunks, route groups, and dial plans for Webex Calling.

Make a note of the trunk information that is provided once the trunk is created. These details, as highlighted in the following illustration, will be used in the configuration steps in this guide.
2

Enter the following commands to configure CUBE as a Webex Calling Local Gateway:

 voice service voip ip address trusted list ipv4 x.x.x.x y.y.y.y mode border-element allow-connections sip to sip no supplementary-service sip refer stun stun flowdata agent-id 1 boot-count 4 stun flowdata shared-secret 0 Password123$ sip asymmetric payload full early-offer forced sip-profiles inbound

以下是配置字段的说明:

 ip address trusted list  ipv4 x.x.x.x y.y.y.y

  • To protect against toll fraud, the trusted address list defines a list of hosts and networks entities from which the Local Gateway expects legitimate VoIP calls.

  • By default, Local Gateway blocks all incoming VoIP messages from IP addresses not in its trusted list. Statically configured dial-peers with “session target IP” or server group IP addresses are trusted by default so do not need to be added to the trusted list.

  • When configuring your Local Gateway, add the IP subnets for your regional Webex Calling data center to the list, see Port Reference Information for Webex Calling for more information. Also, add address ranges for Unified Communications Manager servers (if used) and PSTN trunk gateways.

  • For more information on how to use an IP address trusted list to prevent toll fraud, see IP address trusted.

mode border-element

Enables Cisco Unified Border Element (CUBE) features on the platform.

allow-connections sip to sip

Enable CUBE basic SIP back to back user agent functionality. For more information, see Allow connections.

By default, T.38 fax transport is enabled. For more information, see fax protocol t38 (voice-service).

stun

Enables STUN (Session Traversal of UDP through NAT) globally.

These global stun commands are only required when deploying your Local Gateway behind NAT.

  • 当您将呼叫转发给 Webex Calling 用户(例如,被叫方和主叫方都是 Webex Calling 订户,如果您将媒体固定到 Webex Calling SBC),那么媒体无法流式到本地网关,因为针孔未打开。

  • The STUN bindings feature on the Local Gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps to open the pinhole in the firewall.

For more information, see  stun flowdata agent-id and  stun flowdata shared-secret.

asymmetric payload full

Configures SIP asymmetric payload support for both DTMF and dynamic codec payloads. For more information on this command, see asymmetric payload.

early-offer forced

Forces the Local Gateway to send SDP information in the initial INVITE message instead of waiting for acknowledgment from the neighboring peer. For more information on this command, see early-offer.

sip-profiles inbound

Enables CUBE to use SIP profiles to modify messages as they are received. Profiles are applied via dial-peers or tenants.

3

Configure voice class codec 100 codec filter for the trunk. In this example, the same codec filter is used for all trunks. You can configure filters for each trunk for precise control.

 voice class codec 100 codec preference 1 opus codec preference 2 g711ulaw codec preference 3 g711alaw

以下是配置字段的说明:

voice class codec 100

Used to only allow preferred codecs for calls through SIP trunks. For more information, see voice class codec.

Opus codec is supported only for SIP-based PSTN trunks. If the PSTN trunk uses a voice T1/E1 or analog FXO connection, exclude codec preference 1 opus from the voice class codec 100 configuration.

4

Configure voice class stun-usage 100 to enable ICE on the Webex Calling trunk.(This step is not applicable for Webex for Government)

 voice class stun-usage 100 stun usage firewall-traversal flowdata stun usage ice lite

以下是配置字段的说明:

stun usage ice lite

Used to enable ICE-Lite for all Webex Calling facing dial-peers to allow media-optimization whenever possible. For more information, see voice class stun usage and stun usage ice lite.

The stun usage firewall-traversal flowdata command is only required when deploying your Local Gateway behind NAT.
You require stun usage of ICE-lite for call flows using media path optimization. To provide media-optimization for a SIP to TDM gateway, configure a loopback dial-peer with ICE-Lite enabled on the IP-IP leg. For further technical details, contact the Account or TAC teams.
5

Configure the media encryption policy for Webex traffic.(This step is not applicable for Webex for Government)

 voice class srtp-crypto 100 crypto 1 AES_CM_128_HMAC_SHA1_80

以下是配置字段的说明:

voice class srtp-crypto 100

Specifies SHA1_80 as the only SRTP cipher-suite CUBE offers in the SDP in offer and answer messages. Webex Calling only supports SHA1_80. For more information, see voice class srtp-crypto.

6

Configure FIPS-compliant GCM ciphers (This step is applicable only for Webex for Government). 

 voice class srtp-crypto 100 crypto 1 AEAD_AES_256_GCM

以下是配置字段的说明:

voice class srtp-crypto 100

Specifies GCM as the cipher-suite that CUBE offers. It is mandatory to configure GCM ciphers for Local Gateway for Webex for Government.

7

Configure a pattern to uniquely identify calls to a Local Gateway trunk based on its destination FQDN or SRV:

 voice class uri 100 sip pattern cube1.lgw.com

以下是配置字段的说明:

voice class uri 100 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use LGW FQDN or SRV configured in Control Hub while creating a trunk.

8

Configure SIP message manipulation profiles. If your gateway is configured with a public IP address, configure a profile as follows or skip to the next step if you are using NAT. In this example, cube1.lgw.com is the FQDN configured for the Local Gateway and "198.51.100.1" is the public IP address of the Local Gateway interface facing Webex Calling:

 voice class sip-profiles 100 rule 10 request ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:"

以下是配置字段的说明:

rules 10 and 20

To allow Webex to authenticate messages from your local gateway, the 'Contact' header in SIP request and responses messages must contain the value provisioned for the trunk in Control Hub. This will either be the FQDN of a single host, or the SRV domain name used for a cluster of devices.

Skip the next step if you have configured your Local Gateway with public IP addresses.

9

If your gateway is configured with a private IP address behind static NAT, configure inbound and outbound SIP profiles as follows. In this example, cube1.lgw.com is the FQDN configured for the Local Gateway, "10.80.13.12" is the interface IP address facing Webex Calling and "192.65.79.20" is the NAT public IP address.

SIP profiles for outbound messages to Webex Calling 
 voice class sip-profiles 100 rule 10 request ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 30 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.80.13.12" "\1 192.65.79.20" rule 31 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.80.13.12" "\1 192.65.79.20" rule 40 response ANY sdp-header Audio-Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 41 request ANY sdp-header Audio-Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 50 request ANY sdp-header Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 51 response ANY sdp-header Connection-Info modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 60 response ANY sdp-header Session-Owner modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 61 request ANY sdp-header Session-Owner modify "IN IP4 10.80.13.12" "IN IP4 192.65.79.20" rule 70 request ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.80.13.12" "\1 192.65.79.20" rule 71 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 10.80.13.12" "\1 192.65.79.20 rule 80 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 10.80.13.12" "\1 192.65.79.20" rule 81 request ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 10.80.13.12" "\1 192.65.79.20"

以下是配置字段的说明:

rules 10 and 20

To allow Webex to authenticate messages from your local gateway, the 'Contact' header in SIP request and responses messages must contain the value provisioned for the trunk in Control Hub. This will either be the FQDN of a single host, or the SRV domain name used for a cluster of devices.

rules 30 to 81

Convert private address references to the external public address for the site, allowing Webex to correctly interpret and route subsequent messages.

SIP profile for inbound messages from Webex Calling 
 voice class sip-profiles 110 rule 10 response ANY sdp-header Video-Connection-Info modify "192.65.79.20" "10.80.13.12" rule 20 response ANY sip-header Contact modify "@.*:" "@cube1.lgw.com:" rule 30 response ANY sdp-header Connection-Info modify "192.65.79.20" "10.80.13.12" rule 40 response ANY sdp-header Audio-Connection-Info modify "192.65.79.20" "10.80.13.12" rule 50 response ANY sdp-header Session-Owner modify "192.65.79.20" "10.80.13.12" rule 60 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 1.*) 192.65.79.20" "\1 10.80.13.12" rule 70 response ANY sdp-header Audio-Attribute modify "(a=candidate:1 2.*) 192.65.79.20" "\1 10.80.13.12" rule 80 response ANY sdp-header Audio-Attribute modify "(a=rtcp:.*) 192.65.79.20" "\1 10.80.13.12"

以下是配置字段的说明:

rules 10 to 80

Convert public address references to the configured private address, allowing messages from Webex to be correctly processed by CUBE.

For more information, see voice class sip-profiles.

10

Configure a SIP Options keepalive with header modification profile.

 voice class sip-profiles 115 rule 10 request OPTIONS sip-header Contact modify "<sip:.*:" "<sip:cube1.lgw.com:" rule 30 request ANY sip-header Via modify "(SIP.*) 10.80.13.12" "\1 192.65.79.20" rule 40 response ANY sdp-header Connection-Info modify "10.80.13.12" "192.65.79.20" rule 50 response ANY sdp-header Audio-Connection-Info modify "10.80.13.12" "192.65.79.20" ! voice class sip-options-keepalive 100 description Keepalive for Webex Calling up-interval 5 transport tcp tls sip-profiles 115

以下是配置字段的说明:

voice class sip-options-keepalive 100

Configures a keepalive profile and enters voice class configuration mode. You can configure the time (in seconds) at which an SIP Out of Dialog Options Ping is sent to the dial-target when the heartbeat connection to the endpoint is in UP or Down status.

This keepalive profile is triggered from the dial-peer configured towards Webex.

To ensure that the contact headers include the SBC fully qualified domain name, SIP profile 115 is used. Rules 30, 40, and 50 are required only when the SBC is configured behind static NAT.

In this example, cube1.lgw.com is the FQDN selected for the Local Gateway and if static NAT is used, "10.80.13.12" is the SBC interface IP address towards Webex Calling and "192.65.79.20" is the NAT public IP address.

11

Configure Webex Calling trunk:

  1. Create voice class tenant 100 to define and group configurations required specifically for the Webex Calling trunk. Dial-peers associated with this tenant later will inherit these configurations:

    The following example uses the values illustrated in Step 1 for the purpose of this guide (shown in bold). Replace these with values for your trunk in your configuration.

     voice class tenant 100 no remote-party-id sip-server dns:us25.sipconnect.bcld.webex.com srtp-crypto 100 localhost dns:cube1.lgw.com session transport tcp tls no session refresh error-passthru bind control source-interface GigabitEthernet0/0/1 bind media source-interface GigabitEthernet0/0/1 no pass-thru content custom-sdp sip-profiles 100 sip-profiles 110 inbound privacy-policy passthru !

    以下是配置字段的说明:

    voice class tenant 100

    We recommend that you use tenants to configure trunks which have their own TLS certificate, and CN or SAN validation list. Here, the tls-profile associated with the tenant contains the trust point to be used to accept or create new connections, and has the CN or SAN list to validate the incoming connections. For more information, see voice class tenant.

    no remote-party-id

    Disable SIP Remote-Party-ID (RPID) header as Webex Calling supports PAI, which is enabled using CIO asserted-id pai. For more information, see remote-party-id.

    sip-server dns:us25.sipconnect.bcld.webex.com

    Configures the target SIP server for the trunk. Use the edge proxy SRV address provided in Control Hub when you created your trunk

    srtp-crypto 100

    Configures the preferred cipher-suites for the SRTP call leg (connection) (specified in Step 5). For more information, see voice class srtp-crypto.

    localhost dns: cube1.lgw.com

    Configures CUBE to replace the physical IP address in the From, Call-ID, and Remote-Party-ID headers in outgoing messages with the provided FQDN.

    session transport tcp tls

    Sets transport to TLS for associated dial-peers. For more information, see session-transport.

    no session refresh

    Disables SIP session refresh globally.

    error-passthru

    指定 SIP 错误响应传递功能。For more information, see error-passthru.

    bind control source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for messages sent to Webex Calling. For more information, see bind.

    bind media source-interface GigabitEthernet0/0/1

    Configures the source interface and associated IP address for media sent to Webex Calling. For more information, see bind.

    voice-class sip profiles 100

    Applies the header modification profile (Public IP or NAT addressing) to use for outbound messages. For more information, see voice-class sip profiles.

    voice-class sip profiles 110 inbound

    Applies the header modification profile (NAT addressing only) to use for inbound messages. For more information, see voice-class sip profiles.

    privacy-policy passthru

    Configures the privacy header policy options for the trunk to pass privacy values from the received message to the next call leg. For more information, see privacy-policy.

  2. Configure the Webex Calling trunk dial-peer.

     dial-peer voice 100 voip description Inbound/Outbound Webex Calling destination-pattern BAD.BAD session protocol sipv2 session target sip-server incoming uri request 100 voice-class codec 100 voice-class stun-usage 100 voice-class sip rel1xx disable voice-class sip asserted-id pai voice-class sip tenant 100 voice-class sip options-keepalive profile 100 dtmf-relay rtp-nte srtp no vad

    以下是配置字段的说明:

     dial-peer voice 100 voip  description Inbound/Outbound Webex Calling

    定义网络语音 100 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。For more information, see dial-peer voice.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    指定拨号对等 100 处理 SIP 呼叫段。For more information, see session protocol (dial-peer).

    session target sip-server

    Indicates that the SIP server defined in tenant 100 is inherited and used for the destination for calls from this dial peer.

    incoming uri request 100

    To specify the voice class used to match a VoIP dial peer to the uniform resource identifier (URI) of an incoming call. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Webex Calling. For more information, see voice class codec.

    voice-class stun-usage 100

    Allows locally generated STUN requests on the Local Gateway to be sent over the negotiated media path. STUN help to open a firewall pinhole for media traffic.

    voice-class sip asserted-id pai

    Sets the outgoing calling information using the privacy asserted ID (PAI) header. For more information, see voice-class sip asserted-id.

    voice-class sip tenant 100

    The dial-peer inherits all parameters configured globally and in tenant 100. Parameters may overridden at the dial-peer level. For more information, see  voice-class sip tenant.

    voice-class sip options-keepalive profile 100

    This command is used to monitor the availability of a group of SIP servers or endpoints using a specific profile (100).

    srtp

    为呼叫段启用 SRTP。

Configure Local Gateway with a SIP PSTN trunk

Having built a trunk towards Webex Calling above, use the following configuration to create a non-encrypted trunk towards a SIP based PSTN provider:

If your Service Provider offers a secure PSTN trunk, you may follow a similar configuration as detailed above for the Webex Calling trunk. Secure to secure call routing is supported by CUBE.

If you are using a TDM / ISDN PSTN trunk, skip to next section Configure Local Gateway with TDM PSTN trunk.

To configure TDM interfaces for PSTN call legs on the Cisco TDM-SIP Gateways, see  Configuring ISDN PRI.

1

Configure the following voice class uri to identify inbound calls from the PSTN trunk:

 voice class uri 200 sip host ipv4:192.168.80.13

以下是配置字段的说明:

voice class uri 200 sip

Defines a pattern to match an incoming SIP invite to an incoming trunk dial-peer. When entering this pattern, use the IP address of you IP PSTN gateway. For more information, see  voice class uri.

2

Configure the following IP PSTN dial-peer:

 dial-peer voice 200 voip description Inbound/Outbound IP PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.13 incoming uri via 200 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 voice-class codec 100 dtmf-relay rtp-nte no vad

以下是配置字段的说明:

 dial-peer voice 200 voip  description Inbound/Outbound IP PSTN trunk

定义网络语音 200 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

指定拨号对等 200 处理 SIP 呼叫段。For more information, see session protocol (dial peer).

session target ipv4:192.168.80.13

表示发送呼叫段的目标 IPv4 地址。此处的目标会话是 ITSP 的 IP 地址。For more information, see  session target (VoIP dial peer).

incoming uri via 200

为 VIA 报头定义与 IP PSTN IP 地址的匹配标准。Matches all incoming IP PSTN call legs on the Local Gateway with dial-peer 200. For more information, see  incoming url.

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

voice-class codec 100

Configures the dial-peer to use the common codec filter list 100. For more information, see voice-class codec.

dtmf-relay rtp-nte

将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see DTMF Relay (Voice over IP).

no vad

禁用语音活动检测。For more information, see vad (dial peer).

3

If you are configuring your Local Gateway to only route calls between Webex Calling and the PSTN, add the following call routing configuration. If you are configuring your Local Gateway with a Unified Communications Manager platform, skip to the next section.

  1. Create dial-peer groups to route calls towards Webex Calling or the PSTN. Define DPG 100 with outbound dial-peer 100 toward Webex Calling. DPG 100 is applied to the incoming dial-peer from the PSTN. Similarly, define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200

    以下是配置字段的说明:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls from Webex to the PSTN and from the PSTN to Webex: 

     dial-peer voice 100 destination dpg 200 dial-peer voice 200 destination dpg 100

    以下是配置字段的说明:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.

Configure Local Gateway with a TDM PSTN trunk

Having built a trunk towards Webex Calling, use the following configuration to create a TDM trunk for your PSTN service with loop-back call routing to allow media optimization on the Webex call leg.

If you do not require IP media optimization, follow the configuration steps for a SIP PSTN trunk. Use a voice port and POTS dial-peer (as shown in Steps 2 and 3) instead of the PSTN VoIP dial-peer.
1

The loop-back dial-peer configuration uses dial-peer groups and call routing tags to ensure that calls pass correctly between Webex and the PSTN, without creating call routing loops. Configure the following translation rules that will be used to add and remove the call routing tags:

 voice translation-rule 100 rule 1 /^\+/ /A2A/ voice translation-profile 100 translate called 100 voice translation-rule 200 rule 1 /^/ /A1A/ voice translation-profile 200 translate called 200 voice translation-rule 11 rule 1 /^A1A/ // voice translation-profile 11 translate called 11 voice translation-rule 12 rule 1 /^A2A44/ /0/ rule 2/^A2A/ /00/ voice translation-profile 12 translate called 12

以下是配置字段的说明:

voice translation-rule

Uses regular expressions defined in rules to add or remove call routing tags. Over-decadic digits (‘A’) are used to add clarity for troubleshooting.

In this configuration, the tag added by translation-profile 100 is used to guide calls from Webex Calling towards the PSTN via the loopback dial-peers. Similarly, the tag added by translation-profile 200 is used to guide calls from the PSTN towards Webex Calling. Translation-profiles 11 and 12 remove these tags before delivering calls to the Webex and PSTN trunks respectively.

This example assumes that called numbers from Webex Calling are presented in +E.164 format. Rule 100 removes the leading + to maintain a valid called number. Rule 12 then adds a national or international routing digit(s) when removing the tag. Use digits that suit your local ISDN national dial plan.

If Webex Calling presents numbers in national format, adjust rules 100 and 12 to simply add and remove the routing tag respectively.

For more information, see voice translation-profile and voice translation-rule.

2

Configure TDM voice interface ports as required by the trunk type and protocol used. For more information, see Configuring ISDN PRI. For example, the basic configuration of a Primary Rate ISDN interface installed in NIM slot 2 of a device might include the following:

 card type e1 0 2 isdn switch-type primary-net5 controller E1 0/2/0 pri-group timeslots 1-31
3

Configure the following TDM PSTN dial-peer:

 dial-peer voice 200 pots description Inbound/Outbound PRI PSTN trunk destination-pattern BAD.BAD translation-profile incoming 200 direct-inward-dial port 0/2/0:15

以下是配置字段的说明: 

 dial-peer voice 200 pots  description Inbound/Outbound PRI PSTN trunk

定义网络语音 200 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。For more information, see dial-peer voice.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

translation-profile incoming 200

Assigns the translation profile that will add a call routing tag to the incoming called number.

direct-inward-dial

Routes the call without providing a secondary dial-tone. For more information, see direct-inward-dial.

port 0/2/0:15

The physical voice port associated with this dial-peer.

4

To enable media optimization of IP paths for Local Gateways with TDM-IP call flows, you can modify the call routing by introducing a set of internal loop-back dial-peers between Webex Calling and PSTN trunks. Configure the following loop-back dial-peers. In this case, all incoming calls will be routed initially to dial-peer 10 and from there to either dial-peer 11 or 12 based on the applied routing tag. After removal of the routing tag, calls will be routed to the outbound trunk using dial-peer groups.

 dial-peer voice 10 voip description Outbound loop-around leg destination-pattern BAD.BAD session protocol sipv2 session target ipv4:192.168.80.14 voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 11 voip description Inbound loop-around leg towards Webex translation-profile incoming 11 session protocol sipv2 incoming called-number A1AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad dial-peer voice 12 voip description Inbound loop-around leg towards PSTN translation-profile incoming 12 session protocol sipv2 incoming called-number A2AT voice-class sip bind control source-interface GigabitEthernet0/0/0 voice-class sip bind media source-interface GigabitEthernet0/0/0 dtmf-relay rtp-nte codec g711alaw no vad

以下是配置字段的说明: 

 dial-peer voice 10 pots  description Outbound loop-around leg

Defines a VoIP dial-peer and gives a meaningful description for ease of management and troubleshooting. For more information, see dial-peer voice.

translation-profile incoming 11

Applies the translation profile defined earlier to remove the call routing tag before passing to the outbound trunk.

destination-pattern BAD.BAD

A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. For more information, see destination-pattern (interface).

session protocol sipv2

Specifies that this dial-peer handles SIP call legs. For more information, see  session protocol (dial peer).

session target 192.168.80.14

Specifies the local router interface address as the call target to loop-back. For more information, see session target (voip dial peer).

bind control source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for messages sent through the loop-back. For more information, see  bind.

bind media source-interface GigabitEthernet0/0/0

Configures the source interface and associated IP address for media sent through the loop-back. For more information, see  bind.

dtmf-relay rtp-nte

将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

codec g711alaw

Forces all PSTN calls to use G.711. Select a-law or u-law to match the companding method used by your ISDN service.

no vad

禁用语音活动检测。For more information, see  vad (dial peer).

5

Add the following call routing configuration:

  1. Create dial-peer groups to route calls between the PSTN and Webex trunks, via the loop-back.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 10 description Route calls to Loopback dial-peer 10

    以下是配置字段的说明:

    dial-peer 100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  2. Apply dial-peer groups to route calls.

     dial-peer voice 100 destination dpg 10 dial-peer voice 200 destination dpg 10 dial-peer voice 11 destination dpg 100 dial-peer voice 12 destination dpg 200

    以下是配置字段的说明:

    destination dpg 200

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features are configured.
配置具有现有 Unified CM 环境的本地网关

The PSTN-Webex Calling configuration in the previous sections may be modified to include additional trunks to a Cisco Unified Communications Manager (UCM) cluster. In this case, all calls are routed via Unified CM. Calls from UCM on port 5060 are routed to the PSTN and calls from port 5065 are routed to Webex Calling. The following incremental configurations may be added to include this calling scenario.

1

配置以下语音类 URI:

  1. Classifies Unified CM to Webex calls using SIP VIA port:

     voice class uri 300 sip
 pattern :5065

  2. Classifies Unified CM to PSTN calls using SIP via port:

     voice class uri 400 sip pattern 192\.168\.80\.6[0-5]:5060

    Classify incoming messages from the UCM towards the PSTN trunk using one or more patterns that describe the originating source addresses and port number. Regular expressions may be used to define matching patterns if required.

    In the example above, a regular expression is used to match any IP address in the range 192.168.80.60 to 65 and port number 5060.

2

Configure the following DNS records to specify SRV routing to Unified CM hosts:

IOS XE uses these records for locally determining target UCM hosts and ports. With this configuration, it is not required to configure records in your DNS system. If you prefer to use your DNS, then these local configurations are not required.

 ip host ucmpub.mydomain.com 192.168.80.60 ip host ucmsub1.mydomain.com 192.168.80.61 ip host ucmsub2.mydomain.com 192.168.80.62 ip host ucmsub3.mydomain.com 192.168.80.63 ip host ucmsub4.mydomain.com 192.168.80.64 ip host ucmsub5.mydomain.com 192.168.80.65 ip host _sip._udp.wxtocucm.io srv 0 1 5065 ucmpub.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub1.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub2.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub3.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub4.mydomain.com ip host _sip._udp.wxtocucm.io srv 2 1 5065 ucmsub5.mydomain.com ip host _sip._udp.pstntocucm.io srv 0 1 5060 ucmpub.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub1.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub2.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub3.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub4.mydomain.com ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

以下是配置字段的说明:

The following command creates a DNS SRV resource record. Create a record for each UCM host and trunk:

ip host _sip._udp.pstntocucm.io srv 2 1 5060 ucmsub5.mydomain.com

_sip._udp.pstntocucm.io: SRV resource record name

2: The SRV resource record priority

1: The SRV resource record weight

5060: The port number to use for the target host in this resource record

ucmsub5.mydomain.com: The resource record target host

To resolve the resource record target host names, create local DNS A records. 例如:

ip host ucmsub5.mydomain.com 192.168.80.65

ip host: Creates a record in the local IOS XE database.

ucmsub5.mydomain.com: The A record host name.

192.168.80.65: The host IP address.

Create the SRV resource records and A records to reflect your UCM environment and preferred call distribution strategy.

3

Configure the following dial-peers:

  1. Dial-peer for calls between Unified CM and Webex Calling:

     dial-peer voice 300 voip description UCM-Webex Calling trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:wxtocucm.io incoming uri via 300 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    以下是配置字段的说明:

     dial-peer voice 300 voip  description UCM-Webex Calling trunk

    Defines a VoIP dial-peer with a tag 300 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 300 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:wxtocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record wxtocucm.io is used to direct calls.

    incoming uri via 300

    Uses voice class URI 300 to direct all incoming traffic from Unified CM using source port 5065 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

    no vad

    禁用语音活动检测。For more information, see  vad (dial peer).

  2. Dial-peer for calls between Unified CM and the PSTN:

     dial-peer voice 400 voip description UCM-PSTN trunk destination-pattern BAD.BAD session protocol sipv2 session target dns:pstntocucm.io incoming uri via 400 voice-class codec 100 voice-class sip bind control source-interface GigabitEthernet 0/0/0 voice-class sip bind media source-interface GigabitEthernet 0/0/0 dtmf-relay rtp-nte no vad

    以下是配置字段的说明:

     dial-peer voice 400 voip  description UCM-PSTN trunk

    定义网络语音 400 标记的拨号对等项,并提供了更轻松管理和故障诊断的有意义的描述。

    destination-pattern BAD.BAD

    A dummy destination pattern is required when routing outbound calls using an inbound dial-peer group. Any valid destination pattern may be used in this case.

    session protocol sipv2

    Specifies that dial-peer 400 handles SIP call legs. For more information, see  session protocol (dial-peer).

    session target dns:pstntocucm.io

    Defines the session target of multiple Unified CM nodes through DNS SRV resolution. In this case, the locally defined SRV record pstntocucm.io is used to direct calls.

    incoming uri via 400

    Uses voice class URI 400 to direct all incoming traffic from the specified Unified CM hosts using source port 5060 to this dial-peer. For more information, see  incoming uri.

    voice-class codec 100

    Indicates codec filter list for calls to and from Unified CM. For more information, see  voice class codec.

    bind control source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for messages sent to the PSTN. For more information, see  bind.

    bind media source-interface GigabitEthernet0/0/0

    Configures the source interface and associated IP address for media sent to PSTN. For more information, see  bind.

    dtmf-relay rtp-nte

    将 RTP-NTE (RFC2833) 定义为呼叫段上预期的 DTMF 功能。For more information, see  DTMF Relay (Voice over IP).

    no vad

    禁用语音活动检测。For more information, see  vad (dial peer).

4

Add call routing using the following configurations:

  1. Create dial-peer groups to route calls between Unified CM and Webex Calling. Define DPG 100 with outbound dial-peer 100 towards Webex Calling. DPG 100 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 300 with outbound dial-peer 300 toward Unified CM. DPG 300 is applied to the incoming dial-peer from Webex.

     voice class dpg 100 description Route calls to Webex Calling dial-peer 100 voice class dpg 300 description Route calls to Unified CM Webex Calling trunk dial-peer 300

  2. Create a dial-peer groups to route calls between Unified CM and the PSTN. Define DPG 200 with outbound dial-peer 200 toward the PSTN. DPG 200 is applied to the associated incoming dial-peer from Unified CM. Similarly, define DPG 400 with outbound dial-peer 400 toward Unified CM. DPG 400 is applied to the incoming dial-peer from the PSTN.

     voice class dpg 200 description Route calls to PSTN dial-peer 200 voice class dpg 400 description Route calls to Unified CM PSTN trunk dial-peer 400

    以下是配置字段的说明:

    dial-peer  100

    Associates an outbound dial-peer with a dial-peer group. For more information, see  voice-class dpg.

  3. Apply dial-peer groups to route calls from Webex to Unified CM and from Unified CM to Webex: 

     dial-peer voice 100 destination dpg 300 dial-peer voice 300 destination dpg 100

    以下是配置字段的说明:

    destination dpg 300

    Specifies which dial-peer group, and therefore dial-peer should be used for the outbound treatment for calls presented to this incoming dial-peer.

  4. Apply dial-peer groups to route calls from the PSTN to Unified CM and from Unified CM to the PSTN:

     dial-peer voice 200 destination dpg 400 dial-peer voice 400 destination dpg 200

    This concludes your Local Gateway configuration. Save the configuration and reload the platform if this is the first time CUBE features have been configured.

使用诊断签名监控本地网关并排查

诊断签名 (DS) 主动检测基于 Cisco IOS XE 的本地网关中通常观察到的问题,并生成事件的电子邮件、系统日志或终端消息通知。也可以安装 DS 自动收集诊断数据,并将收集到的数据转移到 Cisco TAC 案例,从而加快解决时间。

诊断签名 (DS) 是 XML 文件,其中包含有关问题触发事件的信息以及用于通知、故障排除和修复问题的操作。使用系统日志消息、SNMP 事件以及通过定期监控特定的 show 命令输出来定义问题检测逻辑。操作类型包括:

  • 收集 show 命令输出

  • 生成合并的日志文件

  • 将文件上传到用户提供的网络位置,例如 HTTPS、SCP、FTP 服务器

TAC 工程师可编写 DS 文件,并针对完整性保护对文件进行数字签名。每个 DS 文件都有系统分配的唯一数字标识。Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

准备工作:

  • 请勿编辑从 DSLT 下载的 DS 文件。由于完整性检查错误,您修改的文件安装失败。

  • 本地网关需要一个简单的邮件传输协议 (SMTP) 服务器来发送电子邮件通知。

  • 如果要使用安全的 SMTP 服务器发送电子邮件通知,请确保本地网关运行 IOS XE 17.6.1 或更高版本。

必要条件

运行 IOS XE 17.6.1 或更高版本的本地网关

  1. 缺省情况下诊断签名处于启用状态。

  2. Configure the secure email server that you use to send proactive notification if the device is running IOS XE 17.6.1 or higher.

     configure terminal call-home mail-server <username>:<pwd>@<email server> priority 1 secure tls end

  3. 使用管理员的电子邮件地址 ds_email 配置环境变量,通知您。

     configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_email <email address> end

安装诊断签名用于主动监控

监控高 CPU 利用率

此 DS 使用 SNMP OID 1.3.6.1.4.1.9.2.1.56 跟踪 5 秒钟的 CPU 利用率。当利用率达到 75% 以上时,它会禁用所有调试并卸载安装在本地网关中的所有诊断签名。请根据以下步骤安装签名。

  1. 确保使用 show snmp 命令启用 SNMP。If SNMP is not enabled, then configure the snmp-server manager command.

     show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input 0 Bad SNMP version errors 1 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 37763 Number of requested variables 2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs 2 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output 0 Too big errors (Maximum packet size 1500) 20 No such name errors 0 Bad values errors 0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled

  2. 使用下列诊断签名查找工具中的下拉选项下载 DS 64224:

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    字段名

    字段值

    平台

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    产品

    CUBE Enterprise in Webex Calling solution

    问题范围

    性能

    问题类型

    “电子邮件通知”的 CPU 占用率过高

  3. 将 DS XML 文件复制到本地网关 flash 中。

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    下例显示将文件从 FTP 服务器复制到本地网关。

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash: Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...! [OK - 3571/4096 bytes] 3571 bytes copied in 0.064 secs (55797 bytes/sec)

  4. 在本地网关中安装 DS XML 文件。

     call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success

  5. 使用 show call-home 诊断签名命令 验证签名安装成功。状态列必须具有“已注册”值。 

     show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com

    Download DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-07 22:05:33

    触发后,此签名将卸载包括本身在内的所有正在运行的 DS。如有必要,请重新安装 DS 64224,以继续监控本地网关上的 CPU 高使用率。

监控异常呼叫断开连接

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and 503.  If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Please use the steps below to install the signature.

  1. 使用 show snmp 命令确保 已启用 SNMP。If SNMP is not enabled, configure the snmp-server manager command. 

    show snmp %SNMP agent not enabled config t snmp-server manager end show snmp Chassis: ABCDEFGHIGK 149655 SNMP packets input 0 Bad SNMP version errors 1 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 37763 Number of requested variables 2 Number of altered variables 34560 Get-request PDUs 138 Get-next PDUs 2 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 158277 SNMP packets output 0 Too big errors (Maximum packet size 1500) 20 No such name errors 0 Bad values errors 0 General errors 7998 Response PDUs 10280 Trap PDUs Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled

  2. 使用诊断签名查找工具中的下列选项下载 DS 65221:

    字段名

    字段值

    平台

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    性能

    问题类型

    使用电子邮件和系统日志通知时 SIP 异常呼叫断开连接检测。

  3. 将 DS XML 文件复制到本地网关。

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. 在本地网关中安装 DS XML 文件。 

     call-home diagnostic-signature load DS_65221.xml Load file DS_65221.xml success

  5. Use the command show call-home diagnostic-signature to verify that the signature is successfully installed. 状态栏中应该存在“已注册”值。

安装诊断签名以对问题进行故障诊断

您还可以使用诊断签名 (DS) 快速解决问题。Cisco TAC 工程师编写了几个签名,这些签名可实现对给定问题进行故障诊断、检测问题发生次数、收集正确的诊断数据以及将数据自动转移到 Cisco TAC 案例所需的调试。无需手动检查问题发生次数,并可轻松对间歇性和暂时性问题进行故障诊断。

您可以使用诊断签名查找 工具查找适用的签名并安装它们来自行解决给定问题,或者您也可以安装 TAC 工程师在支持参与中推荐的签名。

以下示例说明了如何查找和安装 DS 以检测是否存在“%VOICE_IEC-3-GW:CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0“ 系统日志,使用以下步骤自动收集诊断数据:

  1. Configure another DS environment variable ds_fsurl_prefix as the Cisco TAC file server path (cxd.cisco.com) to upload the diagnostics data. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager as shown in the following. The file upload token can be generated in the Attachments section of the Support Case Manager, as required. 

     configure terminal call-home diagnostic-signature LocalGateway(cfg-call-home-diag-sign)environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com" end

    示例: 

     call-home diagnostic-signature environment ds_fsurl_prefix " environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. 使用 show snmp 命令确保 已启用 SNMP。If SNMP not enabled, configure the snmp-server manager command.

     show snmp %SNMP agent not enabled config t snmp-server manager end

  3. 我们建议安装高 CPU 监控 DS 64224 作为主动措施,以在 CPU 高使用率期间禁用所有调试和诊断签名。使用诊断签名查找工具中的下列选项下载 DS 64224:

    字段名

    字段值

    平台

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    性能

    问题类型

    电子邮件通知的高 CPU 利用率。

  4. 使用诊断签名查找工具中的下列选项下载 DS 65095:

    字段名

    字段值

    平台

    Cisco 4300, 4400 ISR Series, or Catalyst 8000V Edge Software

    产品

    Webex Calling 解决方案中的 CUBE 企业版

    问题范围

    系统日志

    问题类型

    系统日志 - %VOICE_IEC-3-GW:CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. 将 DS XML 文件复制到本地网关。

     copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. Install the high CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway. 

     call-home diagnostic-signature load DS_64224.xml Load file DS_64224.xml success call-home diagnostic-signature load DS_65095.xml Load file DS_65095.xml success

  7. 验证已使用 show call-home diagnostic-signature 成功安装签名。状态栏中应该存在“已注册”值。 

     show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: username@gmail.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

    Downloaded DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    00:07:45

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-08:00:07:45

    65095

    00:12:53

    DS_LGW_IEC_Call_spike_threshold

    0.0.12

    Registered

    2020-11-08:00:12:53

验证诊断签名执行

在下列命令中 ,命令的“状态”列显示呼叫主诊断签名 将更改为“正在运行”,而本地网关执行签名中定义的操作。显示呼叫 主诊断签名 统计信息的输出是验证诊断签名是否检测到感兴趣的事件并执行了操作的最佳办法。“已触发/最大/Deinstall”列显示给定签名触发事件的时间、用于检测事件的定义的最大次数以及签名是否在检测到最大触发事件数后自动取消安装。 

show call-home diagnostic-signature Current diagnostic-signature settings: Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):https://tools.cisco.com/its/service/oddce/services/DDCEService Environment variable: ds_email: carunach@cisco.com ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

Downloaded DSes:

DS ID

DS Name

Revision

Status

Last Update (GMT+00:00)
64224

DS_LGW_CPU_MON75

0.0.10

Registered

2020-11-08 00:07:45

65095

DS_LGW_IEC_Call_spike_threshold

0.0.12

Running

2020-11-08 00:12:53

显示呼叫家庭诊断签名统计信息

DS ID

DS Name

Triggered/Max/Deinstall

Average Run Time (seconds)

Max Run Time (seconds)
64224

DS_LGW_CPU_MON75

0/0/N

0.000

0.000

65095

DS_LGW_IEC_Call_spike_threshold

1/20/Y

23.053

23.053

诊断通知电子邮件期间发送的诊断签名包含关键信息,例如问题类型、设备详细信息、软件版本、运行配置和显示与给定的问题故障诊断相关的命令输出。

卸载诊断签名

诊断签名用于疑难解答,通常定义为在检测到某些问题后卸载。如果要手动卸载签名,从 show call-home 诊断签名 的输出中检索 DS 标识并运行以下命令:

call-home diagnostic-signature deinstall <DS ID>

示例:

call-home diagnostic-signature deinstall 64224

根据部署中观察到的问题,定期将新的签名添加到诊断签名查找工具中。TAC 当前不支持新建自定义签名的请求。