SIPGW-XX.XXX#sh run
Building configuration...
Current configuration : 33311 bytes
!
version 17.12
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform ipsec fips-mode
!
hostname SIPGW-XX.XXX
!
boot-start-marker
boot system bootflash:packages.conf
boot-end-marker
!
!
vrf definition MANAGE
 rd 255:255
 !
 address-family ipv4
 exit-address-family
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition SIP_INTERNAL
 rd 254:254
 !
 address-family ipv4
 exit-address-family
!
vrf definition SIP_UPLINK
 rd 208:208
 !
 address-family ipv4
 exit-address-family
!
logging userinfo
logging buffered 40960
no logging console
aaa new-model
!
!
aaa group server tacacs+ ISE_TACACS
 server name ISE-PSN1
 server name ISE-PSN2
 server name ISE-PSN3
 ip vrf forwarding MANAGE
!
aaa authentication login default group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_TACACS local if-authenticated
aaa authorization exec CON none
aaa authorization commands 1 default group ISE_TACACS local if-authenticated
aaa authorization commands 15 default group ISE_TACACS local if-authenticated
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
!
aaa common-criteria policy PASSWORD_POLICY
 min-length 15
 max-length 127
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 8
!
!
aaa session-id common
clock timezone EST -5 0
!
!
login block-for 900 attempts 3 within 120
login quiet-mode access-class SSH
login on-failure log
login on-success log
!
!
subscriber templating
!
!
crypto pki trustpoint TP-self-signed-1257946039
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1257946039
 revocation-check none
 rsakeypair TP-self-signed-1257946039
 hash sha256
!
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check crl
 hash sha256
!
crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl none
 source interface GigabitEthernet0/0/0
 hash sha256
!
crypto pki trustpoint sdn-network-infra-iwan
 enrollment url http://INTERNAL-DNAC-IP:80/ejbca/publicweb/apply/scep/sdnscep
 fqdn SIPGW-XX.XXX.domain
 subject-name CN=C8300-1N1S-6T_sdn-network-infra-iwan
 revocation-check crl
 source interface GigabitEthernet0/0/0
 rsakeypair sdn-network-infra-iwan
 auto-enroll 80 regenerate
 hash sha256
!
!
CRYPTO PKI CERTIFICATE CHAINS
 quit
!
!
application
 service default dsapp
 !
 global
  service alternate default
  service default dsapp
 !
!
!
!
voice service voip
 ip address trusted list
  ipv4 INTERNAL-UC-IP1
  ipv4 INTERNAL-UC-IP2
  ipv4 INTERNAL-UC-IP3
  ipv4 MASERGY-UC-IP1
  ipv4 MASERGY-UC-IP2
 mode border-element
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 trace
 sip
  early-offer forced
  midcall-signaling passthru
  sip-profiles 1
!
!
voice class uri LOCALUC sip
 pattern (INTERNAL-SANITIZED-PATTERN)
!
voice class uri ITSPUC sip
 pattern (MASERGY-SANITIZED-PATTERN)
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
 codec preference 3 g729br8
 codec preference 4 g711alaw
!
!
voice class sip-profiles 1
 request ANY sdp-header Audio-Attribute modify "a=inactive" "a=sendrecv"
 request ANY sdp-header Audio-Attribute modify "a=recvonly" "a=sendrecv"
 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=inactive" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=recvonly" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=sendonly" "a=sendrecv"
!
voice class sip-profiles 2
 request ANY sip-header P-Asserted-Identity modify "@(.*)>" "@masergy.com>"
 request ANY sip-header Diversion modify "@(.*)>" "@masergy.com>"
 request ANY sdp-header Audio-Attribute modify "a=inactive" "a=sendrecv"
 request ANY sdp-header Audio-Attribute modify "a=recvonly" "a=sendrecv"
 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=inactive" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=recvonly" "a=sendrecv"
 response ANY sdp-header Audio-Attribute modify "a=sendonly" "a=sendrecv"
 response ANY sdp-header Session-Owner modify "ROUTER-PRIVATE-IP" "ISP-PUBLIC-GATEWAY-IP"
!
!
voice class dpg 4
 dial-peer 4
!
voice class server-group 1
 ipv4 INTERNAL-UC-IP1 preference 1
 ipv4 INTERNAL-UC-IP2 preference 2
 ipv4 INTERNAL-UC-IP3 preference 3
!
voice class server-group 2
 ipv4 MASERGY-UC-IP1 preference 1
 ipv4 MASERGY-UC-IP2 preference 2
!
voice class sip-options-keepalive 1
 up-interval 30
 retry 2
!
!
voice iec syslog
!
voice register global
 default mode
 no allow-hash-in-dn
 max-dn 20
 max-pool 20
!
!
diagnostic bootup level minimal
!
!
OBJECT-GROUP NETWORKS
!
license feature hseck9
license udi pid C8300-1N1S-6T sn -----------
license boot level network-advantage
license smart transport off
archive
 log config
  logging enable
  notify syslog contenttype plaintext
memory free low-watermark processor 87534
!
spanning-tree extend system-id
!
!
enable secret 9 $9$8aPi7GKU1RqkBU$TtodxU.bglxQw2RYLoxjls6k0DnzFDlifgFAZgUSZHs
!
username localaccount privilege 15 common-criteria-policy PASSWORD_POLICY secret 9 $9$fQXblo4fvNB7V.$LTDkUbtLCRvm0eEB0hhHxzuizpB6YVHP8tKJ.5f7RRk
!
redundancy
 mode none
!
!
interface GigabitEthernet0/0/0
 vrf forwarding MANAGE
 ip address CUBE-MGMT-IP 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description SIP_UPLINK
 vrf forwarding SIP_UPLINK
 ip address ROUTER-PRIVATE-IP 255.255.255.248
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 description SIP_INTERNAL
 vrf forwarding SIP_INTERNAL
 ip address LOCAL-VOICE-NET 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
no ip ftp passive
no ip http server
no ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip tacacs source-interface GigabitEthernet0/0/0 vrf MANAGE
!
no ip rsvp authentication
ip route vrf MANAGE 0.0.0.0 0.0.0.0 MGMT-NET-DEFAULT-GW
ip route vrf SIP_INTERNAL 0.0.0.0 0.0.0.0 VOICE-NET-DEFAULT-GW
ip route vrf SIP_UPLINK 0.0.0.0 0.0.0.0 ROUTER-PRIVATE-IP
ip ssh bulk-mode 131072
ip ssh source-interface GigabitEthernet0/0/0
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com
ip ssh server algorithm encryption aes256-gcm aes128-gcm aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
ip ssh server algorithm hostkey rsa-sha2-256 rsa-sha2-512
ip ssh server algorithm publickey rsa-sha2-256 x509v3-ecdsa-sha2-nistp256 ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521 rsa-sha2-512 ecdsa-sha2-nistp521
ip ssh client algorithm mac hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com
ip ssh client algorithm encryption aes256-gcm aes128-gcm aes256-ctr aes192-ctr aes128-ctr
ip ssh client algorithm kex ecdh-sha2-nistp256 ecdh-sha2-nistp521 ecdh-sha2-nistp384
ip scp server enable
!
ip access-list standard SNMP
 5000 deny any log
ip access-list standard SSH
 5000 deny any log
!
!
logging trap syslog-format rfc5424
logging host INTERNAL-DNAC-IP
!
!
CUT SNMP CONFIG
!
tacacs server ISE-PSN1
 address ipv4 ------------
 key
tacacs server ISE-PSN32
 address ipv4 ------------
 key
tacacs server ISE-PSN3
 address ------------
 key
!
!
radius-server attribute 6 on-for-login-auth
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
dial-peer voice 1 voip
 description ITSP-in-CUBE
 session protocol sipv2
 incoming uri via ITSPUC
 voice-class codec 1
 voice-class sip nat media-keepalive 10
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 2 voip
 description CUBE-out-CUCM
 huntstop
 destination-pattern +[1-9]..........
 session protocol sipv2
 session server-group 1
 voice-class codec 1
 voice-class sip bind control source-interface GigabitEthernet0/0/3
 voice-class sip bind media source-interface GigabitEthernet0/0/3
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 3 voip
 description CUCM-in-CUBE
 session protocol sipv2
 incoming uri via LOCALUC
 voice-class codec 1
 voice-class sip bind control source-interface GigabitEthernet0/0/3
 voice-class sip bind media source-interface GigabitEthernet0/0/3
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 4 voip
 description CUBE-out-ITSP
 huntstop
 destination-pattern +[0-9]T
 session protocol sipv2
 session server-group 2
 voice-class codec 1
 voice-class sip nat media-keepalive 10
 voice-class sip profiles 2
 voice-class sip options-keepalive profile 1
 voice-class sip bind control source-interface GigabitEthernet0/0/1
 voice-class sip bind media source-interface GigabitEthernet0/0/1
 dtmf-relay rtp-nte
 ip qos dscp cs5 signaling
 no vad
!
!
sip-ua
!
banner login ^C ^C
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 session-timeout 5
 access-class SSH in vrf-also
 privilege level 15
 logging synchronous
 transport input ssh
 transport output ssh
line vty 5 15
 session-timeout 5
 access-class SSH in vrf-also
 privilege level 15
 logging synchronous
 transport input ssh
 transport output ssh
!
!
SANITIZED NTP
!
call-home
 contact-email-addr emai.distro@mail
 source-interface GigabitEthernet0/0/0
 vrf MANAGE
 no http secure server-identity-check
 profile "CiscoTAC-1"
  no reporting smart-call-home-data
  no reporting smart-licensing-data
 profile "PRIMARY"
  reporting smart-licensing-data
  destination address http https://INTERNAL-DNAC-IP/
!
!
end