Hello Marcelo,

Thanks for your question.

It's recommended not to configure NAT on CUBE if there is no specific reason. Useally as long as CUBE can reach internal and external network, it chooses the best local address and communicate with internal device (e.g. CUCM) and external device (e.g. Telco's SBC) properly.

In some cases, you may need to specific the source ip address of signalling and media on CUBE, which can be archieved by using "SIP bind features". It can be configured globally or under dial-peer as below:

voice service voip

   bind {control | media | all} source-interface ...

or

dial-peer voice tag voip

   session protocol sipv2

   voice-class sip bind {control | media} source interface ...

Also CUBE provides many security features (including but not limited to topology hiding, SIP protocol inspection, toll-fraud protection) for the unified communication sesssions that pass through it.

Please let me know if you have any questions.

Thanks and regards,

Robin

Hi Steven,

Thanks for your question.

As per your description, if I understand correctly, the network topology is as bleow:

CUCM@HQ ---(SIP)----CUBE------(MPLS)----(SIP)----....------TELCO

                                                                      |

                                                                      |--(SIP)---Satellite BR

So the issue here is it's difficult to find an acceptable CAC track on-net and SIP provider calls, please correct me if it's not accurate.

In this case you can use the "max-conn" to limit the max calls being sent to Telco or Satellite Branch office under different dial-peer on CUBE.

Another way may help, which is to use seperate sip trunks with different device pool/location on CUCM. To achieve this, on CUBE add a loopback interface and assign it with another internal address; From CUCM side, there will be two sip trunks pointing to two different addresses of CUBE for different uses (one for on-net call, the other for sip provider). Thus CAC policy can be applied on the sip trunk seperately.

Note, when the call is being routed out CUBE, you need to specify the source address of signaling under dial-peer level.

Hope this helps. Please let me know if you have any questions.

Thanks and regards,

Robin

Robin,

You describe the situation mostly correctly but fail to understand the need. The one item of correction to your diagram is that all the satellite sites are centrally managed by the CUCM cluster.  Thus, I need a way to apply CAC consistently at each satellite site using that site's bandwidth.  Calls can be from the SIP Provider (managed centerally by the CUBE router & CUCM) or they can be on-net calls from the HQ, another satellite location, or another CUCM cluster.  On net calls consist of MeetingPlace, UCCX, Voicemail, or just plain audio/video calls between 8945 model phones.

Since the dialing plan is centralized on CUCM the max-conn command isn't really going to work.  It also doesn't solve the problem of understanding and applying CAC consistently at each site regardles of the call origination point. Right now the only option I have is to carve out bandwidth in QoS just for SIP calls and reduce the amount of bandwidth available for other on-net calls using the normal CAC mechanisms (Locations/RSVP) and then hope the SIP calls don't exceed or overlap with the on-net calls.  This is less than ideal.

The other option you discussed is terminating a SIP signalling session at each site. While this might work it adds undue complexity, cost, and doesn't scale well.  No one wants to maintain copies of the enterprise dialplan at each router, SIP trunks and CUBE licenses are not cheap, and this quickly becomes unmanageable.

I can obtain a consistent CAC experience if I use media flow-through mode but then I have to double up the bandwidth at the HQ site on the CUBE router and hairpin satellite office calls back through the MPLS network to the satellite site.  This doesn't scale.  The bandwidth and circuit sizes quickly become unmanageable.

The current CAC mechanism in place in the scenario is RSVP Call Agent.  This is largely because there are two CUCM 8.6 clusters that are leveraging EMCC and SAF between each other.

Any further ideas?

Hi Steven,

Thanks for your explanation in details.

At the beginning I though all on-net and off-net calls were thru CUBE. As in this situation all branch sites' phones are registered with and controlled by CUCM, the network would be as below:

Here the RTP stream of on-net call will be between two sites, and RTP stream of off-net call will be from site to SIP carrier directly.

Assume all off-net calls (to service provider) goes thru CUBE. I think location based CAC will meet most of the requirements:

- the bandwidth specified for one location (e.g. Site 1) will only allow limited calls, including on-net (inter-site) and off-net, it may have;

- all off-net calls (incluing inbound or outbound) can be limited by a separate location which assigned to SIP trunk for CUBE;

- other on-net calls, such as MeetingPlace, UCCX, Voicemail or intercluster call, would be considered as calls between branch site to HQ as most probably these servers are located at HQ.

Hope the above helps. Please let me know if you have any further questions.

Thanks,

Robin

Hello Gaurav,

Thanks for your question.

In most cases, media flow-through is used in order to  hide address and traverse NAT, as other equipments just communicate with  CUBE directly without being aware of the whole network behind CUBE.  Especially for enterprise VoIP network, you don't need to exposure the  internal network to carrier, instead just give the carrier the public  address of CUBE, which reduces the possibility of being hacked from  outside. Sometime even the internal network (192.X.X.X, 172.X.X.X..) is  not reachable from the carrier, you have to use the media flow-through  mode as CUBE is the device standing between two networks and it will  properly terminate and regenerate the media streams.

Another example would be to convert Multicast MOH to unicast MOH toward Service Provider side. Below is one typical topology:

Phone A---PSTN---(SIP)---CUBE---(SIP)----..WAN..---CUCM---Phone B

To  save the bandwidth, Multicast MOH is used between CUBE and CUCM. CUBE  has to use media through to make sure Phone A hear MOH if it is is put  on hold by Phone B.

Generally speaking media flow-around is applied in some cases  when you don't want to media streams go through CUBE due to bandwidth  limit or voice delay restrain.

When using flow-around, the  SDP related information is visible on CUBE. The codec or codec class  specified under dial-peer still work as it will filter out the  unsupported codecs.

The case of transfer(REFER), I think  you mean the REFER message is consumed on CUBE and CUBE initiates the  new call. In this case, CUBE is also aware of the codecs as it still  needs to match the dial-peer based on the REFER-TO number. If the REFER  message is passed thru to other devices on CUBE, that's easy as there is  only original call on CUBE, and new device will send RE-INVITE to  update the medial address/port via CUBE.

Hope above answers your questions. If you have other questions, please feel free to let me know .

Thanks and regards,

Robin

Hi

We have established sip trunk with the ISP and we have problem with incoming calls

Actually the calls never going to ipphone

i am wondering if you can help in a technical level

Call Flow:

ISP Sip trunk with vg-VG sip dial peer pointing to cucm-CUCM

Regards

chrysostomos

Hi Chrysostomos,

Sure. At this momenet, we are not sure where the call is failing. In order to further investigate, could you please collect the following debug logs on CUBE:

debug ccsip message

debug voip ccapi inout

Alos please provide the running configuration of CUBE.

Thanks and regards,

Robin

Hi Robin

We have similar issue here as Chrysostomos mentioned, intermittent incoming call drop out on answer. I've been working this issue since Nov but no luck to fix it. All outgoing calls seem to be fine.

Call flow as below:

ITSP--SIP--CME--SIP-9971

Please advise how can i upload running config and debugs.

Regards

Fei

Hello Fei,

Thanks for your question.

I am not sure if your account has the privilidge of adding attachments or not. However there are some other ways as below:

1) compress all files to one zip, upload it to ftp://anonymous:cisco@ftp.cisco.com/incoming, then tell me the filename here.

2) upload your file to some share folder in internet, then give me the download link.

Once I get your debug log and config, will help you have a look.

Thanks and regards,

Robin

Hi Robin

I dont think my account has privillege fo adding. I tried to upload to url ur provide, i was asked to provide username/password for. Whether my cisco id should be use or something else.

Regards

Fei

Hi Fei,

You can log in this ftp server by using account annomyous (password can be anything). It's recommended to login and upload via CLI (window command line or unix/linux shell).

Thanks,

Robin