The company where I work is going to contract a service provider to access the PSTN through SIP.
This is the first time I am going to deploy this kind of connection, and I will do it using a CUBE device, but I am wondering which place in my network is the best place for my CUBE.
I mean, should I put my CUBE on my LAN network or in the DMZ? And whether it's LAN or DMZ, should I connect the connection that my SIP provider gives me directly to the CUBE?
Can someone give me Cisco documentation about deploying CUBE? Not a configuration example, just where the best place to put it is.
This is driven by the telco provider requirements and how they hand off the connection. Typically there are 2 ways to deploy CUBEs:
1. If the provider requires a dedicated handoff between CUBE and their device, you would configure the CUBE with an internal-facing interface on your LAN so that it can communicate with CUCM, etc., and another interface with a /30 network connection to the provider. This external connection may be a new network you agree on with the provider or something they tell you to use, i.e. AT&T uses a public network range for this.
2. If the provider is your existing MPLS, etc. provider and already has routing established with your network, you can simply assign a single LAN interface to the CUBE and have them point to the IP of that interface. With this approach both internal (CUCM) and external SIP traffic routes to the same IP.
Hello. In both scenarios you are telling me the CUBE is in the LAN network and not in the DMZ.
This is a new deployment, so I guess it is not going to be with our Internet provider, so I can connect the external network directly to my CUBE, but I am wondering if this could mean a risk to my network? Should I apply an ACL?
If it is with our same Internet provider, the scenario could be something like ITSP --- FW --- SWITCH --- CUBE, so the external network is the IP that has been used for Internet attached to the FW, right? And in this scenario I guess my outgoing dial peer should point to their SIP server, right? And obviously my security team would have to allow the traffic.
These are the 2 most common scenarios, assuming direct handoff to your provider either via LAN or WAN. If your provider is Internet based (SIP traffic between you and them needs to go over the internet), i.e. Intelepeer in the US, then CUBE needs to communicate with them over the internet, in which case you would consider placing CUBE in the DMZ. As to ACLs or firewalls, it's always a good idea to have that between you and the provider even in LAN/WAN deployments, despite the fact that CUBE has built-in mechanisms such as the trust list to prevent rogue SIP access, which may not be considered sufficient security prevention.
Agree with Chris on this. It's always advisable to have an ACL set on your interface that faces the ITSP and, if you are using a public internet connection, to put a firewall between the SBC (CUBE) and the internet circuit. On top of that you should probably look at encryption of the call path to/from the ITSP, both signaling and RTP stream, if the calls are traversing an internet connection.
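
Added example, not part of any reply in this thread: a small Python check over a saved CUBE configuration for the two controls mentioned above, an inbound ACL on the ITSP-facing interface and the SIP trust list. The sample configuration, interface names and addresses are constructed for illustration; only the inbound `ip access-group` line and the `voice service voip` trust-list lines are inspected.

```python
import re

# Constructed sample config (documentation addresses, hypothetical interface names).
WEAK_CONFIG = """\
voice service voip
 no ip address trusted authenticate
!
interface GigabitEthernet0/0/0
 description LAN side toward CUCM
 ip address 10.10.10.5 255.255.255.0
!
interface GigabitEthernet0/0/1
 description ITSP handoff
 ip address 192.0.2.2 255.255.255.252
!
"""

def parse_sections(config):
    """Group indented IOS lines under the top-level line that precedes them."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit_cube(config, itsp_interface):
    """Return findings for the ITSP-facing ACL and the SIP trust list."""
    sections = parse_sections(config)
    findings = []
    intf = sections.get("interface " + itsp_interface)
    if intf is None:
        findings.append(itsp_interface + ": interface not found in config")
    elif not any(re.fullmatch(r"ip access-group \S+ in", l) for l in intf):
        findings.append(itsp_interface + ": no inbound ACL applied")
    voip = sections.get("voice service voip", [])
    if "no ip address trusted authenticate" in voip:
        findings.append("voice service voip: trusted-source check disabled")
    if any(re.fullmatch(r"ipv4 0\.0\.0\.0( 0\.0\.0\.0)?", l) for l in voip):
        findings.append("voice service voip: trusted list matches any source")
    return findings

if __name__ == "__main__":
    for finding in audit_cube(WEAK_CONFIG, "GigabitEthernet0/0/1"):
        print("FINDING:", finding)
```

A clean result only means the lines are present; the ACL entries themselves and the firewall policy in front of the CUBE still need review.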