SIP Trunking Steps to Success, Part One: Key Lessons from IT Managers Who've Been There
Q&A Session
Date: Wednesday, April 13, 2011

Q: You have to partner with a provider in order to do SIP trunking, correct? Not something you can do on your own private cloud, correct?
Many companies have been provisioning voice over IP for some time. They may use their corporate WAN to carry voice traffic between office locations or to a centralized IP PBX which then connects to the PSTN through PRI or other dial tone at that particular hub. SIP Trunking expands upon this by extending voice over IP beyond the organization's internal network and into the PSTN. A service provider such as Verizon is what enables the organization to make and receive calls (just like you would with a PRI or other dial tone service) directly over a data connection such as Verizon Dedicated Internet Access or our MPLS networking solutions. This consolidates the premise equipment that is necessary to gateway the IP service to the PSTN.

Q: Do we need to have a Verizon data network services to deploy Verizon SIP Trunking?
It is possible to procure SIP Trunks from a number of providers in one of two ways. First is over the top, in which a service provider provisions the trunks over a third party internet access line. Second is a bundled offer where the service provider is responsible for both the SIP Trunk and the network transport that delivers the service to your location. In order to provide customers with comprehensive support and SLAs, Verizon offers SIP Trunking as a bundled service. Verizon provisions IP Trunking (our brand name for SIP trunking) over our own MPLS network infrastructure or over Verizon Dedicated Internet Access lines and can therefore offer comprehensive support and SLAs because we can monitor and troubleshoot both the service and the access line.

Q: We have Avaya Call Managers and Session managers. We were considering using CUBE for the SBC, but the TELCOs said that it is uncertified. Is that true?
Cisco has certified CUBE with a number of Avaya and Nortel systems. Cisco TAC will provide interoperability support for the types of configurations listed in the following link.
http://www.cisco.com/en/us/solutions/ns340/ns414/ns728/networking_solutions_products_genericcontent0900aecd805bd13d.html
Verizon has not formally certified this design with Verizon IP Trunking but could test it on a customer by customer basis. Verizon has established this process to handle the scenarios that may be created by a number of premise equipment designs. As this would be a multivendor design, the equipment manufacturer support policies of all related components should also be considered.

Q: Is Verizon currently supporting T.38?
T.38 will be rolled out starting in July 2011.

Q: What does CUBE stand for?
Cisco Unified Border Element

Q: In the layered security approach, what do you recommend for policy at the application layer for voice?
CUBE natively will offer the application layer security features to protect against 3 primary areas: DoS Attacks, Identity/Service Theft, Privacy. Features on CUBE that can protect the network against each of these threats:

DoS:
- Inherent B2BUA behavior which will do L7 inspection
- Call Admission Control mechanisms like max-connections, call threshold that will make sure you don't get spammed with fake calls
- SIP malformed packet inspection
- Ability to change SIP listen port from 5060 to non standard UDP port
- RTP Malformed packet inspection
- Topology hiding
- Co-resident IOS features: ACL, FW, IPS

Identity/Service Theft and Privacy:
- SIP Digest Authentication
- SIP Hostname Validation
- SIP Trunk registration
- CDR records
- Toll Fraud protection feature
- SIP Header Manipulation
- Authentication and Encryption of signaling (TLS) and media traffic (SRTP)
- VPN features

External appliances may also be used to enhance security.

Q: If the MPLS connection to Verizon is a private network and not Internet, why such a big deal with security? Most companies don't even firewall MPLS access circuits for WAN connections to remote sites.
If you don't deploy an SBC (such as the Cisco CUBE), you lose the capability to control the calls that enter and leave your network. However, an SBC is not required for SIP Trunks on MPLS connections (this does not apply to Internet-based SIP Trunks), although the organization's security policy may drive additional security requirements. Many companies have security policies that dictate a firewall must be utilized when peering via IP. Verizon is able to accommodate high-security customers by providing secure architectures that include appliances that meet the customer's need.
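
The application-layer checks named in the layered-security answer above (source filtering, malformed SIP inspection, a max-connections limit), sketched in Python as an added example; this is not Cisco's or Verizon's code. The peer address, the call limit and the names EdgePolicy, parse_request and sample are assumptions for illustration, and the SIP messages are constructed.

```python
import re

# Assumed values for illustration (not from the Q&A).
TRUSTED_PEERS = {"192.0.2.10"}  # provider SBC, documentation address range
MAX_CONNECTIONS = 2             # stand-in for a max-connections limit

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}

def parse_request(raw):
    """Return (method, headers); raise ValueError on a malformed request.
    Simplified: no header folding, no body or Content-Length checks."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name:
            raise ValueError("bad header line")
        headers[COMPACT.get(name, name)] = value.strip()
    missing = REQUIRED - set(headers)
    if missing:
        raise ValueError("missing " + ",".join(sorted(missing)))
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != match.group(1):
        raise ValueError("CSeq does not match method")
    return match.group(1), headers

class EdgePolicy:
    """Hypothetical admission filter: source check, L7 parse, call limit."""
    def __init__(self):
        self.active = set()  # Call-IDs of admitted calls

    def admit(self, src_ip, raw):
        if src_ip not in TRUSTED_PEERS:       # ACL-style source filter
            return "drop: untrusted source"
        try:
            method, headers = parse_request(raw)
        except ValueError as exc:             # malformed SIP is refused
            return "reject 400: " + str(exc)
        call_id = headers["call-id"]
        if method == "INVITE":
            if call_id not in self.active and len(self.active) >= MAX_CONNECTIONS:
                return "reject 503: call limit reached"
            self.active.add(call_id)
        elif method == "BYE":
            self.active.discard(call_id)
        return "accept"

def sample(method, call_id, cseq_method=None):
    """Constructed SIP request used as sample input."""
    return ("%s sip:+15555550100@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-%s\r\n"
            "From: <sip:+15555550199@example.net>;tag=1\r\n"
            "To: <sip:+15555550100@example.com>\r\n"
            "Call-ID: %s\r\nCSeq: 1 %s\r\nMax-Forwards: 70\r\n\r\n"
            % (method, call_id, call_id, cseq_method or method))
```

The order of the checks matters: the cheap source filter runs before any parsing, so traffic from unknown peers never reaches the parser or consumes a call slot.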

Q: Can you provide an example of how an IP set making a call into my network can hack my network? Does the keypad on the phone become a keyboard after the call is answered?
The keypad does not become a keyboard after the call. Verizon IP Trunking uses standards based Session Initiation Protocol & Real Time Protocol (SIP & RTP). Some SIP devices have flaws that can be exploited such that a specifically crafted packet could cause unwanted behavior within the device. Creating a secure architecture, following best practices and peering with a trusted partner like Verizon greatly reduce the possibility that this could happen.

Q: If you are connecting via Private IP, isn't an Access Control List (ACL) sufficient for security? ACL to allow communications only from the provider SBC
It's OK to have Access Control Lists (ACLs) as the security mechanism for communications between the enterprise and service provider connection when using a Private IP network. However, the security policy may drive additional security requirements. ACLs should still be used in conjunction with an enterprise SBC such as Cisco CUBE.

Q: What solutions does Verizon SIP provide to allocate call cost by user or cost center?
VZB prices IP Trunking using concurrent calls. These are allocated at the enterprise level using a feature called Burstable Enterprise Shared Trunks or BEST where all locations and all users can both participate in and draw from the enterprise allocated amount of concurrent calls. Arbitrary allocation (fixed cost per phone number divided among branches/users) is a low-cost option for call accounting or cost allocation. There are also a number of third party applications that can provide more sophisticated call and cost accounting in an IP PBX environment.

Q: If we were going to centralize SIP trunks in a couple sites; that now means all voice RTP that previously routed out a local TDM gateway now has to traverse the enterprise WAN. How do you make the business case centralized SIP is cost effective?
There are several drivers that can support a business case for centralized design. The first is the potential cost savings that can be realized as an enterprise shares trunking capacity. Many customers are realizing cost control when converting from TDM to IP Trunking because it frees up idle trunking capacity in branch offices. Second, using G.729 codec, Verizon can increase carrying capacity to 41 Concurrent Calls over a single T1, which helps soften the increased bandwidth requirements of running voice over the network. Third, as an enterprise migrates to centralized design, this typically frees up costs associated with maintaining TDM telephony gear in the branch offices. You can access additional tools and information on how to develop a business case with SIP Trunking at www.ciscoverizonevent.com.
Verizon's Burstable Enterprise Shared Trunk (BEST) feature with Cisco CUBE can also be configured in a distributed design, enabling customers to share trunking capacity across the enterprise but still deliver dial tone locally. This solution requires a greater investment in branch configuration than centralized, but depending on the business applications it may drive a greater return on investment. If a distributed design is preferred, the IT organization can still realize the management benefits of centralized PBX by leveraging managed services, such as Verizon managed WAN and managed IP PBX.

Q: Should we deploy the CUBE inside or outside of the firewall when connecting with Verizon MPLS?
It depends on whether the access circuit is dedicated internet access, shared internet access or an MPLS circuit and on the customer's security policy. As it would be impossible to cover all scenarios in a short answer, we recommend that you consult with your Verizon representative.

Q: If I have a Layer 2 switch between the router and the IP PBX, should I use Class of Service or DSCP packet marking in the IP Phone or ATA?
Use DSCP as EF.

Q: What is the typical bandwidth consumption of a single VOIP call?
G.711 is 83k and G.729 is 33k. This value includes both L2 & L3. Refer to this link for more details:
http://www.cisco.com/en/us/tech/tk652/tk698/technologies_tech_note09186a0080094ae2.shtml

Q: With high bandwidth connections, and no congestion, how is the QoS enabled?
For QoS functions on the router to change packet orderings, congestion needs to occur. If there is no congestion, QoS functions will not drop or reorder packets.

Q: Does anyone have a test/integration plan for turning up SIP Trunks? I think we're beyond just taking, placing and receiving phone calls as a go/no-go decision tree.
Verizon has a detailed Retail Test plan we use internally and with customers using non-certified CPE that is shared with a customer once the order process begins. Consult your Verizon representative for more info. For generic SIP Trunking test plans, please consult:
http://www.cisco.com/en/us/products/sw/voicesw/ps5640/prod_white_papers_list.html
Additional information about test planning can be found in the book SIP Trunking by Cisco Press:
http://www.ciscopress.com/bookstore/product.asp?isbn=1587059444

Q: Doesn't CUBE in a back to back configuration act like a firewall?
Yes, it acts as a B2BUA, performs L7 inspection and has many features that a typical firewall or an Application Layer Gateway (ALG) does not provide.

Q: Does SRTP increase the packet size for each call?
The standard offering for most service providers is to not support SRTP on SIP Trunking service. For general information on SRTP, please visit http://www.cisco.com/web/about/security/intelligence/securing-voip.html or consult your Verizon representative.

Q: Based on slide 21 architecture, is CUCM Location-based CAC the best model (as opposed to RSVP or other method)?
The standard offering for most service providers is to not support RSVP on SIP Trunking service. Verizon recommends MPLS Class of Service and also enables RTP to go into the EF class as a method of call admission control.

Q: E911. How are you handling it? Or are you?
Verizon supports full E911 over our SIP Trunks.

Q: Which Cisco box is capable of handling SIP Trunking?
Cisco recommends the ISR-G2 (29xx and 39xx) and ASR 1k as enterprise session border controllers (CUBE). Support will be extended to the 800 series in the second half of 2011.

Q: Will you discuss the challenges associated with faxing across IP Trunk?
Stay tuned as we plan to cover faxing over IP in an upcoming webinar. For now, here are some good resources:
http://www.cisco.com/en/us/tech/tk652/tk777/tsd_technology_support_protocol_home.html
http://www.ciscopress.com/bookstore/product.asp?isbn=1587059444

Q: So will a Cisco 2811 work with SIP Trunking w/ a 1.5 meg connection?
Yes, but the 2811 is an end of life platform. Migrating to an ISR-G2 (2911) will double the session capacity and provide more features.

Q: What is the "tipping point" between an ISR as the CUBE and an ASR as the CUBE? Is it call capacity?
More than 5000 sessions generally indicates the need for an ASR solution. The 3945E can support 2500 simultaneous sessions and the ASR1001 supports 10000 simultaneous calls. Anywhere mid-way you can stack ISR-G2s and have the SP load-balance across them.

Q: Would you need SRTP when using SIP?
The standard offering for most service providers is to not support SRTP on SIP Trunking service. For general information on SRTP, please visit http://www.cisco.com/web/about/security/intelligence/securing-voip.html

Q: We have Lync 2010, some Avaya, 3com and Cisco IP phones. We plan to integrate all on voice but to support H.323 which model do you prefer to integrate all them?
CUBE can be deployed within the network and provide interworking between H.323 and SIP. So, you can create a dial-plan on these different PBXs to route calls to CUBE (via H.323) and CUBE can then send them across to the other PBX/SP over SIP.

Q: Does CUBE have a good CDR reporting function, for trending and troubleshooting?
Yes, it leverages the IOS capabilities for CDR and call accounting:
http://www.cisco.com/en/us/docs/ios/voice/cdr/developer/guide/cdrdev.html

Q: How are faxes handled over SIP?
Verizon currently is using G.711 but in July 2011 we plan to launch support for T.38. For more information, please visit:
http://www.cisco.com/en/us/tech/tk652/tk777/tsd_technology_support_protocol_home.html

Q: I have a few Verizon SIP trunks in service and Verizon recommends terminating circuits on an edge router and the SIP trunk on a CUBE. This increases hardware required. What is Cisco's best practice?
Due to scalability, IOS image and other factors there could be some instances where a separate appliance is needed; however, you can combine data and SIP trunk on the same router, and that's why CUBE is a software application on the router. Cisco's position is that session border controller functionality can be an integral part of the network and thus it's built on the router.

Q: Will you discuss blended systems (SIP trunking tied to legacy key systems via ATA or similar)?
The efficiencies of SIP Trunking provide organizations an opportunity to refresh the enterprise communications network to an integrated platform for unified communications. As many customers will make this evolution over time, Verizon IP Integrated Access enables organizations to migrate to IP at their own pace while still leveraging the network features of IP Trunking such as BEST, which shares trunking capacity across an enterprise, and VIPER, which enables calling between other VIPER subscribers at no additional cost.

Q: How is the hand off made from Verizon to the customer? Is CUBE running on the customer's ISR or does Verizon provide an SBC?
Generally, customers provision the IP Trunk service on Verizon MPLS so at a physical layer it must terminate on a data device. At a logical level, the IP Trunk terminates on an SBC (session border controller) at the customer premise. The customer can purchase an SBC from Verizon or a third party. Or a customer can integrate the physical and logical terminations on an ISR G2 with CUBE (CUBE is Cisco's SBC).

Q: We use Single Number Reach and other mobility type Cisco services. Are there any roadblocks with these services when routing thru SIP that we need to be aware of?
Not specific to SIP Trunking, but as part of general single number reach service, configuration changes are needed to ensure the DID transferred out by UCM to VZB is 10 digits and not the extension length. Other changes may be required depending on the specific situation. Customers may also request the Verizon Unscreened ANI Service on SIP Trunking to pass the original caller data through when the call is connected.

Q: How do you deal with porting DIDs over to a single IP provider from the LECs?
The transition plan will vary by LEC, but Verizon fully supports porting from any provider.

Q: I've heard that CUCM 5.1 does not support diversion header and we'll have to actually do it at the CUBE GW. Please confirm.
Correct. CUBE can support insertion of diversion headers. With the conditional header manipulation feature you can do normalization and header manipulation on CUBE to support many call flows.

Q: So if you have SIP trunking at a core PBX and then add a remote site to that core are you saying you can take that site's DID range and port it to your SIP provider and remove the need for local trunking?
Correct. You could remove all local trunking at the remote (as long as the DIDs can be ported). Several tools and resources are available to help you better understand the cost control opportunity inherent with SIP Trunking including the webinar recording, Building a Business Case for UC&C with SIP Trunking, and call path reduction calculator, available at www.ciscoverizonevent.com

Q: Any issues with load sharing between dual SBCs through 4 equal cost paths in/out of centralized corporate solution? Dual Data Centers.
Verizon supports the best practice of load balancing across multiple paths.

Q: How many Cisco/Verizon customers are using centralized SIP Trunking?
More than 80% of our IP Trunking customers deploy centralized design including centralized, multisite, multicountry (for those customers with locations outside US).

Q: So, you're billed at the rate center at the centralized gateway, right?
Local / LD charges are based on the location that initiated the call. In a centralized design, concurrent call paths are allocated and billed for each of the remote locations depending on capacity requirements. Each location would incur a concurrent call charge plus the geographically relevant local/LD usage charges.

Q: Can anyone talk about using SIP trunks for overflow, e.g., in addition/combination w/PRIs (application: inbound contact center)
If the customer is using toll-free services, they can direct the overflow TN to a Verizon VOIP number on SIP Trunking.

Q: Is it always necessary to use CUBE between call manager and SIP trunking providers?
Cisco recommends an enterprise SBC (CUBE) for the following reasons:
- Demarcation (Troubleshooting is easier)
- Security (Topology hiding, address hiding, and lots of other security features)
- Session Management (Control of the session, call admission control etc)
- Interworking (easier to interoperate between CUCM and SP. Normalization and other features help make sure there are no interop issues)
- Media Manipulation and Optimization (Transcoding, transrating, media recording (Roadmap item to be released in July 2011))

Q: If MPLS is down, is the redirect via PSTN done automatically?
The customer can leverage a number of business continuity features. Consult your Verizon rep for more details.

Q: Do you guys see 911 centers becoming completely migrated to SIP trunks and not having TDM POTS lines as a back up?
Best practice is currently to have a combination of TDM and SIP for redundancy.

Q: Does Cisco plan to integrate CUSP with CUBE instead of having them as 2 separate devices?
CUSP, Cisco Unified SIP Proxy, is a module that can be integrated into the ISR G2 which runs CUBE.

Q: CUSP is for SIP failover... correct?
The role of CUSP is an enterprise load balancer for SIP trunking and enhances failover and redundancy.

Q: For a Greenfield site, how would Verizon/Cisco help define the capacity required for SIP trunking?
This is a very broad question. If you want a quick rule of thumb, the oversubscription rate used is typically 4:1, but better information leads to better sizing.