Designing and Deploying Managed Voice/Data Services for Enterprise and SMB Subscribers

Session VVT-2021, presentation 7990_05_2003_c1. Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.

Transcript of the session slides.

Agenda

• Managed Business Voice Services Overview

• Architecture Component Overview

• Routing Logic Example

• Scaling the Network

• Billing Considerations

• Security Considerations

• NAT/PAT

• NMS/OSS

• Supplementary Routing Logic

• Summary and Session Reference

SP Business Voice Services

• The SP Business Voice Solution enables Service Providers to offer a portfolio of voice services over a common framework, targeting SMB and enterprise customers

• The service menu consists of the following core services:
  Business Phone
  Site-to-Site Voice/Data Connectivity
  Centralized PSTN Access
  Centralized Internet Access
  Remote Network Operations

• Different customer types have different needs:
  Small business, single site
  Medium/large business, multiple sites

• Focused on business deployment, not residential

SP Managed Services Layers

[Figure: SP Managed Services Layers. From the PSTN through the Service Provider to the Business (single or multi-site). Transport: IP/MPLS converged network (MPLS, clear IP or IPsec). Common VoIP connectivity layer: scalability, security, regulatory, PSTN connectivity, NMS/OSS, QoS, call control. Services: Business Phone, Internet Access, Centralized PSTN Access, Day 2 Management, Site to Site. Customer CPE: CallManager cluster with Unity VM/UM, ITS, or VoIP GW with legacy PBX.]

Business Phone Service

Service Provider Offering:
• Features
  Dial-tone
  DID assignment
  Basic business features (CCM: full IP PBX; ITS: keyswitch)
• Optional Features
  vXML enhanced features
  Centralized voicemail
  Local PSTN connectivity (backup, or primary if there is no centralized offering)

Supported CPE at the branch office:
1. Cisco CallManager (CCM)
2. IOS Telephony Service (ITS)
3. GW w/ PBX (GW)

Target Customer Types: All

Site-to-Site Voice/Data Connectivity

Service Provider Offering:
• Features
  Private dial plan (small scale can be done without centralized routing)
  QoS over WAN
  Converged data/voice
  Site-to-site toll bypass
• Optional Features
  Secure IP transport (MPLS VPN or FW)
  Overlapping dial plans through route server (scaling, transparent to the end user)

Target Customer Types: Multi-Site/Multi-Branch

[Figure: Enterprise A Site 1 (CCM), Enterprise A Site 2 (ITS) and Enterprise B Site 1 (GW) connected over the SP IP transport.]

Centralized PSTN Access

Service Provider Offering:
• Features
  Centralized PSTN off-net connection through:
    PSTN hop-off GW/GK (VIA)
    Interconnect to VoIP wholesaler (VIA)
    SS7 or non-SS7
• Optional Features
  Centralized PSTN on-net
  2-stage dial on-net

Target Customer Types: All (multiple or single site offices)

[Figure: CCM, GW and ITS sites connected over the SP IP transport to the PSTN.]

Internet Access

Service Provider Offering:
• Features
  Centralized Internet connection
• Optional Features
  Security (FW/NAT)

Target Customer Types: All (multiple or single site offices)

[Figure: CCM, GW and ITS sites connected over the SP IP transport to the Internet.]

Remote Network Management

Service Provider Offering:
• Features
  Fault
  Configuration
  Accounting
  Performance

Target Customer Types: All (multiple site offices)

[Figure: CCM, GW and ITS sites connected over the SP IP transport to the NMS (performance, fault and provisioning servers) and to the BILL, CARE and AAA servers.]

Architectural Components

• Operations and Management
• Application and Services (business, transit)
• IP Transport (security, QoS)
• Access (T1/E1 leased line, DSL, dialup)
• End Customer Deployments (enterprise, small/medium business)

[Figure: the layered architecture. Operations and Management: performance, fault and provisioning servers, BILL, AAA, CARE, NMS. Application and Services: Access GKs, VPN GKs, DGKs, PSTN GK, BTS/PGW softswitch, SS7 PSTN and Long Distance Partner. IP Transport: MPLS or clear IP. End customer CPE: IP phones with a CallManager cluster and Unity VM/UM, ITS, or VoIP GW with legacy PBX.]

Service Layer 1: Customer Endpoint Deployments

Customer Deployment: Service Layer 1

• Service Layer 1 describes the CPE requirements for interfacing into the SP's network for:
  Voice application: dial plan, QoS requirements
  Data application: Internet access, site-to-site data routing, QoS requirements

• 4 types of deployments:
  1. CallManager (at business)
  2. CallManager with SRST (at service provider)
  3. Cisco IOS Gateway with PBX
  4. Cisco IOS Telephony Service on IOS Gateway

SAS Section 2.2.1

Customer Deployments, Functional Area: Cisco CallManager

• Cisco CallManager offers medium to large enterprise customers an IP PBX solution (250 users and above)
• CallManager may reside on premise (distributed) or remain hosted in the Service Provider network (centralized)
• SCCP (Skinny) protocol for client signaling and control
• H.323 for RAS and trunk side signaling and control
• MGCP support for gateway signaling and control
• Can perform digit manipulation at endpoint

[Figure: CPE with CallManager cluster and Unity VM/UM.]

Customer Deployment: CCM at the Customer Premise

• CallManager clusters are deployed at the customer premise
• Customer may choose to manage the devices, or outsource remote management to the service provider
• Multi-site businesses can use a centralized deployment (i.e. branch IP phones register to the corporate CallManager cluster)

[Figure: Cust A Site 1 and Site 2 (CallManager clusters) and Cust B Site 1 connect over SP transport to the Service Provider's Access GK and Enterprise VPN GK.]

Customer Deployment: CCM at the Service Provider

• A single CCM cluster is allotted for each customer
• Hosting in the Service Provider NOC eliminates CCM NMS access issues: the NMS has no awareness of MPLS labels, so it cannot distinguish on-premise clusters whose private addresses overlap with those of other customers
• Requires a backup mechanism in the event that the WAN transport link goes down

[Figure: CallManager cluster hosted in the SP (voice application) with Access GK and Enterprise VPN GK; remote IP phones with CPE/SRST at each customer site over SP transport; one WAN link shown failed (X).]

Customer Deployments, Functional Area: Remote IP Phones (SRST)

• Capability in branch office routers for IP Telephony redundancy
• Provides backup call control to the remote site in the event that CallManager connectivity is lost (i.e. WAN failure)
• Designed for centralized CallManager deployment
• CE router can support SRST functionality on the same platform
• Supports 24 to 480 users, depending on platform performance and feature license
• Can perform digit manipulation at endpoint

[Figure: CPE w/SRST with IP phones; Survivable Remote Site Telephony (SRST).]

Customer Deployment: Survivable Remote Site Telephony Backup

1. IP phones exchange keepalive messages and call processing messages with the centrally located Cisco CallManager (CCM)
2. WAN link fails: IP phones lose contact with CCM
3. IP phones register with the local router as router of last resort
4. Router queries phones for configuration and auto-configures itself
5. Router provides call processing for the duration of the failure via the PSTN
6. Upon restoration of the WAN, IP phones revert back to CCM

[Figure: CallManager cluster, Access GK and Enterprise VPN GK at the SP; after the SP transport link fails (X), remote IP phones re-register with the Cisco router with SRST, which reaches the PSTN directly.]

Introducing the ITS

Customer Deployments, Functional Area: IOS Telephony Service (ITS)

• Software feature added to Cisco IOS CPE to provide call processing for IP phones using SCCP
• Performs local IP Telephony call control
• Offers IP Telephony for small offices (up to 48 users)
• End customer uses VoIP for internal, site-to-site, and PSTN off-net calling
• Supports trunk side H.323, SIP and MGCP
• Can perform digit manipulation at endpoint

[Figure: ITS CPE with IP phones.]

IOS Telephony Service (ITS) Architecture

• ITS sees IP phones as emulated FXS phones or "e-FXS ports"
• To the GK, ITS appears as an analog GW
• Like analog GWs, ITS will register its individual dial peer destination patterns (E.164)
• The GK should not use these E.164 addresses for routing: turn off E.164 address registration, so the GK routes only on the prefixes provisioned for the site
• The loopback address is bound to RTP and signaling using the "bind" command

[Figure: SCCP phones appear as e-FXS ports 50/1/1 and 50/1/2 on the ITS VoIP stack, which signals from the loopback interface.]

GW w/PBX

Customer Deployments, Functional Area: IOS Gateway with PBX

• Cisco IOS GW CPE front-ends a traditional PBX
• Enables migration of an existing TDM PBX customer to IP data/voice convergence with minimal investment
• Branch offices use VoIP for PBX tie-line and PSTN off-net calling
• Customers may upgrade to IP Telephony (IP PBX) when ready

SAS Section 2.2.2.4

[Figure: VoIP GW CPE in front of the PBX.]

Service Layer 2: Access

Access Layer: Service Layer 2

• Types of access methods:
  T1/E1
  DSL
  IPSEC VPN
  Any

Service Layer 3: IP Transport

IP Transport: Service Layer 3

• Transport methods:
  MPLS: MPLS VPNs provide per-customer traffic separation and QoS with a shared/managed services model
  IP "in the clear": basic IP connectivity, with security provided by a Cisco IOS or PIX Firewall at the customer edge

IP Transport, Functional Area: MPLS

• Provides the same level of address and traffic separation as a Layer 2 (Frame Relay/ATM) architecture; as with Layer 2 VPNs, MPLS VPNs do not encrypt traffic, so confidentiality in the core rests on the provider
• Allows for overlapping IP address spaces
• Creates a private and shared VPN architecture

[Figure: Cisco MPLS VPN Network with P and PE routers. Customer CPE (CallManager cluster with Unity VM/UM, CPE w/SRST with IP phones, VoIP GW with PBX) attach to PEs in Private VPN "A" and Private VPN "B"; the SP voice application (CallManager cluster, Access GK, Enterprise VPN GK) sits in VPN "Shared".]

MPLS/VPN: Supporting Shared Services

[Figure: Service Provider Cisco MPLS VPN Network. Shared services for all VPNs (Internet gateway to the Internet, VoIP gateway to the PSTN, video conference, gatekeeper) are reachable from both VPN "A" and VPN "B" sites.]

IP Transport, Functional Area: IP "In the Clear"

• Connections may be dedicated access links directly into the service provider or over the Internet
• Typical method of interconnection for a single-site small business

[Figure: the SP voice application (CallManager cluster, Unity VM/UM, Access GK, Enterprise VPN GK) in VPN "Shared" behind a router on the SP IP network; Customers "A", "B", "C" and "D" (CPE w/SRST with IP phones, or VoIP GW with PBX) connect over the IP network, some of them over the Internet.]

Customer sites connect over a standard IP network directly to the SP; they send voice traffic to the SP just as they would send external traffic to the Internet.

Firewalls are needed to protect against access by unwanted parties (e.g. non-SP shared resources or internal sites): unlike MPLS, nothing in the transport itself separates one customer's traffic from another's or from the Internet.

MPLS based IP Transport: Private VPN per Customer

[Figure: Cisco MPLS VPN Network with PE1 to PE4 and a P router. Customer A sites (CallManager cluster with Unity VM/UM behind a CE; CE w/SRST with IP phones) are in Private VPN "A", RD 800:10; Customer B sites (CallManager cluster with Unity VM/UM; GW w/ PBX) are in Private VPN "B", RD 500:10.]

Customers can retain private IP addresses that may overlap with other subscribers.

PE1 assigns VPN RD = 800:10 to customer A and imports and exports these routes to the other PEs via MP-BGP; PE3 does the same for customer B with RD = 500:10.

The Route Distinguisher (RD), e.g. 800:10, is prepended to each IPv4 route so that the resulting VPNv4 route (RD:a.b.c.d, e.g. 800:10:192.1.1.0) stays unique even when the prefix overlaps another customer's. The RD only makes routes distinguishable; which VRFs install a route is decided by the route-target communities it carries.

Private VPNs with MPLS Configuration

  hostname PE1
  !
  ip vrf customerA
   rd 800:10
   route-target import 800:10
   route-target export 800:10

  hostname PE3
  !
  ip vrf customerB
   rd 500:10
   route-target import 500:10
   route-target export 500:10

[Figure: Private VPN "A" (RD 800:10) on PE1 and Private VPN "B" (RD 500:10) on PE3 across the MPLS VPN; each customer's CallManager cluster with Unity VM/UM attaches through a CE.]

MPLS based IP Transport: Private and Shared VPN VRFs

[Figure: Cisco MPLS VPN Network. Customer A sites (Private VPN 800:10, Shared VPN 10000:101) and Customer B sites (Private VPN 500:10, Shared VPN 10000:102) attach to their PEs; the SP voice application (CallManager cluster, Access GK, Enterprise VPN GK) attaches to its PE in the Shared VPN 10000:100.]

Customer A PE: export the local addresses that the shared VPN must reach with the customer's shared route target, and the private addresses with the private route target; import the shared voice application host addresses and the private addresses.

Voice application PE: export the shared voice application host addresses; import all customers' shared addresses.

Customer B PE: export only the addresses the shared VPN must reach with its shared route target, and the private addresses privately; import the shared voice application host addresses and the private addresses.

Private and Shared VPN VRF Configuration

  hostname PE5
  !
  ip vrf VOICE
   rd 10000:100
   export map SHARED-DEV
   route-target import 10000:100
   route-target export 10000:100
   route-target import 10000:101
   route-target import 10000:102
  !
  route-map SHARED-DEV
   match ip address 10
   set extcommunity rt 10000:100
  !
  access-list 10 permit 22.22.22.15 0.0.0.0
  access-list 10 permit 22.22.22.50 0.0.0.0
  access-list 10 permit 22.22.22.51 0.0.0.0
  access-list 10 permit …. (etc)

  hostname PE1
  !
  ip vrf PRIVATE
   rd 800:10
   route-target import 800:10
   route-target export 800:10
   route-target import 10000:100
   export map CPE-LOOP
  !
  route-map CPE-LOOP
   match ip address 10
   set extcommunity rt 10000:101 additive
  !
  access-list 10 permit 171.68.1.1 0.0.0.0
  access-list 10 permit …. (etc)

The "additive" keyword on PE1 matters: without it, the export map would replace the 800:10 route target on the CPE loopback with 10000:101 and the loopback would disappear from customer A's own VPN. Only the host routes matched by access-list 10 receive the shared route target, so the customer's internal prefixes are never exported toward the voice application VRF.

[Figure: PE1 (Private VPN 800:10, Shared VPN 10000:101), PE3 and PE5 (Shared VPN 10000:100) with the SP voice application (Access GK, Enterprise VPN GK, CallManager cluster) across the Cisco MPLS VPN Network.]
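The import/export policy on the two configuration slides above can be checked on paper with a small model. The following Python is an added example, not Cisco configuration or code from the session: it models the three VRFs with the RDs, route targets and export maps from the slides and computes which VPNv4 routes each VRF would install. The model is deliberately simplified (a route carries the VRF's route-target export communities plus whatever the export map sets for a matching prefix, i.e. the "additive" behaviour). Customer B's CPE loopback 171.68.2.1 and the overlapping 192.1.1.0/24 prefix in both customer VRFs are assumed values that do not appear on the slides.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """A VRF as seen by MP-BGP: RD, route-target policy and the prefixes it originates."""
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_prefixes: list
    # Simplified "export map ... additive": prefix -> extra route target added on export.
    export_map: dict = field(default_factory=dict)


def vpnv4_routes(vrf):
    """Routes this VRF advertises: 'RD:prefix' -> set of route-target communities."""
    routes = {}
    for prefix in vrf.local_prefixes:
        rts = set(vrf.export_rts)
        if prefix in vrf.export_map:
            rts.add(vrf.export_map[prefix])
        routes[f"{vrf.rd}:{prefix}"] = rts  # the RD keeps overlapping prefixes distinct
    return routes


def imported_routes(vrf, vpnv4):
    """A VRF installs a VPNv4 route iff the route carries one of the VRF's import RTs."""
    return sorted(key for key, rts in vpnv4.items() if rts & vrf.import_rts)


def page_vrfs():
    """The three VRFs from the configuration slides (PE1 customer A, PE3 customer B, PE5 VOICE)."""
    shared = "10000:100"
    return [
        Vrf("customerA", "800:10", frozenset({"800:10", shared}), frozenset({"800:10"}),
            ["192.1.1.0/24", "171.68.1.1/32"],           # 192.1.1.0/24 assumed; loopback from slide
            export_map={"171.68.1.1/32": "10000:101"}),   # route-map CPE-LOOP, additive
        Vrf("customerB", "500:10", frozenset({"500:10", shared}), frozenset({"500:10"}),
            ["192.1.1.0/24", "171.68.2.1/32"],           # both assumed; same 192.1.1.0/24 as A
            export_map={"171.68.2.1/32": "10000:102"}),
        Vrf("VOICE", shared, frozenset({shared, "10000:101", "10000:102"}), frozenset({shared}),
            ["22.22.22.15/32", "22.22.22.50/32", "22.22.22.51/32"]),  # access-list 10 hosts
    ]


def compute_imports(vrfs):
    """Return (global VPNv4 table, {vrf name: sorted list of routes it imports})."""
    vpnv4 = {}
    for vrf in vrfs:
        vpnv4.update(vpnv4_routes(vrf))
    return vpnv4, {vrf.name: imported_routes(vrf, vpnv4) for vrf in vrfs}


if __name__ == "__main__":
    table, imports = compute_imports(page_vrfs())
    for name, routes in imports.items():
        print(name, routes)
```

Running it shows the intended leakage and nothing more: VOICE installs both CPE loopbacks but neither customer's 192.1.1.0/24, each customer installs the three voice hosts plus its own prefixes and nothing of the other customer, and the VPNv4 table holds 800:10:192.1.1.0/24 and 500:10:192.1.1.0/24 side by side.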

Service Layer 4: Application and Services

Architectural Components (overview slide repeated)

Multiservice Application

• Types of applications/functional areas:
  Voice: utilizes the Voice VPN Route Server
  Data: managed Internet access may be provided as a shared service

Multiservice Applications, Functional Area: Voice Application

• Enables the voice service offering
• Performs inter-site routing and PSTN connectivity
• Shares resources amongst enterprise subscribers
• Utilizes the Cisco VIA/Global Long Distance network solution architecture for the PSTN terminating network

SAS Section 2.2.2.9

[Figure: Centralized PSTN offering. Customer IP phones register with Access GKs (AGK); the Voice VPN GK hands PSTN calls to a PSTN DGK, which reaches PSTN GKs fronting non-SS7 GWs, an SS7 GW with SS7 softswitch, and the DGKs of the Long Distance Partner.]

Voice VPN GK and Access GK

• Voice VPN GK
  Performs all off-premise enterprise call routing (e.g. site-to-site, PSTN)
  Voice VPN (private dial plan)
  Intelligent call routing (least cost, time of day)
  Collects usage information for billing

• Access GK (optional)
  Performs final endpoint selection in the routing process
  Increases scaling: offloads endpoint registration and maintenance from the Voice VPN GK; direct signaling facilitates high call volumes
  Increases availability: Resource Availability Indicator (RAI), call admission control
  Increases reliability: dynamic alternate GK failover, static alternate GK failover, sequential-LRQ failover

[Figure: Voice VPN GK above two Access GKs (AGK).]

PSTN GK/DGK Hierarchical Design

• PSTN Directory Gatekeeper
  Performs the call routing search at the highest level (example: country code distributions)
  Forwards the LRQ to a partner DGK if the call does not terminate in the local SP DGK
• PSTN Gatekeeper
  Performs the call routing search at the intermediate level (example: NPA-NXX)
  Provides GW resource management (registrations, RAI, gw-priority, ...)
• PSTN Gateway
  Acts as the interface between PSTN and IP
  Normalizes numbers from the PSTN before entering IP, and numbers from IP before entering the PSTN
  Sends RAI to the GK for increased availability

[Figure: the West Region DGK routes the LRQ for 408 to its GK and the East Region DGK routes 212; the GKs resolve ARQs for 408555, 408666 and 212555 to their gateways.]
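The two-level search above (DGK by area or country code, GK by NPA-NXX, partner DGK when nothing matches locally) and the RAI handling are easy to get wrong in a real dial plan, so here is the logic as a runnable model. This Python is an added example, not Cisco gatekeeper code: it implements longest-prefix lookup at each level, forwards an unmatched LRQ to the partner DGK once (a visited set stops West and East bouncing the request back and forth), and skips a gateway that has reported itself unavailable via RAI. The 408/212 prefixes and the East/West regions follow the slide; the gateway names, the second 408555 gateway and the "1" country code in front of the NPA are assumed.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    """PSTN gateway; 'available' mirrors the last RAI it sent to its gatekeeper."""
    name: str
    available: bool = True

    def rai(self, available):
        self.available = available


def longest_match(table, digits):
    """Longest-prefix match over a dict keyed by digit-string prefixes, or None."""
    hits = [p for p in table if digits.startswith(p)]
    return max(hits, key=len) if hits else None


class PstnGk:
    """Intermediate level: NPA-NXX prefix -> gateways in priority order, honouring RAI."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = routes            # prefix -> [Gateway, ...]

    def resolve(self, number, path):
        path.append(self.name)
        prefix = longest_match(self.routes, number)
        if prefix is None:
            return None                 # no prefix in this zone: reject (LRJ)
        for gw in self.routes[prefix]:
            if gw.available:
                return gw.name
        return None                     # every gateway signalled RAI unavailable


class DirectoryGk:
    """Highest level: country/area code -> PSTN GK; otherwise forward the LRQ to a partner DGK."""

    def __init__(self, name, routes, partner=None):
        self.name = name
        self.routes = routes            # prefix -> PstnGk
        self.partner = partner

    def resolve(self, number, path, visited=None):
        visited = visited or set()
        visited.add(self.name)
        path.append(self.name)
        prefix = longest_match(self.routes, number)
        if prefix is not None:
            return self.routes[prefix].resolve(number, path)
        if self.partner is not None and self.partner.name not in visited:
            return self.partner.resolve(number, path, visited)   # sequential LRQ to the partner
        return None


def build_demo():
    """West/East DGKs from the slide; gateway names and the second 408555 GW are assumed."""
    gws = {n: Gateway(n) for n in ("gw-408555-a", "gw-408555-b", "gw-408666", "gw-212555")}
    gk_west = PstnGk("GK-West", {"1408555": [gws["gw-408555-a"], gws["gw-408555-b"]],
                                 "1408666": [gws["gw-408666"]]})
    gk_east = PstnGk("GK-East", {"1212555": [gws["gw-212555"]]})
    dgk_west = DirectoryGk("DGK-West", {"1408": gk_west})
    dgk_east = DirectoryGk("DGK-East", {"1212": gk_east})
    dgk_west.partner, dgk_east.partner = dgk_east, dgk_west
    return dgk_west, gws


def route(dgk, e164):
    """Resolve a normalised E.164 number; returns (gateway name or None, list of GK hops)."""
    path = []
    return dgk.resolve(e164, path), path


if __name__ == "__main__":
    dgk, gws = build_demo()
    print(route(dgk, "14085551234"))        # local region
    gws["gw-408555-a"].rai(False)           # gateway runs out of trunks
    print(route(dgk, "14085551234"))        # falls over to the second gateway
    print(route(dgk, "12125550100"))        # forwarded to the partner DGK
    print(route(dgk, "14155551212"))        # no region owns 415: rejected after one partner hop
```

The hop list is the useful output when debugging a design: a call that terminates in the wrong region or is rejected shows exactly which gatekeeper gave up, and toggling a gateway's RAI state shows whether the GK really has a second path for that NPA-NXX.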

Primary Functions Required to Enable Voice Services

• Call routing
  Support all calling patterns
  Support all numbering plans
  Accommodate scaling
  Provide fault tolerance
  Enable high availability
  Enforce call admission (BW) policies
• Call security
  Endpoint integrity
  Call integrity
• Billing
  Flat rate
  Duration/destination sensitive
• Network management
  Provisioning
  Fault
  Performance

[Figure: Operations (billing, NMS, AAA security, TFTP) and Voice Application Resources (Voice VPN GK, Access GK, PSTN DGK and partner DGKs) fronting the PSTN via SS7, non-SS7 and the VIA partner.]

4 Basic Call Routing Design Factors

• Accommodate multiple endpoint options: Cisco CallManager, Cisco IOS GWs, IOS Telephony Service (ITS) routers
• Support end user dialing habits: each enterprise has its own customs; each local region has its own customs
• Co-exist with shared resources: support overlapping dial plans between enterprises; uniquely identify enterprises
• Use standards-based interconnection mechanisms: increases solution interoperability; uses H.323 today

Sample User Dialing Habits

• On-net user habits: straight extension dialing (e.g. 2xxxx), or the user supplies an indication digit (e.g. 8 + extension)
• Off-net user habits: the user supplies an indication digit (e.g. 9 + E.164)
• Forced on-net user habits (intra-enterprise): the user dials as if off-net (e.g. 9 + E.164) but the call stays on IP; assumes IP data connectivity is possible between sites
• PSTN-to-Enterprise access: the VoIP SP owns the DIDs (off-net to on-net), or the LEC owns the DIDs (straight into the enterprise, not much to do)
• CLID presentation: the user sees the CLID as the number to dial if the call were to be returned (e.g. abbreviated extension for on-net or full E.164 for off-net)

These are assumptions to guide our examples; we can flexibly accommodate derivatives as customers define them.

Endpoint Call Routing Responsibilities

• Endpoints perform "number normalization":
  Flexibly support varying end user habits
  Present consistent call routing information to the routing engine independent of endpoint type (e.g. CM, GW, ITS)
  Provide unique customer identification to support overlapping dialing plans
  Ensure a meaningful CLID display (removal of inserted customer IDs)
• Customer ID = VPN ID + Site ID
  Example: 99 + 1 = 991, 99 + 2 = 992

[Figure: GW w/ PBX endpoints apply user-specific habits and number normalization, then signal via H.323 to the Voice VPN GK and Access GK, which route on normalized numbers toward the PSTN DGK and partner DGKs (SS7, non-SS7, Long Distance Partner).]

Endpoint Number Normalization

[Figure: three GW w/ PBX endpoints with CustID 991, 992 and 881, each sending DNIS: X or Y calledNumber, ANI: (CustID) + full E.164 into the network.]

• Remove any access digits from the user dialed number
  International access prefixes
  On-net/off-net access codes
  calledNumber is full E.164 for off-net
  calledNumber is abbreviated extension for on-net (optional)
• Insert customer identifiers before sending to the network
  Add CustID (assigned by the SP) to callingNumber in ANI
  callingNumber is full E.164 for off-net
  callingNumber is abbreviated extension for on-net (optional)
• Remove customer identifiers received from the network
  The Enterprise VPN GK will modify DNIS to contain CustID + calledNumber

User habits per site:
  Ent A, NY: X = off-net, Y = on-net, 011 = international, NULL (no access code)
  Ent A, Paris: S = off-net, T = on-net, 00 = international, NULL (no access code)
  Ent B, NY: Q = off-net, R = on-net, 011 = international, NULL (no access code)

464646© 2003, Cisco Systems, Inc. All rights reserved.VVT-20217990_05_2003_c1

Enterprise VPN GK Routing on Normalized Numbers

• Determine source

GK uses customer ids in ANI to select separate routing tables for each enterprise

Routing tables may contain private or abbreviated numbering plans

Allows overlapping dial plans

• Determine destinationGK modifies outgoing signaling to contain destination customer IDS in DNIS

GK sends pure E.164 for off-net PSTN calls

Voice VPN GK

PSTN DGK

DGK

Customer EndpointsCustomer Endpoints

CustID: 881CustID: 991

DNIS: E.164ANI: E.164

DN

IS:

X o

r Y

ca

lled

Nu

mb

er

AN

I: (

Cu

stID

)+fu

ll-e

.164

DN

IS: (C

ustID

) + called#

AN

I: full e.1648

464646© 2003, Cisco Systems, Inc. All rights reserved.VVT-20217990_05_2003_c1

If CustID = 88x Use Enterprise BRoute Table

If CustID = 99x Use Enterprise ARoute Table

Routing Logic Example

Given:
• Offer a managed services offering to enterprises: business phone, site-to-site, centralized PSTN
• 2 enterprises (2 branch offices each)
• 5-digit intra-enterprise dialing
• Full E.164 address for on-net to off-net dialing
• Full E.164 address for off-net to on-net dialing, full caller ID awareness

Network design:
• Number normalization at the endpoints (on-net to on-net)
  Insert the VPN and site ID into the calling number
  Strip the destination VPN and site ID on incoming calls
• Use the VPN GK to:
  Match and strip the incoming VPN and site ID
  Attach the destination VPN and site ID

Topology

Figure: EntA Site 1 (PBX, x61000) and EntA Site 2 (CCM, x21000); EntB Site 1 (CCM) and EntB Site 2 (ITS); access gatekeepers AGK1 (EntA Site 1, EntB Site 1) and AGK2 (EntA Site 2, EntB Site 2); the VPN GateKeeper; a GLD partner GK; the PSTN DGK; the PSTN GK / PSTN access GK; the PSTN.

On-Net Call Flow (x61000 at EntA Site 1 calls x21000 at EntA Site 2)

Figure: EntA Site 1 (PBX, x61000) and EntB Site 1 (CCM) behind AGK1; EntA Site 2 (CCM, x21000) and EntB Site 2 (ITS) behind AGK2; the VPN GateKeeper; the PSTN GK / PSTN access GK and the PSTN.

VPN GK sample route table:
  VPNID 88:                 ext 6....  ID 881  GK AGK1;   ext 2....  ID 882  GK AGK2
  VPNID 99 (source match):  ext 6....  ID 991  GK AGK1;   ext 2....  ID 992  GK AGK2 (dest match)
  The VPN GK strips the source ID from the calling number and inserts the destination ID into the called number.
AGK1 sample route table: 991 EntA1; 881 EntB1; ARQ hopoff zone <remote zone>
AGK2 sample route table: 992 EntA2; 882 EntB2; ARQ hopoff zone <remote zone>
  An AGK only needs the local enterprise VPN/site IDs configured.

1. The user at x61000 dials the on-net access code 8 + 21000.
2. EntA1 inserts its source VPN and site ID into the calling party number (full E.164) and sends d: 8+21000, s: 99114085261000 to AGK1.
3. AGK1 forwards the request to the VPN GK: d: 8+21000, s: 99114085261000.
4. The VPN GK matches source VPNID 99, finds 2.... in that enterprise's table (992, AGK2) and rewrites the numbers: d: 99221000, s: 14085261000, toward AGK2.
5. AGK2 returns IP: EntA2.
6. The VPN GK returns IP: VPN GK to AGK1.
7. AGK1 confirms to EntA1: d: 8+21000, s: 99114085261000, IP: VPN GK.
8. EntA1 sends setup to the VPN GK: d: 8+21000, s: 99114085261000.
9. The VPN GK sends setup to EntA2: d: 99221000, s: 14085261000.
10. EntA2 strips the destination site ID (992) from the called party number, as it does for all calls: d: 21000, s: 61000.
Steps 11 and 12 are labelled in the figure without message detail.

Off-Net Call Flow (x61000 at EntA Site 1 calls 12135551212 on the PSTN)

Figure: EntA Site 1 (PBX, x61000) behind AGK1; the VPN GK in the shared, QoS-enabled voice application; the PSTN DGK with a PSTN GK / PSTN access GK and a GLD partner GK; PSTN gateways.

VPN GK sample route table, Ent ID 99 (source match):
  6....      991  AGK1
  2....      992  AGK2
  *          "offnet"  (dest match)
"Offnet" table:
  1408526....  991  AGK1
  1919392....  992  AGK2
  1408446....  881  AGK1
  1212392....  882  AGK2
  *            DGK (off-net)
AGK1 sample route table: 991 EntA1; 881 EntB1; ARQ hopoff zone <remote zone>
DGK sample route table: 1213 PSTN GK; 1213 Partner; LRQ sequential

1. The user at x61000 dials the off-net access code 9 + 12135551212.
2. EntA1 inserts its source VPN and site ID into the calling party number (full E.164) and sends d: 9+12135551212, s: 99114085261000 to AGK1.
3. AGK1 forwards the request to the VPN GK.
4. The VPN GK matches source Ent ID 99, matches the destination as off-net, strips the source ID and sends pure E.164 to the DGK: d: 12135551212, s: 14085261000.
5a/6a, 5b/6b. The DGK sends LRQs sequentially to its two 1213 entries, the PSTN GK first and then the partner GK.
7. IP: PSTN GW is returned toward the VPN GK.
8. The VPN GK returns IP: VPN GK to AGK1.
9. AGK1 confirms to EntA1: d: 9+12135551212, s: 99114085261000, IP: VPN GK.
10. EntA1 sends setup to the VPN GK: d: 9+12135551212, s: 99114085261000.
11. The VPN GK sends setup to the PSTN GW: d: 12135551212, s: 14085261000.
Step 12 is labelled in the figure without message detail.

Incoming PSTN Call Flow (14085551212 on the PSTN calls 14085261000 at EntA Site 1)

Figure: the PSTN with a PSTN GK and PSTN gateway, the DGK (directory GK) and the service provider GK, QoS-enabled, in front of AGK1 and EntA Site 1 (PBX, x61000).

1a. The VoIP SP owns the enterprise DIDs: the call enters through the SP's PSTN gateway carrying the original number, 14085261000.
1b. Alternatively the LEC owns the DIDs: calls enter through the local gateway (also used for backup outbound calls) or directly into the PBX, again carrying the original number, 14085261000.
2. PSTN GW to PSTN GK: d: 14085261000, s: 14085551212.
   PSTN GK sample route table: 1408526 DGK; 1408 PSTN GW; * DGK. Notice that the PSTN GKs need the enterprise DIDs configured to avoid loops.
3, 4. The PSTN GK queries the DGK, which resolves the enterprise DID to the VPN GateKeeper.
   DGK sample route table: 1408526 VPN GateKeeper; 1408 PSTN GK. The DGK route table needs specific entries for the enterprise DIDs.
5. The VPN GateKeeper adds the VPN/site ID to the incoming called number and does not modify the full E.164: d: 99114085261000, s: 14085551212, to AGK1.
   VPN GK sample route table: 1408526.... 991 AGK1; 1408392.... 992 AGK2; 1408446.... 881 AGK1; 1212392.... 882 AGK2.
   AGK1 routes on the VPN/site ID carried as part of the destination number: 991 EntA1; 881 EntB1; ARQ hopoff zone <remote zone>.
6. AGK1 returns IP: EntA1.
7. The PSTN GW is told d: 14085261000, s: 14085551212, IP: VPN GK.
8-10. Setup is carried toward the VPN GK with d: 14085261000, s: 14085551212.
11. The VPN GK forwards setup with d: 99114085261000, s: 14085551212.
12-13. EntA1 strips the ID and delivers d: 14085261000, s: 14085551212; the PBX accepts both abbreviated and full E.164 numbers to reach the end station.
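The normalization on the endpoint-number slide and the per-enterprise table selection, ID stripping and insertion, and incoming DID lookup from the three call flows above, as one runnable model. This is an added example, not code from the presentation or from Cisco: the site IDs, extension ranges, DID blocks and the 8/9 on-net/off-net markers are taken from the figures, while the Paris-style dialing habit given to site 882 and the DID-block check on the ANI (refusing a CustID whose E.164 part is not in that site's assigned block) are assumptions added here.

```python
"""Endpoint number normalization and Enterprise VPN GK routing from the slides.
Added example, not Cisco code.  Site IDs, extension ranges and DID blocks follow
the call-flow figures; the 8/9 network markers, the dialing habits given to site
882 and the DID-block check on the ANI are assumptions."""
from dataclasses import dataclass

NET_ONNET, NET_OFFNET = "8", "9"  # network-side markers (the slides' 8+/9+ prefixes)
ID_LEN = 3                        # VPN ID (2 digits) + site ID (1 digit), e.g. "991"


@dataclass(frozen=True)
class Site:
    cust_id: str     # VPN ID + site ID carried in ANI/DNIS
    did_block: str   # leading E.164 digits of the site's DID range
    ext_prefix: str  # leading digit of the site's abbreviated extensions
    ext_len: int
    agk: str         # access gatekeeper serving the site


SITES = {  # from the on-net, off-net and incoming-PSTN call-flow slides
    "991": Site("991", "1408526", "6", 5, "AGK1"),  # EntA site 1, x6....
    "992": Site("992", "1408392", "2", 5, "AGK2"),  # EntA site 2, x2....
    "881": Site("881", "1408446", "6", 5, "AGK1"),  # EntB site 1, x6.... (overlaps EntA)
    "882": Site("882", "1212392", "2", 5, "AGK2"),  # EntB site 2, x2.... (overlaps EntA)
}
# Per-site user habits: (off-net code, on-net code, international prefix).  The
# NANP sites use 9/8/011; 882 gets an ASSUMED Paris-style plan (0/7/00) to show
# that the CPE, not the network, absorbs site-specific dialing codes.
HABITS = {"991": ("9", "8", "011"), "992": ("9", "8", "011"),
          "881": ("9", "8", "011"), "882": ("0", "7", "00")}


def endpoint_normalize(site_id, calling_ext, dialed):
    """CPE gateway, outbound: strip the site's access digits, tag the call with
    the network on-net/off-net marker, prefix CustID + full E.164 in the ANI."""
    site, (offnet, onnet, intl) = SITES[site_id], HABITS[site_id]
    if len(calling_ext) != site.ext_len or not calling_ext.startswith(site.ext_prefix):
        raise ValueError("calling extension is not in this site's plan")
    calling_e164 = site.did_block + calling_ext[len(site.ext_prefix):]
    if dialed.startswith(onnet):
        dnis = NET_ONNET + dialed[len(onnet):]
    elif dialed.startswith(offnet):
        called = dialed[len(offnet):]
        if called.startswith(intl):
            called = called[len(intl):]  # international: the remainder is E.164
        if not called.isdigit():
            raise ValueError("off-net number must be E.164 digits")
        dnis = NET_OFFNET + called
    else:
        raise ValueError("no access code matched")
    return {"dnis": dnis, "ani": site.cust_id + calling_e164}


def vpn_gk_route(msg):
    """Enterprise VPN GK, outbound.  The CustID in the ANI selects that
    enterprise's own table (so 2.... may exist in both enterprises); on-net
    calls get the source ID stripped from the calling number and the
    destination ID inserted in the called number; off-net calls leave as pure
    E.164 toward the DGK."""
    ani, dnis = msg["ani"], msg["dnis"]
    src_id, calling_e164 = ani[:ID_LEN], ani[ID_LEN:]
    src = SITES.get(src_id)
    if src is None:
        raise LookupError("unknown source CustID " + src_id)
    if not calling_e164.startswith(src.did_block):
        # Added check: the CustID is inserted by the CPE, so refuse an ANI whose
        # E.164 part lies outside the DID block the SP assigned to that site.
        raise LookupError("calling number is not in the DID block of " + src_id)
    table = {s.ext_prefix: s for s in SITES.values() if s.cust_id[:2] == src_id[:2]}
    marker, called = dnis[:1], dnis[1:]
    if marker == NET_ONNET:
        dest = table.get(called[:1])
        if dest is None or len(called) != dest.ext_len:
            raise LookupError("no on-net route for " + called)
        return {"dnis": dest.cust_id + called, "ani": calling_e164, "next_hop": dest.agk}
    if marker == NET_OFFNET:
        return {"dnis": called, "ani": calling_e164, "next_hop": "DGK"}
    raise ValueError("unknown on-net/off-net marker")


def vpn_gk_route_incoming(called_e164, calling_e164):
    """Enterprise VPN GK, PSTN-originated: prefix the site's CustID to the called
    number and leave the E.164 digits alone; the AGK routes on the CustID."""
    for site in SITES.values():
        if called_e164.startswith(site.did_block):
            return {"dnis": site.cust_id + called_e164, "ani": calling_e164, "next_hop": site.agk}
    raise LookupError("no enterprise DID block matches " + called_e164)


def endpoint_terminate(msg):
    """CPE gateway, inbound: strip the destination CustID for every call and hand
    the PBX the extension or the full E.164 number."""
    dest_id, called = msg["dnis"][:ID_LEN], msg["dnis"][ID_LEN:]
    if dest_id not in SITES:
        raise LookupError("unknown destination CustID " + dest_id)
    return {"called": called, "calling": msg["ani"]}
```

Running the on-net flow from the slide, endpoint_normalize("991", "61000", "821000") yields DNIS 821000 with ANI 99114085261000, vpn_gk_route turns that into DNIS 99221000 and ANI 14085261000 toward AGK2, and endpoint_terminate hands the PBX 21000. The same dialed string from site 881 lands on 88221000 instead, which is the overlapping-dial-plan point of the GK slide. The DID-block check matters because the prefix that picks the routing table is written by the customer-side device: a CPE that is not owned and authenticated by the SP could otherwise claim any CustID.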

Scaling the Network

Designing the Voice Application: Increasing Scale with Access Gatekeepers

Figure: a cluster of AGKs joined by GUP, receiving LRQ/LCF from the voice VPN GK.

• Basic value of the AGK
  Offloads endpoint maintenance tasks from the voice VPN GK
  Allows the voice VPN GK to focus on call routing and billing

• GK clustering
  The cluster is viewed as a single GK entity by the voice VPN GK
  Load balances endpoints to support large numbers with high call rates
  Uses the Gateway Uptime Protocol (GUP)
  An external entity only needs to send an LRQ to one member of the cluster; the LRQ load is shared between the elements of the cluster
  A cluster may consist of up to 5 gatekeepers

Designing the Voice Application: Increasing Reliability with Access Gatekeepers

Figure: a GUP cluster of AGKs; a gateway registers with RRQ/RCF and fails over to an alternate GK.

• Cisco IOS gateways register to a primary AGK
  A static primary AGK registration statement is configured on the GW
  Lightweight RRQs are sent from the GW to the GK as a keepalive

• A static alternate GK can be added
  A secondary registration statement is configured with lower priority
  If the GK fails to send the RCF keepalive back to the GW, the GW registers to the alternate GK
  The alternate GK is geographically independent

• Dynamic alternate GK lists
  Clustered GKs pass back a list of AltGKs (members of the cluster) to the GWs
  GWs give dynamically learned Alt GKs priority over statically configured ones

Designing the Voice Application: Increasing Availability/Voice Quality Using Call Admission Control

• Cisco AGKs perform call admission control based on bandwidth
  The maximum bandwidth is requested in the call admission request (ARQ)
  The GW updates the bandwidth with a BRQ once the codec is selected
  The GK tracks bandwidth and can accept or deny based on configured thresholds

• Calls coming into the enterprise can be blocked (and potentially rerouted to another destination) if bandwidth is unavailable

• Calls placed by the enterprise can be blocked or locally rerouted to the PSTN if bandwidth is unavailable

Figure: the AGK and voice VPN GK between the enterprise and the PSTN. On each ARQ/BRQ the AGK asks "Is the incoming call request going to exceed the user's threshold?"; it answers with an ARJ (the GW can then use the rotary peer for PSTN fallback) or an LRJ (the VPN GK can re-originate another LRQ). See SAS section 4.6.2.
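The ARQ/BRQ bookkeeping behind the slide, as an added example rather than Cisco's implementation: a zone object tracks reserved bandwidth, an ARQ that would push it past the threshold gets an ARJ and the gateway re-originates over the PSTN rotary peer, a BRQ lowers (or tries to raise) the reservation once the codec is known, and an incoming call can be rerouted to an alternate destination instead of failing. The threshold, the per-call kbps figures and the "ip" / "pstn" / "reroute" return values are assumptions made for the example.

```python
"""Bandwidth-based call admission at an access gatekeeper as the slide describes
it.  Added example, not Cisco code; the threshold, the per-call kbps figures and
the fallback policy are assumptions."""

# Assumed per-call figures (kbps), counted for both directions of the call.
G711_KBPS = 128
G729_KBPS = 16


class ZoneCac:
    """Admitted bandwidth for one zone (one customer site behind an AGK)."""

    def __init__(self, threshold_kbps):
        self.threshold = threshold_kbps
        self.calls = {}  # call id -> reserved kbps

    def in_use(self):
        return sum(self.calls.values())

    def arq(self, call_id, requested_kbps):
        """Admission request: ACF if the reservation fits, otherwise ARJ."""
        if call_id in self.calls:
            raise ValueError("duplicate call id " + call_id)
        if self.in_use() + requested_kbps > self.threshold:
            return ("ARJ", self.threshold - self.in_use())  # what is still free
        self.calls[call_id] = requested_kbps
        return ("ACF", requested_kbps)

    def brq(self, call_id, new_kbps):
        """Bandwidth request after codec negotiation: a decrease is always
        confirmed, an increase only if the zone still fits."""
        current = self.calls[call_id]
        if new_kbps > current and self.in_use() - current + new_kbps > self.threshold:
            return ("BRJ", current)
        self.calls[call_id] = new_kbps
        return ("BCF", new_kbps)

    def drq(self, call_id):
        """Disengage: release the reservation."""
        self.calls.pop(call_id, None)


def place_call(zone, call_id, requested_kbps, pstn_available=True):
    """Gateway side of an outbound call: the IP path if the AGK admits it,
    otherwise re-originate over the PSTN rotary peer; returns the path taken."""
    verdict, _ = zone.arq(call_id, requested_kbps)
    if verdict == "ACF":
        return "ip"
    return "pstn" if pstn_available else "blocked"


def incoming_call(zone, call_id, requested_kbps, alternate=None):
    """Terminating side: admit the call, or reroute it to the configured
    alternate destination (if any) instead of failing it."""
    verdict, _ = zone.arq(call_id, requested_kbps)
    if verdict == "ACF":
        return "accept"
    return "reroute:" + alternate if alternate else "reject"
```

With a 256 kbps zone, two G.711 calls fill it and the third goes to the PSTN; once the first call's BRQ settles on G.729 the zone has room again, but a later BRQ that tries to raise a call back to G.711 is refused because the reservation is checked against the zone total, not against the call's own earlier figure.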

Billing Considerations

• Accurate collection of usage information
  Ownership of the CPE determines the logical billing points
  Billing records must be collected at service-provider-owned devices

• Billing models for on-net vs. off-net calls
  On-net: flat rate, or usage-based by collecting usage information through the VPN GK (GKRCS)
  On-net: insert a border proxy device (IPIPGW, etc.)
  Off-net: usage-based by collecting usage information at the hop-off GW

• Integration with the billing server
  Centralized GKRCS vs. AAA from endpoints

Billing Records Generated from the VPN GK

Figure: EntA Site 1 (CCM) and EntA Site 2 (PBX) behind enterprise access GKs; the VPN GK, a directory GK, PSTN access GKs, PSTN GKs and DGKs, and a GLD partner GK; billing records flow from the VPN GK to the NMS/BILL system.

Billing Records Generated from Cisco GW/GKs (not recommended)

Figure: the same topology, with AAA billing taken off the PSTN gateways for off-net calls and off the gatekeepers for on-net calls. CallManager provides the call duration in the DRQ (CM 3.2).

Securing the Network

Security Overview

• H.323 security
  Endpoint registration (RRQ)
  Admission per call (ARQ)
  Interdomain/intradomain tokens (IZCT/CAT)

• NAT traversal

• Firewall

H.323 VoIP Security Overview

• IZCT (Inter-Zone Clear Token): the token used to validate calls from other networks; the IZCT token (+ CAT) travels in ARQ and LCF messages

• CAT (Cisco Access Token): the token passed between GKs in the LRQ message for GK hop-to-hop authentication

• Use IZCT and CAT to ensure access control and secured connectivity with minimum performance impact

• GWs and ITS support H.235 registration security; CallManager does not

GK to GK Security Using IZCT and CAT

Figure: a call between two service provider networks, each with its own GK and a VPN GK in between; RTP flows directly between the gateways once the call is set up.

1. ARQ (originating GW to its GK)
2. LRQ (IZCT + CAT) (originating GK to the VPN GK)
3. LRQ (IZCT + CAT) (VPN GK to the terminating GK)
4. LCF (IZCT) (terminating GK back to the VPN GK)
5. LCF (IZCT) (VPN GK back to the originating GK)
6. ACF (IZCT) (originating GK to its GW)
7. Setup (IZCT) (from the originating GW)
8. Setup (IZCT) (delivered to the terminating GW)
9. ARQ (IZCT) (terminating GW to its GK); the GK validates the IZCT token
10. ACF

Software Requirements for Security in Cisco Networks

• IZCT: 12.2(2)XA for 26/3600, 7200 and AS5300; 12.2(4)T except AS5300 and AS5850; 12.2(2)XB1 for AS5850

• CAT (LRQ authentication): Cisco IOS GK 12.2(11)T

• Non-IOS GWs must have the ability to copy the ClearTokens returned in the ACF into the Setup message

• CallManager does not support token passing today

• Non-IOS GKs must have the ability to copy the ClearTokens returned in the LCF into the ACF

• 12.2(15)T supports access lists to allow interconnection with non-token-enabled networks
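The ten-step exchange on the figure, with both gatekeepers' messages, as an added example that is not Cisco's implementation: the real IZCT and CAT are H.235 ClearTokens whose fields and hash algorithm the slides do not give, so the HMAC-SHA256 construction, the field layout, the 60-second validity window and the replay cache below are assumptions. What the model does show is the design split stated on the slides: the CAT is a hop-to-hop credential on the LRQ, computed with a password shared between neighbouring GKs, while the IZCT is minted by the terminating GK with a key only it holds, passed back through LCF, ACF and Setup unchanged, and checked again when the far-end gateway's ARQ arrives, which is why a non-token-enabled network (the access-list case in the last bullet) needs a separate policy decision.

```python
"""Model of the CAT (hop-to-hop LRQ credential) and IZCT (terminating-GK-issued
token validated on the far-end ARQ) exchange on the slide.  Added example, not
Cisco code: the HMAC-SHA256 construction, field layout, 60 s window and replay
cache are assumptions; Cisco's tokens are H.235 ClearTokens."""
import hashlib
import hmac
import json
import time

WINDOW = 60  # seconds of clock skew / transit tolerated (assumption)


def _mac(key, fields):
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Gatekeeper:
    def __init__(self, zone, izct_key, neighbor_keys):
        self.zone = zone
        self.izct_key = izct_key            # private to this GK; never leaves it
        self.neighbor_keys = neighbor_keys  # peer zone -> shared LRQ password (CAT)
        self.seen = set()                   # replay cache for LRQs and IZCTs

    # Originating side: steps 2/3 on the slide, LRQ (IZCT + CAT).
    def build_lrq(self, dst_zone, called, now=None):
        ts = int(now if now is not None else time.time())
        body = {"src": self.zone, "dst": dst_zone, "called": called, "ts": ts}
        return {"lrq": body, "cat": _mac(self.neighbor_keys[dst_zone], body)}

    # Terminating side: steps 4/5, answer the LRQ with an LCF carrying the IZCT.
    def handle_lrq(self, msg, now=None):
        now = int(now if now is not None else time.time())
        body = msg["lrq"]
        key = self.neighbor_keys.get(body["src"])
        if key is None or not hmac.compare_digest(msg.get("cat", ""), _mac(key, body)):
            return {"lrj": "securityDenial"}  # unknown neighbour or bad CAT
        if abs(now - body["ts"]) > WINDOW or (body["ts"], body["src"]) in self.seen:
            return {"lrj": "securityDenial"}  # stale or replayed LRQ
        self.seen.add((body["ts"], body["src"]))
        izct = {"src": body["src"], "dst": self.zone, "called": body["called"], "ts": now}
        izct["hash"] = _mac(self.izct_key, dict(izct))  # only this GK can mint or check it
        return {"lcf": {"izct": izct}}

    # Terminating side: steps 9/10, validate the IZCT the far gateway copied into Setup.
    def handle_arq(self, arq, now=None):
        now = int(now if now is not None else time.time())
        tok = arq.get("izct")
        if not tok:
            return "ARJ"  # no token: call came from a non-token-enabled network
        claimed = tok.get("hash", "")
        unsigned = {k: v for k, v in tok.items() if k != "hash"}
        if not hmac.compare_digest(claimed, _mac(self.izct_key, unsigned)):
            return "ARJ"  # forged, or altered in transit
        if tok["dst"] != self.zone or tok["called"] != arq["called"]:
            return "ARJ"  # issued for another zone or another called number
        if abs(now - tok["ts"]) > WINDOW or ("izct", claimed) in self.seen:
            return "ARJ"  # expired or reused
        self.seen.add(("izct", claimed))
        return "ACF"


def onnet_call(orig_gk, term_gk, called, now):
    """Steps 1-10 of the figure in one place; returns the terminating GK's verdict."""
    lrq = orig_gk.build_lrq(term_gk.zone, called, now)  # 2/3: LRQ (IZCT + CAT)
    lcf = term_gk.handle_lrq(lrq, now)                  # 4/5: LCF (IZCT)
    if "lrj" in lcf:
        return "ARJ"                                    # originating GK rejects its GW's ARQ
    acf = {"izct": lcf["lcf"]["izct"]}                  # 6: ACF (IZCT) to the originating GW
    setup = {"called": called, "izct": acf["izct"]}     # 7/8: Setup carries the token unchanged
    return term_gk.handle_arq(setup, now)               # 9/10: far-end ARQ (IZCT) validated
```

The replay cache is what turns a bearer token into a one-call credential: a captured Setup replayed a few seconds later fails at step 9 even though its hash is still valid, and changing the called number in the token breaks the hash, so the token cannot be redirected to a more expensive destination.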

NAT/PAT and Firewall

NAT/PAT + Firewall + Voice Protocols

• NATs work at Layer 3

• NATs modify the source IP address

• NATs don't modify L4/L5/L6/L7 addresses, yet voice protocols (SCCP, H.323) embed IP addresses at L4-L7

• The embedded L4-L7 addresses become non-routable, so the applications will not work

• An Application Layer Gateway (ALG) is required on the NAT device to "fixup" the voice protocol

Figure: a CallManager cluster, IP phones and a SoftPhone on the inside of a NAT/PAT + firewall device, with H.323 gateways and an IP phone on the outside.

NAT and FW Demarcation Points

• NAT/PAT is enabled at the CE device; CCM deployments require a separate CE router at the customer edge; SRST, ITS and Cisco IOS GWs can be used as the CE edge device

• IP phones typically use PAT for scalability

• For IP "in the clear", the CPE is the ideal location for the firewall

Figure: a CallManager cluster and Unity VM/UM (10.1.1.x) behind a CE device; a PBX with a VoIP GW behind CPE; IP phones behind a CPE router with SRST; an ITS / IOS GW site (131.7.33.x); all reach the shared voice application (access GK, enterprise VPN GK) across the IP network, with the Internet off the same CE. The CE device performs the NAT/PAT function. Firewalls are needed to protect against access by unwanted parties (e.g. non-SP shared resources or internal sites).

NAT for CallManager Deployments (On-Site)

Site A: CallManager cluster 10.1.1.1, 10.1.1.2, 10.1.1.3; inside private addresses 10.1.1.10-10.1.1.100; inside interface 10.1.1.254; outside public addresses 172.16.1.1, 172.16.1.2, 172.16.1.3 and 172.16.1.10; local PSTN connection.

NAT for CCM (static, one-to-one):
  10.1.1.1 -> 172.16.1.1
  10.1.1.2 -> 172.16.1.2
  10.1.1.3 -> 172.16.1.3

PAT for IP phones, Unity and GWs:
  10.1.1.10 through 10.1.1.100 -> 172.16.1.10
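What the ALG on the CE has to do, as an added example (not Cisco code) covering the embedded-address problem from the "NAT/PAT + Firewall + Voice Protocols" slide together with the static/PAT split on the slide above. A plain Layer-3/4 translation hands the far end a 10.1.1.x media address that the SP's shared voice resources cannot route to; the fixup rewrites the address and port inside the signaling payload and creates the binding the return RTP will arrive on. The message dicts stand in for the ASN.1 PER-encoded H.245 OpenLogicalChannel and the SCCP OpenReceiveChannelAck, the PAT port allocator starting at 1024 and the 172.16.1.0/24 "reachable from the SP" test are assumptions, and the MGCP case from the later "NAT Does Not Support MGCP (Yet)" slide is modelled as a protocol with no ALG at all.

```python
"""Why Layer-3 NAT/PAT alone breaks H.323 and SCCP, and what the ALG on the CE
does about it.  Added example, not Cisco code.  Addresses follow the "NAT for
CallManager Deployments" slide (CCMs 10.1.1.1-3 static to 172.16.1.1-3; phones,
Unity and GWs 10.1.1.10-100 PATed to 172.16.1.10).  The message dicts are a
simplified stand-in for the H.245 OLC / SCCP OpenReceiveChannelAck (assumption)."""
import ipaddress

OUTSIDE_NET = ipaddress.ip_network("172.16.1.0/24")  # routable from the SP voice VPN (assumption)
PUBLIC_PAT = "172.16.1.10"
STATIC = {"10.1.1.1": "172.16.1.1", "10.1.1.2": "172.16.1.2", "10.1.1.3": "172.16.1.3"}
PAT_LOW, PAT_HIGH = ipaddress.ip_address("10.1.1.10"), ipaddress.ip_address("10.1.1.100")
# Signaling messages whose embedded media address this ALG knows how to rewrite.
SUPPORTED_ALG = {"h245-olc", "sccp-open-receive-channel-ack"}


def reachable_from_sp(ip):
    """True if the SP's shared voice resources can route to this address."""
    return ipaddress.ip_address(ip) in OUTSIDE_NET


class CeNat:
    def __init__(self):
        self.table = {}        # (inside ip, port) -> (outside ip, port)
        self.reverse = {}      # (outside ip, port) -> (inside ip, port)
        self.next_port = 1024  # next PAT source port (assumed allocator)

    def translate(self, inside_ip, port):
        """Layer-3/4 translation only: static one-to-one for the CCMs, PAT for
        the rest.  Idempotent, so signaling and media reuse one binding."""
        key = (inside_ip, port)
        if key in self.table:
            return self.table[key]
        if inside_ip in STATIC:
            out = (STATIC[inside_ip], port)
        elif PAT_LOW <= ipaddress.ip_address(inside_ip) <= PAT_HIGH:
            out = (PUBLIC_PAT, self.next_port)
            self.next_port += 1
        else:
            raise ValueError("no NAT rule for " + inside_ip)
        self.table[key] = out
        self.reverse[out] = key
        return out

    def inbound(self, outside_ip, port):
        """Outside-to-inside: only packets that hit an existing binding get
        through; anything else is dropped (no pinhole)."""
        return self.reverse.get((outside_ip, port))

    def fixup(self, msg):
        """ALG: rewrite the media address embedded in the signaling payload and
        open the binding the return RTP will arrive on."""
        if msg["proto"] not in SUPPORTED_ALG:
            # The MGCP case on the later slide: no ALG, so the device cannot sit behind NAT.
            raise NotImplementedError("no ALG for " + msg["proto"])
        out_ip, out_port = self.translate(msg["media_ip"], msg["media_port"])
        return dict(msg, media_ip=out_ip, media_port=out_port)
```

The inbound lookup is the firewall half of the slide: after fixup the far end sends RTP to 172.16.1.10:1024 and it is mapped back to the phone, while a packet to any port without a binding is dropped rather than forwarded into the private segment.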

NAT for SP-Hosted Cisco CallManager with SRST

Figure: a Cisco MPLS VPN network with PE1, PE2, PE5 and a P router; hosted CallManager clusters and Unity VM/UM behind one PE; CE routers with SRST and IP phones at the private VPN "A" and private VPN "B" sites; the access GK and enterprise VPN GK in the shared voice VPN. Route targets shown in the figure: private VPN 800:10 with shared VPN 10000:101; private VPN 500:10 with shared VPN 10000:102; shared VPN 10000:100.

• The hosted CCM and Unity devices belong to both the private and the shared VPNs of the customer; the CCM is assigned a public address; the CCMs for each customer appear on separate sub-interfaces on the PE so that they can be put into the separate customer VPNs

• The PEs group all customer public addresses into the same shared customer VRF

• All SCCP signaling and any bearer traffic destined to external locations undergo PAT on the local CE

MPLS Customer Network: SRST / ITS / IOS Gateway

• The loopback interface on the CPE is in the public address space
• IP phones are PATed to the loopback interface
• On-net bearer traffic remains within the customer's VPN
• Off-net traffic is routed through the SP's off-net infrastructure

Figure: Site A and Site B, each a CE with SRST and IP phones on inside private addresses (10.x.x.x), each served by an access GK, with the enterprise VPN GK and outside public addresses for the voice resources. Bearer traffic to the IP phones is PATed; the public address assigned to the loopback interface is used for signaling with the shared voice resources. All calls between sites traverse the shared resources, and bearer traffic undergoes PAT on the CE.

ITS Built-in NAT/Proxy Functionality

• ITS has eFXS (emulated FXS) ports
• ITS perceives the IP phones behind it as FXS ports
• Calls from the IP phones are sourced from the interface to which H.323 is bound
• IP phones speak the Skinny protocol (SCCP) to the ITS

Figure: the ITS acts as a VoIP proxy: bearer and H.323 on its public address toward the access GKs and the enterprise VPN GK; bearer and SCCP on its private address toward the phones.

NAT Does Not Support MGCP (Yet)

• MGCP is currently not supported through Cisco NAT/PAT devices; therefore devices controlled by MGCP from the CCM are only usable if there is no NAT device between them

• CCM-controlled MGCP gateways are "on-site" and, if used, are for "local" PSTN access

Figure: a CallManager cluster, SCCP phones and an MGCP gateway to the PSTN across a private IP address segment (e.g. 10.x.x.x) and a public IP address segment (e.g. 172.16.100.x) on the CE. NAT is not needed between two local segments; MGCP and SCCP pass freely; PAT is used only for traffic exchanged with shared service provider resources (NAT on H.323 and bearer).

NAT Order of Operations

Outside-to-inside:
• If IPSec, then check the input access list
• Decryption (for CET or IPSec)
• Check input access list
• Check input rate limits
• Input accounting
• NAT outside to inside (global to local translation)
• Policy routing
• Routing
• Redirect to web cache
• Crypto (check map and mark for encryption)
• Check output access list
• Inspect (Context-Based Access Control [CBAC])
• TCP intercept
• Encryption

Inside-to-outside:
• If IPSec, then check the input access list
• Decryption (for CET (Cisco Encryption Technology) or IPSec)
• Check input access list
• Check input rate limits
• Input accounting
• Policy routing
• Routing
• Redirect to web cache
• NAT inside to outside (local to global translation)
• Crypto (check map and mark for encryption)
• Check output access list
• Inspect (Context-Based Access Control [CBAC])
• TCP intercept
• Encryption

Consequence for firewall rules on the CE: an access list matches the addresses as they exist at that point in the sequence. Outside-to-inside, the input list sees global (outside) addresses and the output list sees the translated local addresses; inside-to-outside, the input list sees local addresses and the output list sees the translated global ones.

Managing the Network

Cisco OSS for Managed Business Voice / Internet OSS for VoIP

Figure: the PSTN/SS7 network (international, SCP, STPs, Carrier X) and the H.323 voice network feed Cisco network services; above them sit the performance management, fault management, infrastructure configuration, accounting data and subscriber/access management applications, with security across all of them, under a unified operator and OSS interface to the OSS.

Fault and Performance Management

Figure: SRST, CCM, ITS, Catalyst switches, IP phones, CPE routers and IOS GW/GKs report through AAA/RADIUS, syslog and SNMP onto the CNS bus; a fault manager (Cisco Info Center, CIC, for services and applications) and performance managers (C-NOTE/Perf-Engine, ITEM/CW2k, NetIQ) produce reports, with partner reporting on a second CNS bus.

• Cisco Info Center (CIC)
• Manager of Managers (MOM)
• End-to-end view of the network
• Integrates with lower-level collection applications

Provisioning and Configuration Management

Figure: SRST, CCM, ITS, Catalyst switches, CPE routers, IP phones and IOS GW/GKs are provisioned over XML over HTTP, SSH, Telnet, SOAP and AXL by the configuration manager (PTC, Conf-Eng / IE2100).

• Packet Telephony Center (PTC)
• Domain manager for the voice network
• End-to-end view
• Configures the dial plan on GW / GK / DGK
• Provisions IOS

Supplementary Routing Logic Using the PGW2200

• On-net to on-net
• On-net to off-net
• Off-net to on-net

On-net to On-net

Figure: EntA Site 1 (PBX, ext. 51212, abbreviated 5...., VPNID 222, SiteID 111) and EntA Site 2 (PBX, ext. 71212, abbreviated 7...., VPNID 222, SiteID 112) behind gateways; CCGK1 and CCGK2; the PGW VPN with HSI-1 (incoming) and HSI-2 (outgoing). H.225 RAS runs between the gateways and the CCGKs; H.225 setup runs between the gateways and the HSIs.

  Sent to the PGW:                    S: 22211114085551212   D: 871212
  Out of the PGW after manipulation:  S: 14085551212         D: 22211271212

On-net to On-net: Message Sequence (EP-1, AGK-1, CCGK-1, HSI-1, PGW, HSI-2, CCGK-2, AGK-2, EP-2)

Admission and routing at the originating side:
  EP-1 -> AGK-1: ARQ; AGK-1 -> CCGK-1: LRQ; CCGK-1 -> AGK-1: LCF; AGK-1 -> EP-1: ACF
Setup through the PGW:
  EP-1 -> HSI-1: Setup; HSI-1 -> PGW: E-ISUP IAM (FS H.245 IP/port); PGW -> HSI-2: E-ISUP IAM (FS H.245 IP/port)
Admission and routing at the terminating side:
  HSI-2 -> CCGK-2: ARQ; CCGK-2 -> AGK-2: LRQ; AGK-2 -> CCGK-2: LCF; CCGK-2 -> HSI-2: ACF; HSI-2 -> EP-2: Setup; EP-2 -> AGK-2: ARQ (answer side); AGK-2 -> EP-2: ACF
Call progress:
  EP-2 -> HSI-2: Proceeding; E-ISUP ACM (H.245 IP/port) from HSI-2 through the PGW to HSI-1; HSI-1 -> EP-1: Proceeding
  EP-2 -> HSI-2: Alerting; E-ISUP CPG through the PGW; HSI-1 -> EP-1: Alerting
  EP-2 -> HSI-2: Connect; E-ISUP ANM through the PGW; HSI-1 -> EP-1: Connect
Media:
  Begin H.245 OLC; RTP stream between EP-1 and EP-2
Teardown:
  H.245 End Session; E-ISUP NOT; Release Complete; EP-1 -> AGK-1: DRQ / DCF; E-ISUP REL / RLC through the PGW; Release Complete; EP-2 -> AGK-2: DRQ / DCF

On-net to Off-net

Figure: EntA Site 1 (PBX, E.164 14085551212, abbreviated 5...., VPNID 222, SiteID 111) behind a gateway; CCGK1 and CCGK2; the PGW VPN with HSI-1 (incoming) and HSI-2 (outgoing); the PSTN GK / PSTN access GK and PSTN gateways toward 19167771212. H.225 RAS runs between the gateway and CCGK1, LRQ/LCF between CCGK2 and the PSTN GK, and H.225 setup from the HSI to the PSTN gateway.

  Sent to the PGW:                    S: 22211114085551212   D: 919167771212
  Out of the PGW after manipulation:  S: 14085551212         D: 19167771212
  Sent toward the PSTN gateway:       S: 14085551212         D: 19167771212

On-net to Off-net: Message Sequence (EP-1, AGK-1, CCGK-1, HSI-1, PGW, HSI-2, CCGK-2, PSTN GK, PSTN GW)

The same sequence as the on-net to on-net ladder, with the PSTN GK in place of AGK-2 and the PSTN GW in place of EP-2: ARQ/LRQ/LCF/ACF and Setup at the originating side; E-ISUP IAM (FS H.245 IP/port) through the PGW; ARQ/LRQ/LCF/ACF from HSI-2 via CCGK-2 to the PSTN GK; Setup to the PSTN GW, which sends its own ARQ/ACF to the PSTN GK; Proceeding/ACM, Alerting/CPG and Connect/ANM back to EP-1; H.245 OLC and the RTP stream; H.245 End Session, E-ISUP NOT, Release Complete, DRQ/DCF and E-ISUP REL/RLC on teardown.


Off-net to On-net

Figure: a PSTN caller, 19167771212, enters through the PSTN gateway / PSTN access GK; CCGK1 and CCGK2; the PGW VPN with HSI-1 (incoming) and HSI-2 (outgoing); EntA Site 1 (PBX, E.164 14085551212, abbreviated 9...., VPNID 222, SiteID 111). H.225 RAS runs between the gateways and their GKs; H.225 setup runs between the gateways and the HSIs.

  Sent to the PGW:                    S: 19167771212   D: 22211114085551212
  Out of the PGW after manipulation:  S: 19167771212   D: 14085551212
  Delivered to the site gateway:      S: 19167771212   D: 14085551212

Off-net to On-net: Message Sequence (PSTN GW, PSTN GK, CCGK-1, HSI-1, PGW, HSI-2, CCGK-2, AGK-1, EP-1)

The mirror of the on-net to off-net ladder: the PSTN GW sends ARQ to the PSTN GK, which resolves the call with LRQ/LCF toward CCGK-1; Setup reaches HSI-1 and becomes E-ISUP IAM (FS H.245 IP/port) through the PGW; HSI-2 sends ARQ to CCGK-2, which resolves EP-1 with LRQ/LCF to AGK-1; Setup goes to EP-1, which sends its own ARQ/ACF to AGK-1; Proceeding/ACM, Alerting/CPG and Connect/ANM travel back to the PSTN GW; H.245 OLC and the RTP stream; H.245 End Session, E-ISUP NOT, Release Complete, DRQ/DCF and E-ISUP REL/RLC on teardown.

Sample CCGK Config

Figure: EntA Site 1 (PBX, ext. 51212, abbreviated 5...., VPNID 222, SiteID 111) and EntA Site 2 (PBX, ext. 71212, abbreviated 7...., VPNID 222, SiteID 112) behind gateways; CCGK1 and CCGK2; the PGW VPN with HSI-1 (incoming) and HSI-2 (outgoing); the PSTN access GK.

CCGK1 config:

  gatekeeper
   zone local ccgk1 cisco.com 172.19.48.218
   zone prefix ccgk1 222111* gw-priority 10 RED-C1
   zone prefix ccgk1 222111* gw-default-priority 0
   zone prefix ccgk1 222112* gw-priority 10 RED-C2
   zone prefix ccgk1 222112* gw-default-priority 0
   zone prefix ccgk1 * gw-priority 10 hsi1
   zone prefix ccgk1 * gw-default-priority 0
   gw-type-prefix 1#* default-technology
   no shutdown

CCGK2 config:

  gatekeeper
   zone local ccgk2 cisco.com 172.19.48.219
   zone remote ccgk1 cisco.com 172.19.48.218 1719
   zone remote pstngk cisco.com 172.19.48.210 1719
   zone prefix ccgk1 222*
   zone prefix pstngk *
   gw-type-prefix 1#* default-technology
   no shutdown

In CCGK1 each site's VPN/site prefix (222111*, 222112*) is pinned to its own gateway (RED-C1, RED-C2) and everything else (*) goes to hsi1, the PGW's incoming HSI; the gw-default-priority 0 lines stop any other registered gateway from being selected for those prefixes. CCGK2 forwards the 222* prefix to ccgk1 and everything else to the PSTN GK.

Questions

Thank You

References

Related Networkers Sessions

• VVT 2020 - Designing and Deploying IP Telephony Applications
• VVT 2010 - Designing Service Provider Hosted IP Telephony Networks
• VVT 2022 - Designing Voice Infrastructure and Applications for PSTN Interconnect
• RST 1061 - Deploying MPLS VPNs
• RST 3061 - Troubleshooting MPLS VPNs
• RST 2081 - Deploying Quality of Service for Converged Networks

Reference URLs

• Cisco CallManager
  http://www.cisco.com/
• IOS Telephony System (ITS) - Features
  http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_feature_guide09186a0080189132.html
  http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
• Cisco MSoVPN web page
  http://www.cisco.com/
• MPLS Basics
  http://www.cisco.com/
• NAT/PAT and Voice
  http://www.cisco.com/
  http://www.cisco.com/univercd/doc/product/access/sc/rel7/soln/wv_rel1/index.htm

Please Complete Your Evaluation Form
Session VVT-2021