I had the enjoyable opportunity over the last few weeks to jump in and do a basic Cisco voice install. It was about 110 phones, with the Cisco Unified Communications Manager Business Edition. This is a single box that includes Call Manager 6.1.3, and Unity Connection 2.1. It had to be done fast, and it had to be done right, so I stuck to mostly tried and true configurations.
Since this was a price sensitive design, we used the 2800 router to its maximum potential. The 2800 is an amazingly flexible piece of equipment; it can be configured to do large variety of things. Sometimes known as the Integrated Services Router, or ISR, it can be set up as a router, firewall, VPN, Voice Gateway, SIP session border controller, transoder, conference bridge, and survivable remote gateway, all at the same time, on the same box!
The call manager and unity connection install was straightforward, like punching out license plates. Set up media, device pools, partitions, calling search spaces, translation patterns, gateways, route filters, route patterns, etc. Scan then batch add the phones, set up voicemail and autoattendant call handlers, create expections, deal with the special people, and that’s it. Enough said about that.
The Cisco 2800 Integrated Services Router is used in this example to terminate a Multilink PPP bundle of four Internet T1’s, act as a firewall, provide media services to the Cisco call manager, act as an MGCP controlled analog gateway, and use Cisco Survivable Remote Site Telephony (SRST) to be the backup call processor to the main Cisco Call Manager.
SIP is ok with Network Address Translation as long as the firewall is capable of doing deep packet inspection and NAT’s all references to IP addresses. When I tried to NAT the inside interface of the firewall…it did not work so well. The remote SIP service provider was seeing private IP addresses in the SIP text, which does not make for good two way communications.
The Quality of Service setup on this example is fairly straightforward. Outbound is the standard Cisco MQS low-latency queuing setup, with a priority queue for voice and class based weighted fair queuing for the rest. Even though the service provider has said they prioritize inbound voice, I still set up inbound policing. Non-voice is limited to 4 Mbps, and anything greater than that will be dropped. Voice can use all of the bandwidth, so essentially there is 2 Mbps reserved for inbound voice. This is based on a calculation of 80 kbps for one G.711 call, so 2000 kbps gives us 25 concurrent voice calls, which should be plenty for 110 phones.
Object groups are used, which is new to IOS version 12.4.20T. As a side note, I recommend strongly against using 12.4.22T1 for NAT or SCCP media like MTP’s, since those feature are broken in that version.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PriorityQueueRouter
!
boot-start-marker
warm-reboot
boot-end-marker
!
card type t1 0 0
card type t1 0 1
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 100000 warnings
no logging console
enable secret 5 0000000000000000000
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-select 1 T1 0/0/0
network-clock-select 2 T1 0/0/1
network-clock-select 3 T1 0/1/0
network-clock-select 4 T1 0/1/1
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name MAINSITE.local
ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4500
ip inspect one-minute high 5000
ip inspect one-minute low 4500
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 10
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name EXT_FW ssh
ip inspect name EXT_FW https
ip inspect name EXT_FW ntp
ip inspect name EXT_FW tcp
ip inspect name EXT_FW dns
ip inspect name EXT_FW smtp
ip inspect name EXT_FW udp
ip inspect name EXT_FW icmp
ip inspect name EXT_FW ftp timeout 1200
ip inspect name EXT_FW http
ip inspect name EXT_FW sip
ip inspect name EXT_FW appleqtc
ip inspect name EXT_FW l2tp
ip inspect name EXT_FW pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
trunk group FXOPORTS
hunt-scheme sequential both up
!
!
voice service voip
address-hiding
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
redirect ip2ip
fax protocol pass-through g711ulaw
modem passthrough nse codec g711ulaw
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
header-passing
registrar server expires max 3600 min 3600
no update-callerid
early-offer forced
!
!
voice class media 1
media flow-through
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
voice translation-rule 1
rule 1 /^\(2…\)/ /770555\1/
!
voice translation-rule 2
rule 1 /^9/ //
!
!
voice translation-profile OUTBOUND
translate calling 1
translate called 2
!
!
voice-card 0
no dspfarm
dsp services dspfarm
!
!
object-group network EXTERNAL_SIP_SERVERS
host 247.10.98.2
!
object-group network INSIDE_NETWORKS
10.108.0.0 255.255.0.0
!
object-group network INTERNAL_SIP_SERVERS
host 251.222.32.206
host 251.222.32.205
object-group network OUTSIDE_INTERFACE
host 250.1.26.7
!
object-group service PING_SERVICE
icmp echo-reply
icmp unreachable
icmp redirect
icmp echo
udp eq ntp
udp eq domain
!
object-group network PRIVATE_NAT_SERVERS
host 10.108.80.5
host 10.108.60.6
host 10.108.60.7
host 10.108.60.10
host 10.108.60.12
!
object-group network PUBLIC_NAT_SERVERS
host 251.222.32.205
host 251.222.32.195
host 251.222.32.197
host 251.222.32.199
host 251.222.32.201
!
object-group network SERVER_NETWORKS
10.108.60.0 255.255.255.0
10.108.80.0 255.255.255.0
!
object-group network SIP_NETWORKS
host 251.222.32.206
host 251.222.32.205
!
object-group service SIP_SERVICE
udp eq 5060
tcp eq 5060
!
!
controller T1 0/0/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
controller T1 0/1/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
ip tcp synwait-time 60
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh version 2
!
class-map match-any VOICE_CLASS
match ip dscp ef
match access-group name VOICEPACKETS_ACL
class-map match-any CALLCONTROL_CLASS
match ip dscp af31
match ip dscp cs3
match ip dscp af21
class-map match-any CONTROL_CLASS
match access-group name NETWORKCONTROL_ACL
match ip dscp af11
class-map match-any FROM_ISP_CLASS
match access-group name FROM_ISP_ACL
!
!
policy-map DROP_NON_VOICE_POLICY
class FROM_ISP_CLASS
police rate 2000000
conform-action set-dscp-transmit ef
exceed-action set-dscp-transmit ef
violate-action set-dscp-transmit ef
class class-default
police rate 4000000
conform-action transmit
exceed-action drop
violate-action drop
policy-map VOICEFIRST_POLICY
class CALLCONTROL_CLASS
bandwidth percent 5
set dscp af21
class CONTROL_CLASS
bandwidth percent 5
set dscp af11
class VOICE_CLASS
priority percent 65 200000
set dscp ef
class class-default
fair-queue
random-detect
!
!
interface Loopback0
ip address 251.222.32.206 255.255.255.255
!
interface Multilink1
ip address 250.1.26.7 255.255.255.252
ip access-group OUTSIDE_IN in
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip inspect EXT_FW out
ip virtual-reassembly
snmp trap ip verify drop-rate
no cdp enable
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy input DROP_NON_VOICE_POLICY
service-policy output VOICEFIRST_POLICY
!
interface GigabitEthernet0/0
ip address 10.108.100.254 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/1/1:1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
ip local pool VPNPOOL 192.168.50.200 192.168.50.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 10.108.0.0 255.255.0.0 10.108.100.1
no ip http server
ip http authentication aaa
ip http secure-server
!
!
ip nat inside source route-map DYNAMIC_RMAP interface Multilink1 overload
ip nat inside source static 10.108.60.6 64.206.208.195 route-map STATIC_RMAP
ip nat inside source static 10.108.60.8 64.206.208.197 route-map STATIC_RMAP
ip nat inside source static 10.108.60.10 64.206.208.199 route-map STATIC_RMAP
ip nat inside source static 10.108.60.12 64.206.208.201 route-map STATIC_RMAP
ip nat inside source static 10.108.80.5 64.206.208.205 route-map STATIC_RMAP
!
ip access-list extended DYNAMIC_NAT_ACL
deny ip object-group PRIVATE_NAT_SERVERS any
permit ip 10.108.0.0 0.0.255.255 any
!
ip access-list extended FROM_ISP_ACL
permit ip object-group EXTERNAL_SIP_SERVERS object-group INTERNAL_SIP_SERVERS
!
ip access-list extended OUTSIDE_IN
permit object-group PING_SERVICE any object-group OUTSIDE_INTERFACE
permit object-group PING_SERVICE any object-group INTERNAL_SIP_SERVERS
permit object-group PING_SERVICE any object-group PUBLIC_NAT_SERVERS
permit object-group SIP_SERVICE object-group EXTERNAL_SIP_SERVERS object-group INTERNAL_SIP_SERVERS
permit object-group MGMT_SERVICE object-group MGMT_NETWORKS object-group OUTSIDE_INTERFACE
!
ip access-list extended STATIC_NAT_ACL
permit ip 10.108.0.0 0.0.255.255 any
!
!
route-map DYNAMIC_RMAP permit 1
match ip address DYNAMIC_NAT_ACL
!
route-map STATIC_RMAP permit 1
match ip address STATIC_NAT_ACL
!
control-plane
!
voice-port 2/0/0
!
voice-port 2/0/1
!
voice-port 2/0/2
!
voice-port 2/0/3
!
voice-port 2/0/4
!
voice-port 2/0/5
!
voice-port 2/0/6
!
voice-port 2/0/7
!
voice-port 2/0/8
trunk-group FXOPORTS 6
timing hookflash-out 50
connection plar 2700
!
voice-port 2/0/9
trunk-group FXOPORTS 5
timing hookflash-out 50
connection plar 2700
!
voice-port 2/0/10
connection plar 2700
!
voice-port 2/0/11
connection plar 2700
!
voice-port 2/0/12
connection plar 2700
!
voice-port 2/0/13
connection plar 2700
!
ccm-manager fallback-mgcp
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.108.80.5
ccm-manager config
!
mgcp
mgcp call-agent ucserver 2427 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
mgcp bind control source-interface GigabitEthernet0/0
mgcp bind media source-interface GigabitEthernet0/0
!
mgcp profile default
!
sccp local Loopback0
sccp ccm 10.108.80.5 identifier 1 priority 1 version 6.0
sccp
!
sccp ccm group 1
associate ccm 1 priority 1
associate profile 4 register MTP2851-729
associate profile 3 register MTP2851
associate profile 2 register CFB2851
associate profile 1 register XCD2851
!
dspfarm profile 1 transcode
codec g711ulaw
codec g729r8
maximum sessions 2
associate application SCCP
!
dspfarm profile 2 conference
codec g711ulaw
codec g729r8
maximum sessions 2
associate application SCCP
!
dspfarm profile 3 mtp
codec g711ulaw
maximum sessions software 50
associate application SCCP
!
dspfarm profile 4 mtp
codec g729r8
maximum sessions software 50
associate application SCCP
shutdown
!
!
dial-peer voice 999200 pots
service mgcpapp
port 2/0/0
!
dial-peer voice 999208 pots
service mgcpapp
port 2/0/8
!
dial-peer voice 1 pots
description Incoming called numbers from FXO or FXS or ccm
incoming called-number .
direct-inward-dial
!
dial-peer voice 59111 pots
trunkgroup FXOPORTS
description 911 service with a leading 9
translation-profile outgoing OUTBOUND
preference 5
destination-pattern 9[49]11
!
dial-peer voice 59112 pots
trunkgroup FXOPORTS
description 911 service without a leading 9
preference 5
destination-pattern [49]11
!
dial-peer voice 5202 pots
trunkgroup FXOPORTS
description International calling with FXOPORTS
translation-profile outgoing OUTBOUND
preference 5
destination-pattern 9011T
!
dial-peer voice 19111 voip
description 911 service with a leading 9 to ISP
translation-profile outgoing OUTBOUND
preference 6
destination-pattern 9[49]11
session protocol sipv2
session target ipv4:247.10.98.2
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
fax-relay ecm disable
fax-relay sg3-to-g3
fax rate 14400
fax protocol pass-through g711ulaw
!
dial-peer voice 1200 voip
description local with a leading 9 to ISP
translation-profile outgoing OUTBOUND
preference 1
destination-pattern 9[2-9]..[2-9]……
session protocol sipv2
session target ipv4:247.10.98.2
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
fax-relay ecm disable
fax-relay sg3-to-g3
fax rate 14400
fax protocol pass-through g711ulaw
ip qos dscp cs3 signaling
no vad
!
dial-peer voice 1201 voip
description long distance with a leading 9 to ISP
translation-profile outgoing OUTBOUND
preference 1
destination-pattern 91[2-9]..[2-9]……
session protocol sipv2
session target ipv4:247.10.98.2
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
fax-relay ecm disable
fax-relay sg3-to-g3
fax rate 14400
fax protocol pass-through g711ulaw
ip qos dscp cs3 signaling
no vad
!
dial-peer voice 1202 voip
description international with a leading 9 to ISP
translation-profile outgoing OUTBOUND
preference 1
destination-pattern 9011T
session protocol sipv2
session target ipv4:247.10.98.2
session transport udp
dtmf-relay rtp-nte
codec g711ulaw
fax-relay ecm disable
fax-relay sg3-to-g3
fax rate 14400
fax protocol pass-through g711ulaw
ip qos dscp cs3 signaling
no vad
!
dial-peer voice 999209 pots
service mgcpapp
port 2/0/9
!
dial-peer voice 5200 pots
trunkgroup FXOPORTS
description Local calling with FXOPORTS
translation-profile outgoing OUTBOUND
preference 5
destination-pattern 9[2-9]..[2-9]……
!
dial-peer voice 5201 pots
trunkgroup FXOPORTS
description Long distance calling with FXOPORTS
translation-profile outgoing OUTBOUND
preference 5
destination-pattern 91[2-9]..[2-9]……
!
dial-peer voice 1100 voip
description ** Incoming call from SIP trunk **
translation-profile incoming INBOUND
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session transport udp
incoming called-number 770…….
dtmf-relay rtp-nte
fax protocol pass-through g711ulaw
ip qos dscp cs3 signaling
no vad
!
!
sip-ua
nat symmetric role active
retry invite 3
retry response 3
retry bye 3
retry cancel 3
retry rel1xx 3
timers connect 100
timers connection aging 30
!
!
!
call-manager-fallback
secondary-dialtone 9
max-conferences 8 gain -6
transfer-system full-consult
limit-dn 7961 6
timeouts interdigit 5
ip source-address 10.108.100.254 port 2000
max-ephones 110
max-dn 200 dual-line
dialplan-pattern 1 770555 extension-length 4
transfer-pattern 9……….
keepalive 10
default-destination 2700
no huntstop
time-zone 13
!
banner login ^CC
*******************************************************************************
Unauthorized access and improper use are prohibited. Any activity on the system
is subject to monitoring by the company at any time. Anyone who uses the system
consents to such monitoring and agrees that the company may use the results of
such monitoring without limitation.
*******************************************************************************
^C
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
line vty 5 15
exec-timeout 60 0
logging synchronous
!
scheduler allocate 20000 1000
ntp server 131.144.4.9
ntp server 198.72.72.10
end