The migration to cloud-based communication solutions offers significant advantages. However, organizations can maintain a measured pace and seamlessly integrate existing on-premises PBX or PSTN infrastructure with Webex Calling through Local Gateway Deployment. This approach allows you to capitalize on your previous investments while enjoying the benefits of cloud calling.
In this blog, we will delve into the deployment process for Local Gateway, focusing on the registration-based trunk configuration method.
Local Gateway Deployment: A Hybrid Solution
Local Gateway bridges the gap between your on-premises environment and Webex Calling. It acts as a translator, seamlessly routing calls between your existing PBX or PSTN and the Webex cloud. This hybrid approach ensures a smooth transition to the cloud while preserving the functionality of your on-premises infrastructure.
Registration-Based Trunk Configuration
This blog will explore the registration-based trunk configuration for Local Gateway. We will provide a detailed explanation of this method, outlining the steps involved and best practices to ensure a successful implementation.
Important Considerations: SIP Trunk Configuration
It is important to note that this blog focuses on Local Gateway deployment and does not cover SIP trunk configuration on Call Manager. Separate configuration is required to define the SIP trunk with the appropriate port usage to avoid conflicts between the trunks connecting to your PSTN and Webex Calling.
By following this guide and ensuring proper SIP trunk configuration, you can successfully deploy Local Gateway and establish a seamless connection between your on-premises environment and Webex Calling.
Prerequisites, Requirements & Assumptions:
- CUCM on premises
- Webex Calling deployment
- On Premises CUBE
- CUBE needs a minimum release of Cisco IOS XE 16.12 or IOS XE 17.3
- Only Cisco CUBEs Support Registration-Based Local Gateway.
- Ensure you have a Layer 3 interface with routable IP addresses.
- CUBE needs a DNS server IP address configured on it for domain name lookup
Now we will go over configuring the requirements to complete the deployment:
Step 1: Enable TLS and configure a Trust Point for SIP-UA
configure terminal
crypto pki trustpoint TLS-TP
revocation-check crl
exit
sip-ua
crypto signaling default trustpoint TLS-TP cn-san-validate server
transport tcp tls v1.2
tcp-retry 1000
end
Step 2: Update the Local Gateway trust Pool
- We need to do this to include DigiCert ROOT CA or IdenTrust Commercial certificates that are needed to validate the server-side certificate during TLS connection with Webex Calling.
- Download the latest “Cisco Trusted Core Root Bundle” from http://www.cisco.com/security/pki/
- Or from the CUBE CLI:
crypto pki trustpool import clean url flash:ios_core.p7b
- Verify that those certificates are now included on the CUBE:
show crypto pki trustpool | include DigiCert
cn=DigiCert Global Root CA
o=DigiCert Inc
cn=DigiCert Global Root CA
o=DigiCert Inc
show crypto pki trustpool | include IdenTrust Commercial
cn=IdenTrust Commercial Root CA 1
cn=IdenTrust Commercial Root CA 1
Step 3: Review the Port Reference Information for Webex Calling and Configure Voice Service VoIP
- https://help.webex.com/en-us/article/b2exve/Port-Reference-Information-for-Webex-Calling
- Add the below IP subnets to the ip address trusted list under voice service voip:
voice service voip
ip address trusted list
ipv4 23.89.0.0 255.255.0.0
ipv4 85.119.56.0 255.255.254.0
ipv4 128.177.14.0 255.255.255.0
ipv4 128.177.36.0 255.255.255.0
ipv4 135.84.168.0 255.255.248.0
ipv4 139.177.64.0 255.255.248.0
ipv4 139.177.72.0 255.255.254.0
ipv4 144.196.33.0 255.255.255.128
ipv4 150.253.156.128 255.255.255.128
ipv4 150.253.209.128 255.255.255.128
ipv4 170.72.0.0 255.255.0.0
ipv4 170.133.128.0 255.255.192.0
ipv4 185.115.196.0 255.255.252.0
ipv4 199.19.196.0 255.255.254.0
ipv4 199.19.199.0 255.255.255.0
ipv4 199.59.64.0 255.255.248.0
- Continue with the Voice Service VoIP Configuration
Voice service voip
media statistics
media bulk-stats
allow-connections sip to sip
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
stun
stun flowdata agent-id 1 boot-count 5
stun flowdata shared-secret 0 Password123$
sip
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
asymmetric payload full
early-offer forced
midcall-signaling passthru
privacy-policy passthru
g729 annexb-all
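The trusted list in Step 3 limits which source addresses the gateway accepts VoIP call setups from, so it is worth comparing what is configured against the published ranges whenever the port reference changes. The following is an added example, not part of the original post: the reference holds three entries copied from the list above, and the gateway configuration and its 203.0.113.0/24 entry are constructed.

```python
import ipaddress

def parse_trusted(config):
    """Return the networks listed under 'ip address trusted list'."""
    nets, inside = [], False
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] == ["ip", "address", "trusted", "list"]:
            inside = True
        elif inside and parts[:1] == ["ipv4"] and len(parts) > 1:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"  # bare host entry
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        elif parts:
            inside = False  # any other command ends the list
    return list(ipaddress.collapse_addresses(nets))  # merge adjacent and nested entries

def drift(configured, expected):
    """extra: trusted but not published; missing: published but not trusted."""
    extra = [str(n) for n in configured if not any(n.subnet_of(e) for e in expected)]
    missing = [str(e) for e in expected if not any(e.subnet_of(n) for n in configured)]
    return extra, missing

def is_trusted(source, nets):
    """True when a source address falls inside any trusted network."""
    return any(ipaddress.ip_address(source) in n for n in nets)

# Three entries copied from the Step 3 list, used here as the reference.
EXPECTED = parse_trusted("""\
ip address trusted list
ipv4 23.89.0.0 255.255.0.0
ipv4 170.72.0.0 255.255.0.0
ipv4 199.59.64.0 255.255.248.0
""")
# Constructed gateway config: one range split in two, one range missing, and a
# documentation range (203.0.113.0/24) standing in for a leftover entry.
CONFIGURED = parse_trusted("""\
voice service voip
 ip address trusted list
  ipv4 23.89.0.0 255.255.0.0
  ipv4 170.72.0.0 255.255.128.0
  ipv4 170.72.128.0 255.255.128.0
  ipv4 203.0.113.0 255.255.255.0
""")

if __name__ == "__main__":
    print(drift(CONFIGURED, EXPECTED), is_trusted("170.72.200.10", CONFIGURED))
```

An entry reported as extra widens who can place calls through the gateway, and a missing one means Webex Calling signaling from that range is refused.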
Step 4: Configure SIP Profile 200
- The role of this profile is to modify SIP headers so that they interoperate with Webex Calling:
voice class sip-profiles 200
rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"
rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"
- We will update the otg value in rule 20 later, once the trunk has been created in Control Hub (Step 7).
Step 5: Configure Codec, STUN Definition and SRTP Crypto Suite
voice class codec 99
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 opus
voice class srtp-crypto 200
crypto 1 AES_CM_128_HMAC_SHA1_80
voice class stun-usage 200
stun usage firewall-traversal flowdata
stun usage ice lite
Step 6: Configure a Trunk on Webex Control Hub.
- Login to admin.webex.com
- Go to Calling > Call Routing > Trunk > Add Trunk
- Select a location, enter a name, and for type select Registration based.
- Click Save
- Take a snapshot or copy the information presented in the pop-up window.
Step 7: Configure Voice Class Tenant 200 and adjust OTG in Voice Class sip-profiles 200
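- Based on the information you got after you created the trunk, configure the tenant and adjust sip-profiles 200. Use the snapshot below as a guide and substitute the registrar, usernames, passwords and realm that Control Hub displayed for your trunk. The 0 in front of each password marks it as entered in cleartext, so treat any saved copy of this configuration as a secret.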
- For binding, use whatever interface is supposed to face Webex Calling. It could be a single interface that services both on prem CUCM and Cloud Webex Calling.
voice class tenant 200
registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
no remote-party-id
sip-server dns:40462196.cisco-bcld.com
connection-reuse
srtp-crypto 200
session transport tcp tls
url sips
error-passthru
asserted-id pai
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
no pass-thru content custom-sdp
sip-profiles 200
outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com
privacy-policy passthru
Update SIP profile 200 rule 20 to include the correct otg:
rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
This takes care of the integration between Webex Calling and the Local Gateway. Now you should configure the dial-peers.
Step 8: Create Voice Class tenant for Call Manager Dial-Peers
voice class tenant 100
session transport udp
url sip
error-passthru
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp
Step 9: Configure Dial-Peers to enable Call Routing between Webex Calling and Call Manager
- Inbound/Outbound Dial-Peer for Webex Calling
dial-peer voice 201 voip
description Inbound/Outbound Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target sip-server
voice-class codec 99
dtmf-relay rtp-nte
voice-class stun-usage 200
no voice-class sip localhost
voice-class sip tenant 200
srtp
no vad
- Outbound dial-peer toward Call Manager
dial-peer voice 301 voip
description Outgoing dial-peer towards CUCM
destination-pattern BAD.BAD
session protocol sipv2
session server-group 301
voice-class codec 99
voice-class sip bind control source-interface GigabitEthernet 0/0/0
voice-class sip bind media source-interface GigabitEthernet 0/0/0
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad
- Session server-group 301 would contain Call Manager IP addresses.
- Incoming Dial-Peer for Call Manager Calls with Webex Calling as a destination:
dial-peer voice 300 voip
description Incoming dial-peer from CUCM for Webex Calling
session protocol sipv2
destination dpg 200
incoming uri via 300
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad
Step 10: Create Dial-Peer Groups that tie Dial-Peers Together
- DPG 300 Ties Webex Incoming Dial-Peer to CUCM Outgoing Dial-Peer
voice class dpg 300
dial-peer 301 preference 1
- DPG 200 Ties CUCM Incoming Dial-Peer to Webex Calling Outgoing Dial-Peer
voice class dpg 200
dial-peer 201 preference 1
Step 11: Create URI
- URI 300 to match incoming calls from CUCM going to Webex Calling
voice class uri 300 sip
pattern :5065
- URI 200 to match calls coming from Webex Calling
voice class uri 200 sip
pattern dtg=hussain2572.lgu
Step 12: Update Dial Peers with DPG and URIs
dial-peer voice 201 voip
description Inbound/Outbound Webex Calling
max-conn 250
destination dpg 300
incoming uri request 200
dial-peer voice 300 voip
description Incoming dial-peer from CUCM for Webex Calling
destination dpg 200
incoming uri via 300
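Steps 7 to 12 tie tenants, dial-peers, dial-peer groups and URI classes together by number, and the tenant carries the trunk credentials. The following added example (not from the original post) checks a configuration dump for numbers that are referenced but never defined and for type 0 secrets; the sample configuration is constructed and its username and secret are placeholders.

```python
import re

# Lines that define a numbered object, and lines that refer to one by number.
DEF = re.compile(r"^(?:voice class (tenant|dpg|uri|codec|srtp-crypto|sip-profiles)"
                 r"|(dial-peer) voice) (\d+)\b")
REF = re.compile(r"^(voice-class sip tenant|destination dpg|incoming uri (?:via|request)"
                 r"|voice-class codec|srtp-crypto|sip-profiles|dial-peer) (\d+)\b")
SECTION = re.compile(r"^(voice class|dial-peer voice|voice service|sip-ua)\b")
# A type 0 secret is readable by anyone who can read the configuration.
CLEARTEXT = re.compile(r"\b(?:password|shared-secret) 0 \S")

def audit(config):
    """Return sorted findings for CUBE configuration text (indentation is ignored)."""
    defined, used, findings, section = set(), [], set(), "global"
    for line in map(str.strip, config.splitlines()):
        if SECTION.match(line):
            section = line
        d = DEF.match(line)
        if d:
            defined.add((d.group(1) or d.group(2), d.group(3)))
        r = REF.match(line)
        if r:
            kind = "uri" if " uri " in r.group(1) else r.group(1).split()[-1]
            used.append((kind, r.group(2), section))
        if CLEARTEXT.search(line):
            findings.add(f"cleartext secret under '{section}'")
    for kind, tag, where in used:  # checked last so forward references are fine
        if (kind, tag) not in defined:
            findings.add(f"'{where}' refers to undefined {kind} {tag}")
    return sorted(findings)

# Constructed sample modelled on Steps 7-12; the username and secret are placeholders.
SAMPLE = """\
voice class tenant 100
voice class tenant 200
 authentication username EXAMPLE_LGU password 0 EXAMPLE-SECRET realm BroadWorks
voice class uri 300 sip
voice class dpg 200
 dial-peer 201 preference 1
dial-peer voice 201 voip
 voice-class sip tenant 200
dial-peer voice 300 voip
 destination dpg 200
 incoming uri via 300
 voice-class sip tenant 300
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```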
This concludes the configuration you need to set up communication between Webex Calling and Call Manager using a Cisco CUBE. As a reminder, a SIP trunk still needs to be configured on Call Manager pointing to this CUBE, with a SIP trunk security profile using port 5065.
For more information, always review the following link:
https://help.webex.com/en-us/article/b2exve
As always if you have any questions and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!
Freddy Tabet, Network Engineer