Wednesday, 29 November 2017

Voice Over WLAN Best Practices

VoWLAN deployments can be challenging - VoIP already imposses strict criteria on the network conditions to facilite good call quality & WiFi itself poses additional challenges. Given that a wireless channel is a shared medium, potentially subject to interference from other devices & that the transmit time on a WiFi device is highly variable due to the nature of CSMA/CA, this is a recipe for jitter & packet loss.
Cisco publish a number of guidelines for VoWLAN success, albeit spread across multiple documents, so below is a summary of some of the main points:

  • Maximum of 15 or 20 associated devices per AP.
  • 5GHz is strongly preferred.
  • Noise levels should not exceed -92 dBm with a signal-to-noise ratio (SNR) of 25 dB or higher.
  • Signal strength should be -67 dBm or better per AP.
  • Minimum 20 to 30 percent overlap of adjacent access points with non-overlapping channels must be considered during design site survey.
  • Packet error rate (PER) should not exceed 1%, jitter should be <100 ms & retries should be < 20%.
  • To avoid one-way audio issues resulting from different power settings between Wi-Fi IP phones & access points, World mode (IEEE 802.11d) should be configured.
  • Traffic Specification (TSPEC) must be enabled for CAC on APs & Platinum QoS for the VoWLAN SSID.
  • Channel utilization levels should be kept below 50 percent.
  • Cisco Compatible Extensions (CCX) should be enabled on wireless infrastructure, where possible.
  • Set the Beacon interval to 100 ms.
  • A DTIM of 2 is recommended where possible to save battery life on the IP phones.
  • WPA2/AES Enterprise with CCKM or 802.11r is recommended for 792x phones to avoid the need for a complete 802.1x re-authentication when roaming.
Some further useful Cisco documentation can be found in the Enterprise Mobility 8.1 Design Guide, Voice Over Wireless LAN (VoWLAN) Troubleshooting Checklist & the excellent Cisco Live presentation Voice over WiFi - Deployment Recommendations and Best Practices (BRKEWN-2000).

Monday, 13 November 2017

CUBE Template

This is the last of a planned series of templates. It provides a baseline template for a CUBE handling a SIP trunk from CUCM to the PSTN. Given that different vendor's SIP implementations vary, adjustments are likely to be needed, such as altering the headers via sip-profiles. Inline commentary explains various settings.

!
! Disable unnecessary services
no ip source-route
!
! Don't use ip options drop if you're using RSVP
! Don't use no service dhcp if you're using DHCP Relay
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable password encryption, TCP keepalives & faster config viewing
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
parser config cache interface
!
! Enable buffer overflow detection & correction
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Optimise TFTP transfers
ip tftp blocksize 8192
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable voice Internal Error Codes to syslog
voice iec syslog
!
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Enable DSP farm
voice-card 0
 dsp services dspfarm
!
voice rtp send-recv
!
voice service voip
 !
 ! Restrict call setup messages to trusted IP addresses
 ip address trusted list
  ipv4 1.2.3.4 255.255.255.255
  ipv4 1.2.3.5 255.255.255.255
 !
 ! Best practice settings
 mode border-element license capacity 100
 address-hiding
 dtmf-interworking standard
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 !
 ! T38 fax relay
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
 fax-relay sg3-to-g3
 h323
  h225 display-ie ccm-compatible
  call preserve
 sip
  asserted-id pai
  no update-callerid
  header-passing error-passthru
  early-offer forced
  privacy-policy passthru
  mid-call-signaling passthru
  sip-profiles 100
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
!
!
! Normalise SIP messages to remove display names & remove video attributes
voice class sip-profiles 100
 request ANY sip-header From modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sip-header Remote-Party-ID modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sip-header P-Asserted-Identity modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sdp-header Connection-Info remove
 response ANY sdp-header Connection-Info remove
 request ANY sdp-header Video-Attribute remove
 request ANY sdp-header Video-Session-Info remove
 request ANY sdp-header Video-Bandwidth-Info remove
 request ANY sdp-header Video-Connection-Info remove
 request ANY sdp-header Video-Media modify "m=video(.*)" ""
!
! Strip outside dialling prefix
voice translation-rule 1
 rule 1 /^9\(.+\)/ /\1/
!
!
voice translation-profile SIP-OUT
 translate called 1
!
! Simple QoS configuration
class-map match-any VoIP-Signal
 match ip dscp cs3  af31
class-map match-any VoIP-Media
 match ip dscp ef
!
policy-map VoIP
 class VoIP-Media
  priority percent 33
 class VoIP-Signal
  bandwidth percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description ## WAN Interface ##
 ip address x.x.x.x 255.255.255.192
 duplex auto
 speed auto
 service-policy output VoIP
!
interface GigabitEthernet0/1
 description ## LAN Interface ##
 ip address y.y.y.y 255.255.255.0
 duplex auto
 speed auto
 service-policy output VoIP
!
! Required to receive multicast MoH
ccm-manager music-on-hold
!
mgcp profile default
!
! Template dial-peers
dial-peer voice 1 voip
 description ## SIP Trunk ##
 translation-profile outgoing SIP-OUT
 destination-pattern 9.+
 session protocol sipv2
 session target ipv4:1.2.3.4
 incoming called-number 0.+
 voice-class codec 1 
 voice-class sip dtmf-relay force rtp-nte
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 !
 ! Use keepalives if the SIP trunk supports it
 voice-class sip options-keepalive
 dtmf-relay rtp-nte
 ip qos dscp cs3 signaling
 no vad
!
dial-peer voice 2 voip
 description ## DIDs to Subscriber ##
 destination-pattern 0.+
 session protocol sipv2
 session target ipv4:1.2.3.4
 incoming called-number 9.+
 voice-class codec 1 
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 !
 ! Solves problems with SCCP phones that don't support RFC2833
 dtmf-relay rtp-nte sip-kpml
 ip qos dscp cs3 signaling
 no vad
!
dial-peer voice 3 voip
 description ## DIDs to Publisher ##
 destination-pattern 0.+
 preference 1
 session protocol sipv2
 session target ipv4:1.2.3.5
 incoming called-number 9.+
 voice-class codec 1 
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 !
 ! Solves problems with SCCP phones that don't support RFC2833
 dtmf-relay rtp-nte sip-kpml
 ip qos dscp cs3 signaling
 no vad
!
! Set SIP timers & retries
sip-ua
 no remote-party-id
 retry invite 3
 retry register 3
 retry bye 3
 retry cancel 3
 !
 ! connection-reuse seems to break SIP CME/SRST, disable if necessary
 connection-reuse
 host-registrar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15