This is the last of a planned series of templates. It provides a baseline template for a CUBE handling a SIP trunk from CUCM to the PSTN. Given that different vendors' SIP implementations vary, adjustments are likely to be needed, such as altering the headers via sip-profiles. Inline commentary explains the various settings.
!
! Disable unnecessary services
no ip source-route
!
! Don't use ip options drop if you're using RSVP
! Don't use no service dhcp if you're using DHCP Relay
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable password encryption, TCP keepalives & faster config viewing
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
parser config cache interface
!
! Enable buffer overflow detection & correction
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Optimise TFTP transfers
ip tftp blocksize 8192
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable voice Internal Error Codes to syslog
voice iec syslog
!
! Enable SSH v2, set the SSH negotiation timeout (120 seconds is the IOS default and maximum; lower it if desired) & create the SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.
This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user & an enable secret, configure local authentication (ideally use RADIUS/TACACS+)
! Without an enable secret, "aaa authentication enable default enable" has nothing to check against
enable secret [enable password]
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Enable DSP farm
voice-card 0
dsp services dspfarm
!
voice rtp send-recv
!
voice service voip
!
! Toll-fraud prevention: only accept call setup (INVITE) from trusted IP addresses
! Addresses used as dial-peer session targets (CUCM and the SIP trunk provider) are trusted automatically;
! list any other address that may send INVITEs here
ip address trusted list
ipv4 1.2.3.4 255.255.255.255
ipv4 1.2.3.5 255.255.255.255
!
! Best practice settings
mode border-element license capacity 100
address-hiding
dtmf-interworking standard
allow-connections sip to sip
supplementary-service h450.12
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
!
! T38 fax relay
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
fax-relay sg3-to-g3
h323
h225 display-ie ccm-compatible
call preserve
sip
asserted-id pai
no update-callerid
header-passing error-passthru
early-offer forced
privacy-policy passthru
mid-call-signaling passthru
sip-profiles 100
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
!
!
! Normalise SIP messages: replace display names with the user part of the URI
! (e.g. "Alice" <sip:2001@1.2.3.4> becomes "2001" <sip:2001@1.2.3.4>; headers without a quoted display name are left unchanged)
! & remove video attributes from the SDP
voice class sip-profiles 100
request ANY sip-header From modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
request ANY sip-header Remote-Party-ID modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
request ANY sip-header P-Asserted-Identity modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
request ANY sdp-header Connection-Info remove
response ANY sdp-header Connection-Info remove
request ANY sdp-header Video-Attribute remove
request ANY sdp-header Video-Session-Info remove
request ANY sdp-header Video-Bandwidth-Info remove
request ANY sdp-header Video-Connection-Info remove
request ANY sdp-header Video-Media modify "m=video(.*)" ""
!
! Strip outside dialling prefix
voice translation-rule 1
rule 1 /^9\(.+\)/ /\1/
!
!
voice translation-profile SIP-OUT
translate called 1
!
! Simple QoS configuration
class-map match-any VoIP-Signal
match ip dscp cs3 af31
class-map match-any VoIP-Media
match ip dscp ef
!
policy-map VoIP
class VoIP-Media
priority percent 33
class VoIP-Signal
bandwidth percent 5
class class-default
fair-queue
!
interface GigabitEthernet0/0
description ## WAN Interface ##
ip address x.x.x.x 255.255.255.192
duplex auto
speed auto
service-policy output VoIP
!
interface GigabitEthernet0/1
description ## LAN Interface ##
ip address y.y.y.y 255.255.255.0
duplex auto
speed auto
service-policy output VoIP
!
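The WAN interface above carries a public address with only the application-layer trusted list in front of the SIP stack. A packet filter on that interface is the check most practitioners add, so the fragment below is included here as an added example; it is not part of the original template. [ITSP IP] is a placeholder for the provider's signalling and media address (assumed to be one host; repeat the lines for each address the provider uses), 16384-32767 is assumed to be the CUBE RTP/RTCP port range (the platform default; confirm it for your release), and x.x.x.x x.x.x.x is the same management network already used by the VTY-IN access list.

```cisco
! Added example (not in the original template): layer-3 filter for the public-facing interface
! [ITSP IP] = provider signalling/media address (assumption; add a line per provider address)
! 16384-32767 = CUBE RTP/RTCP port range (assumption; platform default)
ip access-list extended WAN-IN
 remark SIP signalling from the provider only
 permit udp host [ITSP IP] any eq 5060
 permit tcp host [ITSP IP] any eq 5060
 remark RTP/RTCP from the provider
 permit udp host [ITSP IP] any range 16384 32767
 remark DNS replies from the resolvers configured with ip name-server
 permit udp host 208.67.220.220 eq domain any
 permit udp host 208.67.222.222 eq domain any
 remark NTP replies to the NTP client
 permit udp any eq ntp any eq ntp
 remark SSH management from the admin network (same hosts as VTY-IN)
 permit tcp x.x.x.x x.x.x.x any eq 22
 remark ICMP needed for path MTU discovery and troubleshooting
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else, including SIP scanners, is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
```

Check hit counts with `show ip access-lists WAN-IN` and the application-layer list with `show ip address trusted list`; the two are complementary, the ACL drops unwanted traffic before the SIP stack parses it, while the trusted list remains the backstop for anything that reaches the stack. A public SIP address is scanned continuously, so once the filter is tuned consider removing the `log` keyword from the final deny to avoid loading the CPU with log messages.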
! Required to receive multicast MoH
ccm-manager music-on-hold
!
mgcp profile default
!
! Template dial-peers
dial-peer voice 1 voip
description ## SIP Trunk ##
translation-profile outgoing SIP-OUT
destination-pattern 9.+
session protocol sipv2
session target ipv4:[SIP trunk provider IP]
incoming called-number 0.+
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
!
! Use keepalives if the SIP trunk supports it
voice-class sip options-keepalive
dtmf-relay rtp-nte
ip qos dscp cs3 signaling
no vad
!
dial-peer voice 2 voip
description ## DIDs to Subscriber ##
destination-pattern 0.+
session protocol sipv2
session target ipv4:1.2.3.4
incoming called-number 9.+
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
!
! Solves problems with SCCP phones that don't support RFC2833
dtmf-relay rtp-nte sip-kpml
ip qos dscp cs3 signaling
no vad
!
dial-peer voice 3 voip
description ## DIDs to Publisher ##
destination-pattern 0.+
preference 1
session protocol sipv2
session target ipv4:1.2.3.5
incoming called-number 9.+
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
!
! Solves problems with SCCP phones that don't support RFC2833
dtmf-relay rtp-nte sip-kpml
ip qos dscp cs3 signaling
no vad
!
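The dial-peers above accept any called number beginning 9 from CUCM and pass it to the provider, so a compromised phone or misconfigured route pattern can dial anywhere. Rejecting high-risk destinations on the incoming leg is the usual complement to the trusted list; the fragment below is an added example, not part of the original template. The patterns assume a UK dial plan behind the 9 outside-line prefix (900 = international, 909 = premium rate) and are applied before SIP-OUT strips the 9; adjust them to your own plan.

```cisco
! Added example (not in the original template): reject high-risk destinations
! before the 9 prefix is stripped. 900/909 assume a UK dial plan (assumption).
voice translation-rule 2
 rule 1 reject /^900/
 rule 2 reject /^909/
!
voice translation-profile BLOCK-TOLL-FRAUD
 translate called 2
!
! Apply on the dial-peers that receive calls from CUCM, so the check runs on the
! incoming leg before dial-peer 1 sends the call to the provider
dial-peer voice 2 voip
 call-block translation-profile incoming BLOCK-TOLL-FRAUD
 call-block disconnect-cause incoming call-reject
!
dial-peer voice 3 voip
 call-block translation-profile incoming BLOCK-TOLL-FRAUD
 call-block disconnect-cause incoming call-reject
```

Test a pattern without placing a call using `test voice translation-rule 2 900441234567890`, which reports whether the number matched a reject rule. Keep the permitted destinations enforced in CUCM route patterns and calling search spaces as well; this check on the CUBE is the last line of defence, not a replacement.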
! Set SIP timers & retries
sip-ua
no remote-party-id
retry invite 3
retry register 3
retry bye 3
retry cancel 3
!
! connection-reuse seems to break SIP CME/SRST, disable if necessary
connection-reuse
host-registrar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
permit x.x.x.x x.x.x.x
line con 0
logging synchronous
transport preferred none
exec-timeout 15
line vty 0 15
logging synchronous
transport preferred none
transport input ssh
access-class VTY-IN in
exec-timeout 15