Design and Implementation Considerations
This month’s chalk talk summarizes the contents of SIP Trunking, Chapter 7, "Design and Implementation Considerations." See SIP Trunking for more details about any of the points in this chalk talk and references to further reading materials.
SIP trunks are becoming an increasingly viable option for enterprises wanting to deploy IP-based PSTN access. This chapter highlights many of the network design and implementation considerations you should work through while planning or installing a SIP trunk for production purposes in your network. Migrating to SIP trunking is a fundamental network change that should be accompanied by the appropriate level of planning and configuration and can require several phases of deployment.
After a decision has been reached to connect to a service provider via Session Initiation Protocol (SIP) trunking, and after the choice has been made regarding the appropriate network model (centralized, distributed, or hybrid, as discussed in Chapter 6, "SIP Trunking Models"), consider the following items when planning the network design and SIP trunk implementation process:
- Geographic and regulatory considerations – If your network spans multiple geographic boundaries, continents, or countries, keep in mind both regulatory and distance considerations: Not all countries regard Voice over IP (VoIP) calls in the same way, and although virtually no country regulates what can be deployed inside an enterprise network, several countries regulate to varying degrees what calls can be handed off between an enterprise and a public (service provider) network. A second consideration is sheer distance, with the hair-pinned media paths resulting from the centralized SIP trunk model discussed in Chapter 6.
Adding latency to signaling paths is much less of a concern (it might add marginally to post-dial delay but does not impact voice quality on the active call), but latency of the media path directly affects voice quality and should be taken into consideration when designing and connecting a SIP trunk into an enterprise network.
For more details and discussion, see "Geographic and Regulatory Considerations" on page 102 of the publication.
- Internet Protocol (IP) connectivity options – Several different types of service providers offer SIP trunks. Enterprises can find offers from service providers to transport just their data services or just their voice services, or both. When the data and voice services are delivered by different providers, each traffic type is typically delivered over a separate physical medium. Also, when the SIP trunk carries high traffic, for example 1000 sessions or more, a separate physical medium for the SIP trunk is often used. Consider the physical medium of delivery and IP addressing aspects of IP connectivity when connecting to a SIP trunk.
For more details and discussion, see "IP Connectivity Options" on page 102 of the publication.
- Dial plans and call routing – Adding a SIP trunk service to your network most likely means there are service changes (accessible numbers and their associated cost), and you should optimize call routing in your network for the most cost-efficient calling patterns. This optimization, in turn, can affect current call admission control (CAC) and bandwidth-allocation policies implemented in your network.
Some specific items that might affect your dial-plan and call-routing configuration include the configuration of the voice gateway; routing of emergency, fax, modem, point-of-sale (POS), and Telecommunications Device for the Deaf (TDD) calls; and Direct Inward Dial (DID) number reachability.
Emergency calling is an important consideration to account for when integrating SIP trunk access into the enterprise. Traditionally emergency calling is based on the emergency responder knowing the physical location of the TDM connection from which the call is coming. With a SIP trunk, that relationship between the physical location and the calling number no longer exists. There are several options for handling emergency calls.
For more details and discussion, see "Dial Plans and Call Routing" on page 104 of the publication.
- Supplementary services – Cisco Unified Communications deployments offer a rich set of supplementary services. With the use of SIP trunks, how these services operate might change, and you need to evaluate how they can be maintained when a SIP trunk brings external calls into your enterprise. Different areas of supplementary services to evaluate include voice calls, voice mail, transcoding, and mobility.
For more details and discussion, see "Supplementary Services" on page 106 of the publication.
- Network demarcation – Demarcation has to do with defining and protecting the borders between networks owned or managed by different entities while maintaining interconnectivity and interoperation of traffic and features between the two networks.
TDM PSTN gateways offered an implicit enterprise network demarcation point. Until recently VoIP has been deployed only in private enterprise and small business networks for on-net calls (calls that remain within the organization's own network). Off-net calls that went from the enterprise to (or from) the PSTN were converted between IP and TDM at the PSTN interconnect point (even though many service provider backbone networks have also been VoIP for many years).
With SIP trunking the provider–to–enterprise interconnect is now also migrating to using VoIP technology. This means you no longer need TDM PSTN gateways, but it also means you lose all the demarcation features TDM gateways implicitly provided to your network:
- Compliance with service provider’s User-to-Network Interface (UNI)
- Codec choice
- Fault isolation
- Statistics and voice quality reporting
- Billing and call accounting
- QoS marking
- Topology hiding (security)
These demarcation features are critical to the maintenance, security, and management of your network.
For more details and discussion, see "Network Demarcation" on page 108 of the publication.
- Security considerations – The security concerns of TDM trunking, primarily toll fraud, exist equally on SIP trunking. In addition, SIP trunking exposes your network to IP-level threats similar to those of data WAN or Internet access, such as denial of service (DoS).
For an attacker to gain access to your enterprise IP network via a TDM voice trunk is virtually impossible unless the TDM connection is specifically configured for modem dial-up access, and most voice trunks are not. Perpetrating a DoS attack on a TDM trunk is also highly unlikely because it is both expensive and requires large-scale auto-dialer equipment the average Internet attacker does not have access to. Launching these same attacks against IP addresses is significantly easier and open to a much larger pool of perpetrators because no specialized equipment is necessary, and the attacks can be launched for free from any Internet connection.
When considering security on SIP trunks, you need to take into account different aspects of security. These aspects call for a series of features and capabilities to mitigate the potential threats. Security is always best deployed in a layered architecture, rather than a single box or feature that strives to protect against all possible attacks. Areas worth exploring for SIP trunk security include:
- Determine the level of exposure on the SIP trunk, which depends on how it is deployed and who the provider is.
- Limit the devices that can contact your network via the SIP trunk. Mitigation capabilities include features such as access lists, hostname validation, and voice source group definitions.
- Hide your enterprise network addressing from the outside (which could be Internet-visible) and inspect the validity of traffic that enters your network. Mitigation techniques include network address translation (NAT), topology hiding, firewalls, and intrusion prevention systems (IPS).
- Determine protocol and session validity. Mitigation techniques include SIP port settings, SIP protocol inspection and termination, registration, and authentication methods.
- Lock down your SIP trunk against toll fraud access using the same methods you used on your TDM gateways.
- Control the privacy of sessions on the SIP trunk. Mitigation techniques involve the control of originator information available outside the enterprise network with the use of SIP privacy headers, SIP normalization, digit manipulation, and encryption of the signaling and the media streams (such as Transport Layer Security [TLS], Secure RTP [SRTP], and the use of IPsec tunnels or virtual private networks [VPN] on the IP connections).
For more details and discussion, see "Security Considerations" on page 112 of the publication.
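The layered checks listed above (limit which devices may reach the trunk, validate the protocol, confirm the request is addressed to your own border element, and refuse calls that would turn the trunk into a toll-fraud transit path) can be expressed as a small ingress filter. The following is an added example, not CUBE or Cisco IOS code: the provider SBC range, local SIP hosts, DID prefix and sample INVITE are all constructed for the example (RFC 5737 documentation addresses), and the order and content of the checks are this example's own design.

```python
"""Layered ingress validation for SIP requests arriving over a SIP trunk.

Added example, not Cisco IOS/CUBE code.  The provider SBC range, local
SIP hosts, DID prefix and sample messages are assumptions constructed
for this example.
"""
import ipaddress
import re

PROVIDER_SBCS = [ipaddress.ip_network("203.0.113.0/28")]  # assumed provider SBC pool
OUR_SIP_HOSTS = {"sip.example.com", "198.51.100.10"}      # assumed border element identities
OUR_DID_PREFIXES = ("14155550",)                          # assumed inbound DID block, E.164 without '+'
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "UPDATE",
                   "PRACK", "INFO", "NOTIFY", "REFER"}     # REGISTER etc. are never expected from a trunk
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip(raw):
    """Split a SIP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def uri_parts(uri):
    """Return (user, host) of a sip:/sips: URI, ignoring URI params and port."""
    addr = uri.split(":", 1)[1] if uri.startswith(("sip:", "sips:")) else uri
    user, at, hostport = addr.rpartition("@")
    host = hostport.split(";")[0].split(":")[0]
    return (user if at else ""), host


def check_ingress(src_ip, raw):
    """Apply the layers in order; return (accepted, reason)."""
    # Layer 1: only the provider's SBCs may talk to the trunk (access list / source group).
    if not any(ipaddress.ip_address(src_ip) in net for net in PROVIDER_SBCS):
        return False, f"source {src_ip} is not a provider SBC"
    # Layer 2: protocol validity (request line, method, mandatory headers, lengths).
    start, headers, body = parse_sip(raw)
    m = REQUEST_LINE.match(start)
    if not m:
        return False, "malformed request line"
    method, uri = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted on the trunk"
    missing = [h for h in MANDATORY_HEADERS if h not in headers]
    if missing:
        return False, "missing mandatory header(s): " + ", ".join(missing)
    mf = headers["max-forwards"][0]
    if not mf.isdigit() or int(mf) == 0:
        return False, "bad Max-Forwards"
    if "content-length" in headers and headers["content-length"][0] != str(len(body)):
        return False, "Content-Length does not match body"
    # Layer 3: hostname validation, the request must be addressed to us.
    user, host = uri_parts(uri)
    if host not in OUR_SIP_HOSTS:
        return False, f"Request-URI host {host} is not ours"
    # Layer 4: toll-fraud guard, a new call from the trunk may only target our own DIDs.
    if method == "INVITE" and not user.lstrip("+").startswith(OUR_DID_PREFIXES):
        return False, f"called number {user} is not an inbound DID"
    return True, "accepted"


def sample_invite(called, via_host="203.0.113.5"):
    """Constructed INVITE with an empty body (Content-Length: 0)."""
    return ("INVITE sip:{called}@sip.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {via};branch=z9hG4bK776asdhds\r\n"
            "Max-Forwards: 70\r\n"
            "From: <sip:+12125550100@provider.example.net>;tag=1928301774\r\n"
            "To: <sip:{called}@sip.example.com>\r\n"
            "Call-ID: a84b4c76e66710@203.0.113.5\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Content-Length: 0\r\n"
            "\r\n").format(called=called, via=via_host)


if __name__ == "__main__":
    for src, msg in [("203.0.113.5", sample_invite("+14155550123")),
                     ("198.18.0.9", sample_invite("+14155550123")),
                     ("203.0.113.5", sample_invite("+4420794600000"))]:
        print(src, check_ingress(src, msg))
```

Each layer rejects for a different reason, which is the point of the layered approach: a source outside the provider's SBC range never reaches protocol inspection, and a well-formed INVITE from the provider that asks for an international number rather than one of your DIDs is refused before it can be hairpinned back out as a toll call.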
- Session management, call traffic capacity, bandwidth control, and Quality of Service (QoS) – Managing simultaneous voice call capacity and IP bandwidth use is essential for providing consistent quality in enterprise communications. Areas regarding session management and CAC to be considered in the design of your network include:
- Trunk provisioning: One of the major benefits of a SIP trunk is that as an enterprise’s needs expand, the number of simultaneous calls can be readily expanded without changing the physical interconnection, or even without an increase in provisioned bandwidth, provided excess bandwidth is already available.
- Bandwidth adjustments and consumption: Bandwidth consumption for IP call traffic inbound from the PSTN on a TDM gateway is easily predicted and controlled because the codec assignment is done by the gateway (or by the enterprise call agent, such as Cisco Unified Communications Manager [CUCM]). On a SIP trunk the codec is negotiated with the provider; the use of a Cisco Unified Border Element (CUBE) can ensure that this control is maintained when an enterprise adds a SIP trunk to its communications infrastructure.
- Call admission control (CAC): Top-tier service providers exert CAC in their networks, but how much protection this offers your enterprise network depends on who your service provider is and how well the controls are implemented. Unlike a TDM trunk, a SIP trunk has virtually no physical limit on the number of sessions it can carry, so it is strongly recommended that you protect your own network with your own CAC controls at your border element (especially if you are considering a SIP trunk offering without an explicit SLA). This protects against occasional unplanned bursts or surges in legitimate traffic and against potential malicious DoS attack traffic. Lack of CAC could overrun bandwidth on your network and adversely impact network operations.
- QoS metrics, such as packet marking, delay, jitter, and echo: Cisco provides many methods of measuring and ensuring QoS in an enterprise IP network. You should always use these methods internally when designing a UC system, and you should also extend them to the interconnect point when using a SIP trunk to connect to a service provider. Consider several areas of QoS including traffic marking, delay and jitter, echo, and congestion management.
- Voice-quality monitoring: To ensure business-class voice quality within the enterprise network and to determine whether a service provider is meeting an agreed-upon SLA, your enterprise should monitor some metrics. Each enterprise might choose to monitor different metrics, but an effective method of collecting the metrics independently of the service provider is important, because the provider's own reports cannot be the only evidence in an SLA dispute.
For more details and discussion, see "Session Management, Call Traffic Capacity, Bandwidth Control, and QoS" on page 124 of the publication.
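The bandwidth and CAC points above come down to two numbers per call (bandwidth for the negotiated codec, and how many such calls the trunk budget and session cap allow) and a gate that refuses the call when either would be exceeded. The following is an added example, not CUBE's CAC implementation: the codec table and the 40-byte IP/UDP/RTP overhead are the usual planning figures, while the 10 Mbit/s voice budget and 200-session cap are assumed values chosen for the example.

```python
"""Per-call bandwidth and a call admission control (CAC) gate for a SIP trunk.

Added example, not CUBE's CAC implementation.  The codec table and header
overheads are standard planning figures; the trunk sizing used in the
demonstration (10 Mbit/s voice budget, 200 sessions) is assumed.
"""
CODECS = {            # codec: (bit rate in bps, packetization interval in ms)
    "G.711": (64000, 20),
    "G.722": (64000, 20),
    "G.729": (8000, 20),
}
IP_UDP_RTP_OVERHEAD = 40  # bytes: IPv4 20 + UDP 8 + RTP 12 (no header compression)
ETHERNET_OVERHEAD = 18    # bytes: 14-byte header + 4-byte FCS (preamble/IFG not counted)


def call_bandwidth_bps(codec, include_l2=True):
    """Bandwidth of one direction of a call.  On a full-duplex link the
    budget applies to each direction separately, so this is the figure CAC
    charges per call."""
    rate_bps, ptime_ms = CODECS[codec]
    packets_per_second = 1000 // ptime_ms
    payload_bytes = rate_bps * ptime_ms // 8000        # 160 for G.711, 20 for G.729
    frame_bytes = payload_bytes + IP_UDP_RTP_OVERHEAD
    if include_l2:
        frame_bytes += ETHERNET_OVERHEAD
    return frame_bytes * 8 * packets_per_second        # 87,200 bps for G.711 on Ethernet


class TrunkCAC:
    """Admit or reject calls against a session cap and a bandwidth budget."""

    def __init__(self, max_sessions, budget_bps):
        self.max_sessions = max_sessions
        self.budget_bps = budget_bps
        self.active = {}           # Call-ID -> bandwidth reserved

    @property
    def used_bps(self):
        return sum(self.active.values())

    def admit(self, call_id, codec):
        """Return (admitted, reason).  A rejection here is what the border
        element would turn into a SIP 503 Service Unavailable toward the trunk."""
        if call_id in self.active:
            return False, "duplicate Call-ID"
        if len(self.active) >= self.max_sessions:
            return False, "session limit reached"
        need = call_bandwidth_bps(codec)
        if self.used_bps + need > self.budget_bps:
            return False, "bandwidth budget exceeded"
        self.active[call_id] = need
        return True, "admitted"

    def release(self, call_id):
        """Free the reservation when the call ends (BYE); return bps released."""
        return self.active.pop(call_id, 0)


def fill_trunk(cac, codec):
    """Offer calls until the first rejection; return (admitted_count, reason).
    Models a burst of legitimate traffic or a flood of INVITEs."""
    n = 0
    while True:
        ok, reason = cac.admit(f"call-{n}", codec)
        if not ok:
            return n, reason
        n += 1


if __name__ == "__main__":
    for codec in ("G.711", "G.729"):
        print(codec, call_bandwidth_bps(codec), "bps per direction")
        print("  fills to", fill_trunk(TrunkCAC(200, 10_000_000), codec))
```

With these assumed limits the binding constraint depends on the codec the provider negotiates: G.711 exhausts the 10 Mbit/s budget at 114 calls while G.729 hits the 200-session cap first, which is why the text says codec control and CAC have to be designed together.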
- Scalability and high availability – One of the attractive cost benefits of SIP trunking is the technical ability to centralize PSTN access for the enterprise into a single large pipe. Doing so, however, creates several design considerations, including both scalability and high availability.
Regarding scalability, routing all calls from the entire enterprise over a single or a small number of centralized SIP trunk access points means a SIP trunk capacity of several hundred to several thousand sessions for all but the smallest enterprises. This implies border element session capacity that often far outstrips any single TDM gateway in the typical enterprise. Most enterprise gateways are in the 1 to 16 T1/E1 range, which equates to at most 384 (T1) to 480 (E1) sessions. Even a T3 gateway, a relative rarity in the average enterprise, presents only 672 sessions.
Regarding high availability, the more sessions that are concentrated into a single physical pipe, the larger the business impact to your organization of this single point of failure. For this reason few enterprises truly deploy a single SIP trunk entry point into their networks; there are almost always multiple points.
Redundancy also becomes a much more pressing consideration because of the potentially large session capacity of SIP trunks. TDM gateway redundancy amounted to alternative routing over a different gateway when there was a failure. But when a single failure can now easily affect more than 1000 calls, and potentially the routing of all PSTN-destined calls, the need to mitigate such a failure escalates.
You can deploy several strategies to protect against the business impact of a SIP trunk failure, such as local and geographical SIP trunk redundancy, border element redundancy, load balancing and clustering, and PSTN TDM gateway failover.
For more details and discussion, see "Scalability and High Availability" on page 130 of the publication.
- SIP trunk monitoring – Several generic IP mechanisms can monitor the health of a network element, such as an Internet Control Message Protocol (ICMP) ping. Although these are useful, they provide only Layer 3 health. The SIP OPTIONS method defined in RFC 3261, sent out of dialog (OOD) as an "OPTIONS ping," provides a Layer 7 health indication of a SIP endpoint.
The OOD OPTIONS ping can provide a health check for a SIP trunk and enables attached devices to reroute traffic upon failure of any one element in the path. Note that it is a per-hop method, so several pings might need to be configured to provide end-to-end failure detection on a SIP trunk. This method is illustrated in Figure 7-11 in the publication.
For more details and discussion, see "SIP Trunk Monitoring" on page 138 of the publication.
By Christina Hattingh, Darryl Sladden, ATM Zakaria Swapan.
Published Feb 18, 2010
US SRP $58.50
Publisher: Cisco Press