

Training resources

Voice of the Engineer (VoE) Events

  • February 8, 2018 CUBE Basic

There have been several sessions in the Cisco Learning Network related to CUBE which I STRONGLY recommend to anyone who wants to learn CUBE, or anyone who wants to hone their skills.

  • CUBE Session 1 - Exploring the Various Dial-Plan Methodologies on CUBE
  • CUBE Session 2 - Troubleshooting Various Caller-ID Issues and Implementing Sip-Profile
  • CUBE Session 3 - Troubleshooting Various Media and DTMF Interworking Issues
  • CUBE Session 4 - Exploring CUBE High Availability on ISR
  • CUBE Session 5 - Exploring CUBE High Availability on ISR 4K
  • CUBE Session 6 - Exploring Secure Voice (SIP TLS and SRTP) Support on CUBE

Collaboration Training Videos

Go to CUBE FAQ Content Table

Where can I find more CUBE documentation??

There is a dedicated Box where a lot of CUBE documentation is available and is kept up to date:


Should I use CUBE?? or not??

A direct SIP trunk is certainly technically feasible, but it is an inflexible and insecure solution and therefore strongly NOT recommended.

Reasons to terminate a SIP trunk on an enterprise demarc such as CUBE include but are not limited to:

  • Lack of call admission control (SLA enforcement and DoS attack mitigation) on the SIP trunk
  • Visibility of the CUCM and endpoint IP addresses to the SP network (and therefore to potential hackers)
  • Very limited SIP trunk load balancing and redundancy capabilities
  • No SIP trunk sharing between multiple CUCM clusters or other IP-PBX/proxy call agents in the enterprise
  • No SIP malformed packet or other protocol level attack mitigation for your CUCM
  • No way to troubleshoot voice quality problems to determine if it's your network or the SP's network at fault
  • Much more limited toll fraud prevention techniques on the SIP trunk
  • No way to control IP QoS settings on the incoming packets from the SP, and no way to customize them on the outgoing packets
  • No way to manipulate SIP messaging from the SP before it hits your CUCM to customize it to what CUCM/IP-PBX prefers to see
  • Limited means of complying with the SP UNI (SIP message manipulation on outbound messages to the SP, and capabilities such as early-offer)
  • Having to implement the SP UNI on CUCM instead of your enterprise preferred policies (and having to replicate this on every CUCM and IP-PBX routing calls to the SIP trunk)
  • Having no way of doing a SIP registration to the SP when this is required on the SIP trunk

You may want to also read this paper: Best Practices When Implementing SIP Trunks for PSTN Access White Paper


Can I configure TLS between CUCM and my SIP GW??

Yes. It's not commonly used, as all this infrastructure should already be within your internal network and safe from any attacks, but if you wish to secure communication between them, you can follow this guide:
SIP-TLS between IOS SIP Gateway and CallManager Configuration Example

UPDATED 6/12/2018
Suggested training: CUBE Session 6 - Exploring Secure Voice (SIP TLS and SRTP) Support on CUBE
Collaboration Training Videos

This has been simplified quite a lot with the use of a script and you can see it in the above training.


What SIP trunking deployment model should I choose??

I suggest you read this to make an informed decision:
SIP Trunking Deployment Models: Choose the One That Is Right for Your Company


Can I modify the failover time for my SIP trunk in CUCM??

Yes, you will need to tweak several parameters to adjust it to your liking:
Failover Timer on SIP Trunks with CallManager Configuration Example


Can I configure multiple Registrars with my SIP trunk??

Yes, this is possible, but make sure to note the caveats for this:
Configuring Multiple Registrars on SIP Trunks


Do I need the security license on my ISR for CUBE??

If you want to have TLS and/or SRTP for your CUBE connections, then yes, you would need the security license.
If you're not doing TLS/SRTP, then you don't require the security license.


What information do I need to ask my SP for my SIP trunk??

I got this awesome list from the below offering from PEC:

  • PVT Collaboration - Edge track - Collaboration Edge: Deploying SIP Trunks with Cisco Unified Border Element (Cube) Enterprise
  1. SIP trunk IP address (Destination IP Address for INVITES)
  2. SIP trunk port number (Destination port for INVITES)
  3. SIP trunk transport layer (UDP or TCP)
  4. Codecs supported
  5. Fax protocol support
  6. DTMF signaling mechanism
  7. Does the provider require SDP info in initial INVITE (Early Offer required)?
  8. SBC's external IP address that is required for the SP to accept / authenticate calls (Source IP address for INVITES)
  9. Does SP require SIP trunk registration for each DID? If yes, what is the username and password?
  10. Does SP require Digest Authentication? If yes, what is the username and password?

If you're a Cisco Partner, I strongly encourage you to review the whole recording as SIP is becoming the technology of choice for PSTN access and you should keep up to date with the new enhancements.

UPDATED 6/12/2018
I removed the link as the session doesn't seem to be available anymore. There are a few Live sessions which have similar content; I'll add them at a later date.


Is there any way to test my SIP normalization scripts for my CUBE??

Yes, there is a site. It's still in beta, so always validate the scripts after you configure them on your CUBE to make sure they work as expected.


How can I monitor my CUBE??

Besides CLI commands, or SNMP, I just heard about an app from a company called Arcana that does this:


What is Early Offer and Delayed Offer??

This refers to the SIP INVITE message, which is used to start a call to a SIP endpoint. If the INVITE contains SDP (Session Description Protocol), it is an Early Offer, because you're already sending out what capabilities you have and want for the call. If you send the INVITE without SDP and then wait for the 200 OK response to come back from the called party with its capabilities, it is a Delayed Offer.
It's very important to know, especially for SIP trunks, whether the other side expects Delayed Offer (DO) or Early Offer (EO) for session establishment.
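
To make the distinction concrete, the following added example (not from the original page or from Cisco) classifies a captured INVITE by whether it actually carries an SDP offer, including the compact header form and a declared-but-empty body. The function names, addresses and message contents are constructed for illustration.

```python
# Added example: classify a SIP INVITE as Early Offer or Delayed Offer.
# All addresses, tags and SDP values below are constructed sample data.
COMPACT = {"c": "content-type", "l": "content-length"}  # RFC 3261 compact forms

def parse_sip(raw):
    """Split a SIP message into (start_line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return lines[0], headers, body

def has_sdp(content_type, body):
    """True if the body is SDP, or a multipart body carrying an SDP part."""
    ctype = content_type.lower()
    if not body.strip():
        return False  # headers may promise SDP, but nothing was offered
    if ctype.startswith("application/sdp"):
        return body.lstrip().startswith("v=0")
    if ctype.startswith("multipart/"):
        # Simplification: look for an SDP part header inside the multipart body.
        return "content-type: application/sdp" in body.lower()
    return False

def classify_invite(raw):
    """Return 'early-offer', 'delayed-offer' or 'not-an-invite'."""
    start, headers, body = parse_sip(raw)
    if not start.upper().startswith("INVITE "):
        return "not-an-invite"
    if has_sdp(headers.get("content-type", ""), body):
        return "early-offer"
    return "delayed-offer"

SDP = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
       "t=0 0\r\nm=audio 16384 RTP/AVP 0 101\r\n")
BASE = ("INVITE sip:+15550100@sp.example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
        "From: <sip:1000@192.0.2.10>;tag=abc\r\nTo: <sip:+15550100@sp.example.net>\r\n"
        "Call-ID: constructed-1@192.0.2.10\r\nCSeq: 101 INVITE\r\n")
EARLY = BASE + "Content-Type: application/sdp\r\nContent-Length: %d\r\n\r\n%s" % (len(SDP), SDP)
DELAYED = BASE + "Content-Length: 0\r\n\r\n"
COMPACT_EARLY = BASE + "c: application/sdp\r\nl: %d\r\n\r\n%s" % (len(SDP), SDP)

if __name__ == "__main__":
    for label, msg in [("EARLY", EARLY), ("DELAYED", DELAYED), ("COMPACT", COMPACT_EARLY)]:
        print(label, "->", classify_invite(msg))
```

Run against INVITEs captured on both sides of the border element, this shows whether the offer type the provider sees matches what it asked for.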

This topic is nicely explained here:


How to configure a SIP trunk to a provider??

Cisco has tested several SIP trunk integrations to many Service Providers. You can find the ones we have tested and documented here:
Cisco Interoperability Portal, Cisco Unified Border Element (CUBE) / SIP Trunking Solutions

Unfortunately, we have not tested each and every single telco out there. In case your telco is not listed, you may want to reach your local Cisco team for assistance, or ask your telco for a sample configuration.


How to configure CUBE redundancy??

You can find all the details about how to configure HSRP for CUBE redundancy here:
Cisco Unified Border Element High Availability (HA) Using HSRP Configuration Example


CUBE redundancy, what does not work??

I've received several requests from people who want to have PVDMs and use them registered directly in CUBE, or have them registered in CUCM. The problem here lies in the fact that this depends on the same HSRP configuration, and if you fail over to the secondary CUBE, those calls will fail.
If you want to have DSP resources on both CUBEs and have them register at the same time in CUCM, this will also fail. You will only register the resources from the active CUBE, and calls using them will also fail upon failover.
This feature is really only meant for SIP calls flowing directly through the CUBE which are not pinned to DSP resources in the CUBE itself. If you need to have DSP resources involved for these kinds of calls, you would need to have them in a separate ISR which is always reachable by CUCM and for the RTP call flow.
What about a loopback?? That's a no-go; loopbacks are NOT supported when using CUBE HSRP. From the CUBE HSRP config doc:

So, in short, if you want DSP resources on both CUBEs for HSRP:

  • DSP resources will only be registered for the active CUBE
  • DSP resources will de-register if there's a failover; this will cause calls or conferences using them to fail
  • DSP resources from the failover CUBE will then register only when it's active
  • It's impossible to configure the DSP resources for load balancing, or have them both register at the same time

UPDATED 6/25/2018
At the top of the page, in the recommended training, you can see several sessions on CUBE HA which contain a lot of information around this on several platforms.

The DSP HA mechanism and features currently supported in a CUBE HA pair are explained here:
DSP High Availability Support


Can I have CUBE HA with TDM??

No, such a configuration is unsupported. You would need to have TDM (and redundancy if applicable) in a separate pair of ISRs.


Can I configure independent settings (timer, credentials, bind requests, etc) for my SIP trunks??

This was not possible in the past, as you would try all your credentials with all your trunks (I will add a Live session or CUBE material with the explanation at a later date), but it has recently been made possible by using the concept of tenants:


Is CUBE and SRST supported on the same ISR??

This depends on the platform, protocol and IOS release.

Prior to SRST 12.1 / IOS-XE 16.7.1:

  • SCCP SRST on ISR G2 with CUBE IS supported.
  • SIP SRST on ISR G2 with CUBE IS NOT supported.
  • SRST (SCCP / SIP) on ISR 4K with CUBE IS NOT supported.

With SRST 12.1+

  • SIP SRST on ISR 4K with CUBE IS supported.
  • Only the 78xx and 88xx series phones were validated, no SCCP endpoints.
  • No E-SRST or secure-SRST.

The use of voice tenants is required for this; a complete explanation can be found here:

In the documentation it is mentioned here, though not with all the above points:
Cisco Unified Border Element Configuration Guide: Supported Platforms


What are the maximum sessions I can have on my platform??

That information can be found in the CUBE Datasheet, refer to table 3 for the information.

A session is considered an end-to-end call across CUBE, with two call legs per session. This assumes G.711-G.711, call flow through, RTP-RTP and IPT. Higher complexity codecs or other scenarios might affect those numbers.


Are there memory (DRAM) requirements to deploy CUBE enterprise??

Yes, they're as follows:

  • ASR 1K requires 16 GB
  • ISR 4400 requires 8 GB
  • ISR 4300 requires 4 GB
  • ISR G2 requires 2 GB

Adding more memory will not affect the number of sessions.


Is there any impact if I enable Network Based Recording (NBR)??

Yes, media forking has a ~50% impact on session counts.


Can I have a SW MTP and CUBE on the same ISR??

Yes, you can find more information in this Cisco Live presentation: SIP Trunking with Cisco Unified Border Element (CUBE/vCUBE) Enterprise and SRST Co-location - BRKCOL-2125 on slide 12.

The recording can be found here: SIP Trunking with Cisco Unified Border Element (CUBE/vCUBE) Enterprise and SRST Co-location - BRKCOL-2125

The recommendation for sizing, and there is an example in the session, is to consider 1 SW MTP session ~ 1 CUBE IPT session.


How do you license your CUBE??

I'm not an expert in licensing, so if I'm wrong and someone notices this, feel free to reach out to me so I can correct this. This might also change in the future at an undisclosed date as more products start using smart licensing and licensing is enforced.

While that happens, a regular CUBE deployment has RTU licenses, which would be like the following SKU: FL-CUBEE-25= Unified Border Element Enterprise RTU license - 25 sessions

The actual limits of the ISR working as CUBE are HW defined, but you need to buy the above to be in compliance and for legal reasons.

For an HA deployment, the licenses are slightly different: FL-CUBEE-25-RED= Unified Border Element Ent Lic, 25 Sessions, Redundancy

These special licenses are shared across the CUBE pair, which means you only buy the total number of sessions you want to have. For example, if you want to have 100 redundant CUBE licenses, you only need to buy 100-RED licenses, and not 100 for each CUBE.


Any comments, questions, suggestions, contributions, etc. please send them to Please make sure the subject is formatted "UC FAQ <anything else>" as I'll have rules in my mail to match them, otherwise, they'll end up in my spam folder.
