In this section:
Use the following topics to configure your network to send SBC Core media quality statistics as well as Security and Audit logs to Ribbon Analytics.
Report Media Quality Statistics to Ribbon Analytics
To facilitate monitoring and management of voice quality by the SBC Core and Ribbon Analytics, the SBC supports the following functionality to allow service providers to see discrete variations in voice quality, as well as monitor SLA and network operations. NOTE: Ribbon Protect is rebranded to Ribbon Analytics. Any references to 'Ribbon Protect' and 'Protect' in the SBC Core documentation apply to the Ribbon Analytics product.
The Media Probe feature facilitates monitoring and management of voice quality by the SBC Core and Ribbon Analytics. Use the following example configurations to establish communication with, and send media quality statistics (RTP/RTCP) and DTMF packets to, Ribbon Analytics using the Media Probe feature.
Configuring SBC Core using CLI for Ribbon Analytics
Media Probe CLI
The Media Probe functionality is added to the System Media configuration to capture and report on media quality statistics (RTP/RTCP) and DTMF packets. Configuration details are explained below.
Command Syntax
% set system media mediaProbe dscpValue <0-63> encryptionType <None> format <rtcp> mediaProbeAddressContext <addressContext> mediaProbeIpInterfaceGroup <mediaIpInterfaceGroup> protocolType <udp> reportingInterval <1-8> state <disabled | enabled>
Command Parameters
While configuring system media, the parameter mediaProbe
is optional because its default state
is disabled
. However, when configuring the parameter mediaProbe
, ensure to configure all values (or accept defaults, where applicable).
Parameter | Description |
---|---|
mediaProbe | The object that captures and reports media quality statistics (RTP/RTCP) and DTMF packets. Media Probe accepts the following values:
|
Configuration Example
set system media mediaProbe dscpValue 0 encryptionType none format rtcp mediaProbeAddressContext ADDR_CONTEXT_1 mediaProbeIpInterfaceGroup INGRESS_LIG protocolType udp reportingInterval 1 state enabled commit show system media mediaProbe state enabled; reportingInterval 1; protocolType udp; encryptionType none; format rtcp; dscpValue 0; mediaProbeAddressContext ADDR_CONTEXT_1; mediaProbeIpInterfaceGroup INGRESS_LIG;
Protect CLI
The Protect functionality is added to the System configuration to allow the SBC to communicate to the Ribbon Analytics server.
Command Syntax
% set system protect clusterName <Cluster name> serverAddress <DIG IP Address of the Ribbon Analytics Server> serverPort <port number>
Command Parameters
Parameter | Length/Range | Description |
---|---|---|
clusterName | 1-255 characters |
|
serverAddress | 1-255 characters | <IP Address> – Specify the DIG IP Address of the Ribbon Analytics server. |
serverPort | 1-255 characters |
|
Configuration Example
set system protect serverAddress 10.50.100.10 serverPort 5558 clusterName default commit show system protect serverAddress 10.50.100.10; serverPort 5558; clusterName default;
Configuring SBC Core using EMA for Ribbon Analytics
Media Probe
Use the Media Probe object to capture and report media quality statistics (RTP/RTCP) and DTMF packets.
EMA UI path: All > System > Media > Media Probe
Figure 1: Media Probe
Media Probe Parameters
The Media Probe fields are described below.
While configuring System Media, the parameter Media Probe is optional because its default state is "Disabled". However, when configuring the parameter Media Probe, ensure to configure all values (or accept defaults, where applicable).
Configure the following fields:
Table 1: Media Probe
Field | Length/Range | Description |
---|---|---|
State | N/A | Use this flag to enable/disable the system-wide Media Probe state. If the state is set to Enabled, the Media Probe captures and reports media quality statistics (RTP/RTCP) and DTMF packets. If the state is set to Disabled (default), the Media Probe does not capture and report media quality statistics (RTP/RTCP) and DTMF packets.
|
Reporting Interval | 1-8 | The interval at which RTCP application packets are sent to the remote Ribbon Analytics server, expressed as an integral multiple of the Media RTCP Control Sender Report Interval value (configurable to 5-120 seconds). Default is "1". For example, if Sender Report Interval is set to 5 seconds, then
|
Protocol Type | N/A | The network protocol used to transfer the data to the remote server. Currently, the SBC supports only UDP. |
Encryption Type | N/A | The encryption type used towards the Ribbon Analytics server. Currently, the SBC does not support any encryption. Default is "None". |
Format | N/A | The Media Probe format used to report qCDR (quality CDR capturing QoS statistics associated for a leg for each RTP-based stream). Currently, the SBC only supports RTCP. |
DSCP Value | 0-63 | The DSCP value for Media Probe RTCP application packets. Default = 0. |
Media Probe Address Context | N/A | The Address Context associated with the Media Probe IP Interface Group. |
Media Probe IP Interface Group | N/A | The Media IP Interface Group used to transmit Media Probe packets to the remote Ribbon Analytics server. |
Protect
Use the System > Protect object to allow the SBC to communicate to the Ribbon Analytics server.
EMA UI path: All > System > Protect
Figure 2: Protect
Protect Parameters
Configure the following fields.
Table 2: System - Protect
Parameter | Length/Range | Description |
---|---|---|
Server Address | 1-255 characters | Specify the DIG IP Address of the Analytics server. |
Server Port | 1-255 characters | Enter the Analytics server port number. |
Cluster Name | 1-255 characters | The Ribbon Analytics cluster name, which is currently set to the static value of "default". |
Configuration and Verification Steps
Step | Action |
---|---|
Ribbon Analytics Prerequisites |
|
SBC Core Configuration Steps | Configure the SBC to communicate with Ribbon Analytics. Configure the Protect functionality to establish communication with Ribbon Analytics and the Media probe functionality to collect QoS statistics and send the statistics to Analytics. Ensure to set the variables correctly to send the QoS statistics to Ribbon Analytics. Note: To use the EMA, refer to the procedure in System - Protect and System - Media - Media Probe. To configure via the CLI, refer to the procedure in Protect - CLI and Media System - CLI. |
To configure the Protect functionality, execute the following commands (refer to the procedure in Protect - CLI): % set system protect serverAddress <Ribbon Analytics DIG IP address> serverPort <Ribbon Analytics port #> clusterName <Ribbon Analytics clusterName> | |
To configure the Media Probe functionality, execute the following commands (refer to the procedure in Media System - CLI):
| |
Verify Ribbon Analytics functionality | The SBC Core devices that push data to Ribbon Analytics are added automatically to the list of devices in the Ribbon Analytics system. You do not have to add them manually. Verify if the SBC appears automatically in the Ribbon Analytics device list. |
Statistics
Media Probe License Availability
Service Authorised Cur Stats
On the SBC, go to All > Global > Service Authorised Cur Stats. The Service Authorisation Cur Stats window displays.
Use the Service Authorisation Cur Stats window to view current global statistics that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available. If the Media Probe Authorisation column is set to "1", the MEDIA-PROBE license is available.
Figure 3: Service Authorization Cur Stats Window - Partial
Service Authorised Int Stats
On the SBC main screen, go to All > Global > Service Authorised Int Stats. The Service Authorisation Int Stats window displays.
Use the Service Authorisation Int Stats window to view global statistics for a series of time intervals that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available.
Figure 4: Service Authorisation Int Stats Window - Partial
The statistics Media Probe Authorisation displays under the objects "Service Authorised Cur Stats" and "Service Authorised Int Stats".
Table 3: Media Probe Authorisation
Statistics | Description |
---|---|
Media Probe Authorisation | This statistic is set based on whether Media Probe is enabled/authorized.
|
Service Authorised Cur Stats
> show status global serviceAuthorisedCurStats mediaProbeAuthorisation serviceAuthorisedCurStats entry { licenseMode nodeLocked; encryptAuthorisation 1; srtpAuthorisation 1; enhancedVideoAuthorisation 1; amrnbLegAuthorisation 1; amrwbLegAuthorisation 1; evrcLegAuthorisation 1; niceRecAuthorisation 1; mrfSessionsAuthorisation 1; sipRecAuthorisation 1; transcodeAuthorisation 1; pdcsAuthorisation 1; liSessionsAuthorisation 1; sbcRtuSessionsAuthorisation 1; dspG722SessionsAuthorisation 1; gmp4x1SessionsAuthorisation 1; sipISessionsAuthorisation 1; sip323SessionsAuthorisation 1; gmp1x10SessionsAuthorisation 1; polRtuSessionsAuthorisation 1; psxRtuSessionsAuthorisation 1; capacityLicenseAuthorisation 0; e911SessionsAuthorisation 1; enumSessionsAuthorisation 1; swInstanceLicenseAuthorisation 1; evsLegAuthorisation 1; silkLegAuthorisation 1; slbAuthorisation 1; slbSessionsAuthorisation 1; mediaProbeAuthorisation 1; } [ok][<YYYY-MM-DD HH:MM:SS>]
Similar result displays for the corresponding show table
command, but in a tabular format.
Service Authorised Int Stats
> show status global serviceAuthorisedIntStats mediaProbeAuthorisation serviceAuthorisedIntStats 646 entry { intervalValid true; time 581362; licenseMode nodeLocked; encryptAuthorisation 1; srtpAuthorisation 1; enhancedVideoAuthorisation 1; amrnbLegAuthorisation 1; amrwbLegAuthorisation 1; evrcLegAuthorisation 1; niceRecAuthorisation 1; mrfSessionsAuthorisation 1; sipRecAuthorisation 1; transcodeAuthorisation 1; pdcsAuthorisation 1; liSessionsAuthorisation 1; sbcRtuSessionsAuthorisation 1; dspG722SessionsAuthorisation 1; gmp4x1SessionsAuthorisation 1; sipISessionsAuthorisation 1; sip323SessionsAuthorisation 1; gmp1x10SessionsAuthorisation 1; polRtuSessionsAuthorisation 1; psxRtuSessionsAuthorisation 1; capacityLicenseAuthorisation 0; e911SessionsAuthorisation 1; enumSessionsAuthorisation 1; swInstanceLicenseAuthorisation 1; evsLegAuthorisation 1; silkLegAuthorisation 1; slbAuthorisation 1; slbSessionsAuthorisation 1; mediaProbeAuthorisation 1; } [ok][<YYYY-MM-DD HH:MM:SS>]
Similar result displays for the corresponding show table
command, but in a tabular format.
License
Depending upon the licensing type, install the following license to use the Media Probe feature.
- NWDL: MEDIA-PROBE-D license
- Node Locked: MEDIA-PROBE license
Push SEC and AUD logs to Ribbon Analytics
The SBC Core routinely logs and reports invalid login attempts for access to all its accounts and interfaces. These logs and reports serve as an important data set for Ribbon Analytics, which warns administrators when many invalid attempts are seen across the network. The event reporting notes the IP and port from which the invalid attempt was made, and makes logs available in the SEC and AUD logs.
The SBC currently logs this information along with the remote IP to the file auth.log. The SBC also pushes the auth.log via syslogd so that Ribbon Analytics can access messages.
If the SBC is configured with a call trace filter to capture all SIP PDU messages in the trace log, then you must update the settings for the fields diskThrottleLimit
, eventLogValidation
, fileSize and
messageQueueSize
using the information provided in the Event Log - CLI page.
To configure the SBC to push SEC and AUD logs to Ribbon Analytics, refer to the "Type Admin" topic at Event Log - CLI.
Improve Traffic Between Ribbon Analytics and SBC
The Bucket Size value is insignificant if the Fill Rate value is unlimited. If the ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port. The Fill Rate and the Bucket Size parameters do not play any role since the policer portion of an ACL is only applicable for the "accept" action and is ignored with the "discard" action since all the packets are already discarded by the criteria.
Using the default Access Control List (ACL) rules, Ribbon Analytics traffic can be throttled when trying to collect files from the SBC. Using the CLI, follow these steps to improve traffic:
Update
operatorAggregatePolicer
with afillRate
of "30000" and abucketSize
of "250."Exampleset addressContext default operatorAggregatePolicer fillRate 30000 bucketSize 250
Create a new user ACL for the traffic between Ribbon Analytics and the SBC using the following parameters:
ACL Parametersadmin@PTBF05> show table addressContext default ipAccessControlList rule RA precedence 7003; protocol any; mgmtIpInterfaceGroup mgmtGroup; sourceIpAddress <RA IP>; sourceAddressPrefixLength 32; destinationIpAddress <SBC IP>; destinationAddressPrefixLength 32; sourcePort any; destinationPort any; action accept; fillRate 30000; bucketSize unlimited; state enabled; aggregatePolicer OPERATOR;
Generating SSH Keys for Default Users
The following section outlines how to generate SSH keys for Default Users on the SBC.
Generating a SSH Key on a Non-cloud Based SBC
The following steps outline how to generate SSH keys from the command line on a non-cloud based SBC. The second section also outlines how to install the SSH keys to a linuxadmin user:
Input the following command:
ssh-keygen -f <filename>.pem -t rsa
NoteTo add a password to the key, enter a passphrase in the fields provided. To decline adding a password, leave the fields blank.
Extract the public key from the newly generated private key using the following command:
ssh-keygen -y -f <keyname>
Examplejmulcock@jmulcock01:~$ ssh-keygen -f example.pem -t rsa Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in example.pem Your public key has been saved in example.pem.pub The key fingerprint is: SHA256:caJAkQzCTgQjSKim//234Rzz4ReGSnUDpR6/t8UQ6Qc jmulcock@jmulcock01 The key's randomart image is: +---[RSA 3072]----+ |%o.ooo .. | |+= .o .. . | |+ . o . o.E | |.o . . + ..+oo | |o . S ..o+..| |. . . o= | | . .+.....+| | . . oo* ...o| | .. ....+.o. . | +----[SHA256]-----+
Copying and installing a SSH key to the linuxadmin user
- Run the following command:
ssh-copy-id -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
- Enter the password for the linuxadmin user.
Perform a login test using the following command:
ssh -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
The user must install the key on all SBC instances (e.g. in a HA setup, install the key on both the active and standby instances).
To authenticate a public key, refer to:
Examplejmulcock@jmulcock01:~$ ssh-copy-id -i example.pem -p2024 linuxadmin@10.31.243.20 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "example.pem.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys ###################### # This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. # ###################### linuxadmin@10.31.243.20's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh -p '2024' 'linuxadmin@10.31.243.20'" and check to make sure that only the key(s) you wanted were added. jmulcock@jmulcock01:~$ ssh -p 2024 -i example.pem linuxadmin@10.31.243.20 ###################### # This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. # ###################### Last login: Thu May 4 15:27:53 BST 2023 from 172.26.223.243 on ssh Ribbon ConnexIP OS 10.01.00-A004 GNU/Linux linuxadmin@SBXUK20-1:~$
Public Cloud Key Generation
The following steps outline how to generate keys for public clouds. When creating keys for public clouds, two options are available:
- Allow terraform to generate the keys:
- IAC provides the option to generate the key for the linuxadmin user.
- Terraform tfvars will contain a variable like 'generate_ssh_key'.
- In AWS, use the AWS console to generate the key:
- Go to EC2 → Key Pairs
- Select Create Key Pair
- On screen
- Enter Name
- Select .pem
- Select Create key pair
- Save the private key somewhere.
SBC SSH Keys in Public Clouds
This section will outline how the SSH keys are handled on the SBC for linuxadmin and admin users for public clouds. All keys supplied to the cloud/instance are the public keys. The creator is responsible for storing the keys on the private side. Key types are always RSA. Any updates require the SBC instance to be rebooted to take effect.
For more information on updating SSH keys, refer to: Recovering SSH Key Access in Public Cloud and Updating User Data in Azure
AWS
Storage
- Linuxadmin - Stored in AWS Key Pairs (Orchestration)
- The key is generated by AWS Key Pairs via the console, or the user can import a public key.
- Admin - User Data
Orchestration
- Linuxadmin - Supplied as Key Name, extracted by cloud init
- Admin - Supplied in value for the 'AdminSshKey' key in user data
Update
- Linuxadmin - Update not supported (as it is not supported in AWS itself)
- Admin - Update Value of 'AdminSshKey' in User Data
GCP
Storage
- Linuxadmin - Part of instance Metadata
- Admin - User Data
Orchestration
- Linuxadmin - In SSH Keys section:
- Block Project Wide SSH Keys
- Supply key in the form ssh-rsa ... linuxadmin
- Admin - Supplied in value for the 'AdminSshKey' key in user data
Update
- Linuxadmin - Update the key against Username 'linuxadmin' in SSH keys
- Admin - Update Value of 'AdminSshKey' in User Data
Azure
Storage
- Linuxadmin - Part of instance Metadata (Orchestration) or User Data (Update)
- Admin - Custom Data (Orchestration) or User Data (Update)
Orchestration
- Linuxadmin -Suplied via
--ssh-key-values
flag - Admin - Supplied in value for the 'AdminSshKey' key in Custom Data
Update
- Linuxadmin - Attach User Data to the Azure instance, and add the updated key as:
"LinuxadminSshKey": "ssh-rsa YYYYYY",
- Admin - Attach User Data to the Azure instance, and update value of 'AdminSshKey'