Use the following topics to configure your network to send SBC Core media quality statistics as well as Security and Audit logs to Ribbon Analytics.
To facilitate monitoring and management of voice quality by the SBC Core and Ribbon Analytics, the SBC supports the following functionality to allow service providers to see discrete variations in voice quality, as well as monitor SLA and network operations.
NOTE: Ribbon Protect is rebranded to Ribbon Analytics. Any references to 'Ribbon Protect' and 'Protect' in the SBC Core documentation apply to the Ribbon Analytics product.
The Media Probe feature facilitates monitoring and management of voice quality by the SBC Core and Ribbon Analytics. Use the following example configurations to establish communication with, and send media quality statistics (RTP/RTCP) and DTMF packets to, Ribbon Analytics using the Media Probe feature.
The Media Probe functionality is added to the System Media configuration to capture and report on media quality statistics (RTP/RTCP) and DTMF packets. Configuration details are explained below.
% set system media mediaProbe dscpValue <0-63> encryptionType <None> format <rtcp> mediaProbeAddressContext <addressContext> mediaProbeIpInterfaceGroup <mediaIpInterfaceGroup> protocolType <udp> reportingInterval <1-8> state <disabled | enabled>
While configuring system media, the parameter mediaProbe is optional because its default state is disabled. However, when configuring the parameter mediaProbe, be sure to configure all values (or accept defaults, where applicable).
Parameter | Description |
---|---|
mediaProbe | The object that captures and reports media quality statistics (RTP/RTCP) and DTMF packets. Media Probe accepts the following values:
|
set system media mediaProbe dscpValue 0 encryptionType none format rtcp mediaProbeAddressContext ADDR_CONTEXT_1 mediaProbeIpInterfaceGroup INGRESS_LIG protocolType udp reportingInterval 1 state enabled
commit
show system media mediaProbe
state enabled;
reportingInterval 1;
protocolType udp;
encryptionType none;
format rtcp;
dscpValue 0;
mediaProbeAddressContext ADDR_CONTEXT_1;
mediaProbeIpInterfaceGroup INGRESS_LIG;
The Protect functionality is added to the System configuration to allow the SBC to communicate with the Ribbon Analytics server.
% set system protect clusterName <Cluster name> serverAddress <DIG IP Address of the Ribbon Analytics Server> serverPort <port number>
Parameter | Length/Range | Description |
---|---|---|
clusterName | 1-255 characters |
|
serverAddress | 1-255 characters | <IP Address> – Specify the DIG IP Address of the Ribbon Analytics server. |
serverPort | 1-255 characters |
|
set system protect serverAddress 10.50.100.10 serverPort 5558 clusterName default
commit
show system protect
serverAddress 10.50.100.10;
serverPort 5558;
clusterName default;
Use the Media Probe object to capture and report media quality statistics (RTP/RTCP) and DTMF packets.
EMA UI path: All > System > Media > Media Probe
Figure 1: Media Probe
The Media Probe fields are described below.
While configuring System Media, the parameter Media Probe is optional because its default state is "Disabled". However, when configuring the parameter Media Probe, be sure to configure all values (or accept defaults, where applicable).
Configure the following fields:
Table 1: Media Probe
Field | Length/Range | Description |
---|---|---|
State | N/A | Use this flag to enable/disable the system-wide Media Probe state. If the state is set to Enabled, the Media Probe captures and reports media quality statistics (RTP/RTCP) and DTMF packets. If the state is set to Disabled (default), the Media Probe does not capture and report media quality statistics (RTP/RTCP) and DTMF packets.
|
Reporting Interval | 1-8 | The interval at which RTCP application packets are sent to the remote Ribbon Analytics server, expressed as an integral multiple of the Media RTCP Control Sender Report Interval value (configurable to 5-120 seconds). Default is "1". For example, if Sender Report Interval is set to 5 seconds, then
|
Protocol Type | N/A | The network protocol used to transfer the data to the remote server. Currently, the SBC supports only UDP. |
Encryption Type | N/A | The encryption type used towards the Ribbon Analytics server. Currently, the SBC does not support any encryption. Default is "None". |
Format | N/A | The Media Probe format used to report qCDR (quality CDR capturing the QoS statistics associated with a leg for each RTP-based stream). Currently, the SBC only supports RTCP. |
DSCP Value | 0-63 | The DSCP value for Media Probe RTCP application packets. Default = 0. |
Media Probe Address Context | N/A | The Address Context associated with the Media Probe IP Interface Group. |
Media Probe IP Interface Group | N/A | The Media IP Interface Group used to transmit Media Probe packets to the remote Ribbon Analytics server. |
Use the System > Protect object to allow the SBC to communicate with the Ribbon Analytics server.
EMA UI path: All > System > Protect
Figure 2: Protect
Configure the following fields.
Table 2: System - Protect
Parameter | Length/Range | Description |
---|---|---|
Server Address | 1-255 characters | Specify the DIG IP Address of the Analytics server. |
Server Port | 1-255 characters | Enter the Analytics server port number. |
Cluster Name | 1-255 characters | The Ribbon Analytics cluster name, which is currently set to the static value of "default". |
Step | Action |
---|---|
Ribbon Analytics Prerequisites |
|
SBC Core Configuration Steps | Configure the SBC to communicate with Ribbon Analytics. Configure the Protect functionality to establish communication with Ribbon Analytics and the Media probe functionality to collect QoS statistics and send the statistics to Analytics. Ensure to set the variables correctly to send the QoS statistics to Ribbon Analytics. Note: To use the EMA, refer to the procedure in System - Protect and System - Media - Media Probe. To configure via the CLI, refer to the procedure in Protect - CLI and Media System - CLI. |
To configure the Protect functionality, execute the following commands (refer to the procedure in Protect - CLI): % set system protect serverAddress <Ribbon Analytics DIG IP address> serverPort <Ribbon Analytics port #> clusterName <Ribbon Analytics clusterName> | |
To configure the Media Probe functionality, execute the following commands (refer to the procedure in Media System - CLI):
| |
Verify Ribbon Analytics functionality | The SBC Core devices that push data to Ribbon Analytics are added automatically to the list of devices in the Ribbon Analytics system. You do not have to add them manually. Verify if the SBC appears automatically in the Ribbon Analytics device list. |
On the SBC, go to All > Global > Service Authorised Cur Stats. The Service Authorisation Cur Stats window displays.
Use the Service Authorisation Cur Stats window to view current global statistics that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available. If the Media Probe Authorisation column is set to "1", the MEDIA-PROBE license is available.
Figure 3: Service Authorization Cur Stats Window - Partial
On the SBC main screen, go to All > Global > Service Authorised Int Stats. The Service Authorisation Int Stats window displays.
Use the Service Authorisation Int Stats window to view global statistics for a series of time intervals that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available.
Figure 4: Service Authorisation Int Stats Window - Partial
The Media Probe Authorisation statistic displays under the objects "Service Authorised Cur Stats" and "Service Authorised Int Stats".
Table 3: Media Probe Authorisation
Statistics | Description |
---|---|
Media Probe Authorisation | This statistic is set based on whether Media Probe is enabled/authorized.
|
Service Authorised Cur Stats
> show status global serviceAuthorisedCurStats mediaProbeAuthorisation
serviceAuthorisedCurStats entry {
    licenseMode nodeLocked;
    encryptAuthorisation 1;
    srtpAuthorisation 1;
    enhancedVideoAuthorisation 1;
    amrnbLegAuthorisation 1;
    amrwbLegAuthorisation 1;
    evrcLegAuthorisation 1;
    niceRecAuthorisation 1;
    mrfSessionsAuthorisation 1;
    sipRecAuthorisation 1;
    transcodeAuthorisation 1;
    pdcsAuthorisation 1;
    liSessionsAuthorisation 1;
    sbcRtuSessionsAuthorisation 1;
    dspG722SessionsAuthorisation 1;
    gmp4x1SessionsAuthorisation 1;
    sipISessionsAuthorisation 1;
    sip323SessionsAuthorisation 1;
    gmp1x10SessionsAuthorisation 1;
    polRtuSessionsAuthorisation 1;
    psxRtuSessionsAuthorisation 1;
    capacityLicenseAuthorisation 0;
    e911SessionsAuthorisation 1;
    enumSessionsAuthorisation 1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation 1;
    silkLegAuthorisation 1;
    slbAuthorisation 1;
    slbSessionsAuthorisation 1;
    mediaProbeAuthorisation 1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]
A similar result displays for the corresponding show table command, but in a tabular format.
Service Authorised Int Stats
> show status global serviceAuthorisedIntStats mediaProbeAuthorisation
serviceAuthorisedIntStats 646 entry {
    intervalValid true;
    time 581362;
    licenseMode nodeLocked;
    encryptAuthorisation 1;
    srtpAuthorisation 1;
    enhancedVideoAuthorisation 1;
    amrnbLegAuthorisation 1;
    amrwbLegAuthorisation 1;
    evrcLegAuthorisation 1;
    niceRecAuthorisation 1;
    mrfSessionsAuthorisation 1;
    sipRecAuthorisation 1;
    transcodeAuthorisation 1;
    pdcsAuthorisation 1;
    liSessionsAuthorisation 1;
    sbcRtuSessionsAuthorisation 1;
    dspG722SessionsAuthorisation 1;
    gmp4x1SessionsAuthorisation 1;
    sipISessionsAuthorisation 1;
    sip323SessionsAuthorisation 1;
    gmp1x10SessionsAuthorisation 1;
    polRtuSessionsAuthorisation 1;
    psxRtuSessionsAuthorisation 1;
    capacityLicenseAuthorisation 0;
    e911SessionsAuthorisation 1;
    enumSessionsAuthorisation 1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation 1;
    silkLegAuthorisation 1;
    slbAuthorisation 1;
    slbSessionsAuthorisation 1;
    mediaProbeAuthorisation 1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]
A similar result displays for the corresponding show table command, but in a tabular format.
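One way to script this verification, as an added example that is not part of the Ribbon documentation: it parses the entry { ... } output of either command, reports whether mediaProbeAuthorisation is 1, and lists the features that report 0. The sample strings are constructed by shortening the outputs shown above, and the function names are hypothetical.

```python
import re

# Constructed samples: shortened copies of the two outputs shown above.
CUR = ("serviceAuthorisedCurStats entry { licenseMode nodeLocked; "
       "srtpAuthorisation 1; capacityLicenseAuthorisation 0; "
       "mediaProbeAuthorisation 1; }")
INT = ("serviceAuthorisedIntStats 646 entry { intervalValid true; "
       "time 581362; licenseMode nodeLocked; srtpAuthorisation 1; "
       "capacityLicenseAuthorisation 0; mediaProbeAuthorisation 1; }")

# Object name, optional interval index, then the "key value;" body.
BLOCK = re.compile(
    r"(serviceAuthorised(?:Cur|Int)Stats)\s*(\d*)\s*entry\s*\{(.*?)\}", re.S)
FIELD = re.compile(r"(\w+)\s+([^;]+);")


def parse_stats(output):
    """Return one {object, interval, fields} dict per entry in the output."""
    entries = []
    for name, interval, body in BLOCK.findall(output):
        fields = {k: v.strip() for k, v in FIELD.findall(body)}
        entries.append({"object": name,
                        "interval": int(interval) if interval else None,
                        "fields": fields})
    return entries


def unauthorised(entry):
    """Authorisation fields whose value is 0 (feature license not available)."""
    return sorted(k for k, v in entry["fields"].items()
                  if k.endswith("Authorisation") and v == "0")


def media_probe_licensed(output):
    """True only if at least one entry exists and all report the license."""
    entries = parse_stats(output)
    return bool(entries) and all(
        e["fields"].get("mediaProbeAuthorisation") == "1" for e in entries)


if __name__ == "__main__":
    for text in (CUR, INT):
        for e in parse_stats(text):
            print(e["object"], e["interval"],
                  media_probe_licensed(text), unauthorised(e))
```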
Depending upon the licensing type, install the following license to use the Media Probe feature.
The SBC Core routinely logs and reports invalid login attempts for access to all its accounts and interfaces. These logs and reports serve as an important data set for Ribbon Analytics, which warns administrators when many invalid attempts are seen across the network. The event reporting notes the IP and port from which the invalid attempt was made, and makes logs available in the SEC and AUD logs.
The SBC currently logs this information along with the remote IP to the file auth.log. The SBC also pushes the auth.log via syslogd so that Ribbon Analytics can access messages.
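A sketch of the cross-device correlation described above, as an added example that is not Ribbon code: it counts failed logins per source IP across several SBC hosts and keeps the users and hosts each source touched. The log lines are constructed and assume standard OpenSSH auth.log syntax (the page does not show the SBC's own entries); the threshold of 3 and the host name SBXUK20-2 are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in standard OpenSSH auth.log syntax (assumed format).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
May  4 15:20:01 SBXUK20-1 sshd[2101]: Failed password for linuxadmin from 198.51.100.7 port 40112 ssh2
May  4 15:20:03 SBXUK20-1 sshd[2101]: Failed password for linuxadmin from 198.51.100.7 port 40112 ssh2
May  4 15:20:09 SBXUK20-2 sshd[811]: Failed password for invalid user root from 198.51.100.7 port 51830 ssh2
May  4 15:21:40 SBXUK20-2 sshd[822]: Failed password for admin from 203.0.113.9 port 33400 ssh2
May  4 15:27:53 SBXUK20-1 sshd[2150]: Accepted publickey for linuxadmin from 192.0.2.15 port 50022 ssh2
"""

FAILED = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")


def failed_logins(text):
    """Yield (host, user, source_ip, source_port) for each failed login."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield m["host"], m["user"], m["ip"], int(m["port"])


def noisy_sources(text, threshold=3):
    """Return {source_ip: summary} for sources at or above the threshold,
    counted across every SBC host present in the feed."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for host, user, ip, _port in failed_logins(text):
        entry = stats[ip]
        entry["count"] += 1
        entry["hosts"].add(host)
        entry["users"].add(user)
    return {ip: s for ip, s in stats.items() if s["count"] >= threshold}


if __name__ == "__main__":
    for ip, s in noisy_sources(SAMPLE).items():
        print(ip, s["count"], sorted(s["hosts"]), sorted(s["users"]))
```

Counting per source across hosts, rather than per host, is what surfaces a source that stays under a per-device limit while probing several SBCs.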
If the SBC is configured with a call trace filter to capture all SIP PDU messages in the trace log, then you must update the settings for the fields diskThrottleLimit, eventLogValidation, fileSize and messageQueueSize using the information provided in the Event Log - CLI page.
To configure the SBC to push SEC and AUD logs to Ribbon Analytics, refer to the "Type Admin" topic at Event Log - CLI.
The Bucket Size value is insignificant if the Fill Rate value is unlimited. For ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port. The policer portion of an ACL applies only to the "accept" action and is ignored with the "discard" action, because all matching packets are already discarded by the criteria.
With the default Access Control List (ACL) rules, Ribbon Analytics traffic can be throttled when it tries to collect files from the SBC. Using the CLI, follow these steps to improve traffic:
Update operatorAggregatePolicer with a fillRate of "30000" and a bucketSize of "250".
set addressContext default operatorAggregatePolicer fillRate 30000 bucketSize 250
Create a new user ACL for the traffic between Ribbon Analytics and the SBC using the following parameters:
admin@PTBF05> show table addressContext default ipAccessControlList rule RA
precedence 7003;
protocol any;
mgmtIpInterfaceGroup mgmtGroup;
sourceIpAddress <RA IP>;
sourceAddressPrefixLength 32;
destinationIpAddress <SBC IP>;
destinationAddressPrefixLength 32;
sourcePort any;
destinationPort any;
action accept;
fillRate 30000;
bucketSize unlimited;
state enabled;
aggregatePolicer OPERATOR;
The following section outlines how to generate SSH keys for Default Users on the SBC.
The following steps outline how to generate SSH keys from the command line on a non-cloud based SBC. The second section also outlines how to install the SSH keys to a linuxadmin user:
Input the following command: ssh-keygen -f <filename>.pem -t rsa
To add a password to the key, enter a passphrase in the fields provided. To decline adding a password, leave the fields blank.
Extract the public key from the newly generated private key using the following command: ssh-keygen -y -f <keyname>
jmulcock@jmulcock01:~$ ssh-keygen -f example.pem -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in example.pem
Your public key has been saved in example.pem.pub
The key fingerprint is:
SHA256:caJAkQzCTgQjSKim//234Rzz4ReGSnUDpR6/t8UQ6Qc jmulcock@jmulcock01
The key's randomart image is:
+---[RSA 3072]----+
|%o.ooo .. |
|+= .o .. . |
|+ . o . o.E |
|.o . . + ..+oo |
|o . S ..o+..|
|. . . o= |
| . .+.....+|
| . . oo* ...o|
| .. ....+.o. . |
+----[SHA256]-----+
ssh-copy-id -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
Perform a login test using the following command: ssh -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
The user must install the key on all SBC instances (e.g. in a HA setup, install the key on both the active and standby instances).
To authenticate a public key, refer to:
jmulcock@jmulcock01:~$ ssh-copy-id -i example.pem -p2024 linuxadmin@10.31.243.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "example.pem.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
######################
# This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. #
######################
linuxadmin@10.31.243.20's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2024' 'linuxadmin@10.31.243.20'"
and check to make sure that only the key(s) you wanted were added.
jmulcock@jmulcock01:~$ ssh -p 2024 -i example.pem linuxadmin@10.31.243.20
######################
# This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. #
######################
Last login: Thu May 4 15:27:53 BST 2023 from 172.26.223.243 on ssh
Ribbon ConnexIP OS 10.01.00-A004 GNU/Linux
linuxadmin@SBXUK20-1:~$
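A local check on the generated private key before it is installed, as an added example that is not part of the Ribbon procedure: it flags a key file that is accessible to group or others and a key saved without a passphrase, for both the OpenSSH key format and legacy PEM. The sample key is a constructed header-only blob, not a usable key, and the function names are hypothetical.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\0"  # header of the OpenSSH private key format


def is_passphrase_protected(pem_text):
    """True if the private key text is encrypted with a passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # First field after the magic is the cipher name; "none" = unencrypted.
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM marks encryption in a header, PKCS#8 in the BEGIN line.
    return (lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----"
            or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines))


def audit_key_file(path):
    """Return a list of findings for the private key file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o}: accessible beyond the owner, use 600")
    with open(path) as fh:
        if not is_passphrase_protected(fh.read()):
            findings.append("no passphrase on private key")
    return findings


def constructed_key(cipher):
    """Constructed header-only sample: cipher, kdf, empty kdf options."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = base64.b64encode(MAGIC + s(cipher) + s(kdf) + s(b"")).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


def demo(cipher, mode):
    """Write a constructed key to a temp file with the given mode, audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.pem")
        with open(path, "w") as fh:
            fh.write(constructed_key(cipher))
        os.chmod(path, mode)
        return audit_key_file(path)
```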
The following steps outline how to generate keys for public clouds. When creating keys for public clouds, two options are available:
This section will outline how the SSH keys are handled on the SBC for linuxadmin and admin users for public clouds. All keys supplied to the cloud/instance are the public keys. The creator is responsible for storing the keys on the private side. Key types are always RSA. Any updates require the SBC instance to be rebooted to take effect.
For more information on updating SSH keys, refer to: Recovering SSH Key Access in Public Cloud and Updating User Data in Azure
--ssh-key-values
flag"LinuxadminSshKey": "ssh-rsa YYYYYY",