Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Automatic update to correct links
Add_workflow_for_techpubsAUTH1REV5REV6REV3REV4REV1REV2
Panel
borderColorgreenbgColortransparentborderWidth
2
Noprint

Back to Table of Contents

Back to SBC System Security

Additional sections:

Children Display
styleh6

 

Overview

In voice communications, traffic volume is regulated using the Call Admission Control (CAC) feature. CAC prevents over subscription of a managed network by monitoring packets entering the network in the call setup phase. CAC averts voice traffic congestion by ensuring that there is enough bandwidth for authorized flows.

The IP peer-based Call Admission Control (CAC) feature provides operators the ability to reject calls if the bandwidth usage from a given IP peer reaches the configured maximum allowed bandwidth limit (2 Mbps). CAC session call limits and emergency oversubscription controls may be applied both globally and separately (against ingress and egress traffic).

Dynamic peers are created with the registrations. The lifespan of dynamic peers are associated with their registration period. As soon as registration expires dynamic peers are deleted from the peer table. Similar to static peers, dynamic peers are also restricted to work under ceiling limit of bandwidth.

The 

Spacevars
0series4
supports bandwidth Call Admission Control (CAC) per supported media type1 by limiting video streams to specified bandwidth limits in order to provide a level of protection from video calls consuming call bandwidth otherwise needed for audio calls. This protection is implemented on the 
Spacevars
0product
by setting video thresholds (bandwidthVideoThreshold) to specific limits at the zone, trunk group, endpoint and shared CAC levels. The thresholds are a percentage of the total bandwidth limit such that any traffic above this level is reserved for audio-only calls. This video threshold limit behaves the same for emergency as well as non-emergency calls. Any video calls above the video threshold limit are dropped to allow audio calls to use this bandwidth.

Note

If the routing Packet Service Profile is configured with “Audio Only If Video Is Prevented” flag enabled (the default value), The

Spacevars
0product
reduces the session to audio-only calls if bandwidthVideoThreshold limit is reached.

Info
iconfalse

There is no bandwidth CAC for MSRP, data channels, FECC, and BFCP streams.

The 

Spacevars
0product
implements CAC at the application layer using Zone CAC, SIP Trunk Group CAC and SIP CAC Profile. For each of these CACs, the following configuration rules apply:

  • The individual Ingress or Egress call limit cannot exceed the Global call limit. For example, if the Global call limit = 100, Ingress or Egress call limit MUST be less than 100.
  • The sum of Ingress and Egress call limit can exceed the Global call limit. For example, if Global call limit = 100, Ingress call limit + Egress call limit can be greater than 100 (70+80).

Zone CAC

Zone CAC applies call, media bandwidth, and registration controls to a set of peers in a zone. Since a zone typically correlates to a single customer, this is equivalent to applying controls to that customer.
A Zone can be viewed as representing a customer. The 

Spacevars
0product
supports CAC for calls, media bandwidth, and registrations at the zone level.

Before admitting a call or, placing a call from/to a peer, both CAC associated with that trunk group and CAC associated Zone are applied. A call from/to a trunk group is not admitted or placed (outbound) if CAC fails at either trunk group or zone level. The default behavior of the CAC at Zone level is to admit/emit all the calls (and SIP registrations).

A Zone maintains a set of counters/statistics for keeping track of number of active calls, SIP registrations, total bandwidth usage for ingress and egress side.
Zone CAC achieves call control by managing allowed "call limit" and "call rate".

Call Limit

Zone CAC is configurable to control the number of simultaneous calls globally as well as separately (ingress and egress). A normal call within this zone will only be completed if the current active call count for the zone is less than the configured call limit. Zone CAC also updates the status and performance statistics parameters.

Zone CAC can be configured to provide an emergencyOversubscription percentage globally to give priority treatment to emergency calls. This percentage represents allowed emergency calls beyond the configured call limit. When the call limit is reached, normal calls are rejected but emergency calls are accepted up to an expanded limit. When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from having priority over normal calls.

Similar processing applies for media bandwidth controls. A normal call is completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call will be allowed up to an expanded limit based on the configured limit plus the emergencyOversubscription percentage.

The extendedEmergencyIpLimit feature allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted. See CAC Provisioning - SIP CAC Profile, Sip SIP Trunk Group - CacCAC (EMA) or Zone - CAC - CLI for  for CAC configuration details.

Call Rate Control

Zone CAC controls the call rate by using Token bucket policers. These policers monitor inbound and outbound call rates from/to peers within a zone.

If the emergencyOversubscription percentage is non-zero, then emergency calls are given preference over normal calls when restricting call rates. For example, if the allowed rate is 10 cps, and the 

Spacevars
0product
is presented with a call rate of 10 cps of normal calls and 5 cps of emergency calls, then on average the 
Spacevars
0product
will allow 5 cps of emergency calls and just 5 cps of normal calls.

Registration Control

The Registration control policer addresses the fact that the

Spacevars
0product
, as a whole, can support a limited number of SIP endpoint registrations. With no limit restrictions, subscribers belonging to a customer network might over-register resulting in no registration space for other customers/subscribers.

This Registration Limit CAC feature also permits provisioning an estimated number of implicit (child) registrations per explicit registrations that may be needed. The actual number of implicit registrations is set based on the number of P-Associated-URIs in the 200 response to the Register message.

Zone CAC controls the number of simultaneous registrations from peers in the zone. A registration is processed only if the current active registration count for the zone is less than the configured limit.

Zone CAC achieves registration control by managing the allowed "registration rate" and "registration limit".Zone CAC controls the number of initial SIP REGISTER simultaneously admitted from/to peers in a zone by maintaining a configurable initial registration count. A REGISTER request is not permitted if the value of this counter is zero.

Zone CAC also updates the status and performance statistics parameters.

Initial REGISTER Rate

Zone CAC controls the new registration rate by using Token bucket policers. These policers monitor inbound registration rates from peers within a zone.

Media Bandwidth Control

Media Bandwidth Control involves applying call control against maximum interface(s) bandwidth or a configurable bandwidth parameter based on the codec that the call selects.

SIP Trunk Group CAC

Trunk group CAC applies call, media bandwidth, message rate limiting and registration controls at the trunk group level. This is a finer level of granularity than a zone since a zone may contain many trunk groups. For example, Trunk Group CAC may be used to apply different controls to different peers belonging to the same customer.

Trunk group CAC controls the number of simultaneous calls globally, as well as separately (ingress and egress) for a subset of peers within a zone. A normal call within a trunk group is only completed if the current active call count for the trunk group is less than the configured call limit.

Trunk Group CAC provides an emergencyOversubscription percentage to give priority treatment to emergency calls at global level, as well as in inbound and outbound directions. This percentage is an additional amount beyond the configured call limit. When the call limit is reached, no additional normal calls are admitted. However, an emergency call is accepted up to the expanded limit.

When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from taking priority over normal calls. Call limits are for total calls (both ingress calls and egress calls apply against this total limit).

Similar processing applies for media bandwidth controls. A normal call is only completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call is allowed up to the expanded limit based on the base configured limit and the emergencyOversubscription percentage. Trunk group CAC controls the number of simultaneous calls (both ingress and egress) for a subset of peers within a zone. A normal call within a trunk group is only completed if the current active call count for the trunk group is less than the configured call limit.

Call Limit

Trunk group CAC controls the number of simultaneous calls (both ingress and egress). A normal call within this trunk group will only be completed if the current active call count for the zone is less than the configured call limit.

Trunk group CAC provides an emergencyOversubscription percentage to give priority treatment to emergency calls. This percentage is an additional amount beyond the configured call limit. When the call limit is reached, no additional normal calls are admitted. However, an emergency call is accepted up to an expanded limit.

When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from having priority over normal calls. Call limits are for total calls (that is both ingress calls and egress calls apply against this total limit).

Similar processing applies for media bandwidth controls. A normal call will only be completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call is allowed up to the expanded limit based on the base configured limit and the emergency oversubscription percentage.

The extendedEmergencyIpLimit feature allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted. See the following pages for EMA and CLI command details:

Call Rate Control

Trunk group CAC controls the call rate by using Token bucket policers which monitor inbound and outbound call rates from/to peers within a trunk group.

If the emergency oversubscription percentage is non-zero, then emergency calls are given preference over normal calls when restricting call rates. For example, if the allowed rate is 10 cps, and the 

Spacevars
0product
is presented with a call rate of 10 cps of normal calls and 5 cps of emergency calls, then, on average, the 
Spacevars
0product
allows 5 cps of emergency calls and just 5 cps of normal calls.

Shared CAC Limits Pool

Support for SIP Trunk Group

The 

Spacevars
0product
uses the Shared CAC-Limits Pool global object to support connectivity to multiple peering partners concurrently through one or more IP Trunk Groups to each partner network. Call Admission Control for a given IP Trunk Group limits the total number of calls exchanged and/or bandwidth consumed between the 
Spacevars
0product
and a peering partner, or limits only ingress or egress calls based on IP Trunk Group.

The Shared CAC-Limits Pool contains capacity limits such as bandwidth, call limits and call rates. Trunk group hierarchy is defined by associating the Shared CAC-limits pool (parent) to another Shared CAC-limits pool (child) or Trunk Group (child). The hierarchy has a maximum of three levels: two levels of Shared CAC-limits pool and an IP trunk at the bottom. The hierarchy is built bottom up by assigning a parent trunk group to an existing trunk group or CAC-limits pool. Note that a parent trunk group object should exist before assigning a child to it.

Validation rules:

  • There can only be one parent for any object.
  • An IP trunk group can be assigned as child to any CAC-limits pool (parent).
  • A CAC-limits pool can be assigned as a parent to any other CAC-limits pool that does not have a parent of its own.
  • A CAC-limits pool cannot be assigned to a parent if it already has a CAC-limits pool child.
  • The children of a particular CAC-limits pool can be either CAC-limits pools or IP trunks.

A shared CAC limits pool is not tied to a specific zone or address context. There may be up to 2,000 shared CAC limits pools on the 

Spacevars
0product
.

Figure 1 CAC-Limits Pool and Trunk Group Hierarchy

Image Modified

SIP CAC Profile

Support for Gateway Trunk Group

The

Spacevars
0product
associates a Gateway Trunk Group with an existing Shared CAC Limits Pool. Once associated, the Gateway Trunk Group is referred as a child of the Shared CAC Limits Pool (parent). A Gateway Trunk Group is associated with only one parent Shared CAC Limits Pool. However, a Shared CAC Limits Pool can be parent of multiple IP Trunk Groups (Gateway Trunk Groups, SIP Trunk Groups, and H323 Trunk Groups). The resource allocation is controlled between the IP Trunk Groups based on the availability and allowed limits. The purpose of this feature is to allow associating an existing Gateway Trunk Group with an existing Shared CAC Limits Pool, so that the basic call control parameters of a Gateway Trunk Group like call limit and bandwidth limit can be set, modified or deleted easily.

Info
iconfalse
titleNote

During switchover (for an HA pair), the configurations of a Gateway Trunk Group with respect to its Parent Shared CAC Limits Pool and CAC are preserved.

If a Shared CAC Limits Pool is a child, it cannot be a parent of another Shared CAC Limits Pool. The hierarchy of parent-child relationships between Shared CAC Limits Pools and the IP Trunk Groups is limited to three levels.

Caption
0Figure
1Three Level Hierarchy - Parent-Child Relationships.
 Image Added

Info
iconfalse
titleNote

If a Shared CAC Limits Pool has "C" number of children, only one of them can be another Shared CAC Limits Pool, and the rest (C - 1) must be a combination of Gateway Trunk Groups, SIP Trunk Groups, and H323 Trunk Groups.

If the IP Trunk Groups need resource, and their parent Shared CAC Limits Pool are unable to allocate it:

  • If the parent Shared CAC Limits Pool has a parent, which is another Shared CAC Limits Pool (and is effectively the grandparent of IP Trunk Groups), then the request for resources is passed on to the grandparent. However, if the grandparent cannot allocate resources from its pool, then the request is rejected.
  • If the parent Shared CAC Limits Pool does not have a parent, then the request for resources is rejected.

For example, the call limit for a Gateway Trunk Group is set to "L". From the figure Resource Allocation, if L is greater than (n - k), the Gateway Trunk Group is restricted to (n - k) calls only, and the difference (L - (n - k)) is a deficit. However, if the parent Shared CAC Limits Pool has a parent in the form of another Shared CAC Limits Pool (grandparent, with respect to Gateway Trunk Groups), then the resource allocation request is forwarded to the grandparent. The grandparent either allocates resources or rejects the request, depending on the availability of the resources.

Anchor
Resource Allocation
Resource Allocation
Caption
0Figure
1Resource Allocation

Image Added

SIP CAC Profile

This object creates and configures a CAC profile providing the ability for each SIP registered or static endpoint to have both global and separate (ingress and egress) call limits and emergency oversubscriptions. This is the highest level of granularity for CAC and applies to a specific SIP peer within a zone. This can be used, for example, to apply specific CAC controls to a particular IP PBX within a customer network.

The ability to limit call establishment for an individual endpoint is an important factor in helping to prevent voice-spam or abusive use of network resources. The 

Spacevars
0product
supports CAC controls for both registered and statically configured peers on a per SIP endpoint basis. With this feature, each SIP registered or static endpoint can have individualized limits on the number of active calls and the call rate. The control for the active call limit applies to calls in either direction. The call rate policing controls apply to ingress and egress calls separately. All three controls are provisioned on the SIP CAC Profile. For statically configured peers, the SIP CAC Profile is applied to the IP Peer object. For peers that register, the SIP CAC Profile is provisioned on the SIP trunk object associated with the SIP trunk group.

Similarly as for trunk group CAC and zone CAC, SIP Endpoint CAC supports an emergency oversubscription percentage. If this percentage is non-zero, emergency calls are allowed when normal calls are not, and emergency calls take precedence over normal calls through the call rate policers.

The

Spacevars
0product
is enhanced to support per-endpoint and peer CAC profiles for non-registered endpoints. The signaling IP address for a non-registered endpoint is not known and cannot be configured in the
Spacevars
0product
. When the This object creates and configures a Call Admission Control (CAC) profile providing the ability for each SIP registered or static endpoint to have both global and separate (ingress and egress) call limits and emergency oversubscriptions. This is the highest level of granularity for CAC and applies to a specific SIP peer within a zone. This can be used, for example, to apply specific CAC controls to a particular IP PBX within a customer network.The ability to limit call establishment for an individual endpoint is an important factor in helping to prevent voice-spam or abusive use of network resources. The 
Spacevars
0product
supports CAC controls profile for both registered and statically configured peers on a per SIP endpoint basis. With this feature, each SIP registered or static endpoint can have individualized limits on the number of active calls and the call rate. The control for the active call limit applies to calls in either direction. The call rate policing controls apply to ingress and egress calls separately. All three controls are provisioned on the SIP CAC Profile. For statically configured peers, the SIP CAC Profile is applied to the IP Peer object. For peers that register, the SIP CAC Profile is provisioned on the SIP trunk object associated with the SIP trunk group.

Similarly as for trunk group CAC and zone CAC, SIP Endpoint CAC supports an emergency oversubscription percentage. If this percentage is non-zero, emergency calls are allowed when normal calls are not, and emergency calls take precedence over normal calls through the call rate policers.

non-registered endpoints, the Registrar and Application Server (AS) check the authenticity of the non-registered endpoint.

Note
  • The existing Require Registration configuration functions independently from CAC Profiles. However, the parameter Require Registration continues to verify whether the calls from the non-registered endpoints are allowed or not.
  • The 3xx responses are used for redirection. The
    Spacevars
    0product
    processes and honors these responses without terminating the CAC profile for a non-registering endpoint.
  • If a non-registered endpoint CAC profile is terminated due to an error response, the source of the initial INVITE is not blacklisted.
  • After a switchover, the CAC values for Maximum Number of Calls, and Allocated Bandwidth are retained for non-registered endpoints too. However, the CAC value for Maximum Call Rate starts as a new instance.

The SIP CAC Profile also supports extendedEmergencyIpLimit feature which allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted. See SIP CAC Profile (EMA) or SIP CAC Profile - CLI for SIP CAC Profile CLI command details.

The 

Spacevars
0product
can be configured from EMA or CLI using SIP CAC Profile to limit the message rate of the following messages on a per IP trunk group basis:

  • Call/INVITE (initial request)
  • REGISTER (initial registration)
  • SUBSCRIBE (initial request)
  • OTHER (out-of-dialog request)
  • NOTIFY (out-of-dialog request)
  • MESSAGE (out-of-dialog request)
  • OPTIONS (out-of-dialog request)
  • REFER (initial request)
  • RESPONSE

Priority Call Handling

As described in the previous sections, emergency calls are given priority over normal calls if the emergency oversubscription percentage is set to an non-zero value. In this scenario, emergency calls are completed when the active call limit reaches the configured limit up to the expanded limit specified. Additionally, when the emergency oversubscription percentage is non-zero, emergency calls experience policing priority over normal calls. When the applied call rate exceeds the configured limits, the emergency calls take precedence. For example, if the configured rate is 10 cps, and 10 cps of normal calls are applied along with 5 cps of emergency calls, the policer passes 5 cps of emergency calls and just 5 cps of normal calls.

This emergency call preference applies (when emergency oversubscription is non-zero) at the Zone level, Trunk Group level and SIP endpoint CAC level.

Note
All CAC controls can run concurrently. When more than one control applies, each control must allow the call or registration before the request is accepted. This applies to higher-level requests such as call setups (SIP INVITE, H.323 SETUP) and registrations (SIP REGISTER). Additional controls exist on the raw underlying packet rates.

Call Gapping

Call gapping is only supported in the centralized PSX. Please see PSX documentation for details.

Active and Stable Sessions for a Configurable Time Interval

The 

Spacevars
0product
supports a percentage of sessions beyond the purchased session license capacity to measure the maximum amount of simultaneously active and stable sessions over a configurable time interval. For example, you can configure the time interval for 5 minutes or more. This enhanced statistics is used to validate if the
Spacevars
0product
's maximum licensed session capacity is breached along with the level of breach during the configured intervals. These measurement samples collected from many
Spacevars
0product
s determine the actual peak session usage. This statistics is also used by Sonus Ribbon to perform periodic audits.

Two new objects, The callCountCurrentStatistics and callCountIntervalStatistics are added to Global object to provide Current and Interval call statistics.

A new The callCountStatistics performance table callCountStatistics with provided the Current and Interval options are introduced.

Note

Currently, only the Max Session Count is supported under the performance table.

A new The configuration flag, callCountTimeInterval, is added to Interval Statistics object in the same lines of existing interval configuration. The default value of this configuration is 15 minutes and the value ranges from 5 minutes to 60 minutes.

Note

Currently, the

Spacevars
0product
applies a single interval period across all performance table with default value of 15 minutes. However, for Maximum Session Count, a more granular interval of 5 minutes is required. Hence, the need arises for a separate interval period configuration.

After an 

Spacevars
0product
switchover, all the callCountTimeInterval configuration values are retained. The currentIntervalStatistics value is re-calculated and updated based on the number of stable calls post the switchover process which are in-line with the other statistics.

The EMS supports this new metric such that the values are polled by the Insight Performance Reporting Engine and exported in .CSV format. The EMS support is inline with how other performance statistics are reported.

 

Pagebreak