Use the following topics to configure your network to send SBC Core media quality statistics as well as Security and Audit logs to Ribbon Analytics.
Report Media Quality Statistics to Ribbon Analytics
To facilitate monitoring and management of voice quality by the SBC Core and Ribbon Analytics, the SBC supports the following functionality to allow service providers to see discrete variations in voice quality, as well as monitor SLA and network operations.
NOTE: Ribbon Protect is rebranded to Ribbon Analytics. Any references to 'Ribbon Protect' and 'Protect' in the SBC Core documentation apply to the Ribbon Analytics product.
The Media Probe feature facilitates monitoring and management of voice quality by the SBC Core and Ribbon Analytics. Use the following example configurations to establish communication with, and send media quality statistics (RTP/RTCP) and DTMF packets to, Ribbon Analytics using the Media Probe feature.
Configuring SBC Core using CLI for Ribbon Analytics
Media Probe CLI
The Media Probe functionality is added to the System Media configuration to capture and report on media quality statistics (RTP/RTCP) and DTMF packets. Configuration details are explained below.
Command Syntax
% set system media mediaProbe dscpValue <0-63> encryptionType <None> format <rtcp> mediaProbeAddressContext <addressContext> mediaProbeIpInterfaceGroup <mediaIpInterfaceGroup> protocolType <udp> reportingInterval <1-8> state <disabled | enabled>
Command Parameters
While configuring system media, the parameter mediaProbe is optional because its default state is disabled. However, when configuring the parameter mediaProbe, ensure that you configure all values (or accept defaults, where applicable).
Parameter | Description |
---|---|
mediaProbe | The object that captures and reports media quality statistics (RTP/RTCP) and DTMF packets. Media Probe accepts the following values:
|
Configuration Example
set system media mediaProbe dscpValue 0 encryptionType none format rtcp mediaProbeAddressContext ADDR_CONTEXT_1 mediaProbeIpInterfaceGroup INGRESS_LIG protocolType udp reportingInterval 1 state enabled
commit
show system media mediaProbe
state enabled;
reportingInterval 1;
protocolType udp;
encryptionType none;
format rtcp;
dscpValue 0;
mediaProbeAddressContext ADDR_CONTEXT_1;
mediaProbeIpInterfaceGroup INGRESS_LIG;
Protect CLI
The Protect functionality is added to the System configuration to allow the SBC to communicate with the Ribbon Analytics server.
Command Syntax
% set system protect clusterName <Cluster name> serverAddress <DIG IP Address of the Ribbon Analytics Server> serverPort <port number>
Command Parameters
Parameter | Length/Range | Description |
---|---|---|
clusterName | 1-255 characters |
|
serverAddress | 1-255 characters | <IP Address> – Specify the DIG IP Address of the Ribbon Analytics server. |
serverPort | 1-255 characters |
|
Configuration Example
set system protect serverAddress 10.50.100.10 serverPort 5558 clusterName default
commit
show system protect
serverAddress 10.50.100.10;
serverPort 5558;
clusterName default;
Enabling DoD Mode on the SBC Core for Ribbon Analytics
Follow the steps in this section to use Ribbon Analytics on the SBC Core while DoD mode is enabled.
Remove the iptables rule for port 2024 that was added when DoD mode was enabled. Run the following command as root from a Linux shell.
iptables -D INPUT -i mgt0 -p tcp --syn --dport 2024 -m connlimit --connlimit-above 0 -j REJECT
Add an ACL rule to allow connections to port 2024 from the specific IP address used by Ribbon Analytics. Run the following command from the CLI in config mode.
set addressContext default ipAccessControlList rule RARule sourceIpAddress <IP> destinationPort 2024 action accept sourceAddressPrefixLength 32 precedence 5 state enabled
Add an ACL rule to override the default allow rule and disallow connections to port 2024. Run the following command from the CLI in config mode.
set addressContext default ipAccessControlList rule rejectAll action discard sourceIpAddress 0.0.0.0 destinationPort 2024 precedence 100 state enabled
The precedence value for the rejectAll rule is 100. The precedence value of any additional ALLOW rules for extra IPs should be less than 100.
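A check for the precedence requirement above, as an added example that is not part of the Ribbon documentation: it lints `set ... ipAccessControlList rule` commands for port 2024 before they are committed. The rule name RAExtra, the 198.51.100.x addresses and the /32 check are assumptions made for the illustration.

```python
# Constructed sample: the two DoD rules from this section plus one extra allow
# rule that is deliberately misordered. 198.51.100.x are documentation addresses.
SAMPLE_CONFIG = """\
set addressContext default ipAccessControlList rule RARule sourceIpAddress 198.51.100.10 destinationPort 2024 action accept sourceAddressPrefixLength 32 precedence 5 state enabled
set addressContext default ipAccessControlList rule RAExtra sourceIpAddress 198.51.100.11 destinationPort 2024 action accept sourceAddressPrefixLength 32 precedence 150 state enabled
set addressContext default ipAccessControlList rule rejectAll action discard sourceIpAddress 0.0.0.0 destinationPort 2024 precedence 100 state enabled
"""


def parse_rules(config_text):
    """Return one dict per ACL rule command, keyed by parameter name."""
    rules = []
    for line in config_text.splitlines():
        tokens = line.split()
        if "ipAccessControlList" not in tokens or "rule" not in tokens:
            continue
        pos = tokens.index("rule")
        if pos + 1 >= len(tokens):
            continue  # "rule" with no name after it
        params = tokens[pos + 2:]
        rule = dict(zip(params[0::2], params[1::2]))  # "key value" pairs
        rule["name"] = tokens[pos + 1]
        rules.append(rule)
    return rules


def audit_port(rules, port="2024"):
    """List problems with the allow/discard ordering for one destination port."""
    active = [r for r in rules
              if r.get("destinationPort") == port and r.get("state") == "enabled"]
    catch_all = [r for r in active
                 if r.get("action") == "discard"
                 and r.get("sourceIpAddress") == "0.0.0.0"
                 and r.get("precedence", "").isdigit()]
    if not catch_all:
        return [f"no enabled catch-all discard rule for port {port}"]
    cutoff = min(int(r["precedence"]) for r in catch_all)
    findings = []
    for r in active:
        if r.get("action") != "accept":
            continue
        prec = r.get("precedence", "")
        if not prec.isdigit() or int(prec) >= cutoff:
            findings.append(
                f"{r['name']}: precedence {prec or 'unset'} is not below {cutoff}")
        # Assumption: allow rules for this port should name a single host.
        if r.get("sourceAddressPrefixLength") != "32":
            findings.append(f"{r['name']}: source is not a single host (/32)")
    return findings


if __name__ == "__main__":
    for finding in audit_port(parse_rules(SAMPLE_CONFIG)):
        print(finding)
```
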
Configuring SBC Core using EMA for Ribbon Analytics
Media Probe
Use the Media Probe object to capture and report media quality statistics (RTP/RTCP) and DTMF packets.
EMA UI path: All > System > Media > Media Probe
Media Probe Parameters
The Media Probe fields are described below.
While configuring System Media, the parameter Media Probe is optional because its default state is "Disabled". However, when configuring the parameter Media Probe, ensure that you configure all values (or accept defaults, where applicable).
Configure the following fields:
Field | Length/Range | Description |
---|---|---|
State | N/A | Use this flag to enable/disable the system-wide Media Probe state. If the state is set to Enabled, the Media Probe captures and reports media quality statistics (RTP/RTCP) and DTMF packets. If the state is set to Disabled (default), the Media Probe does not capture and report media quality statistics (RTP/RTCP) and DTMF packets.
|
Reporting Interval | 1-8 | The interval at which RTCP application packets are sent to the remote Ribbon Analytics server, expressed as an integral multiple of the Media RTCP Control Sender Report Interval value (configurable to 5-120 seconds). Default is "1". For example, if Sender Report Interval is set to 5 seconds, then
|
Protocol Type | N/A | The network protocol used to transfer the data to the remote server. Currently, the SBC supports only UDP. |
Encryption Type | N/A | The encryption type used towards the Ribbon Analytics server. Currently, the SBC does not support any encryption. Default is "None". |
Format | N/A | The Media Probe format used to report qCDR (quality CDR capturing QoS statistics associated for a leg for each RTP-based stream). Currently, the SBC only supports RTCP. |
DSCP Value | 0-63 | The DSCP value for Media Probe RTCP application packets. Default = 0. |
Media Probe Address Context | N/A | The Address Context associated with the Media Probe IP Interface Group. |
Media Probe IP Interface Group | N/A | The Media IP Interface Group used to transmit Media Probe packets to the remote Ribbon Analytics server. |
Protect
Use the System > Protect object to allow the SBC to communicate with the Ribbon Analytics server.
EMA UI path: All > System > Protect
Protect Parameters
Configure the following fields.
Parameter | Length/Range | Description |
---|---|---|
Server Address | 1-255 characters | Specify the DIG IP Address of the Analytics server. |
Server Port | 1-255 characters | Enter the Analytics server port number. |
Cluster Name | 1-255 characters | The Ribbon Analytics cluster name, which is currently set to the static value of "default". |
Configuration and Verification Steps
Step | Action |
---|---|
Ribbon Analytics Prerequisites |
|
SBC Core Configuration Steps | Configure the SBC to communicate with Ribbon Analytics. Configure the Protect functionality to establish communication with Ribbon Analytics and the Media probe functionality to collect QoS statistics and send the statistics to Analytics. Ensure to set the variables correctly to send the QoS statistics to Ribbon Analytics. Note: To use the EMA, refer to the procedure in System - Protect and System - Media - Media Probe. To configure via the CLI, refer to the procedure in Protect - CLI and Media System - CLI. |
To configure the Protect functionality, execute the following commands (refer to the procedure in Protect - CLI): % set system protect serverAddress <Ribbon Analytics DIG IP address> serverPort <Ribbon Analytics port #> clusterName <Ribbon Analytics clusterName> | |
To configure the Media Probe functionality, execute the following commands (refer to the procedure in Media System - CLI):
| |
Verify Ribbon Analytics functionality | The SBC Core devices that push data to Ribbon Analytics are added automatically to the list of devices in the Ribbon Analytics system. You do not have to add them manually. Verify if the SBC appears automatically in the Ribbon Analytics device list. |
Statistics
Media Probe License Availability
Service Authorised Cur Stats
On the SBC, go to All > Global > Service Authorised Cur Stats. The Service Authorisation Cur Stats window displays.
Use the Service Authorisation Cur Stats window to view current global statistics that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available. If the Media Probe Authorisation column is set to "1", the MEDIA-PROBE license is available.
Service Authorised Int Stats
On the SBC main screen, go to All > Global > Service Authorised Int Stats. The Service Authorisation Int Stats window displays.
Use the Service Authorisation Int Stats window to view global statistics for a series of time intervals that report which licensed features are authorized for use on the SBC. A value of 0 indicates the feature license is not available.
The Media Probe Authorisation statistic displays under the objects "Service Authorised Cur Stats" and "Service Authorised Int Stats".
Statistics | Description |
---|---|
Media Probe Authorisation | This statistic is set based on whether Media Probe is enabled/authorized.
|
Service Authorised Cur Stats
> show status global serviceAuthorisedCurStats mediaProbeAuthorisation
serviceAuthorisedCurStats entry {
    licenseMode nodeLocked;
    encryptAuthorisation 1;
    srtpAuthorisation 1;
    enhancedVideoAuthorisation 1;
    amrnbLegAuthorisation 1;
    amrwbLegAuthorisation 1;
    evrcLegAuthorisation 1;
    niceRecAuthorisation 1;
    mrfSessionsAuthorisation 1;
    sipRecAuthorisation 1;
    transcodeAuthorisation 1;
    pdcsAuthorisation 1;
    liSessionsAuthorisation 1;
    sbcRtuSessionsAuthorisation 1;
    dspG722SessionsAuthorisation 1;
    gmp4x1SessionsAuthorisation 1;
    sipISessionsAuthorisation 1;
    sip323SessionsAuthorisation 1;
    gmp1x10SessionsAuthorisation 1;
    polRtuSessionsAuthorisation 1;
    psxRtuSessionsAuthorisation 1;
    capacityLicenseAuthorisation 0;
    e911SessionsAuthorisation 1;
    enumSessionsAuthorisation 1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation 1;
    silkLegAuthorisation 1;
    slbAuthorisation 1;
    slbSessionsAuthorisation 1;
    mediaProbeAuthorisation 1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]
A similar result displays for the corresponding show table command, but in a tabular format.
Service Authorised Int Stats
> show status global serviceAuthorisedIntStats mediaProbeAuthorisation
serviceAuthorisedIntStats 646 entry {
    intervalValid true;
    time 581362;
    licenseMode nodeLocked;
    encryptAuthorisation 1;
    srtpAuthorisation 1;
    enhancedVideoAuthorisation 1;
    amrnbLegAuthorisation 1;
    amrwbLegAuthorisation 1;
    evrcLegAuthorisation 1;
    niceRecAuthorisation 1;
    mrfSessionsAuthorisation 1;
    sipRecAuthorisation 1;
    transcodeAuthorisation 1;
    pdcsAuthorisation 1;
    liSessionsAuthorisation 1;
    sbcRtuSessionsAuthorisation 1;
    dspG722SessionsAuthorisation 1;
    gmp4x1SessionsAuthorisation 1;
    sipISessionsAuthorisation 1;
    sip323SessionsAuthorisation 1;
    gmp1x10SessionsAuthorisation 1;
    polRtuSessionsAuthorisation 1;
    psxRtuSessionsAuthorisation 1;
    capacityLicenseAuthorisation 0;
    e911SessionsAuthorisation 1;
    enumSessionsAuthorisation 1;
    swInstanceLicenseAuthorisation 1;
    evsLegAuthorisation 1;
    silkLegAuthorisation 1;
    slbAuthorisation 1;
    slbSessionsAuthorisation 1;
    mediaProbeAuthorisation 1;
}
[ok][<YYYY-MM-DD HH:MM:SS>]
A similar result displays for the corresponding show table command, but in a tabular format.
License
Depending upon the licensing type, install the following license to use the Media Probe feature.
- NWDL: MEDIA-PROBE-D license
- Node Locked: MEDIA-PROBE license
Push SEC and AUD logs to Ribbon Analytics
The SBC Core routinely logs and reports invalid login attempts for access to all its accounts and interfaces. These logs and reports serve as an important data set for Ribbon Analytics, which warns administrators when many invalid attempts are seen across the network. The event reporting notes the IP and port from which the invalid attempt was made, and makes logs available in the SEC and AUD logs.
The SBC currently logs this information along with the remote IP to the file auth.log. The SBC also pushes the auth.log via syslogd so that Ribbon Analytics can access messages.
If the SBC is configured with a call trace filter to capture all SIP PDU messages in the trace log, then you must update the settings for the fields diskThrottleLimit, eventLogValidation, fileSize and messageQueueSize using the information provided in the Event Log - CLI page.
To configure the SBC to push SEC and AUD logs to Ribbon Analytics, refer to the "Type Admin" topic at Event Log - CLI.
Improve Traffic Between Ribbon Analytics and SBC
The Bucket Size value is insignificant if the Fill Rate value is unlimited. For ACL rules with action = discard, the Fill Rate and Bucket Size values are irrelevant, and packets are dropped based on the Type, IP address, or Port. The policer portion of an ACL applies only to the "accept" action and is ignored for the "discard" action, because all matching packets are already discarded by the criteria.
Using the default Access Control List (ACL) rules, Ribbon Analytics traffic can be throttled when trying to collect files from the SBC. Using the CLI, follow these steps to improve traffic:
Update operatorAggregatePolicer with a fillRate of "30000" and a bucketSize of "250".
Example
set addressContext default operatorAggregatePolicer fillRate 30000 bucketSize 250
Create a new user ACL for the traffic between Ribbon Analytics and the SBC using the following parameters:
ACL Parameters
admin@PTBF05> show table addressContext default ipAccessControlList rule RA
precedence 7003;
protocol any;
mgmtIpInterfaceGroup mgmtGroup;
sourceIpAddress <RA IP>;
sourceAddressPrefixLength 32;
destinationIpAddress <SBC IP>;
destinationAddressPrefixLength 32;
sourcePort any;
destinationPort any;
action accept;
fillRate 30000;
bucketSize unlimited;
state enabled;
aggregatePolicer OPERATOR;
Generating SSH Keys for Default Users
The following section outlines how to generate SSH keys for Default Users on the SBC.
Generating a SSH Key on a Non-cloud Based SBC
The following steps outline how to generate SSH keys from the command line on a non-cloud based SBC. The second section also outlines how to install the SSH keys to a linuxadmin user:
Input the following command:
ssh-keygen -f <filename>.pem -t rsa
Note: To add a password to the key, enter a passphrase in the fields provided. To decline adding a password, leave the fields blank.
Extract the public key from the newly generated private key using the following command:
ssh-keygen -y -f <keyname>
Example
jmulcock@jmulcock01:~$ ssh-keygen -f example.pem -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in example.pem
Your public key has been saved in example.pem.pub
The key fingerprint is:
SHA256:caJAkQzCTgQjSKim//234Rzz4ReGSnUDpR6/t8UQ6Qc jmulcock@jmulcock01
The key's randomart image is:
+---[RSA 3072]----+
|%o.ooo .. |
|+= .o .. . |
|+ . o . o.E |
|.o . . + ..+oo |
|o . S ..o+..|
|. . . o= |
| . .+.....+|
| . . oo* ...o|
| .. ....+.o. . |
+----[SHA256]-----+
Copying and installing a SSH key to the linuxadmin user
- Run the following command:
ssh-copy-id -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
- Enter the password for the linuxadmin user.
Perform a login test using the following command:
ssh -i <key name> -p2024 linuxadmin@<SBC Mgt IP>
The user must install the key on all SBC instances (e.g. in a HA setup, install the key on both the active and standby instances).
To authenticate a public key, refer to:
Example
jmulcock@jmulcock01:~$ ssh-copy-id -i example.pem -p2024 linuxadmin@10.31.243.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "example.pem.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
######################
# This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. #
######################
linuxadmin@10.31.243.20's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2024' 'linuxadmin@10.31.243.20'"
and check to make sure that only the key(s) you wanted were added.
jmulcock@jmulcock01:~$ ssh -p 2024 -i example.pem linuxadmin@10.31.243.20
######################
# This system is restricted to authorized users only. Unauthorized access or access attempts to this system or services are prohibited. All user activity is logged. Evidence of unauthorized use collected during monitoring may be provided to appropriate personnel for administrative, criminal or other adverse action. #
######################
Last login: Thu May 4 15:27:53 BST 2023 from 172.26.223.243 on ssh
Ribbon ConnexIP OS 10.01.00-A004 GNU/Linux
linuxadmin@SBXUK20-1:~$
Public Cloud Key Generation
The following steps outline how to generate keys for public clouds. When creating keys for public clouds, two options are available:
- Allow terraform to generate the keys:
  - IAC provides the option to generate the key for the linuxadmin user.
  - Terraform tfvars will contain a variable like 'generate_ssh_key'.
- In AWS, use the AWS console to generate the key:
  - Go to EC2 → Key Pairs
  - Select Create Key Pair
  - On screen
    - Enter Name
    - Select .pem
    - Select Create key pair
  - Save the private key somewhere.
SBC SSH Keys in Public Clouds
This section will outline how the SSH keys are handled on the SBC for linuxadmin and admin users for public clouds. All keys supplied to the cloud/instance are the public keys. The creator is responsible for storing the keys on the private side. Key types are always RSA. Any updates require the SBC instance to be rebooted to take effect.
For more information on updating SSH keys, refer to: Recovering SSH Key Access in Public Cloud and Updating User Data in Azure
AWS
Storage
- Linuxadmin - Stored in AWS Key Pairs (Orchestration)
  - The key is generated by AWS Key Pairs via the console, or the user can import a public key.
- Admin - User Data
Orchestration
- Linuxadmin - Supplied as Key Name, extracted by cloud init
- Admin - Supplied in value for the 'AdminSshKey' key in user data
Update
- Linuxadmin - Update not supported (as it is not supported in AWS itself)
- Admin - Update Value of 'AdminSshKey' in User Data
GCP
Storage
- Linuxadmin - Part of instance Metadata
- Admin - User Data
Orchestration
- Linuxadmin - In SSH Keys section:
  - Block Project Wide SSH Keys
  - Supply key in the form ssh-rsa ... linuxadmin
- Admin - Supplied in value for the 'AdminSshKey' key in user data
Update
- Linuxadmin - Update the key against Username 'linuxadmin' in SSH keys
- Admin - Update Value of 'AdminSshKey' in User Data
Azure
Storage
- Linuxadmin - Part of instance Metadata (Orchestration) or User Data (Update)
- Admin - Custom Data (Orchestration) or User Data (Update)
Orchestration
- Linuxadmin - Supplied via --ssh-key-values flag
- Admin - Supplied in value for the 'AdminSshKey' key in Custom Data
Update
- Linuxadmin - Attach User Data to the Azure instance, and add the updated key as:
"LinuxadminSshKey": "ssh-rsa YYYYYY",
- Admin - Attach User Data to the Azure instance, and update value of 'AdminSshKey'
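Because a key update only takes effect after the instance reboots, the key values can be checked offline first. The following is an added example, not Ribbon code: it confirms that each key field holds a well-formed RSA public key and prints the fingerprint in the same SHA256 form that ssh-keygen reports. It assumes the user data is a JSON object carrying the 'AdminSshKey' and 'LinuxadminSshKey' fields shown above; the sample key is constructed and cannot be used for login.

```python
import base64
import hashlib
import json
import struct

KEY_FIELDS = ("AdminSshKey", "LinuxadminSshKey")  # field names used on this page

def _field(blob, offset):
    """Read one length-prefixed field of the SSH public key wire format."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Validate an 'ssh-rsa <base64> [comment]' line; return size and fingerprint."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob does not contain an RSA key")
    _exponent, pos = _field(blob, pos)
    modulus, pos = _field(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing data")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": int.from_bytes(modulus, "big").bit_length(),
            "fingerprint": "SHA256:" + digest}

def check_user_data(text):
    """Map each SSH key field present in the user data to a result or an error."""
    report = {}
    data = json.loads(text)
    for name in KEY_FIELDS:
        if name in data:
            try:
                report[name] = inspect_public_key(data[name])
            except ValueError as exc:  # includes base64 decoding errors
                report[name] = f"rejected: {exc}"
    return report

def constructed_key_line(bits=3072):
    """Build a structurally valid ssh-rsa line (constructed, not a usable key)."""
    def packed(raw):
        return struct.pack(">I", len(raw)) + raw
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = packed(b"ssh-rsa") + packed(b"\x01\x00\x01") + packed(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " linuxadmin"

SAMPLE_USER_DATA = json.dumps({  # constructed sample input
    "LinuxadminSshKey": constructed_key_line(),
    "AdminSshKey": "-----BEGIN OPENSSH PRIVATE KEY-----",  # private key pasted by mistake
})
```
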