Overview

In voice communications, traffic volume is regulated using the Call Admission Control (CAC) feature. CAC prevents over subscription of a managed network by monitoring packets entering the network in the call setup phase. CAC averts voice traffic congestion by ensuring that there is enough bandwidth for authorized flows.

The IP peer-based Call Admission Control (CAC) feature provides operators the ability to reject calls if the bandwidth usage from a given IP peer reaches the configured maximum allowed bandwidth limit (2 Mbps). CAC session call limits and emergency oversubscription controls may be applied both globally and separately (against ingress and egress traffic).

Dynamic peers are created with the registrations. The lifespan of dynamic peers are associated with their registration period. As soon as registration expires dynamic peers are deleted from the peer table. Similar to static peers, dynamic peers are also restricted to work under ceiling limit of bandwidth.

The SBC Core supports bandwidth Call Admission Control (CAC) per supported media type1 by limiting video streams to specified bandwidth limits in order to provide a level of protection from video calls consuming call bandwidth otherwise needed for audio calls. This protection is implemented on the SBC by setting video thresholds (bandwidthVideoThreshold) to specific limits at the zone, trunk group, endpoint and shared CAC levels. The thresholds are a percentage of the total bandwidth limit such that any traffic above this level is reserved for audio-only calls. This video threshold limit behaves the same for emergency as well as non-emergency calls. Any video calls above the video threshold limit are dropped to allow audio calls to use this bandwidth.

If the routing Packet Service Profile is configured with “Audio Only If Video Is Prevented” flag enabled (the default value), The SBC reduces the session to audio-only calls if bandwidthVideoThreshold limit is reached.

There is no bandwidth CAC for MSRP, data channels, FECC, and BFCP streams.

The SBC implements CAC at the application layer using Zone CAC, SIP Trunk Group CAC and SIP CAC Profile. For each of these CACs, the following configuration rules apply:

  • The individual Ingress or Egress call limit cannot exceed the Global call limit. For example, if the Global call limit = 100, Ingress or Egress call limit MUST be less than 100.
  • The sum of Ingress and Egress call limit can exceed the Global call limit. For example, if Global call limit = 100, Ingress call limit + Egress call limit can be greater than 100 (70+80).

Zone CAC

Zone CAC applies call, media bandwidth, and registration controls to a set of peers in a zone. Since a zone typically correlates to a single customer, this is equivalent to applying controls to that customer.
A Zone can be viewed as representing a customer. The SBC supports CAC for calls, media bandwidth, and registrations at the zone level.

Before admitting a call or, placing a call from/to a peer, both CAC associated with that trunk group and CAC associated Zone are applied. A call from/to a trunk group is not admitted or placed (outbound) if CAC fails at either trunk group or zone level. The default behavior of the CAC at Zone level is to admit/emit all the calls (and SIP registrations).

A Zone maintains a set of counters/statistics for keeping track of number of active calls, SIP registrations, total bandwidth usage for ingress and egress side.
Zone CAC achieves call control by managing allowed "call limit" and "call rate".

Call Limit

Zone CAC is configurable to control the number of simultaneous calls globally as well as separately (ingress and egress). A normal call within this zone will only be completed if the current active call count for the zone is less than the configured call limit. Zone CAC also updates the status and performance statistics parameters.

Zone CAC can be configured to provide an emergencyOversubscription percentage globally to give priority treatment to emergency calls. This percentage represents allowed emergency calls beyond the configured call limit. When the call limit is reached, normal calls are rejected but emergency calls are accepted up to an expanded limit. When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from having priority over normal calls.

Similar processing applies for media bandwidth controls. A normal call is completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call will be allowed up to an expanded limit based on the configured limit plus the emergencyOversubscription percentage.

The extendedEmergencyIpLimit feature allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted. See CAC Provisioning - SIP CAC Profile, SIP Trunk Group - CAC (EMA) or Zone - CAC - CLI for CAC configuration details.

Call Rate Control

Zone CAC controls the call rate by using Token bucket policers. These policers monitor inbound and outbound call rates from/to peers within a zone.

If the emergencyOversubscription percentage is non-zero, then emergency calls are given preference over normal calls when restricting call rates. For example, if the allowed rate is 10 cps, and the SBC is presented with a call rate of 10 cps of normal calls and 5 cps of emergency calls, then on average the SBC will allow 5 cps of emergency calls and just 5 cps of normal calls.

Registration Control

The Registration control policer addresses the fact that the SBC, as a whole, can support a limited number of SIP endpoint registrations. With no limit restrictions, subscribers belonging to a customer network might over-register resulting in no registration space for other customers/subscribers.

This Registration Limit CAC feature also permits provisioning an estimated number of implicit (child) registrations per explicit registrations that may be needed. The actual number of implicit registrations is set based on the number of P-Associated-URIs in the 200 response to the Register message.

Zone CAC controls the number of simultaneous registrations from peers in the zone. A registration is processed only if the current active registration count for the zone is less than the configured limit.

Zone CAC achieves registration control by managing the allowed "registration rate" and "registration limit".Zone CAC controls the number of initial SIP REGISTER simultaneously admitted from/to peers in a zone by maintaining a configurable initial registration count. A REGISTER request is not permitted if the value of this counter is zero.

Zone CAC also updates the status and performance statistics parameters.

Initial REGISTER Rate

Zone CAC controls the new registration rate by using Token bucket policers. These policers monitor inbound registration rates from peers within a zone.

Media Bandwidth Control

Media Bandwidth Control involves applying call control against maximum interface(s) bandwidth or a configurable bandwidth parameter based on the codec that the call selects.

SIP Trunk Group CAC

Trunk group CAC applies call, media bandwidth, message rate limiting and registration controls at the trunk group level. This is a finer level of granularity than a zone since a zone may contain many trunk groups. For example, Trunk Group CAC may be used to apply different controls to different peers belonging to the same customer.

Trunk group CAC controls the number of simultaneous calls globally, as well as separately (ingress and egress) for a subset of peers within a zone. A normal call within a trunk group is only completed if the current active call count for the trunk group is less than the configured call limit.

Trunk Group CAC provides an emergencyOversubscription percentage to give priority treatment to emergency calls at global level, as well as in inbound and outbound directions. This percentage is an additional amount beyond the configured call limit. When the call limit is reached, no additional normal calls are admitted. However, an emergency call is accepted up to the expanded limit.

When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from taking priority over normal calls. Call limits are for total calls (both ingress calls and egress calls apply against this total limit).

Similar processing applies for media bandwidth controls. A normal call is only completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call is allowed up to the expanded limit based on the base configured limit and the emergencyOversubscription percentage. Trunk group CAC controls the number of simultaneous calls (both ingress and egress) for a subset of peers within a zone. A normal call within a trunk group is only completed if the current active call count for the trunk group is less than the configured call limit.

Call Limit

Trunk group CAC controls the number of simultaneous calls (both ingress and egress). A normal call within this trunk group will only be completed if the current active call count for the zone is less than the configured call limit.

Trunk group CAC provides an emergencyOversubscription percentage to give priority treatment to emergency calls. This percentage is an additional amount beyond the configured call limit. When the call limit is reached, no additional normal calls are admitted. However, an emergency call is accepted up to an expanded limit.

When the emergencyOversubscription percentage is set to zero it effectively prevents emergency calls from having priority over normal calls. Call limits are for total calls (that is both ingress calls and egress calls apply against this total limit).

Similar processing applies for media bandwidth controls. A normal call will only be completed if the remaining bandwidth equals or exceeds the expected bandwidth for the call (based on the highest bandwidth codec in the signaling). However, an emergency call is allowed up to the expanded limit based on the base configured limit and the emergency oversubscription percentage.

The extendedEmergencyIpLimit feature allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted. See the following pages for EMA and CLI command details:

Call Rate Control

Trunk group CAC controls the call rate by using Token bucket policers which monitor inbound and outbound call rates from/to peers within a trunk group.

If the emergency oversubscription percentage is non-zero, then emergency calls are given preference over normal calls when restricting call rates. For example, if the allowed rate is 10 cps, and the SBC is presented with a call rate of 10 cps of normal calls and 5 cps of emergency calls, then, on average, the SBC allows 5 cps of emergency calls and just 5 cps of normal calls.

Shared CAC Limits Pool

Support for SIP Trunk Group

The SBC uses the Shared CAC-Limits Pool global object to support connectivity to multiple peering partners concurrently through one or more IP Trunk Groups to each partner network. Call Admission Control for a given IP Trunk Group limits the total number of calls exchanged and/or bandwidth consumed between the SBC and a peering partner, or limits only ingress or egress calls based on IP Trunk Group.

The Shared CAC-Limits Pool contains capacity limits such as bandwidth, call limits and call rates. Trunk group hierarchy is defined by associating the Shared CAC-limits pool (parent) to another Shared CAC-limits pool (child) or Trunk Group (child). The hierarchy has a maximum of three levels: two levels of Shared CAC-limits pool and an IP trunk at the bottom. The hierarchy is built bottom up by assigning a parent trunk group to an existing trunk group or CAC-limits pool. Note that a parent trunk group object should exist before assigning a child to it.

Validation rules:

  • There can only be one parent for any object.
  • An IP trunk group can be assigned as child to any CAC-limits pool (parent).
  • A CAC-limits pool can be assigned as a parent to any other CAC-limits pool that does not have a parent of its own.
  • A CAC-limits pool cannot be assigned to a parent if it already has a CAC-limits pool child.
  • The children of a particular CAC-limits pool can be either CAC-limits pools or IP trunks.

A shared CAC limits pool is not tied to a specific zone or address context. There may be up to 2,000 shared CAC limits pools on the SBC.

Figure 1 CAC-Limits Pool and Trunk Group Hierarchy


Support for Gateway Trunk Group

The SBC associates a Gateway Trunk Group with an existing Shared CAC Limits Pool. Once associated, the Gateway Trunk Group is referred as a child of the Shared CAC Limits Pool (parent). A Gateway Trunk Group is associated with only one parent Shared CAC Limits Pool. However, a Shared CAC Limits Pool can be parent of multiple IP Trunk Groups (Gateway Trunk Groups, SIP Trunk Groups, and H323 Trunk Groups). The resource allocation is controlled between the IP Trunk Groups based on the availability and allowed limits. The purpose of this feature is to allow associating an existing Gateway Trunk Group with an existing Shared CAC Limits Pool, so that the basic call control parameters of a Gateway Trunk Group like call limit and bandwidth limit can be set, modified or deleted easily.

Note

During switchover (for an HA pair), the configurations of a Gateway Trunk Group with respect to its Parent Shared CAC Limits Pool and CAC are preserved.

If a Shared CAC Limits Pool is a child, it cannot be a parent of another Shared CAC Limits Pool. The hierarchy of parent-child relationships between Shared CAC Limits Pools and the IP Trunk Groups is limited to three levels.

Three Level Hierarchy - Parent-Child Relationships.

 

Note

If a Shared CAC Limits Pool has "C" number of children, only one of them can be another Shared CAC Limits Pool, and the rest (C - 1) must be a combination of Gateway Trunk Groups, SIP Trunk Groups, and H323 Trunk Groups.

If the IP Trunk Groups need resource, and their parent Shared CAC Limits Pool are unable to allocate it:

  • If the parent Shared CAC Limits Pool has a parent, which is another Shared CAC Limits Pool (and is effectively the grandparent of IP Trunk Groups), then the request for resources is passed on to the grandparent. However, if the grandparent cannot allocate resources from its pool, then the request is rejected.
  • If the parent Shared CAC Limits Pool does not have a parent, then the request for resources is rejected.

For example, the call limit for a Gateway Trunk Group is set to "L". From the figure Resource Allocation, if L is greater than (n - k), the Gateway Trunk Group is restricted to (n - k) calls only, and the difference (L - (n - k)) is a deficit. However, if the parent Shared CAC Limits Pool has a parent in the form of another Shared CAC Limits Pool (grandparent, with respect to Gateway Trunk Groups), then the resource allocation request is forwarded to the grandparent. The grandparent either allocates resources or rejects the request, depending on the availability of the resources.

Resource Allocation


SIP CAC Profile

This object creates and configures a CAC profile providing the ability for each SIP registered or static endpoint to have both global and separate (ingress and egress) call limits and emergency oversubscriptions. This is the highest level of granularity for CAC and applies to a specific SIP peer within a zone. This can be used, for example, to apply specific CAC controls to a particular IP PBX within a customer network.

The ability to limit call establishment for an individual endpoint is an important factor in helping to prevent voice-spam or abusive use of network resources. The SBC supports CAC controls for both registered and statically configured peers on a per SIP endpoint basis. With this feature, each SIP registered or static endpoint can have individualized limits on the number of active calls and the call rate. The control for the active call limit applies to calls in either direction. The call rate policing controls apply to ingress and egress calls separately. All three controls are provisioned on the SIP CAC Profile. For statically configured peers, the SIP CAC Profile is applied to the IP Peer object. For peers that register, the SIP CAC Profile is provisioned on the SIP trunk object associated with the SIP trunk group.

Similarly as for trunk group CAC and zone CAC, SIP Endpoint CAC supports an emergency oversubscription percentage. If this percentage is non-zero, emergency calls are allowed when normal calls are not, and emergency calls take precedence over normal calls through the call rate policers.

The SBC is enhanced to support per-endpoint and peer CAC profiles for non-registered endpoints. The signaling IP address for a non-registered endpoint is not known and cannot be configured in the SBC. When the SBC supports CAC profile for non-registered endpoints, the Registrar and Application Server (AS) check the authenticity of the non-registered endpoint.

  • The existing Require Registration configuration functions independently from CAC Profiles. However, the parameter Require Registration continues to verify whether the calls from the non-registered endpoints are allowed or not.
  • The 3xx responses are used for redirection. The SBCprocesses and honors these responses without terminating the CAC profile for a non-registering endpoint.
  • If a non-registered endpoint CAC profile is terminated due to an error response, the source of the initial INVITE is not blacklisted.
  • After a switchover, the CAC values for Maximum Number of Calls, and Allocated Bandwidth are retained for non-registered endpoints too. However, the CAC value for Maximum Call Rate starts as a new instance.

The SIP CAC Profile also supports extendedEmergencyIpLimit feature which allows an additional configurable number of emergency calls in case the call limit quota and emergency oversubscription factor quota are exhausted.

Refer to Profiles - SIP CAC Profile (EMA) or SIP CAC Profile - CLI for SIP CAC Profile CLI command details.

The SBC can be configured from EMA or CLI using SIP CAC Profile to limit the message rate of the following messages on a per IP trunk group basis:

  • Call/INVITE (initial request)
  • REGISTER (initial registration)
  • SUBSCRIBE (initial request)
  • OTHER (out-of-dialog request)
  • NOTIFY (out-of-dialog request)
  • MESSAGE (out-of-dialog request)
  • OPTIONS (out-of-dialog request)
  • REFER (initial request)
  • RESPONSE

Priority Call Handling

As described in the previous sections, emergency calls are given priority over normal calls if the emergency oversubscription percentage is set to an non-zero value. In this scenario, emergency calls are completed when the active call limit reaches the configured limit up to the expanded limit specified. Additionally, when the emergency oversubscription percentage is non-zero, emergency calls experience policing priority over normal calls. When the applied call rate exceeds the configured limits, the emergency calls take precedence. For example, if the configured rate is 10 cps, and 10 cps of normal calls are applied along with 5 cps of emergency calls, the policer passes 5 cps of emergency calls and just 5 cps of normal calls.

This emergency call preference applies (when emergency oversubscription is non-zero) at the Zone level, Trunk Group level and SIP endpoint CAC level.

All CAC controls can run concurrently. When more than one control applies, each control must allow the call or registration before the request is accepted. This applies to higher-level requests such as call setups (SIP INVITE, H.323 SETUP) and registrations (SIP REGISTER). Additional controls exist on the raw underlying packet rates.

Call Gapping

Call gapping is only supported in the centralized PSX. Refer to PSX Documentation for details.

Active and Stable Sessions for a Configurable Time Interval

The SBC supports a percentage of sessions beyond the purchased session license capacity to measure the maximum amount of simultaneously active and stable sessions over a configurable time interval. For example, you can configure the time interval for 5 minutes or more. This enhanced statistics is used to validate if the SBC's maximum licensed session capacity is breached along with the level of breach during the configured intervals. These measurement samples collected from many SBCs determine the actual peak session usage. This statistics is also used by Ribbon to perform periodic audits.

The callCountCurrentStatistics and callCountIntervalStatistics are added to Global object to provide Current and Interval call statistics.

The callCountStatistics performance table provided the Current and Interval options.

Currently, only the Max Session Count is supported under the performance table.

The configuration flag, callCountTimeInterval, is added to Interval Statistics object in the same lines of existing interval configuration. The default value of this configuration is 15 minutes and the value ranges from 5 minutes to 60 minutes.

Currently, the SBC applies a single interval period across all performance table with default value of 15 minutes. However, for Maximum Session Count, a more granular interval of 5 minutes is required. Hence, the need arises for a separate interval period configuration.

After an SBC switchover, all the callCountTimeInterval configuration values are retained. The currentIntervalStatistics value is re-calculated and updated based on the number of stable calls post the switchover process which are in-line with the other statistics.

The EMS supports this metric such that the values are polled by the Insight Performance Reporting Engine and exported in .CSV format. The EMS support is inline with how other performance statistics are reported.