Chapter 5: The VoIP Gateway — CUBE, CUCM, and SIP Trunk Migration from Legacy NIMs
Learning Objectives
Describe the role of a Cisco ISR router as a voice gateway bridging PSTN/ISDN to VoIP networks
Explain how CUBE handles SIP trunking and protocol interworking
Describe how CUCM provides call control for NIM-equipped gateways
Plan a migration strategy from legacy PRI/BRI/analog lines to SIP trunks
5.1 The Voice Gateway Concept
A voice gateway is a network device (typically a Cisco ISR router) that bridges the circuit-switched PSTN and the packet-switched IP world. It sits at the boundary between two fundamentally different communication technologies, translating signaling, media, and features so that traditional phones and IP-based endpoints can communicate seamlessly.
Three Essential Functions
Signaling conversion — Translates call setup/teardown messages between protocols (e.g., ISDN Q.931 to SIP).
Media conversion — Digitizes analog voice or repackages TDM voice into IP packets using codecs (G.711, G.729), including packetization and jitter buffering.
Feature mediation — Maps telephony features (caller ID, call transfer, supplementary services) between PSTN and IP, handling mismatches.
NIM Cards: Physical PSTN Interfaces
On a Cisco ISR 4000-series router, NIM (Network Interface Module) cards provide the physical connection to the PSTN. These are the hardware that plug into the telephone company's copper or fiber infrastructure:
NIM Card
PSTN Interface
Typical Use Case
NIM-2FXS
2 analog phone ports (FXS)
Connecting analog phones or fax machines directly
NIM-4FXO
4 analog trunk ports (FXO)
Connecting to analog PSTN lines from the carrier
NIM-2BRI-NT/TE
2 ISDN BRI ports
Connecting to ISDN Basic Rate lines (2B+D)
NIM-1MFT-T1/E1
1 T1/E1 PRI port
Connecting to ISDN PRI trunks (23B+D or 30B+D)
Voice DSP Resources
Digital Signal Processors (DSPs) are specialized chips built directly onto ISR 4000-series NIM cards (no separate PVDM required). They handle:
Transcoding — Converting between codecs in real time (e.g., G.711 at 64 kbps to G.729 at 8 kbps).
Echo cancellation — Removing echo caused by impedance mismatches in analog circuits.
Codec negotiation — Selecting the best codec both sides support, balancing quality against bandwidth.
Gateway vs. Gatekeeper vs. SBC
Role
Function
Analogy
Voice Gateway
Converts between PSTN and IP signaling/media
A translator at a border crossing
Gatekeeper
Centralized call admission control and address resolution for H.323
An air traffic controller
SBC
Controls SIP signaling/media at network boundaries between domains
A customs officer who inspects and authorizes crossings
A single Cisco ISR can serve as both a voice gateway and an SBC (via CUBE). Gatekeepers are largely legacy, as SIP has replaced most H.323 deployments.
Key Points — Section 5.1
A voice gateway performs three essential functions: signaling conversion, media conversion, and feature mediation between PSTN and IP.
NIM cards (FXS, FXO, BRI, T1/E1) provide the physical PSTN interfaces on ISR 4000 routers.
DSPs are built directly onto ISR 4000 NIM cards — no separate PVDM modules needed — and handle transcoding, echo cancellation, and codec negotiation.
A gateway translates protocols; an SBC (like CUBE) controls signaling at administrative boundaries; a gatekeeper provides H.323 call admission control (legacy).
A single ISR can serve as both a voice gateway and an SBC simultaneously via CUBE.
Pre-Study Quiz — Partition A (Sections 5.1 & 5.2)
1. What is the primary function of a voice gateway in a Cisco voice architecture?
To provide centralized call admission control for H.323 networks
To bridge circuit-switched PSTN and packet-switched IP networks by converting signaling and media
To manage IP phone registration and feature services
To distribute SIP sessions across multiple servers for load balancing
2. On the ISR 4000 series, where are voice DSP resources located?
On separate PVDM modules installed in dedicated motherboard slots
In the ISR's main CPU, shared with routing functions
Built directly onto the NIM voice cards themselves
On an external DSP farm server connected via Ethernet
3. What does it mean that CUBE operates as a SIP back-to-back user agent (B2BUA)?
CUBE passes SIP messages transparently between endpoints without modification
CUBE terminates the incoming SIP session and originates a completely new session on the other side
CUBE only handles the signaling plane; media always flows directly between endpoints
CUBE requires two separate physical routers — one for each SIP leg
4. Which IOS-XE command activates CUBE functionality on a router?
voice service voip / mode cube-enterprise
sip-ua / enable-cube
voice service voip / mode border-element
interface sip0/0 / cube enable
5. What security benefit does CUBE provide by operating as an SBC?
It encrypts all voice traffic using IPsec by default
It hides internal network topology so external parties only see CUBE's IP address
It eliminates the need for firewalls in the voice path
It automatically blocks all international calls
5.2 CUBE — Cisco Unified Border Element
CUBE (Cisco Unified Border Element) acts as a Session Border Controller on the ISR, sitting at the edge of the enterprise voice network. It controls every SIP session crossing the boundary to an external network — whether a SIP trunk to a service provider, a cloud UC platform, or a partner's phone system.
CUBE as SIP B2BUA
CUBE does not simply proxy SIP messages. As a B2BUA, it terminates the incoming SIP session on one side and originates a completely new session on the other. This gives CUBE full control over signaling and media:
Hides internal topology — External parties see only CUBE's IP address, never internal phones or CUCM.
Normalizes SIP — Modifies SIP headers to ensure interoperability between different vendors' SIP implementations.
Enforces security — Filters calls via trusted IP lists, ACLs, and Class of Restriction (COR).
Controls media flow — Supports flow-through (media transits router, enables transcoding/IP hiding) and flow-around (media direct between endpoints, lower router load).
SIP Trunk Configuration
A SIP trunk is the IP equivalent of a PRI trunk. Where PRI carries 23 (T1) or 30 (E1) channels over a physical circuit, SIP carries sessions over IP — limited by bandwidth and licensing, not physical channel counts.
Key configuration steps:
Enable CUBE mode:voice service voip / mode border-element / allow-connections sip to sip
Configure inbound dial-peer (from CUCM toward CUBE) with session protocol sipv2 and incoming called-number .
Configure outbound dial-peer (from CUBE toward provider) with destination-pattern and provider's session target IP.
Protocol Interworking
Interworking Pair
Use Case
SIP to SIP
Most common: enterprise SIP to provider SIP with header normalization
SIP to H.323
Connecting SIP trunk to legacy H.323 video/voice system
ISDN to SIP
Converting PRI/BRI signaling (via NIM card) to SIP for IP network
Analog to SIP
Converting FXO/FXS signaling (via NIM card) to SIP
High Availability and Capacity
CUBE supports an active/standby HA model using a virtual IP address on two ISR routers. Capacity planning considers: concurrent calls at peak hour, bandwidth per call (G.711 ~87 kbps, G.729 ~31 kbps), DSP resources for transcoding, and CPU headroom. Large deployments scale to 64,000 sessions using CUSP for load distribution.
Key Points — Section 5.2
CUBE is Cisco's SBC that operates as a SIP back-to-back user agent (B2BUA), terminating and re-originating SIP sessions for full control.
CUBE hides internal network topology, normalizes SIP headers, and enforces security policies at the voice network edge.
SIP trunk configuration requires enabling mode border-element, permitting allow-connections sip to sip, and creating inbound/outbound dial-peers.
CUBE supports protocol interworking between SIP, H.323, ISDN, and analog — critical for migration scenarios where legacy and modern trunks coexist.
High availability uses an active/standby pair with a virtual IP; capacity scales to 64,000 sessions via CUSP load distribution.
5.3 CUCM — Cisco Unified Communications Manager
CUCM (Cisco Unified Communications Manager) is the centralized call control platform — the brain that decides where every call goes, which phones ring, and what features are available. It runs on dedicated servers or VMs and provides call routing, phone registration, feature services, and user management.
Gateway Registration Protocols
NIM-equipped ISR gateways must register with CUCM so that CUCM can route calls through them. The registration protocol determines how much control CUCM has:
Moderate — shared control between gateway and CUCM
Modern deployments, CUBE integration
SCCP
High — CUCM controls analog ports
Legacy analog phone/fax integration
H.323
Lower — gateway has local routing logic
Legacy, being phased out
Version requirements: CUCM 10.5+ for ISR 44xx; CUCM 10.5.2+ for ISR 43xx. The ISR must run IOS-XE 3.16+ with the UC license package.
Route Patterns, Route Lists, and Route Groups
CUCM uses a layered call routing hierarchy:
Route Pattern matches dialed digits (e.g., 9.1[2-9]XX[2-9]XXXXXX strips the leading 9 access code).
Route List contains one or more route groups, providing failover capability.
Route Group contains the actual gateways or SIP trunks as members.
This layered structure enables redundancy: if the PRI gateway is unavailable, CUCM automatically fails over to the SIP trunk — a critical capability during migration.
Integration with Webex Calling
In hybrid architectures, CUCM manages on-premises phones and gateways while CUBE provides the SIP trunk to Webex cloud. NIM-equipped gateways provide local PSTN survivability — if the WAN link to the cloud fails, the local gateway still routes calls through its PRI or analog lines. This hybrid model is often a stepping stone for phased cloud migration.
CUCM is the centralized call control brain — it manages phone registration, call routing (route patterns, route lists, route groups), and feature services.
MGCP is the primary recommended protocol for CUCM-managed gateways because it gives CUCM complete control over gateway behavior.
The route pattern → route list → route group hierarchy enables redundant call routing with automatic failover (e.g., PRI to SIP trunk).
Webex Calling integration uses CUBE as the SIP trunk to the cloud, while NIM-equipped gateways provide local PSTN survivability if the WAN fails.
Post-Study Quiz — Partition A (Sections 5.1 & 5.2)
1. What is the primary function of a voice gateway in a Cisco voice architecture?
To provide centralized call admission control for H.323 networks
To bridge circuit-switched PSTN and packet-switched IP networks by converting signaling and media
To manage IP phone registration and feature services
To distribute SIP sessions across multiple servers for load balancing
2. On the ISR 4000 series, where are voice DSP resources located?
On separate PVDM modules installed in dedicated motherboard slots
In the ISR's main CPU, shared with routing functions
Built directly onto the NIM voice cards themselves
On an external DSP farm server connected via Ethernet
3. What does it mean that CUBE operates as a SIP back-to-back user agent (B2BUA)?
CUBE passes SIP messages transparently between endpoints without modification
CUBE terminates the incoming SIP session and originates a completely new session on the other side
CUBE only handles the signaling plane; media always flows directly between endpoints
CUBE requires two separate physical routers — one for each SIP leg
4. Which IOS-XE command activates CUBE functionality on a router?
voice service voip / mode cube-enterprise
sip-ua / enable-cube
voice service voip / mode border-element
interface sip0/0 / cube enable
5. What security benefit does CUBE provide by operating as an SBC?
It encrypts all voice traffic using IPsec by default
It hides internal network topology so external parties only see CUBE's IP address
It eliminates the need for firewalls in the voice path
It automatically blocks all international calls
5.4 Migration: From Legacy NIMs to SIP Trunks
Legacy PRI, BRI, and analog PSTN interfaces are deep into their sunset phase. Three forces drive migration to SIP trunks:
Cost — SIP trunks typically cost 40-60% less than equivalent PRI capacity, with pay-per-use pricing instead of fixed bundles.
Flexibility — SIP trunks are location-independent. Adding capacity means purchasing sessions, not waiting weeks for circuit provisioning.
PSTN sunset — Carriers worldwide are decommissioning legacy TDM infrastructure. ISDN PRI is often no longer available for new installations.
The Five-Phase Migration Approach
Phase
Name
Key Activities
Duration
1
Assess & Inventory
Catalog NIM cards, PRI/BRI/analog lines, channel utilization, special circuits (fax, alarm, elevator)
2-4 weeks
2
Prepare Gateway
Convert gateway protocol to SIP; update IOS-XE and CUCM; deploy CUBE
Run legacy PRI/BRI and SIP trunks simultaneously; validate quality and reliability
4-8 weeks
5
Cutover & Decommission
Port remaining numbers; cut over all traffic to SIP; decommission legacy NIM cards
2-4 weeks
Total timeline: approximately 3-5 months for a typical mid-sized deployment.
PRI vs. SIP Trunk Comparison
Feature
PRI (via NIM Card)
SIP Trunk (via CUBE)
Capacity
Fixed: 23 (T1) or 30 (E1) channels
Flexible: add sessions as needed
Physical connection
Dedicated copper/fiber circuit
Shared IP network (Internet or MPLS)
Location dependency
Tied to building where circuit terminates
Location-independent
Cost model
Fixed monthly for all channels
Per-channel or usage-based pricing
Codec flexibility
G.711 only (TDM native)
Any codec both endpoints support
Time to provision
Weeks to months
Hours to days
Decommissioning Legacy Cards
Verify zero traffic — Use show voice call summary and show isdn status to confirm no active calls.
Update dial plans — Remove/redirect CUCM route patterns, route groups, and route lists referencing the legacy gateway.
Cancel carrier circuits — Ensure number porting is complete before cancellation (allow 2-4 weeks).
Document the change — Update network diagrams, inventory systems, and DR plans.
Physically remove cards — NIM cards support OIR (Online Insertion and Removal) but best practice is during a maintenance window.
Reclaim resources — DSP resources on removed NIM are freed; consider redeploying the ISR if no longer needed for voice.
Key Points — Section 5.4
Three forces drive migration: cost savings (40-60% less), flexibility (location-independent, elastic capacity), and PSTN sunset (carriers decommissioning TDM).
The five-phase approach — Assess, Prepare, Set Up SIP, Parallel Run, Cutover — minimizes risk over a 3-5 month timeline.
The parallel run phase is critical: legacy PRI and SIP trunks run simultaneously while quality and failover behavior are validated.
Number porting from PRI to SIP provider typically requires 2-4 weeks of lead time — plan accordingly before decommissioning circuits.
Decommissioning is not just pulling a card: verify zero traffic, update CUCM dial plans, cancel carrier circuits, document changes, then physically remove NIMs during a maintenance window.
Pre-Study Quiz — Partition B (Sections 5.3 & 5.4)
1. Which gateway registration protocol gives CUCM the highest level of control over gateway behavior?
SIP
H.323
MGCP
SCCP
2. In CUCM's call routing hierarchy, what is the correct order from dialed digits to the physical gateway?
Route Group → Route List → Route Pattern → Gateway
Route Pattern → Route List → Route Group → Gateway
Route Pattern → Route Group → Route List → Gateway
Route List → Route Pattern → Route Group → Gateway
3. During a NIM-to-SIP migration, what is the primary purpose of the parallel run phase?
To allow the carrier time to disconnect PRI circuits
To validate SIP trunk quality and reliability while maintaining legacy fallback
To train end users on the new phone system
To configure CUCM route patterns for the first time
4. Which of the following is a key advantage of SIP trunks over PRI trunks?
SIP trunks use dedicated copper circuits for higher reliability
SIP trunks are limited to G.711 codec for guaranteed quality
SIP trunks offer flexible, location-independent capacity that can be provisioned in hours
SIP trunks require no SBC or border element for security
5. Before physically removing a legacy NIM card, what must you verify first?
That the card's firmware has been updated to the latest version
That zero calls are routing through the legacy NIM and all numbers have been ported
That CUCM has been upgraded to the latest major release
That the ISR router has been rebooted within the past 24 hours
Post-Study Quiz — Partition B (Sections 5.3 & 5.4)
1. Which gateway registration protocol gives CUCM the highest level of control over gateway behavior?
SIP
H.323
MGCP
SCCP
2. In CUCM's call routing hierarchy, what is the correct order from dialed digits to the physical gateway?
Route Group → Route List → Route Pattern → Gateway
Route Pattern → Route List → Route Group → Gateway
Route Pattern → Route Group → Route List → Gateway
Route List → Route Pattern → Route Group → Gateway
3. During a NIM-to-SIP migration, what is the primary purpose of the parallel run phase?
To allow the carrier time to disconnect PRI circuits
To validate SIP trunk quality and reliability while maintaining legacy fallback
To train end users on the new phone system
To configure CUCM route patterns for the first time
4. Which of the following is a key advantage of SIP trunks over PRI trunks?
SIP trunks use dedicated copper circuits for higher reliability
SIP trunks are limited to G.711 codec for guaranteed quality
SIP trunks offer flexible, location-independent capacity that can be provisioned in hours
SIP trunks require no SBC or border element for security
5. Before physically removing a legacy NIM card, what must you verify first?
That the card's firmware has been updated to the latest version
That zero calls are routing through the legacy NIM and all numbers have been ported
That CUCM has been upgraded to the latest major release
That the ISR router has been rebooted within the past 24 hours