Network Operating Systems

This page is an attempt to maintain a list of all network operating systems (NOSs) and network-centric applications that that are available in the market today, in no particular order.

Network Operating Systems

Sometimes it can be hard to tell the difference between a dis-agreggated  “operating system” which is modular and open source or a full stack (closed) solution. Where its a full-stack product, I’ll list it as an OS.

Stratum Project

Backed by a broad spectrum of organizations from across the networking industry, Stratum is building an open, minimal, production-ready distribution for white box switches.  Stratum exposes a set of next-generation SDN interfaces including P4Runtime and OpenConfig, enabling interchangeability of forwarding devices and programmability of forwarding behaviors. Stratum delivers a complete white box switch solution truly delivering on the ‘software defined’ promise of SDN.

Stratum Project – Developing a reference implementation for white box switches supporting next-generation SDN interfaces

Cumulus Networks

Cumulus Linux is a Debian based Linux distribution that runs on a variety of commodity hardware. Cumulus is active in the Open Compute Project and contributed multiple projects back to the community.

  • Open Network Install Environment(ONIE) contributed to the OCP
  • ifupdown2 now in Debian stable

Cumulus Networks | Linux Network OS

Big Switch Switch Light

Switch Light OS is an SDN-centric NOS that Big Switch has developed to closely integrate with whitebox hardware and ensure that OpenFlow-like functions will operate on the current generation of switching silicon for the data center.

  • Built on Linux
  • Open-sourced to form the basis of Open Network Linux (see next)

Big Switch Networks, Inc. | The Leader in Open Software Defined Networking

Open Network Linux

Open Network Linux (ONL) is a Linux distribution for “bare metal” switches, that is, network forwarding devices built from commodity components. ONL uses ONIE to install onto on-board flash memory.

  • Open Network Linux is a part of the Open Compute Project
  • Currently ONL is OpenFlow-centric

Open Network Linux


PicOS is qualified to run bare metal switches from several manufacturers. Pica8 sells PicOS separately or bundled with their own whitebox switches.

  • Switching and routing stack built on the XORP routing community (General public license now owned by Pica8)
  • Switching and routing support for existing networks
  • Open-vSwitch (OVS) support and CrossFlow technology enables mixing of switching, routing and OpenFlow traffic


Dell Systems

FTOS was originally developed by Force10 Networks. Dell acquired Force10 and has continued to develop the NOS with new features. At the same time, Dell Networks has embraced partnerships with Cumulus and BigSwitch to sell Whitebrand (or britebox) switching using open network hardware for those customers who want choices for NOS on their hardware.

Network Hardware – Switches, Routers – Dell


OcNOS™ is a NOS  for data center and enterprise networking, including advanced capabilities such as extensive protocol support for MPLS (Multiprotocol Label Switching). Available for OCP hardware.

IPFusion has previously been OEMing its operating system to network vendors in a modular format and many vendors routing protocols are actually ZebOS components. Management APIs may also be provided by ZebOS. (See also Tail-F)

IP Infusion

Cisco Systems

Cisco has had many operating systems over the decades and several of them are listed here.

IOS – a monolithic operating system that runs single threaded on a wide range of CPUs. Designed and developed in a different era. Obsolete at current time and on life support for recalcitrant customers. The software architecture was a product of its time and made it prone to memory leaks and packaging problems for different CPUs and motherboards. It was difficult to fix bugs and hard to add features. Bugs would often reappear in the mainline due to internal problems with library management at compile time.

IOS-SX – a fork of IOS was made in the mid-2000s, with Ethernet Switching features added to the code. It had all the limitations of IOS and took some years to stabilise into a reliable operating system. Many customers remain fearful to move on based on the pain experienced to date. Attempts to modularise this code and support modern features like process restart, ISSU, etc have been abandoned due to poor results (aka bugs).

  • Supports Spanning Tree
  • Instant Access is an 802.1BR implementation for Cat6800 family and acts like a virtual stacking function
  • Backward compatibility remains vital for many customers and will be around for many years to come

IOS-XE – Addresses to IOS monolithic problem by abstracting some modules.

  • The underlying operating system is based on a Linux distro but there is no access to it
  • Runs on multi-core CPUs
  • Isolates control plane and data plane in the software architecture
  • Stabilises the operational interfaces for SNMP, XML, HTTP for external operations
  • Runs on multiple hardware platforms from different business units but mostly in the mid-to-low end market (perhaps reflecting the its rumoured skunkworks development internally)

Since, historically, IOS has served as an Operating System as well as providing the key Routing Infrastructure, there has always been an aspect of Platform Dependent (PD) and Platform Independent (PI) code within IOS. IOS XE allows the platform dependent code to be abstracted from a single monolithic image. By moving drivers outside of IOS, IOS XE enables a more purely PI-focused IOS process. This provides a more efficient software delivery model for both the core IOS team, as well as platform developers, since the software can be developed, packaged and released independently. LINK

NX-OS – “Nexus Operating System” was developed to replace IOS-SX and modernise Cisco’s internal development process and tooling for software. Targeted at the Data Centre and

  • A highly customised version Linux is the base operating system
  • Support for multiple CPUs (although most versions use only one CPU)
  • Multithreaded preemptive multitasking capabilities
  • Support for Virtual Device Contexts and 802.1BR–called Fabric Extensions (FEX) by Cisco
  • Implements memory protected process for process recovery and fault detection
  • Fault detection through process monitoring to detect internal errors

Cisco NX-OS Software – Cisco

IOS-XR – The premium, high-end operating system developed internally by Cisco using a range of third party software.

  • Preemptive, memory protected, multitasking, microkernel-based operating system
  • Uses QNX (aka Blackberry) as the operating system kernel on CRS and ASR families. Uses Linux kernel on NCS family where routing functions and the system administration functions are run on separate virtual machines (VMs)
  • Improved high availability (largely through support for hardware redundancy and fault containment methods such as protected memory spaces for individual processes and process restartability)
  • Better scalability for large hardware configurations (through a distributed software infrastructure and a two-stage forwarding architecture)
  • A package based software distribution model (allowing optional features such as multicast routing and MPLS to be installed and removed while the router is in service)
  • The ability to install package upgrades and patches (potentially while the router remains in service)
  • A web-based GUI for system management (making use of a generic, XML management interface)
  • intended for service provider operations

This software is usually found on the largest of Cisco routers and premium pricing applies. The Cisco CRS, NCS and ASR routers are the current product families.

CatOS/CatalystOS – acquired when Cisco bought Crescendo communications in the late 1990’s. Used for the now obsolete Catalyst 5000 and 6000/6500 product families.

  • Although supported for many years because of customer reluctance to upgrade, it is now widely regarded as obsolete
  • The CLI was unlike any other Cisco IOS product (and was awful)

Juniper Networks

Junos is loosely based on FreeBSD. (needs more info here)

Junos OS


In June 2016, Avaya announced disagregation of its NOS from their hardware.

From the press release: Avaya’s approach to network operating system software is fundamentally different. Avaya has implemented a protocol change at the most foundational layer of the operating system software. This change negates the need for up to 10 legacy protocols (for details see Appendix A) that makes once formidable networking tasks now possible, all while improving performance elements in a switch.

Avaya NOS

Arista Networks

The EOS (Extensible Operating System) is

  • A single image of EOS that runs on all Arista switches
  • Uses a Linux kernel
  • All networking software runs in user processes for compatibility
  • Full access to Linux operating system – can run most Linux software

Arista EOS


Conf-D is a set of software modules for a wide range of hardware platforms that offers NetCONF and YANG, SNMP and other management APIs.

Tail-F was acquired by Cisco in 2014 but still sells its Conf-D products pseudo-independently to support existing contracts (and could be a good source of competitor intelligence for Cisco).



Facebook developed its own applications for switch/routing inside its data centre and then released parts of the code into the public domain via the OpenCompute project.


Microsoft SONiC (Azure Cloud Switch)

Microsoft announced that is has built its own network operating system for whitebox switches in its own data centres.

Software for Open Networking in the Cloud – SONiC

HP Enterprise

HP Enterprise has two operating systems in active development – ProVision and Comware (not including Aruba for Campus/Wireless).

ComWare – HP acquired 3Com to build out its networking business, the ComWare operating system has been at the centre of the HP Networking for big iron. It runs on the chassis-based switches and WAN routers, has a broad range of features and protocols. Comware was part of the network portfolio sold to Tsinghua.

Last Updated: 20170615

ProVision – This operating system runs on ProCurve network hardware that we developed internally at HP. Mostly focussed on LAN Switching and very popular in campus networks.

Note that HP Enterprise has a Whitebrand product strategy that offers their own brand of whitebox Ethernet switches running 3rd party operating systems such as Cumulus, PicOS etc. HP Enterprise seems keen to offer a wide range of products so that customers can partner for all their needs.

Aruba HPE – ArubaOS-CX

Aruba Networks announced a new operating system for the Aruba 8400 Switch Series platform focussed on the campus core and aggression.

Last Updated: 20170615


OpenSwitch is a community-based, open source network operating system. In June 2016, the project transferred to Linux Foundation (reference).

Announced Oct 2015 and a consortium led by HP with notable support from VMware, Arista and Broadcom. Will update when I understand more.


Aricent ConvergedOS

Don’t know much about this one. Check out the Aricent website and see if you can find more information. Not sure what sort of distribution there is.

Looks reasonably complete:

  • Network virtualization overlay with VXLAN, MP-BGP-based EVPN
  • Advanced QoS
  • Traffic monitoring with sFLOW and remote mirroring
  • Multi-Chassis Link-Aggregation Group (MC-LAG)
  • Event-driven BGP and time synchronization for packet tracing
  • Port density and flexible port speeds supporting 10, 25, 40, 50 and 100 GbE
  • Policy-based telemetry

Last updated 20170615

NoviFlow Noviware

Don’t know much about this company but the website suggests that the focus here is about programmability including OpenFlow, P4 and others.

“Designed from the ground up to be the industry’s most complete and highest performance NOS for programmable forwarding planes, switches and routers.” NoviWare

Last updated : 20171013

Pluribus Networks Open Netvisor Linux



Once Vyatta, then Brocade the open source code based live on as VYOS after Broadcom sucked profitable Fibrechannel and discarded the IP Networking like a used dishcloth. A software only, open source operating system with a comprehensive set of apps for routing. Popular with telcos, carriers and the smarter end of Enterprise who know how software and routers operate.

“VyOS is more similar to traditional hardware routers, with a focus on comprehensive support for advanced routing features such as dynamic routing protocols and command line interface. However, we do not neglect other features such as VPN and firewalls.”

Last updated : 20171013

Extreme Networks


Huawei VRP




MicroTik RouterOS


Nokia AlcatelLucent SROS

Link: Service Router Operating System | Nokia Networks –

Firewall Operating Systems

Fortinet FortiOS

Palo Alto Networks PanOS

Cisco ASA

Cisco SourceFire

Network Applications

These are applications that run on a Network Operating System. Since the only NOSs available are Linux, they are all  Linux applications.


A pre-release product that is “Developer-friendly and operations-focussed L2 & L3 network protocol stack, written in Go, open source and runs on all commoditized network hardware with any open linux operating system.

Snap Route


FBOSS is Facebook’s software stack for controlling and managing network switches that consists of a number of user-space applications, libraries, and utilities.

Github- FBOSS



GDPR effects any company that handles personal data of EU citizens so also your company
for example: if you are planning to do marketing e-mail campaigns which includes European customers, you have to ask their approval for sending to those e-mail addresses.
You also need to describe for what purposes you will use their personal data and for how long and you need to guarantee the protection of this data and that you don’t use it for other purposes that the customer didn’t agree on.
If you plan on sharing this data with a partner company (example the website designer) you also need to ask approval from the end customer and describe this in your agreement.

You also need to provide a way that the customer has insights on what kind of data you own from him/her and the customer has the right to be forgotten. this means that you must delete all personal data if the customers ask you to do so.

Refer to this article which discusses how the GDPR will affect cloud hosting for both providers and users:

If your organization collects, hosts or analyzes personal data of EU residents, GDPR provisions require you to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR. To further earn your trust, we are making contractual commitments available to you that provide key GDPR-related assurances about our services. Our contractual commitments guarantee that you can:

    Respond to requests to correct, amend or delete personal data.
    Detect and report personal data breaches.
    Demonstrate your compliance with the GDPR.


Here is a checklist that is designed to assist organisations in complying with the GDPR:

Things You Should Know About Governance and Management System for GDPR Compliance:….

GDPR in a nutshell:

According to Rec.81; Art.28(1)-(3) of the GDPR regulation,

“The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller”

A controller that wishes to appoint a processor must only use processors that guarantee compliance with the GDPR. The controller must appoint the processor in the form of a binding written agreement, which states that the processor must:

  • only act on the controller’s documented instructions
  • impose confidentiality obligations on all personnel who process the relevant data
  • must ensure the security of the personal data that it processes
  • abide by the rules regarding appointment of sub-processors
  • implement measures to assist the controller in complying with the rights of data subjects
  • assist the controller in obtaining approval from DPAs where required
  • at the controller’s election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law)
  • and provide the controller with all information necessary to demonstrate compliance with the GDPR
  • Respond to requests to correct, amend or delete personal data
  • Detect and report personal data breaches
  • Demonstrate your compliance with the GDPR

GDPR and Logfiles on WebServer:

I found a good reading here at: EU GDPR and personal data in web server logs

EU GDPR and personal data in web server logs

Web server logs contains information classified as personal data by default under the European Union’s General Data Protection Regulation (GDPR). The new privacy regulation comes in effect in , and just about everyone needs to take action now to become compliant.

Disclaimer: I’m not a lawyer and I’m not providing you legal advise. Contact your legal council for help interpreting and implementing the GDPR. This article is provided for entertainment purposes, and amounts to nothing but my interpretation of the GDPR.

The General Data Protection Regulation shifts the default operating mode for personal data collection from collect and store as much information about everyone as possible for all eternityto don’t collect any information about anyone unless there is documented and informed consent for the collection; and don’t use that information for anything but the specific purposes consent were given for. The GDPR turns big-data collection of personal data on the web from an asset to a liability with fines as high as 20 000 000 Euro or 4 % of global revenue (whichever is greater).

I’ve limited the scope of this article to discuss and focus on some of the technical requirements surrounding personal data collected by default in the logs generated by popular web server software. I’ll not go through the entire GDPR and all the requirements, but focus on some actionable points.

Personal data in server logs

The default configuration of popular web servers including Apache Web Server and NGINX collect and store at least two of the following three types of logs:

  1. Access logs
  2. Error logs (including processing-language logs like PHP)
  3. Security audit logs (e.g. ModSecurity)

All of these logs contains personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service use them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).

If you don’t have a legitimate need to store these logs you should disable logging in your web server. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information for from the persons you’re storing information about. The less customer information you store the lower the risk to your organization.

Legal basis for collecting and storing logs without consent

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, still collect and store personal data in your server logs for the limited and legitimate purpose of detecting and preventing fraud and unauthorized system access, and ensuring the security of your systems.

Here are the relevant excerpts from the GDPR that allows data collection for this type of purposes:

“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Article 6, Paragraph 1, Point F

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

Recital 49 (excerpt)Notably, this doesn’t exempt such collection from the strict requirements of the GDPR. Gandalf the Grey offers some great advice for how you should treat personal data to achieve GDPR compliance in your organization:

“Keep it secret; keep it safe.”

Encryption, access restriction, and timely erasure

The specific requirements under the GDPR that apply to your organization depends on the scope and type of data you collect set against the needs to store the data. The regulation with all its recitals is 54 800 words long, but I’ll try to summarize some practical implementation requirements from the regulation:

“Personal data shall be: (b) […] collected for specified, explicit and legitimate purposes and not further processed […] (c) […] limited to what is necessary in relation to the purposes for which they are processed […] (e) […] personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest […] (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5, Paragraph 1, Point B (excerpt); C (excerpt); E (excerpt); and F (excerpt)

There are no specific technical details offered regarding how these requirements should be implemented besides the suggestion to use “encryption” in Article 6, Paragraph 4, Point E and Recital 83. The take-away is still clear: data should be secured, access should be limited even within your organization, and data should be deleted (including from backups) when there is no longer a need to retain it.

Utility of the day: logrotate (+ gnupg)

logrotate is a very useful tool that can be used to encrypt logs in storage even on edge servers, and can help automate deletion of old log files. It can also be used to encrypt log files in storage which when combined with organizational measures can limit access to decrypting the log files.. Unless you encrypt your logs, an unauthorized third-party who gained access to your servers could extract a lot of data about your users from your logs. Depending on how much private information is stored in your log files and the potential sensitive nature of your business, you shouldn’t store log files for more than a few hours or days unless you take measures to protect them.

Managing PGP keys in GnuPG is beyond the scope of this article. However, in short you would create a key-pair on a secure machine, and then import the public key into the GnuPG key chain on your servers while storing the private key on a secure medium with limited access for authorized employees only (e.g. printed on paper or kept on a removable storage media). The server can then use the public key to encrypt its log files without with public key cryptography; resulting in the server being able to encrypt the data without being able to decrypt it without the private. The log files could even be transferred to a centralized log-storage server for cold storage.

I believe such a setup could be used to achieve GDPR compliance while still maintaining auditable logs in the event of breach of server security or other incident that would require a log trail.

The following logrotate configuration example demonstrates secure encrypted storage (using GnuPG) erasure after time intervals (rotate in days) appropriate to how important it is to store the various log files following a security incident.

In the above example, access logs are deleted after 100 days, error logs after 200 days, and ModSecurity logs (which would only contain suspicious activity), are retained for 400 days. After this time, the logs would be securely erased using the shred utility.

The logs are still kept unencrypted for up to 24-hours when they were first recorded. This is a small time window when the data is not stored encrypted, but it is required to allow human technicians and automated log analyzing tools (like SSHGuard or Fail2Ban) to process the data and act upon it to help detect and prevent unauthorized or unlawful system access.

You can reduce the time window when data is kept unencrypted by rotating logs hourly instead of daily, or by piping logs directly from your web server into an encrypted storage. This may have a serious performance impact on your server and complicate the configuration of automated security monitoring tools.


Any identifier, including network or equipment identifiers like an IP address, are considered personal data. Don’t store server logs if you don’t have to. Encrypt logs in storage and limit access to decryption credentials. Delete logs as early as possible, including from any backups. Document what steps you’ve taken to secure data and limit impact in the case of a server breach.

This article has focused on server logs as they’re something every organization with a website or an online service will have to deal with. However, the same principles and even stricter requirements apply to other types of data that your organization keeps on people. The deadline for GDPR compliance is , and that is barely enough time to read through the 54 800 word regulation. With fines up in the 20 Million Euro range; you better get started auditing personal information collection and storage in your organization right away. This is the perfect time to rethink old decisions regarding what data your organization really needs to keep and for how long.

In Depth Explanation of Cisco IOS and IOS-XE Call Routing

Updated:June 13, 2017
Document ID:211306



The purpose of this document is to explain IOS and IOS-XE Call Routing and the mechanisms behind inbound and outbound dial-peer matching with Plain Old Telephone Service (POTS) and Voice over IP (VoIP) Network call legs.

In addition to dial-peer information this document covers important topics that pertain to call routing. These include digit manipulation, a quick overview of Session Initiation Protocol (SIP) message manipulation, a few methods for restricting calling capabilities, a quick media and signaling binding overview, and lastly a bit of troubleshooting.

This document utilizes configuration examples as well as debug and show command outputs as reference points. The many features in this document are clearly marked with the version the feature was introduced to both IOS and IOS-XE. This information can also be referenced quickly by checking the Command and Feature Roadmap section. If there is a very notable defect it is linked within the text so that readers are aware.

Contributed by Kyzer Davis and edited by Ramiro Amaya, Cisco TAC Engineers



While there is no formal prerequisite needed to read this document; it was written with the expectation that the reader already has some working knowledge of underlying voice signaling protocols that are used to establish and connect phone calls. These protocols are referenced many times throughout the book.

Signaling Protocols: Session Initiation Protocol (SIP), H323 (h225 / h245), Media Gateway Control Protocol (MGCP), Skinny Client Control Protocol (SCCP), ISDN Q931, E1 R2.

Media Protocols: Real Time Protocol (RTP), voice codecs, video codecs.

Analog Technologies: Ear and Mouth (E&M), Foreign Exchange Subscriber (FXS) and Foreign Exchange Office (FXO).

Components Used

The information in this document is based on these software and hardware:

Cisco IOS and IOS-XE Gateways

2800 / 3800 / 2900 / 3900 / 4300 / 4400 / CSR1000v / ASR100X

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Common Definitions

Attribute Description
Digit String Also referred to as number string, phone number, number, or E164 number.Consists entirerly of digits 0 through 9 with an optional leading plus symbol (+).


Dialed Number Identification Service (DNIS) This is the Called Number or the Destination Number for a call.
Automatic Number Identification (ANI) This is the Calling Number or the Originating Calling Number for a call.This can also be referred to as the Calling Line Identifier (CLID) which can also be titled the Caller ID
Uniform Resource Identifier (URI) A URI is either a sip: or tel: string most commonly used with VoIP Protocols SIP and H323.

URI Examples:

Carrier-id CID Examples:

Note: CSCua14749 Carrier-ID does not work on IOS-XE platforms

Route-String A Cisco Proprietary Header for ILS Route-Strings used with SIP.

X-cisco-dest-route-string: <sip:configured-value>

ENUM ENUM is a protocol that uses Domain Name Service (DNS) to translate E164 phone numbers into URIs. This is not be covered in this document.
PSTN Public Switched Telephone Network
ITSP Internet Telephony Service Provider
SBC Session Border Controller.

This is the device that stands as the demarcation point between a customer LAN and an ITSP/PSTN Network

Command and Feature Roadmap

Feature IOS Version IOS-XE Version
Number Expansion (num-exp)

Dial-peers (POTS and VOIP)



incoming called-number

session target (IPv4 and DNS)

Max Connections (max-conn)


forward-digits (POTS)

prefix (POTS)

timeouts inter-digit (voice-port)

11.3(1)T All
dial-peer terminator 12.0 All
huntstop 12.0(5)T All
ISDN Maps 12.0(6)T All
Dial-peer Hunting Schemes 12.0(7)XK All
Voice Translation Rule and Profile



digit-strip (POTS)

12.0.(7)XR1 All
session target (sip-server) 12.1(1)T All
POTS Trunk Group 12.1(3)T All
DNIS-Map (Outbound) 12.2(2)XB All
trunk-group-label 12.2(11)T All
Dial-peer (Data) 12.2(13)T All
Voice Class URI (Outbound) 12.3(4)T All
session target (IPv6) 12.4(22)T All
SIP Profiles (Outbound) 15.0(1)M All
Voice Class URI (Inbound) 15.1(2)T 3.8S
SIP Copylist

session target (Registrar)

15.1(3)T 3.6S
call-route (url) 15.2(1)T 3.3S
max-bandwidth 15.2(2)T 3.7S
E164-Pattern-Maps (Outbound) 15.2(4)M 3.7S
Voice Class Route-String

call-route (dest-route-string)

15.3(3)M 3.10S
Dial-Peer Groups (VOIP)

E164-Pattern-Maps (Inbound)

Destination Server Group


session target (sip-uri)

15.4(1)T 3.11S
Dial-peer Provision Policy

SIP-Profiles (Inbound)

15.4(2)T 3.12S
Dial-Peer Group (POTS) 15.5(1)T 3.14S
Voice Class Tenants 15.6(2)T 16.3.1
VRF Filtering for dial-peers 15.6(3)M 16.3.1

IOS / IOS-XE Call Routing Fundamentals

Cisco IOS and IOS-XE gateways utilize a concept of a dial-peer to control call routing and capabilities negotiation for each leg of a call. A call leg is the bidirectional communication between two call agents. A call agent is a device that initiates, processes, or forwards telephony calls. This can be and is not limited to Telephony Provider equipment, a Cisco Gateway, an IP Phone, a Cisco Unified Communication Manager (CUCM), Cisco Unity connection (CUC), etc. There are far too many Call Agents to list.

Scenario: A call arriving at a Cisco gateway from another call agent is the inbound call leg (in-leg). The gateway processes the call and based on its processing send the call to the next call agent. This is the outbound call leg (out-leg).

Image 1 shows a call from the PSTN to CUCM routing through a Cisco Voice Gateway and the respective inbound and outbound call leg information.

Image 1 – Inbound and Outbound Call Legs Illustrated

A successful call through a Cisco Gateway ALWAYS* matches an inbound or outbound dial-peer to route properly. Inbound and outbound dial-peers are similar to the call-legs mentioned earlier. In Image 1 the call arriving from the PSTN at the Cisco Gateway needs to match an inbound dial-peer. Then the gateway utilizes an outbound dial-peer to route the call to the next call agent. It is important to remember that these terms are defined from the perspective of the Cisco Gateway.

By matching a dial-peer for each side of the call an administrator has the power to control many aspects of the one specific call leg. Examples of these include voice codecs, DTMF preferences, digit manipulation, where the call is to be routed and many many other settings. Dial-peers can be configured with both inbound and outbound match statements so matching the same dial-peer for both the in-leg and out-leg is possible if a valid inbound and outbound matching configuration is applied to that specific dial-peer.

* The exception to this rule is with MGCP and SCCP voice-ports. These signaling protocols do not follow normal dial-peer matching mechanism during call routing. See the SCCP and MGCP section for further details

Image 2 illustrates the same inbound and outbound call legs as Image 1 but with the respective dial-peers for a call from the PSTN to CUCM routing through an Cisco Voice Gateway.

Image 2 – Inbound and Outbound dial-peers Illustrated

Cisco Voice Gateways can interwork many different types of voice calls and protocols including IP to IP, POTS to POTS and IP to POTS or vice versa.

Image 3 illustrates a VoIP to VoIP call through Cisco Unified Border Element (CUBE).

Image 3 – Inbound and Outbound dial-peers for a Voip to VoIP call

Image 4 displays a POTS to POTS call through a Cisco Gateway.

Image 4 – Inbound and Outbound dial-peers for a POTS to POTS call

Voice Dial-Peer Types

POTS Plain Old Telephony Service Dial-peers are matched for analog connections such as Analog FXS, FXO, ISDN T1 / E1s, E1 R2, and Ear and Mouth (E&M) connections.
These send or receive a call to / from a physical voice-port on the gateway.
VOIP Voice Over IP Dial-peers are used to mainly control H323 and SIP connections to and from the gateway.
These dial-peers send and receive signaling from IPs both IPv4 and IPv6 as well as Fully Qualified Domain Names (FQDN) using Domain Name System (DNS).

VoIP dial-peers can also be used for Voice over Frame Relay (VoFR), Voice over ATM (VoATM), Voice over High-Level Data Link Control (VoHDLC) and Registration, Admission, and Status (RAS) signaling and session targets for these dial-peers can also include settlements and ENUM values.

Note: Some of these types of configurations are older technologies not seen in newer networks and with IOS-XE some are no longer supported. As a result they are not be covered in this document.

MMOIP Multimedia Mail Over IP Dial-peers are utilized to send emails to exchange servers.
These are mostly utilized for t37 on-ramp / off-ramp faxing. These dial-peer types are not within the scope of this document.


Note:The maximum number of dial-peers that can be configured on a Cisco gateway depends on the available memory (DRAM). Each dial-peer consumes approximately 6KB of memory so ensure that the gateway has at least 20% of the total memory reserved for other CPU processes. A large number of configured dial-peers may add to the delay to route a call. This can be significant as the Cisco voice application looks through dial-peers from the top down, similar to an Access Control List (ACL). This is usually not a problem on nwere Cisco Gateways.

 Sample Error:

Inbound dial-peer Matching

When a Cisco Gateway receives a call setup request the gateway begins searching for an applicable incoming dial-peer for this call. This is not a digit-by-digit analysis rather the full message is utilized to determine which inbound dial-peer is selected. The order of items in the message checked is largely dependent on the protocol for the call as indicated by the preference lists defined in Tables 1 through 3. A dial-peer only needs to satisfy one of the conditions for matching. It is not necessary for all the attributes to be configured in the dial peer or that every attribute match the call setup information. All dial peers are searched based on the first match criteria. The gateway moves on to the next criteria only if no match is found.

Table 1. Inbound SIP dial-peer Selection Preference

Preference Match Criteria Dial-peer Commands*
1 URI incoming uri via <uri-tag>

incoming uri request <uri-tag>

incoming uri to <uri-tag>

incoming uri from <uri-tag>

2 Called Number incoming called-number <number-string>

incoming called e164-pattern-map <pattern-map-number>

3 Calling Number incoming calling e164-pattern-map <pattern-map-number>

answer-address <number-string>

4 Destination-pattern (ANI) destination-pattern <number-string>
5 Carrier-ID carrier-id source <string>

Table 2. Inbound H323 Dial-peer Selection Preference

Preference Match Criteria Dial-peer Commands*
1 URI incoming uri called <uri-tag>
incoming uri calling <uri-tag>
2 Called Number incoming called-number <number-string>
incoming called e164-pattern-map <pattern-map-number>
3 Calling Number incoming calling e164-pattern-map <pattern-map-number>
answer-address <number-string>
4 Destination-pattern (ANI) destination-pattern <number-string>
5 Carrier-ID carrier-id source <string>

Table 3. Inbound POTS Dial-peer Selection Preference

Preference Match Criteria Dial-peer Commands*
1 Called Number incoming called-number <number-string>
2 Calling Number answer-address <number-string>
3 Destination-pattern (ANI) destination-pattern <number-string>
4 Voice-port port <voice-port-number>

When No Matches Exist / Default Dial-Peer 0 peer_tag=0, pid:0

When there are no eliglbe matches for an inbound dial-peer for either POTS or VoIP calls the gateway allocates dial-peer 0. This is not ideal as dial-peer 0 has limited capabilities and can cause issues with calls. The outlier to this is SCCP and MGCP protocols which don’t use dial-peers for routing calls. See the MGCP and SCCP section for further details.

dial-peer 0 capabilities

  • No dtmf-relay mechanisms
  • Advertised all voice codecs for VoIP calls
  • Fax-rate voice
  • Voice Activity Detection (VAD) is enabled
  • No RSVP Support
  • No IVR Application Support for POTS calls
  • Direct-inward-dial is enabled

Outbound dial-peer Matching

Outbound dial-peers are utilized to route POTS or VoIP calls from the gateway to the next call agent. Like inbound dial-peer matching there is a list of items the gateway can use to match dial-peers based on the preference order for the specific protocol. However, unlike inbound dial-peers, if there is no eligible outbound dial-peer to route the call the call then fails. Like inbound dial-peer matching all dial peers are searched based on the first match criteria. The gateway moves on to the next criteria only if no match is found.

Table 4. Outbound SIP Dial-peer Selection Preference

Preference Match Criteria Dial-peer Commands*
1 Dial-peer Group Dial-peer destination dpg <dpg-tag>

(configured on inbound dial-peer)

2 Dial-peer Provision Policy URI destination uri-from <uri-tag>
destination uri-to <uri-tag>
destination uri-via <uri-tag>
destination uri-diversion <uri-tag>
destination uri-referred-by <uri-tag>
3 ILS Route String destination route-string <route-string-tag>
4 URI and Carrier-ID destination uri <uri-tag> AND carrier-id target <string>
5 Called Number and Carrier-ID destination-pattern <number-string>  AND carrier-id target <string>
6 URI destination uri <uri-tag>
7 Called Number destination-pattern <DNIS-number>

destination e164-pattern-map <pattern-map-number>

dnis-map <dnis-map-number>

8 Calling Number destination calling e164-pattern-map <pattern-map-number>

Table 5. Outbound H323 Dial-peer Selection Preference

Preference Match Criteria Dial-peer Commands*
1 Dial-peer Group Dial-peer destination dpg <dpg-tag>

(configured on inbound dial-peer)

2 URI and Carrier-ID destination uri <uri-tag> AND carrier-id target <string
3 Called Number and Carrier-ID destination-pattern <number-string> AND carrier-id target <string>
4 URI destination uri <uri-tag>
5 Called Number destination-pattern <number-string>

destination e164-pattern-map <pattern-map-number>

dnis-map <dnis-map-number>

6 Calling Number destination calling e164-pattern-map <pattern-map-number>

Table 6. Outbound POTS Dial-peer Selection Preference

Preference Match Criteria Dial-peer Comamnds*
1 Dial-peer Group Dial-peer destination dpg <dpg-tag>

(configured on inbound dial-peer)

2 URI and Carrier-ID destination uri <uri-tag> AND carrier-id target <string>
3 Called Number and Carrier-ID destination-pattern <number-string> AND carrier-id target <string>
4 URI destination uri <uri-tag>
5 Called Number destination-pattern <DNIS-number>

dnis-map <map-number>

Note: * All commands within each Dial-peer Commands cell are treated equal in weight. The Number String dial-peer Hunting and URI Dial-peer Hunting section go into how the gateway evaluates a list of potential commands for each match criteria row before moving to the next match criteria. i.e Evaluating all potential URI matches and URI matching commands before looking at the called number.


Number String Dial-Peer Hunting

Number String Preference:

Much like URI’s have a specific order of operations for evaluationg matches there is also a set of rules used when evaluating a numeric digit-string. The default dial-peer hunt scheme for is set to 0. This means the gateway searches for a pattern with the longest match (most specific). If there are two dial-peers with the same match length the gateway look at the explicitly defined dial-peer preference. Lastly if both of those are the same it chooses one in a random order.

There are other dial-peer hunt schemes available for configuration however most deploymens keep the default of 0. If dial-peers being matched outside the default order an administrtor should examine the running configuration for a non-default dial-peer hunt scheme.

Longest match is defined as the most specific match based on the possible number of numbers that string could match.

Scenario: Eligible dial-peers have been configured with the following possible matches and the gateway is evaluating a digit-string of 2001. Dial-peer 1 can match any number 2000 through 2999 while dial-peer 2 can match 2000 through 2009. dial-peer 2 would be matched for this call as it is the longest match (most specific) for the digit string 2001 when the default dial-peer hunting mechanisms is employed (dial-peer hunt 0).

Preference is defined as the administrator defined weight for each dial-peer. Administrators can configure a preference so the call always use a specific dial-peer before others. By default all dial-peers are preference 0. A dial-peer with preference 0 is matched before another dial-peer with preference 1 through 10. Most administrators setup multiple dial-peers to send a call to a specific CUCM subscriber with a backup subscriber or another call agent being configured another dial-peer with a lower preference.

Scenario: Two dial-peers are configured with the same match length for the digit string of 2001. The Administrator has defined an explicit preference. The gateway evaluates both dial-peers the same since their match length is the same. However the administrator has set dial-peer 1 with a higher preference so that dial-peer be chosen as the first dial-peer used in routing the call. dial-peer 2 would remain as a secondary option should a failure occur on the first dial-peer.

A Cisco Gateway only attempt to route a call via one eligible outbound dial-peer at a time. If a failure condition observed on the first selected dial-peer the gateway then attempts to route the call out the next eligible dial-peer. This continues until the call either succeeds or fails because there are no more eligible dial-peers left to try. A common symptoms of dial-peer hunting and failure is a noticeable delay in ringback while making calls. Debugs are usually needed to verify exactly why the call is failing on the first few dial-peers before finally working across another. The command huntstop can be employed on a dial-peer if an administrator does not want a gateway to look for another dial-peer when a failure condition is observed.

Scenario: Two dial-peers are configured with the same match length for the digit string of 2001. The Administrator has defined an explicit preference and does not want to match dial-peer 2 for this particular call. Since we have two dial-peers with the same match-length the preference is used to determine the dial-peer used. Dial-peer 1 has a configured preference is used to route the call. If a failure condition occurs on the outbound call leg using dial-peer 1 then the gateway immediately stop dial-peer hunting since the huntstop command is configured. So in our scenario dial-peer 2 is never utilized for outbound routing.

Note:hunstop and preference commands can also be used in conjunction with URI matching statements.

URI Dial-peer Hunting

The gateway looks at each match criteria before and exhaust it before it moves to the next match criteria. An example of this would be on inbound SIP call. We know that the first thing the Cisco Gateway checks is the URI and evaluate all potential URI commands to find one that fits. If there is no match OR none are configured then the gateway moves to the next matching item, perform an evaluation on the criteria. This process repeats until the call either routes based on a match or the gateway runs out of match criteria to check.

When an inbound or outbound dial-peer is configured with a URI command applied the gateway examines the URI that was received in multiple headers for a potential match. The match preference is based on the most specific match and the exact preference goes Full URI match, Host Portion, User Portion, or telephone URI. Knowing the order of operations for URI matching can aid greatly in dial-peer matching with SIP and CUBE deployments.

This preference order can be manipulated using the command voice class uri sip preference to specify the user-id as the first option instead of host.

URI Preference:

  1. Exact match for the full URI. Examples: (, user@a.b.c.d,,
  2. The Host portion of the URI. Examples: (@a.b.c.d or
  3. The User portion of the URI. Examples: (sip:8675309 or sip:user)
  4. The tele-uri. Example: (tel:18005532447)

Scenario: An administrator has the configuration of dial-peer below and send a call to the gateway. The FROM header in our received INVITE is “From: <sip:testuser@>” The Gateway can match potentially match two different dial-peers based on this header. dial-peer 1 based on the user portion and dial-peer 2 based on the host portion. However since a host match is a preference above a user match dial-peer 2 is used for the inbound dial-peer in our call.


voice class uri

URI matching for inbound and outbound dial-peers allows an administrator the ability and flexibility to perform matches on more than a phone number string for VoIP protocols supporting URIs in their messaging. Prior to IOS 15.4(1)T and IOS-XE 3.11S a request URI must contain an alphanumeric “user@host” else a Cisco Gateway would reject the call with a 4xx message. Now a URI can contain just the host portion and the gateway routes the call based on just the host provided. i.e

Additionally, prior to IOS 15.4(1)T and IOS-XE 3.11S voice-class URI user-ids could only be numeric e.164 values ( This was changed so administrators can configure alphanumeric user-ids on CUBE (

The host or user portion of a voice class uri can contain regex patterns which greatly expands the possible values that can be matched.

Example Voice Class URIs

Note: Only 10 hosts, 1 pattern, or 1 user-id can be configured per voice clas uri.

Inbound URI dial-peer Matching

This feature was added in IOS 15.1(2)T and IOS-XE 3.8S and utilizes a voice class uri configured and applied to an inbound dial-peer. Incoming URI has been adopted by many customers over the traditional incoming called-number statement for SIP calls as it the first match criteria checked when selecting inbound dial-peers. The command also allows administrators the ability better match calls coming from a particular call agent or user.

Full Documentation

Common Use Cases

  1. An inbound dial-peer matching on the host portion of the URI to answer OPTIONS ping requests from CUCM.
  2. An inbound dial-peer matching on the host portion of the URI to control inbound calls from an Internet Telephony Service Provider (ITSP)
  3. An inbound dial-peer matching on the user-id portion of the URi for call treatment from certian users or numbers.

Configuration Example

The example output below matches dial-peer 777 for any SIP request sourcing from the two HOST IPs defined in the voice class uri. The header being watched was defined as the FROM header on the dial-peer however an administrator can define many others including VIA, TO, and REQUEST (Request URI). If my CUCM sends an OPTIONS ping to the CUBE now matches dial-peer 777 and source my 200 OK reply to the OPTIONS from the specified interface. If my CUCM sends an INVITE to the CUBE matches dial-peer 777 as the inbound dial-peer.

Outbound URI dial-peer Matching

Cisco IOS Gateways can match an outbound dial-peer using a URI by applying a voice class uri to an outbound dial-peer. This feature was added in IOS 12.3(4)T and is present in all IOS-XE versions. By default the outgoing SIP Request-URI and To header URI are going to have the session target of the outbound-dial-peer. This can be disabled by using the command requri-passing which allows the gateway to pass the in-leg URI host portion to the out-leg instead of replacing the URI host portion with the session-target. The command requri-passing was added in 15.4(1)T and IOS-XE 3.11S.

Configuration Example

In addition to voice class uri‘s administrators can use a dial-peer provision-policy to match an in-leg URI for an outbound dial-peer match. This feature was added in IOS 15.4(2)T and IOS-XE 3.12S. A dial-peer provision-policy requires defining a primary match attribute with a secondary match attribute being optional. The provision-policy is applied to an inbound dial-peer and when that dial-peer is selected for use on an inbound call-leg the policy is invoked. The result is an outbound dial-peer selection based on the attribute from the dial-peer provision-policy.

Configuration Example:

This configuration example routes the inbound call using the FROM header on the in-leg SIP message. Please note that although we are routing the call on the FROM header the INVITE that leaves the gateway still has the original Request URI. We only chose the dial-peer based on the FROM header. The call is still being sent to a specific destination as it was received that way. So in the example below we recieve an INVITE with the following two headers:

INVITE sip:123456789@ SIP/2.0


The gateway is going to match dial-peer 1234 based on the incoming called-number statement as there is no incoming URI statements. We have a provision policy in place to check the FROM header. We now look at the FROM header when making a choice about the outbound dial-peer. We see a host of in the FROM header. This matches with dial-peer 56789 so we are going to route the call using this dial-peer.

The SIP message the leaves the gateway:



Note how the original called number of 123456789 remains. The host portion changes to be that of the session target on the dial-peer. We routed the call via the FROM header but the egress message is still for 123456789.

session target sip-uri

Prior to IOS 15.4(1)T and IOS-XE 3.11S if the host portion of a URI was different but the user was the same this would require two separate outbound dial-peers.

After this release an administrator can configure one dial-peer to service multiple hosts for the same user. i.e and under the same dial-peer. Using session target sip-uri triggers DNS resolution of the domain of incoming INVITE Req-URI and dynamically determine the session target IP.

Example Configuration:

The gateway recieves two SIP INVITEs with the following headers INVITE SIP/2.0 INVITE SIP/2.0 The gateway matches the incoming SIP request of and on dial-peer 1 because of the incoming uri command and the user-id definition both match “testuser”. The command voice-class sip call-route url being present means we evaluate outbound dial-peers based on the request URI of this inbound INVITE. Weans we match dial-peer 2 because of the same reasons we matched dial-peer 1, the user-id of “testuser”. The session target of this dial-peer is the original sip-uri as defined by “session target sip-uri” which was a FQDN. After a DNS resolution has taken place and change and into an IP for layer 3 routing we send a message out of the gateway.



Dial-peer Wildcards

An administrator can utilize dial-peer wildcards when defining inbound and outbound matching mechanisms that involve a number string. These include destination-pattern, incoming called-number, e164-pattern-maps, and answer-address as well as the prefix command. Dial-peer wilcards are regular expressions (regex) available for configuration which allow greater flexibility over the matching of dial-peers.

Wildcard Table

Character Definition Examples
* On a dial-peer this is a literal value of * (star) on the keypad. 12345*
# On a dial-peer this is a literal value of # (pound) on the keypad. 8675309#
, Inserts a 1 second pause between digits.

A comma can also be used within brackets [ ] to break up a continuous range.



. Regex character for matching any value 0-9, A-F and *, #, +

Up tot 15 dot characters can be defined per dial-peer although the CLI lets an administrator configure as many as they see fit.

If more than 15 dots are requiree please use T.



% Regex for proceeding digit occurring zero or more times.
+ When used at the beginning of a string it means a literal + used in E164 numbers.

When used anywhere else in the string it is a regex value for the proceeding digit occurring one or more times.

? Regex for the proceeding digit occurring zero or one time. (206)?5015111
^ Regex character to indicate the start of the string when used outside of brackets

When used inside brackets it is treated as an exclude or a DO NO MATCH Statement

This is no longer required in later versions as the gateway automatically assume a ^ when processing a regex string without a ^.



$ Regex character to indicate the end of a string. 8675309$
\ Escape character to mean a literal value
[ ] Brackets define a range of characters for a single position.

Commas must be used to break up continuous strings.



( ) Parenthesis define a group of characters in a set. 9(258)7777
T A variable length match of up to 32 digits.

The router waits on the inter-digit timeout to occur before routing the call.

The default value for the interdigit timeout is 10 seconds and is modifiable via timeouts inter-digit on a voice-port.
Administrators can terminate the inter-digit timeout using # on the keypad. This is modifiable via the command dial-peer terminator configured globally

T also references the T302 timer

Used in brackets to define the range. [5-9]1234

Output from Gateway displaying the possible regular expression inputs


Dial-peer States

Dial-peers can be in one of two Operational states.

  1. Up
  2. Down

For a dial-peer to be in a valid operational state and eligible for use with call routing it needs to be in the UP state. For outbound VOIP dial-peers this means there should be a valid outbound matching mechanisms as well as a valid session target to route the call towards. For outbound POTS dial-peers a valid valid outbound matching mechanisms as well as a valid voice-port should be configured. With inbound dial-peers only a valid inbound matching mechanisms must be configured.

The busyout state is seen when a dial-peer is configured with a keepalive mechanisms and the remote target has failed the parameters of that keepalive mechanism. The gateway then moves the dial-peer into a busyout state so it is no longer used for call routing decisions and when the keepalive mechanism is fulfilled again the gateway puts the dial-peer back into an up state. If a dial-peer is selected as an outbound dial-peer and this dial-peer is in a busyout state the gateway fails the call with a cause code 188.

Along with operational states there are Administrative states.

  1. Up
  2. Down

An administrator can disable a dial-peer without removing it from the configuration by entering the shutdown command on the dial-peer. To re-enable the dial-per enter no shutdown.

Note: A dial-peer with a voice-port that is down, shutdown, or not operational remains in operational state of UP however the Out State shows as Down


Virtual Routing and Forwarding (VRF) and Dial-peer Hunting

Inbound dial-peer Matching with VRF

Starting with IOS 15.6(3)M and IOS-XE 16.3.1 Cisco gateways can match inbound dial-peers using VRF IDs. To take advantage of this an administrator must bind the inbound dial-peer to an interface which in turn binds the dial-peer to the VRF ID on the specified interface. After the bind is complete inbound calls are filtered by the Cisco Gateway to only only include eligible inbound dial-peers that match the VRF ID of the interface the packet was received on. From here the inbound dial-peer is matched based on regular dial-peer matching order of operations.

Prior to these IOS / IOS-XE releases the Cisco Gateway would make an inbound selection based on regular inbound dial-peer matching without any filtering. This means a VRF1 call could be matched by a VRF2 dial-peer. Additionally since only one VRF was supported by H323 and SIP prior to these releases other issues arise when attempting to use multi-VRF features. The use of a single VRF for voice applications was known as VRF-Aware configuration.

Full VRF-Aware Documentation:

Full Multi-VRF Documentation

Outbound dial-peer Matching with VRF

Cisco Gateways have the ability to bridge calls across VRFs without the need for route leaks to be configured. This means an inbound call on VRF1 can be routed outbound on a dial-peer for VRF2 if the normal outbound dial-peer matching selection is satisfied. Dial-peer groups can be employed to force the Cisco gateway to keep the call within the same VRF.

VRF and Dial-peer Group Configuration Example

This configuration example has VRF1 and VRF2 with two overlapping IP Ranges and two overlapping phone number ranges.
We utilize VRF binding to ensure the correct inbound dial-peer is matched and Dial-peer Groups to ensure the correct VRF bound outbound dial-peer is matched.\ If a SIP packet for a call to 8675309 arrives on gig0/0/1.2 then the gateway filters out all available inbound dial-peers based on the VRF2 ID. This means we cannot match dial-peer 10. Now that we check the digit-string we match dial-peer 20. Dial-peer 20 has a dial-peer group which tells the gateway the only outbound dial-peer that can be matched is also dial-peer 20. This dial-peer group allows us to avoid matching dial-peer 10 and crossing a call coming from VRF1 into VRF2. From there the call should proceed as normal.


Advanced Call Routing Techniques

Over the years as business needs grow, the company expands and require more more DIDs to an enterprise administrators may find that the basic dial-peers don’t meet scale well. There may be on-off situations that need to be addressed, or perhaps there is just too many dial-peers in general. Having thousands of dial-peers doesn’t make administration and troubleshooting easy. Having a dial-peer for each specific CUCM server or call agent starts to compound the problem of too many dial-peers because now an administrator needs to configure a dial-peer for for each digit-string. Perhaps there is have more than one SIP provider connecting to a gateway or a few different customers using the same CUBE. This makes isolating a specific tenant very tough.

Cisco has taken this feedback and created a set of items that can address tnese issues and more. Dial-peer Groups, Voice Class tenants, destination server-groups, e164-pattern-maps and POTS trunk groups allow for an administrator to solve all of the problems above and many more not listed.

Dial-peer Groups

Dial-peer groups were added in IOS 15.4(1)T and IOS-XE 3.11S and POTS dial-peers were added as an option in IOS 15.5(1)T and IOS-XE 3.14S. A dial-peer group allows administrators to specify an exact dial-peer for outbound routing based on the inbound dial-peer matched. Once an inbound dial-peer with a dial-peer group configured is matched the call uses the dial-peer defined in the dial-peer group even if the destination-pattern doesn’t match. The only prerequisite is the outbound dial-peer must be UP so an outbound matching method must be configured however this is not actually used to route the call.

The best way to describe dial-peer groups is to liken them to the concept of static routes in a routing table. These are static inbound to outbound routing decisions take away some of guesswork for the gateway because they are telling it exactly how to route the call.

Full Documentation

Configuration Example

With the following example the called number is 8675309. This matches dial-peer 1234 based on the incoming called-number statement. This dial-peer is configured with a dial-peer group that states the call should now route out dial-peers 2 then 3 and finally 1 if dial-peer 2 fails. Knowing this the gateway now try to route the call out dial-peer 2 as it has been explicitly told via the dial-peer group that is what it should do.

Note how the destination-pattern on dial-peer 1, 2, and 3 is not the called number of 8675309. This is fine and the call still routes without an issue. Remember as discussed in the “dial-peer states” section we need something/anything configured as an outbound matching statment. In our case destination pattern is only to bring the dial-peer into an UP operational state and the digit-string of that command is never evaluated. It is recommended to configure a pattern like “destination-pattern AAAA” as this is a valid destination-pattern. Since this is technally a valid dial-peer other calls could match it. Thus the AAAA digit-string means that we may never use it for anything other than our specific scenario involing a dial-peer group as the likelyhood of a call coming in for AAAA is very very very low.



This feature give administrators the ability to reduce the number of total dial-peers by combining many possible number matches (destination-patterns, incoming called-number, etc) into a single pattern map. Outbound dial-peer e164-pattern-map support was added in IOS 15.2(4)M and IOS-XE 3.7S while inbound dial-peer e164-pattern-map support was added in IOS 15.4(1)T and IOS-XE 3.11S.

An e164-pattern-map can be configured via the the CLI or pre-configured and saves as a .cfg file. The .cfg file is then added to the flash of the gateway and then referenced when configuring the rest of the command. The .cfg file can utilize 5000 entries.

The entries in both configuration methods can utilize all normal dial-peer wildcards for further aggregation!

Full Documentation:

CLI Configuration Example – Calling Numbers

CLI Configuration Example – Called Number


Flash Configuration Example


Notable Defects

  • CSCva64393 – e164-pattern-map doesn’t parse the last line of the config file

Destination Server-Groups

Server-groups give administrators the ability to configure multiple destinations (session-targets) on the same VOIP dial-peer. By default the sort order is the preference defined in the server-group entries. Round-robin hunting can be employed by using the command hunt-scheme round-robin. Server-Groups were added in IOS 15.4(1)T and IOS-XE 3.11S.

Note: The maximum number of entries is 5 per server-group.

Full Documentation

Configuration Example


Destination Server Group and OPTIONS keepalive

It is worth noting that Server Groups do not follow normal Out-of-dialog OPTIONS Keepalive mechanisms. They utilize a feature called an option-keepalive profile. This allows the gateway to monitor each call agent defined in the specific server-group.

Option-keepalive Example with Server Group


POTS Trunk Groups

Trunk Groups are a collection of physical voice-ports with similar signaling capabilities. This is a feature which can be employed to reduce the total number of POTS dial-peers that need to be configured. Trunk groups were introduced into IOS in 12.1(3)T and are present in all versions of IOS-XE.

Full Documentation

Configuration Example:

Voice Class Tenants

IOS 15.6(2)T and IOS-XE 16.3.1 introduced voice class tenants which allows each tenant to have their own individual configurations. A tenant can be an Telephony Provider, Cisco Unified Communication Manager (CUCM), or any other 3rd Party Call Agent an administrator would like have specific global settings for. First an administrator creates a voice class tenant and defines the parameters. The voice class tenant is then applied to the specific dial-peer or choice. This new configuration gives administrators another level of control over calls beyond dial-peers and global configuration.

Full Documentation:

Normal Order of Command Preference without Tenants

  1. Dial-peer command
  2. Global command (voice service voip and sip-ua)

Order of Command Preference with Tenants

  1. Dial-peer command
  2. Tenant command
  3. Global command (voice service voip and sip-ua)

Multi-Tenant Configuration Example

We have two tenants 777 and 999. We have configured them with slightly different configurations and applied them to our dial-peers. This means that calls using the different dial-peers have the dial-peer based configurations as well as the tenant specific configurations. The options below are only a snippet of the power of voice class tenants. Refer to the documentation to see what all can be configured on a tenant. It is recommend to employ strict matching mechanisms like voice class uri or tagging numbers with certian number strings to sperate tenant dial-peer matching, or even configuring VRFs so that Tenant A never overlaps with Tenant B and accidently matches a dial-peer they should not.


Currently there are no individual commands to see voice class tenant configurations. The following command should be sufficient for filtering the running config to just the tenant information.

ILS URI Calls CUBE (voice class Route-String)

Route Strings are used with CUCM Intercluster Lookup Service (ILS) and can be configured to allow Cisco Gateways to route VoIP calls via the route-string included in the SIP INVITE received from a CUCM 9.5+ running the ILS service. This feature was added in IOS 15.3(3)M and IOS-XE 3.10S. Most ILS connections are CUCM to CUCM and administrators don’t bother involving a CUBE for intercluster trunking. However if we need to perform the function with CUBE in the middle the options are there.

Full Documentation:

Configuration Example: CUCM – SIP – CUBE – SIP – CUCM



Legacy Call Routing Techniques

The items covered in this section are considered legacy techniques. While the ability to configure these are still present within a Cisco Gateway it is not recommended to make use of these commands in modern configurations. This document only cover them because they could be encountered while working with legacy configurations or when performing upgrades.


DNIS-maps could be considered the precursor for what would now be an E164-pattern-map. DNIS maps were added to IOS in 12.2(2)XB and have always existed in IOS-XE.

If  there are DNIS-maps configured it would be worth converting them to the more robust e164-pattern-map feature.

Command Syntax

Configuration Example:

Trunk Group Labels

Trunk Group Labels were added in IOS 12.2(11)T and exist in all IOS-XE Versions. The purpose of a trunk-group-label is similar to a Carrier-ID in the sense that it can be used to augment the matching of dial-peers. This is available for configuration within POTS trunk groups, VOIP and POTS dial-peers as well as voice source groups. The use of Trunk Group Labels rarely seen in modern Cisco Gateway configurations.

Command Syntax

Configuration Example:

Numbering Type

With ISDN Q.931 integrations there exists the ability to match a dial-peer based on the calling or called number as well as the specific ITU number type from the Q.931 SETUP messaging. This is configurable via the numbering-type command on a VOIP or POTS dial-peer. Numbering-type cannot be used alone and must be used in conjunction with destination-pattern, answer-address, or incoming called-number. This means both the condition of the inbound / outbound matching statement AND the number type must match to be a success for the dial-peer to be considered for inbound and outbound call routing.

Numbering-match can be thought of as a dial-peer filtering mechanism rather than a matching mechanism. This is because a dial-peer with and without a numbering type command applied are considered the same default preference weight if no administrator preference is applied. This is unlike carrier-id which, when applied to a dial-peer along side other matching mechanism, adds preference to that dial-peer over others if both conditions are true.

Numbering Type matching was added in IOS 12.0(7)XR1 and is present in all IOS-XE releases. With the decline of traditional POTS ISDN lines being deployed in Collboration networks the use of numbering-type is rarely seen in modern deployments.

Command Syntax

Configuration Example:

This dial-peer can match 4085150000 through 4085159999 only if the ISDN number type is National

Possible Number Types:

Abbreviated Abbreviated representation of the complete number as supported by this network
International Number called to reach a subscriber in another country
National Number called to reach a subscriber in the same country, but outside the local network
Network Administrative or service number specific to the serving network
Reserved Reserved for extension
Subscriber Number called to reach a subscriber in the same local network
Unknown Type of number is unknown by the network

Dial-peer Data

Data Dial-peers were introduced in IOS 12.2(13)T and the useful of such dial-peers was for incoming data modem calls on a Cisco Gateway. This dial-peer is only for use in the inbound direction and rarely seen in modern deployments.

Command Syntax

Configuration Example:


URI and Digit Manipulation

At some point in a collaboration deployment an administrator may need to manipulate digits or a URI / SIP Header. Cisco Gateways have numerous methods for digit manipulation which allows an administrator complete control over how and when a digit should be manipulated. However, this can be daunting to some as they are overwhelmed with the different options OR the administrator doesn’t know an option exists.

Digit Manipulation via POTS Dial-peers

POTS dial-peers have a few unique digit manipulations techniques unique to them that VOIP dial-peers do not have.

The first is the stripping of explicitly defined left-justified digits in a destination-pattern. This can be disabled by using the command no digit-strip on the POTS dial-peer.


In this example we have defined 9011T as the string for the destination-pattern.

With this in place we receive a call for 90113227045555. This matches our dial-peer for outbound call routing and the explicitly defined digits of 9011 are stripped off before the call is routed out the voice-port.

The following example shows a configuration with no digit-strip in place.

If the same number is called the 9011 is sent

The second is the ability to specify how many digits we would like to forward on the POTS dial-peer.

Take the following example where we receive a call for 918005532447 from CUCM. In this situation we want to remove the 9 but send the rest of the number starting with the 1.

If we configure the forward-digits command on the POTS dial-peer we can specify exactly how many digits we send.

Lastly, POTS dial-peers can make use of the prefix command to add digits to a call before routing out the voice-port. The following example strips off the explicitly defined 91 and prefix 007 to the number before sending the call out the voice-port.

Digit Manipulation via Voice Translation Rules and Profiles

Voice translation-rules are regular expressions (regex) used to transform digits. Translation-rules and Profiles were added to IOS in 12.0(7)XR1. A translation-rule us applied to voice translation-profiles which are then applied to a dial-peer or voice-port. Translation-rules contain a match input and a modification output. Along with the match input on the number there is a match and modify input for the ISDN plan and type. The combination of match number string, plan and type is considered an AND match. This means all match inputs defined must be true for the translation to take place.

Translation-rules have the ability to change Called, Calling, redirect-called, redirect-target, and callback-number in ISDN, SIP, and H323 signaling protocols. Translation-rules match based on a top-down search so order of the rules is of utmost importance. If a match is found in a higher rule the gateway immediately stops searching and process the translation. Translation rules cannot change non-numeric sip headers such as “testuser@”. For this manipulation please utilize a SIP profile.

Transition-rules can be used to block calls on Cisco Gateways.

Translation-profile Selection Preference

  1. Incoming voice translation-profile on the voice-port
  2. Incoming voice translation-profile on Trunk Group applied to Serial Interface
  3. Incoming voice translation-profile on the inbound dial-peer
  4. Incoming voice translation-profile defined via voice service pots
  5. Outbound voice translation-profile defined via voice service pots
  6. Outbound voice translation-profile or translate-outgoing on the outbound dial-peer
  7. Outbound voice translation-profile on Trunk Group applied to Serial Interface
  8. Outbound voice translation-profile on the voice-port

In addition to dial-peer regex and wilcards translation-rules have their own regex characters.

Character Definition
* When used in translation-rules this is regex for 0 or more of the previous character.

To match a literal * use an escape character: \*

\ Commonly used to escape sets in translation rule \( \)
& Ampersand is used to bring over anything matched in the initial match set for the modification set
( ) Items wrapped in parenthesis are considered a set.
^ Defines the explicit start of a string.

Unlike dial-peers translation-rules do not define the start of the string.

This means defining a string without a ^ can possible match anywehre in the input string which may lead to unwanted translations in the middle of a number.

Modification Sets

  • Sets are specified as \0, \1, \2, etc.
  • \0 matches anything in between the first match-set. This can also be accomplished via an ampersand character: &.
  • \1 matches the first set of ( ) in the match-set
  • \2 matches the second set of ( ) in the match-set
  • So on and so forth.

Translation-rule example with two sets

In this example we examine the number 000111000222.

We want to remove the 0s from the number and realize a final number of 111222.

To do this we configure set 1 and 2 to grab the 111 and 222 respectively while dropping the 0s.

Example to strip the 9 out-dial pattern from a called number

Truncating Called Number to 4 Digits

Stripping Plus + From the Called Number

Translation Rules can also be applied directly to a dial-peer without first being applied to a translation-profile.

Translation Profile on Trunk Group

Debugging Voice Translation Rules and Profiles

Digit Manipulation via ISDN Maps

ISDN MAPS are an older technique for modifying digits. This was added in IOS 12.0(6)T and most new configurations don’t utilize this feature as they are not as robust as voice translation-rules and profiles. ISDN Maps are defined under the Serial interface.

Configuration Example:

Digit Manipulation via Number Expansion (num-exp)

Like ISDN Maps Number Expansion is an older technique added in IOS 11.3(1)T and not used much in new networks. This feature was added before voice translation-rules and profiles existed. Number Expansion is a global change of digits applied to all dial-peers on a Cisco Gateway. The modification is applied to the called number AFTER the dial-peer has been matched and right before the call is sent to the next call-agent.

Configuration Example:

Inbound / Outbound SIP Profiles

SIP profiles are robust Regular Expression (regex) Match statements which allow an administrator to change any aspect of a SIP message including SDP and SIP headers. These can be enabled globally, per dial-peer or per tenant. SIP Profiles are available for inbound modifications starting with with IOS 15.4(2)T and IOS-XE 3.12S . Since SIP profiles are so robust that this document only cover a few specific examples.

Key Points about inbound versus outbound SIP Profiles

  • Inbound SIP Profiles change the message BEFORE the CUBE processes the message for call routing.
  • Outbound SIP Profiles change the message AFTER the CUBE has processed the call routing and before the message is sent to the next hop.

Other notes about sip-profile Configuration: 

  • SIP Profiles cannot manipulate m=image SDP attributes. The enhancment for this was filed under CSCsr20474 . Additionally SIP profiles cannot remove or add values to SDP. We can only modify these values. However it is possible to modify an SDP value into a null value by specifying the entire value then setting the output to a set of empty quotes without a space.
  • There are no checks performed to see if the current command being entered already exists or a version of that command already exists when entering commands within voice class sip-profile. If an administrator pastes a line 7 times into a sip-profile it displays 7 times in the running configuration. It is advised to remove the command being modifed and then enter the new command when editing sip-profiles to avoid multiple commands being present.

Full Documentation

SIP Profile Testing Tool:

Inbound/Outbound SIP Profile Example Syntax

Outbound SIP Profile Application Methods

Inbound SIP Profile Application Methods

Please note: It is required to enable “sip-profile inbound” under voice service voip sip whether the global application or dial-peer application is used.

Example SIP Profile to modify Host, Domain, or both portions of a URI

Example SIP Profile to add, modify, or remove Diversion headers

Example SIP Profile to modify Caller ID Name portion of SIP headers

Example SIP Profile to change a 183 Session In Progress to a 180 Ringing.

Example SIP Profile for one-way or no-way audio interoperability with a provider

Example SIP profile to remove UPDATE method for interoperability issues.

Example SIP Profile showing SET use within SIP profile. This is the same concept of Sets described within the voice translation-rule section.

Configurating IF logic and newline breaks with a SIP profile.

Newline breaks are supported in SIP profiles however there is only one very specific use case for these. Since SIP profiles do not have any IF, Then, Else logic there is now way to perform modifcations to one header based on an input from another header. I.e  an administrator only want to modify a diversion header if the FROM header contains Utilizing the newline break we can “spoof” the IF statement within a SIP profile. See the example configuration below: We match 1234 at any domain in the From header. Then we bring over the first set and add a new line break “\x0D\x0AD”. Finally we add the header we want. See that this method only allows us to ADD a header. There is no way to modify another header. So this only partially meets the requirements an administrator wanted to achieve above.


SIP Copylist

SIP Copylist are an extension of SIP Profiles which allows the gateway to COPY a header from the in-leg of a call and then PASTE to another spot in the egress SIP message on the out-leg. SIP Copylist support was added in IOS 15.1(3)T and IOS-XE 3.6S. This is bery powerful way of creating dynamic headers based on other headers from the in-leg of the call.

The most common use-case is dynamically copying a FROM header to a different header like diversion or p-asserted-id so that the value of the user portion is the from user. This is mostly done for authentication as well as caller ID purposes.

Full Documentation

SIP Copylist Example

Debugging SIP Profiles and Copylist

Debug Output From the Example SIP Copylist

Special Notes

Protocol Signaling and Media Binding

All Signaling protocols allow administrators the ability to bind the signaling to a specific interface. By default a gateway without a static defined binding the gateway sources the signaling for a call from the physical interface the packet traverses. With binding on a dial-peer the packet features source headers, messaging, and packets from the specified interface but the actual packet still routes over the physical interface. Dial-peer binding always supersedes voice class tenant and global voice service voip binding with Session Initiation Protocol (SIP).

Many times administrators bind signaling to a loopback. This being a logical interface means no packets traverse this interface. In order to perform packet captures the cpature must be performed on a physical interface. The command show ip cef <remote-ip> displays the physical interface a packet utilize to route to the destination / remote IP even if it is bound to a virtual interface.

Media and signaling binding do not always need to be the same IP. If we need to bind to a specific interface for signaling to / from a CUCM but the audio / media between the phone and the gateway may need to bind to another interface.

Configuration Example

This example shows a dial-peer bound to loopback 1 and it receives a call from CUCM.
Even though the media and signaling (control) are bound to loopback 1 the show ip cef command shows that any packets sent to CUCM leave on the physical interface GigabitEthernet0/0/1.

SIP Binding

MGCP Binding

SCCP Binding

 H323 Binding

DNS and VoIP Dial-Peers

DNS with VOIP is employed just any other DNS solution. A common configuration is to utilize session target

A Cisco Gateway performs a DNS Resolution even when no ip domain lookup is configured globally on the gateway. This means that even though we are disabling DNS the VOIP dial-peers still resolve the DNS entry. However recently in IOS-XE 3.16S there was some changes to the overall DNS functionality within IOS-XE platforms.

After this change dial-peers configured with session target now obey the fact that DNS is disabled with no ip domain lookup.
I recommend always ensuring the command “ip domain lookup” is configured when working with DNS to avoid this issue.

Testing 3.15S and Below

Testing 3.16S and Above

Maximum Connections and Bandwidth

By default VOIP and POTS dial-peers allow for unlimited connections (calls) and bandwidth (VOIP dial-peers only). For trunks that have a limit on the number of calls or bandwidth that can be utilized it may be useful to employ the max-conn or max-bandwidth commands. max-conn was added in IOS 11.3(1)T and is present in all IOS-XE version while max-bandwidth was added in 15.2(2)T and IOS-XE 3.7S

Configuration Example:

Below we are telling the gateway to limit dial-peer 1 to 30 calls using “max-conn 30”.
Dial-peer 2 is limiting bandwidth for that dial-peer so that we do not go over the allocated limit.


Direct Inward Dial (DID)

One-Stage Dialing

With Direct Inward Dial enabled on POTS dial-peers the inbound messaging should contain all the digits necessary to route the call. The Cisco Gateway should not do subsequent digit collection. When the router or gateway searches for an outbound dial peer, the device uses the entire incoming dial string. This matching is variable-length by default. This match is not done digit-by-digit because by DID definition, all digits have been received. This is the default configurations for POTS dial-peers.

Full Documentation

Configuration Example:


Two-Stage Dialing

IIf the incoming POTS dial-peer is configured with no direct-inward-dial the router or gateway enters the digit collection mode (digits are collected inband). Outbound dial peer matching is done on a digit-by-digit basis. The router or gateway checks for dial peer matches after the device has received each digit and then routes the call when a full match is made.

Configuration Example:

Blocking Calls

Each protocol handles call blocking a bit different. Most protocols can make use of the translation-rule reject pattern which blocks based on a digit string.

Configuration Example:

If an administrator wants to still apply an inbound translation-profile for normal digit manipulation but not block any numbers within there is an option of implementing a call-block using the call-block translation-profile command.

Within E1 R2 there exists the ability for an administrator to block Collect Calls. This is mainly seen and employed in Brazil deployments but can be configured via any cas-custom group.

The two options are:

  1. Block the incoming collect call based on the category II-8 which is recieved from the telco switch. This is the default mechanism and all Cisco Gateways perform this without any configuration. This method of blocking requires a newer telco switch which supports category based marking. To disable this method use the command collect-call-enable on the cas-customer group
  2. Utilize the double-answer feature on an r2-digital E1 R2 cas-custom group. The double-answer configuration disables the category based blocking and replace it with the double-answer feature. This works by first answering the incoming call and starting a 1 second timer. After 1 second the gateway sends a release in the form of a CLEAR BWD command. The Telco should then send a CLEAR FWD to the gateway and the call should disconnect. A timer starts after the gateway sends the CLEAR BWD and if this timer expires the gateway sends another ANSWER signal thus assuming the call is not a collect call and from here the call proceeds as normal. This timer can be coinfigured using  cc-reanswer-to within the the cas-custom group.

Double-Answer Configuration Example

Double-Answer Debugs (debug vpm signal)

ISDN overlap-receiving

There are implications for inbound dial peer matching when the isdn overlap-receiving command is configured on ISDN interfaces. After every digit is received at the ISDN layer, dial peers are checked for matches. If a full match is made, the call is routed immediately (to the session app in this case) without waiting for additional digits. The ‘T’ terminator can be used to suspend this digit-by-digit matching and force the router or gateway to wait until all digits are received. The ‘T’ refers to the T302 interdigit timer at the ISDN level, configurable under the serial interface associated with the ISDN interface. ISDN also provides other mechanisms to indicate the end of digits, such as setting the Sending Complete Information Element (IE) in Q.931 information messages.

Empty Called Number

The Warning message shown below, displays when dial-peer is configured with incoming called-number T

Sample Output:

Special Notes about incoming dial-peer match with an empty called number:

  • A “null” called-number is considered “less” qualified compared to a voice-port and/or in some cases answer-address. Therefore, a match based on a “null” called number can occur ONLY if there is no match based on either answer-address or port-number.

  • In case of overlap dialing, a “null” called number does not match “incoming called-number T” because timeout has not occurred.

  • A “null” called-number can match “incoming called-number T” only in case of ENBLOCK and there is no match either because of answer-address and port-number. The warning displayed see when an administrator configures “incoming called-number T” refers to this specific case.

Class of Restriction

Class of Restriction is a way to limit calls on a Cisco Gateway. COR is often described as a lock and key mechanism. Locks are assigned to dial peers with an outgoing COR list. Keys are assigned to dial peers with an incoming COR list. When COR Lists are applied the available outbound dial-peers are those that the key can unlock. This filtering occurs before the rest of the outbound dial-peer matching methods are then checked.

Two important rules with Class of Restriction:

  1. If there is no outgoing COR list applied the call is always routed
  2. If there is no incoming COR list the call is always routed

Configuration of Class of Restriction (COR), Logical Partitioning Class of Restriction (LPCOR), and LPCOR with Forced Authorization Codes (FAC) are beyond the scope of this document but the following documents can be referenced for further reading.


Cisco Unified Communications Manager Express (CUCME) Dial-peers

CME creates system dial-peers for ephones and voice register pools. These cannot be seen in the running config. To make changes to the CME dial-peers the changes need to be done on the actual ephone or voice register pool. When viewing show dial-peer voice summary outputs the dial-peer starting with 2000 are SCCP ephones and dial-peers starting with 4000 are SIP voice register pools. This dial-peer shows up as the inbound dial-peer for calls from CME registered phones and the outbound dial-peer in debugs for call to CME registered phones.

Example Output for show dial-peer voice summary with CME

Example output for show voice register dial-peers with SIP CME

MGCP and SCCP with Dial-peers

MGCP and SCCP follow their own rules for dial-peers. The only concept they utilize is that they must be configured with the desired voice-port for the call. The rest is handled by the STCAPP and MGCPAPP process. When we examine the configuration of these dial-peers they either have the command “service mgcpapp” or “service stcapp”. These enable the dial-peer for the application of choice as well as tell the application which dial-peer it should handle.

When debugging these protocols the output never displays an inbound dial-peer match. This should always show as dial-peer 0. Because it doesn’t exist. The Call Agent handling the application has already chosen which port to send the call to and inbound dial-peer matching is useless since the gateway has no control over that leg of the call. However an outbound dial-peer match can be observed. This is merely for show as ultimately the call agent handling the process has control over that side of the call as well.

Remember, the dial-peer only tells the application of choice which physical voice-port to control. Since the majority of this is controlled by an external call agent and the gateway is just does what it is told we are going to be skipping the underlying “how to” on this section and provide a few configurations to get started.

Sample MGCP configuration [with CUCM Auto-Configuration*]:

Full MGCP Documentation:

Sample SCCP / STCAPP Configuration [with CUCM Auto-Configuration*]

Full SCCP Documentation:\_vg204/software/vg2\_vg4\_scg/vg2\_vg4\_voip.html

* If an administrator does not want CUCM to configure the gateway simply remove the “ccm-manager” commands. We have included the dial-peer configuration to drive home the point about how the concept works. With ccm-manager configurations present CUCM creates these dial-peers based on the port configuration in CUCM so there is no need to actually define the dial-peer. The CUCM created dial-peers usually start with 999 and are then three more digits.

Call Routing Troubleshooting and Verification


General Debugs

Advanced Debugs*

Show Commands

All Calls debug voip ccapi inout

debug voip dialpeer default

debug voice translation

debug voip application all

debug voip ccapi all

show dial-peer voice summary

show dial-peer voice <dial-peer-id>

show dialplan number <number>
show call active voice compact

show call active voice brief

show call history voice brief

show call history stats cps

show voip rtp connection

show run dial-peer sort

SIP debug ccsip messages

debug ccsip info

debug ccsip feature <feature-name>

debug ccsip non-call

debug ccsip error

debug ccsip verbose show cube status

show sip-ua status

show sip-ua calls brief

show sip-ua register status

show sip-ua connections tcp detail

show sip-ua connections udp detail

show sip-ua statistics

ISDN debug isdn q931

debug isdn q921

debug isdn events

debug isdn standard
debug isdn mgmnt
debug isdn events detail
debug isdn mgmnt detail
show isdn q931

show isdn service

show controller t1

show controller e1

show voice dsp group all

H323 debug h225 asn1

debug h245 asn1

n/a n/a
MGCP debug mgcp packet

debug ccm-manager backhaul events

debug ccm-manager backhaul packets

n/a show mgcp

show mgcp endpoint

show ccm-manager

show tcp brief

SCCP debug sccp messages

debug voip application stcapp all

debug sccp all show sccp

show stcapp device summary

show ccm-manager


(FXS / FXO / E&M / E1 R2 / T1 / E1)

debug vpm signal

debug voip vtsp session

debug vpm all

debug voip vtsp all

show voice port summary

show voice call summary

show voice dsp group all

* Advanced debugs are resource intensive and may impact performance of CPU and Memory if they are enabled while there are a lot of calls. Even with no calls a gateway may become non-responsive. it is recommended to run these after-hours, during a change window, or when there is no load on the Gateway unless you are with Cisco TAC.

TAC Authored

Contributed by Cisco Engineers

  • Kyzer Davis, Cisco TAC Engineer

SSDs (Solid State Drives) use NAND flash chips. Each of these chips contain millions of cells with limited number of write cycles. There are different types of NAND flash chips in use today with different characteristics as follows:

SLC (Single Level Cell)

– highest performance, at a very high cost, enterprise grade NAND
~ 50-100k P/E (Program/Erase) cycles per cell, highest endurance
– lowest density (1 bit per cell, lower is better for endurance)
– lower power consumption
– faster write speeds
– much higher cost (3+ times higher than MLC)
– good fit for industrial grade devices, embedded systems, critical applications.

eMLC (Enterprise Multi Level Cell)

– good performance, aimed at enterprise use
~ 20-30k P/E cycles per cell, great endurance
– high density (2 bits per cell)
– lower endurance limit than SLC, higher than MLC
– lower cost
– good fit for light enterprise use and high-end consumer products with more disk writes than MLC.

MLC (Multi Level Cell)

– average performance, consumer grade NAND
~ 5-10k P/E cycles per cell
– higher density (2 or more bits per cell)
– lower endurance limit than SLC/eMLC
– lower cost (3 times lower than SLC)
– good fit for consumer products. Not suggested for critical applications which require frequent updates of data

TLC (Three Level Cell)

– lower performance, lowest cost NAND
~ 1-5k P/E cycles per cell
– highest density (3 bits per cell)
– lower endurance limit than MLC and SLC
– best price point (30% lower than MLC)
– somewhat slower read and write speed than MLC
– good fit for lower-end consumer products. Not recommended for critical applications which require frequent updating of data

3D Vertical NAND

– newer TLC NAND with different architecture, larger geometry and much higher endurance than TLC
~ 1-10k P/E cycles per cell
– faster and more reliable than TLC
– uses less power than TLC
– performance and P/E cycles comparable to MLC

Generally, SLC drives are traditionally the fastest, most reliable and most expensive drives available, usually used in the enterprise because of their considerably higher cost. Both MLC and TLC are widely used consumer grade memory, with MLC being better in terms of endurance. Newer 3D NAND TLC is comparable in performance to MLC drives, with even better price point.

The move from 34nm to 25nm (and then to 19nm) has generally reduced the NAND PE lifespan – on 34nm each cell was rated for 5-10k PE cycles, on 25nm this drops down to 3-5k. On 19nm TLC NAND it varies a lot, but it can drop down to as low as ~1k estimated PE cycles.

NAND Endurance ratings for common/older SSDs:

  • ADATA (S511) – 5k PE cycles, 25nm
  • Corsair (Force 3/GT) – 3k PE cycles, 25nm
  • Corsair (Performance 3) – 5k PE cycles, 32nm
  • Crucial (M4) – 3k PE cycles, 25nm
  • Intel (SSD 320) – 5k PE cycles, 25nm
  • Intel (SSD 510) – 5k PE cycles, 34nm
  • Kingston (HyperX) – 5k PE cycles, 25nm
  • Mushkin (Chronos) – 5k PE cycles, 32nm
  • OCZ (Agility 3, Vertex 3, Solid 3) – 3k PE cycles, 25nm
  • Patriot (Pyro) 3k PE cycles, 25nm
  • Plextor (PX-128M2S/P) 5k PE cycles, 32nm
  • Samsung (SSD 830) 5k PE cycles

Larger TLC drives may yield similar longevity as smaller MLC drives, considering you can average out the wear over higher number of cells.
Over-provisioning (OP) is sometimes used to increase drive endurance by setting aside free space that is inaccessible by the user for controller swap space.
To improve SSD endurance, one can leave at least 10-20% of free space to simulate over-provisioning. This can also be achieved with formatting to a lower capacity.
Even with low PE cycles NAND, endurance of most modern SSDs is over 10 years of typical use.

My current SSD favourites for a ZFS tank:

  1. HGST Ultrastar SS300 SAS SSD
    Be aware there is a MLC NAND (HUSM*, higher IOPs, higher write throughput) and a TLC NAND (HUST*, lower IOPs, lower write throughput) version
    Product ID: 0B34897 (HUSTR7696ASS200)
  2. Toshiba PX05 960GB
    Product ID: PX05SRB096
  3. HGST Ultrastar SS200 SAS SSD
    Product ID: 0TS1396