AT&T IP Flex implementation

  Several years ago I did my first Asterisk/AT&T IP Flex implementation and it was pretty challenging. At that time I did a little write up for the community at large, basically a “how-to” http://pbxinaflash.com/community/index.php?threads/how-to-at-t-ip-flex-trunk-configuration.9155/

  Recently I did my ninth implementation and had a pretty tough time because this one presented some challenges with V-LANs and multiple gateways. At one point (after they had been offline for several hours) the customers’ network tech said “Hey, let me Google for some help on this” and entered “Asterisk AT&T IP Flex” into the search bar and said “Great, the first link is a how-to!” he clicked on it, looked at it for a minute and said “isn’t that your picture?” and when I confirmed that I had written it, he said “uh-oh, if the guy who wrote the number one Google returned article on this can’t get it to work, we’re in trouble.”

  Whenever you’re done laughing at me we can continue this article… go ahead, get it out of your system…

   O.K. then, moving on; AT&Ts’ IP Flex (Flexible Reach, Business-In-a-Box, whatever the rep is selling it as that day) is a good solid VOIP SIP service. Once you get it working it just works continuously day-in day-out with great call quality and reliability.

  The product is great… getting to the implementation and then getting through the implementation is the tough part. Whenever a customer calls me and says “AT&T called me and wants me to replace my PRI with their VOIP product. They will include high-speed internet in the package for a total that saves about 10% per month!” I have a little speech I make;

  “AT&T wants to get out of the traditional trunk business and go all VOIP, so do all the carriers, it’s a natural technological progression, a good thing and it’s going to happen across the board eventually. AT&T has a good VOIP product. BUT, if you go forward with them be prepared to exchange a minimum of forty emails, fill out several electronic forms (that will largely not make sense) and have at least four conference calls with four-five (revolving) AT&T people… just to get to the implementation.

   The sales Rep. will tell you this will take sixty to ninety days… it will really take at least one hundred fifty days to eleven months, with at least two or three AT&T technician visits to your site. On the cutover day, (working with remote AT&T techs over the phone) something will be wrong i.e. they won’t be ready to port your numbers, or the DIDs they are providing won’t be in the right area code/exchange… you will have to stop and reconvene for another attempt… probably sixty to ninety days later.

   When you finally get it working, and it will probably be a four to 10 hour technical marathon to make that happen…. It. Will. Work. Great.  But then the “Billing Odyssey” begins; because nothing happened on schedule, except the billing initiation, you will be paying for two services overlapping for several months or more. You will probably spend the rest of your initial contract period with them (2-3 years) trying to sort this out. Oh and by the time you enter this phase you will have a new Rep. as the old one will have transferred, been fired or otherwise became unavailable at some point in the saga.”

   Now, after the above speech you would think most people would start looking for an alternative… but notice I said I have now done nine of these implementations even with my warning speech on the last few; maybe I’m just not that believable…

Implementation Scenarios:

   The most common scenario you will find is replacing existing AT&T trunks; PRI or POTS, and the first thing AT&T will want to do is what they sometimes call “Business-in-a-Box”. They will bring in an internet connection (1.5MG up to 50MG depending on availability) install a Cisco router/gateway with PRI or POTS outputs in it. This device basically connects back to the AT&T SIP service and then translates the signal to PRI or POTS signals delivered to the site phone system… and this seems to work pretty well for a phone system that has that type of connectivity.

   If you have an Asterisk system (or other that does SIP natively) that doesn’t make much sense. In essence you are getting a SIP/IP signal that is converted to PRI/POTS then hops through a patch cable to a device in/attached to the Asterisk box to de-convert it back to a digital signal that Asterisk can use…. So two conversions in 4-10 feet when your Asterisk server can connect to the SIP service directly in the first place.

   Whichever way you go, AT&T manages the VOIP QOS over the WAN for you and that is a good service (you are still on the hook to manage QOS on your LAN). Generally when AT&T offers this service they also offer to deliver the internet bandwidth in excess of VOIP needs to the LAN. Though in six of the nine I have done, the pricing worked out that the customer went with the minimum T1 from AT&T and kept a cheaper/faster connection for general LAN internet access, at least they always had the T1 available to switch to if their main internet access went down. You must have an internet circuit from AT&T they do not offer their VOIP/SIP service as (BringYourOwnBroadband) at this time.

Actual VOIP/SIP Implementations:

   Before your “cutover” date, AT&T will have installed/tested the internet circuit and router and provided the customer with their “Information Packet” here is a redacted example. This document has the IP addresses to reach the AT&T system (they call them “border elements”) Circuit ID for the internet circuit and a whole host of other information you won’t need or be able to make sense of (keep it for the IP addresses and circuit ID).

   If you are adding the AT&T service to your existing network as a secondary gateway device you will need to give the AT&T tech a static address/mask in your LANs range to assign to the Cisco router/gateway. He will also need to know the address of your Asterisk server (these two addresses must be in appropriate LAN segments to be able to communicate). Then reconfigure the NIC on your Asterisk server to use the IP address you gave to the AT&T gateway LAN port as its default gateway. This makes your server go through AT&T every time it goes to an outside address… in particular when it sends a call to the AT&T “border elements” (IP addresses) so your outbound calling is ready to go. As for inbound calling, that is up to the AT&T tech and why he asked for the address of your server. AT&T delivers the calls to the outside address of the Cisco router they installed and the tech puts a rule in place in that router to deliver calls to your server.

   Create two trunks (one using each of the “Border Elements” AT&T assigned) with both outgoing and incoming peer settings like this;

   You don’t need to enter any registration string the SIP trunk from AT&T doesn’t use any credentials other than IP addresses and router ID. The incoming settings part is primarily to identify the incoming calls as permitted so you can leave your “Allow Anonymous Calls” system setting to “No” and also for tracking purposes in the logs. The settings shown reflect what I have had best luck with regarding DTMF and reliable hand-off.

   Now for a more challenging implementation. One in which for some reason you need to keep the Asterisk server pointed to the original network gateway and add a secondary gateway to its routing table. This might be because the AT&T tech tells you “we are not allowing internet access via the Cisco gateway due to policy”… when you hear “policy” from an AT&T tech, just give up and start looking for a work-around, even if this policy doesn’t match the last four times you have done the exact same thing… you won’t overcome it.

   This happened in the last implementation I did and the Asterisk server needed to see the internet to send voice-mail-to-email, access a remote NTP system, get system updates and, of course, be accessed remotely for system support. None of which was going to happen through the new AT&T circuit… only VOIP calls… “policy”. In that case the customer was also separating the phone sets onto one V-LAN and data access onto another, so we needed to have the server access both. That allowed the phones to attach and users to access the ARI (user/voicemail) GUI and also administrative access to the server.

   So, dual gateways on the same Linux server… a WARNING here; Centos will allow you to add a second default gateway on a server, it looks like this:

And it screwed things up royally. Calls didn’t know which gateway to use outbound and the system started running erratically and crashed… YOU SHOULD NOT DO THIS.  From the guy who did it…

   In the above example (which I copied live from a system I was implementing AT&T IP Flex on) the server had two NICs in two different IP ranges. One each for two V-LANs; 1 and 5, Each NIC was connected to a dedicated V-LAN port on the network switching system, V-LAN 1 being the data (192.168.1.xxx eth1) and V-LAN 5 being the VOIP (192.168.5.xxx eth0). The LAN port on the AT&T Cisco router was connected to a dedicated V-LAN 5 port (using an appropriate static IP address) and the phones and PCs were connected to V-LAN ports that defaulted to V-LAN 1 but delivered tagged V-LAN 5 packets.

   The phones actively pick up V-LAN 5 packets but route V-LAN 1 out their PC ports… hence a phone could be plugged into a port, connect via V-LAN 5, pick up its IP address in the appropriate range and connect to the Asterisk server. A PC then could be plugged into the PC port of that same phone and only see V-LAN 1, pick up its appropriate IP address and access the data services/domain, etc.

   The answer to get this working correctly was to route outbound calls via the AT&T “Border Elements” to a specific gateway on V-LAN 5. And the commands that accomplished that in this case were:

One for each border element IP address range, giving me a final route table that looked like this:

With the above configuration calls began to flow in/out correctly.

------------------------------------

   I should warn you that the above two examples reflect only about four of the implementations I have done and that there has been a wide variation in how the different AT&T techs wanted to configure things on the Cisco router/gateway. These include; “Solid firewall with nothing through but VOIP from AT&T”, “wide-open with nothing blocked (Lock down your server!?!?!)” and in one instance the tech required me to hand off outgoing calls to an IP address within the Cisco that did not match its LAN or WAN address ranges or the border elements (I struggled with that one).

   So…. be prepared to be “flexible”….

This is the AT&T document on AT&T/Asterisk SIP Trunk Compatibility Testing that their techs will often point you to. It does have some pertinent info in it, but is dated, harkening back to Asterisk 1.4 from 2008

Things I have had to do to get it to work.

1.     NAT  This trips up Asterisk/SIP implementation a lot. Depending on your network configuration and that of the AT&T installed Cisco router/gateway you may have to make changes to these settings. Now that most Asterisk Distros include the “Asterisk SIP Settings” module that is a lot easier.

Again, because this depends on your individual circumstances I can’t tell you how to set it. But… the options are obvious. You might try a simple “no” first… then maybe click the “Public IP” and test. Try entering the systems LAN address as “Static IP” External, etc.. etc…

2.     Reboot   After changing multiple system settings, particularly regarding routing, NICs etc. a reboot is always in order (it also gives you time to think while everyone is waiting for it to come back up… think hard.)

3.     Video Support This setting in that same “Asterisk SIP settings” module will definitely cause AT&T to fail outbound calls. Disable it… if you need it on some other trunk then just enable it within that particularly trunk.

4.     Wire Shark Have this (free) tool available and be prepared to tcpdump out to a pcap file to look at what is going on within your calls. This guy does a good video tutorial how-to on this subject.

5.     Add your own firewall Be prepared to put a quick firewall device between your Asterisk box and the AT&T Cisco router. I like to keep a DD-WRT router available; it’s cheap, flexible and lets you secure a network with hardware if you end up with a wide-open Cisco that passes everything through.