ResourcesWebex Calling — Local Gateway

// Study CardsReference Material

Webex Calling: Local Gateway

Study cards covering the Webex Calling Local Gateway (LGW) architecture — trunk types, capacity planning, Cisco IOS XE configuration patterns, TDM and UCM integration, E911, and the SIP registration flow. Built from Cisco official documentation for reference material.

// Card 01 - System OverviewLocal Gateway

What is it?

Webex Calling Local Gateway (LGW)

RoleBridges on-premises telephony (PSTN/UCM) with the Webex Calling cloud
PlatformCisco CUBE (IOS XE) or validated third-party SBC
SignalingSIP over TLS
MediaSRTP
PSTN modelByoPSTN: reuse your existing PSTN connection
MigrationGradual: coexist with on-prem UCM during transition

Prerequisites

  • VoIP knowledge — SIP, media protocols, basic troubleshooting
  • SBC familiarity — device platform being configured as LGW
  • Required licenses — to operate the SBC platform
  • On-prem UCM or PBX — if integrating with an existing environment
// Card 02 - Trunk ArchitectureLocal Gateway

Choose your model

Registration-Based vs. Certificate-Based

Registration-Based

Simple, fast to set up

  • Max 250 concurrent calls per trunk
  • Cisco CUBE only
  • Auth via digest: username + password
  • Works with dynamic NAT
  • No public DNS record needed
  • Supports automated troubleshooting via Control Hub connector
  • Min IOS XE: 17.6.1a (17.12.2+ recommended)
Certificate-Based

Scale + third-party SBCs

  • Supports 250+ concurrent calls
  • CUBE + Oracle, AudioCodes, Ribbon, anynode, Italtel
  • Auth via mutual TLS: LGW FQDN verified
  • Requires public IP or static NAT
  • Requires domain claim + DNS A or SRV record
  • Only option for Webex for Government (FedRAMP)
  • Min IOS XE: 17.9.1a
Cert requirementServer Auth EKU only — no wildcard certs. Some SBCs enforce Client Auth EKU; configure your SBC to accept Server Auth EKU alone.
Gov noteWebex for Gov: cert-based only. Must use FIPS-compliant GCM ciphers. Min IOS XE 17.12.1a. T.38 fax and STUN/ICE-Lite not supported.
// Card 03 - Operational ParametersLocal Gateway

Capacity tiers

Calling Capacity & Connectivity

250Max calls — Reg-based
2K–6.5KCalls, cert-based interconnect
2Media PoPs per gateway

Connection quality thresholds

Latency (1-way)100 ms max
Packet jitter10 ms max
Packet loss0.5% max
Network facingIPv4 only toward Webex Calling
PoP assignmentTwo geographically separated Media PoPs in same region, managed via DNS SRV

Trunk status — Control Hub

OnlineAll Webex edge proxies connected to LGW
OfflineNo connection between Webex Calling and LGW
ImpairedAt least one edge proxy cannot reach LGW
UnknownRecently added — connection still being established
// Card 04 - TDM PSTN IntegrationLocal Gateway

When to use this

TDM / ISDN PSTN Trunk

Use caseTDM/ISDN circuits (PRI) as the PSTN connection instead of SIP
ChallengeTDM-IP call flows require a two-leg routing model to enable media path optimization on the Webex call leg
Loopback peersDial-peers 10, 11, 12 create an internal IP hop between the Webex and PSTN legs
Routing tagsOver-decadic digits (A) added/removed via translation rules to guide calls and prevent loops

Translation rule logic

Webex direction (A1A tag)

voice translation-rule 200 rule 1 /^/ /A1A/ voice translation-rule 11 rule 1 /^A1A/ //

PSTN direction (A2A tag)

voice translation-rule 100 rule 1 /^\+/ /A2A/ voice translation-rule 12 rule 1 /^A2A44/ /0/

PRI interface example

card type e1 0 2 isdn switch-type primary-net5 controller E1 0/2/0 pri-group timeslots 1-31
// Card 05 - Unified CM IntegrationLocal Gateway

Architecture

Integrating Cisco Unified CM (UCM)

Role of UCMCentralized routing hub — all PSTN and Webex Calling calls route through UCM
Port splitTwo SIP trunk ports used to distinguish call direction from UCM
UCM configSet incoming port to 5065 in the Webex Calling SIP Trunk Security Profile in UCM

Port assignment

:5065UCM to Webex Calling — pattern :5065
:5060UCM to PSTN — pattern 192\.168\.80\.6[0-5]:5060

Local DNS SRV records (IOS XE)

A records for UCM nodes ip host ucmpub.mydomain.com 192.168.80.60 SRV — priority weight port host ip host _sip._udp.wxtocucm.io srv 0 1 5065 ucmpub.mydomain.com ip host _sip._udp.pstntocucm.io srv 0 1 5060 ucmpub.mydomain.com

Routing summary

Webex inbound (DP100) routes to DPG300 (UCM-Webex trunk). PSTN inbound (DP200) routes to DPG400 (UCM-PSTN trunk). UCM-Webex (DP300) routes back to DPG100. UCM-PSTN (DP400) routes to DPG200.

// Card 06 - E911 / Nomadic Emergency CallingLocal Gateway

Purpose

Geo-Location Header Pass-Through

Why it mattersPreserves caller location data (PIDF-LO) across the LGW so Nomadic E911 services receive accurate location info
Headers passedGeolocation-Routing, Geolocation
Body passedPIDF-LO (Presence Information Data Format — Location Object)
Apply toBoth inbound and outbound dial-peers

Configuration options

Global (all headers)

voice service voip sip pass-thru headers unsupp

Specific headers (voice class)

voice class sip-hdr-passthrulist 200 passthru-hdr Geolocation-Routing passthru-hdr Geolocation passthru-hdr-unsupp
Apply to dial-peers (inbound and outbound) dial-peer voice 100 voip voice-class sip pass-thru headers 200 For PIDF-LO body pass-through voice service voip sip pass-thru content unsupp
// Card 07 - Registration FlowLocal Gateway

What happens after config is pushed

Registration Flow (Registration-Based Trunk)

1

TLS Connection Initiated

CUBE initiates a TLS connection toward the Webex Calling access SBC

2

Certificate Presented and Validated

Access SBC presents its certificate. CUBE validates it against the Cisco root CA bundle (IdenTrust Commercial Root CA1) imported to the gateway.

3

Persistent TLS Session Established

Secure session established and reused for both registration and call processing via connection-reuse

4

SIP REGISTER Sent

CUBE sends a SIP REGISTER to the access SBC using the registrar configured in voice class tenant

5

401 Challenge Received

Access SBC responds with 401 Unauthorized. CUBE replies using credentials from the tenant: username, password, realm

6

SIP Profile Rules Applied

sip-profiles 100 converts SIPS URLs back to SIP in response headers as required by Webex proxies

7

200 OK Received — Registration Complete

Access SBC sends 200 OK. Control Hub trunk status updates to Online

// Download Individual Cards

// Card 01
System OverviewDownload HTML  ↓
// Card 02
Trunk ArchitectureDownload HTML  ↓
// Card 03
Operational ParametersDownload HTML  ↓
// Card 04
TDM PSTN IntegrationDownload HTML  ↓
// Card 05
Unified CM IntegrationDownload HTML  ↓
// Card 06
E911 Emergency CallingDownload HTML  ↓
// Card 07
Registration FlowDownload HTML  ↓

// Sources

Built from Cisco/Webex official documentation: Get started with Local Gateway and Configure Local Gateway on Cisco IOS XE for Webex Calling. These cards are reference material — not a substitute for reading the full documentation.