Out of Office Messages on CME

Announcements can be played from a voice gateway (router) without writing complex gateway scripts or using CUE (Cisco Unity Express).

All you need is a VXML script and an audio file (I would suggest recording it in G.729r8 format; see a future post on how to create these from the router too).

Instructions

Create the VXML script, which should contain something like the following:

<?xml version="1.0" encoding="iso-8859-1"?>
<vxml version="2.0">

<!--
Out Of Office Announcement
File Name : oooa.vxml
Description: Plays back an out of office announcement message

-->

<var name="option"/>
<form id="main">
 <block>
 <prompt><audio src="flash:oooa.au"/></prompt>
 </block>
</form>
</vxml>

Upload this script along with the audio file (which I've called oooa.vxml and oooa.au) to the router flash. Then install the application by entering the following commands:

Router# conf t
Router(config)# application
Router(config-app)# service oooa flash:oooa.vxml
Router(config-app-param)# end
Router# wr mem

The next thing is to associate the service oooa with a dial-peer. This can be an inbound or an outbound dial-peer; my personal preference is inbound, which is the example I'll give. That being said, to test this you need to generate an inbound call into the gateway. One thing that isn't obvious from the documentation is that you can associate the service with both pots and voip dial-peers. The fact that it can be associated with a voip dial-peer is the reason I would record the message in g729r8!

Router# conf t
Router(config)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# service oooa
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# end
Router# wr mem

(The default codec on a voip dial-peer is g729r8, so the codec command is only included for completeness.)
UPDATE: 22/06/2009 – On more recent versions of IOS the default codec for ephones has been iLBC!

Now any call arriving at this router over H.323 for the number 3901 will have the message in oooa.au played to it.

UPDATED:

This application really comes into its own if you call-forward on busy, no answer etc. The problem is that for this type of application the service must sit on the inbound dial-peer, so if the call is already inside the call manager you are stuck. A simple solution is to create a dial-peer pointing at a loopback on the same router: the router places the call to itself, the call arrives back as a new inbound call and the service runs. Set up both a destination-pattern and an incoming called-number with the same number on that dial-peer and your problems are solved.

Router# conf t
Router(config)# interface Loopback 3901
Router(config-if)# ip address 10.10.10.10 255.255.255.255
Router(config-if)# exit
Router(config)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# destination-pattern 3901
Router(config-dial-peer)# session target ipv4:10.10.10.10
Router(config-dial-peer)# service oooa
Router(config-dial-peer)# dtmf-relay h245-alphanumeric
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# no vad
Router(config-dial-peer)# end
Router# wr mem

A couple of gotchas I recently walked into: if you have changed the default H.323 port on this device from TCP 1720 (to TCP 1844 for example) you need to make the session target session target ipv4:10.10.10.10:1844, otherwise it all looks fine but doesn't work.

Creating a Thawte CSR and then installing the SSL Certificate on Cisco IOS

This brief note covers getting an SSL certificate registered with Thawte onto a Cisco router running IOS.

1. Create the Trustpoint

This binds the certificate you are about to request to its CA (Certificate Authority), in this case Thawte. The subject-name is where you specify all the usual fields the certificate needs. Also ensure that the fqdn is defined and is the same as the common name; if you don't, the router's hostname will be used instead. Two things worth knowing before you copy this: revocation-check none stops the router trying to fetch a CRL when it validates certificates under this trustpoint, which is acceptable for a trustpoint that only holds the router's own identity certificate but should not be copied onto a trustpoint used to validate peers; and the enrolment signs with the router's general-purpose RSA keypair (see show crypto key mypubkey rsa) unless you add rsakeypair <name> to the trustpoint to use a dedicated key.

Router# conf t
Router(config)# crypto pki trustpoint thawte.com
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# fqdn hostname.domain.com
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# subject-name CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# end
Router# wr mem

Note the ‘subject-name’ is all on one line – due to the width of this page and spaces it is wrapping.

2. Authenticate the CA with the trustpoint

This means loading Thawte's Premium Server CA certificate into the router.

It took quite a while to locate Thawte's Premium Server CA certificate on their website, so there is nothing to stop you cutting and pasting from this post. Whichever copy you use, compare the MD5/SHA1 fingerprints the router prints against the fingerprints Thawte publishes for this CA before you answer "yes" below; a CA certificate pasted from a web page is only as trustworthy as that check.

If you wish to get your own copy then you can download the complete set from http://www.thawte.com/roots/. Accept their terms (assuming you do), then download and unpack the zip file.

The file you need is: Thawte SSLWEB Server Roots\thawte Premium Server CA\Thawte Premium Server CA.pem

It is really important that you get the right CA certificate onto the router. Unfortunately, if you pick the wrong one the process won't fail until you try to import your new certificate!

Open the file in a text editor so you can cut and paste it at the appropriate time.

Router# conf t
Router(config)# crypto pki authenticate thawte.com
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 069F6979 16669002 1B8C8CA2 C3076F3A
Fingerprint SHA1: 627F8D78 27656399 D27D7F90 44C9FEB3 F33EFA9A
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)# end
Router# wr mem

You can now check this certificate

Router# show crypto pki certificates
CA Certificate
 Status: Available
 Certificate Serial Number: 0x1
 Certificate Usage: General Purpose
 Issuer:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Subject:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Validity Date:
 start date: 01:00:00 BST Aug 1 1996
 end   date: 23:59:59 GMT Dec 31 2020
 Associated Trustpoints: thawte.com
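Before answering "yes" at the fingerprint prompt above, it is worth computing the fingerprints yourself from the PEM file you are about to paste and comparing them with the value the CA publishes, rather than trusting whatever a blog post (this one included) shows. The following is an added example, not part of the original post and not a Cisco or Thawte tool. It uses a constructed stand-in for the PEM file (the bytes are not a real certificate; only the raw DER is hashed, so the steps are the same for the genuine file) and assumes you have the CA's published SHA1 fingerprint to hand, in colon-separated form or in the router's space-separated form. Python 3, standard library only:

```python
import base64
import hashlib
import re

# Constructed stand-in for a CA certificate file such as
# "Thawte Premium Server CA.pem". NOT a real X.509 structure:
# fingerprinting only hashes the raw DER, so the steps are identical.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip all line breaks/spaces and decode strictly so a damaged
    # paste (truncated or corrupted base64) is rejected, not hashed.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def ios_fingerprint(der, algo):
    """Digest formatted the way 'crypto pki authenticate' prints it:
    upper-case hex in groups of eight, e.g. '069F6979 16669002 ...'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize_fingerprint(fp):
    """Reduce any fingerprint spelling (IOS space groups, OpenSSL/vendor
    colon-separated, either case) to bare upper-case hex for comparison."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def check_ca_certificate(pem_text, published_sha1):
    """Compute router-style MD5/SHA1 fingerprints of the pasted PEM and
    decide whether the SHA1 matches the value published by the CA.

    Returns (accept, md5_fp, sha1_fp); 'accept' is the answer to give at
    '% Do you accept this certificate? [yes/no]'."""
    der = pem_to_der(pem_text)
    md5_fp = ios_fingerprint(der, "md5")
    sha1_fp = ios_fingerprint(der, "sha1")
    accept = normalize_fingerprint(sha1_fp) == normalize_fingerprint(published_sha1)
    return accept, md5_fp, sha1_fp


if __name__ == "__main__":
    import sys
    # Usage: python3 check_ca.py "Thawte Premium Server CA.pem" <published SHA1>
    with open(sys.argv[1]) as f:
        accept, md5_fp, sha1_fp = check_ca_certificate(f.read(), sys.argv[2])
    print("Fingerprint MD5:", md5_fp)
    print("Fingerprint SHA1:", sha1_fp)
    print("accept" if accept else "REJECT: SHA1 does not match the published value")
```

Two comparisons fall out of this. If the router's displayed fingerprint differs from what this computes for the same file, the paste was corrupted and you should answer "no". If the computed value differs from the CA's published one, you have the wrong (or a tampered) file. The MD5 line is only printed because IOS prints it; compare on SHA1.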

3. Generate CSR – Begin Certificate enrollment.

This starts the process of getting your own certificate by generating a CSR (Certificate Signing Request). The router signs the request with the trustpoint's RSA keypair, so the private key never leaves the device; only the request goes to Thawte.

Router# conf t
Router(config)# crypto pki enroll thawte.com
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
% The subject name in the certificate will include: hostname.domain.com
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIICDjCCAXcCAQAwgawxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEcMBoGA1UECxMTQWNjb3VudHMgRGVwYXJ0bWVudDEdMBsG
A1UEChMUT3VyIfsjkfjsdkfhksdjfklssdfsdfsdfdsfdsWQxGzAZBgNVBAMTEnNzbHZwbi5wb2Jv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---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)# end
Router# wr mem

Now copy the CSR the router has displayed (everything between the "Certificate Request follows:" line and the "---End" marker) and send it to Thawte. If their form insists on PEM armour, wrap it in -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, or configure enrollment terminal pem in the trustpoint so the router prints them itself.

4. Import Certificate

Once you have received your certificate back from Thawte you need to import it into the router.

Router# conf t
Router(config)# crypto pki import thawte.com certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
Router(config)# end
Router# wr mem

And you should now find your certificate registered on the router. It is not used until a service is pointed at the trustpoint, for example ip http secure-trustpoint thawte.com for the HTTPS server, or ssl trustpoint thawte.com under the SSL VPN gateway.

RENEWALS:

Unless Thawte's CA certificate has expired or changed (it presently expires in 2020) you only need to go through enrolment again. Your existing certificate stays in place and is only replaced when you import the new one, so there is no outage while you wait for Thawte. If the CA has moved to a new root or intermediate in the meantime, re-authenticate the trustpoint (step 2) with the new CA certificate before importing, otherwise the import will fail in the way described above.

So to renew a certificate, go back to step 3 and run the enrolment.

Update: please note that in IOS Cisco are in the process of changing the command 'crypto ca' to 'crypto pki'; these are presently interchangeable. The commands in this note are in the new style but you could just as easily have typed 'crypto ca trustpoint thawte.com', for example. The running config, however, shows the new format.

Ubuntu Changing Network Device ID udev/rules.d

I do quite a bit of work with virtual machines on an ESX platform. One of the advantages of such a platform is the ability to create a template server, then duplicate copies as and when you need one. With most operating systems it's just a question of changing the IP and hostname and you are in business.

In the case of Ubuntu Linux a udev rule is created for each network interface and bound to the MAC address of the card. That makes loads of sense in the "Real World", but when you clone a VM a new MAC address is generated, so the old rule still claims eth0 and the new card gets the next free name. This can be a little frustrating: the first machine has eth0, the second eth1, the third eth2 and so on.

The udev database that stores these bindings is the file:

/etc/udev/rules.d/70-persistent-net.rules

An example of one of mine, from a third install:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f4:13", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f3:19", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

In this case, whilst I would prefer the device to be known as eth0, it is in fact known as eth2. The first two rules refer to MAC addresses that no longer exist on this clone. If the file is amended to the following (only the live MAC, with its NAME= changed) and a reboot done, all is sorted:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Don't forget to amend the network configuration to reflect the change of device ID. In the case of Ubuntu this is /etc/network/interfaces, and any firewall rules or services bound to eth2 by name need the same treatment. Better still, delete 70-persistent-net.rules on the template before you clone it; udev regenerates it on first boot and the single card it finds becomes eth0.
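Doing the edit above by hand is fine for one clone, but it is easy to keep the wrong MAC when there are several stale rules. The following is an added example, not part of the original post and not an Ubuntu or udev tool: it rewrites the rules file keeping only the rule for the MAC that is actually present on the running clone (read from sysfs), renames it to eth0 and drops the stale rules. The sample rules are constructed from the file shown in the post; the live-interface name passed on the command line is an assumption. Python 3, standard library only:

```python
import re
import sys

# Constructed from the 70-persistent-net.rules shown in the post: three
# rules accumulated by cloning a template VM, of which only the last MAC
# still exists on this clone.
SAMPLE_RULES = """\
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f4:13", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f3:19", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"
"""

MAC_RE = re.compile(r'ATTR\{address\}=="([0-9A-Fa-f:]{17})"')
NAME_RE = re.compile(r'NAME="[^"]*"')
RULES_FILE = "/etc/udev/rules.d/70-persistent-net.rules"


def live_mac(ifname):
    """MAC of an interface present on the running system, from sysfs."""
    with open("/sys/class/net/%s/address" % ifname) as f:
        return f.read().strip().lower()


def rewrite_persistent_net(text, keep_mac, new_name="eth0"):
    """Keep only the rule bound to keep_mac, renamed to new_name; drop the
    stale rules whose MACs belonged to earlier clones of the template."""
    keep_mac = keep_mac.lower()
    banner = []            # generator header block, kept verbatim
    in_banner = True
    device_comment = None  # "# PCI device ..." line describing the next rule
    kept = None
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if match is None:
            if line.startswith(("# PCI device", "# USB device")):
                in_banner = False
                device_comment = line
            elif in_banner:
                banner.append(line)
            # bare '#' separators and blank lines between rules are dropped
            continue
        in_banner = False
        if match.group(1).lower() == keep_mac:
            if kept is not None:
                raise ValueError("MAC %s appears in more than one rule" % keep_mac)
            # change only the NAME= value, as the file's own header asks
            kept = (device_comment, NAME_RE.sub('NAME="%s"' % new_name, line, count=1))
        device_comment = None
    if kept is None:
        raise LookupError("no rule binds MAC %s" % keep_mac)
    out = list(banner)
    if kept[0] is not None:
        out.append(kept[0])
    out.append(kept[1])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: sudo python3 fix_net_rules.py eth2   (then fix /etc/network/interfaces and reboot)
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    with open(RULES_FILE) as f:
        original = f.read()
    new_text = rewrite_persistent_net(original, live_mac(ifname))
    with open(RULES_FILE + ".bak", "w") as f:   # keep a copy of the old rules
        f.write(original)
    with open(RULES_FILE, "w") as f:
        f.write(new_text)
```

Run it with the name the clone currently gives the card (eth2 in the post's case); it refuses to write anything if that card's MAC has no rule, so it cannot leave you with an empty rules file.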

Ubuntu 9.04 installation on ESX

Firstly grab a copy of the 64-bit Ubuntu Server ISO from the Ubuntu website and store it somewhere you can get to from your ESX box. Over the years I have taken the approach of storing server VMDKs on the ESX host's local hard disk and pushing installation media onto a NAS.

(Note: earlier this year we went gigabit ethernet on the NAS LAN, so plans are there to potentially store VMs on a NAS too.)

Install the virtual machine as you would do normally. I selected 64-bit Ubuntu; I'm finding that telling ESX the O/S is a 64-bit version, regardless of whether you actually install the 64-bit version or not, seems to make the virtual machine more stable.

Edit the VM and set the boot media to be the Ubuntu ISO you downloaded earlier, and mark it as connected and connected at power on.

Run the installation as you would do on normal hardware.

Now it's time to install VMware Tools.

From the VMware menu select Install/Upgrade VMware Tools.

Mount the media and extract the installation files into /tmp:

sudo mount /media/cdrom
cd /tmp
tar zxf /media/cdrom/VMwareTools*.tar.gz

As part of the installation some compiling needs to be done, so we'll need to put the compiler and the kernel headers on unless they're already there:

sudo apt-get install build-essential linux-headers-`uname -r`

The config.h file, whilst needed by the installer, is not created by default, so an empty one is created so the build will complete:

sudo touch /usr/src/linux-headers-`uname -r`/include/linux/config.h

(Thanks https://help.ubuntu.com/community/VMware for the tip on this).

cd vmware-tools-distrib
sudo ./vmware-install.pl

Follow the prompts for the installation; shared folders fails to build but in the ESX environment they're not essential.

Reboot the box and you are in business.

Using sftp on a non-standard port

Just a quick note about sftp.

It makes good security sense to move the ssh port on servers that are Internet accessible. It does nothing against a targeted attacker, who will find the service with a port scan, but it cuts out most of the automated brute-force noise in the logs; the real protection is key-based authentication with password logins disabled. Using ssh with a non-standard port is quite straightforward as there is a -p parameter for it, e.g.:

ssh -p 3432 mick@mickvaites.com

Unfortunately the same is not true for sftp (secure file transfer), where -p already means "preserve permissions and times". To achieve the same result with sftp we need to pass the option "Port 3432", e.g.:

sftp -o "Port 3432" mick@mickvaites.com

Newer OpenSSH releases also accept a capital -P for the port (sftp -P 3432 mick@mickvaites.com), and putting a Port 3432 line in a Host entry in ~/.ssh/config makes both ssh and sftp pick it up without any flag.

Once connected, log in as you would normally.

Cisco V3PN & QoS on ADSL UK for VoIP

SoHo workers now share their lines with the other PCs in the house. The following is a config snippet from my router to provide some protection for my VoIP and business traffic.

!
! policy and classes to mark local incoming traffic
!
! whilst QoS pre-classify should be used I have found it
! unreliable on certain IOS releases.  Also this allows us
! to be more specific about how we want to handle our traffic.
!
class-map match-all BIZAPPS1_VLAN1
 match access-group name BIZAPPS1    ! an acl to match biz apps
!
class-map match-all BIZAPPS2_VLAN1
 match access-group name BIZAPPS2    ! an acl to match biz apps
!
class-map match-all SCAVENGER_VLAN1
 match access-group name SCAVENGER   ! low priority stuff
!
policy-map VLAN1
 class BIZAPPS1_VLAN1
  set dscp af21                      ! low drop probability
 class BIZAPPS2_VLAN1
  set dscp af22                      ! med drop probability
 class SCAVENGER_VLAN1
  set dscp cs1
!
! Policy and classes for the outbound connection
!
class-map match-all BIZAPPS
 match  dscp cs2  af21  af22  af23   ! all business apps
class-map match-any VOICE_SIG
 match  dscp cs3                     ! new dscp values signalling
 match  dscp af31                    ! old dscp value signalling
class-map match-all SCAVENGER
 match  dscp cs1                     ! unwanted traffic
class-map match-any IPCONTROL
 match  dscp cs6                     ! routing protocols etc
class-map match-all VOICE_RTP
 match  dscp ef                      ! voice packets
!
! Based on using no more than 30% of the uplink for voice, this policy
! is enough for two voice calls (52k). DSL has a fixed uplink speed
! so I have used percentages to make carving it up easier. On a link
! whose speed is likely to change it might be easier to use absolute
! 'bandwidth' statements to simplify the calculations.
!
! NB: You cannot mix absolute and percentage statements in the same
! policy-map so decide up front which you are going to use.
!
policy-map V3PNWAN
 class VOICE_RTP
  priority 52 5348            ! 52k for 2 voice calls
 class VOICE_SIG
  bandwidth percent 5         ! 5% for call control traffic
 class IPCONTROL
  bandwidth percent 5         ! 5% for routing protocols etc
 class BIZAPPS
  bandwidth percent 30        ! 30% for business apps
 class SCAVENGER
  bandwidth percent 1         ! limit scavenger to 1%
 class class-default
  fair-queue
!
! The device snippets are just enough to show how the
! policies are applied and any other relevant settings.
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 bandwidth 384                   ! your upstream speed
 pvc 0/38
 vbr-nrt 384 384                 ! your upstream speed
 tx-ring-limit 3                 ! tx-ring set to 3
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
 service-policy out V3PNWAN      ! associate to phys interface
!
interface Dialer0
 ip tcp adjust-mss 542           ! make tcp packets much smaller
!
interface Tunnel0
 qos pre-classify                ! allow acls based on pre-encrypted data

Good luck

Mick

Enable Caller-id globally on Cisco Unity Express (CUE)

By default Cisco Unity Express only announces the calling number in your messages for internal calls; external callers are left unidentified.

It's quite simple to change this so that all calls (where a number is available) have their numbers announced. Session into the CUE module from the router and enable it:

Router# service-module service-engine 1/0 session
Trying 192.168.n.2, 2066 ... Open
se-192-168-n-2#
se-192-168-n-2# conf t
se-192-168-n-2(config)# voicemail callerid
se-192-168-n-2(config)# end
se-192-168-n-2# wr mem
se-192-168-n-2# exit

Session closed

[Connection to 192.168.n.2 closed by foreign host]
Router#

Simple really.

Sam Knows – LLU Information for the UK

This is more of a memory jogger for me, as I've been using this excellent site for years. So for my benefit as well as anyone else who needs it, the URL is:

http://www.samknows.com

This is an excellent site originally set up by campaigners to find the latest information on broadband pre-registrations. Since then things have changed dramatically in the UK, and the site now contains excellent information on what services are available via your own local telephone exchange.

This site will now be added to my links … !