Cisco Multiple SSID assigned to VLAN

Armed with a Cisco 877W or an Aironet AP it would be good to have multiple SSIDs assigned to their own VLANs, each with its own WPA password.

The only restriction is that only one SSID can broadcast its name (guest-mode). In my application I have a “public” SSID with limited access and then additional ones which connect to other devices.

Define your SSIDs along with their VLANs etc.

dot11 ssid PUBLIC
  vlan 1
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii PUBLICPASSWORD

dot11 ssid PRIVATE1
  vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD1

dot11 ssid PRIVATE2
  vlan 3
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD2

Next set up your radio interface.

interface Dot11Radio0
  no ip address
  no ip route-cache

  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  encryption vlan 3 mode ciphers tkip

  ssid PUBLIC
  ssid PRIVATE1
  ssid PRIVATE2

  speed default                ! you may wish to leave this at defaults
  channel least-congested      ! you may wish to hard code this
  station-role root
  rts threshold 2312

Now configure “integrated routing and bridging” which allows the L3 interfaces to be integrated with multiple bridged interfaces.

bridge irb

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip

Now create the layer 2 radio subinterfaces and join each one to its bridge group. Only one subinterface per physical interface can carry the native VLAN.

interface Dot11Radio0.1
  no ip address
  encapsulation dot1q 1 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled

interface Dot11Radio0.2
  no ip address
  encapsulation dot1q 2
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled

interface Dot11Radio0.3
  no ip address
  encapsulation dot1q 3
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  bridge-group 3 spanning-disabled

Now if you have an 877W and the VLANs exist then you just need to put the VLAN interfaces into the bridge groups.

interface Vlan1
  no ip address
  bridge-group 1

interface Vlan2
  no ip address
  bridge-group 2

interface Vlan3
  no ip address
  bridge-group 3

(or if you have physical interfaces)

interface FastEthernet0/0.1
  encapsulation dot1q 1 native
  no ip address
  bridge-group 1

interface FastEthernet0/0.2
  encapsulation dot1q 2
  no ip address
  bridge-group 2

interface FastEthernet0/0.3
  encapsulation dot1q 3
  no ip address
  bridge-group 3

Now create the Layer 3 interfaces associated with the bridge groups.

interface BVI1
  ip address 10.10.1.1 255.255.255.0

interface BVI2
  ip address 10.10.2.1 255.255.255.0

interface BVI3
  ip address 10.10.3.1 255.255.255.0

There is other config on this device that is not specific to multiple SSIDs and is outside the scope of this note, including for example creating the VLANs in the first place and configuring the connected devices.

Good luck

Mick

Out of Office Messages on CME

Announcements can be sent from a voice gateway (router) without the need to write complex gateway scripts or the use of CUE (Cisco Unity Express).

All you need is a VXML script and an audio file (I would suggest recording it in G729r8 format; see a future post on how to create these from the router too).

Instructions

Create the vxml script which should contain something like the following:

<?xml version="1.0" encoding="iso-8859-1"?>
<vxml version="2.0">

<!--
Out Of Office Announcement
File Name : oooa.vxml
Description: Plays back an out of office announcement message

-->

<var name="option"/>
<form id="main">
 <block>
 <prompt><audio src="flash:oooa.au"/></prompt>
 </block>
</form>
</vxml>

Upload this script along with the audio file (which I’ve called oooa.vxml and oooa.au) to the router flash. Then install the application by entering the following commands:

Router# conf t
Router(config)# application
Router(config-app)# service oooa flash:oooa.vxml
Router(config-app-param)# end
Router# wr mem

The next thing is to associate the service oooa with a dial-peer. This can be an inbound or an outbound dial-peer; my personal preference is inbound, which is the example I’ll give. That being said, to test this you need to generate an inbound call into the gateway. One thing that isn’t obvious from the documentation is that you can associate this with both pots and voip dial-peers. The fact that it can be associated with voip is the reason I would record the message using g729r8!

Router# conf t
Router(config)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# service oooa
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# end
Router# wr mem

(The default codec is g729r8 so the codec command is only included for completeness.)
UPDATE: 22/06/2009 – On more recent versions of IOS the default codec for ephones has been iLBC!

Now any call that arrives at this router via H323 for the number 3901 will have the message in oooa.au played to it.

UPDATED:

This application really comes into its own if you call forward on busy, no answer etc. However the problem is that for this type of application it must exist on the inbound dial-peer, so if you are already in the call manager you are stuck. A simple solution to this is to create a dial-peer pointing at a loopback on the same router. Then set up both a destination-pattern and an incoming called-number with the same number and your problems are solved.

Router# conf t
Router(config)# interface Loopback 3901
Router(config-if)# ip address 10.10.10.10 255.255.255.255
Router(config-if)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# destination-pattern 3901
Router(config-dial-peer)# session target ipv4:10.10.10.10
Router(config-dial-peer)# dtmf-relay h245-alphanumeric
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# no vad
Router(config-dial-peer)# end
Router# wr mem

A couple of gotchas I recently walked into: if you have changed the default H323 port on this device from TCP 1720 (to TCP 1844 for example) you need to ensure that the session target includes the port, i.e. ‘session target ipv4:10.10.10.10:1844’, otherwise it all looks fine but doesn’t work.

Creating a Thawte CSR and then installing the SSL Certificate on Cisco IOS

This brief note covers getting an SSL certificate registered with Thawte onto a Cisco router running IOS.

1. Create the Trustpoint

This binds the SSL cert to the CA (Certificate Authority), which in this case is Thawte. The subject is where you specify all the usual bits you need in the cert. Also ensure that the fqdn is defined and is the same as the common name; if you don’t, the name of the router will be used instead.

Router# conf t
Router(config)# crypto pki trustpoint thawte.com
Router(ca-trustpoint)# enroll terminal
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# fqdn hostname.domain.com
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# subject-name CN=hostname.domain.com,O=Organisation, OU=Department,L=Location,ST=State,C=Country
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# end
Router# wr mem

Note the ‘subject-name’ is all on one line – due to the width of this page and spaces it is wrapping.

2. Authenticate the CA with the trustpoint

This means loading Thawte’s Premium signing certificate into the router.

It took quite a while to locate Thawte’s Premium Signing Certificate on their website, so there is nothing to stop you cut’n’pasting from this post.

If you wish to get your own copy then you can download the complete set from http://www.thawte.com/roots/. Accept their terms (assuming you do) then download and unpack the zip file.

The file you need is: Thawte SSLWEB Server Roots\thawte Premium Server CA\Thawte Premium Server CA.pem

It is really important you get the right CA certificate file onto your router. Unfortunately, if you get the wrong one the process won’t fail until you try to import your new certificate!

Open the file in a text editor and you can then cut and paste at the appropriate time.

Router# conf t
Router(config)# crypto pki authenticate thawte.com
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 069F6979 16669002 1B8C8CA2 C3076F3A
Fingerprint SHA1: 627F8D78 27656399 D27D7F90 44C9FEB3 F33EFA9A
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)# end
Router# wr mem

You can now check this certificate

Router# show crypto pki certificates
CA Certificate
 Status: Available
 Certificate Serial Number: 0x1
 Certificate Usage: General Purpose
 Issuer:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Subject:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Validity Date:
 start date: 01:00:00 BST Aug 1 1996
 end   date: 23:59:59 GMT Dec 31 2020
 Associated Trustpoints: thawte.com
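Two things are worth checking about the CA certificate before relying on it: that the fingerprint the router printed at ‘crypto pki authenticate’ time matches the value the CA publishes, and how long the CA certificate (a self-signed root here) has left before the 2020 expiry mentioned in the renewals section. The following parser for the ‘show crypto pki certificates’ output is an added example, not code from the note; its sample input is the output shown above, and the time zone on the dates is ignored.

```python
"""Parse 'show crypto pki certificates' output (format shown above) to flag CA
certificates that are self-signed, expiring or expired, and to compare the router's
fingerprint line with a CA's published value. Added example, not code from the note."""
import re
from datetime import datetime

# Sample input: the note's own 'show crypto pki certificates' output, trimmed.
SHOW_OUTPUT = """\
CA Certificate
 Status: Available
 Certificate Serial Number: 0x1
 Certificate Usage: General Purpose
 Issuer:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 Subject:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 Validity Date:
 start date: 01:00:00 BST Aug 1 1996
 end   date: 23:59:59 GMT Dec 31 2020
 Associated Trustpoints: thawte.com
"""

DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d+)\s+(\d{4})")

def parse_certificates(text):
    """Return one dict per certificate block; blocks start with an unindented line."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        if not line.startswith(" "):
            cur = {"kind": line.strip(), "issuer": {}, "subject": {}, "trustpoints": []}
            certs.append(cur)
            continue
        line = line.strip()
        if line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
        elif (m := DATE_RE.match(line)):
            # Time zone (BST/GMT) is ignored; a day of slack is well inside the warning window.
            cur[m.group(1)] = datetime.strptime(" ".join(m.group(3, 4, 5, 2)), "%b %d %Y %H:%M:%S")
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif "=" in line and section:
            key, value = line.split("=", 1)
            cur[section][key] = value
    return certs

def check_certificate(cert, today, warn_days=90):
    """Return (days_left, findings) for one parsed certificate as of 'today'."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed root: verify its fingerprint out of band")
    days_left = (cert["end"] - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    return days_left, findings

def fingerprint_matches(router_line, published):
    """Compare the hex in the router's 'Fingerprint SHA1: ...' line with a published
    value written with colons or spaces, in either case."""
    router_hex = router_line.split(":", 1)[1]          # drop the 'Fingerprint SHA1' label
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(router_hex) == norm(published)

if __name__ == "__main__":
    for cert in parse_certificates(SHOW_OUTPUT):
        print(cert["trustpoints"], check_certificate(cert, datetime(2019, 12, 1)))
```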

3. Generate CSR – Begin Certificate enrollment.

This starts the process of getting your own certificate by generating a CSR or Certificate Request.

Router# conf t
Router(config)# crypto pki enroll thawte.com
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
% The subject name in the certificate will include: hostname.domain.com
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
...
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)# end
Router# wr mem

Now cut out the CSR the router has generated and send it to Thawte.

4. Import Certificate

Once you have received your certificate back from Thawte you need to import it into the router.

Router# conf t
Router(config)# crypto pki import thawte.com certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
 Fingerprint MD5: 069F6979 16669002 1B8C8CA2 C3076F3A
 Fingerprint SHA1: 627F8D78 27656399 D27D7F90 44C9FEB3 F33EFA9A

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)# end
Router# wr mem

And you should find you have your certificate registered on your router for use as required by a secure website or SSL VPN.

RENEWALS:

Unless Thawte’s CA certificate has expired or changed – it presently expires in 2020 – you only need to go through enrolment. Also your certificate will only be affected when you import the replacement.

So to renew a certificate go back to step 3 and run enrolment.

Update: Please note that in IOS Cisco are in the process of changing the command ‘crypto ca’ to ‘crypto pki’; these are presently interchangeable. The commands in this note are in the new style but you could just as easily have typed ‘crypto ca trustpoint thawte.com’, for example. The config however seems to show the new format.

Cisco V3PN & QoS on ADSL Uk for VoIP

SoHo workers now share their lines with other PCs in the house. The following is a config snippet from my router to provide some protection for my VoIP and business traffic.

!
! policy and classes to mark local incoming traffic
!
! whilst QoS pre-classify should be used I have found it
! unreliable on certain IOS releases.  Also this allows us
! to be more specific about how we want to handle our traffic.
!
class-map match-all BIZAPPS1_VLAN1
 match access-group name BIZAPPS1    ! an acl to match biz apps
!
class-map match-all BIZAPPS2_VLAN1
 match access-group name BIZAPPS2    ! an acl to match biz apps
!
class-map match-all SCAVENGER_VLAN1
 match access-group name SCAVENGER   ! low priority stuff
!
policy-map VLAN1
 class BIZAPPS1_VLAN1
  set dscp af21                      ! low drop probability
 class BIZAPPS2_VLAN1
  set dscp af22                      ! med drop probability
 class SCAVENGER_VLAN1
  set dscp cs1
!
! Policy and classes for the outbound connection
!
class-map match-all BIZAPPS
 match  dscp cs2  af21  af22  af23   ! all business apps
class-map match-any VOICE_SIG
 match  dscp cs3                     ! new dscp values signalling
 match  dscp af31                    ! old dscp value signalling
class-map match-all SCAVENGER
 match  dscp cs1                     ! unwanted traffic
class-map match-any IPCONTROL
 match  dscp cs6                     ! routing protocols etc
class-map match-all VOICE_RTP
 match  dscp ef                      ! voice packets
!
! Based on using no more than 30% for voice traffic this policy
! is enough for two voice calls (52k). DSL has a fixed uplink speed
! so I have used percentages to make carving up easier. Where a pipe
! which is likely to have speed changes it might be easier to use
! absolute 'bandwidth' statements to simplify calculations.
!
! NB: You cannot mix absolute and percentages in the same
! policy-map so decide up front what you are going to use.
!
policy-map V3PNWAN
 class VOICE_RTP
  priority 52 5348            ! 52k for 2 voice calls
 class VOICE_SIG
  bandwidth percent 5         ! 5% for call control traffic
 class IPCONTROL
  bandwidth percent 5         ! 5% for routing protocols etc
 class BIZAPPS
  bandwidth percent 30        ! 30% for business apps
 class SCAVENGER
  bandwidth percent 1         ! limit scavenger to 1%
 class class-default
  fair-queue
!
! The device snippets are just enough info to show how the
! policies are applied and any other relevant settings.
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 bandwidth 384                   ! your upstream speed
 pvc 0/38
 vbr-nrt 384 384                 ! your upstream speed
 tx-ring-limit 3                 ! tx-ring set to 3
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
 service-policy out V3PNWAN      ! associate to phys interface
!
interface Dialer0
 ip tcp adjust-mss 542           ! make tcp packets much smaller
!
interface Tunnel0
 qos pre-classify                ! allow acls based on pre-encrypted data

Good luck

Mick

Enable Caller-id globally on Cisco Unity Express (CUE)

By default Cisco Unity Express only reports the called number in your message for internal calls.

It’s quite simple to change this so that all calls (where a number is available) have their numbers reported.

Router# service-module service-engine 1/0 session
Trying 192.168.n.2, 2066 ... Open
se-192-168-n-2#
se-192-168-n-2# conf t
se-192-168-n-2(config)# voicemail callerid
se-192-168-n-2(config)# end
se-192-168-n-2# wr mem
se-192-168-n-2# exit

Session closed

[Connection to 192.168.n.2 closed by foreign host]
Router#

Simple really.

Installing two site CME and a single CUE

We have two CME’s and a single shared CUE.

Dialplan

CME1:

3002 – Phone 1
3003 – Phone 2
3200 – AA Script (outside scope)
3600 – Voicemail
3998 – MWI off
3999 – MWI on

CME2:

3004 – Phone 1
3005 – Phone 2
3998 – MWI off
3999 – MWI on

on CME1 (Central)

voice service voip
allow-connections sip to h323
allow-connections h323 to sip
allow-connections h323 to h323

interface FastEthernet 0/0
ip address 192.168.n.1 255.255.255.0
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.n.1

interface service-engine 1/0
ip unnumbered FastEthernet0/0
service-module ip address 192.168.n.2 255.255.255.0
service-module ip default-gateway 192.168.n.1

ip route 192.168.n.2 255.255.255.255 Service-Engine 1/0

dial-peer voice 3600 voip
destination-pattern 3[126]00
session protocol sipv2
session target ipv4:192.168.n.2
incoming called-number 399[89]....
codec g711ulaw
no vad

dial-peer voice 3004 voip
destination-pattern 300[45]
voice-class h323 1
session target ipv4:cme2_ipaddress
dtmf-relay h245-alphanumeric
ip qos dscp cs3 signaling
no vad

dial-peer voice 3998 voip
destination-pattern 399[89]300[45]
session target ipv4:cme2_ipaddress

telephony-service
voicemail 3600

ephone-dn 1 dual-line
number 3002

ephone-dn 2 dual-line
number 3003

ephone-dn 3
number 3998....
mwi off

ephone-dn 4
number 3999....
mwi on

on CME2 (remote)

dial-peer voice 3002 voip
destination-pattern 300[23]
voice-class h323 1
session target ipv4:cme1_ipaddress
dtmf-relay h245-alphanumeric
ip qos dscp cs3 signaling
no vad

dial-peer voice 3998 voip
incoming called-number 399[89]....

telephony-service
voicemail 3600
mwi relay

ephone-dn 1
number 3004

ephone-dn 2
number 3005

ephone-dn 3
number 3998....
mwi off

ephone-dn 4
number 3999....
mwi on

Notes:

1. The scope of this post only includes enough info to show CUE integration.

2. It is essential to control the codecs used for inbound and outbound calls. For this reason both the “destination-pattern” and the “incoming called-number” are defined on dial-peer 3600 on CME1. This ensures that calls coming from and going to CUE use codec g711ulaw.

3. For MWI to be passed between CME1 and CME2 you need to ensure that:

a) “allow-connections sip to h323” is configured inside “voice service voip” on CME1
b) “mwi relay” is configured in “telephony-service” on CME2

CUE Restore Factory Defaults

To restore factory defaults on Cisco Unity Express, first take the module offline by typing “offline”, then when confirmed issue the “restore factory default” command.

An example follows :

Router# service-module service-engine 1/0 session
Trying 192.168.n.3, 2006 ... Open
se-192-168-n-3# offline
!!!WARNING!!!: If you are going offline to do a backup, it is recommended
that you save the current running configuration using the 'write' command,
prior to going to the offline state.

Putting the system offline will terminate all end user sessions.

Are you sure you want to go offline[n]? : y
se-192-168-n-3(offline)# restore factory default
!!!WARNING!!!: This operation will cause all configuration and data
on the system to be erased. This operation is not reversible.

Do you wish to continue[n]? : y
Restoring the system. Please wait .....done
System will be restored to factory default when it reloads.

Press any key to reload:

System reloading ....

se-192-168-n-3(offline)#
MONITOR SHUTDOWN...
INIT: Sending processes the TERRestarting system.

-- SNIP --

INIT: Entering runlevel: 2
********** rc.post_install ****************

IMPORTANT::
IMPORTANT::    Welcome to Cisco Systems Service Engine
IMPORTANT::     post installation configuration tool.
IMPORTANT::
IMPORTANT:: This is a one time process which will guide
IMPORTANT:: you through initial setup of your Service Engine.
IMPORTANT:: Once run, this process will have configured
IMPORTANT:: the system for your location.
IMPORTANT::
IMPORTANT:: If you do not wish to continue, the system will be halted
IMPORTANT:: so it can be safely removed from the router.
IMPORTANT::

Do you wish to start configuration now (y,n)?

Once this has completed you proceed to setup the hostname, whether to use dns and ntp settings. After this configuration the booting process can take quite some time !

Cisco ISDN2e VIC2-2BRI-NT/TE configuration issues.

Here follows the ISDN2e specific config for a gateway connected in the UK with DDI. An assumption is made that the DDI range is 03333 567890 – 03333 567899 and that the internal extensions are 3000 – 3009. In addition to this, calls to the PSTN will be presented with the full DDI of the calling extension.

Two very important things to be aware of when connecting ISDN2e in the UK:

1. BT by default only present the last 6 digits on inbound DDI.

2. The default companding type is u-law so you need to set it to a-law manually.

Translation-rule 1 is used to convert from the inbound DDI presentation to the internal extension number.

Translation-rule 2 is used to re-write the calling number to add a leading 9 (and the missing 0). So that a user can return the call directly from a list without editing the number.

Translation-rule 3 is used to map back from the extension to the full external DDI number.

Dial-peer 10 is used to control incoming calls (we don’t like defaults dialpeer zero).

I Have split up the outbound dial-peers so that COR (class of restriction) can be applied if we wish to.

isdn switch-type basic-net3

voice service pots
 supported-language UK

voice translation-rule 1
 rule 1 /^56789(.)$/ /300\1/

voice translation-rule 2
 rule 1 /^0/ /900/
 rule 2 /^1/ /901/
 rule 3 /^2/ /902/
 rule 4 /^3/ /903/
 rule 5 /^4/ /904/
 rule 6 /^5/ /905/
 rule 7 /^6/ /906/
 rule 8 /^7/ /907/
 rule 9 /^8/ /908/
 rule 10 /^9/ /909/

voice translation-rule 3
 rule 1 /300(.)$/ /0333356789\1/

voice translation-profile FROM_PSTN
 translate calling 2
 translate called 1

voice translation-profile TO_PSTN
 translate calling 3

interface BRI0/2/0
 description ** ISDN - DDI RANGE 03333 567890 - 9 **
 no ip address
 isdn switch-type basic-net3
 isdn point-to-point-setup
 isdn incoming-voice voice
 isdn static-tei 0

voice-port 0/2/0
 compand-type a-law
 cptone GB

dial-peer voice 10 pots
 description *** For inbound calls from PSTN ***
 translation-profile incoming FROM_PSTN
 preference 1
 incoming called-number .
 direct-inward-dial
 port 0/2/0
 forward-digits all
!
dial-peer voice 9 pots
 description *** Local Calls ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 9[1-9]T
 port 0/2/0
!
dial-peer voice 9011 pots
 description *** National Calls ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 90[1-6]T
 port 0/2/0
 prefix 0
!
dial-peer voice 907 pots
 description *** Calls to Mobiles ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 907T
 port 0/2/0
 prefix 07
!
dial-peer voice 908 pots
 description *** Calls to Non-Geographic Numbers ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 908T
 port 0/2/0
 prefix 08
!
dial-peer voice 909 pots
 description *** Premium Rate Calls ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 909T
 port 0/2/0
 prefix 09
!
dial-peer voice 900 pots
 description *** International Calls ***
 translation-profile outgoing TO_PSTN
 preference 1
 destination-pattern 900T
 port 0/2/0
 prefix 00
!
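The three translation rules above are easy to get wrong (the back-reference, the anchor, and which rule a calling number falls through to), and the only test on the box is a live call. The following simulator is an added example, not code from the note: it models how IOS applies a translation-rule set (rules tried in order, first match rewrites the number sed-style, no further rules tried) and runs the note's FROM_PSTN and TO_PSTN profiles over constructed sample numbers, including a withheld calling number.

```python
"""Simulate the IOS voice translation-rules and profiles from the ISDN2e note so the
number rewriting can be checked off-box. Added example, not code from the note."""
import re

# voice translation-rule N: ordered (match, replace) pairs, sed-style with \1 backrefs.
TRANSLATION_RULES = {
    1: [(r"^56789(.)$", r"300\1")],                   # inbound DDI -> extension
    2: [(rf"^{d}", rf"90{d}") for d in range(10)],    # calling: prefix 9 and the missing 0
    3: [(r"300(.)$", r"0333356789\1")],               # extension -> full outbound DDI
}

# voice translation-profile NAME: which rule set rewrites the calling / called number.
TRANSLATION_PROFILES = {
    "FROM_PSTN": {"calling": 2, "called": 1},
    "TO_PSTN": {"calling": 3},
}

def translate(rule_set, number):
    """Apply one translation-rule set the way IOS does: rules are tried in order, the
    first whose regex matches rewrites the number, and no further rules are tried.
    A number that matches nothing passes through unchanged, which is also what
    happens to a withheld calling number (it arrives as an empty string)."""
    for pattern, replacement in TRANSLATION_RULES[rule_set]:
        if re.search(pattern, number):
            return re.sub(pattern, replacement, number, count=1)
    return number

def apply_profile(profile, calling, called):
    """Run a translation-profile over one call leg; returns (calling, called)."""
    sel = TRANSLATION_PROFILES[profile]
    return (translate(sel["calling"], calling) if "calling" in sel else calling,
            translate(sel["called"], called) if "called" in sel else called)

if __name__ == "__main__":
    # Constructed inbound call: a London number (BT strips the leading 0) dials DDI ...567893.
    print(apply_profile("FROM_PSTN", "2071234567", "567893"))   # ('902071234567', '3003')
    # Constructed outbound call: extension 3003 dials out, calling number becomes the full DDI.
    print(apply_profile("TO_PSTN", "3003", "901234567890"))      # ('03333567893', '901234567890')
    # Withheld calling number: nothing matches, the empty string passes straight through.
    print(apply_profile("FROM_PSTN", "", "567890"))              # ('', '3000')
```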

A combination of either CME or Call Manager/SRST configuration needs to be added to make more use of this configuration.

Skinny CCIE IP Nat Problem [not]resolved

As mentioned in my profile I am studying for my CCIE Voice Lab exam. Well I have been plagued by a problem with phones not registering when using Rented Lab Kit and physical IP phones in my home POD.

My POD is connected to the Rented Lab Equipment over an encrypted link that is also NAT’d.


One of the guys from Cisco who was also studying for the exam recommended sticking to IOS 12.4 mainline, as the issue shouldn’t exist within that IOS train. Unfortunately I use a Cisco 1801 router for my connection to the Internet and there is no IOS 12.4 mainline available for it. After some experimentation I discovered that some of the special releases solved this problem but also created others, which basically meant keeping 4 different versions of IOS on the router’s flash and switching between them depending on what I am doing.

I have just run Wireshark on a PC attached to the back of one of the phones that wasn’t registering and pulled a capture. What appears to be happening is that:

1. The phone issues a SKINNY SoftKeyTemplateReqMessage.
2. There then follows three TCP retransmissions of SoftKeyTemplateReqMessage
3. A Skinny KeepAliveMessage
4. Two more TCP Retransmissions of SoftKeyTemplateReqMessage
5. The connection is reset.

It’s like these TCP packets are not getting through to the server, which is very reminiscent of an MTU/fragmentation problem.

I’ve done some more digging in the Cisco advisories and stumbled across the following :

http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0148e.shtml

This advisory indicates that NAT SKINNY fragmentation support was introduced in IOS Version 12.4(6)T. It advises that there is a vulnerability in relation to memory allocation, which can manifest as a DoS exploitation.

I am wondering whether the issue advised was related to the issue I have, considering I have also introduced crypto into the mix. The workaround is to disable Skinny NAT ALG support on port 2000.

Router(config)# no ip nat service skinny tcp port 2000

I’ve got some additional digging to do, but on the face of it, once this is done smart inspection of the SKINNY packet isn’t performed by the router, so it’s necessary to also open UDP ports for the voice calls to proceed.

So you can have the phones registering correctly – but no audio path.

I have subsequently gone back to IOS version 12.4-15.XY5.

Router#show hardw
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(15)XY5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 18-Dec-08 18:44 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

Router uptime is 10 hours, 45 minutes
System returned to ROM by reload at 04:02:37 BST Thu May 7 2009
System restarted at 04:03:25 BST Thu May 7 2009
System image file is "flash:c180x-advipservicesk9-mz.124-15.XY5.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1801 (MPC8500) processor (revision 0x400) with 105472K/25600K bytes of memory.
Processor board ID FCZ1048121H, with hardware revision 0000

9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
125952K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Updated 30/06/2009

CCIE R&S Lab Passed #20394

Just a quick note to say I passed my CCIE R&S lab on 31st March 2008. I am now #20394.

After spending time with a number of other suppliers I eventually started using the study materials from Internetwork Expert. The ethos with this company is that you need to first know your subject. Then you need to practice till you could almost write the configs in your sleep. I completed their three work books and then redid workbook two over and over again. Whilst I know that once you’ve already done a workbook lab you know the answers, the answers given are deliberately vague, which means you have the option to solve the problems in different ways each time. Which means that you get to learn more each time you complete the tasks. Furthermore you get faster at it.

When I first started out doing my CCIE R&S I rented rack space from remote vendors. Well, if the budget is there I would strongly recommend building your own. Two reasons for this. Firstly the experience of building up the lab from scratch, which helps you understand more as you build the backbones. And secondly you can leave a task unfinished, get the badly needed sleep and get back on the horse. When using remote kit, quite often unless you were to save your configs when you finished (which might not necessarily be that easy to do due to time constraints) you have to start from the beginning each time.

Another tip is to get into the habit of writing config in a text editor; notepad for example. This also gets you out of the habit of using the question mark key.

I have attached photos of my lab kit.