Sunday, January 16, 2011

cBarge and Privacy on CME

My environment:  CME 7.0

Barge (SIP)
- use built-in bridge
- max 3 parties
- for SIP shared line only

cBarge (SCCP and SIP)
- SCCP octo-line
- SIP shared line

Privacy
- SCCP octo-line and SIP shared line
- enabled by default

Privacy on Hold
- disabled by default

cBarge Configuration (SCCP)
! Enabling cBarge softkey
ephone-template 1
     softkeys remote-in-use CBarge Newcall

ephone 1
     ephone-template 1
     button 1:1

! Create IOS conference bridge
sccp local gi0/0.502
sccp ccm 1.1.1.254 id 1 ver 7.0
sccp

sccp ccm group 1
     associate ccm 1 pri 1
     associate profile 1 register CME-CFB

dspfarm profile 1 conference
     codec g711ulaw
     max session 4
     associate application SCCP
     no shut

telephony-service
     sdspfarm unit 4
     sdspfarm tag 1 CME-CFB
     conference hardware

Privacy and Privacy on Hold
! System Level
telephony-service
     privacy
     privacy-on-hold

! Phone Level
ephone 1
     privacy on
     privacy-button

Show Command
sh sdspfarm unit all
sh sccp
sh dspfarm dsp all

Note
- When privacy on hold is enabled globally and the phone has privacy enabled (the privacy button is on), the other phones on the shared line cannot see that the call is on hold.  If you disable privacy on hold, the hold state is visible on the shared line even when the privacy button is on.

Shared Line and Overlay DNs on CME

When you start working on CME, you will find that there are several types of shared DNs, which allow great flexibility to fit your customers' needs.  In this post I will lay out 3 scenarios with configuration and expected result, so that you can get a better understanding of how it works.

My environment:  CME 7.0

Scenario 1 - one ephone DN for multiple ephone

ephone-dn 1 dual-line
     number 4001

ephone 1
     button 1:1

ephone 2
     button 1:1

- When a call comes in to 4001, both ephone 1 and 2 ring.
- ephone 1 answers the call; ephone 2 goes into the remote-in-use state
- another incoming call goes to ephone 1's second channel
- yet another incoming call gets busy; the call does not roll over to ephone 2
- ephone 2 can't use that line for outgoing calls

Scenario 2 - 2 ephone-dn with same number with preference

ephone-dn 1 dual-line
     number 4001
     preference 1

ephone-dn 2 dual-line
     number 4001
     no huntstop
     huntstop channel

ephone 1
     button 1:1

ephone 2
     button 1:2

- ephone-dn 2 is preferred to ring when somebody calls 4001
- no huntstop on ephone-dn 2 means CME continues to search for another ephone-dn with the same number, so the call rolls over to ephone 1 as soon as ephone-dn 2 has at least one channel occupied, because of the huntstop channel command

Scenario 3 - 2 ephone-dn overlays to the same button

ephone-dn 1 dual-line
     number 4001
     preference 1

ephone-dn 2 dual-line
     number 4001
     no huntstop
     huntstop channel

ephone 1
     button 1o1,2

ephone 2
     button 1o1,2

- Both phones ring.  If, say, ephone 1 answers the call, ephone 2 is still able to receive new incoming calls to 4001 and to make calls using line 4001
- When ephone 1 has answered the call and a new call to 4001 comes in, ephone 2 rings, without showing call waiting on ephone 1
- If you want call waiting, use "c" instead of "o"

Friday, January 7, 2011

Tricks of integrating XenDesktop DDC with VMWare vCenter

My environment:  VMWare vCenter 4.1 on Windows 2008 server, ESXi 4.1, Citrix XenDesktop DDC 4

Citrix XenDesktop is the VDI product from Citrix, and it is flexible in that the desktop client VMs can run on either Citrix XenServer or VMWare ESXi.  You can choose your preferred hypervisor for your client VMs.  In my testing I am using ESXi as the hypervisor for the client VMs.

Integration is needed between Citrix DDC and VMWare vCenter because DDC needs to know which VMs on your ESXi servers are hosting the client VMs.  During my integration work I got the following error message in the Create Desktop Group wizard in DDC:

‘Invalid Address – The hosting infrastructure could not be reached at the specified address.’

The workaround is to allow both HTTP and HTTPS for SDK access on vCenter.  To do this you can:

1. Edit C:\ProgramData\VMware\VMware VirtualCenter\proxy.xml with WordPad, and change the access mode of /sdk from httpsWithRedirect to httpAndHttps

<e id="5">
  <_type>vim.ProxyService.LocalServiceSpec</_type>
  <accessMode>httpAndHttps</accessMode>
  <port>8085</port>
  <serverNamespace>/sdk</serverNamespace>
</e>

2. In DDC, when you create the integration with vCenter, use the URL http://1.2.3.4/sdk where 1.2.3.4 is your vCenter IP address.  HTTP access to your vCenter SDK is now allowed.
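As an added example (not part of the original post), a small Python audit that reads a proxy.xml in the shape shown above, lists which namespaces now answer to unencrypted HTTP, and can set /sdk back to httpsWithRedirect once the DDC integration is done.  The sample XML is constructed for this example and modelled on the fragment above; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of vCenter's proxy.xml, modelled on the /sdk
# entry quoted in the post; it is not a real file from any vCenter server.
SAMPLE_PROXY_XML = """<ConfigRoot>
  <EndpointList>
    <e id="5">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpAndHttps</accessMode>
      <port>8085</port>
      <serverNamespace>/sdk</serverNamespace>
    </e>
    <e id="7">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpsOnly</accessMode>
      <port>8089</port>
      <serverNamespace>/mob</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>
"""

# accessMode values that serve requests over unencrypted HTTP.  httpsWithRedirect
# listens on HTTP only to bounce the client to HTTPS, so it is not included.
PLAINTEXT_MODES = {"httpOnly", "httpAndHttps"}


def endpoints(xml_text):
    """Map serverNamespace -> accessMode for every <e> endpoint entry."""
    result = {}
    for e in ET.fromstring(xml_text).iter("e"):
        ns, mode = e.findtext("serverNamespace"), e.findtext("accessMode")
        if ns is not None and mode is not None:
            result[ns] = mode
    return result


def plaintext_namespaces(xml_text):
    """Namespaces reachable over plain HTTP, sorted; ['/sdk'] after the workaround."""
    return sorted(ns for ns, mode in endpoints(xml_text).items() if mode in PLAINTEXT_MODES)


def set_access_mode(xml_text, namespace, mode="httpsWithRedirect"):
    """Return the XML with `namespace` switched to `mode`, e.g. to undo the workaround."""
    root = ET.fromstring(xml_text)
    for e in root.iter("e"):
        if e.findtext("serverNamespace") == namespace:
            e.find("accessMode").text = mode
    return ET.tostring(root, encoding="unicode")
```

Run plaintext_namespaces() over the real file to confirm that only /sdk changed, and set_access_mode() to produce the reverted file once DDC no longer needs plain HTTP.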

Have fun!

How to run Cisco Mobile 8.1 over SSLVPN over 3G

My environment: AnyConnect 2.4.4009 on iPhone, Cisco Mobile 8.1 on iPhone, ASA Software 8.2.3

During my test I have learnt a few tricks that I want to share with those of you who want to test, play with or deploy it.

1. Set up the TCT device on UCM based on the admin guide here.

2. When you set up Cisco Mobile, whether 8.0 or 8.1, and configure the directory settings, you need to enter port 389 even though the field is optional and you are running on the default LDAP port.  Otherwise the app will close by itself!!

3. I encountered a weird problem: my Cisco Mobile registered to UCM, but it couldn't make or receive any calls.  The call either failed to set up, had no ring-back tone, or the second call failed.  To solve it, check whether you have SIP inspection turned on on the ASA.  To turn it off:

policy-map global_policy
class inspection_default
no inspect sip

Good Luck!

Thursday, January 6, 2011

VPN Phone for Cisco UC

My environment:  UCM 8.0.3, ASA Software 8.2.3

VPN phone is one of the alternatives for extending UC capabilities to remote workers.  I have both 79xx and 99xx phones in my lab; however, even though I upgraded the 99xx firmware to 9.1(1)SR1, the VPN feature isn't working, and it seems 99xx will only work with UCM 8.5.  The 79xx phones work fine.

Configuring ASA SSL VPN with self-signed CA

1. Generate RSA key for certificate

crypto key generate rsa label sslvpnkeypair

2. Create trustpoint for self-signed cert

crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.panda.com
 subject-name CN=sslvpn.panda.com
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm

ssl trust-point localtrust outside

3. Download Cisco_Manufacturing_CA.pem and CAPF.pem from UCM Certificate Management.  Import them to the ASA via the following commands:

crypto ca trustpoint CiscoMfgCert
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 crl configure
crypto ca authenticate CiscoMfgCert
! Enter the text content of the Cisco_Manufacturing_CA.pem cert
crypto ca authenticate CAPF
! Enter the text content of the CAPF cert

4. Copy the AnyConnect image to flash, then specify the image location

webvpn
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

5. Enable AnyConnect access

webvpn
 enable outside
 svc enable

6. Create group policy

ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol svc
 default-domain value panda.com
 address-pools value SSLClientPool

7. Configure ACL bypass

sysopt connection permit-vpn

8. Create a connection profile and tunnel group for client connections

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable

webvpn
 tunnel-group-list enable

9. Configure NAT exemption; say for example 192.168.50.5 is the UCM that you want the clients in the pool 192.168.25.0 to be able to access.

access-list no_nat extended permit ip host 192.168.50.5 192.168.25.0 255.255.255.0
nat (inside) 0 access-list no_nat

10. Add remote access users

username vpnphone password pandavpn
username vpnphone attributes
 service-type remote-access

11. Encryption algorithm

ssl encryption aes128-sha1
ssl trust-point localtrust outside

For more detailed information about the ASA configuration, check out here.


VPN Phone Configuration

1. From the ASA, export the self-signed CA cert

crypto ca export localtrust identity-certificate

Copy and paste the text and save it in a file with extension .pem

2. Create a group URL.  This is needed in the later steps of the VPN phone configuration on UCM.

tunnel-group sslgroup webvpn-attributes
 group-url https://1.2.3.4/vpnphone enable

3. Upload the CA cert to UCM.  From the UCM OS admin page, choose Security > Certificate Management.  Click Upload Certificate, and choose Phone-VPN-trust from the certificate name dropdown box.  Upload the certificate you've exported from the ASA.
4. UCM Admin page > Advanced Features > VPN > VPN Gateway, enter the VPN Group URL.  Move the certificate from the truststore to your location.
5. Advanced Features > VPN > VPN Group, choose the VPN Gateway you've created in step 4.
6. Advanced Features > VPN > VPN Profile, choose the preferred authentication method.
7. Device > Device Settings > Common Phone Profile.  Create a new phone profile and assign the VPN Group and VPN Profile to the phone profile
8. Apply the Common Phone Profile to the phones you want to allow remote VPN access.
9. For 79xx phones, go to Security Configuration > VPN Configuration > Enabled.
10. You will be prompted for username and password.  You can now bring the phone home and test it!

Saturday, January 1, 2011

Nexus 1000v Setup and Configuration

My environment:  Nexus1000v.4.0.4.SV1.3b, VMWare ESXi 4.1, vCenter 4.1

Nexus 1000v consists of the VSM (control plane) and the VEM (data plane).  The VSM can run as a VM or on a standalone appliance.  In my setup I run it as a VM on one of my ESXi hosts.  The Nexus 1000v software comes with both VSM and VEM in a zip file.

1. To install the VSM, locate the .ova file in the VSM folder.  In your vSphere client, click File > “Deploy OVF template”

2. During the deployment, you need to provide the following information:

  • Control VLAN ID
  • Packet VLAN ID
  • Domain ID
  • Management IP address

3. You can use the same VLAN for control, packet and management, but do not place data traffic on this VLAN.  The wizard is quite straightforward, so the details will not be covered here.

4. The next step is to create the Nexus 1000v plug-in.  Browse to http://vsm-ip-address and download the cisco_nexus1000v_extension.xml file

5. In vSphere Client, Plug-Ins menu, choose “Manage Plug-Ins”.  Click “Register Plug-In” and import the XML file downloaded from the VSM page.

6. Then connect your VSM to the vCenter

conf t
svs connection VC
  protocol vmware-vim
  remote ip address 1.2.3.4
  vmware dvs datacenter-name panda-DC
  connect

7. Then you can create the system port-profile and data port-profile.

port-profile type ethernet system-uplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan all
  no shutdown
  system vlan 2010
  state enabled

port-profile type vethernet cciev-server
  vmware port-group
  switchport mode access
  switchport access vlan 100
  no shutdown
  state enabled

8. The next step is to install the VEM; the easiest way is via VMWare Update Manager.  In vSphere Client > Update Manager > Patch Repository, click “Import Patch”, then choose the VEM module in the Nexus 1000v VEM folder.

9. Then create a new baseline.  Under Baselines and Groups, click Create Baselines.  Choose VEM under Extensions.

10. You can now apply the baseline to the host.  In vSphere Client > Hosts and Clusters, choose the host on which you want to install the VEM.  Click the Update Manager tab, which is usually the last tab.  Click “Attach” to attach the baseline you’ve just created, then click Remediate to apply it.

11. Now the final step is to add the host to the Nexus 1000v switch.  Under Inventory > Networking, right-click the Nexus 1000v switch and click “Add Host”.  Apply the system port-profile to the vmnic and the appropriate data port-profile to the VMs.

12. After adding the host, you can run “show interface virtual” and “show module” on the VSM to verify your work.

Remote Access SSL VPN and DDNS setup

My environment:  IOS 15.1(3)T on ISR 892

I have been spending quite a lot of time on the road, and it is much more convenient if I have a way to access my home network remotely.  In my home network I have set up SSL VPN for remote access, as well as DDNS, since I don’t have a fixed IP address for my home internet access.

1. You can register an account at dyndns.org to get your own DDNS entry

2. Then configure the DDNS update on the router; whenever there is an address change, it will update dyndns.org dynamically.

ip ddns update method DynDNS
 HTTP
  add http://pandausername:pandapassword@members.dyndns.org/nic/update?system=dyndns&hostname=panda.dyndns.org&myip=<a>
  remove http://pandausername:pandapassword@members.dyndns.org/nic/update?system=dyndns&hostname=panda.dyndns.org&myip=<a>
 interval maximum 1 0 0 0

3. Under your internet facing interface, configure the following command:

ip ddns update hostname panda.dyndns.org
ip ddns update DynDNS host members.dyndns.org

4. This is the webvpn configuration of my router; you can modify it for your own setup:

ip local pool vpn-pool 192.168.20.205 192.168.20.215
!
webvpn gateway panda.dyndns.org
 ip address 1.2.3.4 port 443
 ssl trustpoint TP-self-signed-3650870944
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg.zip sequence 2
!
webvpn context panda-context
 ssl authenticate verify all
 !
 login-message "Welcome to Panda's home"
 !
 policy group panda-group
   functions svc-enabled
   banner "Login Successful"
   svc address-pool "vpn-pool"
   svc default-domain "panda.com"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.20.0 255.255.252.0
   svc dns-server primary 3.4.5.6
 default-group-policy panda-group
 gateway panda.dyndns.org
 inservice

svc split is the split-tunnel configuration that inserts a specific route into the client’s routing table.  svc split include means that only this route is inserted on the host; other routes, including the default route, follow the client’s own routing table.

5. Then you can use the AnyConnect client for remote access in full tunnel mode.

Installing UCCX 7 on VMWare

My environment:  VMWare ESXi 4.1, UCCX 7.0.1.168

One of the components in your CCIE lab is UCCX, and instead of installing it on bare metal you might want to run it on VMWare to reduce your hardware investment.  I have just done that and would like to share some points that you need to be aware of when installing UCCX 7 on VMWare

  • Have the UCCX 7 media and license ready, as well as Windows 2003 Server.  In my environment I am using Windows 2003 Enterprise Edition; Standard Edition will also work.
  • You will need at least 2GB memory and a 72GB vDisk for your UCCX 7 VM; otherwise you can’t continue the installation and the installer will prompt an error.
  • Don’t use thin provisioning for your VM vDisk.  Allocate all 72GB during VM creation; otherwise, again, the installer will not let you continue the installation
  • Install IIS, which is required to run the UCCX appadmin pages.
  • Don’t add this machine to a domain
  • Add the following “String” values to the Windows 2003 registry to make the installer think it is running on an MCS
    • HKLM\Software\Cisco Systems\Model
      • Hardware = 7835H05
      • Memory = 2048
      • Speed = 2333
  • Reboot the machine after finishing all the above steps
  • Mount the ISO with your vSphere client, then copy all the contents to a temporary folder on the UCCX VM.  Then double-click CiscoUnifiedCCXAutorun.exe
  • Reboot after the installation finishes
  • Access the appadmin page at http://uccx7/appadmin, where uccx7 is the hostname or IP address of your UCCX server.  The initial username and password are Administrator/ciscocisco.  Remember that the “A” in “Administrator” is upper case.  If you use lower case, it will show the error “I/O AXL error”.
  • Have the license and UCM credentials ready for UCM and UCCX integration

Have fun!