Wednesday, September 30, 2015

Changing UCM to mixed mode without needing a token

I have just done it in my lab, running 10.5.2.10000-5.  With the tokenless CTL that CUCM 10.x introduced, you can change the cluster security mode from the publisher CLI:

utils ctl set-cluster mixed-mode

Restart the Cisco TFTP and Cisco CallManager services on every node, reset the phones so that they download the new CTL file, and you are good to go!  "show ctl" on the publisher confirms the CTL is in place, and "utils ctl set-cluster non-secure-mode" takes the cluster back to non-secure mode.  There is no USB token to lose any more, but the CTL is now signed by the publisher's CallManager certificate, so that certificate and the OS admin account that can run these commands are what protect the trust list.

Detailed Cisco technote here:
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

Tuesday, June 9, 2015

Reserving 1 physical CPU core for Unity Connection?

Starting from VMware ESXi 5.5 and Unity Connection 10.5.2, you no longer need to reserve one physical CPU core for Unity Connection, provided you use the vSphere latency sensitivity feature as described below.  Please see the URL and text below:

http://docwiki.cisco.com/wiki/Virtualization_for_Cisco_Unity_Connection

Quote:
"VMware release 5.1 and older requires reserving one physical core per physical server - see co-residency policy. With VMware release 5.5 and later and Unity Connection release 10.5.2 and later, while utilizing the latency sensitivity feature, you may remove the requirement of one dedicated physical core per physical server. This requires the Unity Connection VM Latency Sensitivity to be set to 'High' while at least one other VM is set to 'Normal'. Recommend every VM to be set to 'Normal' except for Unity Connection VMs."

Sunday, May 31, 2015

Virtual Wireless LAN Controller now supports AVC

Just upgraded my vWLC to 8.1.102, and it now supports AVC (Application Visibility and Control) on the Virtual Wireless LAN Controller in FlexConnect mode.  The configuration is simple and the graphs look cool!

All you need to do is tick the AVC checkbox under your WLAN; this is the FlexConnect-enabled WLAN for my home:

On the Monitor > Summary page you can see the top application statistics:

You can see the details if you click "View All", with some nice graphs.

Friday, April 24, 2015

CUCM and CUC Publisher Rebuild

The CUCM and CUC publishers in my lab crashed due to a disk failure.  Luckily my subscribers are on a different LUN, so at least I don't need to rebuild the whole cluster.  This is what I did, and I want to share my experience and the hiccups during the rebuild in this post.

UCM Publisher Rebuild

For UCM I followed this guide, which is a well-written one.  This is what I did, based on the guide.

1. Gather cluster data on a subscriber

Two commands, "show network cluster" and "show version active", give you the existing cluster info: the node list and the exact version the new publisher must match.

2. Stop DB replication on all subscribers

This is important: you do not want the new, empty publisher database to replicate over the one your subscribers still hold; you want the other way round.  Stop replication on every subscriber with "utils dbreplication stop".

3. Install the new CUCM publisher with the same hostname, IP address, domain name, security password, exact UCM version and installed COP files

Install it from bootable media.  The security password has to match because DRS encrypts backups with it; with a different one the restore in step 8 cannot read the subscriber's backup.

4. Update processnode values on the publisher

I am running 10.5(2), so on the new publisher CLI I need to issue "utils disaster_recovery prepare restore pub_from_sub" before adding the nodes under System > Server.

Retrieve the node list from the existing subscriber: run sql select name,description,nodeid from processnode

Go to the Publisher UCM Admin page and add the nodes from that list.

5. Reboot the publisher

Use the command "utils system restart".

6. Verify cluster authentication

Do this on the publisher after it restarts: "show network cluster" should list every node in the "authenticated" state.

7. Perform a new backup

Add a backup device (DRS writes to an SFTP server; I am using a Linux machine for that) and start a manual backup.


8. Publisher restore from the subscriber DB

I encountered an issue during the restore with the error message "Unable to send network request to master agent.  This may be due to Master or Local Agent being down".

I tried a few things:
- Regenerate the ipsec certificate and restart the DRF Master and Local agents; it didn't work.

Solution
  • Remove cup1 and cup2 from the server list on the publisher UCM Admin page.  Then it works.  DRS requires every host in the server list to be up and reachable, and one of my CUP nodes was not responding (because of the same LUN failure).
Tick the publisher node checkbox (UCM1), choose the subscriber DB from which the restore takes place (UCM2 in my case), then click Restore.


9. Restore status

When the restore reaches the CCMDB component, the status text shows "Restoring Publisher from Subscriber Backup".


10. Run a sanity check on the publisher DB

These two SQL statements give you a gut feeling whether the DB restore worked or not.

11. Reboot the cluster after the restore

"utils system restart" on every node.

12. Verify replication setup

"utils dbreplication runtimestate" on the publisher; every node should reach replication state 2 (Good) before you go on.

13. Post restore

Activate the services and install the device packs.

CUC Publisher Rebuild

The steps for the CUC publisher rebuild are similar.

1. Gather cluster data

2. Stop replication on all subscribers

3. Install the CUC publisher

4. Update processnode values on the publisher

5. Reboot the publisher node

6. Verify cluster authentication

7. Connect the subscriber server to the new Connection cluster, and replicate data and messages to the publisher server

This step is different: we are not using DRS to restore the DB.  Run "utils cuc cluster renegotiate" on the subscriber.

The publisher server restarts automatically.

Run "show cuc cluster status" on the subscriber to verify that the new cluster has been configured correctly.

Good luck!

Tuesday, March 31, 2015

A simple EEM applet for my home environment

My broadband link is not as stable as I would like; it goes up and down from time to time, and when it does, the public IP address on my outside interface may change.  A few settings in my lab depend on that IP address.  DDNS would be the proper fix, but I haven't found a new provider since my free DynDNS membership expired, so in the meantime I have written a simple EEM applet that emails me the IP addresses of all my interfaces.

! Define the email environment variables: from address, to address and SMTP server
event manager environment _email_from alice@aaa.com
event manager environment _email_to bob@bbb.com
event manager environment _email_server smtp.ccc.com

! The applet runs a show command, so it needs a CLI session; panda is a local
! username with privilege level 15, so the session lands straight in enable mode
event manager session cli username "panda"

! Run this applet every day at 00:00 (cron fields: minute hour day-of-month month day-of-week)
event manager applet check-interface-ip
 event timer cron cron-entry "0 0 * * *"
 action 1.1 cli command "show ip int brief"
 ! $_cli_result holds the output of the last cli command and becomes the mail body
 action 1.2 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "[EEM] HOME-RT01 interface IPs" body "$_cli_result"

Two things to keep in mind: the mail action speaks plain SMTP with no TLS, so the interface list crosses the network in the clear (keep the SMTP server on the inside), and the privilege-15 account the applet runs as should be a dedicated one that is not used for anything else.
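The applet above mails the full interface table every night whether or not anything changed.  As an added example that is not part of the original post, the script below runs on the machine that receives that mail (or anywhere that can pull "show ip interface brief" from the router), parses the output, and reports only the interfaces whose address changed since the last run.  The sample output, the hostname and the state-file name are constructed for the example.

```python
"""Report interface address changes from 'show ip interface brief' output.

Added example, not part of the original post: it turns the nightly interface
dump into a change report by keeping the previous addresses in a small JSON
state file and printing only the differences.
"""
import json
import re
from pathlib import Path

# Constructed sample in the IOS 'show ip interface brief' layout (not taken
# from the author's router); the addresses are documentation ranges.
SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         203.0.113.45    YES DHCP   up                    up
GigabitEthernet0/1         192.168.24.1    YES NVRAM  up                    up
Vlan10                     unassigned      YES unset  administratively down down
"""

# One data row: name, address, OK?, method, status (may contain spaces), protocol.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)$")


def parse_ip_int_brief(text):
    """Return {interface: address}; interfaces with no address keep 'unassigned'."""
    addresses = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match is None:
            continue  # header line or anything that is not a data row
        addresses[match.group(1)] = match.group(2)
    return addresses


def diff_addresses(previous, current):
    """Return {interface: (old, new)} for every interface whose address differs.
    Interfaces that appeared or disappeared show up with None on one side."""
    changes = {}
    for name in sorted(set(previous) | set(current)):
        old, new = previous.get(name), current.get(name)
        if old != new:
            changes[name] = (old, new)
    return changes


def format_report(hostname, changes):
    """Human-readable summary, or '' when there is nothing to report."""
    if not changes:
        return ""
    lines = [f"[EEM] {hostname}: {len(changes)} interface address change(s)"]
    for name, (old, new) in changes.items():
        lines.append(f"  {name}: {old or '<absent>'} -> {new or '<absent>'}")
    return "\n".join(lines)


def load_state(path):
    """Previous run's {interface: address}, or {} on the first run."""
    state_file = Path(path)
    return json.loads(state_file.read_text()) if state_file.exists() else {}


def save_state(path, addresses):
    Path(path).write_text(json.dumps(addresses, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Hypothetical deployment: the text would come from the router (the EEM mail
    # body, or an SSH 'show' run); the constructed sample stands in for it here.
    state_path = "interface-state.json"  # assumed location
    current = parse_ip_int_brief(SAMPLE_OUTPUT)
    changes = diff_addresses(load_state(state_path), current)
    save_state(state_path, current)
    print(format_report("HOME-RT01", changes) or "no address changes")
```

The regex keeps the status column lazy so that "administratively down" (two words) still parses; the diff treats an interface that vanished or appeared as a change, since a missing outside interface is exactly the case that matters here.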


ISE web admin password expired

I haven't touched my ISE 1.3 lab for some time.  When I tried to log in again I saw this: "Password is expired.  Please reset your admin password."
This is a good security policy for a production customer environment but annoying in a lab.  First let's reset the password; it has to be done from the ISE CLI, with "application reset-passwd ise admin" (use your own web admin username in place of admin):

If you want to disable the default 45-day admin password expiration policy, go back to the UI: Administration > Admin Access > Authentication > Password Policy > Password Lifetime, and uncheck the first checkbox.  Leave it on in production; the expiry is what limits how long a leaked admin password stays usable.

Thursday, February 12, 2015

Nexus 9000 Standalone mode eNXOS - New Feature Walkthrough

I have just got two new Nexus 9396PX switches in my lab, so let's quickly walk through some unique features and capabilities of N9K eNXOS.

Compared with the Nexus 7K and 5K, which have two separate images (kickstart and system), N9K eNXOS has a single image file.

Although the VDC command is available, only a single VDC is supported.

You can enable Linux bash shell access with the command "feature bash-shell" and enter it with "run bash".  That is a root-level shell on the underlying Linux, so keep it to the network-admin role and audit it like any other root access.

You can also access the Python shell (just type "python") to do some programming and automation on the switch using Python scripts.

Moreover, you can access the Broadcom shell for low-level troubleshooting.

There is a built-in tcpdump-like sniffer, ethanalyzer; this example simply sniffs the traffic on my OOB mgmt port.

N9K standalone offers the RESTful NX-API as the northbound API.  Enable it with "feature nxapi", then open http://<your 9K address> in your browser.  NX-API authenticates with HTTP basic auth, so outside a lab switch it to HTTPS ("nxapi https port 443" and "no nxapi http"); otherwise the credentials and every command result go over the wire in the clear.

You will then see the Developer Sandbox, which lets you test API calls and shows you the syntax and format:

For example, you can submit a "show version" command and it will show the corresponding JSON request format and response, which saves you time looking at documentation to understand the request and response format.

And you can even submit bash shell commands via NX-API; it is really powerful.  It also means an NX-API credential is effectively root on the switch, so restrict who can reach the API to the management network and don't reuse the account anywhere else.
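The sandbox shows the JSON-RPC request and response for one command.  As an added example (not from the original post or from Cisco), here is the same exchange done from Python: a function that builds the JSON-RPC batch NX-API expects at the /ins endpoint, one that sends it over HTTPS with basic auth, and one that pulls the useful fields out of a "show version" reply and refuses an error reply instead of crashing on it.  The switch address, the credentials and the sample replies are assumed or constructed; the field names follow the show version JSON body of NX-OS 7.0(3)I releases and may differ on yours.

```python
"""Talk to NX-API on a standalone Nexus 9000 with JSON-RPC.

Added example, not from the original post or from Cisco. Assumed values:
SWITCH_URL, NXAPI_USER and NXAPI_PASS; the sample replies are constructed, and
their field names follow the 'show version' JSON body of NX-OS 7.0(3)I releases.
"""
import base64
import json
import urllib.request

SWITCH_URL = "https://192.0.2.10/ins"  # assumed; /ins is the NX-API endpoint, keep it on https
NXAPI_USER = "admin"                   # assumed
NXAPI_PASS = "change-me"               # assumed


def build_cli_request(commands, method="cli"):
    """JSON-RPC 2.0 batch in the shape the Developer Sandbox shows.
    method 'cli' returns structured JSON; 'cli_ascii' returns the raw text."""
    return [
        {
            "jsonrpc": "2.0",
            "method": method,
            "params": {"cmd": cmd, "version": 1},
            "id": index + 1,
        }
        for index, cmd in enumerate(commands)
    ]


def parse_show_version(response):
    """Pull hostname, version and chassis out of a 'show version' reply.
    Raises ValueError when the switch answered with a JSON-RPC error object."""
    entry = response[0] if isinstance(response, list) else response
    if "error" in entry:
        raise ValueError(f"NX-API error: {entry['error']}")
    body = entry["result"]["body"]
    return {
        "hostname": body.get("host_name"),
        "version": body.get("sys_ver_str") or body.get("kickstart_ver_str"),
        "chassis": body.get("chassis_id"),
    }


def send(request, url=SWITCH_URL, user=NXAPI_USER, password=NXAPI_PASS):
    """POST the batch with HTTP basic auth and return the decoded reply.
    Basic auth is only base64, which is why this must run over HTTPS; urlopen
    verifies the server certificate, so install a trusted one on the switch
    rather than turning verification off."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(request).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json-rpc",
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


# Constructed sample replies (not captured from a real switch).
SAMPLE_RESPONSE = [{
    "jsonrpc": "2.0",
    "result": {"body": {
        "host_name": "N9K-1",
        "sys_ver_str": "7.0(3)I1(1)",
        "chassis_id": "Nexus9000 C9396PX Chassis",
    }},
    "id": 1,
}]
SAMPLE_ERROR = [{"jsonrpc": "2.0", "error": {"code": -32602, "message": "Invalid params"}, "id": 1}]


if __name__ == "__main__":
    print(json.dumps(build_cli_request(["show version"]), indent=2))
    print(parse_show_version(SAMPLE_RESPONSE))
    # send(build_cli_request(["show version"])) would run it against the real switch
```

Batching several commands into one request is what the sandbox does too; each entry gets its own id so replies can be matched back.  The same transport carries the bash type the post mentions, which is why the credential in NXAPI_PASS deserves the same handling as the enable password.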

Monday, January 19, 2015

ISE 1.3 + vWLC 7.6 - BYOD (Single SSID) Step-by-Step Guide

In my previous post we set up ISE 1.3 and vWLC 7.6 with a basic 802.1X configuration; in this post we go further and configure EAP-TLS certificate-based authentication using the ISE internal CA, a new feature introduced in 1.3.  We are also going to configure self-onboarding, which lets end users register their own devices and install a certificate on them.

1.  First of all, enable captive bypass on the WLC so that the captive portal does not pop up automatically when you connect to the BYOD SSID.  It has to be done from the CLI:

config network web-auth captive-bypass enable

And you need to reload the vWLC after this ("save config", then "reset system").

2.  ISE > Administration > Network Resources > Network Devices: add your vWLC.  192.168.24.70 is my vWLC IP address.

3. We are going to use the ISE internal CA to sign the endpoint certificates, so no external identity source is needed.  Administration > Identity Management > Identity Source Sequences: add a new identity source sequence.

4.  ISE > Policy > Policy Elements > Results > Authentication > Allowed Protocols: create a new allowed protocols list with EAP-TLS enabled.

5. ISE > Policy > Authentication: add a new authentication policy.

6. ISE > Policy > Policy Elements > Results > Authorization > Authorization Profiles: create two authorization profiles, one for full network access and the other dedicated to supplicant provisioning.

Create an ACL on the vWLC that permits everything, for users after authentication.
Create the second authorization profile for supplicant provisioning.
Create another ACL on the vWLC that only allows DNS and the ISE BYOD portal during the supplicant provisioning stage, so an unregistered device cannot reach anything else on the network.

Make sure your ISE FQDN is resolvable via DNS; I added a host record on my DNS server, 192.168.24.2.

7. ISE > Policy > Authorization: add two rules, "Employee Personal Device" and "Reg with ISE TLS".  Devices that have not been registered before are redirected to the BYOD portal, which installs the certificate on the device.

8.  ISE > Policy > Client Provisioning: I am an iPhone user and have only configured iOS in my lab.  Other platforms should be similar.

9.  Since I am using FlexConnect, make sure you have created the FlexConnect ACL (with local switching the redirect ACL is enforced on the AP, not on the controller); otherwise the client cannot reach the ISE page:

This is the screen capture from my iPhone when it first connects to the BYOD SSID.