Tuesday, June 29, 2010

How to update Bulk UDP in CUCM 7.1.3?

We have over 3000 User Device Profiles that need the User Hold MOH Audio Source field changed back to on CUCM 7.1.3. We need to update not the line but the device profile itself. How can we do a bulk update for UDPs?

Tips:

We can address this via the AXL API or by updating the database directly; AXL is the supported route and the one the rest of this answer uses.

A rudimentary tool that can do this sort of thing can be found in the following link:

Essentially the input CSV file you would need would have two entries for each UDP:

updateDeviceProfile,name,UDPDAVE1234,networkHoldMOHAudioSourceId,2

updateDeviceProfile,name,UDPDAVE1234,userHoldMOHAudioSourceId,2

updateDeviceProfile,name,UDPSALLY1235,networkHoldMOHAudioSourceId,2

updateDeviceProfile,name,UDPSALLY1235,userHoldMOHAudioSourceId,2

etc

A lot of lines, but you should be able to whip this up in Excel by exporting all UDP names from CCM, or a subset. It is easier to create two files with one line per UDP, search/replace networkHold for userHold in the second, and run the two files separately.

Always do a single-line input file first to verify your spelling/results.
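As an added example (not the tool the post links to, and not code from the post's author), the following script reads a CSV in exactly the layout above and issues one AXL updateDeviceProfile request per row. Everything not in the post is an assumption: the AXL endpoint https://<host>:8443/axl/, the AXL schema version 7.1 (used in the namespace and the SOAPAction header), and an application user that holds only the Standard AXL API Access role. Element names from the CSV are sent verbatim, and AXL is case-sensitive about them, so the single-row dry run the post recommends also catches a misspelled field (check AXLSoap.xsd for your version for the exact spelling, e.g. Moh versus MOH). Two checks a CSV-driven admin tool needs are built in: the operation column is restricted to updateDeviceProfile, so a stray removeDeviceProfile line cannot delete profiles, and element names are validated so a value such as <x/> cannot inject XML. The TLS certificate is verified against a CA file rather than ignored.

```python
#!/usr/bin/env python3
"""Bulk AXL updateDeviceProfile from a CSV in the layout shown in the post.

Added example, not the tool the post links to. Assumptions not taken from the
post: AXL listens at https://<host>:8443/axl/, the schema version is 7.1, and
the credentials belong to an application user holding only the Standard AXL
API Access role. CSV element names are sent verbatim and are case-sensitive.
"""
import argparse
import base64
import csv
import getpass
import io
import re
import ssl
import sys
import urllib.request
from xml.sax.saxutils import escape

AXL_NS = "http://www.cisco.com/AXL/API/7.1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ALLOWED_OPS = {"updateDeviceProfile"}            # a CSV cannot smuggle in remove*/add* calls
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # element names: no '<', '/', ':' injection


def parse_rows(csv_text):
    """Return [(op, key, key_value, field, value), ...]; reject anything outside the whitelist."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        if not row or row[0].lstrip().startswith("#"):   # blank lines and comments
            continue
        if len(row) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(row)}")
        op, key, key_value, field, value = (c.strip() for c in row)
        if op not in ALLOWED_OPS:
            raise ValueError(f"line {lineno}: operation {op!r} not allowed")
        for name in (key, field):
            if not NAME_RE.match(name):
                raise ValueError(f"line {lineno}: bad element name {name!r}")
        rows.append((op, key, key_value, field, value))
    return rows


def build_envelope(op, key, key_value, field, value):
    """One SOAP request; element values are XML-escaped, element names were validated above."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ns="{AXL_NS}">'
        "<soapenv:Header/><soapenv:Body>"
        f"<ns:{op}><{key}>{escape(key_value)}</{key}>"
        f"<{field}>{escape(value)}</{field}></ns:{op}>"
        "</soapenv:Body></soapenv:Envelope>"
    )


def send(host, user, password, op, envelope, cafile):
    """POST one envelope over TLS, verifying the CUCM Tomcat certificate against cafile."""
    req = urllib.request.Request(f"https://{host}:8443/axl/",
                                 data=envelope.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", f'"CUCM:DB ver=7.1 {op}"')
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)   # never disable verification for an admin API
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8")


def main(argv=None):
    ap = argparse.ArgumentParser(description="bulk AXL updateDeviceProfile from CSV")
    ap.add_argument("csv_file")
    ap.add_argument("--host", required=True)
    ap.add_argument("--user", required=True)
    ap.add_argument("--cafile", required=True, help="PEM bundle that signs the CUCM Tomcat cert")
    ap.add_argument("--dry-run", action="store_true", help="print envelopes, send nothing")
    args = ap.parse_args(argv)
    with open(args.csv_file, encoding="utf-8") as fh:
        rows = parse_rows(fh.read())                  # validate the whole file before sending anything
    password = None if args.dry_run else getpass.getpass("AXL password: ")
    for row in rows:
        env = build_envelope(*row)
        if args.dry_run:
            print(env)
            continue
        # an AXL fault comes back as HTTP 500 (urlopen raises, which stops the run) or a SOAP body
        reply = send(args.host, args.user, password, row[0], env, args.cafile)
        print(row[2], "OK" if "<return>" in reply else reply)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once with --dry-run against the single-line file the post recommends, compare the printed envelope with the schema, then run it without --dry-run on the full file. The whole CSV is validated before the first request, and an HTTP error from AXL stops the run, so a bad row cannot leave half the profiles changed in a surprising order.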

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

How to create hunt pilot number displayed on local call ?

We have CUCMBE 7.1.3 and hunt pilot number 6000. Hunt group members are 6001 and 6002. If we make a call outside, we can use the calling party's External Phone Number Mask. When we make a call from 6001 to an outside number, the called party sees the number as 6000. But if we make a call from 6001 to ext 600x (ext to ext), the called party sees the originating number (6001). How do we make the called party see the originating number as 6000?

Hints
Run all calls from that extension through a translation pattern. For example:
  1. Ext 6001 currently has CSS 'XXX' (replace XXX with whatever partition name you have assigned).
  2. Create a new partition 'PT_XXX_CLI_6000'.
  3. Create a new CSS 'CSS_XXX_CLI_6000' with the new partition as its ONLY member.
  4. Add a translation pattern to 'PT_XXX_CLI_6000' with ! as the pattern and CSS 'XXX' (the original CSS) as the CSS for the translation pattern. Set the 'Calling Party Transform Mask' to 6000.
  5. Assign CSS_XXX_CLI_6000 to ext 6001.
  6. The result is that any call from ext 6001 (or any line assigned CSS_XXX_CLI_6000) goes through the translation pattern and has its calling number modified by it. The call is then subject to the original CSS, because that is the CSS applied to the translation pattern.

Points to note:

  • This doesn't work if the extensions themselves sit in the translation pattern's partition, as the DNs will always match before the translation pattern.
  • If you have separate routing/blocking CSSs on the phones, replace the routing CSS.


Where can we find List of Soft Key Options for UCM 7.1?

The SRND references lots of softkey features, but not as a single list.

List (the softkey template is organised per call state; the states and the softkeys that appear across them are):

Call states: OnHook, Connected, Hold, Ring-In, OffHook, Connected Transfer, Digit After First, Connected Conference, Ring-Out, OffHook Feature, Remote In Use

Softkeys: Redial, Hold, Resume, Answer, Transfer, New Call, End Call, iDivert, Forward All, Select, DnD, QRT, Join, Pickup, Group Pickup, Other Pickup, MeetMe, Video Mode, Conference, Conference List, Remove Last Conference, Direct Transfer, Hlog, Abbreviated Dial, Mobility, Park, Call Back, Barge, cBarge

AIP-SSM20 on the standby ASA is not accessible via telnet


We have two ASAs, each with an AIP-SSM20. One ASA is in standby, which means the AIP-SSM20 in the standby unit is also idle because no traffic is forwarded to the ASA while it is in standby mode?
When we telnet to the IPS of the standby ASA it is not accessible, and we also can't see any logs in IME (IPS Manager Express) from the IPS in the standby ASA; logs from the IPS in the active ASA can be viewed. Any suggestions or hints will be appreciated.

Tips:

When the ASA is in standby there is no traffic going through it, so nothing is forwarded to the AIP module either, because traffic inspected by the AIP module is sent to it across the ASA backplane.

The AIP module in the standby ASA also needs to be set up manually (i.e. its configuration is not synchronised from the active AIP module to the standby one). You need to configure a unique IP address on the standby AIP module, and the module's management port needs to be connected to the network and reachable, since that is what telnet and IME talk to. Beyond that, while no traffic passes through the ASA (in standby), the AIP module generates no event logs because nothing passes through it.


How to implement a Server Farm Firewalling? ASA 5510

We have just finished the first phase of implementing a server farm in our data center, i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on, but let's just call it a single user VLAN.) We would like to put a firewall between the server VLAN and the user VLAN. We have around 80 servers running different applications. We think putting a firewall between the two VLANs will have a performance hit, since the throughput required between the two VLANs is way too much for a normal firewall to support. What will be the best approach to implement the server farm firewalling? Placing a separate hardware firewall like an ASA 5510, or using an FWSM in the Cisco 6500: which is the best thing to do?

Tips:

  1. The ASA is typically an edge device (due to its VPN capability), but lately it's not that uncommon to see a multi-context ASA 5580 in the DC.
  2. The FWSM is what you would typically see in the distribution layer.
Some best practices to follow:
  • KISS principle: if you're adding more than about ten VLANs to an FWSM or ASA you're probably doing something wrong. If your routing table has just blown up, you're not summarizing enough (the address space was allocated poorly).
  • Inter-server or inter-user communication (replication, or apps like memcached, DNS traffic): design it not to pass through the firewall; consider using private VLANs instead.
  • If separate rule sets are required for different VLANs, use a multiple-context firewall instead (consider transparent mode if no NAT or routing is needed).
  • You would typically put a firewall between users and the internet, and between users and servers. Keep that in mind and police traffic between users (and servers) where needed.
  • Bottom line: traffic that needs to be fast, switch it, don't route it.
  • If you want some servers to communicate on one VLAN and others not, use private VLANs.
  • Traffic that needs to be checked against policy (access lists etc.), route it to the firewall (or use a transparent firewall on that VLAN).

Books with related topics:

CCDA self study guide

CCDP - ARCH book.


Monday, June 28, 2010

Where can we get interim release code for ASA 8.0.5.2 or ASA 8.0.5.7?

We have a 5510 failover pair that needs to be upgraded to address some security vulnerabilities. The security advisory specifically addresses the NTLM vulnerability.

The issue is that NTLM is addressed by 8.2(2.1), and we see 8.2.2.ED available for download. The advisory recommends 8.2(2.4), but we would like to avoid interim releases if possible. Is 8.2(2.1) the same as 8.2.2.ED on the download site?

Tips:

  • 8.2.2.1 is not the same as 8.2.2 ED. You need to upgrade to at least the 8.2.2.1 interim to get around the NTLM vulnerability. The latest available interim is 8.2.2.16.
  • For interim releases not available on CCO you need to contact Cisco TAC to publish them for you.
  • Downloading interims requires a CCO ID with software download privileges.
  • Note that 8.0.5.2 and 8.0.5.7 interim images were never released.


Sunday, June 27, 2010

Top 5 Tech Support questions on Cisco Systems' products - 6/21/10 Weekly Update


The most actively discussed Tech Support questions on the web for Cisco Systems' products (week of June 21st 2010)
  1. Issues while upgrading from CUCM 7.1.2 to 7.1.3 in VMWare
  2. NBMA and using the EIGRP and OSPF, Why is it not possible to use RIP, IS-IS and IGRP
  3. Is it possible to initiate a dhcp-request over different ip-segments over the llc-layer?
  4. How to limit rate in our internet access for Cisco 2600?
  5. Cisco Nexus and 6500 series switches comparisons



How to trace traffic Source in Cisco ASA 5510?

We have a site-to-site IPsec VPN between an 1801 ISR and an ASA 5510. While monitoring the VPN on the ASA we found constant traffic on it (we expected only intermittent traffic). How can we trace the source that is causing traffic to cross the VPN?

The Packet Capture wizard in ASDM can capture all packets between any pair of interfaces or IP addresses/ranges. Capture on the inside interface for the source subnet, then send the output to Wireshark and sort by source address to find the host generating the traffic.
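The same capture from the CLI, as an added example that is not part of the original post. The interface name inside, the inside subnet 10.1.0.0/16, the remote VPN subnet 10.2.0.0/16 and the TFTP host 10.1.9.5 are assumptions:

```cisco
! Match both directions of the traffic that would enter the tunnel, so unrelated
! inside traffic does not fill the buffer
access-list CAP_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CAP_VPN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
capture VPNSRC access-list CAP_VPN interface inside buffer 2000000 circular-buffer
!
! Quick look: per-packet source/destination; a host that keeps appearing is the one to chase
show capture VPNSRC
! Long-lived connections towards the remote subnet, with byte counts and idle time
show conn address 10.2.0.0 netmask 255.255.0.0
! Confirm the tunnel is carrying it: the encaps/decaps counters keep climbing
show crypto ipsec sa | include pkts
!
! Export for Wireshark, then remove the capture so it stops copying traffic into memory
copy /pcap capture:VPNSRC tftp://10.1.9.5/vpnsrc.pcap
no capture VPNSRC
```

Capturing with an access-list keeps the buffer to the tunnel's traffic only; without it a busy inside interface wraps the circular buffer before the intermittent source shows up.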


Cisco Nexus and 6500

We are running a single 6509 at the data center. We are looking to upgrade and are debating whether we should continue with the 6500 platform or move to the Nexus platform. We would like to be able to support 10 Gig with the new platform. We would also like to have the foundation to support future initiatives and the SAN environment (we may be merging the SAN environment in the future). What details are available about the Nexus data center space? We have two FWSMs running in the 6509; will these modules work with Nexus?

Suggestions

1. The Cisco Nexus series of data center switches are specifically designed and architected for the data center of the future, which will involve the unification of data and storage fabrics (iSCSI or FCoE), I/O consolidation using 10G (40G and 100G are around the corner), VN-Link, SR-IOV, NPIV (this is part of the storage virtualization you mention), CEE and other data center virtualization technologies and enhancements.
2. The Nexus can also be part of a larger ecosystem that includes Cisco fabric extenders, like the 2100 series, which can be leveraged instead of TOR switches, as well as EOR switches for inter-rack routing and service positioning, such as SSL offloading, firewalling, load balancing, etc. Take note that the Nexus switches do not support chassis service modules, so you will need separate appliances.
3. The deployment of a Nexus implies much more than a simple switch upgrade; it is part of a holistic data center solution that reflects a roadmap for the next 5 years at least.

The modules referred to are the FWSM, CSM, etc.; with the Nexus you will need separate appliances.


Friday, June 25, 2010

VLAN - Separating voice and data traffic

Catalyst switches can use the "switchport voice vlan number" command to separate voice and data traffic, utilizing CDP to communicate with a Cisco IP phone connected to that port. What is the best practice for separating voice and data traffic on the same port with non-Cisco IP phones?

Tips:

This can be done manually, or dynamically via a discovery protocol. CDP only works with Cisco phones; for third-party endpoints the dynamic option is LLDP-MED, so check that the phones support it. Cisco's Catalyst configuration guides cover both LLDP-MED together with Cisco Discovery Protocol, and Link Layer Discovery Protocol (IEEE 802.1AB) itself.

Do research this and test it out before going to production.
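As an added example (not from the original post), a Catalyst IOS port configuration for a third-party phone that speaks LLDP-MED. The interface name, the VLAN numbers and the assumption that the switch runs an IOS release with LLDP-MED support are mine, not the post's:

```cisco
! Enable LLDP globally; the switch then advertises the voice VLAN configured below in the
! LLDP-MED Network Policy TLV as well as via CDP, so a non-Cisco phone learns it the same way
lldp run
!
interface FastEthernet0/1
 description third-party IP phone with a PC behind it (hypothetical port)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
!
! Verification: the phone should appear with MED information and the voice VLAN it was told to use
show lldp neighbors FastEthernet0/1 detail
show lldp traffic
```

The voice VLAN is traffic separation, not authentication: any device that tags its frames with VLAN 100 gets into it. If keeping rogue devices out of the voice VLAN also matters, pair this with 802.1X or MAB on the port.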


Thursday, June 24, 2010

NBMA and using the EIGRP and OSPF, Why is it not possible to use RIP, IS-IS and IGRP

Why can't we use RIP, IS-IS and IGRP when we are using NBMA like Frame Relay or X.25? We are using EIGRP and OSPF with NBMA.

Solutions:

  1. OSPF and EIGRP are recommended for NBMA, but you can use RIP, for example, if you disable split horizon on the hub router, as you also need to do with EIGRP.
  2. IGRP is legacy and not supported in modern IOS images.
  3. IS-IS has no NBMA network type like the one in OSPF, which is why OSPF is preferred.
  4. However, in IS-IS it is possible to configure a feature called mesh groups that may be useful in dealing with NBMA.
  5. IS-IS works over NBMA only in a full-mesh topology, as it supports only point-to-point and broadcast network types.
  6. If you can't send multicast updates, you can switch to unicast updates (neighbor plus passive-interface commands). Also, if you have a lot of neighbors and are sending multicast updates, you may have to tune the broadcast queue.

Issues while upgrading from CUCM 7.1.2 to 7.1.3 in VMware


Does CUCM 7.1.3 run OK in VMware (ESX 3.0)? We are trying to upgrade, but when it reboots we get the following error:
kernel panic- not syncing: attempted to kill init

Tips to resolve this issue
  1. 7.1.2 fails in VMware if you don't configure a reachable NTP server.
  2. You can't upgrade from 7.1.2 to 7.1.3 on VMware ESX 3.0; the reason is not clear, but the license files are reported to be different.
  3. Installing fresh from the bootable 7.1.3 media on ESX 3.0 did not work either.
  4. Eventually upgrade VMware to ESX 4.0 and all should be good; you will still need a reachable NTP server.
  5. CUCM 7.1.2 has no code to detect VMware, so you can install it on any virtual machine; CUCM just thinks it's physical.
  6. In CUCM 7.1.3 Cisco added code to detect the VM; you have to use ESX 4.


Monday, June 21, 2010

What is the Password Recovery procedure for 2900 series Router?


Steps to recover:
  1. PuTTY's "Special Command -> Break" should work to get into ROMMON.
  2. If you had disabled the boot mode button with the command no boot mode-button, you will have to call Cisco TAC to regain access. If not, follow Cisco's password recovery procedure for the 2900 series.
  3. If no service password-recovery is configured, that is printed at boot; the break-to-ROMMON procedure is then disabled, and recovery means resetting the router to factory defaults, which erases the configuration.

CallManager 8.0 caller id issues


We have Call Manager 8.0, and we have FXO ports with an MGCP 2821 gateway. The caller ID will work for one call, and then go back to displaying unknown name and number. If we reset the gateway, it will display the caller ID for one call again, but only the first call. We have tried changing the ring settings, etc. thinking it was a delay problem, but that did not work.

This should be a simple fix. Try a "shut"/"no shut" on voice-port 0/0/0 on the gateway.


Thursday, June 17, 2010

How to limit rate in our internet access for Cisco 2600?


We are about to order a 10 Mb internet circuit with a 2600 router from my ISP. We have a 3560E Cisco switch on the outside of the firewall and a 3560E switch on the inside of the firewall connecting to the rest of my LAN. Our problem is that we need to rate-limit the 10 Mb pipe. We would like to have 1.5 Mb to VLAN x.x.x.x and 2.5 Mb to another VLAN x.x.x.x, and so on. Should we use CAR, ACLs or rate-limit commands? Can someone make a recommendation?

If you are planning to configure QoS only on the 3560 switch then you have a few options: MQC or rate-limit. With MQC you use the police option within the policy-map, while with rate-limit you place the command directly on the SVI. They both provide the same feature and rate-limit requires less typing:

interface vlan x
 rate-limit output 1496000 93750 187500 conform-action transmit exceed-action drop

This limits the interface to 1.5 Mbps out to anywhere, not just the internet (the arguments are the rate in bps, then the normal and extended burst in bytes).

If you want to limit just the internet but allow more bandwidth to other destinations from that source, then you need MQC with an ACL that classifies the internet-bound traffic.
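As an added example (not from the original post), the MQC version of the same limit applied on the 2600 instead of the switch, which also settles the "just the internet" question: only internet traffic crosses the WAN interface, so no ACL is needed to tell it apart from LAN-to-LAN traffic. The WAN interface name FastEthernet0/1 and the two VLAN subnets 10.1.10.0/24 and 10.1.20.0/24 are assumptions:

```cisco
! Classify each VLAN's hosts by subnet; both directions so one policy serves input and output
ip access-list extended VLAN10_HOSTS
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip any 10.1.10.0 0.0.0.255
ip access-list extended VLAN20_HOSTS
 permit ip 10.1.20.0 0.0.0.255 any
 permit ip any 10.1.20.0 0.0.0.255
!
class-map match-all VLAN10
 match access-group name VLAN10_HOSTS
class-map match-all VLAN20
 match access-group name VLAN20_HOSTS
!
! police <bps> <normal burst bytes> <extended burst bytes>: bursts sized at 0.5 s and 1 s of the rate
policy-map INTERNET_PER_VLAN
 class VLAN10
  police 1500000 93750 187500 conform-action transmit exceed-action drop
 class VLAN20
  police 2500000 156250 312500 conform-action transmit exceed-action drop
!
! Everything crossing the WAN port, in either direction, is checked against the policy
interface FastEthernet0/1
 description ISP 10 Mb circuit
 service-policy input INTERNET_PER_VLAN
 service-policy output INTERNET_PER_VLAN
!
show policy-map interface FastEthernet0/1
```

The burst values follow the same proportions as the rate-limit line above (rate/8 bytes times 0.5 s and 1 s). Each direction has its own policer, so a VLAN gets its limit both uploading and downloading; the conform/exceed counters in show policy-map interface confirm the classes are matching.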


Monday, June 14, 2010

Is it possible to initiate a dhcp-request over different ip-segments over the llc-layer?


Is there a config like ip helper on Cisco devices? The DHCP server and client are in different IP segments. See details in the capture file (Wireshark); set filter: eth.addr == 08:00:09:F2:2a:61

When the DHCP server and the client are in the same IP segment we don't see any problems. How can we force the network device to send all boot requests from this IP segment (RMP protocol) to the DHCP server?

Remote Maintenance Protocol (RMP) is an HP-proprietary boot and file transfer protocol used in early Series 700 workstations and in the Datacommunications and Terminal Controllers (DTC/9000). The rbootd daemon allows BOOTP servers to serve clients that use RMP. rbootd must run on a BOOTP server on the same subnet as the RMP client, that is, both rbootd and bootpd must run on the same system. This is why an ip helper-address on the router does not help here: RMP is carried directly over LLC, not IP, so an IP relay never sees the request.
The rbootd daemon translates RMP boot requests into BOOTP boot requests using the client's hardware address, then forwards the request to bootpd. bootpd sends a boot reply back to rbootd if it finds the client's boot information in its database, or relays the request to other BOOTP servers if it has relay information for the client. rbootd translates the BOOTP reply back to RMP and sends it to the client.

See HP's documentation on booting RMP clients for more details.


Friday, June 11, 2010

CUCM HUNG AND DISPLAYS THE MESSAGE "EXT3-fs error (device sd(8,6)) in start_transaction: Journal has aborted" IN CONSOLE


We have an MCS 7825 I4 with CUCM 6.1.2000-2, and sometimes the server goes into an undetermined state where we can't access it by console or HTTP, but we see this message on the console: EXT3-fs error (device sd(8,6)) in start_transaction: Journal has aborted. We have to reboot the server to recover it. Can someone help with this issue?

As of June 8th 2010 this issue was tracked to a firmware problem on the hard drives.

Workaround
  1. Shut down the server and remove the first hard drive until a final fix is available.
  2. If the server still fails, try switching to the other drive.
  3. Watch during boot for any errors that might indicate hardware failure (SMART errors in particular).
  4. If the server still fails on the second drive, leave one drive in and reinstall CUCM.
The firmware update from Cisco is on www.cisco.com (you will need to log in): download the readme and ISO for 7828h3-hddfwupdate-v11 under the MCS 7828-H3 Unified Communications Manager Appliance.


Thursday, June 10, 2010

How to enable routing between HWIC-4ESW and onboard FE on a Cisco 1841 router?


We have a Cisco 1841 router; recently I purchased an HWIC-4ESW for my router. The module is working fine and I am able to see the additional FE ports (fe0/0/0, fe0/0/1, ...). Now the problem is routing: the HWIC-4ESW ports and the onboard FEs are not communicating. If anybody knows the solution, kindly let me know the configuration details.

Configuration steps
  1. Create your layer 2 VLANs in the VLAN database.
  2. Configure the corresponding layer 3 SVI on the router itself.
  3. The 4-port HWIC ports cannot be made routed ports like some of the other HWICs; SVIs must be used for the layer 3 definition.
  4. Put the HWIC ports into the VLAN, and give the SVI an address in a different subnet from the onboard FastEthernet interface so the router can route between the two.

router# vlan database
router(vlan)# vlan 2
router(vlan)# exit
router# configure terminal
router(config)# interface FastEthernet0/0/0
router(config-if)# switchport access vlan 2
router(config-if)# interface Vlan2
router(config-if)# ip address <ip-address> <subnet-mask>
router(config-if)# no shutdown
router(config-if)# end


2950G log shows Internal POWER supply is FAULTY

We have a 2950G that from time to time logs the "Internal POWER supply is FAULTY" message. The switch is operating normally; it's not rebooting and isn't connected to an RPS. The IOS version is 12.1(22)EA8a. Any idea whether this is a genuine hardware problem or is it software related?

If show env all does not report any PS failures, then it could be a cosmetic issue.

For example, it could be due to the not fully correct code changes made under CSCsb73608, "2950 does not generate error message when power supply fails", which in turn were corrected in 12.1(22)EA9 under CSCse84332.


Tuesday, June 8, 2010

What's the maximum number of LDAP Directories configurable in CCM 7?


Does anyone know the maximum number of LDAP directories configurable in CCM7? We have a client that has users spread across about 25 OU's. Any recommendations? Is there a server that could gather all of these accounts and serve them up to CCM under just one context?

You can configure up to 5 LDAP synchronization agreements. In your case, set your search base at the root and then use AD permissions to deny the LDAP account the ability to see objects it shouldn't see.

The synchronization is performed by a process called Cisco DirSync, which is enabled through the Serviceability web page. When enabled, it allows one to five synchronization agreements to be configured in the system. An agreement specifies a search base, a position in the LDAP tree where Unified CM begins its search for user accounts to import. Unified CM can import only users that exist under the search base of a particular synchronization agreement.

So you can only use one type of directory (i.e. AD, Sun, etc.); if you go with AD, that's the only choice. You can then set up separate agreements that specify the OUs in AD you'd like to search for users.

To accommodate the 25 OUs, consider the following:

Reorganization of the AD tree: break those 25 OUs into 5 logical groups, or a single group (e.g. Users), and set up an agreement for each. If you don't maintain AD, this isn't likely to happen.

Set your search base as the root of the AD tree. You then need to use permissions within AD to limit the objects and containers that your DirSync user can actually read. This can get a bit involved depending on what you're dealing with in AD, and if you don't control AD you'll have to do some convincing to get it done, but it is an option and it works; it has been done elsewhere. Set the search base and get everything.


2K bytes of non-volatile configuration memory. ERROR in NVRAM sizing. NVRAM could be bad!


We are using a 3640 router and we are receiving the following errors.
00:00:01: %C3600-3-BADNV: Detected invalid NVRAM size: -2056 bytes
00:00:01: %IFS-3-FS_CREATE_FAIL: Failed to create nvram file system, no NVRAM present"

Troubleshooting tips

1) Try to compress the running configuration.
2) Delete any IOS images the router cannot support in terms of memory (one image on the box required more DRAM than the router actually has). Check with these show commands:
  • show process cpu
  • show process memory
  • show memory summary
  • show stacks
3) Back up the startup config to a local computer.
4) Run erase startup-config.

5) Reload the router.

6) Check whether the problem recurs.


If the problem still exists, set the config register to 0x2142 so the router boots without reading the startup configuration from NVRAM. Once the NVRAM has been replaced or confirmed good, set the register back to 0x2102: 0x2142 also bypasses the configured passwords on every boot.


How do you recover the one-time password on an ISR G2 2911? Help

We have a problem: we did not change the one-time password in the ISR 2911 and we can't access the CLI or ROMMON mode, so we would be very grateful if anyone can help.

On a 2900 series router you should wait until it finishes decompressing the image and then press the break sequence: press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMMON. If the break sequence does not work, try the standard break key sequence combinations for your terminal software.

If you can't use the break sequence, pop out the compact flash and boot the router; the CF slot is on the lower left-hand corner of the back of the router. Without a bootable image the router drops to ROMMON, from which you can continue with the normal password recovery.


Sunday, June 6, 2010

Top 5 Tech Support questions on Cisco Systems' products - 5/31/10 Weekly Update

The most actively discussed Tech Support questions on the web for Cisco Systems' products (week of May 31st 2010)
  1. Understanding mls qos srr-queue input threshold command
  2. How do you implement announcements in cluster of 3 CUCM 7.1.3?
  3. Unable to SSH CUCM 6.X remotely from a desktop
  4. How do you enable SNMP monitoring from a central location to a number of remote site servers, switches, routers
  5. CM Upgrade 4.1(3) to 7.1(3) - how do you add a phone type to CM 7.1?

How can we fix an IP phone MAC address to a switch port on a 4510-R with SUP6-E?


We are noticing that "someone" is moving the IP phones of meeting rooms (some of them are hands-free). To solve this we want to fix the IP phone MAC address to a switch port, so that meeting room IP phones will work only in fixed switch ports. If "someone" tries to disconnect an IP phone and connect it to another switch port, the IP phone won't work. What do you think is the best way to achieve this? We are thinking of using port security on the meeting room switch ports, but we don't want to configure port security on all switch ports (PC switch ports, printer switch ports, ...). What is the behavior of port security if the switch sees the IP phone MAC address on a different port on which port security is not configured? Would the IP phone MAC address be blocked or allowed? Perhaps the "mac address-table" command could be useful. Can you give me your point of view on this issue?

For this you can use the command mac-address-table secure:

Example

Switch(config)# mac-address-table secure 00c0.00a0.03fa G1/1/1

The command does not allow the MAC address table to learn this specific MAC from any port other than G1/1/1.

No other changes are required on the switch.

You will have to enter one command per phone, associating its MAC with the right port.


Thursday, June 3, 2010

How to change password on ASA 5510?


We already have a password to log in and to enter the enable (#) mode. Since so many people in the office have this password, we would like to change it so fewer people have access to the firewall settings. We would like to change both the login and enable mode passwords. Can someone give me the commands?

Here are the commands:

- To change the enable password: enable password <new-password>

- To change the login (Telnet/SSH) password: passwd <new-password>

Both are shared secrets, so rotating them only helps until they are shared again. With local AAA you can give each admin their own username and privilege level instead, and revoke one person's access without touching everyone else's.
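As an added example (not from the original post), the two commands from the answer followed by the per-user setup that addresses the question's actual concern. The usernames, privilege levels and the management subnet 10.0.10.0/24 are hypothetical; replace the angle-bracket placeholders with your own secrets:

```cisco
! Rotate the shared secrets first; the old ones are known to too many people
enable password <new-enable-password>
passwd <new-login-password>
!
! One account per admin (names hypothetical). With local AAA each person logs in and
! enters enable with their own password at their own privilege level, and removing a
! person is "no username bob" instead of another round of password sharing
username alice password <alice-password> privilege 15
username bob password <bob-password> privilege 5
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! Management only over SSHv2 from the admin subnet; Telnet carries the password in clear text
ssh 10.0.10.0 255.255.255.0 inside
ssh version 2
clear configure telnet
write memory
```

Test a new SSH login from a second session before closing the one you configured from, so a typo in the AAA lines cannot lock you out; the console port still falls back to the enable password and passwd if needed.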


Upgrade from CUCM 7.1(2) to 7.1(3) fails. Error encountered: An unknown error occurred while accessing the upgrade file


We are trying to upgrade a cluster which consists of a publisher and a subscriber. I am running 7.1.2-10000-16 and want to upgrade to 7.1.3-32900-4. When we use the upgrade file, which has been checked for the correct MD5 hash, the file loads and the upgrade starts. After around 30 minutes the upgrade fails with the following error: "Error encountered: An unknown error occurred while accessing the upgrade file"

Troubleshooting tips
  1. Make sure only one file exists in the SFTP server directory that you point CUCM to for upgrade files via the OS Administration page; the upgrade process can pick up the wrong file when several upgrade images share a directory.
  2. Put the 7.1(3) upgrade file in a dedicated folder path with no other upgrade files in it.
  3. With only the specific 7.1(3) upgrade file in this path, start the installation again so that CUCM downloads the file afresh, and check the MD5 hash it reports against the published value before continuing.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

How do you enable SNMP monitoring from a central location to a number of remote site servers, switches, routers


We have a situation where we need to do SNMP monitoring from a central location to a number of remote site servers, switches, routers, etc. We originally set this up via IPsec VPNs between the central site C1841 and the remote site PIX 501s and 506s, and C1800s. The IPsec VPNs renegotiate their SAs and, when doing this, drop the VPN, and then false positives are generated. We have tried to resolve this with keepalives and other methods, but it still happens. We have also done this by assigning a static NAT translation on the remote site and opening up the router/firewall for SNMP (UDP 161) from our central location, and this works with no issues. Are there any security loopholes in this method? The data being transferred is device statistical information and status, and we are assigning the SNMP level as read-only on a different community name than the default. Is this an accepted method?

A man-in-the-middle or eavesdropping attack is always a possibility when you carry data across the Internet, even inside your service provider's network, and sometimes you have to live with that. The next question is what you are actually exposing. With SNMPv1/v2c the community string travels in cleartext in every packet, so anyone who can capture the traffic learns it; and even a read-only community hands out interface lists, ARP and routing tables, software versions and other details that are useful for reconnaissance, so "statistics only" is not the same as "nothing of value". SNMP running over UDP does not make it safer; if anything it is easier to spoof, since a request needs no handshake.

What you should worry about most is therefore the exposure of UDP 161 itself: restrict it with an ACL on the router/firewall (and, on IOS devices, bind the community to an ACL with snmp-server community <string> RO <acl>) so that only your monitoring system's address can query; use a unique, non-guessable community string per site rather than public/private, and keep it read-only; remember that an Internet-reachable UDP 161 port is also usable for SNMP reflection/amplification abuse, which is another reason for the ACL; and use SNMPv3 with authentication and encryption where the platform supports it.

Yes, it would be more secure to carry the data through a tunnel over the Internet, but if you cannot, an ACL-restricted, read-only, non-default-community setup is acceptable and is what many companies monitoring small sites actually do. Larger companies usually keep the monitoring system and the monitored devices within the intranet.
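The three conditions above (read-only, non-default community, ACL-restricted) are easy to check mechanically before a site goes live. The following is an added example, not part of the original answer: it audits the snmp-server community lines of a constructed IOS configuration fragment (the community strings, ACL numbers and addresses are made up) and flags write access, well-known community names, communities with no ACL, and communities that reference an ACL the configuration never defines. It handles the basic snmp-server community <string> [RO|RW] [acl] form only; lines using view or ipv6 options are not parsed.

```python
import re

# Constructed sample IOS configuration fragment for this example. The community
# strings, ACL numbers and addresses are made up, not taken from any real device.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server community public RO
snmp-server community s3cr3t-site7 RO 10
snmp-server community private RW
snmp-server community mon-only RO 20
"""

# Community names that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_LINE = re.compile(
    r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.M
)


def parse_acls(config_text):
    """Return the set of ACL numbers/names that the configuration actually defines."""
    return {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config_text, re.M)}


def audit_snmp_communities(config_text):
    """Return a list of (community, findings) for each snmp-server community line.

    An empty findings list means the community is read-only, not a default name,
    and restricted by an ACL that exists in the same configuration."""
    acls = parse_acls(config_text)
    results = []
    for m in COMMUNITY_LINE.finditer(config_text):
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        findings = []
        if mode == "RW":
            findings.append("read-write access")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community name")
        if acl is None:
            findings.append("no ACL: any source on the Internet can query")
        elif acl not in acls:
            findings.append(f"ACL {acl} is referenced but not defined")
        results.append((community, findings))
    return results


if __name__ == "__main__":
    for community, findings in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{community}: {'OK' if not findings else '; '.join(findings)}")
```

Run it over a show running-config capture of each remote device; the PIX uses a different syntax (snmp-server host and snmp-server community), so the IOS regular expression would need adapting for those boxes.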

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Tuesday, June 1, 2010

Unable to SSH CUCM 6.X remotely from a desktop.


We have a setup where we are trying to SSH to the CUCM 6.X but are not able to access it. We have checked our whole network and have enabled port 22 throughout the network. Can someone please suggest what may be causing this?

Troubleshooting ideas -
  1. Check your local PC to see if you have a firewall program loaded that could be blocking the outbound connection.
  2. Make sure your client supports SSH protocol version 2 and AES 128-bit encryption; the CUCM appliance does not accept SSH version 1 clients.
  3. Take a packet capture (sniffer trace) on the PC that is attempting the SSH session and check whether the connection to TCP port 22 is answered, reset, or silently dropped; that tells you whether the problem is on the path or on the server.
  4. Log in with the platform (OS) administrator credentials set at install time, not the CCM application administrator account; the CLI over SSH only accepts the platform account.
  5. Try rebooting the server in case a service is hung.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

How do you implement announcements in cluster of 3 CUCM 7.1.3?


We started the IP Voice Media Streaming service on the 2 subscribers and we have got 2 annunciators correctly registered. How do we configure the following?

- Are the announcements active as soon as we activate the IP Voice Media Streaming service? Do we configure them on the "Route Pattern" page in the "Block this pattern" drop-down menu, or is there another place to configure them? The official documentation is not clear about it.

- We would like to choose when to activate an announcement, for example when a DN calls an unregistered or non-existent DN. Is it possible to do that?

The announcements are active as soon as you enable the IP Voice Media Streaming service and the annunciators register. You cannot configure or modify the actual annunciator prompts in the appliance-model versions of CUCM. You can cause an annunciator message to be played using a route pattern (in the way you suggest, with "Block this pattern" and a release cause) or by using a translation pattern in a similar fashion. The unallocated/unassigned-number announcement is automatically available for stations registered to your CUCM; you do not need to configure it, apart from making sure that the annunciator media resource is reachable by the phone or gateway through the media resource group list configuration in your cluster. Media resources that are not placed in any media resource group are available to every device by default, so if you do not put the annunciators in an MRG you should be fine.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Understanding mls qos srr-queue input threshold command


Can someone explain the meaning of the two parameters threshold-percentage1 and threshold-percentage2 of the command mls qos srr-queue input threshold? What is the effect, and when is it recommended to modify this?

This example shows how to configure the tail-drop thresholds for the two ingress queues on a Catalyst 3750/3560-class switch. The queue 1 thresholds are 50 percent and 100 percent, and the queue 2 thresholds are 70 percent and 100 percent:

Switch(config)# mls qos srr-queue input threshold 1 50 100
Switch(config)# mls qos srr-queue input threshold 2 70 100

Each percentage is a fill level of the buffer space allocated to that queue. Each queue has two configurable (explicit) drop thresholds and one preset (implicit) drop threshold, which is the queue being completely full (100 percent).

QoS uses the CoS-to-threshold map or the DSCP-to-threshold map to decide which class of service (CoS) or Differentiated Services Code Point (DSCP) values are mapped to threshold 1 and which to threshold 2. You configure the CoS-to-threshold map with the mls qos srr-queue input cos-map global configuration command and the DSCP-to-threshold map with the mls qos srr-queue input dscp-map global configuration command.

The mechanism is weighted tail drop (WTD), not a probabilistic drop like WRED: once the queue fill exceeds threshold 1, every arriving frame whose CoS or DSCP is mapped to threshold 1 is dropped until the fill falls back below the threshold, while frames mapped to threshold 2 are still queued and sent as long as threshold 2 is not exceeded. When the queue is 100 percent full, everything is dropped. In the example above, with queue 1 at 60 percent, traffic mapped to threshold 1 is being tail-dropped while traffic mapped to threshold 2 (or to threshold 3, the implicit full-queue threshold) is still accepted.

Lowering a threshold therefore protects the traffic mapped to the higher threshold by sacrificing the lower-priority traffic earlier during congestion. The defaults are adequate for most deployments; modify them only when you have observed drops on the ingress queues (show mls qos input-queue) and want to protect a specific class, such as voice or control traffic, at the expense of bulk data.
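To make the threshold behaviour concrete, here is an added example that is not part of the original answer: a small model of weighted tail drop on one ingress queue. The queue size, the threshold percentages (mirroring the threshold 1 50 100 configuration above) and the CoS-to-threshold map are constructed for the example, and the traffic mix is made up. It shows that frames mapped to threshold 1 start being dropped at 50 percent fill while frames mapped to threshold 2 and to the implicit full-queue threshold keep being accepted until the queue is full.

```python
# Constructed example: a model of weighted tail drop (WTD) on one ingress queue.
# Queue size, thresholds, CoS map and traffic are made up for illustration.

QUEUE_CAPACITY = 20  # frames the queue can hold (100 percent)

# threshold id -> percent of capacity; 3 is the implicit "queue full" threshold
THRESHOLDS = {1: 50, 2: 100, 3: 100}

# Assumed CoS-to-threshold map: bulk data (CoS 0-3) -> threshold 1,
# video (CoS 4) -> threshold 2, voice and control (CoS 5-7) -> threshold 3.
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}


def wtd_accepts(queue_depth, cos):
    """Return True if a frame with this CoS is enqueued at the current depth.

    WTD is a hard tail drop: once the fill has reached the threshold the CoS maps
    to, every such frame is dropped; nothing is probabilistic."""
    threshold_pct = THRESHOLDS[COS_TO_THRESHOLD[cos]]
    limit = QUEUE_CAPACITY * threshold_pct // 100
    return queue_depth < limit


def simulate(arrivals, drain_every):
    """Run a burst of frames through the queue.

    arrivals:    list of CoS values, one per arriving frame, in order
    drain_every: one frame leaves the queue after this many arrivals
                 (a large value models a queue that cannot drain during the burst)
    Returns {cos: (accepted, dropped)}."""
    depth = 0
    stats = {}
    for i, cos in enumerate(arrivals, start=1):
        accepted, dropped = stats.get(cos, (0, 0))
        if wtd_accepts(depth, cos):
            depth += 1
            stats[cos] = (accepted + 1, dropped)
        else:
            stats[cos] = (accepted, dropped + 1)
        if i % drain_every == 0 and depth > 0:
            depth -= 1
    return stats


if __name__ == "__main__":
    # A congested burst: mostly bulk data with some video and voice mixed in.
    burst = [0, 0, 5, 0, 4, 0, 0, 5, 0, 0] * 4
    for cos, (ok, drop) in sorted(simulate(burst, drain_every=3).items()):
        print(f"CoS {cos}: accepted {ok}, dropped {drop}")
```

Change THRESHOLDS[1] to 70 and rerun to see how much later the bulk-data drops begin, and how much less room that leaves for the voice frames that arrive once the queue is nearly full.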

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.