Re: [cisco-voip] Hardware Tokens/Secure Cluster

2017-08-29 Thread ROZA, Ariel
I have done some secure clusters before (with the tokens) and I can tell you 
this:

While you can secure the basic cluster (CUCM and IP Phones) with ease, you have 
to take into account several things if you need to do a more extensive 
encryption:

- Conference usage: software bridges like CUCM may not support encryption, so 
you have to use more hardware bridges on routers if you want encrypted 
conferences (some planning and more resources)
- Non CUCM applications require some additional work (CUACA, UCCX, Unity 
Connection, PhoneProxy, etc.). This usually involves interchanging certificates 
between servers.
- If you want to encrypt traffic to H.323 gateways you'll have to create VPNs
- SIP Trunks with TLS will also require you to deal with certificates.
- If you have a large quantity of devices to handle certificates (<10 
servers+gateways), you better have a PKI infrastructure put in place and well 
oiled before doing anything. You will deal with certificate renewal every 2 to 5 
years

You will find the info to encrypt traffic to CUACA or UCCX in the CUCM Security 
Guide (Basically, you'll have to encrypt CTI Ports).

And, at last, take into account that encryption adds an additional layer of 
complexity when troubleshooting everything.

Hope this helps. Anything else, just ask.


From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Matthew 
Loraditch
Sent: Tuesday, August 29, 2017 11:03 AM
To: Brian Meade 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Hardware Tokens/Secure Cluster

Ok yes, I’m starting to understand this.

I’m also looking for guidance re CUACA and UCCX.
I’m struggling trying to find where the instructions are for either of them.

Matthew G. Loraditch – CCNP-Voice, CCNA-R, CCDA
Network Engineer
Direct Voice: 443.541.1518
Facebook | Twitter | LinkedIn | G+

From: bmead...@gmail.com [mailto:bmead...@gmail.com] 
On Behalf Of Brian Meade
Sent: Tuesday, August 29, 2017 9:19 AM
To: Matthew Loraditch
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Hardware Tokens/Secure Cluster

You can use self-signed certificates now instead with the command-line tools.  
There's still some hardware tokens if you'd rather have something physical 
rather than worrying about backing up the certificates.

You can just run "utils ctl set-cluster mixed-mode" and then restart 
CallManager/TFTP on all nodes if you want to use self-signed certs.

Here's the 10.x security guide- 
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0100.html

On Mon, Aug 28, 2017 at 8:25 PM, Matthew Loraditch wrote:
We have a client who is requesting a secure cluster. Never done it before. Do 
those hardware tokens still exist? It appears not and it’s all software based 
now?
Any fantastic blogs or step by step guides that folks have used? The 
documentation is refreshingly mind numbing.

Thanks!
-Matthew

___
cisco-voip mailing list
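Ariel's point about having a PKI "well oiled" before starting and about certificate renewal every 2 to 5 years is the part of a secure cluster that keeps biting long after the CTL is built, so here is an added example of the kind of check a practitioner would run against the certificate inventory. This is not code from the thread or from Cisco: it reads the validity window straight out of DER-encoded X.509 bytes with a minimal DER walker (standard library only) and produces a renewal worklist. The certificates it checks are constructed, unsigned skeletons built inline so the script runs offline; in practice you would feed it the DER exports of the CallManager, Tomcat, CAPF, gateway and trunk certificates. The function names and the inventory labels are assumptions made for this illustration.

```python
"""Certificate expiry checks for a UC certificate inventory (added example).

Reads notBefore/notAfter from DER certificate bytes with a minimal TLV walker
and flags certificates that are expired or inside the renewal lead time.
The sample certificates are CONSTRUCTED: unsigned skeletons carrying only the
fields this check reads.
"""
from datetime import datetime, timezone


def utc(year, month, day):
    """Timezone-aware UTC timestamp at midnight (X.509 times are UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# --- minimal DER helpers ------------------------------------------------------

def _tlv(tag, body):
    """Encode one DER tag-length-value element (definite-length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_time(dt):
    """RFC 5280: UTCTime (YYMMDD...) before 2050, GeneralizedTime (YYYYMMDD...) from 2050 on."""
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def _parse_time(tag, body):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) into a UTC datetime."""
    text = body.decode("ascii")
    if tag == 0x17:                        # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# --- certificate handling -----------------------------------------------------

def build_sample_cert(not_before, not_after):
    """CONSTRUCTED, unsigned skeleton: version, serial, sigalg, issuer, validity only."""
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                              # version [0] EXPLICIT, v3
        + _tlv(0x02, b"\x01")                                        # serialNumber 1
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
               + _tlv(0x05, b""))                                    # sha256WithRSAEncryption
        + _tlv(0x30, b"")                                            # issuer Name (empty placeholder)
        + _tlv(0x30, _der_time(not_before) + _der_time(not_after))   # validity
    )
    return _tlv(0x30, _tlv(0x30, tbs))     # Certificate ::= SEQUENCE { tbsCertificate, ... }


def certificate_validity(der):
    """Return (notBefore, notAfter) from DER certificate bytes."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    pos = 0
    tag, _, after_first = _read_tlv(tbs, pos)
    if tag == 0xA0:                        # optional explicit version field
        pos = after_first
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)
    tag, nb, pos = _read_tlv(validity, 0)
    not_before = _parse_time(tag, nb)
    tag, na, _ = _read_tlv(validity, pos)
    return not_before, _parse_time(tag, na)


def renewal_status(der, now, lead_days=90):
    """Classify one certificate relative to `now`: expired / renew-soon / ok / not-yet-valid."""
    not_before, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left <= lead_days:
        return "renew-soon", days_left
    return "ok", days_left


def renewal_worklist(inventory, now, lead_days=90):
    """Entries that need action, soonest deadline first. inventory: {name: der_bytes}."""
    rows = [(name,) + renewal_status(der, now, lead_days) for name, der in inventory.items()]
    return sorted((r for r in rows if r[1] != "ok"), key=lambda r: r[2])


if __name__ == "__main__":
    now = utc(2017, 8, 29)
    inventory = {                          # constructed sample inventory, labels are hypothetical
        "cucm-pub CallManager": build_sample_cert(utc(2016, 8, 29), utc(2017, 10, 28)),
        "uccx tomcat": build_sample_cert(utc(2012, 1, 1), utc(2017, 1, 1)),
        "h323-gw ipsec": build_sample_cert(utc(2017, 8, 29), utc(2055, 1, 1)),
    }
    for name, status, days in renewal_worklist(inventory, now):
        print("%-24s %-12s %5d days" % (name, status, days))
```

The lead time defaults to 90 days because a renewal on a CUCM cluster usually needs a change window for the service restarts and, in mixed mode, a CTL update; set it to whatever your change process needs. The parser deliberately stops at the validity field, so it works on any real DER certificate regardless of subject, key type or extensions.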

Re: [cisco-voip] Third-Party SIP Basic Phone

2017-08-29 Thread Brian Meade
You should be able to have a 2nd call there.  CUCM would have blocked the
Invite if it wasn't possible.  You can have a busy trigger of 2 on those.

On Tue, Aug 29, 2017 at 3:57 PM, Jason Aarons (Americas) <
jason.aar...@dimensiondata.com> wrote:

> CUCM 11.5 Third-Party SIP Device (Basic): This one-line SIP device is an
> RFC3261-compliant phone that is running SIP from third-party companies.
>
> I should expect a second call to come in Line 1 and be able to switch
> between calls?  I'm using a NEC DECT i766 phone that is line side
> registered to CallManager.  I see the second call come in, but phone
> doesn't show any kind of button to switch calls.  Vendor is researching it,
> pretty sure this is a problem on NEC side.
>
> Go to Device > Phone > go to bottom of line, the maximum calls is 2, so I
> should expect to get a second call into the NEC DECT i766, agree?
>
> This email and all contents are subject to the following disclaimer:
> "http://www.dimensiondata.com/emaildisclaimer"


[cisco-voip] IM v11.5(1) SU3 - UN-Restricted Only? Confused

2017-08-29 Thread Lelio Fulgenzi

In reading the CUCM 11.5(1)SU3 Release Notes:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_5_1/SU3/cucm_b_release-notes-cucm-imp-1151su3.pdf

I saw this snippet on page 2:

In the past, export licenses, government regulations, and import restrictions 
have limited the ability of Cisco to supply Unified Communications Manager and 
IM and Presence Service worldwide. Cisco has obtained an unrestricted U.S. 
export classification to address this issue; IM and Presence Service supports 
an export unrestricted (XU) version only. The unrestricted version differs from 
previous releases of IM and Presence Service in that it does not contain strong 
encryption capabilities.
The part that confuses me is the word "only" in the above paragraph. Could be a 
typo? Could I be reading it wrong?

In CCO I see both a regular (restricted) and UNRST option.


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1



[cisco-voip] Third-Party SIP Basic Phone

2017-08-29 Thread Jason Aarons (Americas)
CUCM 11.5 Third-Party SIP Device (Basic): This one-line SIP device is an 
RFC3261-compliant phone that is running SIP from third-party companies.

I should expect a second call to come in Line 1 and be able to switch between 
calls?  I'm using a NEC DECT i766 phone that is line side registered to 
CallManager.  I see the second call come in, but phone doesn't show any kind of 
button to switch calls.  Vendor is researching it, pretty sure this is a 
problem on NEC side.

Go to Device > Phone > go to bottom of line, the maximum calls is 2, so I 
should expect to get a second call into the NEC DECT i766, agree?

This email and all contents are subject to the following disclaimer:
"http://www.dimensiondata.com/emaildisclaimer"


Re: [cisco-voip] using resource pools to organize VMs - supported?

2017-08-29 Thread Lelio Fulgenzi

OK. Cool. I mean, worse comes to worse, we move our live hosts out of any 
resource pool into the “root” directory of the ESXi host. At least we can keep 
our snapshots handy for disaster recovery.

It’s too bad we can’t easily copy/clone a VM from one resource pool to another 
as far as I can tell. Well, not without vCentre anyways. It means exporting and 
importing back in. Which takes a while with thick provisioned disks.

---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

From: Ryan Huff [mailto:ryanh...@outlook.com]
Sent: Tuesday, August 29, 2017 11:26 AM
To: Lelio Fulgenzi
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net)
Subject: Re: [cisco-voip] using resource pools to organize VMs - supported?

As I understand the TRC, as long as the compute/storage needs are available 
100% of the time (no oversubscription) and the storage wasn't dynamically 
created (thin provision); then I believe you are okay to organize as you see 
fit.

I think you can thin provision, as long as the total storage allocation is 
always available (which kind of makes dynamic vdisks pointless anyway).
-RH

On Aug 29, 2017, at 11:06 AM, Lelio Fulgenzi wrote:

We’d like to come up with a way to organize our collaboration VMs, especially 
when upgrades are underway.

I don’t see folders as an option under ESXi 5.5 or 6.0 (using vSphere client 
only, no vCentre), only resource pools.

Can I use Resource Pools for this? I’m guessing any VM based resource 
reservation will take precedence over any resource pool settings?


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1



Re: [cisco-voip] using resource pools to organize VMs - supported?

2017-08-29 Thread Ryan Huff
As I understand the TRC, as long as the compute/storage needs are available 
100% of the time (no oversubscription) and the storage wasn't dynamically 
created (thin provision); then I believe you are okay to organize as you see 
fit.

I think you can thin provision, as long as the total storage allocation is 
always available (which kind of makes dynamic vdisks pointless anyway).

-RH

On Aug 29, 2017, at 11:06 AM, Lelio Fulgenzi wrote:


We’d like to come up with a way to organize our collaboration VMs, especially 
when upgrades are underway.

I don’t see folders as an option under ESXi 5.5 or 6.0 (using vSphere client 
only, no vCentre), only resource pools.

Can I use Resource Pools for this? I’m guessing any VM based resource 
reservation will take precedence over any resource pool settings?


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1



[cisco-voip] using resource pools to organize VMs - supported?

2017-08-29 Thread Lelio Fulgenzi

We'd like to come up with a way to organize our collaboration VMs, especially 
when upgrades are underway.

I don't see folders as an option under ESXi 5.5 or 6.0 (using vSphere client 
only, no vCentre), only resource pools.

Can I use Resource Pools for this? I'm guessing any VM based resource 
reservation will take precedence over any resource pool settings?


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1



Re: [cisco-voip] Hardware Tokens/Secure Cluster

2017-08-29 Thread Matthew Loraditch
Ok yes, I’m starting to understand this.

I’m also looking for guidance re CUACA and UCCX.
I’m struggling trying to find where the instructions are for either of them.

Matthew G. Loraditch – CCNP-Voice, CCNA-R, CCDA
Network Engineer
Direct Voice: 443.541.1518

Facebook | Twitter | LinkedIn | G+

From: bmead...@gmail.com [mailto:bmead...@gmail.com] On Behalf Of Brian Meade
Sent: Tuesday, August 29, 2017 9:19 AM
To: Matthew Loraditch 
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Hardware Tokens/Secure Cluster

You can use self-signed certificates now instead with the command-line tools.  
There's still some hardware tokens if you'd rather have something physical 
rather than worrying about backing up the certificates.

You can just run "utils ctl set-cluster mixed-mode" and then restart 
CallManager/TFTP on all nodes if you want to use self-signed certs.

Here's the 10.x security guide- 
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0100.html

On Mon, Aug 28, 2017 at 8:25 PM, Matthew Loraditch wrote:
We have a client who is requesting a secure cluster. Never done it before. Do 
those hardware tokens still exist? It appears not and it’s all software based 
now?
Any fantastic blogs or step by step guides that folks have used? The 
documentation is refreshingly mind numbing.

Thanks!
-Matthew



[cisco-voip] FYI: ESXi vmnic numbering...

2017-08-29 Thread Lelio Fulgenzi

For those of you who get your hands dirty with ESXi, I found the following 
interesting artifact of (pre) installing ESXi v6 vs v5 on two Business Edition 
7000H M4 servers. Essentially, ESXi v5.x numbers the vmnics starting from PCIe1 
(left to right) but ESXi v6 numbers the vmnics starting from PCIe2 (left to 
right). While the two sets of BE7H servers we have were ordered about 18 months 
apart, the TAC confirmed this behavior in the lab.

Upgrades should not renumber the vmnics, but fresh installs will be different.

Thought that was a bit odd myself.

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56354
le...@uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1



Re: [cisco-voip] Hardware Tokens/Secure Cluster

2017-08-29 Thread Brian Meade
You can use self-signed certificates now instead with the command-line
tools.  There's still some hardware tokens if you'd rather have something
physical rather than worrying about backing up the certificates.

You can just run "utils ctl set-cluster mixed-mode" and then restart
CallManager/TFTP on all nodes if you want to use self-signed certs.

Here's the 10.x security guide-
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0100.html

On Mon, Aug 28, 2017 at 8:25 PM, Matthew Loraditch <
mloradi...@heliontechnologies.com> wrote:

> We have a client who is requesting a secure cluster. Never done it before.
> Do those hardware tokens still exist? It appears not and it’s all software
> based now?
>
> Any fantastic blogs or step by step guides that folks have used? The
> documentation is refreshingly mind numbing.
>
>
>
> Thanks!
>
> -Matthew
>


Re: [cisco-voip] SIP option ping prioritization

2017-08-29 Thread Ki Wi
Hi All,
thanks! Got it. We already have acl matching tcp 5060 and udp 5060. TLS is
not used in our environment so tcp 5061 is not included.

Looks like they will need to investigate on the CAC as we place signaling
and voice into the same queue. (only 5 classes of service in the WAN)




On Tue, Aug 29, 2017 at 1:23 AM, Anthony Holloway <
avholloway+cisco-v...@gmail.com> wrote:

> I should have also mentioned that interface binding is very important not
> only from where you'll source your OPTIONS messages, but also from where
> you'll reply to them.  I've seen the layer 4 and down be correct due to
> where the OPTIONS was received, but then layer 5 was displaying a different
> IP address.  Make sure you bind on all dial-peers, but you only need
> OPTIONS configured on outgoing dial-peers.
>
> On Mon, Aug 28, 2017 at 12:12 PM Anthony Holloway <
> avholloway+cisco-v...@gmail.com> wrote:
>
>> 1) It's a SIP Message, specifically the OPTIONS message
>>
>> 2) Typically you only prioritize voice traffic and not signaling, but you
>> should still reserve bandwidth for signaling to ensure it's not starved.
>> CUBE marks all signaling traffic as AF31 by default, but CS3 is the newer
>> standard to go with.  Make sure your QoS policy is matching on AF31
>> and/or CS3 and reserving bandwidth for it.
>>
>> 3) In the absence of a session transport command, the default is UDP,
>> that's typical for carrier facing SIP trunks.
>>
>> 4) I have not seen OPTIONS prioritized before. It's treated with the
>> level of service as all SIP and therefore all signaling
>>
>> One thing people forget is to use a profile on dial-peers which reference
>> server groups.
>>
>> See here for a little more info on that:
>> https://supportforums.cisco.com/t5/video-over-ip/sip-options-ping-and-session-server-group-on-dial-peer/td-p/2994584
>>
>>
>> On Sun, Aug 27, 2017 at 9:56 PM Ki Wi  wrote:
>>
>>> Hi Group,
>>> I would like to find out if SIP option ping is a "ping" or a "sip
>>> message" ?
>>>
>>> From the documents, it seems like it is a SIP message.
>>>
>>> My customer is facing issue with the dial-peers getting busy out during
>>> WAN congestion. We would like to prioritize those messages as a WAN
>>> provider but they are not able to give us the exact commands for the CE
>>> router.
>>>
>>> Currently this is the command on all their managed "voice gateway":
>>> voice-class sip options-keepalive up-interval 120 down-interval 120 retry 2
>>>
>>> This means the "transport" mode is default. This makes things more
>>> complex; I have no idea whether it is TCP or UDP or ???
>>>
>>> With no access to customer network (unable to do wireshark), I would
>>> like to see if there's anyone having the experience to prioritize those SIP
>>> option ping packets?
>>>
>>>
>>> --
>>> Regards,
>>> Ki Wi
>>


-- 
Regards,
Ki Wi
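The QoS points in this thread (CUBE marks signaling AF31 by default, CS3 is the newer standard, the WAN policy should match on AF31 and/or CS3, and an ACL that lists only 5060 does not cover SIP over TLS on 5061) can be checked against a small model of what the CE router's class-map sees. The following Python is an added example written for this page, not code from the thread or from Cisco: it decodes the DSCP from the IP ToS byte, names it (AF31, CS3, EF, ...), and classifies constructed packet records into voice, signaling or best-effort with a given port ACL. The packet records, the two ACL sets and the function names are constructed for illustration.

```python
"""SIP signaling classification check (added example).

Models a typical CE-router policy: EF -> voice queue; signaling DSCP (AF31 or
CS3) or a SIP port-ACL hit -> signaling class; anything else -> best-effort.
The packet records below are CONSTRUCTED, not captures.
"""

EF = 46
SIP_SIGNALING_DSCP = {26, 24}            # AF31 (CUBE default), CS3 (newer standard)


def dscp_from_tos(tos):
    """DSCP is the top six bits of the IP ToS / Traffic Class byte; low two bits are ECN."""
    return (tos & 0xFF) >> 2


def tos_from_dscp(dscp, ecn=0):
    """Inverse of dscp_from_tos: build the ToS byte a router would write."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def dscp_name(dscp):
    """Per-hop-behaviour name: EF, CSn (n*8), AFxy (8x + 2y), else the raw number."""
    if dscp == EF:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return "CS%d" % cls
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return "AF%d%d" % (cls, rem // 2)
    return "DSCP%d" % dscp


def matches_sip_acl(pkt, acl):
    """acl: set of (proto, port) tuples; an ACL hit on either the source or destination port."""
    proto = pkt["proto"]
    return (proto, pkt["sport"]) in acl or (proto, pkt["dport"]) in acl


def classify(pkt, acl):
    """Return the class a router policy would put this packet in."""
    dscp = dscp_from_tos(pkt["tos"])
    if dscp == EF:
        return "voice"
    if dscp in SIP_SIGNALING_DSCP or matches_sip_acl(pkt, acl):
        return "signaling"
    return "best-effort"


def classify_all(pkts, acl):
    return [classify(p, acl) for p in pkts]


# Constructed sample traffic (hypothetical ports and markings)
SAMPLE_PACKETS = [
    {"name": "OPTIONS keepalive, CUBE default AF31", "proto": "udp", "sport": 5060,  "dport": 5060,  "tos": tos_from_dscp(26)},
    {"name": "OPTIONS keepalive, CS3 marking",       "proto": "udp", "sport": 5060,  "dport": 5060,  "tos": tos_from_dscp(24)},
    {"name": "RTP media, EF",                        "proto": "udp", "sport": 16384, "dport": 20000, "tos": tos_from_dscp(46)},
    {"name": "SIP over TLS, DSCP stripped upstream", "proto": "tcp", "sport": 40001, "dport": 5061,  "tos": 0},
    {"name": "OPTIONS, DSCP stripped upstream",      "proto": "udp", "sport": 5060,  "dport": 5060,  "tos": 0},
    {"name": "HTTP",                                 "proto": "tcp", "sport": 40002, "dport": 80,    "tos": 0},
]

ACL_5060_ONLY = {("udp", 5060), ("tcp", 5060)}          # what the thread's ACL matches today
ACL_WITH_TLS = ACL_5060_ONLY | {("tcp", 5061)}          # same ACL with SIP/TLS added


if __name__ == "__main__":
    for acl_name, acl in (("5060 only", ACL_5060_ONLY), ("5060 + 5061", ACL_WITH_TLS)):
        print("ACL:", acl_name)
        for pkt in SAMPLE_PACKETS:
            dscp = dscp_from_tos(pkt["tos"])
            print("  %-40s %-5s %-11s" % (pkt["name"], dscp_name(dscp), classify(pkt, acl)))
```

The two runs differ only in the fourth packet: with the 5060-only ACL, an unmarked SIP/TLS keepalive lands in best-effort and is the first thing dropped under congestion, which is exactly the dial-peer busy-out symptom described in the thread. Matching on DSCP alone is not enough either, because a carrier may rewrite markings at the edge, so matching on both DSCP and the SIP ports is the safer policy.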