IP phones are called SEP<MAC Address> in UCM. SEP is a legacy from the original developers, Selsius Systems. It is an acronym for Selsius Ethernet Phone.
Cisco Unified Communications Manager allows for very granular assignment of permissions, using the concept of roles and groups to assign specific permissions to users. A role is a list of permissions around a function, and a group is a list of roles, which can then be assigned to a user.
Permissions are assigned to Roles. An example of a role might be “Backup Administrator,” with permissions like “DRF Restore Warning Page,” “DRF Schedule Page,” “DRF Show Dependency Page,” and “DRF Show Status Page.” A role is specific to an application group, such as Cisco Unified Reporting, Cisco Call Manager Serviceability, or Cisco Call Manager Administration.
Permissions can include Read and Update, so a user could be given rights to view configuration elements, but not update them. This could be useful for auditing purposes, or for users that may need to verify a configuration, but not change it, such as a helpdesk user.
An Access Control Group contains a list of Roles. An Access Control Group might be something like “OS Administrators,” which could include Roles like “Backup Administrator,” “LDAP Administrator,” etc. While a Role is specific to an Application, an Access Control Group can contain Roles from different Applications to create a comprehensive list of permissions, while limiting the number of groups a user must be assigned to in order to do their job.
Users are assigned to groups either in End Users configuration or in Access Control Group Configuration. Configuring in End User configuration is usually more efficient at assigning multiple groups to a user, while Access Control Group Configuration is going to be better for assigning multiple users to a single group.
Although you can see roles assigned to an end user in the End User Configuration Page, roles are not assigned directly to users. Users are assigned to groups, which contain roles, and the roles contain specific permissions within an application.
Configuration example after the fold.
After connecting phones to our switches, I discovered that they all show up in the “show cdp neighbors” output. This can be a bit of a problem when you want to find something other than a phone! So instead use “show cdp neighbors | exclude SEP” to remove the phones from the output.
When reading debugs, I often use a page or so of blank prompts to separate various things (VoIP calls, etc.) by hitting enter a bunch of times. You can also add comments to the break by prefixing them with an exclamation point.
router#! inbound call 1
This makes finding the breaks between calls, VPN setup attempts, etc. a lot easier.
To convert DSCP AF values to decimal, multiply the first digit by 8, and the second digit by 2, and add the two values:
AF21: (2*8) + (1*2) = 18
AF31: (3*8) + (1*2) = 26
The process can be reversed by dividing the decimal value by 8, and then the remainder by 2:
30: 30/8 = 3 remainder 6; 6/2 = 3, so 30 = AF33
CS codes can just be converted by multiplying by 8: CS3 = 24
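The digit rule above, as an added example (not code from the original post): name to decimal, the reverse division, and the ToS byte form that packet captures show (DSCP shifted left two bits). The reverse arithmetic works on any number, so the code also checks the result is a defined code point rather than inventing names like AF52.

```python
# Added example (not from the original post): DSCP name <-> decimal using the digit rule
# from the text, plus the ToS-byte form seen in packet captures (DSCP << 2).

def dscp_to_decimal(name):
    """AFxy -> x*8 + y*2, CSx -> x*8, plus the fixed EF and default code points."""
    n = name.strip().upper()
    if n in ("BE", "DF", "DEFAULT"):
        return 0
    if n == "EF":
        return 46
    if len(n) == 3 and n.startswith("CS") and n[2].isdigit() and int(n[2]) <= 7:
        return int(n[2]) * 8
    if len(n) == 4 and n.startswith("AF") and n[2:].isdigit():
        cls, drop = int(n[2]), int(n[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:      # only AF11..AF43 are defined
            return cls * 8 + drop * 2
    raise ValueError("not a standard DSCP name: %r" % name)

def decimal_to_dscp(value):
    """Reverse rule: class = value // 8, drop = remainder // 2.
    The arithmetic works for any number, so check the result is a real PHB;
    e.g. 44 would give 'AF52', which does not exist, so it comes back as '44'."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    if value == 46:
        return "EF"
    cls, rem = divmod(value, 8)
    if rem == 0:
        return "CS%d" % cls
    if rem % 2 == 0 and 1 <= cls <= 4:           # even remainder, AF class 1-4
        return "AF%d%d" % (cls, rem // 2)
    return str(value)                            # unassigned code point

def describe_tos(tos_byte):
    """Split the IP ToS/traffic-class byte from a capture into (dscp, name, ecn)."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS is one byte")
    dscp, ecn = tos_byte >> 2, tos_byte & 0x3
    return dscp, decimal_to_dscp(dscp), ecn

if __name__ == "__main__":
    for name in ("AF21", "AF31", "CS3", "EF"):
        print(name, dscp_to_decimal(name))
    print(describe_tos(0x68))   # ToS 0x68 from a capture is AF31
```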
The command “show key chain” shows key strings in clear text, and because key-string accepts a type 7 string, it can be used to reveal any type 7 password, not just one configured under a key chain:
R1(config)#username cisco password cisco
R1(config)#do show run | include password 7
username cisco password 7 05080F1C2243
password 7 ****
R1(config)#key chain CRACK
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 05080F1C2243
R1(config-keychain-key)#do show key chain
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Type 7 is reversible obfuscation rather than encryption, so treat any configuration containing type 7 strings as containing the passwords themselves. Where the platform supports it, use the secret form (username ... secret, enable secret) so the stored hash cannot be turned back into the password.
A lot of times we need to make changes on a router or switch that could break connectivity, and often these need to be done from a remote location, after hours. Instead of keeping someone in the office or on call, here is a much easier bailout. Before you begin to make the changes, issue the command reload in 10 to schedule a reload in 10 minutes (replace 10 with however many minutes the change will take). After you make the changes, if you lose connectivity, the router reboots and comes back with the old configuration, or you can issue the reload cancel command if everything goes well. This only works if you do not save the running configuration while the change is in progress: the reload reverts to the startup configuration, so hold off on write memory until you have confirmed connectivity and cancelled the reload.
I ran into some issues with Exchange running through Zone-based firewalls, where the servers would not pass mail between them. This appears to be related to SMTP inspection rejecting the ESMTP commands Exchange uses. The problem can be resolved by creating a class for SMTP between your mail servers and configuring it with a pass action instead of inspect. Just remember that pass is stateless, unlike inspect, so you need to create rules in both directions, and the class must come before any class that would inspect the traffic.
A simple config would look something like this, with the mail servers at 172.16.1.10 and 172.17.1.10.
ip access-list extended ACL-FIREWALL-EXCHANGE
 permit tcp 172.16.1.10 0.255.0.0 172.17.1.10 0.255.0.0 eq 25
 permit tcp 172.16.1.10 0.255.0.0 eq 25 172.17.1.10 0.255.0.0
! With the 0.255.0.0 wildcard the access-list matches SMTP to or from either mail server
! Class-map and interface names below are placeholders, not from the original listing
class-map type inspect match-all CM-EXCHANGE
 match access-group name ACL-FIREWALL-EXCHANGE
class-map type inspect match-any CM-INSPECT
 match protocol http
 match protocol https
 match protocol ftp
! The Exchange class must come before the inspected class so SMTP is passed, not inspected
policy-map type inspect POL-MAP-LAN-TO-WAN
 class type inspect CM-EXCHANGE
  pass
 class type inspect CM-INSPECT
  inspect
 class class-default
  drop
policy-map type inspect POL-MAP-WAN-TO-LAN
 class type inspect CM-EXCHANGE
  pass
 class type inspect CM-INSPECT
  inspect
 class class-default
  drop
zone security WAN
zone security LAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect POL-MAP-WAN-TO-LAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect POL-MAP-LAN-TO-WAN
interface GigabitEthernet0/0
 zone-member security LAN
interface GigabitEthernet0/1
 zone-member security WAN
This is useful for Cisco exams, and for work, if you ever need to figure out subnets on paper.
To figure out the valid addresses in a subnet:
Take the octet that is not 0 or 255. For example, starting with 255.255.224.0, take 224 and subtract that value from 256 (256 - 224 = 32). Now make a chart starting at 0, adding the value from the last step on each line, up to 256 (the note board I got for the CCNA had gridlines, which made it even easier).
Now, leaving room in between, write on each line the value of the line below, minus 1.
| Subnet | Broadcast |
|---|---|
| 0 | 31 |
The values on the left are the valid subnet addresses, and the right is the broadcast address.
If you want, now fill in the valid ranges in between
| Subnet | Valid range | Broadcast |
|---|---|---|
| 0 | 1-30 | 31 |
| 32 | 33-62 | 63 |
| 64 | 65-94 | 95 |
| 96 | 97-126 | 127 |
| 128 | 129-158 | 159 |
| 160 | 161-190 | 191 |
| 192 | 193-222 | 223 |
| 224 | 225-254 | 255 |
There you go, all your addresses, with subnet and broadcast addresses.
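The paper method above, as an added example (not code from the original post), generalised to any subnet mask and cross-checked against Python's ipaddress module so you can confirm a hand-drawn chart. The middle columns are the in-between values of the interesting octet, exactly as the chart draws them; they are host addresses only when that octet is the last one.

```python
# Added example (not from the original post): the paper chart from the text, generated
# for any subnet mask and cross-checked against Python's ipaddress module.
import ipaddress

def block_size(mask):
    """Find the one octet that is neither 0 nor 255 and return (octet index, 256 - octet)."""
    net = ipaddress.IPv4Network("0.0.0.0/" + mask)          # rejects non-contiguous masks
    octets = [int(o) for o in str(net.netmask).split(".")]
    for idx, octet in enumerate(octets):
        if octet not in (0, 255):
            return idx, 256 - octet
    raise ValueError("mask ends on an octet boundary; no chart needed for %s" % mask)

def subnet_chart(mask):
    """Rows of (subnet, first, last, broadcast) for the interesting octet, as drawn on paper."""
    _, block = block_size(mask)
    return [(s, s + 1, s + block - 2, s + block - 1) for s in range(0, 256, block)]

def check_chart(base, mask):
    """Cross-check: the octets left of the interesting one stay fixed, so carve that
    parent block into subnets with ipaddress and compare network/broadcast octets."""
    idx, _ = block_size(mask)
    prefixlen = ipaddress.IPv4Network("0.0.0.0/" + mask).prefixlen
    parent = ipaddress.IPv4Network("%s/%d" % (base, 8 * idx), strict=False)
    subnets = list(parent.subnets(new_prefix=prefixlen))
    chart = subnet_chart(mask)
    if len(subnets) != len(chart):
        return False
    for net, (subnet, _, _, broadcast) in zip(subnets, chart):
        net_octet = int(str(net.network_address).split(".")[idx])
        bc_octet = int(str(net.broadcast_address).split(".")[idx])
        if net_octet != subnet or bc_octet != broadcast:
            return False
    return True

if __name__ == "__main__":
    # Reproduces the 255.255.224.0 chart from the text
    for row in subnet_chart("255.255.224.0"):
        print("| %3d | %3d-%3d | %3d |" % row)
    print("matches ipaddress:", check_chart("10.1.0.0", "255.255.224.0"))
```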