Assigning permissions in UCM

Cisco Unified Communications Manager allows for very granular assignment of permissions, using the concept of roles and groups to assign specific permissions to users. A role is a list of permissions around a function, and a group is a list of roles, which can then be assigned to a user.

Permissions are assigned to Roles. An example of a role might be “Backup Administrator,” with permissions like “DRF Restore Warning Page,” “DRF Schedule Page,” “DRF Show Dependency Page,” and “DRF Show Status Page.” A role is specific to an application group, such as Cisco Unified Reporting, Cisco Call Manager Serviceability, or Cisco Call Manager Administration.

Permissions can include Read and Update, so a user could be given rights to view configuration elements, but not update them. This could be useful for auditing purposes, or for users that may need to verify a configuration, but not change it, such as a helpdesk user.

An Access Control Group contains a list of Roles. An Access Control Group might be something like “OS Administrators” which could include Roles like “Backup Administrator,” “LDAP Administrator,” etc. While a Role is specific to an Application, an Access Control Group can contain Roles from different Applications to create a comprehensive list of permissions, while limiting the number of groups a user must be assigned to to properly do their job.

Users are assigned to groups either in End Users configuration or in Access Control Group Configuration. Configuring in End User configuration is usually more efficient at assigning multiple groups to a user, while Access Control Group Configuration is going to be better for assigning multiple users to a single group.

Although you can see roles assigned to an end user in the End User Configuration Page, roles are not assigned directly to users. Users are assigned to groups, which contain roles, and the roles contain specific permissions within an application.

Configuration example after the fold.

Continue reading

Adding comments to debugs

When reading debugs, I often use a page or so of blank prompts to separate various things (VoIP calls, etc.) by hitting enter a bunch of times. You can also add comments to the break by prefixing them with an exclamation point.

router#! inbound call 1

This makes finding the breaks between calls, VPN setup attempts, etc. a lot easier.

Converting DSCP AF values to decimal

To convert DSCP AF values to decimal, multiply the first digit by 8, and the second digit by 2, and add the two values:

AF21 – (2*8) + (1*2) = 18

AF31 – (3*8) + (1*2) = 26

The process can be reversed by deviding the decimal value by 8, and the remainder by 2:

30 – 30/8 = 3, remainder of 6, 6/2 = 3 = AF33

CS codes can just be converted by multiplying by 8, CS3 = 24

Decrypting router passwords with a router

The command “show key chain” shows the decrypted key strings, and because of that, can be used to decrypt other type 7 passwords:

R1(config)#username cisco password cisco
R1(config)#do show run | include password 7
username cisco password 7 05080F1C2243
 password 7 ****
R1(config)#key chain CRACK
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 05080F1C2243
R1(config-keychain-key)#do show key chain
Key-chain CRACK:
    key 1 — text “cisco”
        accept lifetime (always valid) – (always valid) [valid now]
        send lifetime (always valid) – (always valid) [valid now]

Configuration mistake bailout

A lot of times we need to make changes on a router or switch that could break connectivity, and often these need to be done from a remote location, and after hours. Instead of keeping someone in the office or on call, here is a much easier bailout. Before you begin to make the changes, issue the command reload in 10 to schedule a reload in 10 minutes (replace 10 in the command with the number of minutes if 10 doesn’t work.) After you make the changes, if you lose connectivity, the router reboots, reverting to the old configuration, or you can issue the reload cancel command to cancel the reload if everything goes well.

Exchange and Zone-Based firewalls

I ran into some issues with Exchange running through Zone-based firewalls, where the servers would not pass mail between them. This appears to be related to SMTP inspection rejecting the ESMTP commands Exchange uses. The problem can be resolved by creating a class for SMTP between your mailservers, and configuring it with a pass action, instead of inspect. Just remember that you need to create rules in both directions, and the class must be before any classes that would inspect the traffic.

A Simple config would look something like this, with the mail servers at and

ip access-list extended ACL-FIREWALL-EXCHANGE
 permit tcp eq 25
 permit tcp eq 25
 ! The access-list matches traffic to or from either mail server 

 match access-group name ACL-FIREWALL-EXCHANGE

 match protocol HTTP
 match protocol HTTPS
 match protocol FTP 

policy-map type inspect POL-MAP-LAN-TO-WAN
 class class-default

policy-map type inspect POL-MAP-WAN-TO-LAN
 class class-default

zone security WAN
zone security LAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect POL-MAP-FIREWALL-OUTBOUND
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect POL-MAP-LAN-TO-WAN

interface e0/0
 zone-member security LAN

interface s0/0
 zone-member security WAN

Basic Subnetting Trick

This is good for Cisco exams, and work, if you ever need to figure out subnets on paper. 

To figure out the valid addresses in a subnet: 
Take the octet that is not 0 or 255, for example starting with, take 224, and subtract that value from 256 (256 – 224 = 32). Now make a chart starting at 0, and adding the value from that last step with each line, up to 256 (the note board I got for the CCNA had gridlines, which made it even easier) 


Now, leaving room in between, write on each line the value of the line below, minus 1 


  0       31 
 32       63 
 64       95 
 96       127 
128      159 
160      191 
192      223 
224      255 

The values on the left are the valid subnet addresses, and the right is the broadcast address. 

If you want, now fill in the valid ranges in between 


  0         1-30          31 
  32      33-62          63 
  64      63-94          95 
  96      97-126        127 
128     127-158        159 
160     161-190        191 
192     192-222        223 
224     225-254        255 

There you go, all your addresses, with subnet and broadcast addresses.