Deploying CME and CUE

Transcript of Deploying CME and CUE

Deploying Cisco CallManager Express and Cisco Unity Express: Advanced Deployment Scenarios, Management and Security
Session VVT-2106 (12627_04_2006_c2)
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 2: Session Scope and Objectives

To explore additional applications that can enhance the capabilities of the CME/CUE infrastructure discussed in VVT-2014 (Designing Cisco CallManager Express and Cisco Unity Express Network Architecture). The design is based on CME 4.0 and CUE 2.3.

Aspects we will cover:
- CME/CUE Security: commonly used ports, firewall design, toll restriction and authentication
- CME Remote Teleworker: call flows, codec considerations and recommended design
- CME Video: supported deployments, bandwidth requirements and supplementary features interoperability
- CUE Advanced Applications: B-ACD interoperability, IMAP integration, Voice View Express (VVE)
- CME/CUE Management: day one set-up, day two provisioning tools, SNMP monitoring, CDR collection

Slide 3: Agenda

- CME/CUE Security
- CME Remote Teleworker
- CME Video
- CUE Advanced Applications
- CME/CUE Management
- Q and A
- Summary
- Backup

Slide 4: CME/CUE Security

Slide 5: CME/Cisco IOS Firewall with H.323

- CBAC inspects H.323 connections initiated from the CME/firewall
- The ACL on the CME/firewall allows H.323 call control traffic on TCP port 1720
- Inspection of CME/firewall-initiated traffic enables dynamic opening of pinholes on the interface ACL to allow return traffic for the dynamically negotiated call control and RTP ports

Diagram (SJC and NYC sites, each with SCCP and SIP phones, connected by a private H.323 trunk over the public network): the ACL allows inbound/outbound H.323 packets on the CME source IP address, TCP port 1720; SIP and SCCP port access is restricted to the LAN IP address space.

Slide 6: CME/Cisco IOS Firewall with SIP

- CBAC on the external firewall inspects CME-initiated SIP connections
- The ACL on the firewall allows SIP call control traffic on TCP port 5060
- The external firewall inspects CME-initiated traffic, dynamically opening pinholes on the firewall ACL to allow return traffic for the dynamically negotiated call control and RTP ports
- Inspection of SIP and SCCP for co-resident CME and firewall will be supported in Q1 CY07

Diagram (SJC and NYC sites, each behind an external firewall (FW), with SCCP and SIP phones, connected by a private SIP trunk over the public network): the ACL allows inbound/outbound SIP packets on TCP port 5060; the public address is translated by the firewall to the private CME source address.

Slide 7: CME Site-to-Site VPN

- All SIP/H.323 call control and RTP media can be encrypted over an IPsec tunnel established between the CME/VPN routers
- CME 3.x and below requires GRE; CME 4.0 and above does not require GRE and supports dynamic and static crypto, EZ-VPN and DMVPN
- Recommended design for remote SCCP phones

Diagram (SJC and NYC sites with SCCP and SIP phones; the H.323/SIP trunk is carried inside the IPsec tunnel): the IPsec tunnel is established between the public addresses on the CME/VPN servers; at each site the CME source address uses a loopback that is routable over the IPsec tunnel.

Slide 8: Cisco Unity Express: IP Connectivity

The ccn subsystem SIP gateway address configured on CUE is "10.68.10.1" (the host router's interface). Use IP unnumbered or VLAN addressing; the Service-Engine interface is a bridged link between the service module and the router's Cisco IOS routing logic (Loopback 0, FastEthernet 1/0 and VLAN1 in the diagram).

VLAN addressing:

    interface VLAN1
     ip address 10.68.10.1 255.255.255.0
    !
    interface Service-Engine4/0
     ip unnumbered VLAN1
     service-module ip address 10.68.10.10 255.255.255.0
     service-module ip default-gateway 10.68.10.1
    !
    ip route 10.68.10.10 255.255.255.255 Service-Engine4/0

Or, unnumbered to a physical interface:

    interface FastEthernet0/0
     ip address 10.68.10.1 255.255.255.0
    !
    interface Service-Engine4/0
     ip unnumbered FastEthernet0/0
     service-module ip address 10.68.10.10 255.255.255.0
     service-module ip default-gateway 10.68.10.1
    !
    ip route 10.68.10.10 255.255.255.255 Service-Engine4/0

Slide 9: Securing CUE: NAT

If CUE has a private IP address, GUI access from external addresses requires NAT:
1. Set a private IP address on the CUE interface
2. Create a static source NAT IP translation
3. Make the service-engine interface the inside interface
4. Make the FastEthernet interface the outside interface

    interface FastEthernet0/0
     ip address b.19.153.38 255.255.255.0
     ip nat outside
    !
    interface Service-Engine2/0
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     service-module ip address 10.10.10.2 255.255.255.0
     service-module ip default-gateway 10.10.10.1
    !
    ip nat inside source static tcp 10.10.10.2 80 b.19.153.38 80

Slide 10: Securing CUE: NAT (continued)

The NAT configuration on the previous slide enables the combined CUE/CME GUI to work, but disables the CME-specific GUI:
- To access the CME-specific GUI with the NAT config, the HTTP port for CME must be a number other than 80; adjust this with the ip http port command
- Use a port-specific URL to access the CME GUI, e.g. http://10.19.153.38:<port>/telephony_service.html
- Any other access to HTTP servers on the private LAN also requires configuration to use a port other than 80
- A static NAT statement for port 21 might also be needed to enable remote FTP software installation or upgrade for CUE

Slide 11: CME Commonly Used Ports for Voice

Protocol   | Port                     | Usage
SCCP       | TCP 2000                 | Call control for SCCP phones
SIP        | TCP 5060                 | Call control for SIP endpoints
RTP        | UDP 16384-32767          | Media from CME to H.323/SIP endpoint, including CUE
RTP        | UDP 2000                 | Media from CME to SCCP phone
H.225      | TCP 1720                 | H.323 call setup
H.245      | TCP 11000-65535          | H.323 call control, port assignment random
H.323 RAS  | UDP 1718                 | GK discovery
H.323 RAS  | UDP 1719                 | GK call control
H.323 RAS  | UDP, multicast 223.0.1.4 | GK multicast discovery
TLS        | TCP 3804                 | CAPF authentication request
TLS        | TCP 2443                 | Secure call control for SCCP phones

Slide 12: CME Commonly Used Ports for Data

Protocol   | Port     | Usage
DHCP       | UDP 67   | IP addressing for IP phones
HTTP       | TCP 80   | CME GUI access, IP phone local directory access
HTTPS/SSL  | TCP 443  | Secure CME GUI access
NTP        | UDP 123  | Time sync for CUE, IP phones
RADIUS     | UDP 1645 | Authentication for CME CLI/GUI users
RADIUS     | UDP 1646 | CDR accounting
SNMP       | UDP 161  | Traps for CME monitoring
SSH        | TCP 22   | Secure CME CLI access
Syslog     | UDP 514  | System monitoring, CDR accounting
Telnet     | TCP 23   | CME CLI access
TFTP       | UDP 69   | IP phone download of firmware and config files

Slides 13-15: Securing CUE: Commonly Used Port Numbers

Recommend inserting ACLs on CUE's host router to limit traffic to/from CUE and to/from the other network components (NTP, FTP, DNS, SMTP) it communicates with. See the Cisco Unity Express Design Guide, Network Infrastructure chapter, for more details: http://www.cisco.com/en/US/products/sw/voicesw/ps5520/products_implementation_design_guide_book09186a008049e616.html

Protocol | Port(s)                                          | Remote device                    | Notes
DNS      | TCP/UDP 53                                       | DNS servers                      |
FTP      | TCP 20 (data), TCP 21 (control)                  | FTP server                       | Used for software install; backup and restore
IMAP     | TCP 143 (non-SSL), TCP 993 (SSL), CUE destination | PC client                        | Integrated messaging; use of SSL is optional
JTAPI    | TCP 2748                                         | CCM                              | Used for call control in CCM deployments
HTTP     | TCP 80                                           | Administrator/user web browsers  | CUE/CME admin and user browser access; also used by VVE
NTP      | UDP 123                                          | NTP server                       | Date/time server
RMI      | TCP 1099, TCP 32xxx                              | PC client                        | CUE script debugging and VVE; two to three dynamic ports in the 32xxx range are used
RTP      | UDP 16384-32767 (both directions)                | Voice media                      | IP phone and gateway ports
SSH      | -                                                | Secure Shell client              | Not supported on CUE; use SSH to the host router
SIP      | UDP 5060                                         | CME or SRST host router          | SIP trunking requires CUE 2.3 or later
SMTP     | TCP 25                                           | CUE or Unity                     | Voice mail networking between sites
SNMP     | TCP 161 (polls), TCP 162 (unsolicited notifications) | Network management station   | CUE SNMP requires CUE 2.2 or later
Syslog   | TCP 514                                          | Syslog service                   |
Telnet   | -                                                | Telnet client                    | Not supported on CUE; use Telnet to the host router
TFTP     | UDP 69                                           | TFTP server                      | Used for loading the RAM kernel

Slide 16: CME Security Toolbox

Toll restriction: COR (Class of Restriction), after-hours call blocking, forced authorization code, direct inward dial
Feature restriction: transfer-pattern, transfer max-length, softkey template, call-forward max-length, disable call-forward local, disable directed pickup
Administrative restriction: TACACS/RADIUS authentication, SSH/HTTPS secure access, customized GUI access, disable auto-registration

Slide 17: Toll Restriction: After-Hours Block

    telephony-service
     after-hours block pattern 1 91
     after-hours block pattern 2 91900 7-24
     after-hours day sun 9:00 8:00
     after-hours day mon 19:00 8:00
     after-hours day tue 19:00 8:00
     after-hours day wed 19:00 8:00
     after-hours day thu 19:00 8:00
     after-hours day fri 19:00 10:00
     after-hours day sat 13:00 9:00

Numbers starting with 91 are blocked during non-business hours; numbers starting with 91900 are always blocked (7-24). Business hours are set to 8:00-19:00 Monday to Friday and 10:00-13:00 Saturday; closed Sunday.

- after-hours block globally defines specific block patterns that cannot be dialed during non-business hours
- A maximum of 32 block patterns can be defined per system
- A block pattern with 7-24 is always blocked, for all phones
- When the stop time is earlier than the start time, the stop time is in the next day of the week; i.e. sat 13:00 9:00 sets non-business hours from Saturday 13:00 to Sunday 9:00 AM

Slide 18: Toll Restriction: After-Hours Exemption

    telephony-service
     after-hours block pattern 1 91
     after-hours block pattern 2 91900 7-24
     login timeout 10
    !
    ephone 1
    !
    ephone 2
     after-hour exempt
    !
    ephone 3
     pin 1234

Ephone 1: numbers starting with 91 or 91900 are blocked.
Ephone 2: no numbers are blocked.
Ephone 3, after PIN entry: only numbers starting with 91900 are blocked.

- after-hour exempt exempts the IP phone from all after-hours blocking
- After-hours PIN override suspends the after-hours block when the user enters a four- to eight-digit PIN; a block pattern with the 7-24 suffix is still enforced even after PIN entry
- The after-hours suspension stays in effect until the login timeout expires
- The PIN is defined per IP phone
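The after-hours logic of the two slides above (block patterns, the 7-24 suffix, per-day windows that wrap into the next day, after-hour exempt, PIN override and login timeout) as an added Python model; this is example code written for this transcript, not Cisco code. The minute-of-week arithmetic, the Ephone class and the demo times are constructed for the example.

```python
# Added example (not Cisco code): a model of CME after-hours call blocking as
# described on the two slides above. Times are minutes since Monday 00:00.
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
WEEK = 7 * 1440


def minute_of_week(day, hhmm):
    """('tue', '20:00') -> minutes since Monday 00:00."""
    hours, minutes = hhmm.split(":")
    return DAYS.index(day) * 1440 + int(hours) * 60 + int(minutes)


def after_hours_windows(day_config):
    """day_config holds (day, start, stop) tuples as typed under 'after-hours day'.
    A stop earlier than the start rolls into the next day, so ('sat', '13:00', '9:00')
    covers Saturday 13:00 to Sunday 09:00."""
    windows = []
    for day, start, stop in day_config:
        start_min = minute_of_week(day, start)
        stop_min = minute_of_week(day, stop)
        if stop_min <= start_min:
            stop_min += 1440
        windows.append((start_min, stop_min))
    return windows


def is_after_hours(t, windows):
    # Checking t + WEEK as well catches a Sunday window that ends on Monday morning.
    return any(s <= x < e for s, e in windows for x in (t, t + WEEK))


class Ephone:
    """Per-phone state: 'after-hour exempt', an optional 'pin', and the PIN login time."""

    def __init__(self, exempt=False, pin=None):
        self.exempt = exempt
        self.pin = pin
        self.pin_entered_at = None

    def enter_pin(self, pin, t):
        """The user logs in on the phone; returns True when the PIN is accepted."""
        if self.pin is not None and pin == self.pin:
            self.pin_entered_at = t
            return True
        return False

    def pin_active(self, t, login_timeout):
        """The suspension lasts until 'login timeout' (minutes) expires."""
        return (self.pin_entered_at is not None
                and 0 <= t - self.pin_entered_at < login_timeout)


def is_blocked(dialed, t, patterns, windows, phone, login_timeout=10):
    """patterns: (prefix, always) pairs; always=True models the '7-24' suffix.
    Returns True when CME would reject the call at minute-of-week t."""
    if phone.exempt:
        return False                      # exempt phones skip all after-hours blocking
    for prefix, always in patterns:
        if not dialed.startswith(prefix):
            continue
        if always:
            return True                   # 7-24 patterns hold even after PIN entry
        if phone.pin_active(t, login_timeout):
            continue                      # a valid PIN suspends time-based blocks
        if is_after_hours(t, windows):
            return True
    return False


# Constructed from the slide configuration (login timeout 10).
PATTERNS = [("91", False), ("91900", True)]
WINDOWS = after_hours_windows([
    ("sun", "9:00", "8:00"), ("mon", "19:00", "8:00"), ("tue", "19:00", "8:00"),
    ("wed", "19:00", "8:00"), ("thu", "19:00", "8:00"), ("fri", "19:00", "10:00"),
    ("sat", "13:00", "9:00"),
])


def demo():
    """Reproduce the three ephones of the exemption slide at a few times."""
    busy, late = minute_of_week("tue", "10:00"), minute_of_week("tue", "20:00")
    plain, exempt, pinned = Ephone(), Ephone(exempt=True), Ephone(pin="1234")
    pinned.enter_pin("1234", minute_of_week("tue", "19:55"))
    return {
        "ephone1_business_hours": is_blocked("915551212", busy, PATTERNS, WINDOWS, plain),
        "ephone1_after_hours": is_blocked("915551212", late, PATTERNS, WINDOWS, plain),
        "ephone2_exempt": is_blocked("915551212", late, PATTERNS, WINDOWS, exempt),
        "ephone3_pin_91": is_blocked("915551212", late, PATTERNS, WINDOWS, pinned),
        "ephone3_pin_91900": is_blocked("919005551212", late, PATTERNS, WINDOWS, pinned),
        "ephone1_sunday": is_blocked("915551212", minute_of_week("sun", "10:00"),
                                     PATTERNS, WINDOWS, plain),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'blocked' if blocked else 'allowed'}")
```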

Slide 19: Toll Restriction: Class of Restriction (COR)

Define COR names (maximum 64 allowed):

    dial-peer cor custom
     name 911
     name 408

Define outbound COR lists and add COR members:

    dial-peer cor list call911
     member 911
    !
    dial-peer cor list call408
     member 408

Define inbound COR lists and add COR members:

    dial-peer cor list Lobby
     member 911
    !
    dial-peer cor list Office
     member 408
     member 911

- COR denies or allows calls based on group membership; these groups are called COR lists
- An ephone-dn or dial-peer can be a member of a single COR list
- Ephone-dns and dial-peers that are not members of COR lists are exempt from COR rules

Slide 20: Toll Restriction: Class of Restriction Logic (1)

Incoming COR lists and ephone-dns:

    dial-peer cor list Lobby
     member 911
    !
    ephone-dn 1
     number 1111
     cor incoming Lobby
    !
    dial-peer cor list Office
     member 911
     member 408
    !
    ephone-dn 2
     number 2222
     cor incoming Office

Outgoing COR lists and dial-peers (toward PSTN/VoIP):

    dial-peer cor list call911
     member 911
    !
    dial-peer voice 1 pots
     corlist outgoing call911
     destination-pattern 9911
     port 1/0/0
    !
    dial-peer cor list call408
     member 408
    !
    dial-peer voice 2 pots
     corlist outgoing call408
     destination-pattern 408.
     port 1/0/0

- Ephone-dn 1 (Lobby) to dial-peer 1 (call911): call allowed, member 911 matches for the incoming and outgoing COR lists
- Ephone-dn 1 (Lobby) to dial-peer 2 (call408): call blocked, no member match for the incoming and outgoing COR lists
- Ephone-dn 2 (Office) to dial-peers 1 and 2: calls allowed, members 911 and 408 match for the incoming and outgoing COR lists

Slide 21: Toll Restriction: Class of Restriction Logic (2)

Incoming COR list and ephone-dns:

    dial-peer cor list Office
     member 911
     member 408
    !
    ephone-dn 2
     number 2222
     cor incoming Office
    !
    ephone-dn 3
     number 3333

Outgoing COR list and dial-peers (toward PSTN/VoIP):

    dial-peer cor list call845
     member 845
    !
    dial-peer voice 3 pots
     corlist outgoing call845
     destination-pattern 845.
     port 1/0/0
    !
    dial-peer voice 4 pots
     destination-pattern 408.
     port 1/0/0

- Ephone-dn 2 (Office) to dial-peer 3 (call845): call blocked, no member match for the incoming and outgoing COR lists
- Ephone-dn 2 (Office) to dial-peer 4 (no COR list): call allowed, a dial-peer with no COR list applied accepts all calls
- Ephone-dn 3 (no COR list) to any dial-peer: call allowed, an ephone-dn with no COR list applied can make calls to any dial-peer
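The COR decision from the three COR slides above as an added Python model (example code, not Cisco code). It applies the documented Cisco IOS rule that a call passes when the outgoing dial-peer's COR list is a subset of the incoming COR list, and that a side with no COR list imposes no restriction; the `T` patterns and dial-peer tags are constructed stand-ins for the slide shorthand "408." and "845.".

```python
# Added example (not Cisco code): COR evaluation as described on the slides above.
# Documented IOS rule: a call is allowed when the outgoing dial-peer's COR list is a
# subset of the incoming COR list; a side with no COR list imposes no restriction.
# Patterns end in 'T' so that the slide shorthand '408.' accepts a full number.

COR_LISTS = {
    "call911": {"911"},
    "call408": {"408"},
    "call845": {"845"},
    "Lobby": {"911"},
    "Office": {"911", "408"},
}

# ephone-dn number -> 'cor incoming' list (None: no COR list applied)
EPHONE_DNS = {"1111": "Lobby", "2222": "Office", "3333": None}

# Constructed dial-peer tables: (tag, destination-pattern, 'corlist outgoing' or None)
SLIDE_20_PEERS = [(1, "9911", "call911"), (2, "408.T", "call408")]
SLIDE_21_PEERS = [(3, "845.T", "call845"), (4, "408.T", None)]


def pattern_matches(destination_pattern, digits):
    """Minimal IOS destination-pattern matching: '.' is any single digit and a
    trailing 'T' accepts any number of further digits after the fixed part."""
    variable = destination_pattern.endswith("T")
    fixed = destination_pattern[:-1] if variable else destination_pattern
    if len(digits) < len(fixed) or (not variable and len(digits) != len(fixed)):
        return False
    return all(p == "." or p == d for p, d in zip(fixed, digits))


def cor_allows(incoming_list, outgoing_list):
    """True when COR does not block a call between these two lists."""
    if incoming_list is None or outgoing_list is None:
        return True
    return COR_LISTS[outgoing_list] <= COR_LISTS[incoming_list]


def route_call(calling_number, dialed, dial_peers):
    """Return the tag of the first dial-peer that matches the dialed digits and
    passes the COR check, or None when COR blocks every matching peer."""
    incoming = EPHONE_DNS[calling_number]
    for tag, pattern, outgoing in dial_peers:
        if pattern_matches(pattern, dialed) and cor_allows(incoming, outgoing):
            return tag
    return None


if __name__ == "__main__":
    cases = [("1111", "9911", SLIDE_20_PEERS), ("1111", "4085551212", SLIDE_20_PEERS),
             ("2222", "4085551212", SLIDE_20_PEERS), ("2222", "8455551212", SLIDE_21_PEERS),
             ("2222", "4085551212", SLIDE_21_PEERS), ("3333", "8455551212", SLIDE_21_PEERS)]
    for caller, number, peers in cases:
        tag = route_call(caller, number, peers)
        print(f"{caller} -> {number}: {'blocked' if tag is None else f'dial-peer {tag}'}")
```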

Slide 22: Toll Restriction: COR vs. After-Hours Block

COR
- Pros: multiple COR groups can be defined; can be applied to non-SCCP devices such as analog phones, fax machines and CUE
- Cons: settings must be applied per DN; provisioning on the CLI only; no time-of-day or PIN override

After-hours block
- Pros: provisioning is simple, settings are applied per phone; can be provisioned on the GUI; rules can be selectively enforced according to time-of-day or PIN override
- Cons: all phones must follow a single global set of rules; supported on SCCP and SIP phones only

Slide 23: Securing CUE: Message Notification

- System-wide settings determine the valid numeric destinations
- Checked when a numeric destination is entered; already configured numbers are not checked when the rules are altered
- Min/max digits allowed: 1-30
- Up to ten rules or call patterns
- Rules can contain wildcards: * matches zero or more digits, . matches one digit (single digit placeholder)
- Each rule: allowed or denied
- Rules are searched sequentially until a match is found, then exit
- Default: all numbers allowed

Default rule:

Call pattern | Allowed
*            | Yes

Example 1:

Call pattern | Allowed
9011*        | No
91..         | No
*            | Yes

Example 2:

Call pattern | Allowed
9011*        | No
914085551212 | Yes
91408.       | No
*            | Yes
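The message notification rule table as an added Python model (example code, not Cisco code), including the caveat that numbers configured earlier are not re-checked when the rules change. The assumption that a call pattern must match the whole destination number, and the rule sets used for the demonstration, are mine.

```python
import re

# Added example (not Cisco code): a model of the CUE message notification
# restriction table. Rules are evaluated in order, the first matching rule
# decides, and a number that matches no rule is allowed (the default).
# Assumption: a call pattern must match the whole destination number.

MIN_DIGITS, MAX_DIGITS, MAX_RULES = 1, 30, 10


def call_pattern_regex(pattern):
    """'*' matches zero or more digits, '.' matches exactly one digit."""
    if not re.fullmatch(r"[0-9*.]+", pattern):
        raise ValueError(f"invalid call pattern: {pattern!r}")
    parts = {"*": r"\d*", ".": r"\d"}
    return re.compile("".join(parts.get(ch, ch) for ch in pattern))


class NotificationRestriction:
    def __init__(self, rules):
        self.destinations = []          # numbers already accepted for notification
        self._compile(rules)

    def _compile(self, rules):
        # rules: ordered list of (call_pattern, allowed)
        if len(rules) > MAX_RULES:
            raise ValueError("at most ten rules or call patterns")
        self.rules = [(pattern, call_pattern_regex(pattern), allowed)
                      for pattern, allowed in rules]

    def check(self, number):
        """Return (allowed, matching rule) for a candidate destination."""
        if not number.isdigit() or not MIN_DIGITS <= len(number) <= MAX_DIGITS:
            return False, "digit count outside 1-30"
        for pattern, regex, allowed in self.rules:
            if regex.fullmatch(number):
                return allowed, pattern
        return True, "default: all numbers allowed"

    def add_destination(self, number):
        """Validate a destination at entry time, as CUE does."""
        allowed, _ = self.check(number)
        if allowed:
            self.destinations.append(number)
        return allowed

    def replace_rules(self, rules):
        """Altering the rules does not re-check configured numbers, so return the
        already configured destinations the new rules would now deny; an
        administrator should review and remove those by hand."""
        self._compile(rules)
        return [n for n in self.destinations if not self.check(n)[0]]


# Constructed from the second example table on the slide.
SLIDE_RULES = [("9011*", False), ("914085551212", True), ("91408.", False), ("*", True)]

if __name__ == "__main__":
    table = NotificationRestriction(SLIDE_RULES)
    for number in ["914085551212", "914085", "90114420712345", "4085551212"]:
        print(number, table.check(number))
    table.add_destination("914085551212")
    print("now denied:", table.replace_rules([("91*", False), ("*", True)]))
```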

Slide 24: Call Forward Restriction: Call-Forward Max-Length

    ephone-dn 1
     number 1000
     call-forward max-length 4
    !
    ephone-dn 2
     number 1001
     call-forward max-length 7
    !
    ephone 1
     button 1:1 2:2

Button 1: forward to 1002 allowed; forward to 5551212 blocked.
Button 2: forward to 5551212 allowed; forward to 19103335555 blocked.

- call-forward max-length restricts the maximum number of digits that can be entered for a call forward destination with the CFwdAll softkey, on a per-DN basis
- The max-length of the ephone-dn assigned to button 1 is enforced when pressing the CFwdAll softkey while on-hook or after lifting the handset
- The max-length of ephone-dns assigned to other buttons is only enforced when the specific button is selected; if button 2 is selected and the CFwdAll softkey is pressed, the max-length of the ephone-dn assigned to button 2 is enforced
- call-forward max-length is not enforced for destinations entered in the GUI or CLI

Slide 25: Call Forward Restriction: No Forward Local-Calls

    ephone-dn 1
     number 1000
     call-forward busy 2000
     call-forward noan 2000 timeout 10
     no forward local-calls
    !
    ephone 1
     button 1:1

A call from a local IP phone to 1000 is not forwarded; a call from the PSTN to 1000 is forwarded to 2000.

- no forward local-calls, introduced in CME 4.0, blocks call forwarding of incoming calls from local CME IP phones
- Set on a per-ephone-dn basis
- All other incoming calls obey the ephone-dn call-forward settings

Slide 26: Call Transfer Restriction: Transfer-Pattern

    telephony-service
     transfer-pattern 408555.

Transfer to 4085551212 allowed; transfer to 9102223333 (PSTN) blocked; transfer to 12345 (local ephone-dn) allowed.

- A call transfer to a POTS or VoIP destination that does not match the transfer-pattern is blocked; this includes local destinations such as CUE and B-ACD
- One transfer-pattern is allowed per system and is enforced on all phones
- By default no transfer-pattern is set, so all call transfers to POTS or VoIP destinations are blocked
- transfer-pattern still allows transfers to ephone-dn and ephone-hunt numbers defined on the local CME
- transfer-pattern .T allows call transfers to any destination

Slide 27: Call Transfer Restriction: Transfer-Pattern Blocked

    telephony-service
     transfer-pattern .T
    !
    ephone-template 1
     transfer-pattern blocked
    !
    ephone 1
    !
    ephone 2
     ephone-template 1

Ephone 1: transfer to 5551212 allowed. Ephone 2: transfer to 5551212 (PSTN) blocked; transfer to 12345 (local ephone-dn) allowed.

- transfer-pattern blocked, introduced in CME 4.0, overrides transfer-pattern and disables call transfer to POTS or VoIP destinations
- transfer-pattern blocked still allows transfers to ephone-dn and ephone-hunt numbers defined on the local CME
- Can be applied on an ephone or ephone-template

Slide 28: Call Transfer Restriction: Transfer-Pattern Max-Length

    telephony-service
     transfer-pattern .T
    !
    ephone-template 1
     transfer-pattern max-length 4
    !
    ephone 1
     ephone-template 1

Ephone 1: transfer to 9911 allowed; transfer to 5551212 (PSTN) blocked; transfer to 12345 (local ephone-dn) allowed.

- transfer-pattern max-length, introduced in CME 4.0, overrides transfer-pattern and enforces the maximum number of digits that can be entered for a transfer destination, on a per-phone basis
- Can only be applied on an ephone-template
- Max-length is not enforced for ephone-dn or ephone-hunt numbers on the local CME

Slide 29: Features Restriction: Softkey Templates

    ephone-template 1
     softkeys idle Redial Dnd Pickup Login Gpickup
     softkeys seized Pickup Redial Endcall Gpickup
    !
    ephone 1
     ephone-template 1

This prevents call forward by removing the CFwdAll softkey from the IP phone user interface in the idle and seized states.

- An ephone-template can be used to disable access to features by removing softkeys
- Supported on all phones with an LCD display
- A template can include softkey settings for the alerting, connected, idle and seized states
- CME 3.x supports a maximum of 5 templates, CME 4.0 a maximum of 20 templates per system

Slide 30: Features Restriction: Feature Access Code (FAC) Blocking

    telephony-service
     fac custom callfwd all *3
    !
    ephone-template 1
     features blocked CFwdAll
    !
    ephone 1
     button 1:1
    !
    ephone 2
     ephone-template 1
     button 1:2

Ephone 1 (an analog port on a VG224 behind CME): dial *3 + forward destination to set call forward all. Ephone 2: dialing *3 does nothing.

- CME 4.0 adds feature access codes (FAC), which allow endpoints such as the VG224 to enter * or # codes to invoke features
- Set features blocked under the ephone-template to block specific phones from being able to use a FAC

Slide 31: Features Restriction: Disable Directed Pickup

    telephony-service
     no service directed-pickup
    !
    ephone-dn 1
     number 123
     pickup-group 1
    !
    ephone-dn 2
     number 130
    !
    ephone-dn 3
     number 124
     pickup-group 1

Diagram: 123 is ringing; Pickup softkey + 123 from 130 is blocked; the Pickup softkey does a local group pickup (123 and 124 are in pickup-group 1).

- Directed call pickup allows any call on the local CME to be picked up by pressing the Pickup softkey followed by the ringing extension
- no service directed-pickup, introduced in CME 4.0, disables directed call pickup globally; group call pickup is not blocked
- Pressing the Pickup softkey executes local group pickup; this emulates CCM behavior

Slide 32: Toll Restriction: Inbound Call Best Practices

Default: an incoming call receives secondary dialtone, so the incoming caller can reach any number defined on CME, including international calls. With PLAR or DID enabled, the call is routed to the internal party (CUE AA or attendant).

- By default, an incoming call to a CME voice port presents the incoming caller with secondary dial tone; this allows the incoming caller to dial any number defined on CME, including long distance and international numbers. Very dangerous
- PLAR to an AA or attendant phone if your telco does not present DID
- Enable direct-inward-dial and translate to match the internal dial plan if the telco presents DID

Slide 33: Toll Restriction: DID Translation Script

Flow: incoming DID call to 30; the TCL DID script appends the prefix 1 to the DID; if 130 matches, the call is routed to 130; if there is no match, the caller hears "You have reached an invalid extension. This call will be disconnected."

- The TCL script adds a prefix from 1 to 99 to any incoming DID
- If prefix + DID matches the CME numbering plan, the call is routed to the new destination; if there is no match, the script plays the invalid number prompt and disconnects the call

Slide 34: Securing CUE: AA PSTN Access

- The CUE system AA script contains a variable to allow/deny PSTN access (transfers out) from the AA
- Recommendation: build a similar capability into any custom AA scripts used on CUE
- If PSTN access from the AA is required, limit the numbers (or range of numbers) that are considered valid by the script

Slide 35: Disable Auto-Registration

    telephony-service
     ip source-address 10.1.1.1
     no auto-reg-ephone
    !
    ephone 1
     mac-address AAAA.BBBB.CCCC
     button 1:1

A phone with MAC address AAAA.BBBB.CCCC registers; a phone with MAC address BBBB.AAAA.DDDD is rejected (mac-address not provisioned in CME).

- With CME 4.0, no auto-reg-ephone rejects registration attempts by IP phones whose MAC address is not provisioned in CME
- show ephone attempted-registrations shows the MAC address, phone type and datestamp of failed registration attempts
- Disabling auto-registration disables GUI ephone provisioning and CME SRST fallback
- With CME 3.x and below, provision ephones before configuring ip source-address to work around the auto-registration behavior

Slide 36: Secure CME

Components: IP phone; CME with TFTP, CAPF and SSL/TLS; CTL client; Cisco IOS PKI certificate authority.

1. The IP phone downloads the CTL file generated by the CTL client; after the CTL file is validated, the IP phone downloads the signed config, locale and firmware files (TFTP)
2. The IP phone initiates a TLS session on port 3804 to the CAPF server specified in the config file
3. The IP phone user enters a password to authenticate to CAPF; after the password is validated, CAPF enrolls the certificate request with the CA and provides the certificate to the IP phone
4. The IP phone stores the certificate and establishes a TLS session on port 2443 to register to CME

Slide 37: AAA Model for CCME

- If AAA for administration of Cisco IOS-based equipment is already in use, it should be leveraged for CCME: use CiscoSecure ACS and TACACS+ or some other off-box mechanism
- Authentication: follow corporate standards
- Authorization: only CCME administrators should be allowed access to options under global config such as dial-peers, ephones, ephone-dns, telephony-service, etc. Show commands and other exec level instructions can be restricted as desired
- Accounting: command-level accounting should be enabled as appropriate to at least monitor config changes within CCME

Slide 38: HTTPS and SSH Secure Access

- SSH encrypts user logon data when accessing the CME CLI
- HTTPS encrypts user logon data when accessing the CME GUI
- SSH is included in all Cisco IOS images in 12.4; HTTPS requires a K9 image to provision
- HTTPS and HTTP can run concurrently
- IP phones do not support HTTPS; if HTTP is disabled on CME, the following phone features may cease to function: local directory, XML speed dial, CUE GUI

Slide 39: TACACS/RADIUS Authentication for CME GUI/CLI

Diagram: HTTP/HTTPS (GUI) and telnet/SSH (CLI) sessions terminate on CME, which authenticates the username/password against the TACACS/RADIUS server.

- CME GUI and CLI administrative access can be authenticated to an external TACACS/RADIUS server
- CLI access can be limited to specific commands based on privilege level; level 15 gives full access
- Only the CME GUI admin can be authenticated by TACACS/RADIUS; end user GUI accounts must be local
- Not supported in the CUE GUI

Slide 40: Securing CUE: CLI Access

- Telnet to the CUE IP address is disallowed; you telnet to the router and then session through to CUE for CLI access:

    router#service-module service-engine x/y session

- The TTY port number for CUE depends on the router platform and on which slot the CUE AIM/NM is located in
- The TTY port is by default not protected; recommend inserting a login/password and an inactivity timeout. The login can be checked via AAA/RADIUS if required:

    line xx
     session-timeout 5
     password 7 02050D480809
     login

Diagram: the router console or IP port provides router CLI access (login required); the router TTY port, over the router backplane, provides CUE console CLI access (no login required by default).

Slide 41: Securing CUE: GUI Access

- CUE GUI access can be restricted on the host router if required (i.e. no HTTP access to CUE)
- The CUE GUI requires a login/password; the username is checked locally against CUE's LDAP database
- SSL is not yet supported (roadmap); use IPsec/VPN between the client and the router
- The CUE GUI uses HTTP servers on both the router and the CUE module

Diagram: HTTP traffic to the CUE IP address (optionally over a VPN) reaches the HTTP server on the router, which passes it over the router backplane to the HTTP server on CUE; the CUE admin/user login is checked on CUE.

Slide 42: CME Remote Teleworker

Slide 43: Remote Teleworker Requirements

- Minimum bandwidth of one T1 (1.536 Mbps) or E1 (2.048 Mbps) at the HQ CME site
- Minimum 128 Kbps upload bandwidth for each remote phone; business class broadband recommended
- Maximum number of remote phones constrained by WAN bandwidth
- CUE and PSTN must be hosted on the hub CME
- No SRST support

Diagram: 87x routers at the remote sites (voice and data) connect over IPsec tunnels across the Internet to the hub CME, which hosts the LAN and the PSTN connection.

Slide 44: Remote Teleworker: Background

- Prior to CME 4.0, there were issues with one-way audio for calls made to hub VM or PSTN by remote phones over a direct IPsec tunnel
- The workaround was using loopback interfaces and GRE tunnels
- CME 4.0 solves this problem by sending the RTP (UDP) packets through the Cisco IOS IP switching engine, instead of encapsulating them and queuing them to the egress interface itself
- The changes introduced by this feature make CME behave the same way as a Cisco VoIP (H.323 or SIP) gateway in the sourcing of RTP packets for remote phones

Slide 45: ToS Byte for VoIP Applications

Media: DSCP = EF (IP Precedence 5), set by IP phones (7960, etc.) and IP Communicator; configurable on the CME/voice gateway.

    class-map match-all VOICE
     match ip dscp ef

Signaling: DSCP = AF31 or CS3 [*] (IP Precedence 3).

    class-map match-any CALL-SETUP
     match ip dscp af31
     match ip dscp cs3

CME/voice gateway dial-peer marking (verify):

    dial-peer voice 10 voip
     ip qos dscp ef media
     ip qos dscp cs3 signaling

[*] Depends on firmware; CSCdy33281 integrated releases use CS3.

Slide 46: Remote Phones, No MTP

Characteristics:
- Media flow-around for spoke-to-spoke calls
- PSTN and VM access require media flow-through to CME
- All IP phones require a routable address
- UDP/TCP ports must be open between remote and LAN IP phones

Diagram: ephone 1 and ephone 2 behind 87x routers across the WAN; SCCP signaling goes to CME, RTP media flows directly between the phones and reaches CME only for VM/PSTN calls.

Slide 47: Remote Phones with MTP

    ephone 1
     mtp
    !
    ephone 2
     mtp

Characteristics:
- All non-LAN calls flow through the CME source address
- Only the CME source address needs to be routable
- Remote phones can use NATed addresses
- UDP/TCP ports must be open between the remote IP phones and the CME source address

Diagram: the CME source address is on a routable network; fixup protocol skinny is configured on the PIX for the private address on the remote LAN; both SCCP signaling and RTP media from the remote phones (behind 87x routers across the WAN) terminate on CME.

Slide 48: Recommended Designs for Remote Phones over IPsec

- IPsec tunnel between CME and 87x/PIX (recommended for QoS and VPN acceleration)
- IPsec pass-through across a third-party router, with the CME/VPN server at the hub and Cisco VPN Client + CIPC at the remote site
- IPsec between CME/VPN and a 3rd-party router is not TAC supported

Slide 49: Remote Phone G.729

- With g.729 dspfarm-assist configured, the DSP farm is used to transcode G.729 to G.711 for call forward/transfer to CUE and 3-party conferencing
- If no DSP transcoding resources are available, remote phones use G.711
- ATA and VG224 do not support dspfarm-assist and always use G.711 for CUE and 3-party conferencing
- Enter the total number of remote phones in the DSP calculator > Advanced Options > G.711 to G.729a/GSM-FR field to calculate the DSP resources required for transcoding: http://www.cisco.com/cgi-bin/Support/DSP/cisco_prodsel.pl

Slide 50: CME Video

Slide 51: CME Video Call Flows

Diagram components: CME with SCCP video endpoints (IP Communicator + CVTA, IP phone + CVTA), H.323 gatekeeper, H.323 video endpoint, CCM with SCCP video endpoints, PSTN (voice only).

Supported video call flows:
- CME SCCP to CME local SCCP
- CME SCCP to CME remote SCCP
- CME SCCP to H.323 video endpoint
- CME SCCP to H.323 to CCM SCCP video endpoint

Only audio is supported over a SIP trunk.

Slide 52: SCCP Endpoints: How VT Advantage Works

Diagram: IP phone 10.70.110.100 on phone VLAN 110 and a PC running VT Advantage at 171.70.10.100 on PC VLAN 10, connected via 802.1Q/p through the switch to CCME. Steps: (1) CDP between phone and PC; (2) CAST: "I want to associate with you"; (3) SCCP: open video channel, proxied to the PC as CAST: open video channel; (4) audio packets from the phone, video packets from the PC.

1. The phone and PC exchange CDP. The phone begins listening for CAST messages on TCP port 4224 from the IP address of the CDP neighbor
2. The PC initiates CAST messages to the phone over TCP/IP. CAST packets are routed up to the layer-3 boundary between VLANs; firewalls and/or ACLs must permit TCP port 4224
3. The phone acts as an SCCP proxy between VT Advantage and CCME; CCME tells the phone to open video channels per call; the phone proxies those messages to the PC via the CAST protocol
4. The phone sends/receives audio. The PC sends/receives video on RTP port 5445. Audio and video are marked DSCP AF41. The switch port must be set to trust DSCP (or use an ACL) instead of trust CoS, or else VT Advantage packets will be rewritten to DSCP 0

CME VTA Support
Supported on 7960/40, 7941/61 and 7970/71 with firmware version 7.x and above; the 7985 is not supported.
Video capability is enabled per phone in the CME 4.0 CLI. VT Advantage associates with the IP phone automatically; all dialing and supplementary services are done through the phone.

telephony-service
 video
  maximum bit-rate 384
 service phone videoCapability 1
!
ephone 1
 video

The videoCapability keyword is case-sensitive.
CDP must be installed on the PC Ethernet NIC, and the PC must be physically connected to the PC port on the back of the IP phone (no wireless, no associating from a different network jack).
A Cisco USB camera is required (no third-party cameras).
Codecs supported: H.263, H.261, G.729 and G.711.

Video Call Estimated Bandwidth

Speed       Audio codec and rate   Video codec and rate       Total (with 20% overhead)
128 kbps    G.711u @ 64 kbps       H.261/H.263 @ 64 kbps      153.6 kbps
128 kbps    G.729 @ 8 kbps         H.261/H.263 @ 120 kbps     153.6 kbps
384 kbps    G.711u @ 64 kbps       H.261/H.263 @ 320 kbps     460.8 kbps
384 kbps    G.729 @ 8 kbps         H.261/H.263 @ 376 kbps     460.8 kbps
768 kbps    G.711u @ 64 kbps       H.261/H.263 @ 704 kbps     921.6 kbps
768 kbps    G.729 @ 8 kbps         H.261/H.263 @ 760 kbps     921.6 kbps
1.5 Mbps    G.711u @ 64 kbps       H.261/H.263 @ 1.408 Mbps   1.766 Mbps
1.5 Mbps    G.729 @ 8 kbps         H.261/H.263 @ 1.464 Mbps   1.766 Mbps
2.048 Mbps  G.711u @ 64 kbps       H.261/H.263 @ 1.984 Mbps   2.458 Mbps
2.048 Mbps  G.729 @ 8 kbps         H.261/H.263 @ 2.04 Mbps    2.458 Mbps
7 Mbps      G.711u @ 64 kbps       H.261/H.263 @ ~7 Mbps      8.4 Mbps
7 Mbps      G.729 @ 8 kbps         H.261/H.263 @ ~7 Mbps      8.4 Mbps

The video rate is the call speed minus the audio rate, and the total adds 20% for IP/UDP/RTP overhead (the 1.5 Mbps rows are computed from a 1.472 Mbps call rate).

Video Supplementary Services over H.323
Gatekeeper call routing and bandwidth control are supported; H.323 slow start is required.
Video is preserved for the following features between video-capable devices:
H.450.2 call transfer
H.450.3 call forward
Cisco proprietary park/pickup and hold/resume
Video preservation is not supported for H.323 hairpin call flows, such as call transfer/forward between CCM and CME.

CME Video Fall Back to Audio Scenarios
Call between a video device and an audio-only device
Video codec or format mismatch
Available bandwidth less than the minimum video bit rate provisioned
Call transfer or forward to audio-only devices
Call transfer or forward between CME and CCM
Three-party ad hoc conference: only the audio RTP streams are mixed by CME

Forwarding Calls from Video Endpoints to CUE
For an H.323-to-SIP call forward, H.323 slow start is converted to SIP delayed media. CUE 2.2 does not support SIP delayed media, so an incoming H.323 call must be fast start before it is forwarded to CUE: CME must have a separate dial-peer for CUE with H.323 fast start enabled in order to forward H.323 calls from a video endpoint to CUE. This is not required for CUE 2.3 and above, where SIP delayed media is supported.

(Figure: the IP phone with CVTA reaches CME through the slow-start dial-peer; the fast-start dial-peer faces CUE.)

voice class h323 1
 call start slow
!
voice class h323 2
 call start fast
!
dial-peer voice 1 voip
 destination-pattern 100.
 voice-class h323 1
 session target ras
 incoming called-number 100.
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 2 voip
 ! separate dial-peer toward CUE with its own tag
 destination-pattern 200.
 voice-class h323 2
 session protocol sipv2
 session target ipv4:10.1.1.2
 incoming called-number 2000
 dtmf-relay sip-notify
 codec g711ulaw
 no vad

CUE Advanced Applications


Scenario 1: B-ACD with VM
(Figure: PSTN -> B-ACD AA -> ACD agent; on no answer / timeout -> CUE VM GDM.)
Greeting: "Thank you for calling Widget Systems. Press 1 for hardware related questions, press 2 for software related questions, press 3 for general questions."
Option 1 -> ephone-hunt 1, option 2 -> ephone-hunt 2, option 3 -> ephone-hunt 3; each hunt group forwards on no answer (noan) or timeout to the CUE general delivery mailbox (GDM).

Scenario 2: CUE AA, Hunt Groups and VM
(Figure: PSTN -> CUE AA -> CME hunt group -> hunt group member; on no answer / timeout -> CUE VM GDM.)
Greeting: "Thank you for calling Riverwood Clinic. Press 1 for Doctor X, press 2 for Doctor Y, press 3 for Doctor Z, or press 4 to reach the operator."
Options 1 to 4 -> ephone-hunt 1 to 4; each hunt group forwards on no answer (noan) or timeout to the CUE VM GDM.

Scenario 3: CUE AA as Main Menu, B-ACD as Sub-Menu and VM
(Figure: PSTN -> CUE AA main menu; option 1 -> B-ACD AA sub-menu -> ACD agent, on no answer / timeout -> CUE VM GDM; options 2 and 3 -> CUE announcements; option 4 -> dial by extension.)
Main menu: "Thank you for calling XYZ Depot. Press 1 for customer service, press 2 for store hours, press 3 for store location, or press 4 if you know the extension of the person you want to speak to."
Sub-menu (B-ACD): "Press 1 for general inquiries, press 2 to check the status of your purchase, press 3 for a refund." Option 1 -> ephone-hunt 1, option 2 -> ephone-hunt 2, option 3 -> ephone-hunt 3; each forwards on noan/timeout to the CUE VM GDM.
Announcements: "Store hours are from 9AM to 5PM." and "Our store is located at" (address elided on the slide).

Scenario 4: B-ACD as Main Menu, CUE AA as Sub-Menu/Announcement and VM
(Figure: PSTN -> B-ACD AA main menu; options 1 and 2 -> ephone-hunt 1 / ephone-hunt 2 -> ACD agent, on no answer / timeout -> CUE VM GDM; option 3 -> CUE announcement; option 9 -> CME B-ACD dial by extension.)
Main menu: "Thank you for calling Demo Electronics. Press 1 for computers, press 2 for other electronic products, press 3 for store hours/location, press 9 to dial by extension."
Announcement: "Store hours are from 9AM to 9PM, Monday to Saturday. We will be closed on Sundays and public holidays."

Configuration: CUE AA Script to Hand-Off to B-ACD
(Screenshot of the CUE script editor: a Call Redirect step transfers (redirects) the call to the CME B-ACD pilot number, which is held in a script variable.)

Configuration: CME B-ACD to CUE VMail

cme-router# show run
call application voice acd flash:app-b-acd-2.0.2.0.tcl
call application voice acd queue-len 30
call application voice acd queue-manager-debugs 1
call application voice acd aa-hunt1 1XX31
call application voice acd aa-hunt2 1XX32
call application voice acd number-of-hunt-grps 2
call application voice store-aa flash:app-b-acd-aa-2.0.2.0.tcl
call application voice store-aa second-greeting-time 30
call application voice store-aa max-time-call-retry 60
call application voice store-aa max-time-vm-retry 1
call application voice store-aa voice-mail 10171
call application voice store-aa call-retry-timer 20
call application voice store-aa handoff-string store-aa
call application voice store-aa service-name acd
call application voice store-aa aa-pilot 1XX30
call application voice store-aa number-of-hunt-grps 2
call application voice store-aa language 0 en
call application voice store-aa set-location en 0 flash:

Set the voice-mail parameter (10171 above) to the extension associated with the CUE GDM.

Integrated Messaging
(Figure: the CUE message store is reached four ways: the voicemail TUI over VoIP, VoiceView Express over HTTP/XML, e-mail notification over SMTP, and mail clients over IMAP.)
Integrated view of e-mail and voice mail: retrieve, delete and change the state of voice messages delivered as .wav attachments to e-mail.
IMAP per RFC 3501 (IMAP4rev1); message store and MWI synchronization; authentication (client login) via SSL.
Supported clients: Microsoft Outlook 2003, Outlook 2002, Outlook 2000, Outlook Express 6.0, IBM Lotus Notes 6.5 and Lotus Notes 6.

Example Integrated Messaging Client View
(Screenshot: the CUE mailbox appears as a single folder; unread messages in bold, read messages in plain text, a deleted message marked as such; each voice mail carries a .wav attachment.)
Note: screen and message appearance depend on client customization.

IMAP Operation
(Figure: IMAP client <-> IMAP server on CUE. CUE holds the primary (master) message store; the client keeps a secondary store of messages retrieved from CUE via IMAP.)
Login/authentication: the user ID and password are checked against CUE's internal LDAP; the login can be clear text or over SSL.
Retrieve messages, exchange/change message state, send messages.
Message state display (MWI and client message display) is kept synchronized.
A clear-text IMAP login sends the mailbox credentials across the network unprotected; use the SSL option unless the client and CUE share a trusted segment.

VoiceView Express (VVE) Overview
Visual voice mail: a visual (IP phone display) interface into a subscriber's voice mailbox.
Browse, listen and manage (save, delete, forward, reply, compose, send, etc.) new and saved voice mail messages.
Access voice messages out of sequence (e.g. based on their priority).
Sort messages by date/time, caller or sender name/number, or priority.
The user accesses VVE via the Services key on the IP phone; CUE acts as the XML server and sends screen updates to the phone via XML. The user interacts with the application via softkeys and the numeric keypad. Authentication is required.
When Play or Record is selected, the application initiates an RTP stream to the phone; the stream goes to the speakerphone, or the handset can be lifted.
Supported on Cisco 7940/41, 7960/61 and 7970/71 phones.

VoiceView Express Sample Screens
(Screenshots: invoking VVE, login, home page, message list summary showing read and unread, urgent and private messages, and detailed envelope information.)

VoiceView Express Sample Screens (Cont.)
(Screenshots: broadcast message listen, voice mail sort, update greetings, personal settings and zero-out number, GDM access, mailbox full notification, change PIN.)

IP Phone and Application Authentication
CUE hosts the primary authentication server:

cue(config)# service voiceview
cue(config-voiceview)# enable
cue(config-voiceview)# session idletimeout 10
cue(config)# service phone-authentication
cue(config-phone-authentication)# fallback-url <URL of the secondary authentication server>

cme-router(config)# telephony-service
cme-router(config-telephony)# url authentication http://<cue-address>/voiceview/authentication/authenticate.do

1. The phone authenticates with the services URL (http://<cue-address>/voiceview/common/login.do).
2. CUE evaluates the request and relays it on to a secondary server if it is not for VVE.
3. The application server hosts the secondary (fallback-url) authentication service.

CME/CUE Management


Managing Cisco Unified Communications
With the benefits of Cisco's broad range of IP communications products and services, effective management becomes key. Components to manage: Cisco CallManager, Cisco CallManager Express, Cisco Unity, Cisco Unity Express, Cisco Contact Center, Cisco Contact Center Express, Cisco MeetingPlace, IP phones, and infrastructure (gateways, gatekeepers, routers, switches).

Customized GUI Access
CME supports one customer admin account with customized access to the CME GUI.
Access is controlled by an XML template that specifies which menus are visible to the customer admin account.
The account can only be authenticated against the local account specified under telephony-service.
Supported in the CME GUI only.

CME GUI Features
Supported: after-hours call block, call park, date and time settings, dial-plan pattern, ephone and ephone-dn configuration, hunt group, intercom, IP phone service URLs, max phone/ephone-dn settings, night service (bell time, activation code), MoH file, phone speed dials and fast dials, user and group, voicemail and MWI, CUE AA configuration and management.
Not supported: 7911/41/61, ATA, VG224, B-ACD, COR, custom ringtones, dial-peer, file management, feature access codes, gatekeeper registration, primary/secondary CME, system speed dials (bulk, XML), TCL scripts (B-ACD, hookflash), transcoding, translation rules.
An enhanced CME GUI provisioning tool will be released in Q2 CY07.

Ease of Configuration: Quick Config Tool
Configures a factory-default router for CME, for deployments of 50 users or less.
Features: automatic hardware detection, BAT function, MAC address entry with a barcode scanner, basic dial-plan provisioning, automatic upload of the configuration via the console port, default parameters, online help.
To download the tool: http://www.cisco.com/cgibin/tablebuild.pl/cme-qct

Configuration Management via Spreadsheets
If you are inputting hundreds of lines of configuration through Cisco IOS and the item-to-item changes are very small, then spreadsheets saved as CSV files and modified in a word processor can make the modifications easy.
Components where spreadsheets may be applicable: ephones, ephone-dns, ephone-hunts, dial-peer statements.
This is not voice specific; it can be used for any portion of the configuration with a lot of repetition in it.

Configuration Management via Spreadsheets (Cont.)
Spreadsheets become CSV files, which become text files to load into Cisco IOS.
Notes:
CSV files need to have all quotes (") deleted.
If commas (,) are needed inside a field, replace them temporarily with a tilde (~).
In the word processor, replace each comma (,) with a line break (Find and Replace > More > Special > Manual Line Break).
In the final Cisco IOS text file, replace the tilde (~) with a comma (,).
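The same spreadsheet-to-configuration step done with a short script, as an added example that is not part of the deck: Python's csv module handles quoted commas itself, so the tilde workaround is unnecessary, and each cell is checked against a strict pattern before it is templated, because the generated text is pasted into privileged configuration mode and a stray newline or "!" in a spreadsheet cell would otherwise become a command of its own. The column names, the ephone/ephone-dn template and the sample rows are this example's assumptions.

```python
"""Generate CME ephone-dn / ephone configuration from a CSV export.

Added example, not from the Networkers deck. Column names, template and
sample rows are assumptions for the example.
"""
import csv
import io
import re

# Strict per-field patterns: the output is pasted into privileged config
# mode, so a cell containing a newline, "!" or other CLI text must be
# rejected rather than templated.
FIELD_RULES = {
    "tag": re.compile(r"[1-9][0-9]{0,3}"),                              # ephone / ephone-dn tag
    "mac": re.compile(r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"),  # dotted-hex MAC
    "number": re.compile(r"[0-9]{2,8}"),                                # extension
    "name": re.compile(r"[A-Za-z0-9 ,.'-]{1,30}"),                      # commas OK, CSV quotes them
    "type": re.compile(r"7940|7960|7941|7961|7970|7971"),
}

TEMPLATE = (
    "ephone-dn {tag}\n"
    " number {number}\n"
    " name {name}\n"
    "!\n"
    "ephone {tag}\n"
    " mac-address {mac}\n"
    " type {type}\n"
    " button 1:{tag}\n"
    "!\n"
)


def validate_row(row):
    """Return the row if every field fully matches its pattern, else raise ValueError."""
    for field, rule in FIELD_RULES.items():
        value = row.get(field) or ""
        if not rule.fullmatch(value):
            raise ValueError(f"row {row.get('tag')!r}: bad {field} {value!r}")
    return row


def render_config(csv_text):
    """Turn CSV text into IOS configuration lines, one ephone-dn/ephone pair per row."""
    out = []
    seen_tags = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = validate_row(row)
        if row["tag"] in seen_tags:
            raise ValueError(f"duplicate tag {row['tag']}")
        seen_tags.add(row["tag"])
        out.append(TEMPLATE.format(**row))
    return "".join(out)


# Constructed sample export; the quoted name contains a comma, which the
# word-processor procedure had to work around with a tilde.
SAMPLE_CSV = """tag,mac,number,name,type
1,0012.3456.789A,2001,"Smith, Ann",7960
2,0012.3456.789B,2002,Bob Jones,7941
"""

if __name__ == "__main__":
    print(render_config(SAMPLE_CSV))
```

The validation is the point: a spreadsheet is an untrusted input to a privileged configuration session, so every column is whitelisted by pattern and the tag is checked for duplicates before anything is emitted.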

CME Auto-Provisioning with Cisco CNS CE
(Figure: Cisco CNS CE at the hub site; CME routers at remote sites pull their configuration over HTTP.)
CME routers with a minimal bootstrap configuration can be provisioned from Cisco CNS Configuration Engine (CE) at the hub site.
Once the router is connected to the network, the CME configuration is downloaded automatically from the CNS server using HTTP.
The CME template is mapped to the router based on its MAC or IP address.
Because the template (which can carry passwords) is fetched over plain HTTP and the router is identified only by a MAC or IP address, the path between the remote router and the CNS CE should be a trusted one.

CNS Template Configuration
A template can be added manually or uploaded from a text file; unique variables such as hostname, passwords and extension numbers can be applied so that a common template serves multiple CME routers.
The template is defined in XML format; the XML parser built into Cisco IOS interprets it and applies the CME configuration to the router.

Cisco CallManager Express Management APIs
Syslog: basic notification of system issues; output is often redirected to a syslog server for parsing and analysis.
SNMP: advanced centralized management interface for provisioning, polling and alerting; often includes graphical reporting mechanisms as well.
SOAP/AXL: XML-based interface similar to the one used for Cisco CallManager; if your company is already using SOAP/AXL, that application could be expanded to include CallManager Express as well.

CME/SRST MIB Monitored Features
(Table with columns Feature, CME and SRST; the per-column check marks did not survive extraction.)
Features: alias, ephone (registered/unregistered/not configured), ephone-dn (state/active/call history), call blocking, COR, intercom, overlay-dn, MoH, night service, phone load information, SIP phone registration status, software version, speed dial/fast dials, TCL IVR, TAPI, user locale.

Commonly Used CME SNMP Traps and Notifications

Trap                            Reason                                                            Possible cause
ccmeStatusChangeNotif           CME started/shutdown, initialization failure                      Not enough memory, removing telephony-service config
ccmeEPhoneDeceased              IP phone keepalive expires                                        Phone disconnected from network, IP connectivity issues
ccmeEphoneUnRegThresholdExceed  Number of ephone unregisters exceeds threshold value              Ephone reset all, switch failure, IP connectivity issues
ccmeEPhoneRegFailed             Ephone associate failed: maximum phone count exceeded on socket   Number of IP phones attempting to register exceeds max-ephone
ccmeKeyEphoneRegChangeNotif     Phone registration state change                                   Phone reset, restart, loss of connectivity

CCME/SRST MIB Provisioning

CME:
snmp-server community public RO      ! set the read-only community string (public on the slide)
snmp-server enable traps ccme        ! enable CME SNMP notifications
snmp-server host 2.2.2.2 public      ! send SNMP notifications to 2.2.2.2

SRST:
snmp-server community public RO
snmp-server enable traps ccme        ! CCME and SRST share the ephone-related tables/traps, so ccme traps must be enabled
snmp-server enable traps srst        ! enable SRST SNMP notifications
snmp-server host 2.2.2.2 public

The community string public is the slide's example value. In production use a non-default string and restrict it with an access list (snmp-server community <string> RO <acl>): anyone who can reach the router with that string can read the phone and call tables.

CDR Collection
CDR records can be collected either through syslog or through RADIUS.
Syslog: a syslog server is required for collection; simpler to configure; harder to manage; UDP-based transport (unacknowledged, so records can be lost, and unauthenticated, so they can be spoofed on the wire).
RADIUS: external AAA devices are required to capture the information; configuration is more complex; easier to manage large amounts of data from multiple devices; reliable transport mechanism for the data.

Large Enterprise Deployments
(Figure: branch sites with Cisco CallManager Express, Cisco Unity Express and a Cisco 1040 sensor connect over the PSTN/PTT and WAN to a headquarters running Cisco CallManager, Cisco Unity, IPC Operations Manager and IPC Service Monitor, with further Cisco 1040 sensors.)

CME/SRST Management
CME in service-level views, with automatic recognition of SRST configuration.
Real-time alerts on CME hardware and software status.
Real-time service quality alerts on calls supported by CME/SRST.
Discovery of CME and its inventory details: version, maximum number of ephones, extensions, configuration; current status (CME enabled/disabled).
Phone details (phone status and status changes); phone utilization (% of ephones registered, key ephones registered).
Synthetic tests (phone registration, dial tone, end-to-end call).
SNMP traps processed.

CUE Management
Current status (CUE VM up/down).
Mailbox status, mailbox usage and mailbox capacity details.
Mailbox details (message count, message length, greeting, active sessions).
Mailbox utilization (% orphaned, sessions used, free capacity, messages, busy mailboxes).
Synthetic tests (message waiting indicator test).
SNMP traps processed.

Q and A


Summary


Summary: What Did We Cover?
CME/CUE Security: commonly used ports, firewall design, toll restriction and authentication
CME Remote Teleworker: call flows, codec considerations and recommended designs
CME Video: supported deployments, bandwidth requirements and supplementary features interoperability
CUE Advanced Applications: B-ACD interoperability, IMAP integration, VoiceView Express (VVE)
CME/CUE Management: day-one setup, day-two provisioning tools, SNMP monitoring, CDR collection
Updates and errata will be posted at: ftp://ftp-eng.cisco.com/tesaka/vvt-2106/

Recommended Reading
Continue your Networkers learning experience with further reading for this session from Cisco Press; check the Recommended Reading flyer for suggested books.
Cisco Voice Gateways and Gatekeepers [1-58705-258-X]
Cisco CallManager Fundamentals, Second Ed. [1-58705-192-3]
Voice over IP Fundamentals, Second Ed. [1-58705-257-1]
Cisco IP Communications Express: Cisco CallManager Express with Cisco Unity Express [1-58705-180-X]
Available onsite at the Cisco Company Store.

Complete Your Online Session Evaluation
Win fabulous prizes; give us your feedback. Receive ten Passport Points for each session evaluation you complete. Go to the Internet stations located throughout the Convention Center to complete your session evaluation.
Drawings will be held in the World of Solutions: Tuesday, June 20 at 12:15 p.m.; Wednesday, June 21 at 12:15 p.m.; Thursday, June 22 at 12:15 p.m. and 2:00 p.m.

Related Sessions
RST-2454: Cisco ISR Architecture
CRT-2203: GWGK Exam Preparation: Implementing Gateways
CRT-2204: GWGK Exam Preparation: Implementing Gatekeepers and IP-to-IP Gateways
TEC-VVT1: Enterprise IP Telephony Design and Deployment
TEC-VVT2: Session Initiation Protocol
VVT-1001: Intro to IP Telephony or VoIP for the Enterprise
VVT-2000: Intermediate Voice and Video Control Protocols: H.323
VVT-2008: Understanding Cisco CallManager Dial Plan Functionality

Related Sessions (Cont.)
VVT-2015: Interconnection of Voice and Video Networks Using the Cisco Multiservice IP-to-IP Gateway
VVT-2101: Designing and Deploying IP-Based Audio and Web Conferencing Solutions
VVT-2105: Call Admission Control Design for the Enterprise Wide Area Network
VVT-2014: Designing Cisco CallManager Express and Cisco Unity Express Network Architecture

References (1)
Cisco Unified CME System Administrator Guide: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_administration_guide_book09186a00805f262e.html
Cisco Unified CME Command Reference: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_command_reference_book09186a00805b6c70.html
Cisco Unity Express Documentation Roadmap: http://www.cisco.com/en/US/products/sw/voicesw/ps5520/products_documentation_roadmap09186a00803f3e19.html
Cisco Unity Express Design Guides: http://www.cisco.com/en/US/products/sw/voicesw/ps5520/products_implementation_design_guide_book09186a008049e616.html
General CME and CUE Information: http://www.cisco.com/go/ccme

References (2)
Cisco Unified CME B-ACD and Tcl Call-Handling Applications: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_configuration_guide_book09186a00805f22ca.html
Cisco CallManager Express SNMP MIB Support: http://www.cisco.com/univercd/cc/td/doc/product/voice/its/cme34/cme34mib/ccme_mib.htm#wp1007750
Cisco Unity Express SNMP MIB Support: http://www.cisco.com/en/US/products/sw/voicesw/ps5520/products_mib_quick_reference_chapter09186a00805fdc77.html
RADIUS VSA Voice Implementation Guide: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm
Cisco CME Basic Automatic Call Distribution and Cisco Unity Express Auto Attendant Interoperation Configuration Example: http://www.cisco.com/en/US/products/sw/voicesw/ps5520/products_configuration_example09186a0080566c4a.shtml

Supplemental Slides


G.729 Supplementary Services
Paging: if any of the calling or called phones are set to G.729, all page recipients receive G.729; otherwise the page defaults to G.711.
Shared line: if any of the phones using the shared line are set to G.729, all phones receive G.729; if a G.729 call is put on hold and picked up by a phone set to G.711, the call remains G.729.
Park: if a G.729 call is parked, it remains G.729 even if it is picked up by a G.711 phone; if a G.711 call is parked, it converts to G.729 if it is picked up by a G.729 phone.

Toll Restriction: Forced Authorization Code
(Figure: the user dials an external number; CME hands the call to the FAC TCL script, which authenticates the PIN against a RADIUS server. PIN authorized: the call is routed to the POTS or VoIP dial-peer toward the PSTN/VoIP. PIN not authorized: the call is disconnected.)
The Forced Authorization Code script prompts the user for a PIN on outbound calls to the PSTN/VoIP.
If the PIN is authorized, the call is allowed; if the PIN is not authorized, the call is dropped.
The FAC script can receive authorization from an external RADIUS server (recommended) or from user accounts defined locally on CME.

Toll Restriction: Forced Authorization Code (Cont.)

dial-peer voice 1 voip
 service acctfixedpin
 destination-pattern 91.
 session target ipv4:11.1.1.1
 incoming called-number 91.
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
!
dial-peer voice 2 pots
 corlist outgoing FAC-required
 destination-pattern 91.
 port 0/0/0

After-hours blocking (figure with three IP phones): a phone under normal after-hours blocking has numbers starting with 91 or 91900 blocked; an after-hours-exempt phone has no numbers blocked; a phone after PIN entry has only numbers starting with 91900 blocked.
After-hours exempt exempts an IP phone from all after-hours blocking.
After-hours PIN override suspends the after-hours block when the user enters a four- to eight-digit PIN; block patterns configured with the 7-24 keyword are still enforced even after PIN entry.
The after-hours suspension stays in effect until the login timeout expires.
The PIN is defined per IP phone.

Toll Restriction: Forced Authorization Code Logic
(Figure: IP phone, CME running the FAC TCL script, outbound dial-peer toward the PSTN/VoIP.)
1. The user dials a phone number.
2. CME routes the call to the FAC script.
3. The FAC script plays a prompt to the IP phone requesting the PIN.
4. The user enters the PIN.
5. The FAC script authenticates the PIN with CME.
6. CME authorizes the PIN.
7. The FAC script joins the call from the IP phone to the outbound dial-peer.
8. The call is established between the IP phone and the outbound dial-peer.

Toll Restriction: Class of Restriction for Non-IP Phones
(Figure: an analog phone (extension 5555) and CUE (extension 7777) each enter CME through an incoming dial-peer carrying an incoming COR list; the outgoing POTS dial-peer toward 845. carries the outgoing COR list call845.)

dial-peer cor list FAX
 member 911
 member 408
 member 845
!
dial-peer cor list Office
 member 911
 member 408
!
dial-peer cor list call845
 member 845
!
dial-peer voice 10 pots
 corlist incoming FAX
 port 0/0/0
!
dial-peer voice 3 pots
 corlist outgoing call845
 destination-pattern 845.
 port 1/0/0
!
dial-peer voice 11 voip
 corlist incoming Office
 session protocol sipv2
 session target ipv4:10.1.10.2
 dtmf-relay sip-notify
 no vad

Call from the analog phone (incoming COR list FAX) to 845.: allowed, because member 845 is present in both the incoming and the outgoing COR list.
Call from CUE (incoming COR list Office) to 845.: blocked, because no member of the outgoing COR list is found in the incoming COR list.
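A small model of the COR check, as an added example that is not from the deck and not CME code: the general rule CME applies is that the incoming dial-peer's COR list must contain every member of the outgoing dial-peer's COR list (the slide's single-member list call845 is one instance of it), and a dial-peer with no COR list in either direction is unrestricted; a dial-peer that fails the check is simply skipped during dial-peer matching. The COR lists are the ones on the slide; the route() helper, the unrestricted emergency peer and the dialed numbers are assumptions for the example.

```python
"""Class of Restriction (COR) evaluation, added example (not CME code).

COR lists and the 845. outgoing peer are from the slide; the route()
helper, the emergency peer and the dialed numbers are assumptions.
"""


def cor_allows(incoming_members, outgoing_members):
    """Return True if a call arriving through a dial-peer with the incoming
    COR list may leave through a dial-peer with the outgoing COR list.

    Rules (Cisco IOS COR):
      - no COR list on the outgoing dial-peer: always allowed
      - no COR list on the incoming dial-peer: always allowed
      - otherwise the incoming list must contain every member of the
        outgoing list (incoming is a superset of outgoing)
    """
    if outgoing_members is None or incoming_members is None:
        return True
    return set(outgoing_members) <= set(incoming_members)


# COR lists from the slide
COR_LISTS = {
    "FAX": {"911", "408", "845"},
    "Office": {"911", "408"},
    "call845": {"845"},
}

# Outgoing dial-peers reduced to what COR needs; matching is by prefix of
# the dialed number, in list order. Peer 99 (no COR list) is assumed.
OUTGOING_PEERS = [
    {"tag": 3, "corlist": "call845", "pattern": "845"},  # POTS toward 845.
    {"tag": 99, "corlist": None, "pattern": "911"},      # unrestricted emergency peer (assumed)
]


def route(incoming_corlist, dialed):
    """Return the tag of the first outgoing dial-peer whose pattern matches
    the dialed number and whose COR check passes, or None if the call is
    blocked. A peer that fails COR is skipped, not a hard stop."""
    inc = COR_LISTS[incoming_corlist] if incoming_corlist else None
    for peer in OUTGOING_PEERS:
        if not dialed.startswith(peer["pattern"]):
            continue
        out = COR_LISTS[peer["corlist"]] if peer["corlist"] else None
        if cor_allows(inc, out):
            return peer["tag"]
    return None


if __name__ == "__main__":
    for corlist, number in [("FAX", "8451234"), ("Office", "8451234"), ("Office", "911"), (None, "8451234")]:
        print(corlist, number, "->", route(corlist, number))
```

The last case in the usage loop is the one to watch when hardening: an incoming dial-peer with no corlist incoming is unrestricted, so the analog-phone POTS peer and the VoIP peer facing CUE (which carries CUE-originated transfers) both need an incoming COR list, not just the outgoing PSTN peers.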

Key Management Attributes

Metric: Call Completion Rate
  Rationale: overall percentage of successful, failed and abandoned calls
  Syslog: VoIP CDR syslogs, %VOIPAAA-5-VOIP_CALL_HISTORY
  SNMP OID: n/a   SNMP trap: n/a   XML API call: n/a

Metric: Flapping Ephone Registrations
  Rationale: network- or software-related events can cause flapping IP phone registrations
  Syslog: n/a   SNMP OID: n/a   SNMP trap: n/a
  XML API call: ISgetDevEvts

Metric: Number of Ephone Registrations per CME
  Rationale: overall registration count per CME; can also be set as a trap based on a threshold
  Syslog: n/a
  SNMP OID: ccmeEphoneUnRegThreshold   SNMP trap: ccmeEphoneUnRegThresholdExceed
  XML API call: ISgetGlobal

Metric: Overall Call Volume per CME
  Rationale: a basic metric which, if accurately measured, can be used to compare against the bill provided by the telco
  Syslog: n/a
  SNMP OID: various objects under the CALL-HISTORY-MIB   SNMP trap: n/a   XML API call: n/a

Metric: PSTN Trunk Utilization
  Rationale: utilization is available for various modes of interconnect including ISDN PRI, T1 CAS, FXO, FXS, etc.
  Syslog: n/a
  SNMP OID: cpmDS0OperStatus, cvaIfFXSCfgSignalType, cvaIfFXSHookStatus, cvIfCfgEchoCancelEnable   SNMP trap: n/a   XML API call: n/a

Key Management Attributes (2)

Metric: CME Ephone Health
  Rationale: anomaly messages which CME communicates back to the NMS station regarding ephones
  Syslog: IPPHONE-6-REGISTER_NEW, IPPHONE-6-UNREGISTER_ABNORMAL
  SNMP OID: n/a   SNMP trap: ccmeEPhoneDeceased, ccmeEPhoneRegFailed   XML API call: n/a

Metric: Real-Time Query for Ephones' Current and Historical Status
  Rationale: pull up the current status of the extension and the historical (line up/line down) events related to it
  Syslog: n/a   SNMP OID: n/a   SNMP trap: n/a
  XML API call: ISgetDevice

Metric: T1 Controller Health
  Rationale: T1 health information
  Syslog: CONTROLLER-2-CRASHED, CONTROLLER-2-FIRMWARE, CONTROLLER-5-CALLDROP, CONTROLLER-5-DOWNDETAIL, CONTROLLER-5-UPDOWN [threshold: 5 times/hr]
  SNMP OID: n/a   SNMP trap: linkDown   XML API call: n/a

Metric: Automating CME Provisioning via XML, Ephone Inventory [reporting]
  Rationale: automating CME provisioning is possible through the XML interface; useful for inventory reporting per store
  Syslog: n/a   SNMP OID: n/a   SNMP trap: n/a
  XML API call: ISexecCLI, ISgetDevice, ISsetKeyPhones
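The two syslog-based metrics in these tables computed over sample log lines, as an added example that is not part of the deck: the call completion rate from %VOIPAAA-5-VOIP_CALL_HISTORY CDRs (the syslog collection path described under CDR Collection) and ephone registration flapping from the IPPHONE-6-REGISTER_NEW / UNREGISTER_ABNORMAL messages. The sample lines are constructed for this example; the year prepended to the syslog timestamps, the outcome classification and the flapping thresholds are assumptions.

```python
"""Call completion rate and registration flapping from CME syslog.

Added example, not from the deck. Message shapes follow the
%VOIPAAA-5-VOIP_CALL_HISTORY and %IPPHONE-6-* messages named on the
slides; the sample lines are constructed and the thresholds assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines (hostnames, IDs and numbers are invented)
SAMPLE_SYSLOG = """\
Mar 12 10:08:35 cme-router 101: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 8CBC0DB3 3EBA11DC 9E81A1D2 32364EA3, SetupTime 10:08:14.380 UTC Mon Mar 12 2007, PeerAddress 4085551000, PeerSubAddress , DisconnectCause 10, DisconnectText normal call clearing (16), ConnectTime 10:08:16.590 UTC Mon Mar 12 2007, DisconnectTime 10:08:35.000 UTC Mon Mar 12 2007, CallOrigin 2, ChargedUnits 0, InfoType speech, TransmitPackets 913, TransmitBytes 146080, ReceivePackets 927, ReceiveBytes 148320
Mar 12 10:09:02 cme-router 102: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 8CBC0DB4 3EBA11DC 9E81A1D2 32364EA3, SetupTime 10:08:50.100 UTC Mon Mar 12 2007, PeerAddress 4085551001, PeerSubAddress , DisconnectCause 11, DisconnectText user busy (17), ConnectTime , DisconnectTime 10:09:02.000 UTC Mon Mar 12 2007, CallOrigin 2, ChargedUnits 0, InfoType speech, TransmitPackets 0, TransmitBytes 0, ReceivePackets 0, ReceiveBytes 0
Mar 12 10:09:40 cme-router 103: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 1, ConnectionId 8CBC0DB5 3EBA11DC 9E81A1D2 32364EA3, SetupTime 10:09:20.000 UTC Mon Mar 12 2007, PeerAddress 4085551002, PeerSubAddress , DisconnectCause 10, DisconnectText normal call clearing (16), ConnectTime , DisconnectTime 10:09:40.000 UTC Mon Mar 12 2007, CallOrigin 2, ChargedUnits 0, InfoType speech, TransmitPackets 0, TransmitBytes 0, ReceivePackets 0, ReceiveBytes 0
Mar 12 10:10:01 cme-router 104: %IPPHONE-6-REGISTER_NEW: ephone-7:SEP001122334455 IP:10.1.110.17 Socket:3 DeviceType:Phone has registered.
Mar 12 10:10:31 cme-router 105: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-7:SEP001122334455 IP:10.1.110.17 Socket:3 DeviceType:Phone has unregistered abnormally.
Mar 12 10:11:05 cme-router 106: %IPPHONE-6-REGISTER_NEW: ephone-7:SEP001122334455 IP:10.1.110.17 Socket:4 DeviceType:Phone has registered.
Mar 12 10:11:35 cme-router 107: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-7:SEP001122334455 IP:10.1.110.17 Socket:4 DeviceType:Phone has unregistered abnormally.
Mar 12 10:12:10 cme-router 108: %IPPHONE-6-REGISTER_NEW: ephone-7:SEP001122334455 IP:10.1.110.17 Socket:5 DeviceType:Phone has registered.
Mar 12 10:12:15 cme-router 109: %IPPHONE-6-REGISTER_NEW: ephone-8:SEP001122334466 IP:10.1.110.18 Socket:6 DeviceType:Phone has registered.
"""

CDR_RE = re.compile(r"%VOIPAAA-5-VOIP_CALL_HISTORY: (?P<body>.*)$")
PHONE_RE = re.compile(r"%IPPHONE-6-(?P<event>REGISTER_NEW|UNREGISTER_ABNORMAL): (?P<ephone>ephone-\d+):")
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")
SYSLOG_YEAR = "2007"  # syslog timestamps carry no year; assumed here


def parse_cdr(body):
    """Split 'Key value, Key value, ...' into a dict; values may be empty
    (PeerSubAddress, ConnectTime) or contain spaces (ConnectionId, times)."""
    fields = {}
    for item in body.split(", "):
        key, _, value = item.partition(" ")
        fields[key] = value.strip()
    return fields


def classify_call(cdr):
    """completed: a ConnectTime is present; abandoned: never answered and
    cleared normally (caller gave up); failed: never answered, any other
    cause. DisconnectCause is hex; the decimal Q.931 cause is taken from
    the parenthesised DisconnectText when present. (Classification is an
    assumption of this example.)"""
    if cdr.get("ConnectTime"):
        return "completed"
    m = re.search(r"\((\d+)\)", cdr.get("DisconnectText", ""))
    cause = int(m.group(1)) if m else int(cdr.get("DisconnectCause", "0"), 16)
    return "abandoned" if cause == 16 else "failed"


def call_completion(lines):
    """Return (Counter of outcomes, completion rate as a fraction of all CDRs)."""
    counts = Counter()
    for line in lines:
        m = CDR_RE.search(line)
        if m:
            counts[classify_call(parse_cdr(m.group("body")))] += 1
    total = sum(counts.values())
    return counts, (counts["completed"] / total if total else 0.0)


def flapping_phones(lines, window_s=300, min_abnormal=2):
    """ephones with at least min_abnormal abnormal unregisters inside a
    window_s-second span (threshold values are an assumption)."""
    events = defaultdict(list)
    for line in lines:
        m = PHONE_RE.search(line)
        tm = TS_RE.match(line)
        if m and tm:
            ts = datetime.strptime(SYSLOG_YEAR + " " + tm.group("ts"), "%Y %b %d %H:%M:%S")
            events[m.group("ephone")].append((ts, m.group("event")))
    flapping = []
    for ephone, evs in events.items():
        drops = sorted(t for t, e in evs if e == "UNREGISTER_ABNORMAL")
        if len(drops) >= min_abnormal and (drops[-1] - drops[0]).total_seconds() <= window_s:
            flapping.append(ephone)
    return sorted(flapping)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    counts, rate = call_completion(lines)
    print(dict(counts), f"completion rate {rate:.0%}")
    print("flapping:", flapping_phones(lines))
```

Because the CDRs arrive over unauthenticated UDP syslog, the parser treats every field as untrusted text (no eval, no shell), and a completion-rate drop or a burst of abnormal unregisters is a prompt to check the device over SNMP or the XML API rather than a verdict on its own.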

Operations Manager
Real-time alerting on IPC components and IP infrastructure.
Real-time service quality (voice quality) alerts and details.
Phone and device inventory reports (SCCP and SIP): phone status, phone tracking.
Context-based launching of other CiscoWorks tools.
Support for CCM (5.0/4.2/4.x/3.x), Unity, Unity Connection, CME, CUE, MeetingPlace Express, IPCC, IPCCE, gateways, routers, switches, phones and applications (CCC, CER, PA, ...).

Service Monitor: Integrated Diagnostics Linked to Monitoring and Proactive Testing
Replicate end-user activities (SCCP and SIP): end-to-end call (signaling and RTP), phone registration, dial tone, message waiting indicator, conference, emergency call.
Replicate voice traffic (IP SLA/SAA based): quality/latency/jitter/packet loss, RTP traffic streams, gateway registration.
(Figure: end-to-end testing (signaling + data path) and node-to-node testing (IP SLA) across the WAN, with voice gateways toward the PSTN.)

CME Bootstrap Configuration

interface FastEthernet0/0
 ip address 128.107.150.29 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 128.107.150.1
!
cns id FastEthernet0/0 mac-address
cns id FastEthernet0/0 mac-address event
cns config initial 192.168.94.163 event

The cns id commands define the identity the router presents to the CE server; in the example the MAC address of the FastEthernet interface is used as both the config ID and the event ID.
The cns config command specifies the CE server address.

CNS Device Configuration
(Screenshot of the CNS CE device entry.) The CME router is mapped to a configuration template in the CNS CE database; the CNS event ID and CNS config ID should match the MAC address of the interface specified in the bootstrap configuration.

Service Monitor
A two-component solution that monitors, evaluates and reports voice quality for actual calls.
Sensor (Cisco 1040): real-time monitoring of voice quality for actual calls; R-factor and MOS for every 60-second interval; built-in system-level availability and redundancy; easily installs and configures itself just like a Cisco IP phone; uses a switch SPAN port.
Server: real-time alerting with details; analysis and archival based on MOS thresholds; integrates with OM or a Manager of Managers.

ManageExpress Screenshots
(Two slides of ManageExpress screenshots; no text content.)

CME Video Show Command Outputs

show call active video (excerpt, one call leg only):
  VIDEO: VideoCap_Codec=H263 VideoCap_Format=CIF ...
  VideoUsedBandwidth=2560

show call active video compact:
  SRST-2821#show call active video compact
  <callID>  A/O FAX T<sec> Codec     type        Peer Address  IP R:
  Total call-legs: 2
  2458 ANS       T282 g711ulaw  TELE-VIDEO  P1003
  2459 ORG       T282 g711ulaw  TELE-VIDEO  P1004

TELE: Audio Only; TELE-VIDEO: Audio/Video

Voice Performance Statistics in 12.3(4)T

Collecting, archiving, and displaying call statistics from the PSTN/IP interfaces of gateways at a user-defined interval
Counts of RADIUS accounting messages
Displaying the signaling statistics at different aggregation levels
Archiving the statistics on a console, or sending/formatting them to a TFTP or syslog server
Displaying the available/used memory for collection of records
Specifying thresholds for lost packets, packet jitter and latency
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2ac1.html

CME XML APIs

Introduced in CME 3.0
CME XML APIs between CME and the NMS: phone/extension monitoring, configuration changes
CME XML monitoring support is implemented in several SOAP (Simple Object Access Protocol) messages
AXL: AVVID XML Layer
Session layer protocol is HTTP; the HTTP payload is encapsulated in SOAP
Test AXL/SOAP using xml-test.html
Polling requests from the NMS are sent in clear text
NetIQ Vivinet Manager or AppManager for CME is the first NMS solution that has leveraged this capability

XML APIs: Functions

Monitoring and Performance: get static information, get dynamic information, mark IP phone for special care (keyphone)
Configuration/provisioning: execute CLI

XML Developers Guide: http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_programming_reference_guide09186a00801c5fab.html

CME Phone Authentication Features

Supports secure SCCP signaling through TLS
Generates a Certificate Trust List (CTL) which contains public key information for Cisco IOS CME, TFTP and the Certificate Authority Proxy Function (CAPF)
Provisions certificates for IP phones
Data integrity (digital signatures) for config files
Requires advipservicesk9 or adventerprisek9 images
Supported on 7940/7960/7970/7971 running 7.X firmware and above, and on all versions of 7911/7941/7961

Phone Authentication Caveats

Media is unencrypted (SRTP support in Q2CY06)
An external TFTP server is not supported in CME when security is enabled
cnf-file perphone must be enabled
Auto registration of IP phones must be disabled when security is enabled
Once an authenticated phone registers to CME, a factory reset is required to register the phone to another CCM/CME

IPsec Through NAT/PAT: Provides for Dynamic NAT/PAT for IPsec

[Diagram: teleworker router 192.168.10.7 (address via DHCP) behind a NAT/PAT router whose WAN address xx.74.162.156 comes via DHCP or PPPoE; IPsec tunnel to xx.102.223.4; 10.1.81.0/24 via DHCP]

rtr-vpn-1750#show ip nat trans | incl esp
esp xx.74.162.156:0  192.168.10.7:A336AEF0  xx.102.223.4:0  xx.102.223.4:0
esp xx.74.162.156:0  192.168.10.7:0         xx.102.223.4:0  xx.102.223.4:67785E

Residential DSL providers bundle a DSL router/firewall with the service
Cable subscribers install third-party Ethernet/Ethernet router/firewalls
However, not all implementations properly support this function
An IPsec transform set which includes AH will fail, because the IP header is hashed
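The last caveat above is the one that bites teleworker deployments: AH's integrity check covers the outer IP addresses, ESP's does not. The following is an added, constructed demonstration (not Cisco code and not from the slides): it builds a minimal AH and ESP packet with HMAC-SHA1-96, passes each through a NAT source-address rewrite, and shows that only the ESP packet still verifies. The key, payload and public addresses (documentation ranges, since the slide masks its own) are placeholders; 192.168.10.7 and the SPI come from the slide.

```python
"""Constructed demo (not Cisco code): an AH transform set fails behind NAT/PAT
while ESP survives.  AH's HMAC covers the IP header minus its mutable fields
(RFC 2402); ESP's HMAC covers only the ESP header and payload."""
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-integrity-key"         # placeholder, not a real key
PAYLOAD = b"\x80\x00" + b"\x00" * 10 + b"audio"  # constructed upper-layer data
SPI = 0xA336AEF0                                 # SPI seen in the NAT table above

def checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))          # IPv4 header checksum
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def icv(data):                                   # HMAC-SHA1-96 integrity value
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_hashed_view(ip_hdr):
    """Zero the mutable fields AH skips: TOS, flags/frag offset, TTL, checksum.
    Source and destination addresses are NOT mutable, so a NAT rewrite breaks it."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00" * 3
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:])

def build_ah(src, dst, seq=1):
    ah_hdr = struct.pack("!BBHII", 17, 4, 0, SPI, seq)  # next=UDP, len=4 words
    ip_hdr = ipv4_header(src, dst, 51, 24 + len(PAYLOAD))
    tag = icv(ah_hashed_view(ip_hdr) + ah_hdr + b"\x00" * 12 + PAYLOAD)
    return ip_hdr + ah_hdr + tag + PAYLOAD

def verify_ah(pkt):
    ip_hdr, ah_hdr, tag, data = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(tag, icv(ah_hashed_view(ip_hdr) + ah_hdr + b"\x00" * 12 + data))

def build_esp(src, dst, seq=1):
    body = struct.pack("!II", SPI, seq) + PAYLOAD    # ESP header + payload
    return ipv4_header(src, dst, 50, len(body) + 12) + body + icv(body)

def verify_esp(pkt):
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))

def nat_rewrite_source(pkt, new_src):
    """What the DSL/cable NAT router does: swap the source address, fix checksum."""
    hdr = pkt[:10] + b"\x00\x00" + socket.inet_aton(new_src) + pkt[16:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[20:]

# Public addresses below are constructed documentation addresses (slide masks its own).
def ah_ok_after_nat():
    return verify_ah(nat_rewrite_source(build_ah("192.168.10.7", "198.51.100.4"), "203.0.113.4"))
def esp_ok_after_nat():
    return verify_esp(nat_rewrite_source(build_esp("192.168.10.7", "198.51.100.4"), "203.0.113.4"))
```

Both packets verify before the rewrite; after it, ah_ok_after_nat() is False and esp_ok_after_nat() is True, which is why the transform set for a teleworker behind NAT/PAT should use ESP only.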

SRST Video Support

CVTA supported with SRST 4.0, 12.4(4)XC

call-manager-fallback
 video
  maximum bit-rate 384
 max-conferences 16 gain -6
 transfer-system full-consult
 ip source-address 20.1.1.1 port 2000
 max-ephones 52
 max-dn 110