Not a fully formed note/post yet. Just some notes and links.
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/cliparse.html#wp5286
http://hackathology.blogspot.com/2007/04/cisco-ios-cli-regular-expressions-part.html
http://hackathology.blogspot.com/2007/02/basic-cisco-ios-router-management-to.html
http://www.handsomeplanet.com/archives/7
Friday, May 21, 2010
Cisco VPN PSK Decryption
Had a customer today who needed their Cisco IPSec VPN pre-shared key. The problem is we didn't keep that information for their VPN account (only for our own) and the password is stored encrypted on the ASA.
I can reset their PSK easily, but then the other computers that are already deployed with the existing PSK will need to be reconfigured.
The Group Name, IP and PSK are all stored in a profile file (.pcf) on computers that are already configured. The PSK is encrypted. However, the encryption used for the PSK is very easily crackable.
Here's How:
1) Locate the profile (.pcf) file for your connection entry. This should be located at C:\Program Files\Cisco Systems\VPN Client\Profiles\ENTRYNAME.pcf.
2) Open the profile with a text editor.
3) Look for the line that begins with enc_GroupPwd=
4) Grab the string of characters that follow the = sign.
5) Input the characters into the Encrypted User/Group Password: field on this website.
6) Hit decode. Use the retrieved password to setup the remaining machines.
Here is an example of the encrypted password:
enc_GroupPwd=B54080BC72B142E7F537A9A2080C940D4B953BA6AE47C952C42C60C4C0EF69D6D8FA1E3E76038450E27724D29D851301CE97DF962667FD7A
Links:
http://coreygilmore.com/projects/decrypt-cisco-vpn-password/
I can reset their PSK easily, but then the other computers that are already deployed with the existing PSK will need to be reconfigured.
The Group Name, IP and PSK are all stored in a profile file (.pcf) on computers that are already configured. The PSK is encrypted. However, the encryption used for the PSK is very easily crackable.
Here's How:
1) Locate the profile (.pcf) file for your connection entry. This should be located at C:\Program Files\Cisco Systems\VPN Client\Profiles\ENTRYNAME.pcf.
2) Open the profile with a text editor.
3) Look for the line that begins with enc_GroupPwd=
4) Grab the string of characters that follow the = sign.
5) Input the characters into the Encrypted User/Group Password: field on this website.
6) Hit decode. Use the retrieved password to setup the remaining machines.
Here is an example of the encrypted password:
enc_GroupPwd=B54080BC72B142E7F537A9A2080C940D4B953BA6AE47C952C42C60C4C0EF69D6D8FA1E3E76038450E27724D29D851301CE97DF962667FD7A
Links:
http://coreygilmore.com/projects/decrypt-cisco-vpn-password/
Thursday, May 13, 2010
Cisco CLI - Show Command Section Filter and Other CLI Shortcuts
One of the most useful Cisco show filters ever is the new(ish) section filter. This lets you view information from the section you specify. For example, show run | section include ephone 12 will return all the config lines in the running config which pertain to your ephone 12. The section command (like all Cisco show command filters) is case sensitive and doesn't allow tab completions or etc - you need to type exactly what you're looking for (or at least the beginning of what you're looking for).Note that per one site: "Cisco considers a section to be a line with no leading blank and includes all lines following it until the start of the next section."
Verifying the changes is where the section filter can really be helpful. Rather than getting a complete new copy of the config and sifting through it, just do a sh run | s i whatever I'm looking for. On major changes, I will always save the starting configs and the ending configs and compare them with WinMerge. However, the section command works very well to make sure everything is going well as I make each change.
So overall, the section command filter is a great shortcut. However, if you are looking for data on an interface, you should use show run interface. This method will allow for tabbed completions, abbreviations and isn't case sensitive so it is faster and better for this type of work than the section filter. It won't work with the variety of items that the section command will though.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtshfltr.html
http://www.techexams.net/forums/ccna-ccent/37408-show-run-section.html
http://cciepursuit.wordpress.com/2007/07/17/must-use-command-filtering-output-with-the-section-command/
http://www.nil.com/C1256F0A00429755/html/EnhanceIOSUI/
Cisco Documentation:
show
! awesome. Now I don't have to filter through the config looking for the ephone 12 config.When I first start working on a router, I'll usually grab a copy of the running config and throw it into a txt file. Then I search through it for whatever I want. Once I find the relevant pieces, I'll copy them over to a new text file and prep the changes I want to make. Then I'll apply the changes to the router.
2821#sh run | s i ephone 12
ephone 12
device-security-mode none
description Ryan IP Communicator
video
mac-address 0023.AE7F.0000
type CIPC
button 1:2 2:10
2821#
! term len 0 sets the terminal length to no pauses so you can get the complete config at once.
Rtr#term len 0
Rtr#sh run
! now do a copy all to clipboard from putty and paste into a text document.
Verifying the changes is where the section filter can really be helpful. Rather than getting a complete new copy of the config and sifting through it, just do a sh run | s i whatever I'm looking for
So overall, the section command filter is a great shortcut. However, if you are looking for data on an interface, you should use show run interface
! annoying because I had to type this all the way out and even capitalize it correctlyShow Section Command Filter Links
2821#sh run | s i interface GigabitEthernet0/0
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
! less annoying - just do sh run int and use tab completion or abbreviations like you normally would.
2821#sh run int gigabitEthernet 0/0
Building configuration...
Current configuration : 92 bytes
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
end
2821#
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtshfltr.html
http://www.techexams.net/forums/ccna-ccent/37408-show-run-section.html
http://cciepursuit.wordpress.com/2007/07/17/must-use-command-filtering-output-with-the-section-command/
http://www.nil.com/C1256F0A00429755/html/EnhanceIOSUI/
Cisco Documentation:
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
show section
To filter the output of a show command to match a given expression as well as any lines associated with that expression, use the show command section command in privileged EXEC mode.
show command | section [include | exclude] regular-expression
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
In many cases, it is useful to filter the output of a show command to match a specific expression. Filtering provides some control over the type and amount of information displayed by the system. The show section command provides enhanced filtering capabilities by matching lines in the show command output containing specific expressions as well as matching any entries associated with those expressions. Filtering is especially useful, for example, when displaying large configuration files using the show running-configuration command or the show interfaces command.
If the include or exclude keyword is not specified, include is the default.
If there are no associated entries for an expression, then only the line matching the expression is displayed.
Examples
The following examples compare the filtering characteristics of the show running-config | include command with the show running-config | section command. The first example gathers just the lines from the configuration file with "interface" in them.
Router# show running-config | include interface
interface Ethernet0/0 interface Ethernet1/0 interface Serial2/0 interface Serial3/0
The next example uses the show command section command to gather the lines in the configuration file with "interface" in them as well as any lines associated with those entries. In this example, interface configuration information is captured.
Router# show running-config | section include interface
interface Ethernet0/0 shutdown no cdp enable
interface Ethernet1/0 shutdown no cdp enable interface Serial2/0 shutdown no cdp enable interface Serial3/0 shutdown no cdp enable
Related Commands
Information About the Show Command Section Filter
The Show Command Section Filter feature enhances the functionality of the Cisco IOS CLI by filtering show command output matching a regular expression (text string) as well as filtering output associated with that expression. Prior to this enhancement, the level of filtering offered by the show command was limited to the individual lines of the output.
In many cases, it is useful to filter the output of a show command to match a specific expression. Filtering provides some control over the type and amount of information displayed by the system. With section filtering, show command output not only displays the individual entries matching the expression in the command output but also displays the section of entries associated with that expression.
Filtering is especially useful, for example, when displaying a large configuration file. In this case, it is helpful to display sections of the configuration file without having to enter multiple commands to gather the related configuration information.
Thursday, May 6, 2010
Wednesday, April 28, 2010
Cisco CME - SIP Providers
Some SIP providers require that your PBX use a specific SOURCE port when communicating with their network. Voip Your Life (VYL Media) business setup authenticates via public IP address and requires that your PBX use port 5060 as a source and destination port when communicating with their network.
The problem is that by default, Cisco CME does not use a static source port; it uses a random unassigned source port. This resulted in outgoing calls not working. Their device was specifically responding with a 404 not found error (which is not very helpful). To get this to work properly, we had to configure the UC540 to use port 5060 for the source port.
conf t
sip-ua
connection-reuse
end
Additional information from Cisco:
1. By default the source port for SIP messages that the UC500 sends is ephemeral or random which is per the spec. You can force this to always be UDP 5060 by looking at section 4.4.12 on guide below
https://www.myciscocommunity.com/docs/DOC-1560
If the provider requires that SIP traffic always be sourced from the UC520 using TCP or UDP port 5060, this can be changed at a system level as below:
sip-ua
connection-reuse
2. Need "deb ccsip message" for this to check the reason for the error. One possibility is mentioned here:
https://www.myciscocommunity.com/docs/DOC-1520#Inbound_calls_from_SIP_Trunk_on_UC520_fail_when_configured_using_CCA_19_or_higher
Earlier posts on NexVortex:
The problem is that by default, Cisco CME does not use a static source port; it uses a random unassigned source port. This resulted in outgoing calls not working. Their device was specifically responding with a 404 not found error (which is not very helpful). To get this to work properly, we had to configure the UC540 to use port 5060 for the source port.
conf t
sip-ua
connection-reuse
end
Additional information from Cisco:
1. By default the source port for SIP messages that the UC500 sends is ephemeral or random which is per the spec. You can force this to always be UDP 5060 by looking at section 4.4.12 on guide below
If the provider requires that SIP traffic always be sourced from the UC520 using TCP or UDP port 5060, this can be changed at a system level as below:
sip-ua
connection-reuse
https://www.myciscocommunity.com/docs/DOC-1520#Inbound_calls_from_SIP_Trunk_on_UC520_fail_when_configured_using_CCA_19_or_higher
Wednesday, March 24, 2010
Cisco CME Basic Call Debugs
WIP:
debug isdn q931 - see live calling / called numbers on PRI
debug voip ccapi inout - This is hard to read but you will see something on the screen if calls come in / out of the FX0 / POTS lines.
debug ccsip messages - debug sip messages
debug ccsip all - debug all sip traffic - CAREFUL
term mon - see debugs on the screen
u all - disable all debugging
debug isdn q931 - see live calling / called numbers on PRI
debug voip ccapi inout - This is hard to read but you will see something on the screen if calls come in / out of the FX0 / POTS lines.
debug ccsip messages - debug sip messages
debug ccsip all - debug all sip traffic - CAREFUL
term mon - see debugs on the screen
u all - disable all debugging
Friday, March 5, 2010
Bandwith.com Blocking Access to Rural Telephone Numbers
One of our customers ran into this issue the other day. They were attempting to call into a free conference bridge to meet with a client. They received a busy signal. After it happened twice in a day on 2 different numbers, they told us about it.
After opening a ticket with Bandwidth.com, we received an email response a day later. Basically, Bandwidth.com has decided that they are going to block calls to certain locations without informing their customers. Also, their notification that your call is blocked is a busy signal. The same busy signal our customer has received when they had all the other Bandwidth.com issues with calls. This does not lead to customer satisfaction. It also causes us problems since we can't identify the cause of the call failure.
To be fair, some of the other providers are are also blocking these same calls. These calls are to certain rural areas which are known for hosting lots of "call pumping" businesses. These areas receive significantly higher call termination fees for having calls terminated there. This was put into place with the idea that we need telco infrastructure in rural areas but there are less subscribers and calls there to spread the costs over. See the links at the end of this post for some more information on this issue.
Some smart (but shady) people figured out that if they were able to get tons of calls into these areas, that would be a lot of money generated for the local telco. Start up your own CLEC and host a free (to end users) adult chat site or conference bridge service there. Now just get people to call and your CLEC business makes money off your other business.
These fees really add up apparently. Google voice recently blocked service to some of these areas which resulted in AT&T complaining to the FCC. It looks like some VoIP providers are already doing this as well.
So the problem here is that this is horrible for Net Neutrality. We absolutely should NOT allow a telco decide who/where to connect calls to. This just opens up a huge can of worms. For example, what if AT&T decided that they weren't going to connect callers to Sprint numbers. Or to people in the state of Montana. That would be a problem right? The FCC has already ruled that the traditional telcos have to provide service to these areas and can't block the calls. However, a definitive ruling on VoIP providers has not been given, so many providers are making up their own rules.
I understand that there is a problem here. Calls into these areas are resulting in huge charges for the telephone companies. This is a particular problem on a low cost nationwide unlimited VoIP plan as the provider can't recoup those charges. However, allowing the telcos to determine who they will connect calls to is insanity and will cause huge problems down the road.
So what's the solution? Well, the FCC should pass some new rules governing call pumping and probably reducing the price of connection fees to rural areas. These rules would be very complex and should be carefully considered so as not to cause other problems. This will likely take forever.
What about a short term solution? I think it's reasonable for VoIP providers to limit access to areas known for call pumping. Speakeasy did this and they informed their users ahead of time and provide a list of numbers that are blocked online.
However, Bandwidth.com has not posted this information. They have not published their policy of blocking these numbers online and they also do not provide a list of blocked numbers.
Well.... Hopefully they just didn't get around to publishing it. Below is their letter they sent us on this issue and the list of prefix's they are blocking (per them).
More Info::
Speakeasy Gives Notice It Will Block Calls, FCC Needs To Take Action. | Public Knowledge
Here's To You, Mr. Traffic-Pumper.
AT&T Falls Back on "It's All About Google" Strategy
Response to AT&T's letter to FCC on Google Voice
After opening a ticket with Bandwidth.com, we received an email response a day later. Basically, Bandwidth.com has decided that they are going to block calls to certain locations without informing their customers. Also, their notification that your call is blocked is a busy signal. The same busy signal our customer has received when they had all the other Bandwidth.com issues with calls. This does not lead to customer satisfaction. It also causes us problems since we can't identify the cause of the call failure.
To be fair, some of the other providers are are also blocking these same calls. These calls are to certain rural areas which are known for hosting lots of "call pumping" businesses. These areas receive significantly higher call termination fees for having calls terminated there. This was put into place with the idea that we need telco infrastructure in rural areas but there are less subscribers and calls there to spread the costs over. See the links at the end of this post for some more information on this issue.
Some smart (but shady) people figured out that if they were able to get tons of calls into these areas, that would be a lot of money generated for the local telco. Start up your own CLEC and host a free (to end users) adult chat site or conference bridge service there. Now just get people to call and your CLEC business makes money off your other business.
These fees really add up apparently. Google voice recently blocked service to some of these areas which resulted in AT&T complaining to the FCC. It looks like some VoIP providers are already doing this as well.
So the problem here is that this is horrible for Net Neutrality. We absolutely should NOT allow a telco decide who/where to connect calls to. This just opens up a huge can of worms. For example, what if AT&T decided that they weren't going to connect callers to Sprint numbers. Or to people in the state of Montana. That would be a problem right? The FCC has already ruled that the traditional telcos have to provide service to these areas and can't block the calls. However, a definitive ruling on VoIP providers has not been given, so many providers are making up their own rules.
I understand that there is a problem here. Calls into these areas are resulting in huge charges for the telephone companies. This is a particular problem on a low cost nationwide unlimited VoIP plan as the provider can't recoup those charges. However, allowing the telcos to determine who they will connect calls to is insanity and will cause huge problems down the road.
So what's the solution? Well, the FCC should pass some new rules governing call pumping and probably reducing the price of connection fees to rural areas. These rules would be very complex and should be carefully considered so as not to cause other problems. This will likely take forever.
What about a short term solution? I think it's reasonable for VoIP providers to limit access to areas known for call pumping. Speakeasy did this and they informed their users ahead of time and provide a list of numbers that are blocked online.
However, Bandwidth.com has not posted this information. They have not published their policy of blocking these numbers online and they also do not provide a list of blocked numbers.
Well.... Hopefully they just didn't get around to publishing it. Below is their letter they sent us on this issue and the list of prefix's they are blocking (per them).
List of Blocked Prefixes
At Bandwidth.com, Inc. our SIP trunking, BoxSet and Phonebooth voice-over-IP products have been recognized as being a great value for customers. As an interconnected VoIP and communications service provider, we have grown rapidly because our business customers are routinely saving 30-70% off of their traditional telecom bills.
However, we want you to know that the viability of low-cost IP telephony is at risk due to highly controversial so-called “traffic-stimulation” activities of some telecom providers and their business partners through the promotion and use of “free” conference calling or similar services, or “free” adult entertainment and “chat” services. Long distance calls to the phone numbers of these services is usually directed to rural areas where the telecom providers assess charges for the calls that we view as excessive, if not exorbitant. In fact, the charges are so high that the telecom providers have an arrangement where their conference calling or adult entertainment service partners share in the profits.
This practice has been the subject of great controversy within the telecommunications industry and among VoIP providers like Bandwidth.com, Inc., and has drawn the recent formal scrutiny of both the FCC and the State of Iowa Utilities Board. In our view, these so-called “services” exist for no reason other than to draw high-volume traffic to high-cost tariff areas. In fact, the “free” service is not really free since the telecom provider then turns around and charges the communications companies that send them the long distance “stimulated” calls from around the country for connecting to the service. In our view, this whole practice greatly distorts what would otherwise be a low volume of calls to a given rural area into a high volume calling area, resulting in unfair and excessive charges to others. The problem is compounded because, while the FCC may not look kindly on these practices, thus far, there has not been the timely relief we think is needed to protect those being unfairly charged.
So, how does this affect you if nothing is done? If you are a metered SIP trunk customer (i.e. you are charged per minute), you will be subject to excessively high cost per-minute charges for calls into those rural areas of concern. That free conference calling service that you thought was saving you money would actually cost you significant money on your phone bill.
If you are an Unlimited SIP trunk, BoxSet or Phonebooth customer, your bill will not be affected now. However, the growing costs that Bandwidth.com, Inc. and other VoIP providers incur to deliver an unlimited nationwide VoIP product will inevitably raise your telecom rates as we try to continue to stay profitable and viable.
Thus, we refuse to do nothing and put our customers or our own business in jeopardy to what we, and many others, believe to be inappropriate practices that exist to take advantage of regulatory loopholes. Therefore, effective today, we are making the following changes to our voice product terms and conditions and acceptable use policy:
a) Bandwidth.com, Inc. will stop allowing voice traffic to a few selected locales in North America, where we determine that "traffic stimulation" practices are going on. Instead of passing on these fees to you, we have chosen to maintain the most competitive rates possible by implementing this policy change.
b) We are updating our Acceptable Use Policy, and are extending other conference calling options to customers who may have a legitimate need for conferencing.
These changes are effective immediately, and can be seen on our website at http://www.bandwidth.com/resources/legal/policy.html. Please feel free to contact customer care if you have any additional questions or would like to talk about alternate conferencing options for your business.
Additionally, I would urge you to contact the FCC and ask them to crack down on "traffic stimulating" practices by rural telecom companies so that innovation in low-cost, feature-rich IP telephony can continue. They can be contacted at: http://www.fcc.gov/contacts.html
Best regards,
Joe Campbell
Vice President of Operations
Bandwidth.com
218237
218339
218486
218538
218548
218632
218844
218862
218895
218936
270250
270200
270400
270402
270405
270406
270407
270431
270446
270572
270696
270834
270872
270943
270951
270960
308231
308344
308378
308526
308823
308831
308929
319256
319279
402590
563843
605475
605622
605715
605725
641210
641213
641235
641237
641262
641264
641297
641308
641309
641315
641388
641396
641410
641453
641509
641527
641551
641552
641570
641594
641608
641612
641654
641665
641696
641710
641713
641715
641739
641765
641793
641795
641816
641826
641827
641865
641962
641982
641983
641985
641992
712278
712338
712353
712429
712432
712439
712451
712458
712472
712475
712541
712568
712580
712725
712726
712737
712775
712827
712858
712858
712872
712873
712876
712889
712941
712944
712945
712948
712951
724444
906204
906232
906239
906294
906357
906481
906874
More Info::
Speakeasy Gives Notice It Will Block Calls, FCC Needs To Take Action. | Public Knowledge
Here's To You, Mr. Traffic-Pumper.
AT&T Falls Back on "It's All About Google" Strategy
Response to AT&T's letter to FCC on Google Voice
Wednesday, February 10, 2010
Cisco KATE
Working on a problem with Cisco SPA525G phones freezing and rebooting. Going through the debugs, I find a bunch of KATE messages. Weird. Some research shows that this is pretty poorly documented. Research also shows that Google sucks if you want to do a case sensitive search, which in this case I definitely do.
After some digging around, it looks like KATE stands for "Keyboard Alphanumeric Text Entry" and deals with Cisco localization settings and etc.
Error Messages:
I was only able to find 2 pages in Cisco that defined KATE directly. Both are release guides that mention this in passing.
Another Mention of KATE in another context.
After some digging around, it looks like KATE stands for "Keyboard Alphanumeric Text Entry" and deals with Cisco localization settings and etc.
Error Messages:
2010-02-10 08:49:16 Local3.Debug 192.168.1.9 KATE_tftp {
2010-02-10 08:49:16 Local3.Debug 192.168.1.9 KATE_tftpInit {
2010-02-10 08:49:16 Local3.Debug 192.168.1.9 }<010>
2010-02-10 08:49:16 Local3.Debug 192.168.1.9 KATE: finished waiting on EVENT_INIT_CNF_PARSED
2010-02-10 08:49:16 Local3.Debug 192.168.1.9 kate Name: English_United_States/525G-kate.xml
I was only able to find 2 pages in Cisco that defined KATE directly. Both are release guides that mention this in passing.
Source3.3 No Keyboard Alphanumeric Text Entry Support
3.3.1 Asian Locales
There is currently no localised Keyboard Alphanumeric Text Entry (KATE) support for the following Asian locales:
Chinese (China)
Chinese (Hong Kong)
Chinese (Taiwan)
Japanese (Japan)
Korean (Korea Republic)
The default English (United States) KATE will be presented to the user instead.
3.3.2 Cisco Unified IP Phone 3951"
KATE is not internationalised on this device and therefore cannot be localised. KATE is only used for local administation purposes only.
Another Mention of KATE in another context.
Monday, February 1, 2010
Resetting Cisco Phones Part 2
Reset the phone instead of restarting the phone to be sure it completely reboots.
Friday, January 29, 2010
Saving Your Password in the Cisco VPN Client
It has always been frustrating to have to login to the VPN with a password everytime I have to connect to a client site to check something. Here is how to enable your client to save the password locally on your computer.
First, we need to enable the option on the router or ASA.
Now disconnect the session. Wait a few seconds and reconnect. You should now see the Save Password checkbox in the VPN connection window. Check this box. Input your password for the last time and hit connect.
Your password should now be saved in your VPN client settings and you should no longer need to input it when connecting to this device. Verify that this is working by disconnecting and reconnecting one more time. Then save the config with a wr mem if everything looks good.
A Show Run should show you something like this now for your VPN group. Note that the save-password option is there now.
crypto isakmp client configuration group <YourVPNGroup>
key
dns save-password pool
acl
save-password
include-local-lan
max-users 5
netmask 255.255.255.0
First, we need to enable the option on the router or ASA.
- Connect to the device
- Check your VPN group name if necessary by doing a 'show run | include crypto isakmp client configuration group'. You should see 'crypto isakmp client configuration group
'. - Enter config mode
- Enter ISAKMP group configuration mode for the appropriate isakmp group by typing 'crypto isakmp client configuration group <YourVPNGroup>'
- Add the command 'save-password'
- Example:
rtr#config t
rtr(config)#crypto isakmp client configuration group MyVPNGroup
rtr(config-isakmp-group)# save-password
rtr(config-isakmp-group)#end
Now disconnect the session. Wait a few seconds and reconnect. You should now see the Save Password checkbox in the VPN connection window. Check this box. Input your password for the last time and hit connect.
Your password should now be saved in your VPN client settings and you should no longer need to input it when connecting to this device. Verify that this is working by disconnecting and reconnecting one more time. Then save the config with a wr mem if everything looks good.
A Show Run should show you something like this now for your VPN group. Note that the save-password option is there now.
crypto isakmp client configuration group <YourVPNGroup>
key
dns
acl
save-password
include-local-lan
max-users 5
netmask 255.255.255.0
Cisco Documentation
save-password
To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.
save-password
no save-password
Syntax Description
This command has no arguments or keywords.
Defaults
Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.
The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.
The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.
To configure save password control, use the save-password command.
An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:
ipsec:save-password=1
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.
Note
•The Save-Password attribute can be applied only by a RADIUS user.
•The attribute can be applied on a per-user basis after the user has been authenticated.
•The attribute can override any similar group attributes.
•User-based attributes are available only if RADIUS is used as the database.
Examples
The following example shows that the Save-Password attribute has been configured:
crypto isakmp client configuration group cisco
save-password
Related Commands
Command | Description |
|---|---|
acl | Configures split tunneling. |
crypto isakmp client configuration group | Specifies the DNS domain to which a group belongs. |
Thursday, January 14, 2010
Cisco IOS Bundles
Cisco IOS Packaging
Cisco IOS Packaging consists of eight packages for Cisco routers and five packages for Cisco switches. (See Figure 6.)
Figure 6—Cisco IOS Packaging for Cisco Routers and Switches
Four packages are designed to satisfy requirements in four typical service categories:
-
IP data
-
Converged voice and data
-
Security and VPN
-
Enterprise protocols
Three additional premium packages offer new Cisco IOS Software feature combinations that address more complex network requirements. All features merge in the Advanced Enterprise Services package that integrates support for all routing protocols with Voice, Security, and VPN capabilities.
Feature inheritance is another powerful aspect of Cisco IOS Packaging. After a feature is introduced, it is included in the more comprehensive packages. The feature inheritance facilitates migration by clarifying the feature content of the different packages and how they relate to each another.
Cisco IOS Packaging also simplifies image naming. Each name is designed to effectively convey the high-level feature content of, and the inheritance characteristics for the new packages.
These categories summarize the new naming convention:
-
Base—entry level image (IP Base, Enterprise Base)
-
Services—addition of IP Telephony Service, MPLS, Voice over IP (VoIP), Voice over Frame Relay (VoFR), and ATM (SP Services, Enterprise Services)
-
Advanced—addition of VPN, Cisco IOS Firewall, 3DES encryption, SSH, Cisco IOS IPsec and Intrusion Detection Systems (IDS) (Advanced Security, Advanced IP Services)
-
Enterprise—addition of multi-protocols, including IBM, IPX, AppleTalk (Enterprise Base, Enterprise Services)
These packages are new:
-
IP Base
-
IP Voice
-
Enterprise Base
-
Advanced Security
-
SP Services
-
Advanced IP Services
-
Enterprise Services
-
Advanced Enterprise Services
Wednesday, January 13, 2010
Alias for CLI Access to the CUE
!creating an alias to enable CLI access to the CUE module much more easily.
! alias exec
!do a sh ip int brief and look for the service-engine or integrated service-engine number to fill in the proper one. It is usually 0/0 though.
!alias exec cue service-module service-Engine <Service-engine location> session
Examples:
alias exec cue service-module service-Engine 0/0 session
alias exec cue service-module integrated-Service-Engine 0/0 session
rtr#conf t
rtr(config)#alias exec cue service-module service-Engine 0/0 session
rtr(config)#end
rtr#cu?
*cue="service-module service-Engine 0/0 session"
rtr#cue
Trying 10.1.10.1, 2194 ... Open
rtrcue#
Tuesday, January 5, 2010
Rebooting Cisco Phones
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_r1ht.html#wp1013890
Note that when resetting or restarting phones, the phone will not be rebooted immediately if it is currently in use. Instead, it will be rebooted once the phone call is over. Thus, resetting or restarting should both be safe to do during business hours as long as call traffic is not high at that point in time.
Note that when resetting or restarting phones, the phone will not be rebooted immediately if it is currently in use. Instead, it will be rebooted once the phone call is over. Thus, resetting or restarting should both be safe to do during business hours as long as call traffic is not high at that point in time.
reset (ephone)
To perform a complete reboot of a single phone associated with a Cisco CallManager Express (Cisco CME) router, use the reset command in ephone configuration mode.
reset
Syntax Description
This command has no arguments or keywords.
Command Default
No reset is performed.
Command Modes
Ephone configuration (config-ephone)
Command History
Cisco IOS Release | Cisco Product | Modification |
|---|---|---|
12.1(5)YD | Cisco ITS 1.0 | This command was introduced |
12.2(8)T | Cisco ITS 2.0 | This command was integrated into Cisco IOS Release 12.2(8)T |
Usage Guidelines
After you update information for one or more phones associated with a Cisco CME router, the phone or phones must be rebooted. There are two commands to reboot the phones: reset and restart. The reset command performs a "hard" reboot similar to a power-off-power-on sequence. It reboots the phone and contacts the Dynamic Host Configuration Protocol (DHCP) server and the TFTP server to update from their information as well. The restart command performs a "soft" reboot by simply rebooting the phone without contacting the DHCP and TFTP servers. The reset command takes significantly longer to process than the restart command when you are updating multiple phones, but it must be used after updating phone firmware, user locale, network locale, or URL parameters. For simple button, line, or speed-dial changes, you can use the restart command.
Use the reset (ephone) command to perform a complete reboot of an IP phone when you are in ephone configuration mode. This command has the same effect as a reset (telephony-service) command that is used to reset a single phone.
This command has a no form, but the no form has no effect.
Examples
The following example resets the SCCP phone with a phone-tag of 1:
Router(config)# ephone 1
Router(config-ephone)# reset
Related Commands
reset (telephony-service)
To perform a complete reboot of one or all phones associated with a Cisco CallManager Express (Cisco CME) router, use the reset command in telephony-service configuration mode. To interrupt and cancel a sequential reset cycle, use the no form of the command with the sequence-all keyword.
reset {all [time-interval] | cancel | mac-address | sequence-all}
no reset {all [time-interval] | cancel | mac-address | sequence-all}
Syntax Description
Command Default
No reset is performed.
Command Modes
Telephony-service configuration (config-telephony)
Command History
Usage Guidelines
After you update information for one or more phones associated with a Cisco CME router, the phone or phones must be rebooted using either the reset command or the restart command. The reset command performs a "hard" reboot similar to a power-off-power-on sequence and contacts the Dynamic Host Configuration Protocol (DHCP) server and the TFTP server for updated information as well. The restart command performs a "soft" reboot by simply rebooting the phone without contacting the DHCP and TFTP servers. The reset command takes significantly longer to process than the restart command when you are updating multiple phones, but it must be used after you make changes to phone firmware, user locale, network locale, or URL parameters. For simple button, line, or speed-dial changes, you can use the restart command.
When you use the reset command, the default time interval of 15 seconds is recommended so that phone reset operations are staggered in order to avoid all phones attempting to access router system resources at the same time. A shorter interval may be used on systems with only a small number of phones or for cases where a simple reset of the phones is desired that does not result in the phones downloading updates to the phone firmware (using the router's TFTP service).
When you use the reset sequence-all command, the router waits for one phone to complete its reset and reregister before starting to reset the next phone. The delay provided by this command prevents multiple phones from attempting to access the TFTP server simultaneously and therefore failing to reset properly. Each reset operation can take several minutes when you use this command. There is a reset timeout of 4 minutes, after which the router stops waiting for the currently registering phone to complete registration and starts to reset the next phone.
If the router configuration is changed so that the eXtensible Markup Language (XML) configuration files for the phones are modified (changes are made to user locale, network locale, or phone firmware), then whenever you use the reset all or restart all command, the router automatically executes the reset sequence-all command instead. The reset sequence-all command resets phones one at a time in order to prevent multiple phones from trying to contact the TFTP server simultaneously. This one-at-a-time sequencing can take a long time if there are many phones. To avoid this automatic behavior, use the reset all time-interval or the restart all time-interval with an explicit argument that is not equal to the default 15-second time interval; for example, set a time interval of 14 seconds. If a reset sequence-all command has been started in error, use the reset cancel command to interrupt and cancel the sequence of resets.
The restart command allows the system to perform quick phone resets in which only the button template, line information, and speed-dial information is updated. See the documentation for the restart command for more information.
The no form of this command has an effect only when used with the all or sequence-all keyword, when it interrupts and cancels the sequential resetting of phones.
Examples
The following example resets all IP phones served by the Cisco CME router:
Router(config)# telephony-service
Router(config-telephony)# reset all
The following example resets the Cisco IP phone with the MAC address CFBA.321B.96FA:
Router(config)# telephony-service
Router(config-telephony)# reset CFBA.321B.96FA
The following example resets all IP phones in sequential, not-overlapping order:
Router(config)# telephony-service
Router(config-telephony)# reset sequence-all
Related Commands
Wednesday, December 16, 2009
Show ip dhcp pool
shows you the leased DHCP IP addresses.
2811#sh ip dhcp pool
Pool sdm-pool1 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 54
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.1.163 10.1.1.1 - 10.1.1.254 54
2811#
2811#sh ip dhcp pool
Pool sdm-pool1 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 54
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.1.1.163 10.1.1.1 - 10.1.1.254 54
2811#
Monday, November 16, 2009
Ephone-dn-templates
ephone-dn-template
To enter ephone-dn-template configuration mode and create an ephone-dn template containing a standard set of ephone-dn features, use the ephone-dn-template command in global configuration mode. To delete an ephone-dn template, use the no form of this command.
ephone-dn-template template-tag
no ephone-dn-template template-tag
Syntax Description
Command Default
No ephone-dn template is created.
Command Modes
Global configuration (config)
Command History
Cisco IOS Release | Cisco Product | Modification |
|---|---|---|
12.4(4)XC | Cisco Unified CME 4.0 | This command was introduced. |
12.4(9)T | Cisco Unified CME 4.0 | This command was integrated into Cisco IOS Release 12.4(9)T. |
Usage Guidelines
Use this command to create an ephone-dn template. An ephone-dn template contains a set of ephone-dn attributes that you can easily apply to one or more ephone-dns.
If you use an ephone-dn template to apply a command to an ephone-dn and you also use the same command in ephone-dn configuration mode for the same ephone-dn, the value that you set in ephone-dn configuration mode has priority.
Type? in ephone-dn-template configuration mode to see the commands that are available in this mode. The following example shows CLI help for ephone-dn-template configuration mode:
Router(config-ephone-dn-template)# ?
Ephone Dn template configuration commands:
call-forward Define E.164 telephone number for call forwarding
call-waiting Config call-waiting option
caller-id Configure port caller id parameters
corlist Class of Restriction on dial-peer for this dn
default Set a command to its defaults
description dn desc, for DN Qualified Display Name
exit Exit from ephone-dn-template configuration mode
hold-alert Set Call On-Hold timeout alert parameters
huntstop Stop hunting on Dial-Peers
mwi set message waiting indicator options (mwi)
no Negate a command or set its defaults
pickup-group set the call pickup group number for the DN
translate Translation rule
translation-profile Translation profile
After creating an ephone-dn template, apply the template to one or more ephone-dns using the ephone-dn-template command in ephone-dn configuration mode. Even though you can define up to 15 different ephone templates, you cannot apply more than one template to a particular ephone-dn.
If you try to apply a second ephone-dn template to an ephone-dn that already has a template applied to it, the second template will overwrite the first ephone-dn template configuration after you use the restart command to reboot the phone.
To view your ephone-dn-template configurations, use the show telephony-service ephone-dn-template command. To see which ephone-dns have templates applied to them, use the show running-config command.
Examples
The following example creates ephone-dn template 3, which sets call forwarding on busy and no answer to forward calls to extension 4000 and sets the pickup group to 4. Ephone-dn template 3 is then applied to ephone-dn 23 and ephone-dn 33, which appear on ephones 13 and 14, respectively.
ephone-dn-template 3
call-forwarding busy 4000
call-forwarding noan 4000 timeout 30
pickup group 4
ephone-dn 23
number 2323
ephone-dn-template 3
ephone-dn 33
number 3333
ephone-dn-template 3
ephone 13
button 1:23
ephone 14
button 1:33
Related Commands
ephone-dn-template (ephone-dn)
To apply an ephone-dn template to an ephone-dn, use the ephone-dn-template command in ephone-dn configuration mode. To remove the ephone-dn template, use the no form of this command.
ephone-dn-template template-tag
no ephone-dn-template template-tag
Syntax Description
template-tag | The template tag for a template created with the ephone-dn-template command in global configuration mode. Range is from 1 to 15. |
Command Default
No ephone-dn template is applied to the ephone-dn.
Command Modes
Ephone-dn configuration (config-ephone-template)
Command History
Cisco IOS Release | Cisco Product | Modification |
|---|---|---|
12.4(4)XC | Cisco Unified CME 4.0 | This command was introduced. |
12.4(9)T | Cisco Unified CME 4.0 | This command was integrated into Cisco IOS Release 12.4(9)T. |
Usage Guidelines
Use the ephone-dn-template command in ephone-dn configuration mode to apply an ephone-dn template to an ephone. You cannot apply more than one ephone-dn template to an ephone-dn.
If you try to apply a second ephone-dn template to an ephone-dn that already has an ephone-dn template applied to it, the second template will overwrite the first ephone-dn template configuration.
To view your ephone-dn-template configurations, use the show telephony-service ephone-dn-template command.
Examples
The following example shows how to create ephone-dn template 3, which sets call forwarding on busy and no answer to forward calls to extension 4000 and sets the pickup group to 4, and apply the template to ephone-dn 23 and ephone-dn 33, which appear on ephones 13 and 14, respectively.
ephone-dn-template 3
call-forwarding busy 4000
call-forwarding noan 4000 timeout 30
pickup group 4
ephone-dn 23
number 2323
ephone-dn-template 3
ephone-dn 33
number 3333
ephone-dn-template 3
ephone 13
button 1:23
ephone 14
button 1:33
Related Commands
Subscribe to:
Posts (Atom)