The following configuration example is about a cisco 2801 router working as Call Manager Express version 4.1 with both local IP phones and IP Phones located in remote branches over IPSEC VPN. The remote phones work with G729 codec and the local phones use normal G711 voice encoding. The requirement is to enable hardware ad-hoc conferencing between remote G729 and local G711 phones.

Here is the configuration snapshot (only commands related to hardware conferencing are shown):

voice-card 0
dsp services dspfarm
!
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
!
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0

sccp local FastEthernet0/0
sccp ccm 192.168.10.1 identifier 100 priority 1 version 4.1
sccp
!
sccp ccm group 2
bind interface FastEthernet0/0
associate ccm 100 priority 1
associate profile 2 register DSPprofile2
keepalive retries 5
!
dspfarm profile 2 conference
! Configure codecs allowed to participate in conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 2
conference-join custom-cptone jointone
conference-leave custom-cptone leavetone
associate application SCCP

telephony-service
sdspfarm units 2
sdspfarm tag 2 DSPprofile2
conference hardware
max-ephones 24
max-dn 48
ip source-address 192.168.10.1 port 2000 strict-match
max-conferences 4 gain -6

!
ephone-dn  43  dual-line
number A000
description Ad-Hoc Conference
conference ad-hoc
no huntstop
!
!
ephone-dn  44  dual-line
number A000
description Ad-Hoc Conference
conference ad-hoc
preference 1
no huntstop
!
!
ephone-dn  45  dual-line
number A000
description Ad-Hoc Conference
conference ad-hoc
preference 2
!
!
ephone-dn  46  dual-line
number A000
description Ad-Hoc Conference
conference ad-hoc
preference 3

Notice on the configuration above that we have to create some dummy phone directory numbers (ephone-dn 43 to 46) to facilitate the ad-hoc conference operation. An Ad-hoc conference is an unscheduled conference. It occurs when a third party is added into any conversation by the participants. The ad-hoc initiators can add/delete/drop participants to/from the conference.

CME hardware conferencing supports a maximum of 8 participants in an ad-hoc conference.
Each DSP can support a maximum of 64 G.711 participants only (single-mode), this translates to:

• 8 conferences of 8 participants each.

Each DSP can support a maximum of 16 G.711/G.729A/G.729 participants (mixed-mode), so this translates to:

• 2 conferences of 8 participants each.

Verify DSP registration

If your DSPfarm is not registered to CME, you will not be able to use the DSP resources to initiate a conference call. To check if the dspfarm is registered, perform the following command - “show dspfarm all”

Example: Registered - good example

Router#show dspfarm all

<output omitted>

Profile Operation State : ACTIVE

Application : SCCP Status : ASSOCIATED

<output omitted>

Example: Unregistered - bad example

<output omitted>

Profile Operation State : ACTIVE IN PROGRESS

Application : SCCP Status : ASSOCIATION IN PROGRESS

<output omitted>

Here are some of the Cisco related blogs that I visit regularly:

• 6200 Networks (By Joe Harris, CCIE# 6200)
• Blindhog.net (a site dedicated to helping people learn Cisco, Linux and VOIP technologies)
• CCIE Blog (Allows you to create your own Blog and also hosts feeds from various Cisco related blogs)
• Ethereal Mind (By Greg Ferro CCIE# 6920)
• Human Modem (By CCIE# 19747)
• Mr. Configure (A Quick Reference for Routing, Switching, Cisco & Juniper)
• Cisco Blog and Forum (Open Discussion about Cisco, By Jeremy Cioara )
• Should Have Gone With Cisco (By Ted Romer CCIE# 21785 )
• Aaron’s Worthless Words (By Aaron Conaway )

1.      I don’t know about other products, but specifically for the Cisco ASA 5505, Amazon offers the cheapest price online. It’s even cheaper than ebay. At the time of writing, the cheapest price for the ASA 5505 at ebay is $380 while at Amazon is $360 (including shipping).

2.      The ASA 5505 at Amazon is eligible for FREE Super Saver Shipping within the US.

3.      Amazon is probably the most trusted and reliable name for online purchases. The A-to-Z Guarantee Purchase Protection offered by Amazon ensures a safe buying experience.

4.      Before buying a product from Amazon, you can read other customer’s reviews for the same product in order to get a better idea whether this product suits your needs.

5.      For the Cisco ASA 5505, Amazon provides also special offers and product promotions together with suggestions for related products to purchase.

There are basically three software license types for the ASA 5505 according to the number of internal users (hosts) that will be protected by the firewall.

• ASA 5505 with 10-User license
• ASA 5505 with 50-User license
• ASA 5505 with Unlimited-User license

In its simplest form, you just enable priority queuing on an interface and select with an ACL and a policy map which traffic should pass through the priority queue of the interface. All other traffic will be passing through the “best effort” queue. For example if we have FTP data traffic (which is usually a long packet) together with a VoIP packet, the VoIP will be served first by the interface (priority queue) while the FTP packet will be served in a best-effort basis.

In our example below, we present a usual scenario in which we have two (or more) sites communicating through a Lan-to-Lan IPSEC VPN via the Internet. Between the sites we can have both data and VoIP traffic communication. Although we can not enforce real QoS through the Internet, at least we can ensure voice traffic prioritization on the firewall interface.

From the diagram above we assume that we have already configured the IPSEC VPN and is working properly (i.e both subnets 192.168.1.0/24 and 192.168.2.0/24 can communicate via the tunnel). The example configuration below is for the ASA-1 firewall and should be applied accordingly to ASA-2 for better QoS performance.

! Enable a priority queue on the outside interface

ASA-1(config)# priority-queue outside
ASA-1(config-priority-queue)# exit

! Select VoIP traffic for prioritization

ASA-1(config)#access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq h323
ASA-1(config)#access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq sip
ASA-1(config)#access-list VoIP-Traffic-OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 2000

ASA-1(config)#access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq h323
ASA-1(config)#access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq sip
ASA-1(config)#access-list VoIP-Traffic-IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 2000

! Match the ACL and traffic with Expedited Forwarding (EF)

ASA-1(config)# class-map Voice-OUT
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-OUT
ASA-1(config-cmap)# exit

ASA-1(config)#class-map Voice-IN
ASA-1(config-cmap)# match dscp ef
ASA-1(config-cmap)# match access-list VoIP-Traffic-IN
ASA-1(config-cmap)# exit

! Configure the actual policy that will be applied to the interface

ASA-1(config)# policy-map VoicePolicy
ASA-1(config-pmap)# class Voice-OUT
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit

ASA-1(config-pmap)# class Voice-IN
ASA-1(config-pmap-c)# priority
ASA-1(config-pmap-c)# exit
ASA-1(config-pmap)# exit

! Apply the policy to the outside interface

ASA-1(config)# service-policy VoicePolicy interface outside

Professionals certified with the Cisco CCSP qualification are also recognized as INFOSEC professionals (4013 standard). The 4013 training standard is suggested by the National Security Agency (NSA) and the Committee on National Security Systems (CNSS).

The Table below shows the exam requirements for obtaining the new CCSP certification:

Visit the Cisco Learning Network Job Portal Here

From the diagram above, assume that the Web Server (WEB_SRV) has a public IP address of 20.20.20.1. Any access from outside to this IP address must be intercepted by the ASA firewall which should prompt the user for authentication (username/password). After the user enters his/her credentials, the Firewall will communicate with the AAA Authentication server (AAA_SRV), using either TACACS+ or RADIUS protocols, to validate the credentials of the user. The AAA server will respond to the firewall with ACCESS_PERMITED or ACCESS_DENIED accordingly. If permitted, the user will be able to communicate with the Web Server. This functionality of the Cisco ASA Firewall is also called “cut-through Proxy” and works for only specific services (HTTP, HTTPs, FTP, and TELNET). This means that in addition to authenticating users for Web Server access, we can do the same for FTP or TELNET Servers as well.

Configuration Example:

! Specify a AAA server name (AAA_SRV) and which protocol to use (Radius or TACACS+)
CISCO-ASA(config)#  aaa-server AAA_SRV protocol tacacs+

! Designate the Authentication server IP address and the authentication secret key
CISCO-ASA(config)#  aaa-server AAA_SRV (inside) host 10.0.0.1
CISCO-ASA(config-aaa-server-host)#  key authentication-secret-key

! The following ACL specifies for which traffic flow the firewall will enforce authentication
CISCO-ASA(config)#  access-list 120 permit tcp any host 20.20.20.1 eq www

! Enable web server user authentication by matching the ACL configured above
CISCO-ASA(config)#  aaa authentication match 120 outside AAA_SRV

! The last statement above will authenticate traffic on the “outside” interface using
! server AAA_SRV only if this traffic matches Access List 120

A high level network topology of two remote branch offices with the enterprise central site is shown in the figure below:

The components that constitute the Cisco Virtual Office solution include the following products and technologies:

 REMOTE BRANCH LOCATION:

 In the remote user premises, the equipment includes Cisco 800 series ISR (Integrated Services Routers) to provide secure IPSEC VPN connectivity towards the central site, together with unified 7900 series IP Phones that offer voice and video communication with the central call manager system.

 CENTRAL SITE LOCATION:

 The equipment and technologies here include a VPN termination device (which can be either a VPN router or a Cisco ASA Firewall), central call manager system for voice and video control, and central management software for policy enforcement, authentication services, identity management etc.

 The license installed on the 5505 firewall determines the number of active VLANs allowed on the appliance as described below:

 Basic ASA 5505 License:

The basic license allows only 3 active VLANs which you can use as Inside, Outside and DMZ. However, there is a restriction here that many people do not know about: The DMZ VLAN can access ONLY the Outside VLAN but can not access the Inside VLAN. The other two VLANs (Inside and Outside) can access all the other VLANs with no problems.

 Security Plus ASA 5505 License:

The Security Plus license, removes all limitations and allows up to 20 active VLANs to be configured. Since there are only 8 physical ports, you can create several vlan subinterfaces on each physical port to segment your network into different security zones (e.g Inside, Outside, DMZ1, DMZ2, Sales, Engineering etc).

• Pass multicast traffic from a video server of one site to another site over the Internet.
• Pass routing protocol updates (multicast traffic) between sites working in an IPSEC VPN topology.
• Running Novel IPX between IPSEC VPN sites.
• Use load balancing with a routing protocol between IPSEC VPN sites.

Configuration example

Below we will describe a configuration example between two Cisco routers running GRE over IPSEC via the Internet.

From the diagram above, we have two private LAN networks 192.168.1.0/24 and 192.168.2.0/24 and we want to send non-IP traffic between them (e.g multicast video server traffic from Site-A to Site-B or any other non-IP non-unicast traffic). For each router we have a static Public IP address on the FE0/1 outside interface (100.100.100.1 and 200.200.200.1) over which we will set up the IPSEC tunnel. The GRE tunnels will be running between two private IP addresses (10.0.0.1 and 10.0.0.2) configured on each router (with the interface Tunnel command). The scenario also involves NAT for general internet access of the local networks.

SITE-A

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!— This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 200.200.200.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 200.200.200.1
set transform-set ESPDES-TS
match address 101
!
!— This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0

!— Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 200.200.200.1

!— Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!— This is the internal network.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside

!— This is the external interface and one end of the GRE tunnel.

interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
ip nat outside
crypto map myvpn

!— Define the NAT pool.

ip nat pool NATPOOL 100.100.100.2 100.100.100.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 100.100.100.254

!— Force the private network traffic into the tunnel.

ip route 192.168.2.0 255.255.255.0 10.0.0.2

!— All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 100.100.100.1 host 200.200.200.1

!— Use access list in route-map to address what to NAT.

access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end

SITE-B

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE-B
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!— This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share

crypto isakmp key testkey123 address 100.100.100.1
!
crypto ipsec transform-set ESPDES-TS esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
set peer 100.100.100.1
set transform-set ESPDES-TS
match address 101
!
!— This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0

!— Associate the tunnel with the physical outside interface.
tunnel source FastEthernet0/1
tunnel destination 100.100.100.1

!— Attach the IPSEC crypto map to the GRE tunnel.
crypto map myvpn

!— This is the internal network.

interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside

!— This is the external interface and one end of the GRE tunnel.

interface FastEthernet0/1
ip address 200.200.200.1 255.255.255.0
ip nat outside
crypto map myvpn

!— Define the NAT pool.

ip nat pool NATPOOL 200.200.200.2 200.200.200.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool NATPOOL overload
ip classless

ip route 0.0.0.0 0.0.0.0 200.200.200.254

!— Force the private network traffic into the tunnel.

ip route 192.168.1.0 255.255.255.0 10.0.0.1

!— All traffic that enters the GRE tunnel is encrypted by IPsec.
access-list 101 permit gre host 200.200.200.1 host 100.100.100.1

!— Use access list in route-map to address what to NAT.

access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any

route-map nonat permit 10
match ip address 175

end