Tuesday, December 27, 2011

Cisco Router VPN: Configure an 1841 IOS Router for Site to Site VPN.

On occasion, I have to set up a site-to-site VPN on an IOS router.  It seems a little odd, but the IOS router will do this just fine, just like an ASA.  The commands are different, but not difficult at all.  Below, I outline what you need to do to configure an IOS router (an 1841 in this case) to get the VPN up and running.  Nothing special in this, just the basics.

You won't be able to use a base image for this.  Below, I have an advanced security image:
boot system flash:c1841-advsecurityk9-mz.124-3h.bin

Set your domain name on your router.
ip domain name company.com

Here is your Phase I info.
-------- Beginning of Phase I ----------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key! address 98.98.98.98 no-xauth    <------ no-xauth: no extended (user) authentication for this peer; the pre-shared key still authenticates it
crypto isakmp keepalive 20 3 periodic

Here is your Phase II info.
------- Phase II -----------------
crypto ipsec transform-set to_remotesite esp-3des esp-md5-hmac

Here is your crypto map for the vpn.
--------- Crypto Map for VPN ----------------
crypto map to_remotesite 5 ipsec-isakmp  
 set peer 98.98.98.98                <------- Peer address
 set transform-set to_remotesite  <------ Use this Phase II policy (above)
 match address 121                 <------ Match this ACL for encryption

Apply the crypto map to your serial interface.
interface Serial0/0/0
 ip address 12.94.221.218 255.255.255.252
 ip nat outside
 crypto map to_remotesite       <------- Apply this CryptoMap to Int S0/0/0

Here is your encryption ACL.  This says "encrypt across the vpn".
----------- Encryption ACL ---------------------------------
access-list 121 permit ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255

If the VPN traffic must NOT be NATed, then you have to tell the router.  Below is the config to NAT 192.168.101.0 to anywhere, but NOT NAT 192.168.101.0 to 192.168.75.0.  Notice the deny statement, which is what exempts that traffic from NAT.
------------------------- No Nat ACL, NAT statement, and Route-map for NO-NAT'ing ----------------------
access-list 104 deny   ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 any
ip nat inside source route-map nonat interface Serial0/0/0 overload
route-map nonat permit 10
 match ip address 104

That's all there is to it.  I hope this helps.

Monday, December 26, 2011

Collecting logs for ShoreTel TAC: What to do


I had to do some troubleshooting one day, and I was asked to collect logs and send them in to ShoreTel.  I wasn't sure what all they wanted, so they sent me these instructions.  I thought this would be helpful to those of you who need to do the same.  See the instructions below:

Collect the appropriate logs and files. Package them up and attach to the case.

Please create a folder named SR NUMBER (eg 1-41234567) and COPY (not move) the following data into it.

NOTE: All logs should reflect the date of the issue being escalated, as should call GUIDs.
NOTE: If your server is a Windows Server 2008 machine, please ensure that event logs are saved in Comma Separated Value (CSV) and/or Plain Text (TXT) format, as we cannot open EVTX files.
NOTE: This document assumes the ShoreTel application is installed to the C: drive and data is stored on the D: drive in the default directories. Your installation may differ.

1. Server SYSTEM INFO:

START / All Programs / Accessories / System Tools / System Information
File / Save (Saves as an .NFO file)
File / Export (Saves as an .TXT file)

2. Server REGISTRY DUMP:

START / Run / “regedit”
Right-click “My Computer” / Export (Saves as a .REG file)

3. Server EVENT LOGS:

For Windows Server 2003:
START / Programs / Admin Tools / Event Viewer /
Select the APPLICATION LOG, and then "Save Log File As..."
Enter application as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Enter system as filename.

For Windows Server 2008:
START / Programs / Admin Tools / Event Viewer / Windows Logs
Select the APPLICATION LOG, then "Save Log File As..."
Select CSV (Comma Separated Values) as FILE TYPE
Enter application as filename.
Select the APPLICATION LOG, then "Save Log File As..."
Select EVTX (EventX) as the FILE TYPE
Enter application as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Select CSV (Comma Separated Values) as FILE TYPE
Enter system as filename.
Select the SYSTEM LOG, and then "Save Log File As..."
Select EVTX (EventX) as the FILE TYPE
Enter application as filename.

4. Server LOGS:

All the logs for that date – pay close attention to the date embedded in the file name, and do not rely on the Windows “Date Modified” stamp. Please place these log files in a subfolder called “logs” (eg, C:\1-4123456\logs\ ) You may use the search function and find all files matching the bold string below:

*YYMMDD*.*

where YY is the year, MM is the month, and DD is the day, eg, *100823*.* would be all log files for August 23rd, 2010.

Log files are located in the following folder by default: D:\Shoreline Data\Logs


Be advised that log files are deleted automatically based on the SYSTEM PARAMETERS / OTHER / Log File Storage setting in Director, so be sure to copy the files within this time frame. Otherwise they will be removed.

5. Call GUIDs and Examples:

Include call GUIDs, source and destination extension/number, and time and date stamp of the call. More call GUIDs are always better than fewer. Please provide as much information as possible! You may use the following template to describe the issue.

Who? Is experiencing the problem?
What? Is the exact issue?
Where? At what site (both physically and logically) is the issue occurring?
When? At what time did the issue occur in this example, and how often does it occur?
How? Exactly what process, step-by-step, results in the error?
Extra Info? Is there any extra information you are aware of that may be helpful?

Here’s an example:

Who? John Doe at extension 1234 and Jane Doe at extension 1567
What? Choppy audio on the phone call.
Where? John is at Sunnyvale, CA (HQ) and Jane is at Austin, TX (AUS)
When? The problem occurs every Wednesday between 5pm and midnight CST.
How? John at 1234 calls Jane on his ShoreTel IP560 by picking up the handset and dialing Jane’s extension. Jane answers by clicking “Answer” in the pop-up using her softphone in Communicator. Jane is speaking to John on her USB headset, and John is using the handset.
Extra Info? Jane tried using her desk phone (a ShoreTel IP230 at the Sunnyvale HQ site) to call John and experienced the same problem.

6. CDR LOGS:

Copy the appropriate LOG file from: D:\Shoreline Data\Call Record 2\

7. ShoreTel DATABASE dump:

For pre ST8, please copy the database (Shoreware.MDB):

D:\Shoreline Data\Database

For ST8, perform a MySQL database dump by opening a CMD prompt in the following directory:

C:\Program Files\Shoreline Communications\ShoreWare Server\MySQL\MySQL Server 5.0\bin

Then enter:

mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shoreware>C:\\shoreware_db.sql

For ST10.1+

mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shoreware>C:\\shoreware_db.sql --port=4308

These commands place the dump file in the root of the C:\ drive, named “shoreware_db.sql”.

8. CDR DATABASE dump:

For pre ST7, please copy the CDR.mdb from the following folder:

D:\Shoreline Data\Call Records 2

For ST7+, perform a MySQL database dump by opening a CMD prompt in the following directory:

C:\Program Files\Shoreline Communications\ShoreWare Server\MySQL\MySQL Server 5.0\bin

For ST7 – ST9.2, enter:

mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shorewarecdr>C:\\shoreware_cdr.sql

For ST10.1+, enter:

mysqldump.exe --add-drop-table --routines --user=root --password=shorewaredba --database shorewarecdr>C:\\shoreware_cdr.sql --port=4309

These commands place the dump file in the root of the C:\ drive, named “shoreware_db.sql”.

9. EXTRA Info

Please include any additional screen shots, videos, or files that either have been requested or you feel will be helpful.

Please compress the folder you created into a ZIP file with all the above files in it. You can do this by right-clicking the folder and selecting “Send To…”, “Compressed (ZIPPED) Folder”. Make sure the name of this ZIP file is SRNUMBER.zip (eg, “1-4123456.zip”) and attach it to the SR via our web page, http://support.shoretel.com, or upload it to our FTP server at ftp://ftp2.shoretel.com .

For FTP credentials, you may use the following case-sensitive credentials:

ftp2.shoretel.com
Username: XXXXXXXXX
Password: XXXXXXXX

Please update the Service Request online when your upload or attachment is complete so a notification is generated for your Technical Support Engineer. If you require assistance with this process, please call into the TAC at 800-742-2348 and any available engineer can assist you.

Sunday, December 25, 2011

ShoreTel CallerID problem: shows main number instead of DID

All, I got stuck the other day on an issue where every phone in the company that called out had a caller ID of the main corporate number.  I had the main number in the BTN of the trunk group, and that was the number the caller ID showed for everyone.  Well, they didn't want that.  They wanted each individual's number to show up.  That made sense, but I couldn't seem to find where to override this and make it show the DID of the individual.  Well, I did find it.  It was under the "Trunk Group" and the specific trunk, where "Enable Original Caller Information" was checked.  Simply uncheck it and the DID shows up.

I got banned from a forum today... :)

Something funny happened to me the other night.  I signed up at a forum called ShoreTelforums.com and I got banned within an hour of signing up, because I posted a link to the two "cheat sheets" I created on this blog.  Boy, I tell you, you try to help some folks out by posting something helpful to people and you get "banned for life".  I thought that forums were to help each other out in the technical arena?  I guess not.  Anyway, I did put the links in on ShoreTel's official forum (forums.shoretel.com), and I didn't get banned.  I think ShoreTel's own forums actually like to help people.  :)  Merry Christmas all.

CallManager Express (CME): config explanations (notes)


Merry Christmas all!  I hope all have had a good Christmas today.  I came across a "CME explained" document that I created some time back from an old config I had of a CallManager Express, where I put some explanations of key config statements and what they do.  I hope this helps some of you who do CMEs and need some explanations of things.  See below the config and the explanations (the explanations were in blue in the original post).  I deleted some of this so it wouldn't be so long.
CME2821#show run
Building configuration...

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CME2821
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-4.XC7.bin <------ This IOS image MUST be compatible with the CME version that is on here. We are using 4.0(3), and this image is the “least” image we can have for 4.0(3) to run properly on our 2821 router.
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa session-id common
resource policy
clock timezone central -6
clock summer-time zone recurring
network-clock-participate wic 1
network-clock-select 1 T1 0/1/0
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.75.1 192.168.75.10 <------ Exclusion that will not allow client IPs of .1 through .10 to be handed out to clients. This scope will start at .11.
!
ip dhcp pool phone <------ Name of the DHCP pool is “phone”.
import all
network 192.168.75.0 255.255.255.0
option 150 ip 192.168.75.1 <------ Option 150 tells the phones where to look for the TFTP server, so that they know where to get their phone loads.
default-router 192.168.75.1
ip domain name company.net
!
isdn switch-type primary-ni <------ The PRI switch type used is Primary NI2.
!
voice-card 0
no dspfarm
voice service voip <------ The allow statements allow calls from protocol to protocol: H323 to H323, H323 to SIP, etc.
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
h323 default
sip default
header-passing default
registrar server expires max 3600 min 3600 default
!
voice class codec 1
codec preference 1 g711ulaw <------ Use uncompressed voice; for internal LANs, you don’t need to compress the voice. You only need compression when going over a T1, Frame Relay, etc.
!
voice translation-rule 1 <------ This is voice translation-rule 1. You reference it much like access-list 1 in an ACL. Notice down in the “voice translation-profile strip9” that “translate called 1” references this translation-rule. This rule is not applied to anything, because the 9 is stripped off by default. No need to apply it.
rule 1 /^9\(.*\)/ /\1/ <------ This rule strips the 9 off the front of the digits. For example, when you push 9 to get an outside line, it takes that 9 off before handing the number over to the PRI, or in our case, the Cisco IAD.
!
Below, translation-rule 2 adds digits to the numbers going out. Rule #1 in this translation-rule states that any call with an extension of 83XX should have “205413” added to the front of it, because in this case the NuVox Cisco IAD expects to see 10 digits from our CME. This IS configurable on their side. Rule #2 states to add “205876” to anything coming in from the LAN with a 4 digit string of “15XX”. Our block of numbers is 205.876.1500 – 1532. Same for rule #3, where our two main lines 4490 and 4494 need a “205986” in front of the two extensions before being forwarded out to the Cisco IAD. If these rules were not in place, you would not be able to get past the Cisco IAD, and therefore you would get a fast busy signal.
*****NOTE***** If you get another dialtone AFTER you dial your number, that means that the IAD (in this case) is expecting digits from ONLY the DIDs they have listed, as programmed into the Cisco IAD (NuVox owned). This is a security feature, and it will only allow calls from the DIDs they list. If you get dial tone and digits are sent without problem to the IAD, the IAD is the issue.
voice translation-rule 2
rule 1 /^\(83..\)$/ /205413\1/
rule 2 /^\(15..\)$/ /205876\1/
rule 3 /^\(44..\)$/ /205986\1/
!
Below, this translation-rule (3) was for test purposes in troubleshooting an issue, not relevant to this config.
voice translation-rule 3
rule 1 /.*/ /2054138323/
!
voice translation-profile callerid
translate calling 3
!

Below, this was named “fix_clid” because the NuVox Cisco IAD expects 10 digits, and we have to provide a way to do so. Therefore, if you look down at voice-port 0/1/0:23, you will notice that this profile is applied to that voice-port. Hence, 10 digits are forwarded to the NuVox Cisco IAD.
voice translation-profile fix_clid
translate calling 2
!
Below, this is a translation-profile which a translation-rule goes into. OR the translation-rule is referenced by the translation-profile. Remember this one is not being used, because the 9 is stripped off the number before being sent out by default. “strip9” is what the translation-profile is called.
voice translation-profile strip9
translate called 1 <------ “1” is the translation-rule that is referenced (voice translation-rule 1). Kind of like your portfolio has pictures in it, a translation-profile has a translation-rule in it.
!
crypto pki trustpoint TP-self-signed-1571388936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1571388936
revocation-check none
rsakeypair TP-self-signed-1571388936
!
username company privilege 15 password 7 XXXXXXX
!
controller T1 0/1/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
pri-group timeslots 1-24
!
interface GigabitEthernet0/0
description LAN
no ip address
duplex auto
speed auto
!
===============================================
These two sub-interfaces are for the voice and data vlans. They connect to a trunk port on the 3560.
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.73.4 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.75.1 255.255.255.0
no snmp trap link-status
===============================================
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/1
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/2
switchport mode trunk
switchport voice vlan 5
!
interface FastEthernet0/3/3
switchport mode trunk
switchport voice vlan 5
!
interface Serial0/1/0:23
no ip address <------ No IP address needed
encapsulation ppp <------ Usually ppp, but the router defaults to HDLC
isdn switch-type primary-ni <------ Switch type given by the phone company
isdn incoming-voice voice <------ Voice calls come in here
!
interface Serial0/1/1:23
no ip address
encapsulation ppp
shutdown
isdn switch-type primary-ni
isdn incoming-voice voice
!
interface Service-Engine1/0 <------ This interface is for Unity Express.
ip unnumbered GigabitEthernet0/0.1
service-module ip address 192.168.73.8 255.255.255.0 <------ MUST be on the same network as the router LAN scheme.
service-module ip default-gateway 192.168.73.4 <------ Notice it is on the same LAN IP scheme also.
!
interface Vlan1 <------ You need an IP address on these two vlans if you are going to use the 4 port switch module in the router. Do not use it for vlan 1 or vlan 5, but you can for other vlans if need be.
no ip address
!
interface Vlan5
no ip address
!
ip route 0.0.0.0 0.0.0.0 192.168.73.1
ip route 192.168.73.8 255.255.255.255 Service-Engine1/0 <------ Tells the router where to route to for the CUE config.
!
ip http server <------ Must have this on if you are going to do any admin work via the GUI.
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
snmp-server community 4star$ RO
!
Below are the TFTP phone loads, ring tones, etc. Do not delete any of these. Remember “option 150” in your DHCP scope? This is what it’s after, depending on the type of phone you have. DO NOT DELETE ANY OF THESE.
tftp-server flash:P0030702T023.bin
tftp-server flash:P00405000700.bin
tftp-server flash:P0030702T023.loads
tftp-server flash:P0030702T023.sb2
tftp-server flash:P0030702T023.sbn
tftp-server flash:CVM70.2-0-0-112.sbn
tftp-server flash:Jar70.2-9-0-117.sbn
tftp-server flash:TERM70.7-0-1-0s.LOADS
tftp-server flash:TERM70.DEFAULT.loads
tftp-server flash:TERM71.DEFAULT.loads
tftp-server flash:cnu70.2-7-4-134.sbn
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
!
control-plane
!
voice-port 0/0/0
voice-port 0/0/1
voice-port 0/1/0:23
translation-profile outgoing fix_clid
voice-port 0/1/1:23
!
Below, this dial peer is for voice-mail. The pilot number for voicemail is 7000. Notice the IP address in the “target” is the CUE module. G711 is also used.
dial-peer voice 5 voip
destination-pattern 7...
session protocol sipv2
session target ipv4:192.168.73.8
dtmf-relay sip-notify
codec g711ulaw
no vad
!
These dial-peers have descriptions that explain themselves. Notice that each lists a port for where calls will be forwarded out, or in. Also, notice they are “pots” dial-peers and not “voip” dial-peers, meaning they are coming from or going to the PRI.
dial-peer voice 1 pots
description ===== INBOUND CALLS ===== ===== INBOUND CALLS =====
incoming called-number .
direct-inward-dial
port 0/1/0:23
!
dial-peer voice 2 pots
description ===== 911 CALLS ===== ===== 911 CALLS =====
destination-pattern 911
port 0/1/0:23
prefix 911
!
dial-peer voice 3 pots
description ===== LOCAL CALLS ===== ===== LOCAL CALLS =====
destination-pattern 9[2-9]......
clid override rdnis
port 0/1/0:23
!
dial-peer voice 4 pots
description ===== 911 CALLS STRIP 9 ===== ===== 911 CALLS STRIP 9 =====
destination-pattern 9911
port 0/1/0:23
prefix 911
!
dial-peer voice 6 pots
description ===== LONG DISTANCE CALLS ===== ===== LONG DISTANCE CALLS =====
destination-pattern 91[2-9]..[2-9]......
clid override rdnis
port 0/1/0:23
prefix 1
!
dial-peer voice 7 pots
description ===== INTERNATIONAL CALLS ===== ===== INTERNATIONAL CALLS =====
destination-pattern 9011T
port 0/1/0:23
prefix 011
!
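The two digit-manipulation mechanisms in this config, the voice translation-rules (regex rewrites of the calling or called number) and the default digit stripping on "pots" dial-peers (which is why the 9 never reaches the PRI without any strip9 profile), are easy to get wrong without a way to try a number through them. The following is an added example in Python, my own code and not Cisco's, that models both using the exact rules and destination-patterns from the config above: translate() applies a rule set the way IOS does (first matching rule wins), and route_pots() picks the matching POTS dial-peer and works out the digits actually sent out the port after explicit-match stripping and the configured prefix. Dial-peer selection here is simplified to "longest explicit match wins", which is enough for the non-overlapping patterns in this config; the translation rules are assumed to be IOS basic-regex syntax with \( \) capture groups.

```python
import re

# Ordered (match, replace) pairs copied from the "voice translation-rule" lines above.
# IOS writes capture groups as \( \); Python's re uses ( ), so ios_regex() converts them.
STRIP9 = [(r"^9\(.*\)", r"\1")]                       # voice translation-rule 1
FIX_CLID = [(r"^\(83..\)$", r"205413\1"),             # voice translation-rule 2
            (r"^\(15..\)$", r"205876\1"),
            (r"^\(44..\)$", r"205986\1")]


def ios_regex(pattern):
    """Turn an IOS translation-rule match pattern into a compiled Python regex."""
    return re.compile(pattern.replace(r"\(", "(").replace(r"\)", ")"))


def translate(rules, number):
    """Apply a translation-rule set the way IOS does: rules are tried in order and the
    first one that matches rewrites the number; no match leaves it untouched."""
    for match, repl in rules:
        rx = ios_regex(match)
        if rx.search(number):
            return rx.sub(repl, number, count=1)
    return number


# (dial-peer id, destination-pattern, prefix) from the "pots" dial-peers above
POTS_DIAL_PEERS = [
    (2, "911", "911"),
    (3, "9[2-9]......", ""),
    (4, "9911", "911"),
    (6, "91[2-9]..[2-9]......", "1"),
    (7, "9011T", "011"),
]


def pattern_regex(dest):
    """destination-pattern wildcards: '.' is one digit, 'T' is any further digits,
    '[2-9]' is a digit range; everything else is an explicit digit."""
    out = [r"\d" if ch == "." else r"\d*" if ch == "T" else ch for ch in dest]
    return re.compile("^" + "".join(out) + "$")


def explicit_digits(dest):
    """Count the leading explicitly-matched digits. A POTS dial-peer strips these by
    default (so the 9 is dropped) and forwards the wildcard-matched part plus any prefix."""
    n = 0
    for ch in dest:
        if ch in ".[T":
            break
        n += 1
    return n


def route_pots(dialed):
    """Return (dial-peer id, digits sent out the port) for a dialed string, or None.
    Longest explicit match wins: a simplification of IOS dial-peer selection."""
    matches = [(explicit_digits(d), pid, pre) for pid, d, pre in POTS_DIAL_PEERS
               if pattern_regex(d).match(dialed)]
    if not matches:
        return None
    n, pid, pre = max(matches)
    return pid, pre + dialed[n:]


if __name__ == "__main__":
    for ext in ("8323", "1510", "4490", "7000"):
        print("fix_clid:", ext, "->", translate(FIX_CLID, ext))
    for dialed in ("911", "9911", "95551234", "912055551234", "9011442071234567"):
        print("pots:", dialed, "->", route_pots(dialed))
```

Running it shows why dial-peer 2 needs "prefix 911": the pattern 911 is entirely explicit, so stripping would leave nothing to send, and the prefix puts the digits back. It also shows that extension 7000 (the voicemail pilot) passes through fix_clid unchanged, because none of its three rules match a 7XXX number.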
Below, you have the telephony-service where you tell it several things like what load to use for what phone, no auto-registration of the phones (they have to be manually added for security reasons), maximum of 52 phones supported, maximum of 192 extensions, voicemail pilot, call forwarding, pushing “9” to get outside dialtone, etc.
telephony-service
no auto-reg-ephone
load 7960-7940 P0030702T023
load 7941GE SCCP41.8-0-4SR3AS
load 7941 SCCP41.8-0-4SR3AS
load 7970 SCCP70.8-0-4SR3AS
max-ephones 52
max-dn 192
ip source-address 192.168.75.1 port 2000
dialplan-pattern 1 205XXXXXXX extension-length 4 extension-pattern XXXX
voicemail 7000
max-conferences 8 gain -6
call-forward pattern .T
transfer-system full-consult
transfer-pattern .T
secondary-dialtone 9
create cnf-files version-stamp 7960 Sep 24 2007 20:25:01
!
The extensions are below, in the “ephone-dn” section. The description shows up in the top right corner of the phone, the name shows up when you are calling someone (it tells them who you are instead of the extension), and the number is the actual extension number.
ephone-dn 1 dual-line
number 8323
description Joey XXXXX
name Joey XXXXX
!
ephone-dn 2 dual-line
number 4490
name XXXXXXX
!
These two are the message waiting indicator (MWI) numbers. CUE dials 8000 (on) or 8001 (off) plus your extension number to turn the light on your phone on or off.
ephone-dn 100
number 8000....
mwi on
!
ephone-dn 101
number 8001....
mwi off
!
Below is where the actual physical phones start. You put in the mac-address of the phone, tell it what type of phone so it knows what kind of phone load to look for, and you assign the extension with the “button” command. The “button” command goes like this: button (physical button on the side of your phone:ephone-dn #). So, “button 1:1” would refer to first button on the right side of the phone, and extension 8323, which is Joey’s.
ephone 1
device-security-mode none
mac-address 001B.5494.A209
type 7970
mwi-line 2
button 1:1 2:2 3:4 4:50
!
ephone 2
device-security-mode none
mac-address 001A.E22A.C835
type 7940
button 1:5

banner login ^C******This is a private network********^C
!
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180269
ntp server 140.221.9.20
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Wednesday, December 21, 2011

Cheat Sheet: MultiTech FaxFinder integration with ShoreTel 12.1

Cheat Sheet:  Integrating MultiTech FaxFinder with ShoreTel 12.1

I have to be honest on this.  I have had a hard time with this integration, and so I owe a lot of thanks to Oliver at ShoreTel TAC.  I talked with about 6 engineers from ShoreTel on this.  He seems to be the only one that knew anything about it.  So, with his help, I got through the ShoreTel side of the config and I thought I'd share what had to be done to get this thing going. 
First, I have ShoreTel 12.1.  Second, I have a FF230 (MultiTech FaxFinder model 230).  The MultiTech 230 is a dual analog device, meaning it is capable of only having two calls at a time on it.  It connects to my customer's ShoreTel 24A, so it acts like a station endpoint.  With that said, let's move on.
My customer has a different fax number than they do for their voice extension.  So, I have in my example 7405 (the fax) and 7404 (the phone extension).  The call flow goes like this:  The call comes in across the PRI.  It hits the ShoreTel phone system, where I have a DNIS entry mapping 7405 to 7404.  This DNIS entry is under Trunk --> Trunk Group --> (name of PRI) --> "edit DNIS map" button.  The fax gets forwarded to the phone extension.  Now, this is important.  Under Sites --> (Site name) --> FAX Redirect Extension:, you put the user you configured for analog line #1 of the FaxFinder 230 as the destination (FaxFinder1 - ext. 4050 in my case).  This is connected to the 24A port 14 and is an extension only, no mailbox.  On that user's properties, go down to the "Fax Support" portion, click the drop-down menu and select "Fax Server".   Under Personal Options of this user, go down to Edit Call Handling Modes: Standard Mode.  Select "No Answer/Busy", and forward "Busy Destination" and "No Answer Destination" to the second user that holds the other analog line.  In my case, it is user FaxFinder2 - ext. 4051.  On that extension, do the same thing, except I don't forward to anything on Busy/No Answer. 

Now, on the MultiTech FaxFinder.  Go to the System Configuration tab, and fill in the Network parameters.  Fill in the SMTP and Time properties also.  Oh yeah, upgrade the firmware also.  Two days ago they came out with an upgrade.  You will want to do this, according to MultiTech. 
On the Fax Configuration tab, configure Routing as DTMF Digits.  No need to change anything else except "Max Extension Digits", where mine was 4 digits to match the number of digits in my extensions.  Under Inbound Routing, run the email size limit up to 100000K or higher.  The default I found was too low, which I think was 5000K.  Under the Users tab, add your users.  Input all their info, and make sure at the bottom that you select the "Add Route" check box and the appropriate extension.  IF you do not check that box and add that extension, you won't get faxes to your email.  Oh yeah, I'm sending faxes to email here, which is configurable under Fax Configuration --> Inbound Routing --> edit user. 

That's all.  I hope this helps out.  To me, the MultiTech was easier than the ShoreTel piece.  But, it's in and working.  Oh yeah, don't forget to put in an admin email address.  All faxes that come in and don't match a user will go to the admin.  That might be important if you don't want to miss a fax.

Now, one thing I don't care for, which I actually tried to set up.  I thought I could forward the FAX Redirect Extension (under Sites) to a Hunt Group instead, which had both 4050 and 4051 in it.  It wouldn't work.  According to ShoreTel TAC, it won't work.  In fact, there is NO way to make it work.  That hurts.

Monday, December 19, 2011

Does ShoreTel Support NFAS Configuration?

Ok, let me start off this post by saying that there are many things that I do like about the ShoreTel phone system.  However, I have to say that I don't like that ShoreTel doesn't support NFAS for "bonded" PRIs.  When I learned this today from a TAC case I had opened, I was really disappointed.  In fact, IF a customer has this configuration and they don't want to go away from it, ShoreTel is automatically out as a VoIP choice.  Reliability is of utmost importance to businesses with call centers, governments, etc. (and PRIs are the most reliable in my opinion).  Maybe in the future ShoreTel will support the NFAS configuration for bonded PRIs, but as of today, they don't.

Thursday, December 15, 2011

Brocade (Foundry): "PoE Error: Memory allocation failed" / "Error: LLDP can't allocate memory for generating any of the location ID config"

  I was at a customer site yesterday and I was getting ready to do a ShoreTel install.  I noticed that I was having some PoE issues, and that is when I came across an even bigger issue.  It appeared that my Brocade switches were really NOT happy, for when I consoled into one of my switch stacks to find the PoE issue, I got this message continuously scrolling down the page:
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).
PoE Error: Memory allocation failed (2705, ../../../../platform/HAL/system/ch/src/poe_drv_CH.c).

  Well, no wonder I'm having PoE issues, and now I have no idea what this error means.  So, I rebooted the switch and it cleared things up, for the moment.
  That is when I got into another switch that was having an issue.  I was getting this message when I got into it:
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the location ID config
Error: LLDP can't allocate memory for generating any of the network policy config

  Hmmm.  I don't know what all that means, but I noticed one common thing in both messages: memory.  So, I called up Brocade TAC and it turns out that I have an IOS version that has a bug, specifically a memory leak.  Well, I did the upgrade of the IOS and all seems to be well now.  But, here is what I did to do the upgrade of the IOS:
  First, I needed to upgrade the boot image.  Here is the command:
"copy tftp flash 172.24.14.125 grz07100.bin boot"

  Second, here is the command for upgrading the IOS:
"copy tftp flash 172.24.14.125 FCXS07202e.bin pri"

  Next, reload the switch and you are done:
"reload"

Sunday, December 11, 2011

Cisco: How To Decrypt The PCF Group Authentication Password

Do you ever get tired of NOT knowing the VPN group authentication password in a pcf file?  I do.  But, here is a way to decrypt those starred-out characters.  It's been very handy to me.  Go to the pcf file and open it up in Notepad.  C:\Program Files\Cisco Systems\VPN Client\Profiles is where the profiles are located.  Find the place where it reads "enc_GroupPwd=".  Highlight the key underneath and copy it.  Paste it into the box in the link below.  Then, hit "decode" and it spits out your key in the middle of the page.  Easy.
Decode Group Authentication Passwords HERE

ShoreTel: Amphenol cable pinout for the ShoreGear 24A

Ok, why am I concerned with the amphenol cable?  Well, because if you do any ShoreGear 24A devices, you will need to know this.  I do not know the cable pinout by heart.  So, I often refer to this diagram.  I thought I'd share it with you all.  Here it is.



Brocade (Foundry): PoE insufficiency - "detection failed - out of range capacitor"

One of the cool things I have found out from my local Brocade engineer is that when it comes to PoE, you can actually control how much power is given on each port.  If you are on the ethernet interface, you can type in "inline power ?".  It will give you an interesting option.

  interface ethernet 1/1/2
 dual-mode  25
 inline power power-by-class 2   <--- Interesting option here to me.
 trust dscp
 sflow forwarding

Notice that in this configuration on the interface, you see "inline power power-by-class 2".  You can change the power output based on what power class your device is.  I mainly see this with VoIP phones.  In this case, I had to look up how much power a ShoreTel IP230 phone took.  It was a class 2 PoE device, according to the specs.  Hence the command you see.  It won't give more than a class 2 power rating on that interface.

Why would you want to do this?  Because if you don't specify less power when you only need a smaller amount, you will find that some of your ports on your switch won't give out power; the switch reports an insufficient amount.  So, by running the power down with the above command, you give your other ports that wouldn't normally have a chance at having power the opportunity to give out power.   Pretty cool.

Here is what you get by default when you do a show inline power:
telnet@ConfRoom#sh inline power
Power Capacity:         Total is 410000 mWatts. Current Free is 20000 mWatts.
Power Allocations:      Requests Honored 26 times
 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
 1/1/1  Off     Off            0          0  n/a      n/a         3  n/a
 1/1/2  On      Off            0          0  n/a      n/a         3  n/a
 1/1/3  On      Off            0          0  n/a      n/a         3  n/a
 1/1/4  On      Off            0          0  n/a      n/a         3  n/a
 1/1/5  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/6  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/7  On      Off            0          0  n/a      n/a         3  n/a
 1/1/8  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/9  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/10  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/11  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/12  On      On           188      30000  Legacy   n/a         3  n/a
1/1/13  On      Off            0          0  n/a      n/a         3  n/a
1/1/14  On      Off            0      30000  n/a      n/a         3  n/a
1/1/15  On      Off            0      30000  n/a      n/a         3  n/a
1/1/16  On      Off            0      30000  n/a      n/a         3  n/a
1/1/17  On      Off            0      30000  n/a      n/a         3  n/a
the rest omitted...

Notice above the 30000 mWatts allocated.  But, this is what you get when you modify the power output to be a class 2 output:
telnet@ConfRoom#sh inline power
Power Capacity:         Total is 410000 mWatts. Current Free is 165000 mWatts.
Power Allocations:      Requests Honored 48 times
 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
 1/1/1  On      Off            0       7000  n/a      n/a         3  n/a
 1/1/2  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/3  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/4  On      Off            0          0  n/a      n/a         3  n/a
 1/1/5  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/6  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/7  On      Off            0          0  n/a      n/a         3  n/a
 1/1/8  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
 1/1/9  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/10  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/11  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/12  On      On           188       7000  Legacy   n/a         3  n/a
1/1/13  On      Off            0          0  n/a      n/a         3  n/a
1/1/14  On      Off            0       7000  n/a      n/a         3  n/a
1/1/15  On      Off            0       7000  n/a      n/a         3  n/a
1/1/16  On      Off            0       7000  n/a      n/a         3  n/a
1/1/17  On      Off            0       7000  n/a      n/a         3  n/a
the rest omitted...

See the 7000 mWatts instead.  Makes life a little better in the PoE world.
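As an added example (not code from the original post), here is a Python parser for the "show inline power" listings above. It totals the per-port allocations and works out how many more ports the free budget covers at 30000 mW versus 7000 mW per port; the two sample outputs are constructed excerpts of the listings shown above.

```python
"""Parse Brocade/Foundry `show inline power` output and size the PoE budget.

Added example, not code from the original post. The two excerpts below are
constructed from the listings in the post (most ports omitted).
"""
import re
from dataclasses import dataclass

# Per-port allocation the post shows: 30000 mW by default, 7000 mW once the
# interface is set to `inline power power-by-class 2`.
DEFAULT_ALLOC_MW = 30000
CLASS2_ALLOC_MW = 7000

CAPACITY_RE = re.compile(r"Total is (\d+) mWatts\. Current Free is (\d+) mWatts")
PORT_RE = re.compile(
    r"^\s*(\d+/\d+/\d+)\s+(\w+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*?)\s*$"
)


@dataclass
class PoePort:
    port: str
    admin: str
    oper: str
    consumed_mw: int
    allocated_mw: int
    fault: str


def parse_inline_power(text):
    """Return (total_mw, free_mw, [PoePort, ...]) from a `show inline power` dump."""
    total = free = 0
    ports = []
    for line in text.splitlines():
        cap = CAPACITY_RE.search(line)
        if cap:
            total, free = int(cap.group(1)), int(cap.group(2))
            continue
        row = PORT_RE.match(line)
        if row:
            ports.append(PoePort(row.group(1), row.group(2), row.group(3),
                                 int(row.group(4)), int(row.group(5)), row.group(9)))
    return total, free, ports


def budget_report(text, per_port_mw):
    """Summarise where the budget goes and how many more ports it could power."""
    total, free, ports = parse_inline_power(text)
    return {
        "total_mw": total,
        "free_mw": free,
        # Power reserved by ports that are admin On but have nothing powered:
        # this reservation is what starves the remaining ports.
        "reserved_idle_mw": sum(p.allocated_mw for p in ports
                                if p.oper == "Off" and p.allocated_mw > 0),
        "powered_ports": [p.port for p in ports if p.oper == "On"],
        # Ports whose PD detection failed never get an allocation; that is a
        # cabling/device problem, not a budget problem.
        "detection_failed": [p.port for p in ports
                             if p.fault.startswith("detection failed")],
        # How many further ports the free budget covers at this allocation size.
        "extra_ports_possible": free // per_port_mw,
    }


# Constructed excerpts of the post's before/after listings.
DEFAULT_OUTPUT = """\
telnet@ConfRoom#sh inline power
Power Capacity:         Total is 410000 mWatts. Current Free is 20000 mWatts.
Power Allocations:      Requests Honored 26 times
 Port   Admin   Oper    ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
        State   State   Consumed  Allocated                          Error
--------------------------------------------------------------------------
 1/1/1  Off     Off            0          0  n/a      n/a         3  n/a
 1/1/5  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/12  On      On           188      30000  Legacy   n/a         3  n/a
1/1/13  On      Off            0          0  n/a      n/a         3  n/a
1/1/14  On      Off            0      30000  n/a      n/a         3  n/a
1/1/15  On      Off            0      30000  n/a      n/a         3  n/a
"""

CLASS2_OUTPUT = """\
telnet@ConfRoom#sh inline power
Power Capacity:         Total is 410000 mWatts. Current Free is 165000 mWatts.
Power Allocations:      Requests Honored 48 times
 1/1/1  On      Off            0       7000  n/a      n/a         3  n/a
 1/1/5  On      Off            0          0  n/a      n/a         3  detection failed - out of range capacitor
1/1/12  On      On           188       7000  Legacy   n/a         3  n/a
1/1/14  On      Off            0       7000  n/a      n/a         3  n/a
1/1/15  On      Off            0       7000  n/a      n/a         3  n/a
"""

if __name__ == "__main__":
    print("default:", budget_report(DEFAULT_OUTPUT, DEFAULT_ALLOC_MW))
    print("class 2:", budget_report(CLASS2_OUTPUT, CLASS2_ALLOC_MW))
```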

VPN remote-access into a Cisco IOS router.

One of the things I think is cool is that you don't necessarily need a firewall to do VPN remote-access.  You can do this with a Cisco router just as well.  This is really good if you have a Cisco router lying around not being used for anything.  Let's look at the configuration for this.
This was on a 1841 Cisco router.  Let's first define what we will NAT and what we will not NAT.  The deny statements are what you do NOT want to NAT.  The permit statements DO NAT.
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any

Now, let's make an ACL that will do the encryption.  Source and destination.  Notice that in both of these ACLs, the subnet mask is backwards (a wildcard mask).  It can be a little confusing, but it's just the way the IOS is.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255

Now, the DHCP pool for the Cisco remote-access clients:
ip local pool ippool 192.168.50.50 192.168.50.250

The NAT statement on what to NAT.  Place this on the external interface:
ip nat inside source list 111 interface FastEthernet1/0 overload

Let's tell the router to use local authentication:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local

Create a username and password for local authentication:
username tech password passwordstring

Configure Phase I:
crypto isakmp policy 3
 encr aes-256
 hash sha
 authentication pre-share
 group 2

Create Phase II:
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

Configure the group, pcf password, DNS name, DHCP pool to use, and the encryption ACL to use:
crypto isakmp client configuration group vpnclient
 key companypassword
 domain company.com
 pool ippool
 acl 101

Create the crypto piece where you will apply Phase II:
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route

Crypto Maps:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

Apply to the external interface:
interface FastEthernet1/0
 crypto map clientmap

Now, test your Cisco VPN client and verify you can log in with the local credentials.  That's it.

Friday, December 9, 2011

Cisco ASA: NAT'ing site to site VPN traffic - NOT NOT NAT

I have come across a few situations where I needed to NAT VPN traffic to a certain IP address.  The remote end (usually a place that has a lot of VPN connections) wouldn't allow private addressing to be used.  So, I needed a public IP address or range to use.  With that said, I decided I wanted my 10.0.0.0 subnet to be NAT'ed to the 174.X.X.167 address.  They will accept this on their remote end, since my client will only be sending traffic to them; they will not be sending traffic to us.  So we only need one IP address, since they are not trying to reach multiple servers here at my customer.
Let's look at the config:
Phase I:
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

Phase II:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Tunnel creation:
tunnel-group 62.X.X.233 type ipsec-l2l
tunnel-group 62.X.X.233 ipsec-attributes
 pre-shared-key passkey

Now the fun stuff.  Remember, we ARE NAT'ing our traffic.  We want to NAT our 10.0.0.0 private network to 174.X.X.167.  So, we need to define what internal traffic gets NAT'ed when it is destined to 206.X.X.210.
NAT ACL:
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210    

Now, let's do the encryption ACL.  If you are coming from the 10.0.0.0 network you get NAT'ed to be 174.X.X.167, so for traffic destined to 206.X.X.210 the following encryption ACL will match the traffic that goes across the VPN.
Encryption ACL:
access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210

Now, we have to tell it to NAT.  We do this with a static NAT translation.  We say if the ACL policy-nat is matched, then NAT to 174.X.X.167.
static (inside,outside) 174.X.X.167  access-list policy-nat   

Then go add the crypto map.
crypto map outside_map 20 match address customer-access
crypto map outside_map 20 set peer 62.X.X.233
crypto map outside_map 20 set transform-set ESP-AES-256-SHA

Apply to the outside interface:
crypto map outside_map interface outside
crypto isakmp enable outside

Done.  Now you are NAT'ing your vpn traffic across the site to site VPN.
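As an added example (not the post's configuration), a short Python model of the ordering this post relies on: policy NAT rewrites the source first, and only then is the crypto map's encryption ACL checked, so the encryption ACL has to name the NAT address rather than the 10.0.0.0 network. The post's public addresses are redacted (174.X.X.167, 206.X.X.210), so RFC 5737 documentation addresses stand in for them as labelled placeholders.

```python
"""Model the ASA order of operations behind this post: policy NAT rewrites the
source first, then the crypto map's encryption ACL is checked against the
translated packet, so the encryption ACL must name the NAT address.

Added example, not the post's configuration. The post redacts its public
addresses (174.X.X.167, 206.X.X.210); this example substitutes RFC 5737
documentation addresses for them, labelled as placeholders below.
"""
import ipaddress

NAT_ADDRESS = ipaddress.ip_address("198.51.100.167")  # placeholder for 174.X.X.167
REMOTE_HOST = ipaddress.ip_address("203.0.113.210")   # placeholder for 206.X.X.210


def ace(src, dst):
    """One ASA extended ACE; ASA ACLs use ordinary subnet masks, not wildcards."""
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False))


# access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 host 206.X.X.210
POLICY_NAT_ACL = [ace("10.0.0.0/255.0.0.0", f"{REMOTE_HOST}/32")]

# access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210
CRYPTO_ACL = [ace(f"{NAT_ADDRESS}/32", f"{REMOTE_HOST}/32")]

# The tempting mistake: an encryption ACL written for the pre-NAT source.
PRE_NAT_CRYPTO_ACL = [ace("10.0.0.0/255.0.0.0", f"{REMOTE_HOST}/32")]


def acl_permits(acl, src, dst):
    """First-match evaluation; an ACL with no matching ACE denies."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def policy_nat(src, dst):
    """static (inside,outside) 174.X.X.167 access-list policy-nat

    Only flows matching policy-nat are translated; everything else keeps its
    real address (the post's other traffic is not headed for this peer).
    """
    return NAT_ADDRESS if acl_permits(POLICY_NAT_ACL, src, dst) else src


def outbound(src, dst, crypto_acl=CRYPTO_ACL):
    """Return (source address seen on the wire, whether the VPN encrypts it)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = policy_nat(src, dst)
    # crypto map ... match address customer-access is evaluated after NAT
    return str(translated), acl_permits(crypto_acl, translated, dst)


if __name__ == "__main__":
    print(outbound("10.1.2.3", str(REMOTE_HOST)))                      # NAT'd and encrypted
    print(outbound("10.1.2.3", str(REMOTE_HOST), PRE_NAT_CRYPTO_ACL))  # NAT'd, not encrypted
    print(outbound("10.1.2.3", "203.0.113.9"))                         # neither
```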

Cisco ASA to Pix site to site VPN template

Here is a sample site to site vpn template for an ASA to a Pix.  Thought someone might be interested in having something like this.  It's been handy for me.  It's good to just modify to your needs and cut and paste in.  All in notepad.

ASA config:
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list huntsville_remote extended permit ip 10.10.0.0 255.255.0.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group 13.X.X.226 type ipsec-l2l
tunnel-group 13.X.X.226 ipsec-attributes
 pre-shared-key passkey!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address huntsville_remote
crypto map outside_map 10 set peer 13.X.X.226
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal



PIX config:
crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address bham_main
crypto map vpn_map 10 set peer 66.X.X.130
crypto map vpn_map 10 set transform-set bham_main
crypto ipsec transform-set bham_main esp-aes-256 esp-sha-hmac
isakmp key passkey! address 66.X.X.130 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto map vpn_map interface outside
isakmp enable outside
isakmp nat-traversal 10
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list bham_main permit ip 192.168.30.0 255.255.255.0 10.10.0.0 255.255.0.0

Doing Cisco configs in notepad first

Ever do configs in notepad?  It is so much easier than just getting on the ASA/Router/Switch itself and doing it.  I don't know why.  I just find that if you know the cli pretty well, it seems easier to write all the config out in notepad (cut and paste and modify mostly) and then cut and paste the final product into the device itself.  Any thoughts on that?  Here is what I have for tonight's config of an ASA:
config t
int vlan 2
no ip add
ip add 13.X.X.218 255.255.255.248
exit
no ip route 0.0.0.0 0.0.0.0 67.X.X.73
ip route 0.0.0.0 0.0.0.0 13.X.X.217
no static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
no static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
no static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
no static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
no static (inside,outside) tcp 67.X.X.76 3389 192.168.168.250 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
no static (inside,outside) 67.X.X.77 192.168.168.55 netmask 255.255.255.255
no static (inside,outside) 67.X.X.78 192.168.168.245 netmask 255.255.255.255
no access-list 101
access-list 101 extended permit tcp any host 13.X.X.218 eq citrix-ica
access-list 101 extended permit udp any host 13.X.X.218 eq 1494
access-list 101 extended permit tcp any host 13.X.X.218 eq https
access-list 101 extended permit tcp any host 13.X.X.218 eq 1604
access-list 101 extended permit udp any host 13.X.X.218 eq 1604
access-list 101 extended permit tcp any host 13.X.X.218 eq pptp
access-list 101 extended permit ip any host 13.X.X.220
access-list 101 extended permit tcp any host 13.X.X.219 eq 3389
access-list 101 extended permit ip any host 13.X.X.221
access-list 101 extended permit tcp any host 13.X.X.218 eq 2067
static (inside,outside) tcp interface citrix-ica 192.168.168.209 citrix-ica netmask 255.255.255.255
static (inside,outside) udp interface 1494 192.168.168.209 1494 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.168.209 https netmask 255.255.255.255
static (inside,outside) tcp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) udp interface 1604 192.168.168.209 1604 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.168.250 pptp netmask 255.255.255.255
static (inside,outside) tcp 13.X.X.219 3389 192.168.168.250 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 2067 192.168.168.49 2067 netmask 255.255.255.255
static (inside,outside) 13.X.X.220 192.168.168.55 netmask 255.255.255.255
static (inside,outside) 13.X.X.221 192.168.168.245 netmask 255.255.255.255
wr mem
exit
reload  (The ASA will reboot after you type this in.)

Tomorrow, I should be able to just cut and paste this whole thing in all at once and be done with it quickly while onsite.  Anyway, not much technical on this post, but I just thought it was a good note for tonight.  Notepad can be a good thing sometimes.

Tuesday, December 6, 2011

ShoreTel: The lack of multiple extension capability.

One of the things I come across quite a bit is that a company has users who have multiple extensions.  It's really a common request, for whatever reason.  Cisco does this without any issue, and it's very easy to configure a phone to have multiple extensions.  You just go to the phone, select the line appearance and put in the number you want it to have.  ShoreTel, unfortunately, does not have this option.  They want you to do a "monitor extension" or a hunt group to accomplish this.  I am not a fan of this, because I feel like this can limit you on some "out of the box" thinking, not to mention you cannot fulfill a request for simply having two regular extensions.
I have talked with a ShoreTel pre-sales guy about this, and he says it can be done.  However, he has never installed a phone system before.  I am always cautious about pre-sales engineers, simply because of what I consider to be a "lack of real world experience".
As of version 12.1, I talked with a ShoreTel TAC engineer about this.  I'm pasting this piece of the chat below.

2:22 PM Me: Ok, it would be nice to just be able to have two regular extensions that act the same way, just two separate extensions.  But I'm thinking that it can't be done on this system, correct?
2:23 PM ShoreTel TAC: That is a great suggestion Shane, you may want to review this link and provide feedback. http://blog.shoretel.com/2011/07/shoretel-suggestions-goes-live/
2:24 PM ShoreTel TAC: However, as you saw via the configuration you cannot assign two separate extensions to one user. So based on the user's requirements I will help provide the best configuration solution.

To me, it's very frustrating that you cannot do this.  Maybe in the future ShoreTel will incorporate this.  I can say that there have been situations where I have recommended Cisco over ShoreTel solely because of this.

EDITED POST:  Ok, I know you are saying, as some have directly to me, why not just use BCA?  Well, because BCA doesn't work the same way as an extension.  It works differently than a "shared" line.  Read the documentation.

Saturday, December 3, 2011

Cant add route-map to the Cisco 3750 vlan interface for policy based routing

Well, today I had quite a day re-doing a topology for a customer.  But there was one thing in particular that was worthy of writing about.  One of my goals was to add a route-map into a pair of 3750s that were acting as a redundant core.  They were merging two companies onto the same network, but wanted some boundaries.  They wanted to keep each other off each other's resources, but needed to share the network infrastructure because of the redundancy built in.  They were saving money by sharing resources, but still implementing security across the network.  One of the things they wanted to do was to still utilize their own Internet pipe.  Each of them had their own ASAs in place, with their own amount of bandwidth.  

So, with that said, the goal here was to add a route-map on the 3750 cores and separate the Internet traffic from there, across each company's own firewalls.  Ok, so let's look at the route-map.

Ok, here is the access list that determines what happens.  I want all traffic coming from 10.10.1.0 and 10.10.2.0 to go out Internet 2, unless they are going to each other.  In that case, we don't want them to match the criteria.  The first four are denies (don't go to Internet 2), then the permits.  The permits say go to the Internet 2 ASA.  Then a deny for anything else.
access-list 105 deny   ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny   ip 10.10.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.2.0 0.0.0.255 any
access-list 105 deny   ip any any
!
Now for the route-map.  The "match ip address 105" says to look at ACL 105 for the matching criteria.  Then if it matches, set the next hop to be 10.10.2.2, which is Internet 2.
route-map SBS permit 10
 match ip address 105
 set ip next-hop 10.10.2.2
!
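As an added example (not the post's own code), here is a Python evaluator for IOS numbered ACLs written with wildcard masks, fed with ACL 105 above and ACL 101 from the IOS remote-access VPN post earlier on this page, which is where the "backwards" subnet mask is mentioned. It then applies route-map SBS to show which flows get next-hop 10.10.2.2 and which fall through to normal routing; it goes a little beyond the page in that the bit-wise match also handles the non-contiguous wildcards IOS allows.

```python
"""Evaluate IOS numbered ACLs written with wildcard masks, then apply the
post's route-map SBS to see which flows are policy-routed to 10.10.2.2.

Added example, not the post's code. The ACL lines are the ones on this page
(ACL 105 from this post, ACL 101 from the IOS remote-access VPN post above).
The match is done bit-wise, so it also handles non-contiguous wildcards,
which IOS allows, not only inverted subnet masks.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask):
    """255.255.255.0 -> 0.0.0.255: the wildcard is the inverted subnet mask."""
    return str(ipaddress.IPv4Address(ip_int(mask) ^ ALL_ONES))


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (number, action, src, dst).

    SRC/DST are 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'; each becomes an
    (address, wildcard) pair of integers.
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    number, action = tok[1], tok[2]
    i = 4
    fields = []
    for _ in range(2):
        if tok[i] == "any":
            fields.append((0, ALL_ONES))
            i += 1
        elif tok[i] == "host":
            fields.append((ip_int(tok[i + 1]), 0))
            i += 2
        else:
            fields.append((ip_int(tok[i]), ip_int(tok[i + 1])))
            i += 2
    return number, action, fields[0], fields[1]


def wildcard_match(addr, field):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must match."""
    base, wild = field
    return ((ip_int(addr) ^ base) & (~wild & ALL_ONES)) == 0


def acl_action(acl, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for _number, action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


# route-map SBS permit 10 / match ip address 105 / set ip next-hop 10.10.2.2
def pbr_next_hop(acl, src, dst, next_hop="10.10.2.2"):
    """Return the policy next hop, or None when the packet is routed normally."""
    return next_hop if acl_action(acl, src, dst) == "permit" else None


ACL_105 = [parse_ace(line) for line in """
access-list 105 deny   ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 deny   ip 10.10.2.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.2.0 0.0.0.255 any
access-list 105 deny   ip any any
""".strip().splitlines()]

ACL_101 = [parse_ace(line) for line in """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
""".strip().splitlines()]

if __name__ == "__main__":
    # 203.0.113.7 is a constructed Internet host address.
    print(pbr_next_hop(ACL_105, "10.10.2.20", "203.0.113.7"))   # 10.10.2.2
    print(pbr_next_hop(ACL_105, "10.10.2.20", "10.10.1.17"))    # None
    print(acl_action(ACL_101, "192.168.10.4", "192.168.50.60"))  # permit
```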
Now, let's apply the policy to the vlan we want to implement this on.  Let's look at the vlan interface:
interface Vlan102
 description *** Company 2 Network ***
 ip address 10.10.2.254 255.255.255.0
 ip helper-address 10.10.1.17
 ip policy route-map SBS    <--- *** Here is where it is implemented onto the vlan interface ***
 standby 102 ip 10.10.2.1

Now, here is the real reason I'm writing this post:  At first, and for the next two or three tries, the policy would not apply.  AND, it never gave me any indication that it DIDN'T apply.  I didn't know why, but it wasn't working.  When I went to ipchicken.com, it wouldn't give me the public address of company 2.  So, what was wrong?  Well, after some research, I found that I had to add a command on the 3750 (and probably on any L3 switch, I'm guessing).  So, here is what I did:

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload

I cannot tell you exactly what this "sdm prefer routing" command does at this point, but I have every intention of reading more about it.  I know it refers to how resources are allocated within the 3750.  Here is what I'm planning on reading: Thanks Cisco for explaining this.

So, after a reload, the 3750s come back up and I am now able to apply the route-map to the interface with the "ip policy route-map" command.  Give it a good read.  I know I will. 

Wednesday, November 30, 2011

Cisco Router: How To Bond Two T1s Together For More Bandwidth

I wanted to post something tonight because I haven't posted in a while.  I'd like to cover "bonding" two T1s together to make one larger pipe.  I mean going from 1.54Meg to 3Meg.  Who doesn't love more bandwidth?  So here is what I did on a Cisco 1841 router.
First, you need to configure the controller interfaces:
controller T1 0/1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/1/1
 framing esf
 linecode b8zs
 channel-group 1 timeslots 1-24

Next, let's configure the Multilink interface.  This is where the IP address goes:
interface Multilink1
 ip address 172.24.0.2 255.255.255.252
 ppp multilink
 ppp multilink group 1

Next, let's configure the serial interfaces that the T1s will plug into.  These are "bonded" together with the "ppp multilink group 1" command.
interface Serial0/1/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/1:1
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!

That's it.  Now you have 3Meg instead of 1.54Meg.  Not too shabby.

Monday, November 14, 2011

Brocade (Foundry): Error - invalid virtual ethernet interface number.

I have run into a nuisance on occasion on a layer 3 Brocade switch: when I want to go into the VE interface, I can't. Here is what I mean:

BR-telnet@DC_CORE_1(config-vlan-10)#int ve 10
Error - invalid virtual ethernet interface number.

As you can see above, when I try to go into virtual ethernet interface 10, I get an error saying it's invalid. Well, the reason is that you have to go into the vlan first and put an ethernet port in the vlan to make it "appear", if you will. Until you put an interface in the vlan, you will not be able to go into the VE interface. See the example below.

BR-telnet@DC_CORE_1(config)#vlan 10
BR-telnet@DC_CORE_1(config-vlan-10)#tagged eth 1/1
Added tagged port(s) ethe 1/1 to port-vlan 10.
BR-telnet@DC_CORE_1(config-vlan-10)#router-interface ve 10
BR-telnet@DC_CORE_1(config-vlan-10)#int ve 10
BR-telnet@DC_CORE_1(config-vif-10)#

I run into this a lot, and I tend to forget I have to have a port in the vlan first. I can't go in and do VRRP or put an IP address on the virtual ethernet interface until I get a port in that vlan. Just a thought for today.

How To Configure A Stack On A Brocade (Foundry) FCX648SHPOE

I am often asked to setup a stack with the FCX648SHPOE Brocade switches. This is a pretty simple process to do. Connect the stacking cables in the back appropriately (up on first switch to down on the second switch, and vice versa for controller redundancy). Boot them up and then go through the following configuration:
config t
stack enable
exit
stack secure
config t
stack mac XXXX.XXXX.XXXX <--- Primary switch MAC address

After the "stack secure" command, the stack will start to configure. It will take a few seconds and then all switches except the primary switch will reboot. To see the stack configuration, do the "show stack" command. Below you will see that I ran the command when the second switch was still booting up.
FCX648SHPOE Switch#sh stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
1 S FCX648SPOE alone XXXX.XXXX.6bc0 128 local None:0

. +---+
-2/2| 1 |2/1-
. +---+

Current stack management MAC is XXXX.XXXX.6bc0
FCX648SHPOE Switch#Election, was alone --> active, assigned-ID=1, total 2 units, my priority=128
Detect stack member 2 POE capable
Done hot swap: Set stack unit 2 to Ready <--- (NOTICE THE 2nd UNIT HAS BOOTED UP AND IS READY IN THE STACK)
sh stack <--- I RAN THE "SHOW STACK" COMMAND AGAIN TO SEE THE 'CURRENT' TOPOLOGY.
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
1 S FCX648SPOE active XXXX.XXXX.6bc0 128 local Ready
2 D FCX624SPOE member XXXX.XXXX.a000 0 remote Ready

. active
. |+---+ +---+|
-2/1| 1 |2/2--2/1| 2 |2/2-
. | +---+ +---+ |

Current stack management MAC is XXXX.XXXX.6bc0
FCX648SHPOE Switch#Election, was active, no role change, assigned-ID=1, total 2 units, my priority=128

That is all you have to do. Brocade certainly makes this an easy process.

Saturday, November 5, 2011

Check Point: How to setup UTM-1 high availability (step-by-step)

I came across a document I created for doing a UTM-1 install in an HA environment. I thought I'd share it with you in case you ever need help with the process. I created this so that I wouldn't forget how to do it, and it's worked every time.
====================================================================
Steps to installing a HA for UTM-1

You need this info:
1. Get all the IP info you need: what the VIP will be (same as the current physical IP) for DMZ, Internal, and External, etc. You also need the physical IPs for each UTM-1 (what's available that you can use, NOT for the VIP).
2. You also need the management station hostname and domain name.
3. You need a screenshot of the smart update screen, for clarification.
4. You need DNS servers.
5. You need the next hop route for the default route.
6. You need any routes that are on the underlying OS, so that you can put them in on the UTM-1 system.
7. When onsite at the client, put the "upgrade_export" file on the existing Check Point box so that you can do an "upgrade_export" (to get the current config of the current system). The "upgrade_export" file has to be the same version you are going to. You can not use an "upgrade_export" from R60 when you are going to R65, etc. The location you will go to, to put the file on the existing box, is as follows: "cd $FWDIR/bin/upgrade_tools". You will need to be in expert mode. (You may want to rename the existing "upgrade_export" before you put the new one on the existing box). Then, to do the export, you type the following: "./upgrade_export ". You will ftp this exported file onto your laptop so that you can take it to the lab and do an import when you are ready to do the "upgrade_import" off the UTM-1.

**NOTE**: You will need several Eval Licenses since you are going to be changing IP addresses a few times during this process. 3 should be enough to do the complete install.

Install Instructions:
1. Install the first UTM-1 with the current IP info, etc that matches the management station IP of the current install. Verify the IP address is the one of the management station that you are putting on the UTM-1.
2. After the initial install, you will reboot the UTM-1.
3. When it comes back up, you will ssh into the UTM-1. It will be time to do the "upgrade_import" for the exported file you obtained from the existing Check Point (cd $FWDIR/bin/upgrade_tools). You will have to ftp the exported file to the new UTM. The import will look like this example:
"[Expert@utm1570]# ./upgrade_import cpbackup.tgz"
(**NOTE**: You need to copy the file from the directory you copied it to (probably /home/admin) to the $FWDIR/bin/upgrade_tools folder to do the import.)
4. After the import, reboot the UTM-1 and make sure everything works. Open Dashboard and re-IP the "old" management station to a different IP address. (**NOTE**: You may have to go into the command line and define yourself as a GUI Client (option 3) by running "cpconfig".)
5. At this point, you go into the WebUI, go to "cluster" and create the cluster. It will reboot after you create this. It's one button to push.
6. You reboot and go into smart Dashboard, and the cluster configuration automatically comes up when you log in. Cancel this. The new Cluster will be there under the check point devices now. It will only show the one primary under the cluster at this time, since you have not started on the secondary yet.
7. ***NOTE*** Ok, here I had to go back and put the original IP address back on the cluster. When it created the cluster, it made the "old" management station into the new cluster.
8. Go into WebUI, and change the IPs to what you want the primary to be, all interfaces. This wont be the VIPs.
9. Logged into Dashboard, and first thing to do is to go and pull the topology in the cluster. Go into cluster (classic mode) -->topology --> "edit topology" and "get all members' topology"
10. Put the VIPs in for the cluster. Save this.
11. Replace ALL "old" check point stations with the "new" created check point station in the policy rules.
12. Delete the "old" check point out of the configuration.
13. In order to push policy, you are going to have to get the evaluation licenses to get it to work properly. It wont push until you get them in place.
14. Go to the CP User Center and create eval licenses. Go to Smart Update and attach them. Use the IP address of the physical box, not the VIP.
15. Go into Smart Update and attach the licenses.
16. Push policy to the primary UTM-1. When it pushes, start on the secondary UTM-1.

Secondary UTM-1:
1. Install the second UTM-1 and make it the secondary in the "cluster". Go ahead and connect the crossover cable on the SYNC interface.
2. Make sure you have the license ready for the secondary.
3. Once the install is done, reboot the secondary.
4. When it comes back up, go into Dashboard, and open up the cluster. Go into simple mode (wizard) and add the cluster in Dashboard.
5. Install policy to both UTM-1s.
6. Go into smart update and add the license.
7. Make sure you have deleted out all references to the old firewall.


steps:
do the primary first
import upgrade_export
make sure it works.
configure cluster on the primary
do the secondary utm.

====================================================================

Friday, November 4, 2011

How To Upgrade The Check Point UTM-1 Via WebUI

I wanted to go over the process of doing an upgrade on the Check Point UTM-1 appliance. It used to be that the upgrade was somewhat easy, if you knew what to do. Now, it's even easier with the UTM-1 appliance.
In this example today, I did an upgrade from R70.20 to R70.40. First, I had to go and download the image from Check Point's website. Just choose the appropriate image you need. In my case today, I needed Check_Point_R70.40_Upgrade.Splat.tgz. I downloaded it, went into the WebUI, then on the left side, click 'Appliance'. In the center, click on "upload upgrade to appliance', browse to where you downloaded your image, and then upload it. It will take a few minutes to upload.

Next, you want to click on 'Start upgrade". To the right of that, it tells you the image it will use to upgrade.

The upgrade varies in time, according to the version you are upgrading to, etc. It will go through the process of decompressing the file, extracting the file, takes a snapshot of the current system config, does the upgrade, then reboots the UTM-1.
Today, the UTM-1 rebooted and I logged in and it told me that the upgrade was successful when I logged in. I could see that when I went to the 'Information' page, where it tells you the version you are running.
Now, here is the tricky thing. I have seen in the past (and I don't know if/when this changed) that you only had a certain amount of time to do the upgrade, which you chose at the beginning of the upgrade process. If you did not log in by the time the 'timeframe you selected' was up (15 minutes was the default), then it would revert back to the old version you just tried to upgrade FROM. I can say though, that the last few Check Point UTMs I have upgraded did not let me set an amount of time to do the upgrade in. I'm not sure why sometimes it's like that and sometimes it's not, but you will know what it is if you see it.
So that is how you do the Check Point UTM-1 upgrade.