Being able to monitor your network traffic is essential when it comes to troubleshooting problems, performing a security audit or even casually checking your network for suspicious traffic.

Back in the old days whenever there was a need to monitor or capture network traffic, a hub would be introduced somewhere in the network link and, thanks to the hub’s inefficient design, it would copy all packets incoming from one port out to all the rest of the ports, making it very easy to monitor network traffic. Those interested in hub fundamentals can read our Hubs & Repeaters article.

Of course switches work on an entirely different principle and do not replicate unicast packets out of every port on the switch, but keep them isolated unless it’s a broadcast or multicast.

Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward process and does not require the presence of a hub. The Cisco method is called Switched Port Analyser also known as  SPAN.

Understanding SPAN Terminology

• Ingress Traffic: Traffic that enters the switch
• Egress Traffic: Traffic that leaves the switch
• Source (SPAN) port: A port that is monitored
• Source (SPAN) VLAN: A VLAN whose traffic is monitored
• Destination (SPAN) port: A port that monitors source ports. This is usually the point to which a network analyser is connected.
• Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches. RSPAN explanation and configuration will be covered in another article.

Figure 1. The network diagram above helps us understand the terminology and implementation of SPAN.

Source SPAN ports are monitored for received (RX - Ingress), transmitted (TX - Egress) or bidirectional (both) traffic.  Traffic entering or exiting the Source SPAN ports is mirrored to the Destination SPAN port. Typically, you would connect a PC with a network analyser  on the Destination SPAN port, and configure it to capture and analyse the traffic.

The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and understood. A reliable Network Analyser will not only show the captured packets but automatically diagnose problems such as TCP retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer to quickly locate network problems which otherwise could not be easily found.

Basic Characteristics & Limitations Of Source Port

A source port has the following characteristics:

• It can be any port type such as EtherChannel, Fast Ethernet, Gigabit Ethernet and so forth.
• It can be monitored in multiple SPAN sessions.
• It cannot be a destination port (that’s where the packet analyser is connected)
• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
• Source ports can be in the same or different VLANs.
• For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Basic Characteristics & Limitations Of Destination Port

Each SPAN session must have a destination port that receives a copy of the traffic from the source ports and VLANs.

A destination port has these characteristics:

• A destination port must reside on the same switch as the source port (for a local SPAN session).
• A destination port can be any Ethernet physical port.
• A destination port can participate in only one SPAN session at a time.
• A destination port in one SPAN session cannot be a destination port for a second SPAN session.
• A destination port cannot be a source port.
• A destination port cannot be an EtherChannel group.

Limitations Of SPAN On Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:

• Cisco Catalyst 2950 switches are only able to have one SPAN session active at a time and can monitor source ports. These switches cannot monitor VLAN source.
• Cisco Catalyst switches can forward traffic on a destination SPAN port in Cisco IOS 12.1(13)EA1 and later
• Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs
• The Catalyst 2970, 3560, and 3750 switches do not require the configuration of a reflector port when you configure an RSPAN session.
• The Catalyst 3750 switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
• Only one destination port is allowed per SPAN session and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.

Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch, however, the commands used are fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560−E, 3750, 3750−E and 4507R Series Switches.

The diagram below represents a typical network setup where there is a need to monitor traffic entering (Ingress) and exiting (Egress) the port to which the router connects (FE0/1). This strategically selected port essentially monitors all traffic entering and exiting our network.

Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port. Traffic copied from FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic.

Once we have our network analyser setup and running, the first step is to configure FastEthernet 0/1 as a source SPAN port:

Next, configure FastEthernet 0/24 as the destination SPAN port:

After entering both commands, we noticed our destination’s SPAN port LED (FE0/24) began flashing in synchronisation with that of FE0/1’s LED – an expected behaviour considering all FE0/1 packets were being copied to FE0/24.

Confirming the monitoring session and operation requires one simple command, show monitor session 1:

To display the detailed information from a saved version of the monitor configuration for a specific session, issue the show monitor session 1 detail command:

Notice how the Source Ports section shows Fa0/1 for the row named Both. This means that we are monitoring both RX & TX packets for Fa0/1, while the Destination Port is set to Fa0/24.

Turning to our network analyser, thanks to its predefined filters we were able to catch packets to and from the worksation monitored:

This completes our discussion on SPAN configuration and how to monitor/capture packets on a Cisco Catalyst switch. Upcoming articles will cover RSPAN and more advanced packet capturing techniques using dedicated VLANs for captured traffic and other complex scenarios.

The Cisco Catalyst Switching Portfolio is perhaps one of the most useful Cisco PDF files, containing all Catalyst series products. 

The portfolio covers all Cisco modular switches, including the popular 6500 and 4500 series, the chassis, slots, supervisor engine options, compatible line cards for 10 Gigabit Ethernet, Gigabit Ethernet, Fiber, 10/100/1000 and bundles.

The Fixed Configuration Switches section includes the Cisco Catalyst 4900 series, popular 3750-X StackWise Plus switches, 3750V2, 3560-X, 3560-E, 3560, 2960S with FlexStack Stacking and LAN Base, LAN Lite software, 3560-C, 2960-C and 2360 models.

For each category of Catalyst switches you'll find full model numbers, detailed descriptions and the necessary product number. 

This great PDF file will allow you to quickly find the right product for your needs without spending hours on Cisco's site trying to figure out what products are available.

To download this time-saver PDF, visit our Cisco Product Datasheets & Guides Download section.

Cisco announces the end-of-sale and end-of-life dates for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches. The last day to order the affected product(s) is January 30, 2013. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin.

Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.

Table 1. End-of-Life Milestones and Dates for the Cisco Catalyst 3750G, 3560G, 3750-E, and 3560-E Series Switches

Table 2. Product Part Numbers Affected by This Announcement

The SG500 series Cisco switches are the next step up from the already popular SG300 Layer-3 switches. Cisco introduced the SG Small Business series switches to compete against DELL’s and HP’s offerings and take the same share of the market. 

Cisco saw the massive gap between its entry level Catalyst switches (2960S & 3560) and the competition, and decided to hit them as much as it could with the SG series switches.

The specifications on the newer SG 500 series switches are impressive: switching capacity starting from 28.8Gbps for the smallest 24-port SG500, up to 176Gbps for the largest models that include 10Gpbs uplinks, all with layer-3 switching, stacking and power efficiency capabilities!

Here are some highlights of the SG 500 Series:

• High-Power Power over Ethernet Plus (PoE+), providing up to 30 watts per port
• Full IPv6 Support
• Advanced Layer 3 Traffic Management (InterVLAN-Routing)
• Strong Security. Access Control Lists (ACLs), Voice VLAN, Guest VLAN and many more security features.
• Power Efficiency. Ability to automatic power shutoff ports not used, adjusting signal strength based on length of connecting cable etc.
• Expandability. Offering 1G and 1G/5G Ethernet expansion slots. 10G expansion slots for the 500X series.
• Limited lifetime warranty with next-business-day advanced replacement.

For our readers' convenience, we've made the following downloads available directly from Firewall.cx:

• Cisco SG500 Series Overview
• Cisco SG500 Series Datasheet
• Cisco SG500 Quick Start Guide

 These are easily accessible in our SG500 Datasheet Download section.

Initial Setup of SG500-52P

Just like the SG200 & SG300 series, the SG500 can be configured by both Web and CLI interface. The Web interface is highly intuitive but does require some time to understand its layout and where to configure different aspects of the switch.

The CLI mode is similar to that of the Cisco IOS Catalyst switches but it has its own logic, something we believe Cisco did deliberately to ensure the SG series configuration experience is not ‘identical’ to the much more expensive and well known Catalyst switches.

We found that the best way to configure the switch was to use the CLI interface for specific functions such as setting up IP Addresses, creating and naming VLANs, setting default gateway, then using the web interface for configuring the trunk and access links, allowed VLANs etc. When we completed the configuration and performed a ‘show running-config’ in CLI mode, we then understood that some of the web configuration could have easily been done through CLI.

As with the SG200 & SG300 models, it is advised to always keep the firmware updated to the latest available version. Earlier SG300 firmware suffered from plenty of problems that could cause the switch to stop processing packets and required a reboot to restore functionality.

Hopefully, we won’t be experiencing the same problems with the SG500 firmware.

Before You Begin

Both SG300 and SG500 series switches are layer-3 capable, which means you can create multiple VLANs and route between them - a function called InterVLAN routing. For more information about InterVLAN routing, you can read our InterVLAN  routing article.

Most people are not aware that when an SG300 or SG500 switch is powered up for the first time, it defaults to Layer-2 mode!  In order to create multiple VLANs, assign IP Addresses and enable Layer-3 Switching, you must switch the SG300 & SG500 to router mode! When this is done all configuration is erased and the device is reset, losing any configuration performed.

It is therefore highly advisable to always switch to router mode before any configuration is performed on the switch!

Switching to ‘Router’ Mode – Enabling Layer-3 Switching

To switch to router mode, connect to the serial port using the provided DB9 serial cable (read up on our serial cable articles for info on DB9 connectors) and set the com port thus:

• 115200 Baud Rate
• 8 Data Bits
• No Parity
• 1 Stop Bit
• No Flow Control

When presented with the login prompt, use ‘cisco’ as the username and password. You will be requested to change the password before you perform any configuration:

User Name:cisco  Password:*****

Please change your password from the default settings. Please change the password for better protection of your network.

Do you want to change the password (Y/N)[Y] ?Y

Enter old password  : *****
Enter new password  : ************
Confirm new password: ************

When complete, the CLI prompt will be presented along with the familiar hash symbol. At the prompt, enter show system mode to view the current mode:

switch# show system mode

Feature    State
------   ---------
Mode:      Switch

Without delay, let’s switch to router mode:

switch# set system mode router

Changing the switch working mode will *delete* the startup configuration file and reset the device right after that. It is highly recommended that you will backup it before changing the mode, continue ? (Y/N)[N] Y

As the reset process begins, a number of messages will be displayed on the console and the switch will finally reboot:

switch# 02-Feb-2012 10:48:36 %AAA-I-CONNECT: User CLI session for user cisco over console , source 0.0.0.0 destination  0.0.0.0 ACCEPTED, aggregated (1)


02-Feb-2012 10:48:55 %FILE-I-DELETE: File Delete - file URL flash://startup-config
Resetting local unit

**************************************************
*****************  SYSTEM RESET  *****************
**************************************************
Boot1 Checksum Test...............................PASS

Boot2 Checksum Test...............................PASS

Flash Image Validation Test.......................PASS

BOOT Software Version 1.2.0.12 Built  23-Nov-2011  08:31:59

Networking device with Marvell ARM CPU core. 256 MByte SDRAM.
I-Cache 16 KB. D-Cache 16 KB. L2 Cache 256 KB. Cache Enabled.

MAC Address   :  88:43:e1:ad:52:53.

Autoboot in 2 seconds - press RETURN or Esc. to abort and enter prom.
Preparing to decompress...
 100%
Decompressing SW from image-1
 100%

OK
Running from RAM...
About to erase CDB. Terminal baud rate will now be set to default!
Board ID is 27
Device ID 0xdc7411ab

*********************************************************************
*** Running  SW  Ver. 1.2.0.97  Date  02-Feb-2012  Time  10:12:46 ***
*********************************************************************
HW version is V01
Base Mac address is: 88:43:e1:ad:52:53
Dram size is  : 256M bytes
Dram first block size is  : 208896K bytes
Dram first PTR is  : 0x3000000
Dram second block size is  : 4096K bytes
Dram second PTR is  : 0xFC00000
Flash size is: 32M
02-Feb-2012 10:13:09 %CDB-I-LOADCONFIG: Loading running configuration.
02-Feb-2012 10:13:09 %CDB-I-LOADCONFIG: Loading startup configuration.
Device configuration:
Slot 1 - SG500-52P
Device 0: GT_98DX3124 (TomCat)
Device 1: GT_98DX3124 (TomCat)

------------------------------------
-- Unit Number 1                  --
------------------------------------
02-Feb-2012 10:13:21 %Entity-I-SEND-ENT-CONF-CHANGE-TRAP: entity configuration change trap.
02-Feb-2012 10:13:32 %INIT-I-InitCompleted: Initialization task is completed

>
-----------------------------------
-- Unit Number 1  Master Enabled --
-----------------------------------

Tapi Version: v1.9.5
Core Version: v1.9.5
02-Feb-2012 10:13:39 %Stack-I-STCK-CFG-CHNG: Configuration changed: chain
02-Feb-2012 10:13:39 %MLDP-I-MASTER: Switching to the Master Mode.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 1 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 2 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 3 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 4 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 1 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 2 status changed - operational.
02-Feb-2012 10:13:43 %SNMP-I-CDBITEMSNUM: Number of running configuration items loaded: 0
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 3 status changed - operational.
02-Feb-2012 10:13:43 %Environment-I-FAN-STAT-CHNG: FAN# 4 status changed - operational.
02-Feb-2012 10:13:43 %SNMP-I-CDBITEMSNUM: Number of startup configuration items loaded: 0
02-Feb-2012 10:13:43 %Entity-I-SEND-ENT-CONF-CHANGE-TRAP: entity configuration change trap.

>lcli

At this point, it is necessary to login using the cisco username & password, then change the password as prompted.

Issuing the show system mode command will then confirm the switch is in router mode, which means we are in business:

Creating VLANs, Assigning IP Addresses, Default Gateway, DNS Name-Server & Enabling IP Routing

The process of creating VLANs on the SG500 is similar to that of the Catalyst switches. First create your VLANs and then VLAN interfaces to configure IP addresses.  Since VLAN 1, the Default VLAN is already created, we only require that we change its IP address to match our network.  Keep in mind that the switch has VLAN 1 preconfigured with IP address 192.168.1.254, but also has DHCP enabled, so if the switch finds a DHCP server during startup it will automatically obtain an IP address. When the system uses its default IP address (192.168.1.254), the System LED shown below will flash continuously:

We’ve now set VLAN 1’s IP address to 192.168.1.2. Next step is to create VLAN2 & 5, our Voice VLAN & Guest VLAN, name them and configure an IP address for each:

switch(config)# vlan 2
switch(config)# interface vlan 2
switch(config-if)# name Voice-VLAN
switch(config-if)# ip address 192.168.10.2 255.255.255.0
switch(config-if)# exit
switch(config)# vlan 5
switch(config)# interface vlan 5
switch(config-if)# name Guest-VLAN
switch(config-if)# ip address 192.168.50.2 255.255.255.0
switch(config-if)# exit

The vlan 2 & vlan 5 command creates VLAN 2 and VLAN 5, however the switch’s prompt will not change, so do not be alarmed.

Finally, we set the switch’s hostname, configure the default gateway, name-server for dns resolution and enable ip routing:

Saving Our Configuration

Saving the configuration is easily performed using the classical command:

Web Configuration

For those wishing to use the web interface to configure the switch, don’t despair as there are still plenty of features that can be configured through the web interface.  VLAN creation and IP address configuration are certainly a lot faster and easier through the CLI interface, especially if you make a mistake and need to make corrections.

To access the web interface, enter the switch’s VLAN 1 IP address as configured previously. In our example, this is 192.168.1.2.  You’ll be greeted with the login screen and prompted to enter a valid username and password. Once entered, the Getting Started screen is shown:

Assigning Ports To VLANs

The web interface provides two different ways to assign VLANs to the switch’s ports. Under the VLAN Management menu, you’ll find the Port-to-VLAN and Port-VLAN-Membership options.  The first, Port-to-VLAN option, presents all available ports and by selecting the appropriate VLAN from the top you can assign it, exclude it or make it the native VLAN for any of the selected ports:

In our example, we’ve selected VLAN 2 (VLAN ID equals 2), our Voice VLAN, and configured all but one port to carry VLAN 2 traffic as Tagged. When configuring a VLAN as Tagged traffic, the port automatically becomes a trunk port and the Trunk option above is greyed out as you cannot disable it – a logical restriction.  When configuring a VLAN to Untagged it then becomes the Native VLAN for that port. If these concepts are new, we would highly recommend you read through ourVLAN section.

We’ve configured VLAN2 traffic as Tagged, which means we plan to connect an IP Phone to these ports and from there on a PC. VLAN 1 traffic is set as the Untagged traffic, or Native VLAN for all ports.

Finally, Port GE1 is forbidden to carry VLAN2 traffic. The reason for this is that we plan to connect our Internet router on port GE1 and there is no reason for our Voice VLAN traffic to exist on that port, for security reasons of course.

When done, click on Apply to save the changes and continue with the rest of the VLAN port configuration.

The Port-VLAN-Membership menu provides an overview of all port configuration, however, changes can only be made for one port at a time:

Our screenshot shows no configuration has been made as VLAN2 and 5 are not configured for any port. Select the port of interest and click on Join VLAN at the bottom of the page:

The small pop-up window will appear in which we can select a VLAN from the area on the right (under Select VLAN:), then choose the tagging method for the selected VLAN and finally assign it to the port by clicking on the right arrow ‘>’:

Once complete, click on Apply to save the changes followed by Close to return to the menu, or select the next port to be configured from the upper area of the page.

We should note that the Port-to-VLAN is the fastest way to configure multiple switch ports simultaneously.

Configuring Voice VLAN Settings

Configuration of the Voice VLAN settings is necessary to ensure the switch understands which VLAN will carry the traffic.  Experience shows its best to specify the Voice VLAN port under these settings, rather than leave it to the switch's discretion to figure it out.

In our example, VLAN ID 2 is our Voice VLAN, so we've changed the default VLAN ID from 1, to 2 and disabled the Dynamic Auto Voice VLAN feature for security purposes.

Finally, click on Apply to save the changes.

Setting System Time

The system’s time can be configured under the Administration > Time Settings > System Time:

To configure synchronization with an NTP server, enable the Main Clock Source SNTP Servers and set the correct Time Zone Offset. Next, configure the Daylight Saving Settings and click on Apply. 

Move to SNTP Unicast menu option, enable the SNTP Client Unicast and add your preferred NTP server as shown below:

Click on Apply to save your changes.

Creating User Accounts

To create the desired user accounts to access the switch, select the Administration > User Accounts menu.

Currently there is only the default account "cisco". Click on Add and enter the username and  password:

Note the different User Levels available for the user being created. For full access, select level 15.

Once created, the cisco user can be deleted, however it is imperative the configuration is saved by clicking on the flashing Save button at the top of the page.

Defining Management Method

Our final step for the basic setup of the switch is to define the management method. The SG500 and previous models support a variety of management methods which include Telnet, SSH, HTTP, HTTPS and SNMP.

To setup your access profile, visit the Security > Mgmt Access Method > Access Profiles:

 Next, click on the Add button to add a new profile:

The pop-up window will allow you to define the access profile name, rule priority (the highest rule number takes priority over other access profiles), management method, interface to which it applies and IP Addresses to which access is allowed or denied:

In our example we named our access profile All-Access, set the rule priority to No.1 which takes precedence over other rules, management method of All, permit action, interface VLAN 1 only and source IP of 192.168.1.0 / 24, which of course is the VLAN1 network.

When complete click on Apply and Close.

This action will return you to the Access Profiles section. We now select the Active Access Profile we just created (All-Access) and click on Apply. A pop-up window will request us to confirm this action. Click on OK:

If the session is disconnected, simply reconnect to the switch using VLAN1’s IP address.

Note: If configuring the switch for Telnet or SSH remote access, it is important not to forget to enable these services from the Security > TCP/UDP Services menu option as shown below:

Again, do not forget to click on the flashing Save button at the top of the page:

Clicking on the Save button will take us to the Copy/Save Configuration page. Select Running-Configuration as the Source File Name and Startup-Configuration as the Destination File Name and hit Apply:

Configuration Backup

To download the switch's configuration to a workstation for backup purposes, select File Management > Download/Backup Configuration/Log from the main menu. Here, select HTTP method and Backup action. Finally select Running or Startup Configuration depending on your requirements and Apply.  You'll soon be prompted with the option to save the configuration file to your hard disk drive:

This completes our introduction to the SG500-52p PoE Switch and its basic configuration.

Errdisable is a feature that automatically disables a port on a Cisco Catalyst switch. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port.

The error disabled  feature is supported on most Catalyst switches running the Cisco IOS software. Including all the following models:

• Catalyst 2940 / 2950 / 2960 / 2960S
• Catalyst 3550 / 3560 / 3560-E / 3750 / 3750-E
• Catalyst 4000 / 4500 / 4507R
• Catalyst 6000 / 6500

 The Errdisable error disable feature was designed to inform the administrator when there is a port problem or error.  The reasons a catalyst switch can go into Errdisable mode and shutdown a port are many and include:

• Duplex Mismatch
• Loopback Error
• Link Flapping (up/down)
• Port Security Violation
• Unicast Flodding
• UDLD Failure
• Broadcast Storms
• BPDU Guard

When a port is in error-disabled state, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the orange color and, when you issue the show interfaces command, the port status shows as Errdisabled.

Following is an example of what an error-disabled port looks like:

To recover a port that is in an Errdisable state, manual intervention is required, and the administrator must access the switch and configure the specific port with 'shutdown' followed by the 'no shutdown' command. This command sequence will enable the port again, however, if the problem persists expect to find the port in Errdisable state again soon.

Understanding And Configuring Errdisable AutoRecovery

As outlined above, there are a number of reasons a port can enter the Errdisable state.  One common reason is the Port Security error, also used in our example below.

Of all the errors, Port Security is more a feature rather than an error. Port Security allows the restriction of MAC Addresses on an interface configured as a layer 2 port. This effectively prevents others connecting unwanted hubs or switches on the network. Port Security allows us to specify a single MAC Address to be connected to a specific port, thus restricting access to a specific computer.

In the case of a violation, Port Security will automatically disable the port. This is the behaviour of the default port security policy when enabling Port Security. Following is a configuration example of port security:

Once a host is connected to the port, we can get more information on its port-security status and actions that will be taken when a violation occurs:

Note that the Violation Mode is set to Shutdown. This means that when a violation is detected, the switch will place gigabitethernet 0/48 in the err-disable shutdown state as shown below:

While it's almost always necessary to know when a port security violation occurs there are some circumstances where autorecovery is a desirable feature, especially durng accidental violations.

The following commands enable the autorecovery feature 30 seconds after a port security violation:

Determine The Reason For The Errdisabled State

To view the Errdisabled reasons, and see for which reason the autorecovery feature has been enabled, use the show Errdisable recovery command:

We have now confirmed that autorecovery is enabled for port-security violations. If it is required to enable the Errdisable autorecovery feature for all supported reasons, use the following command:

To test our configuration we forced a port security violation, causing the switch to place the offending port in the shutdown state. Notice we've enabled autorecovery for all Errdisable reasons and the time left to enable the interfaces placed in shutdown state by the port security violation:

Seventeen seconds later, the switch automatically recovered from the port security violation and re-enabled the interface:

Disabling The Errdisable Feature

There are cases where it might be necessary to disable the Errdisable mechanism for specific supported features in order to overcome constant interface shutdowns and auto recoveries.  While the Catalyst IOS does not allow disabling all features we can still fine-tune the mechanism and selectively disable a few.

To view the Errdisable reasons monitored by the switch, use the show Errdisable detect command:

2960G# show errdisable detect

ErrDisable Reason      Detection    Mode
-----------------      ---------    ----
bpduguard               Enabled      port
channel-misconfig       Enabled      port
community-limit         Enabled      port
dhcp-rate-limit         Enabled      port
dtp-flap                Enabled      port
gbic-invalid            Enabled      port
inline-power            Enabled      port
invalid-policy          Enabled      port
link-flap               Enabled      port
loopback                Enabled      port
lsgroup                 Enabled      port
mac-limit               Enabled      port
pagp-flap               Enabled      port
port-mode-failure       Enabled      port
secure-violation        Enabled      port/vlan
security-violation      Enabled      port
sfp-config-mismatch     Enabled      port
small-frame             Enabled      port
storm-control           Enabled      port
udld                    Enabled      port
vmps                    Enabled      port

As shown, the command lists all supported Errdisable reasons.  For our example, let's assume we want to disable the inline-power Errdisable feature.

To achieve this, we simply use the following command:

And verify that Errdisable has been disabled for the feature:

Overall, the Errdisable feature is an extremely useful tool if configured and monitored correctly. Take the necessary time to play around with the supported options of your Cisco Catalyst switch and fine-tune it to suit your network needs.

Many companies are seeking for Cisco SFP alternatives to help cut down the costs on these expensive modules.

A frequent customer problem with Cisco's new line of Catalyst switches is that they do not support 3rd party (non-Cisco) SFPs - or at least they do not seem to...

If you've just replaced your network switches and tried using any 3rd party SFPs to connect your network backbone, you'll quickly stumble across an error similar to the following:

Congratulations!  The Catalyst switch has just disabled the GBIC port! This happens because Cisco Catalyst switches are configured by default not to work with non-Cisco SFPs.

When a SFP is inserted into a switch's GBIC port, the switch immediately reads a number of values from the SFP and if it doesn't like what it sees, it throws the above error message and disables the port.

All SFP modules contain a number of recorded values in their EEPROM and include:

• Vendor Name
• Vendor ID
• Serial Number
• Security Code
• CRC

How To Force Your Cisco Switch To Use 3rd Party SFPs

Despite the error displayed, which leaves no hope for a solution, keep smiling as you're about to be given one.

There are two undocumented commands which can be used to force the Cisco Catalyst switch to enable the GBIC port and use the 3rd party SFP:

When entering the service unsupported-transceiver command, the switch will automatically throw a warning message as a last hope to prevent the usage of a 3rd party SFP.

The no errdisable detect cause gbic-invalid command will help ensure the GBIC port is not disabled when inserting an invalid GIBC.

Since the service unsupported-transceiver  is undocumented, if you try searching for the command with the usual method (?), you won't find it:

The same applies for the no errdisable detect cause gbic-invalid command.

We tried both service unsupported-transceiver & no errdisable detect cause gbic-invalid commands on 2960G, 3560G, 3750G, 4507R and 4507R-E Catalyst switches and all accepted the commands without a problem. In fact if the Catalyst switch is running IOS 12.2(25)SE and above, the undocumented commands are available.

Should 3rd Party SFPs Be Used?

There are mixed feelings about this. We certainly do not recommend using non-Cisco SFP's in production environments, however in a lab environment, its most probably a cheap way out.

When using 3rd party GBICs, one must keep in mind that Cisco TAC will not provide any support for problems related to the SFPs as they are totally unsupported. Here is a small portion from the Cisco Catalyst 3750G Q&A that refers to the usage of 3rd party SFP modules on the switch:

This article focuses on VLAN Security and its implementation within the business network environment. We provide tips and Cisco CLI commands that will help you upgrade your VLAN network security.

Even though many Administrators and IT Managers are aware of VLAN technologies and concepts, unfortunately, it has been proven that the same does not apply when it comes to VLAN Security. While this section mainly focuses on security implemented on Cisco switches, many of the concepts can be applied on other vendor switches.

The first principle in securing a VLAN network is physical security. If you do not want your devices to be tampered with, physical access to the device must be strictly controlled.  Core switches are usually safely located in a datacenter with restricted access, however edge switches are not that lucky and are usually placed in areas where they are left exposed.

Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the usage of special tools and following a few ‘best security practices’ to give the desired result.

Let’s take a look at a few important steps an Administrator or IT Manager can take, to strip their network from the security problems most networks suffer today.

Removal of Console-port Cables, Introduction of Password-Protected Console/Vty Access with Specified Timeouts and Restricted Access

Console ports on the back side of Cisco switches provide direct access to the system. If no care is taken to secure this access method, then the switch might remain fully exposed to anyone with the popular ‘blue console cable’. Configuration of complex user credentials on the console and telnet/ssh ports will ensure any unwanted visitor will remain in the dark when trying to access the device.  Using special commands such as the ‘exec-timeout’ commands,  when the Administrator accidently forgets to logout of the session, it will automatically timeout after the programmed timeout value.

Following is a set of commands that will help you accomplish the above measures to help restrict access to the swich:

We also apply the same commands to our VTY (telnet/ssh) section and create an access-list 115 to restrict telnet/ssh access from specific networks & hosts:

Always ensure the use of the ‘secret’ parameter rather than the ‘password’ parameter in your username syntax, when defining usernames and their passwords. The classic ‘password’ parameter uses a much weaker encryption algorithm that is easily unencrypted.

To demonstrate this, you can use the 'password' parameter and then copy past the encrypted password into our popular Cisco Type 7 Password decrypt page and see what happens!

Avoid Using VLAN1 (Default VLAN)  for your Network Data

VLAN 1 is a special VLAN selected by design to carry specific information such as CDP (Cisco Discovery Protocol), VTP, PAgP and more.  VLAN 1 was never intended to be used as standard VLAN to carry network data.

By default configuration, any Access Link on a Cisco switch is set to VLAN 1, causing a major security issue as direct access to the network backbone is given.  As a consequence, VLAN 1 can end up unwisely spanning the entire network if not appropriately pruned.

The practice of using a potentially omnipresent VLAN for management purposes puts trusted devices to higher risk of security attacks from untrusted devices that by misconfiguration or pure accident gain access to VLAN 1 and try to exploit this unexpected security hole.

As a general rule of thumb, the network Administrator should prune any VLAN, and in particular VLAN 1 from all ports where that VLAN is not needed.

The following example prunes VLANs 1  to 5 and 7 to 8, allowing access only to VLAN 6 when in trunking mode. Furthermore, we assign the port to VLAN 6 only:

Disable High-Risk Protocols on Switchports

If a port is connected to a ‘foreign’ device, don’t try to speak its language – it could be turned to someone else’s advantage and used against your network. Ensure you disable protocols such as CDP, DTP, PAgP, UDLD (Unidirectional Link Detection Protocol)  and always enable spanning-tree  portfast & bpduguard on the port.

Here is an example on how to disable the above mentioned protocols and enable spanning-tree portfast bpduguard:

Finally, if the port is not to be used, issue the ‘shutdown’ command to ensure it won’t be accessed by anyone without the proper authorization.

VTP Domain, VTP Pruning and Password Protection

Two choices exists here – either configure the VTP domain appropriately or turn off VTP altogether!  VTP is a great tool that ensures all VLAN information is carried to your network switches. If necessary security measures are not taken, wiping your network-wide VLAN configuration is as easy as connecting a switch with the ‘proper’ devastating configuration.

 A switch configured with the same ‘VTP domain’, a role type of ‘Server’ and a higher ‘VTP revision’ number of the real VTP server (usually the core switch), is all that’s required to cause major disruption and panic across any network size. All other switches will automatically ‘listen’ to the new ‘VTP Server’ and wipe all existing VLAN information. You can then start looking for a new job.

A few simple self-explanatory commands on your core switch will help ensure the above scenario is avoided:

Edge switches will require the ‘vtp mode client’ and ‘vtp password’ command, after which they will automatically receive all necessary VLAN information from your core switch.

You can verify the configuration using the ‘show vtp status’ command:

Control Inter-VLAN Routing Using IP Access Lists

Inter-VLAN routing is a great and necessary feature. Because in many cases there is the need to isolate VLANs or restrict access between them, the usage of IP Access lists is mandatory.

IP Access lists should be created in such a way, that they allow the normal flow of traffic between VLANs, but do not expose the networks that need to be protected. Once the Access Lists are created, they are applied directly on the VLAN interface of the core layer-3 switch.   All traffic from the designated VLAN trying to pass to other VLANs will be denied according to the Access Lists, making sure the core network is not exposed. 

Let’s take a common example to make this tip more practical.

You’ve created a new guest VLAN (VLAN 6 – Network 192.168.141.0/24) to provide free Internet access to your company visitors. The requirement is to allow full Internet access, but restrict access to other VLANs.  In addition, configuration of a DHCP server is also deemed necessary, to make your life easier and less troublesome.

Here’s the configuration used for the DHCP server serving this VLAN:

Note that 192.168.141.1 is our core switch VLAN 6 IP Address, and 192.168.130.5 is our DNS server located on a different VLAN.

Next, we create our necessary Access Lists.

Notice that we permit DNS and DHCP requests initially, and then deny access to all VLANs. Finally we permit access everywhere else. This logical structure of our Access List is built to comply with the Top-Down Access List examination performed by the Core switch.

If we were to place the DNS or Bootp last in the Access List, it would clearly fail as the deny statements would prevail.  Finally, the ‘log’ parameter seen on our deny statements would trigger a log entry on our core switch, allowing us to catch any guests trying persistently to access our other VLANs

Last step would be to apply the access-list to the newly created VLAN interface, in the ‘incoming’ direction:

Summary

VLAN Technology is wonderful – it offers great enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken in consideration during its initial implementation and ongoing administration, it can perform wonders and dramatically reduce the administrative overhead from your IT Administrators or Managers. On other hand, if these security guidelines are ignored, the imminent exposure of the whole network is at risk and simply a matter of time.

Perhaps the most serious mistake that an IT Administrator or Manager can make, is to underestimate the importance of the DataLink layer, and of VLANs in particular, in the architecture of switched networks. It should not be forgotten that any network is only as robust as its weakest link, and that therefore an equal amount of attention should be given to any of its layers, to make sure that its entire structure is sound.

Driven by our thirst for technical material and experience, we thought it would be a great idea to start presenting various installations of Cisco equipment around the globe, especially equipment that we don't get to play with everyday.

We recently had the chance to unpack and install a Cisco Catalyst 4507R-E Layer 3 switch, which we must admit was extremely impressive. The Cisco Catalyst series is world-known for its superior network performance and modularity that allows it to 'adapt' to any demands your network might have.

For those who haven't seen or worked with a 4507R/4507R-E switch, it's a very big and heavy switch in a metal cabinet (chassis) supporting up to two large power supplies and a total of 7 cards (modules), two of which are the supervisor engines that do all the switching and management work.

The new 4507R-E series is a mammoth switch that allows a maximum of 320Gbps (full duplex) switching capacity by utilising all 7 slots, in other words 5 modules alongside with two Supervisor Engine 6-E cards (with two full line rate 10Gb Uplinks).

The 4507R-E switch is shipped in a fairly large box 50(H)x44(W)x32(D) cm and weights around 21 Kgrs with its shipping box. The practical height of the unit for a rack is 11U which means you need quite a bit of room to make sure it's comfortably placed.

Unboxing the Cisco Catalyst 4507R

Like most Cisco engineers, we couldn't wait to open the heavy box and smell the freshly packaged item that came directly from Cisco's manufacturing line. We carefully moved the 4507R-E box to the datacenter and opened the top side of the box.....

The upper area of the picture is where you'll find the two large cube slots for the power supplies. Below them, you can identify 6 out of the 7 slots waiting to be populated and give this monster unbelievable functionality!

After opening the package and removing the plastic wrapping, we placed the switch on the floor so we could take a better look at it.

Because we couldn't wait any longer, we quickly opened one of two power supplies and inserted it into the designated slot. The power supplies installed were rated at 2800Watts each - providing more than enough juice to power a significant number of IP Phones via the PoE cards installed later on.

The picture below shows both power supplies, one inserted into its slot, while the other was placed on top of the chassis with its connectors facing frontwards so you can get a glimpse of them. When inserted into its slot, the power supply's bottom connectors plug firmly into the chassis connectors and power up the Catalyst switch:

Turning on the power supplies for the first time made the datacenter's light dim instantantly as they began to draw power for the first time! Interestingly enough, if you take a look at the power supply on top of the chassis, you'll notice three long white strips inside the power supply. These are actually three very large electrolytic capacitors - quite impressive!

For those interested, the power supplies were made by Sony (yes, they had a Sony sticker on them!).

Supervisor Engine Line Card Installation

As we mentioned in the beginning of this article, the powering engine of any 4500 series Catalyst switch is the Supervisor Engine. The Supervisor engines occupy up to two slots on the 4507R chassis, one of them used for redundancy in case the other fails. When working with two supervisor engines, the 4507R is usually configured to automatically switch from one engine to the other without network interruptions, even for a VoIP network with active calls between ends.

Cisco currently has around 7 different Supervisor Engines, each with unique characteristics, designed for various levels of density and bandwidth requirements.

Currently, the Supervisor Engine 6-E is the best performing engine available, providing 320Gbps bandwidth (full duplex) and 250 million packets per second forwarding rate!

Our users can refer to our popular Cisco Catalyst 4500 Series Zero-Downtime IOS Upgrade Process for Supervisor Engine 7-E, 7L-E, 6L-E and V-10GE Redundant Configurations article to learn how to upgrade their Supervisor Engine without network service interruption.

For our installation, we worked with the Supervisor Engine II-Plus, also known as Cisco part WS-X4013+. Here's one of the supervisor engines in its original antistatic bag:

After placing on my wrist the antistatic wrist-strap contained in the package and carefully unwrapping the supervisor engine, the green circuit-board with its black towers (heatsinks) is revealed. You can easily see the 5 heatsinks, two of which are quite large and do an excellent job in keeping the processors cool:

At the back left side of the board, you can see the supervisor engine's connector which is equally impressive with 450 pin connectors - 50 on each row!

We took a picture from the back of the board to make sure the connector was clearly visible:

Just looking at the connector makes you imagine the number of signals that pass through it to give the 4507R-E the performance rating it has! On the left of the board's connector is the engine's RAM (256MB), while right behind it is the main CPU with the large heatsink, running at 266Mhz.

Here is a close up of the engine's RAM module. The existing 256MB memory module can be removed and upgraded according to your requirements:

Moving to the front side of the Supervisor Engine, you can see the part number and description:

The uplink ports visible on the front are GBIC (GigaBit Interface Converter) that can be used as normal Gigabit interfaces. By using different GBIC's you can connect multimode, singlemode fiber optic cable or standard CAT5e/CAT6 Ethernet cabling. These ports can come in handy when you're approaching your switch's full capacity.

The impressive Supervisor Engine fits right into one of the two dedicated slots available on the 4507R-E chassis. These are slots 3 & 4 as shown in the picture below. Also visible is the switch's backplane and black connectors awaiting the Supervisor Engine boards (marked with red):

We took another picture inside the chassis to make things as clear as possible:

Here you can see the backplane with the two Supervisor Engine connectors. The white coloured connectors just above and below the Supervisor Engines are used by the rest of the boards available to the 4507R.

After inserting one of the Supervisor Engines and two power supplies, here is the result:

One detail well worth noticing is the colour coded bars on the left and right side of the Supervisor card. These colour codes exist to ensure engineers don't accidently try to insert a Supervisor card into an inappropriate slot. The 4507R-E can accept upto two supervisor engines, therefore you have two slots dedicated to them, leaving 5 slots available.

Cisco engineers have thought of everything on the 4507R-E. The cooling mechanisim is a good example of smart-thinking and intelligent engineering. With 7 cards installed on the system, pumping a generous amount of heat, the cooling had to be as effective as possible. Any heat captured between the cards could inadvertably lower the components' reliability and cause damage in the long term.

This challenge was dealt with by placing a fan-tray right next to the cards in a vertical direction. The fan-tray is not easily noticed when taking a quick glance, but the available handle on the front gives away that something is hidden in there. Unscrew the top & bottom bolts, place your hand firmly around the handle and pulling outwards will suprise you:

 The picture taken on the left shows the eight fans placed on the fan-tray. These fans work full speed the moment you power the switch on, consuming 140Watts alone!

Once they start spinning, you really can't argue that the cooling is inadequate, as the air flow produced is so great that when we powered the 4507R-E, the antistatic bags accidently forgotten on the right hand side of the chassis were sucked almost immediately against the chassis grip, just at it happens when you leave a plastic bag behind a powerful fan!

Of course, anything on the left side of the chassis (vieweable in our picture) would be immediately blown away.

After inserting the fan-tray back in place, it was time to take a look around and see what else what left to play with.

Our eyes caught another Cisco box and we approached it, picked it up and checked out the label:

The product number WS-X4548-GB-RJ45V and size of the package made it clear we were looking at a card designated for the 4507R-E. Opening the package confirmed our thoughts - this was a 48port Gigabit card with PoE support:

We carefully unwrapped the contents always using our antistatic wrist-strap so that we don't damage the card, and then placed it on top of its box:

The card has an impressive quantity of heatsinks, two of which are quite large and therefore must generate a lot of heat. The backplane connector is visible with its white colour (back left corner), and right behind the 48 ports is an area covered with a metallic housing. This attracted our attention as we thought something very senstive must be in that area for Cisco to protect it in such a way.

Taking a look under the protective shield we found a PCB board that ran along the length of the board:

Our understanding is that this rail of PCB with transistors and other electrical circuits mounted on it seemed to be regulators for the PoE support. Taking into consideration that we didn't see the same protection in other similar non-PoE boards, we couldn't image it being something else.

When we completed our checkup, we decided it was time to install the card and finally power the 4507R-E switch.

The picture on the left shows our 4507R-E installed with two Supervisor Engine II-Plus engines in active-standby redundancy mode and one 48 port Gigabit Ethernet card with PoE support.

On top is the editor's (Chris Partsenidis) laptop with a familair website loaded, Firewall.cx!

Configuring the Supervisor engines was a simple task. When the 4507R-E is powered on, both engines will boot by first performing a POST test on their modules, memory buffers etc. When this internal POST phase is successfully complete without errors, the engines begin to boot the IOS.

The screenshot below shows us the described procedure from one Supervisor engine since you can't monitor both engines unless you have one serial port connected to each supervisor's console port:

As shown above, the Supervisor engine passed all tests and then proceeded to boot the IOS.

Once loaded, the IOS will check for the existence of a second Supervisor engine, establish connection with it and, depending on which slot it is located in, it will automatically initialise the second engine in standby mode as shown below:

 Once the Supervisor engine bootup process is complete, you are able to configure any aspect of the switch according to your needs, just as you would with any other Cisco Catalyst switch. The interesting part is when you try to save your configuration:

In the above screenshot, we've configured the switch to boot using a specific IOS located in the bootflash, as soon as we saved the configuration using the wr command, the Supervisor engine automatically synchronised the two engines' nvram without any additional commands. This excellent functionality makes sure that whatever configuration is applied to the active Supervisor engine will be available to the standby engine should the first one fail.

The great part of this switch is that you can obtain any type of information you require from it. For example, we switched off one of the two power supplies and executed the show modules command. This command gives a report of the installed modules (cards) in the catalyst switch along with a few more details:

The command reveals that the backplane power consumption is approximately 40 Watts followed by a detailed report of the installed modules. In our example, you can see the two Supervisor engines in slot 3 & 4, followed by the 48 Gigabit Ethernet module in slot 5. The command also shows the Supervisor engines' configured redundany operating mode and status. Lastly, any system failures are reported at the end - this output shows that we've got a problem with one of the power supplies, but rest assured, we had simply switched it off to see if it was going to show up in the report!

Summary

This article covered the initial installation and setup of a new Cisco Catalyst 4507R-E switch, populated with two Supervisor Engines II-Plus and a 48 port Gigabit module with PoE support. We saw areas of the switch which you won't easily find elsewhere and our generous amount of pictures made sure you understood what the 4507R-E looks like, inside and out! Lastly, we saw the switch bootup procedure and Supervisor engine POST test and syncronization process.

One Appliance – One Image is what Cisco is targeting for its Next Generation Firewalls. With this vision, Cisco has created a unified software image named “Cisco Firepower Threat Defense”.  In this FirePOWER series article we’ll cover the installation of Firepower Threat Defense (FTD) on a Cisco ASA 5500-X series security appliance. We’ll also explain the management options available: Firepower Management Center (FMC) which is the old FireSIGHT and Firepower Device Manager (FDM).

Cisco Firepower Threat Defense (FTD) is a unified software image, which is a combination of Cisco ASA and Cisco FirePOWER services features that can be deployed on Cisco Firepower 4100 and the Firepower 9300 Series appliances as well as on the ASA 5506-X,ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, at the time of writing, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on Cisco ASA 5505 and 5585-X Series appliances. 

Understanding Cisco Firepower Threat Defense Management & Capabilities

Simplifying management and operation of Cisco’s Next Generation Firewalls is one of the primary reasons Cisco is moving to a unified image across its firewall appliances.

Currently the Firepower Threat Defense can be managed through the Firepower Device Management (similar to Cisco’s ASDM) and Firepower Management Center (analyzed below).

Managing Options for FirePOWER Services and Firepower Threat Defense (FTD)

It should be noted that the Firepower Device Management software is under extensive development and is not currently capable of supporting all configuration options. For this reason it’s best to rely on the Firepower Management Center to manage the Cisco Firepower Threat Defense system.

The Firepower Management Center, also known as FMC or FireSIGHT, is available as a dedicated server or virtual image appliance (Linux based VM server) that connects to the FirePOWER or Firepower Threat Defense and allows you to fully manage either system. Organizations with multiple Firepower Threat Defense systems or FirePOWER Services would register and manage them from the FMC.

Alternatively, users can manage the Firepower Threat Defense (FTD) device using the Firepower Device Manager (FDM) – the concept is similar to ASDM.

Currently the latestCisco Firepower Threat Defense (FTD) unified software image available is version 6.2.x .

The Cisco Firepower Threat Defense is continually expanding the Next-Generation Firewall Servicesit supports which currently includes:

• Stateful Firewall Capabilities
• Static and Dynamic Routing. Supports RIP, OSPF, BGP, Static Routing
• Next-Generation Intrusion Prevention Systems (NGIPS)
• URL Filtering
• Application Visibility and Control (AVC)
• Advance Malware Protection (AMP)
• Cisco Identity Service Engine (Cisco ISE) Integration
• SSL Decryption
• Captive Portal (Guest Web Portal)
• Multi-Domain Management
• Rate Limiting
• Tunnelled Traffic Policies
• Site-to-Site VPN. Only supports Site-to-Site VPN between FTD appliances and FTD to ASA
• Multicast Routing Shared NAT
• Limited Configuration Migration (ASA to Firepower TD)

While the Cisco Firepower Threat Defense is being actively developed and populated with some great features, we feel that it’s too early to place it in a production environment. There are some stability issues, at least with the FTD image on the ASA platform, which should be ironed out with the newer software releases.

If you are already in the process of installing FTD on your ASA then you should heavily test it before rolling it out to production.

Due to the issues encountered, we were forced to remove the FTD installation by reimaging our ASA 5555-X Appliance with Cisco ASA and FirePOWER Services images. We believe the “Cisco Firepower Threat Defense” unified software image is very promising but requires some more time to reach a more mature and stable version.

Problems/Limitations Encountered With Cisco Firepower Threat Defense

While small deployments might be able to overcome the absence of many desired features (e.g IPSec VPN support), enterprise environments will certainly find it more challenging.

Depending on the environment and installation requirements customers will stumble into different limitations or issues. For example, on our ASA 5555-X we had major delays trying to push new policies from the Firepower Management Centre (FMC) to the newly imaged FTD ASA. With a total of just 5 policies implemented it took over 2 minutes to deploy them from the FMC to the FTD.

We also found that we were unable to configure any EtherChannel interfaces. This is considered a major drawback especially for organizations with multiple DMZ zones and high-bandwidth traffic requirements. Cisco has an official announcement for this right here.

In addition to the above, when we completed the conversion of our ASA to the FTD software we needed to open a TAC Service Request in order to get transfer our ASA License to the FTD image, adding additional unnecessary overhead and confusion. We believe this should have been automatically done during the installation process.

Cisco ASA Firepower Threat Defense (FTD) Installation – Quick Overview

Reimaging the Cisco ASA 5555-X Appliance to install the Cisco Firepower Threat Defense image is fairly simple once you understand what needs to be done. Here are the steps in the order they must be executed:

• Download the Cisco Firepower Threat Defense Boot&System image
• Reboot ASA, Break The Startup/Boot Sequence
• Upload the Boot Image and boot the ASA Firewall
• Install Firepower Threat Defense system software

Download the Cisco Firepower Threat Defense Boot & System Image

Using a valid CCO account that has the necessary software download privileges visit: Downloads Home>Products Security>Firewalls>Next-Generation Firewalls (NGFW)>ASA 5500-X with FirePOWER Services and select Firepower Threat Defense Software:

Downloading Cisco ASA 55xx Firepower Threat Defense software

Alternatively click on the following URL: Firepower Threat Defense Software Download

Next, select and download the latest boot image and system version. In our example this isversion 6.2.0:

Downloading the latest Firepower Threat Defense System and Boot Image

Reboot ASA, Break The Startup/Boot Sequence

When ready reboot the ASA appliance. During the boot process hit Break or Esc to interrupt boot:

It is strongly recommended you have a complete backup of your ASA Configuration and software before proceeding with the next steps which will erase the configuration and all files

Rebooting... Cisco BIOS Version:9B2C109A
Build Date:05/15/2013 16:34:44
CPU Type: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz, 2793 MHz
Total Memory:16384 MB(DDR3 1333)
System memory:619 KB, Extended Memory:3573 MB
……. <output omitted>
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Platform ASA 5555-X with SW, 8 GE Data, 1 GE Mgmt
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

Boot interrupted.
Management0/0
Link is DOWN
MAC Address: 00f6.63da.e807
Use ? for help.
rommon #1>

At this point we have successfully interrupted the boot process and can proceed to the next step. 

Upload the Boot Image and Boot the ASA Firewall

We now need to configure the necessary parameters on the ASA Firewall to download the Cisco Firepower Threat Defence Boot Image. Ensure you have an FTP/TFTP server installed and configured to allow the Firewall to download the image/system files.

Now connect to the ASA console port using a terminal access application, e.g. Putty, configured with the following serial port settings:

• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control

Ensure the Cisco ASA 5500-X appliance is running rommon version v1.1.8 or greater by using an IOS command show module to ensure re-immaging will be successful. If the rommon version is earlier than v1.1.8 then the ASA Appliance needs a rommon upgrade. 

ciscoasa# show module
.. output omitted…
Mod    MAC Address Range                Hw Version     Fw Version     Sw Version
---- --------------------------------- ------------ ------------ ---------------
1       7426.aceb.ccea to 7426.aceb.ccf2    0.3          1.1.8           9.6(1)
sfr     7426.aceb.cce9 to 7426.aceb.cce9    N/A         N/A

Next, configure the ASA Firewall with the necessary network settings/variables so it can access the image and system files previously downloaded. ASA 5555-X firewall uses a built-in management interface, hence no need to specify the management interface.

rommon #1> address 10.32.4.129
rommon #2> server 10.32.4.150
rommon #3> gateway 10.32.4.150
rommon #4> file ftd-boot-9.7.1.0.cdisk
rommon #5> set
ROMMON Variable Settings:
 ADDRESS=10.32.4.129
 SERVER=10.32.4.150
 GATEWAY=10.32.4.150
 PORT=Management0/0
 VLAN=untagged
 IMAGE=ftd-boot-9.7.1.0.cdisk
 CONFIG=
 LINKTIMEOUT=20
 PKTTIMEOUT=4
 RETRY=20

Explanation of commands:

The Sync command will save the NVRAM parameters, effectively “enabling” the configuration changes. It’s advisable to try and ping the TFTP server. This will not only confirm the TFTP server is reachable but also populate the ARP table of the ASA Firewall:

rommon #6> sync
Updating NVRAM Parameters...

rommon #7> ping 10.32.4.150
Sending 20, 100-byte ICMP Echoes to 10.32.4.150, timeout is 4 seconds:
?!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)

When ready, issue the tftpdnld command to initiate the download of the boot image to the ASA Firewall. Once downloaded the system will automatically boot the image file:

rommon #7> tftpdnld
ROMMON Variable Settings:
ADDRESS=10.32.4.129
SERVER=10.32.4.150
GATEWAY=10.32.4.150
PORT=Management0/0
VLAN=untagged
IMAGE=ftd-boot-9.7.1.0.cdisk
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp This email address is being protected from spambots. You need JavaScript enabled to view it. via 10.32.4.150
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 107292672 bytes

Launching TFTP Image...

Execute image at 0x14000

Cisco Security Appliance admin loader (3.0) #0: Mon Jan 16 09:01:33 PST 2017
Platform ASA5555

Loading...
IO memory blocks requested from bigphys 32bit: 125055
INIT: version 2.88 booting

Starting udev
Configuring network interfaces... done.
Populating dev cache
Found device serial number FCH2023J78M.
Found USB flash drive /dev/sdc
Found hard drive(s): /dev/sda /dev/sdb
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
/dev/sdc1: 62 files, 825465/2011044 clusters
Launching boot CLI ...
Configuring network interface using DHCP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv6 address: fe80::2f6:63ff:feda:e807
IPv4 address not assigned. Run 'setup' before installation.
INIT: SwitchingStarting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh RSA key...
generating ssh ECDSA key...
generating ssh DSA key...
Could not load host key: /etc/ssh/ssh_host_ed25519_key
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up
acpid: 1 rule loaded
acpid: waiting for events: event logging is off

Starting ntpd: done
Starting syslog-ng:[2017-03-16T04:08:41.437297] Connection failed; fd='15', server='AF_INET(127.128.254.1:514)', local='AF_INET(0.0.0.0:0)', error='Network is unreachable (101)'
[2017-03-16T04:08:41.437321] Initiating connection failed, reconnecting; time_reopen='60'
.
Starting crond: OK

      Cisco FTD Boot 6.0.0 (9.7.1.)
      Type ? for list of commands
FIREWALLCX-boot>

Optionally you can ping the tftp/ftp server to confirm there is still connectivity with the server:

FIREWALLCX-boot> ping 10.32.4.150
PING 10.32.4.150 (10.32.4.150) 56(84) bytes of data.
64 bytes from 10.32.4.150: icmp_seq=1 ttl=128 time=0.722 ms
64 bytes from 10.32.4.150: icmp_seq=2 ttl=128 time=0.648 ms
64 bytes from 10.32.4.150: icmp_seq=2 ttl=128 time=0.856 ms
--- 10.32.4.150 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2018ms
rtt min/avg/max/mdev = 0.648/0.742/0.856/0.086 ms

Install Firepower Threat Defense System Software 

At this point our Firewall has successfully downloaded and booted the Boot image and is ready to accept the System image. At the prompt type setup and simply follow the bouncing ball. The setup process will gather important configuration parameters for the FTD device such as Hostname, IP address, Subnet mask, Gateway, DNS servers and more

Many of the configuration questions involve a yes/no answer. The default value that will be selected when leaving the parameter blank and hitting enter is marked in square brackets [ ]:

FIREWALLCX-boot> setup

                      Welcome to Cisco FTD Setup
                      [hit Ctrl-C to abort]
                      Default values are inside []

Enter a hostname [FIREWALLCX]: FIREWALLCXFTD
Do you want to configure IPv4 address on management interface?(y/n) [Y]: y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]: n
Enter an IPv4 address: 10.32.4.129
Enter the netmask: 255.255.255.0
Enter the gateway: 10.32.4.150
Do you want to configure static IPv6 address on management interface?(y/n) [N]: n
Stateless autoconfiguration will be enabled for IPv6 addresses
Enter the primary DNS server IP address: 10.32.4.150
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: y
Enter the local domain name: firewall.cx
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Please review the final configuration:

Hostname:                             FIREWALLCXFTD
Management Interface Configuration

IPv4 Configuration:                 static
           IP Address:                 10.32.4.129
           Netmask:                    255.255.255.0
           Gateway:                    10.32.4.150

IPv6 Configuration:                 Stateless autoconfiguration
DNS Configuration:
           Domain:                      firewall.cx
           DNS Server:                10.32.4.150

NTP configuration:                   Disable

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...

At this point the appliance’s initial configuration phase is complete and ready to begin downloading the FTD system image

To initiate the image download use the system install ftp://10.32.4.150/ftd-6.2.0-362.pkg and replace the IP address portion with your FTP server’s IP address.

During the installation, the process will ask for the necessary credentials to authenticate to the FTP server. Right before the point of no return the system will ask for a final confirmation before erasing the appliance’s disk and initiating the upgrade. When the system image installation is complete, the system will require the user to hit enter to reboot.

Unnecessary output e.g. dots (….) have been removed from the log to make it easier to read and understand.

FIREWALLCX-boot> system install ftp://10.32.4.150/ftd-6.2.0-362.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N]: y
Erasing disk0 ...
Extracting ...
Verifying. …

Enter credentials to authenticate with ftp server
Username: firewallcx
Password: $etmeup!
Verifying. ... ...
Downloading. … ...
Extracting. … …

Package Detail
           Description:                  Cisco ASA-FTD 6.2.0-362 System Install
           Requires reboot:           Yes

Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process .... ….. ….
Populating new system image. ….. ….

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.

Broadcast message from root@FIREWALLCXFTD (ttyS0) (Thu Mar 16 05:46:03 2017):
The system is going down for reboot NOW!

The ASA FTD Appliance will now reboot. While this process is underway you will see a lot of information during shutdown and startup. When booting into the FTD system image for the first time it is normal to see a number of error/warning messages – do not be alarmed.

When the system has successfully booted it will require you to login using the default username (admin) & password (cisco123) then require you to press Enter to present Cisco’s EULA which must be accepted at the end by pressing again the enter key or typing YES:

Cisco ASA5555-X Threat Defense v6.2.0 (build 362)
firepower login: admin
Password: cisco123
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY.
……………………………………..
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

Finally the last step involves changing the default admin password and configuring again the system’s network settings.

While it might seem repetitive and pointless to configure the network settings three times during the FTD boot image and system image installation, this allows companies to perform these necessary preparation tasks in an isolated environment, e.g. lab room, to get the device ready for the final deployment that will be in the production environment.

Similar to the previous steps, pressing enter will accept the default value shown between the brackets [ ]:

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: $etmeup!
Confirm new password: $etmeup!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: [enter]
Enter an IPv4 netmask for the management interface [255.255.255.0]: [enter]
Enter the IPv4 default gateway for the management interface [data-interfaces]: [enter]
Enter a fully qualified hostname for this system [firepower]: firewall.cx
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: [enter]
Enter a comma-separated list of search domains or 'none' []:[enter]
If your networking information has changed, you will need to reconnect.

DHCP server is enabled with pool: 192.168.45.46-192.168.45.254. You may disable with configure network ipv4 dhcp-server-disable For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to router Update policy deployment information - add device configuration Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
>

The greater-than “>” symbol indicates the FTD setup is complete and running.

More information on the Cisco Firepower Threat Defense, including Installation and Upgrade Guides, can be found at the following Cisco URL:

https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html

You can now log into the Cisco Firepower Device Manager by entering the ASA Firewall appliance IP address in your web browser:

Cisco Firepower Device Manager Login Screen

Once logged in, you can follow the step-by-step setup Device Setup Wizard that will take you the necessary steps to initially configure your new ASA FTD device:

Device Setup Page of Cisco FTD 

Experienced Firepower Threat Defense users can click on the Skip device setup link located on the lower area of the screen.

Summary

Cisco’s Firepower ThreatDefense(FTD) istheNext-Generation Firewall solution that will eventually replace the well-known ASA software. While FTD is still in its early years it is rapidly being adopted by organizations across the globe. It is important to understand the current limitations of FTD before moving it into a production environment. For example, important features such as site-to-site VPN are not currently supported, however, it does have a great clean and intuitive GUI interface!

For many, installing Cisco’s Firepower Threat Defense on an ASA Firewall appliance can be a confusing task. Our Cisco Firepower Threat Defense (FTD) installation guide has been designed to simplify the process by providing step-by-step instructions presented in an easy-to-understand format while also covering Cisco Firepower Threat Defense management options.

The Cisco ASA Firewall 5500-X series has evolved from the previous ASA 5500 Firewall series, designed to protect mission critical corporate networks and data centers from today’s advanced security threats.

Through sophisticated software and hardware options (modules), the ASA’s 5500-X series Firewalls support a number of greatly advanced next-generation security features that sets them apart.These include:

• Cisco Intrusion Prevention System (IPS) services. A signature based IPS solution offered as a software or hardware module depending on the ASA 5500-X appliance model.
• Cisco ASA CX Context-aware services. A software module for ASA 5500-X appliances except the ASA 5585-X where it’s offered as a hardware module. Provides IPS services, Application Visibility and Control (AVC), web security and botnet filtering.
• Cisco FirePOWER Services. Cisco’s latest software & hardware threat protection, superseding previous technologies by combining IPS and CX services plus full contextual awareness of users, infrastructure, applications and content, URL filtering with advanced malware protection (AMP). Offered as a software module for 5500-X series appliances except the 5585-X, which requires a dedicated hardware module. Note that FirePOWER services run in parallel with the classical ASA software.
• Cisco Firepower Threat Defense (FTD). This is the next step after the FirePOWER services which was released by Cisco in 2015.  While FirePOWER services run alongside with the classical Cisco ASA software, the newer Firepower Threat Defence combines the Cisco ASA Software + FirePOWER services in one software package. This is also the concept of the newer Firepower appliances (e.g 4100 & 9000 series) which run Firepower Threat Defense software. At this point, Firepower Threat Defence is under continious development but does not still support many features offered by the classical ASA software. For example at the time of writing site-to-site IP Sec VPN is still not available.

Our previous article examined Cisco’s ASA 5500 series Firewall hardware modules, which include the Content Security CSC-SSM & Intrusion Prevention System (IPS) / Intrusion Detection System (IDS) AIP-SCC / AIP-SSM modules. While these solutions are no longer sold by Cisco, they have been widely deployed in data centers and corporate networks around the world and will be supported by Cisco until 2018.

Note: To download datasheets containing technical specifications and features offered by the Cisco 5500-X Series Firewalls with FirePOWER, IPS and CX Context-aware services, visit our Cisco ASA 5500 & 5500-X Series Adaptive Security Appliances Download Section.

Since Cisco’s announcement back in 2013 regarding the discontinuation of its ASA 5500 series firewall appliances in favour of the newer 5500-X Next Generation Firewalls, customers have been contemplating when to upgrade to the newer 5500-X series. Given the fact that Cisco is no longer providing major firmware upgrades to the older ASA 5500 series and the appearance of new advanced security threats and malware (e.g ransomware), it is now considered imperative to upgrade to the newer platform so that security is maintained at the highest possible level.

Customers seeking advanced protection are likely to consider expanding their ASA Firewall capabilities with the purchase of an IPS module, CX Context-aware or FirePOWER services.

Figure 1. The Cisco FirePOWER hardware module for the ASA-5585-X Firewall

Cisco’s FirePOWER advanced security threat protection solution was introduced late 2014 and its purpose is to replace the current ASA 5500-X IPS and ASA CX 5500-X Context-aware offerings.

The diagram below shows key security features provided by most Cisco ASA Firewall appliances. Features such as Clustering, High Availability, Network profiling, Identity-Policy Control, VPN and advanced access lists have until today been fairly standard offerings across the ASA Firewall series, however, the newer 5500-X can now offer the additional FirePOWER services marked in red below:

Figure 2. Cisco FirePOWER services (marked in red) provide advanced key security features to ASA Firewalls

Cisco’s FirePOWER solution has the ability not only to provide advanced zero-day IPS threat protection, but also to deliver exceptional security & firewalling services such as Application Visibility & Control, FirePower Analytics & Automation, Advanced Malware Protection (AMP) & Sandboxing, plus Web-based URL filtering, all in one box.

While most of these additional FirePOWER services are subscription based, meaning companies will need to fork out additional money, they do offer significant protection and control and help to reduce administrative complexity.

Customers utilizing Cisco’s Intrusion Prevention System (IPS) or FirePOWER services also have the option of the Cisco FireSIGHT Management Center – a solution used to centrally manage network security. Cisco’s FireSIGHT allows network administrators, security engineers and IT Managers to monitor events, analyse incidents, obtain detailed reporting and much more, from a single intuitive web-interface.

Figure 3. The Cisco FireSIGHT Management Center Graphical Interface

It’s evident that Cisco is marketing its ASA 5500-X series with FirePOWER services as its flagship network security & threat protection solution, which is why Firewall.cx will be covering the Cisco FirePOWER & FireSIGHT Management Center configuration in great depth in upcoming articles.

Cisco’s Adaptive Security Appliance (ASA) Firewalls are one of the most popular and proven security solutions in the industry. Since the introduction of the PIX and ASA Firewall into the market, Cisco has been continuously expanding its firewall security features and intrusion detection/prevention capabilities to adapt to the evolving security threats while integrating with other mission-critical technologies to protect corporate networks and data centers.

In recent years, we’ve seen Cisco tightly integrate separate security technologies such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software modules supported only by the newer ASA 5500-X series security appliances.

With the addition of the software or hardware module, customers are able to increase the firewall’s security and protection capabilities while at the same time simplifing security management and administration by dealing with a single firewall device instead of multiple firewall, IPS or IDS devices.

While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series, upcoming articles will cover both software and hardware modules along with Cisco FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.

Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540 have been announced as End-of-Sale & End-of-Life. Modules below are no longer sold or supported by Cisco. Last day of support was 30^th of September 2018.

Users interested in the newer ASA 5500-X IPS, Context-Aware and FirePOWER services can read our article Cisco ASA 5500-X Series Firewall with IPS, ASA CX & FirePower Services. Application Visibility and Control (AVC), Web Security, Botnet Filtering & IPS / IDS.

Hardware Modules For ASA 5500 Series Firewalls

The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540 etc) were the first security appliances with the capability to integrate hardware modules for enhanced security and threat protection.

To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories:

• Content Security and Control Security Services (CSC-SSM)
• Advanced Inspection and Prevention Security Services (AIP-SCC & AIP-SSM)

Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a separate operating system that integrates with the ASA Firewall via its internal network ports.

Let’s take a brief look at each category.

The Content Security & Control Security Services Modules

The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware, advanced content filtering (including Web Caching, URL filtering, anti-phishing), and anti-spam filtering is required. This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for all size networks.

Following are the hardware modules supporting Content Security and Control Security Services:

• CSC-SSM-10: For ASA 5510 & ASA 5520. Initial support for 50 users, upgradable up to 500 users
• CSC-SSM-20: For ASA 5510, ASA 5520 & ASA 5540. Initial support for 500 users, upgradable up to 1000 users

The CSC-SSM-10 & CSC-SSM-20 modules look identical. Shown below is the CSC-SSM-20 module:

Figure 1. The Cisco CSC-SSM-20 hardware module for the ASA 5500 series Firewalls

Users requiring additional information on the Cisco CSC-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Content Security and Control Security Services datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.

The Advanced Inspection & Prevention Security Services Modules

The Advanced Inspection and Prevention Security Services modules combine IPS and IDS threat protection with mitigation services aiming to protect and stop malicious traffic before it can affect the network. Updates for the modules occur up to every 5 minutes, ensuring real-time updates and effective protection from zero-day attacks.

Cisco ASA Firewall customers can choose between the following Advanced Inspection and Prevention Security Service modules depending on their ASA hardware platform:

• AIP SCC-5:For ASA 5505. 1 Virtual sensor. 75Mbps concurrent threat mitigation throughput.
• AIP SSM-10: For ASA 5510 & ASA 5520. 4 Virtual sensors. Up to 225Mbps concurrent threat mitigation throughput depending on ASA model.
• AIP SSM-20: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 500Mbps concurrent threat mitigation throughput depending on ASA model.
• AIP SSM-40: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 650Mbps concurrent threat mitigation throughput depending on ASA model.

Figure 2. The Cisco ASA Firewall AIP SSC-5, AIP SSM-20 and AIP SSM40 IPS hardware modules

Users requiring additional information on the Cisco AIP SSC-5 & AIP-SSM modules, including features, hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services module and card datasheet from our Cisco ASA 5500 Product Datasheets and Guides download section.

Summary

The ASA 5500 Firewall series hardware modules offer a substantial number of network security enhancements making them ideal for corporate environments with sensitive data, in-house webservers and multiple VLANs & VPN networks. Their ability to provide advanced malware threat protection, URL filtering and IPS / IDS services make them the ideal upgrade for any ASA 5500 series Firewall adding true value to protecting and mitigating security threats.

This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall running ASA version 8.2 and earlier plus ASA version 8.3 and later, to support NAT Reflection. NAT Reflection, is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address.

What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.

Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section that covers NAT in great depth.

Single 3-Port/Leg Firewall DMZ With One LAN Interface ExpressWay-E Server

In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. This type of setup also happens to be one of the two most popular configurations:

Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)

ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:

• Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
• The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 – ASA’s DMZ interface IP address. This is also known as Source NAT (SNAT).

When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:

For ASA Versions 8.3 and later:

NOTE: After the NAT command is applied you will receive the two above warning messages.

The last line in our ASA configuration performs Source NAT and Destination NAT in one command.

For ASA Versions 8.2 and earlier:

access-list INT-DMZ-IN extended permit ip host 192.168.1.50 host 203.40.40.5
static (inside,DMZ) interface access-list INT-DMZ-IN
!
access-list INT-DMZ-IN extended permit ip host 192.168.5.5 host 192.168.5.1
static (DMZ,inside) 203.40.40.5 access-list INT-DMZ-IN

As shown, there are two levels of NAT occurring for this scenario, both required by the Cisco Telepresence - ExpressWay infrastructure.

Dual 2-Port/Leg Firewalls DMZ With One LAN Interface ExpressWay-E Server

The second most popular setup involves two firewalls, one protecting our LAN (Firewall 2) and one protecting our DMZ (Firewall 1) while also limiting traffic hitting our LAN firewall:

Figure 2. NAT Reflection on a 2-Port ASA Firewall with DMZ for Cisco Telepresence (ExpressWay-C & ExpressWay-E)

In this slightly more complex setup, Firewall No.1 is where we apply NAT Reflection to inbound traffic from ExpressWay-C server destined to ExpressWay-E’s public IP address 203.40.40.5.

It’s important to note that returning traffic from ExpressWay-E to ExpressWay-C will have to pass through Firewall 1 again. If an attempt is made to direct returning traffic through Firewall 2 (bypassing Firewall 1) e.g via a static route, then we’ll have a condition known as Asymmetric Routing, possibly causing disruptions in the communication between the two servers.

Note: Asymmetric Routing occurs when returning traffic between two hosts does not follow the same route as the original traffic. This condition is not favored by Firewalls as they track traffic and expect returning traffic to follow the same path originally taken.

Firewall No.1 is also configured with a one-to-one static NAT mapping, directing all traffic towards 203.40.40.5 to 192.168.5.5.

ExpressWay-C packets traversing ASA Firewall 1 destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:

• Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 –ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
• The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.2 – Firewall 1’s internal interface IP address. This is also known as Source NAT (SNAT).

Firewall 2 does not perform any NAT for traffic between ExpressWay-C and ExpressWay-E. When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.2, Destination IP: 192.168.5.5

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.2) for this traffic flow is optional however required specifically for the Cisco ExpressWay setup. The configuration commands for the above setup is as follows:

For ASA Versions 8.3 and later:

NOTE: After the NAT command is applied you will receive the two above warning messages.

The last line in our ASA v8.3 and later configuration performs Source NAT and Destination NAT in one command.

For ASA Versions 8.2 and earlier:

Summary

NAT Reflection (NAT Loopback or Hairpinning) is a fairly new NAT concept to most but as we’ve seen it’s a fairly easy one to understand. Implementations of NAT Reflection are slowly becoming popular due to the new and complex technologies that require this type of NAT functionality – Telepresence and video conferencing being one of them. We covered NAT Reflection for the two most popular Firewall configurations including diagrams and ASA Firewall configuration commands.

This article will show how to download and upload the newer AnyConnect 4.x VPN clients to your Cisco ASA Firewall appliance (5500 & 5500-X Series) and configure WebVPN so that the newer AnyConnect VPN client is used and distributed to the remote VPN clients.

The Cisco AnyConnect SSL VPN has become the VPN standard for Cisco equipment, replacing the older Cisco IPSec VPN Client. With the introduction of the newer 4.x AnyConnect, Cisco has made dramatic changes to their licensing and features supported. Our Cisco AnyConnect 4.x Licensing article explains the differences with the newer 4.x licensing and has all the details to help organizations of any size migrate from 3.x AnyConnect to 4.x. You’ll also find the necessary Cisco ordering codes along with their caveats.

Figure 1. Cisco AnyConnect v4.x

The latest AnyConnect client at the time of writing is version 4.2.02075, which is available for Cisco customers with AnyConnect Plus or Apex licenses. Cisco provides both head-end and standalone installer files. The head-end files (.pkg extension) are deployed on the Cisco ASA Firewall and automatically downloaded by the VPN clients once authenticated via the web browser.

Uploading AnyConnect Secure Mobility Packages To The ASA Firewall

Images can be uploaded to the Cisco ASA Firewall via a standard tftp client using the copy tftp flash: command:

We repeat the same commands until all 3 files have been uploaded so we can fully support Windows, Linux and MAC OS clients.

Using the dir command at the end of the process confirms all files have been successfully uploaded to our ASA Firewall:

Registering The New AnyConnect Packages

Assuming AnyConnect is already configured on your ASA Firewall, registering the new packages is a very simple process. In the near future, we’ll be including a full guide on how to setup AnyConnect Secure Mobility on Cisco ASA Firewalls.

Enter configuration mode and in the webvpn section add the following commands:

When dealing with multiple clients (supported platforms) of AnyConnect, assign an order to the client images using the numbers (1, 2, 3) at the end of each package command as shown above.

Previous versions of AnyConnect packages (.pkg) can be removed from the configuration by using the no anyconnect image disk0:/anyconnect-win-xxxxx-k9.pkg command.

Verifying The New AnyConnect Packages

As a final step, we can verify that the AnyConnect packages have been successfully installed using the show webvpn anyconnect command:

This completes the upgrade process of AnyConnect Secure Mobility Client on an ASA Firewall Security appliance. We saw all CLI commands involved to upload and register the new AnyConnect packages, remove the old AnyConnect packages and finally verify the packages are correctly registered for usage.

In late 2014, Cisco announced the new licensing model for the latest AnyConnect Secure Mobility client v4.x. With this new version, Cisco introduced a number of new features, but also simplified the licensing model which was somewhat confusing. In this article, we will take a look at the new AnyConnect 4.x licenses which consist of: AnyConnect Plus license, AnyConnect Plus Perpetual license and AnyConnect Apex license.
 
We will also show how the new licenses map to the older AnyConnect Essentials and AnyConnect Premium license, plus the available migration paths. Finally, we also take a look at Cisco’s Software Application Support (SAS) and Software Application Support plus Upgrade (SASU), which are required when purchasing AnyConnect.

All AnyConnect licenses prior to version 4 had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now have one of the three licensing options:

• Cisco AnyConnect Plus License (Subscription Based)
• Cisco AnyConnect Plus Perpetual License (Permanent – no subscription)
• Cisco AnyConnect Apex License (Subscription Based)

With the new AnyConnect licenses, Cisco has moved to a subscription-based licensing model which means customers will unfortunately need to fork out more money in the long run.  The Plus Perpetual License on the other hand allows Cisco customers to purchase a one-time license, however the license costs significantly higher than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Since the newer AnyConnect licenses are subscription-based, according to Cisco, if their subscription expires and is not renewed, they will stop working.
 
Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:

• Windows 8.1 (32bit & 64Bit)
• Windows 8 (32bit & 64Bit)
• Windows 7 (32bit & 64Bit)
• Linux Ubuntu 12.X 64Bit
• Linux RedHat 6 64Bit
• Mac OS X 10.10 – 10.8

As expected, Windows XP is no longer supported.

Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:

Figure 1. Mapping AnyConnect 3.x Essentials & Premium to AnyConnect 4.x Plus & Apex

Related AnyConnect Articles on Firewall.cx:

• Configuring Cisco SSL VPN AnyConnect 3.x (WebVPN) on Cisco IOS Routers
• WEB SSL VPN - The Next Wave Of Secure VPN Services

Cisco AnyConnect Plus License (Old Essentials License) 5, 3 or 1-Year Term

The AnyConnect Plus License is a subscription-based license with the option of a 5, 3 or 1-year renewable subscription and supports the following features:

• VPN Support for Devices. Includes Workstations and Laptops.
• Secure Mobility Client support (AnyConnect Mobile). Includes mobile phones, tablets etc.
• SSL VPN (Client-based)
• Per-app VPN. Authorize specific applications access the VPN.  Supports specific devices and software.
• Basic endpoint context collection
• IEEE 802.1X Windows supplicant
• Cisco Cloud Web Security agent for Windows & Mac OS X platforms
• Cloud Web Security and Web Security Appliance support
• Cisco Advanced Malware Protection for Endpoints Enabler. AMP for Endpoints is licensed separately
• Network Access Manager
• Federal Information Processing Standards (FIPS) Compliance

It is worth noting that AnyConnect 3.x required the purchase of Essentials or Premium license + AnyConnect Mobile (L-ASA-AC-M-55xx) in order to support mobile devices (Smartphones, Tablets etc.).  AnyConnect Mobile is now integrated into the new AnyConnect Plus license.

Cisco AnyConnect Plus Perpetual (permanent) License

The AnyConnect Plus Perpetual license supports the same features as the Plus license above, but with the difference that it is a permanent license.
 
The customer purchases it once and does not have any subscription services, however it is still required to purchase a software application support plus upgrade (SASU) contract. This is covered in detail at the end of this article.

Customers considering the Plus Perpetual license should compare costs with the subscription-based license to see if it is worth going down that path.

Cisco AnyConnect Apex License (Old Premium License)

The AnyConnect Apex License includes all offerings in the AnyConnect Plus license plus the following:

• All AnyConnect Plus features
• Clientless (browser-based) VPN Termination on the Cisco ASA Firewall appliance
• VPN compliance and posture agent in conjunction with the Cisco ASA Firewall appliance
• Unified compliance and posture agent in conjunction with the Cisco Identity Services Engine (ISE) 1.3 or later
• Support for stronger Next-generation encryption (Suite B)

The AnyConnect Apex license is only available as a subscription-based license. There is no perpetual license available.
 
The Next Generation Suite B encryption supports the following stronger encryption standards:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key exchange agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Purchasing AnyConnect Licenses & Important Notes – Understand SAS & SASU For AnyConnect

While AnyConnect licensing has been simplified, there are still a few important areas we must be aware of to avoid licensing and future upgrade issues.

Before we dive in, we need to clarify what Software Application Support (SAS) and Software Application Support plus Upgrade (SASU) is because they are required with AnyConnect licenses:

SAS:  Provides access to Cisco’s latest software application updates (e.g AnyConnect, VPN Client software). SAS also includes minor release updates (e.g. AnyConnect 4.0 to 4.1 upgrade) and 24-hour technical assistance from Cisco TAC (Only for the specific software/application) and unrestricted access to online tools.

SASU: Includes everything provided in SAS, plus major upgrade release of the software e.g from AnyConnect 4.x to AnyConnect 5.x (when available).

When purchasing AnyConnect Plus or AnyConnect Apex subscription-based licenses, SASU is already included and is not required to be purchased separately.
 
When purchasing AnyConnect Plus Perpetual licenses, SASU must be purchased.  To do so, you need to order the following:

1. Order the Cisco AnyConnect Plus Perpetual License (L-AC-PLS-P-G) which has no cost ($0)
2. Add the User License required e.g Cisco AnyConnect Plus - Perpetual License/25 users (AC-PLS-P-25-S)
3. Add the SASU product for the selected User License (AC-PLS-P-25-S). In our example the SASU product will be CON-SAU-ACPL25. It is also necessary to specify the duration of the contract (1 – 60 months). The longer the duration, the larger the cost.

Full product ID’s for AnyConnect Plus, Plus Perpetual and Apex licenses along with all subscriptions and SASU products are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

Below we are including a list of the maximum VPN peers/sessions supported by each ASA Firewall appliance to help customers decide the amount of AnyConnect licenses they require:

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Cisco ASA Next Generation Platform (X) VPN Peers / Sessions

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

Cisco AnyConnect Plus, AnyConnect Apex Migration Licenses

Cisco customers who purchased AnyConnect Essentials, Premium and Shared Premium licenses prior to March 2 2015, can transition to the new Plus/Apex licenses by ordering the Plus/Apex Migration subscription licenses for 5, 3 or 1-year term.

The last day to purchase AnyConnect Migration licenses is 31st of December 2015.

The AnyConnect Migration license product IDs are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

This article explained the new Cisco AnyConnect 4.x licensing model. We analysed the three new simplified licensing options AnyConnect Plus, Plus Perpetual and AnyConnect Apex, including the features each license supports and how they map to the old Essentials and Premium licenses. We covered the operating systems supported by AnyConnect 4.x, ordering product IDs and analysed the SASU services required with AnyConnect Perpetual  licenses, AnyConnect Migration licenses while also noting the maximum VPN sessions supported by all available ASA Firewall appliances.

The Cisco ASA 5500 series security appliances have been around for quite some time and are amongst the most popular hardware firewalls available in the market. Today Firewall.cx takes a look at how to easily setup a Cisco ASA5500 series firewall to perform basic functions, more than enough to provide secure & restricted access to the Internet, securely access and manage the ASA Firewall and more.

While many consider the Cisco ASA Firewalls complex and difficult to configure devices, Firewall.cx aims to break that myth and show how easy you can setup an ASA Firewall to deliver basic and advanced functionality. We’ve done it with other Cisco technologies and devices, and we’ll do it again :)

The table below provides a brief comparison between the different ASA5500 series security appliances:

Users can also download the complete technical datasheet for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section.

Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to setup pretty much all ASA 5500 series Firewalls – which is Great News!

The main differences besides the licenses, which enable or disable features, are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly modules that might be installed. In any case, we should keep in mind that if we are able to configure a small ASA5505 then configuring the larger models won’t be an issue.

At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article, however, do note that all commands and configuration philosophy is the same across all ASA5500 series security appliances.

ASA5500 Series Configuration Check-List

We’ve created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall. Here is the list of items that will be covered in this article:

• Erase existing configuration
• Configure Hostname, Users, Enable password & Disable Anonymous Reporting
• Configure interface IP addresses or Vlan IP addresses (ASA5505) & Descriptions
• Setup Inside (private) & Outside (public) Interfaces
• Configure default route (default Gateway) & static routes
• Configure Network Address Translation (NAT) for Internal Networks
• Configure ASA DHCP Server
• Configure AAA authentication for local database user authentication
• Enable HTTP Management for inside interface
• Enable SSH & Telnet Management for inside and outside interfaces
• Create, configure and apply TCP/UDP Object-Groups to firewall access lists
• Configuration of access-lists for ICMP packets to the Internet
• Apply Firewall access lists to ‘inside’ and ‘outside’ interfaces
• Configure logging/debugging of events and errors

Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or accident restart.

Saving the configuration can be easily done using the write memory command:

Erasing Existing Configuration

This first step is optional as it will erase the firewall’s configuration. If the firewall has been previously configured or used it is a good idea to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch.

Once the configuration is deleted we need to force a reboot, however, take note that it’s important not to save the system config to ensure the running-config is not copied to the startup-config otherwise we’ll have to start this process again:

Configure Hostname, Users, 'Enable' Password & Disable Anonymous Reporting

Next, we need to configure the Enable password, required for privileged exec mode access, and then user accounts that will have access to the firewall. 

The ASA Firewall won’t ask for a username/password when logging in next, however, the default enable password of ‘cisco’, will be required to gain access to privileged mode:

The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands including erasing the configuration and files on the device’s flash disk, such as the operating system.

Configure Interface IP addresses / VLAN IP Addresses & Descriptions

Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA5510 and larger models,  or create VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA5505 models.

In many cases network engineers use VLAN interfaces on the larger ASA5500 models, however, this depends on the licensing capabilities of the device, existing network setup and more.

In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:

The setroute parameter at the end of the command will ensure the ASA Firewall sets its default route (gateway) using the default gateway parameter the DHCP server provides.

After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface.  Out of the 8 total Ethernet interfaces the ASA5505 has, at least one must be set with the switchport access vlan 2 otherwise there won’t be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order make them operational. All of these ports are, by default, access links for VLAN1. Provided are the configuration commands for the first two ethernet interface as the configuration is identical for all:

Setup Inside (private) & Outside (public) Interfaces

Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted (private) and untrusted (public) network:

The ASA Firewall will automatically set the security level to 100 for inside interfaces and 0 to outside interfaces.  Traffic can flow from higher security levels to lower (private to public), but not the other way around (public to private) unless stated by an access-lists. 

To change the security-level of an interface use the security-level xxx command by substituting xxx with a number from 0 to 100. The higher the number, the higher the security level.  DMZ interfaces are usually configured with a security level of 50.

It is extremely important the necessary caution is taken when selecting and applying the inside/outside interfaces on any ASA Firewall.

Configure Default Route (default gateway) & Static Routes

The default route configuration command is necessary for the ASA Firewall to route packets outside the network via the next hop, usually a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.

For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer3 switch or an internal router.  For our example, we’ll assume we have two networks: 10.75.0.0/24 & 10.76.0.0/24 which we need to provide Internet access to. These additional networks are contactable via a Layer3 device with IP address 10.71.0.100:

Configure Network Address Translation (NAT) For Internal Networks

This is the last step required to successfully provide Internet access to our internal networks. Network Address Translation is essential to masquerade our internal network using the single IP address our Public interface has been configured with.  Network Address Translation, along with all its variations (Static, Dynamic etc), is covered in great depth in our popular Network Address Translation section.

We should note at this point that NAT configuration has slightly changed with ASA software version 8.3 and above. We will provide both commands to cover installations with software version up to v8.2.5 and from v8.3 and above.

The following commands apply to ASA appliances with software version up to 8.2.5:

In the above configuration, the ASA Firewall is instructed to NAT all internal networks using the NAT Group 1. The number ‘1’ is used to identify the NAT groups for the NAT process between the inside and outside interfaces.

The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside interface.

Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NAT’ed with the use of access lists:

NAT with the use of access lists provides greater flexibility and control which IP addresses or networks will use the NAT service.

With software version 8.3 and newer, things have changed dramatically and there are no more access lists in NAT configuration lines.

The new NAT format now utilizes "object network", "object service" and "object-group network" to define the parameters of the  NAT  configuration.

The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet:

Configuring The ASA DHCP Server

The existence of a DHCP server is necessary in most cases as it helps manage the assignment of IP address to our internal hosts. The ASA Firewall can be configured to provide DHCP services to our internal network, a very handy and welcome feature.

Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the maximum assigned IP addreses for the DHCP pool was just 128!

Note that the DHCP service can run on all ASA interfaces so it is necessary to specify which interface the DHCP configuration parameters are for:

Once configured, the DHCP service will begin working and assigning IP addresses to the clients. The Gateway IP address parameter is automatically provided to client and is not required to be configured on the ASA Firewall appliance.

We can verify the DHCP service is working using the show dhcpd statistics command:

If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.

Configure AAA Authentication For Local Database User Authentication

Configuring AAA authentication is always a good idea as it instructs the ASA Firewall to use the local user database for the various services it's running. For example, we can tell the ASA Firewall to use a radius server for VPN user authentication, but use its local database for telnet, ssh or HTTP (ASDM) management access to the Firewall appliance.

As mentioned, our example instructs the ASA Firewall to use its local database:

Enable HTTP Management For Inside Interface

We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the Firewall’s management via the popular ASDM management application:

The above commands enable HTTP management on the ASA Firewall only for the network 10.71.0.0/24.

Enable SSH & Telnet Management For Inside & Outside Interfaces

Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option, however, we must keep in mind that telnet management methods do not provide any security as all data (including username, passwords and configurations) are sent in clear text.

Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any such step as it does not provide any encryption or security:

Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on  the inside interface.

Create, Configure & Apply TCP/UDP Object-Groups

An essential part of any firewall configure is to define the Internet services our users will have access to. This is done by either creating a number of lengthy access lists for each protocol/service and then applying them to the appropriate interfaces, or utilising the ASA Firewall Object-Groups which are then applied to the interfaces. Using Object-groups is easy and recommended as they provide a great deal of flexibility and ease of management.

The logic is simple:  Create your Object-Groups, insert the protocols and services required, and then reference them in the firewall access -lists. As a last step, we apply them to the interfaces we need.

Let’s use an example to help visualise the concept. Our needs require us to create two Object-Groups, one for TCP and one for UDP services:

Now we need to reference our two Object-groups using the firewall access lists. Here we can also define which networks will have access to the services listed in each Object-group:

Note that the 10.71.0.0/25 network has access to both Object-groups services, our other networks are restricted to only the services defined in the TCP Object-group. To understand how Object-groups help simplify access list management: without them, we would require 37 access lists commands instead of just 4!

Configuration Of Access-Lists For ICMP Packets To The Internet

To complete our access list configuration we configure our ASA Firewall to allow ICMP echo packets (ping) to any destination, and their replies (echo-reply):

Appling Firewall Access-Lists To ‘inside’ & ‘outside’ Interfaces

The last step in configuring our firewall rules involves applying the two access lists, inside-in & outside-in, to the appropriate interfaces. Once this step is complete the firewall rules are in effect immediately:

Configure Logging/Debugging Of Events & Errors

This last step in our ASA Firewall configuration guide will enable logging and debugging so that we can easily trace events and errors. It is highly recommended to enable logging because it will certainly help troubleshooting the ASA Firewall when problems occur.

The commands used above enable log in the debugging level (7) and sets the buffer size in RAM to 30,000 bytes (~30Kbytes).

Issuing the show log command will reveal a number of important logs including any packets that are processed or denied due to access-lists:

Summary

This article serves as an introduction configuration guide for the Cisco ASA5500 series Firewall appliances. We covered all necessary commands required to get any ASA5500 Firewall working and servicing network clients, while also explaining in detail all commands used during the configuration process.

This article explains how to convert a local or remote Autonomous / Standalone Cisco Aironet Access Point to Lightweight and register it to a Cisco WLC Controller. Included are detailed steps, commands, full text logs of the conversion process and screenshots to ensure an easy and successful upgrade - WLC registration.

Key Topics:

• Restrictions & Considerations when Converting Autonomous APs to Lightweight Mode
• The Different Type of Access Point Image Files (k9w8 & rcvk9w8)
• Cisco AP Autonomous to Lightweight Conversion Process
• Registering Cisco Lightweight AP to WLC Controller
• Summary

Related Articles

• Introduction To Cisco Wireless Controllers (WLC) - Basic Concepts – WLC Models, Benefits & Their Friendly GUI Interface
• Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work
• Understanding, Configuring & Tweaking Web-based Cisco Aironet Access Point. Network Interface Radio0 802.11a/b/g Settings

Restrictions & Considerations when Converting Autonomous APs to Lightweight Mode

Converting an Autonomous AP to Lightweight Mode is a straight forward process however it is important to keep a few things in mind before performing the conversion procedure as there are some restrictions users should be aware of.

Depending on the level of experience some of these notes/restrictions might be considered basic or redundant knowledge. For sake of simplicity we are presenting them in bullet format:

• All Cisco lightweight access points are capable of supporting up to 16 BSSIDs per radio and a total of 16 WLANs per access point.
• Access points converted to lightweight mode require a DHCP server to obtain an IP address and discover the WLC via DNS or IP broadcast.
• Lightweight access points do not support Wireless Domain Services (WDS). All lightweight APs communicate with the WLC.
• Lightweight AP console port provides read-only access to the AP.

The Different Type of Access Point Image Files (k9w8 & rcvk9w8)

Before we begin the conversion process it is necessary to download the CAPWAP software file that matches the Access Point to be converted. These files can be downloaded from Cisco’s website and usually require an active Smartnet contract. Alternatively, a search on the web might reveal other sources from which they can be downloaded.

There are two type of AP CAPWAP software files we can download and install:

• Fully functional CAPWAP Image file (full image) – Identified by the k9w8 string in their filename and are usually large in size (10-20Mb). Once loaded, the AP is able to join the WLC and download its configuration. Example file name: ap3g1-k9w8-tar.152-4.JB6.tar

• Recovery mode CAPWAP Image file – Identified by the rcvk9w8 string in their filename. These are smaller in size (5-8Mb) and used to help the AP boot and join the controller so it can then download the full image from the WLC. Example filename: ap3g1-rcvk9w8-tar.152-4.JB6.tar

Regardless of the type of image loaded during the conversion process, the AP will always download the full image from the WLC as soon as it joins. The only exception to this rule is when the fully functional CAPWAP image file loaded on the AP is the same version as the one contained in the WLC.

Cisco AP Autonomous to Lightweight Conversion Process

First download a fully functional or recovery mode CAPWAP file suitable for the AP model. In our example we will be converting a Cisco 3502 AP and decided to download the appropriate recovery mode file: ap3g1-rcvk9w8-tar.152-4.JB6.tar.

Since the AP will automatically download the full image from the WLC once it joins, using the recovery mode file will speed up the conversion process.

We’ll need to have a FTP server running so we can configure the AP to download the file from it.

STEP 1: Power up the Autonomous AP & Configure a FTP server form where the AP will download the image

STEP 2: Connect the Autonomous AP to a network switch or directly to the workstation serving the AP image via a FTP server.

STEP 3: Configure the AP with an IP address appropriate for the network or set it to DHCP

In our example we configure the AP to obtain its IP address from a DHCP server:

The AP confirms once it has successfully obtained an IP address from the DHCP server.

Note: BVI interface indicates that the Radio interface (e.g Dot11Radio0) and Ethernet interface (e.g GigabitEthernet0) are bridged (bridge-group x). If this is not your case, apply the configuration to the AP’s Ethernet interface.

STEP 4: Configure the AP with the FTP user account credentials as configured on the FTP server. This will allow the AP to access and download the image file. Once configured, begin the software download procedure using the archive download-sw command.

Here is the complete text log of the procedure:

The /force-reload parameter will automatically reload the AP as soon as the new software image is installed while the /overwrite parameter is required to replace the autonomous image with the CAPWAP image.

Console cable can be used for the conversion process of local APs. Alternatively SSH/Telnet can be used for the conversion of both local and remote APs.

Registering Cisco Lightweight AP to WLC Controller

Once the CAPWAP image has been successfully loaded on the AP it reload and begin searching to register with a WLC Controller. As soon as the AP successfully registers with the WLC it will compare its image with that of the controller and if found different begin to download and install it.

It is important to ensure there is an active DHCP server on the same VLAN/network as the AP to provide it with an IP address, subnetmask, gateway and DNS parameters. DNS parameters are not mandatory but will speed up the WLC discovery processes if the DNS server contains an “A Type” resource record  of “CISCO-CAPWAP-CONTROLLER” pointing to the WLC’s IP address.

In the logs below we can see our AP searching for the WLC (Translating "CISCO-CAPWAP-CONTROLLER"...domain server) after its initial reload (we’ve just installed recovery mode image). It then discovers the WLC (both WLC and AP are on the same VLAN), registers and downloads the WLC full CAPWAP image:

Click to enlarge

The following screenshot was taken after the AP joined the WLC and begun automatically downloading the new image:

As soon as the AP downloads and installs the new image, it will automatically reload and register with the WLC again. At this point the AP is ready to be configured and used as required.

Finally notice the date/time correction (*Sep  6 09:54:05.000) as soon as the AP registers with the WLC controller. This is the first indication its registered correctly with the WLC at IP address 192.168.50.5

Summary

This article showed how to convert an Autonomous or Standalone Cisco Access Point to Lightweight mode and join it to a Cisco WLC Controller. We covered the different restrictions and considerations during the AP conversion process, explained the difference between the fully functional CAPWAP (k9w8) and recovery mode CAPWAP (rcvk9w8) image files. Finally we provided the necessary commands & tips to configure the AP, transfer the image and register it with the WLC.

Cisco Wireless Controllers (WLC) support the configuration of Link Aggregation (IEEE 802.3ad - LAG) which bundles the controller ports into a single port channel. This helps simplify the configuration of the WLC interface ports, increase available bandwidth between the wireless and wired network, provide load-balancing capabilities between physical WLC ports and increase port redundancy.

To learn more about WLC interfaces refer to our article Cisco WLC Interfaces, Ports & Their Functionality article

The diagram below shows an example of a WLC 2504 with ports P1 and P2 in a LAG configuration connecting to a Cisco Catalyst or Nexus switch. In the configuration below WLC ports P1 and P2 are aggregated to provide a total of 2Gbps bandwidth:

Key Topics:

• Link Aggregation Restrictions and Considerations
• Wireless Controller LAG Configuration – Enabling LAG
• Configuring Switch to Support Link Aggregation
• Summary

Related Articles

• Cisco WLC Basic Concepts, WLC Models, and GUI Interface
• WLC Interfaces, Ports & Functionality. Understand how WLCs work, Wi-Fi SSID/VLAN Mappings
• Cisco WLC Datasheets Download

Link Aggregation Restrictions - Considerations

While LAG is the preferred method of connecting the WLC to the network there however a number of restrictions we need to be aware of to ensure we don’t stumble into any unpleasant surprises.

• On 2504 and 3504 WLCs you can bundle all 4 ports into a single link.
• On 5508 WLC you can bundle up to 8 ports into a single link.
• Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) are not supported by the WLC. Port-Channel members must be set unconditionally to LAG (shown in the configuration below).
• Only one LAG Group is supported per WLC, you can therefore connect a WLC only to one switch unless using VSS (Catalyst) or vPC (Nexus) technologies.
• When LAG is enabled, if a single link fails, traffic is automatically switched to the other links.
• After enabling LAG the WLC must be rebooted.
• When enabling LAG, all dynamic AP manager interfaces and untagged interfaces will be deleted. (See related article WLC Interfaces – Logical Interfaces)
• After enabling LAG, all Virtual Interfaces use the LAG interface. No backup port (under the Virtual Interface settings) is configurable:

Click to enlarge

Wireless Controller LAG Configuration – Enabling LAG

First step is to enable LAG. Log into the WLC and click on the Advanced menu option (firmware v8 and above only). Next, select the Controller menu option and set the LAG Mode on next reboot option to Enabled and click on the Apply button:

At this point the WLC will pop up a warning window explaining the changes that are about to take place. As mentioned previously, all dynamic AP manager interfaces and untagged interfaces will be deleted. (See related article WLC Interfaces – Logical Interfaces to understand the implications):

Once we click on OK the WLC will proceed to enable LAG mode and present us with another notification requesting that we save the configuration and reboot the controller:

Note: Ignore the DNS Server IP that was presented in our Lab environment.

Next, click on the Save Configuration button on the top right corner. To reboot the controller, click on Commands menu, select Reboot from the right menu column and finally click on the Reboot button on the right:

Click on OK in the popup message to confirm the reboot.

At this point the WLC will reboot and we won’t be able to ping or access the WLC web interface until we configure the switch. All access points and wireless networks will also be unavailable.

Configuring Switch Port-Channel to Support Link Aggregation

The Port-channel configuration is a straight forward process. It’s best to ensure all interfaces participating in the Port-channel are set to their default configuration. This will remove any existing configuration, minimizing errors during the switchport configuration process.

First remove existing configuration from the interfaces participating in the Port-channel (Gigabitethernet 0/6 & 0/7), then make them members of Port-channel 1. If the Port-channel doesn’t exist, it will be automatically created:

Below is the complete Port-channel and interface configuration:

Notice that the channel-group mode is set to on which enables Etherchannel without any LACP or PAgP support. This is because the WLC doesn’t support LACP or PAgP and requires a plain vanilla Etherchannel.

When connecting the WLC to a modular Catalyst or Nexus switch its always advisable to use ports on different modules as this will increase redundancy in the event of a module failure.

Finally during the Port-channel configuration process, ensure to allow all necessary VLANs used by the WLC controller and wireless network.

Once the configuration is complete, we’ll should be able to ping and access the WLC again.

A simple show interface port-channel 1 will also confirm both configured links are up and we have a total bandwidth of 2Gbps:

Additional useful commands that can be used to obtain more information on the Etherchannel are:

• Show etherchannel 1 summary
• Show etherchannel 1 status
• Show etherchannel 1 port-channel
• Show etherchannel 1 protocol

Summary

This article explained the advantages and showed how to configure Link Aggregation (LAG) on your Cisco WLC. We included a number of important LAG restrictions for WLCs while noting restrictions for specific WLC models (2504, 5508 etc). Cisco switch port configuration using Port-channel interfaces was also included along side with an explanation on why Etherchannel must be used as WLC LAG does not support LACP or PAgP. Finally we included a number of useful commands to verify and troubleshoot Link Aggregation or Port-channel interfaces.

Our previous article introduced Cisco’s popular Wireless ControllerCisco’s popular Wireless Controller (WLC) devices and examined their benefits to enterprise networks, different models offered and finally took a look at their friendly GUI interfaces. This article continues by explaining the purpose and functionality of each WLC interface (Management interface, Virtual interface, AP-Manager interface, Dynamic interfaces etc), WLC Port (Service port, Redundant port, Distribution ports etc), how WLCs connect to the network infrastructure, VLAN requirements and mapping to SSIDs.

Users can freely download Cisco's WLC product portfolio in our Cisco's Wireless Controller Datasheets download section. The datasheets contain all currently available WLC models, brief specification overview/comparison and much more.

WLC Interface Concepts – Understanding Ports & Logical Interfaces

Every WLC is fitted with a number of ports (physical interfaces) and logical interfaces, all critical for the device’s proper operation and integration with the network infrastructure. It is important that engineers working with WLCs, understand the purpose of each interface and how it should be used. This will help maximize the stability and scalability of any WLC deployment by correctly configuring all necessary interfaces and attached devices.

WLC Ports (Physical Interfaces)

We will now take a look at the different ports that can be found on WLCs and explain their purpose. Depending on the WLC model, some ports might or might not be present. The Console Port and Distribution System Ports are found on all WLCs.

Figure 1. Available Ports on a Cisco WLC 5500

Redundancy Port

This port is used for High-Availability (HA) deployment designs when there are two WLCs available. In this setup, both WLCs are physically connected with each other through the Redundant Port using an Ethernet cable. The redundancy port is used for configuration, operational data synchronization and role negotiation between the primary and secondary controllers.

The redundancy port checks for peer reachability by sending UDP keepalive messages every 100 milliseconds from the standby-hot WLC to the active WLC. Finally, the first two octets of the redundancy port’s IP address is always 169.254.xxx.xxx.

Service Port

The service port is used for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is important to note that the service port does not support VLAN trunking or VLAN tagging and is therefore required to connect to an access port on the switch.

It is also recommended not to connect the service port to the same VLAN as the wired clients network because by doing so, administrators will not be able to access the management interface (analysed later) of the controller.

SFP/Ethernet Distribution System Ports

The distribution system ports are the most important ports on the WLC as they connect the internal logical interfaces (analysed below) and wireless client traffic to the rest of our network. High-end WLCs as the WLC 5500 series above, have multiple SFP-based distribution system ports allowing engineers to connect the WLC with the network backbone using different configurations. The SFP Ports are able to accept fiber optic or Ethernet copper interfaces, with the use of the appropriate SFPs.

Figure 2. Picture of Fiber & Ethernet Copper SFPs

Lower-end WLCs such as the WLC2504 or the older WLC2100 series provide Ethernet interfaces only, because of the limited number of access points supported. For example, the WLC2504 provides up to 4 Gigabit Ethernet ports and can support up to 75 access points, while the WLC2125 provides up to 8 FastEthernet ports and supports up to 25 access points.

 Figure 3. Pictures of WLC2504 & WLC2124

WLC Interfaces (logical Interfaces)

In this section, we will examine the logical interfaces that can be found on all WLCs. Understanding the functionality of each logical interface is crucial for the correct setup and deployment of any Cisco WLC-based wireless network.

The WLC’s logical interfaces are used to help manage the Wireless SSIDs broadcasted by the access points, manage the controller, access point and user data, plus more.

The diagram below provides and visual layout of the logical interfaces and how they connect to the physical ports of a WLC:

Figure 4. Cisco Wireless Controller Interfaces & Ports (click to enlarge)

The above layout shows how each Wireless SSID (WLAN 1, WLAN 2 etc), maps to a Dynamic interface. In turn, each Dynamic interface maps to a specific VLAN. The number of WLANs & Dynamic interfaces depend on the WLC model. The bigger the WLC model, the more SSIDs (Wireless Networks)/Dynamic interfaces it supports.

All Dynamic interfaces and AP-Manager/Manager interfaces connect to the network infrastructure via the Distribution ports which depending on the WLC model are SFP or Ethernet (10/100 or Gigabit) interfaces.

Because all WLCs have multiple physical Distribution ports, it is possible to assign all Dynamic interfaces and AP-Manager/Manager interfaces to one physical Distribution port, as shown in the above diagram. In this case, the Distribution port is configured as an 802.1q Trunk port. Alternatively, Dynamic interfaces can also be assigned to separate physical Distribution ports, so that a specific WLAN/Dynamic interface can tunnel its traffic through a single Distribution port.

The dedicated Service-Port seen in the above diagram can be found only on the WLC 5500 series and 7500/8500 series which connects directly to the network.

Let’s take a closer look at each logical interface and explain its purpose:

Management Interface

The management interface is the default interface used to access and manage the WLC. The management interface is also used by the access points to communicate with the WLC. The management interface IP address is the only ping-able IP address and is used by administrators to manage the WLC.

Administrators can log into the WLC’s configuration GUI by entering the management interface IP address in a web browser and logging into the system.

AP-Manager Interface

A controller can have one of more AP-Manager interfaces which are used for all Layer 3 communications between the controller and lightweight access points after they have joined the controller. The AP-Manager IP address is used as the tunnel source for CAPWAP/LWAPP packets from the controller to the access points, and as the destination IP address for CAPWAP/ LWAPP packets from the access points to the controller.

While the configuration and usage of the AP-Manager interfaces is optional, models such as the WLC2504 and WLC5508, do not have a dedicated AP-Manager interface. For these models, under the Management interface settings, there is an option labeled Enable Dynamic AP Management, that allows the Management interface to work as an AP-Manager interface at the same time:

Figure 5. Cisco WL2504 - Management interface, Dynamic AP Management option (click to enlarge)

According to Cisco's documentation, each AP-Manager interface can handle up to 48 access points, however we belieive with the latest firmware updates that this limit has been increased to 75, because the smaller WLC model (2504) can now handle up to 75 access points with its dual-purpose management/AP-Manager interface. If more access points are installed, then multiple AP-Manager interfaces are required to be configured.

Virtual Interface

The virtual interface is used to manage and support wireless clients by providing DHCP relay functionality, guest web authentication, VPN termination and other services. The virtual interface plays the following two primary roles:

• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
• Serves as the redirect address for the web authentication login page (if configured).

The virtual interface IP address is only used for communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out through the distribution ports and on to the local network.

Finally, the IP address of the virtual interface must be unique on the network. For this reason, a common IP address used for the virtual interface is 1.1.1.1. All controllers within a mobility group must be configured with the same virtual interface IP address to ensure inter-controller roaming works correctly without connectivity loss.

Service-Port Interface

The service-port interface is used for out-of-band management of the controller. If the management workstation is in a remote subnet, it may be necessary to add a IPv4 route on the controller in order to manage the controller from the remote workstation.

It is important to note that the service-port IP address must not reside on the same subnet as the Manager/AP-Manager interface.

Smaller WLC models such as the WLC2124, WLC2504 do not have a service-port interface.

Dynamic Interface

The easiest way to explain dynamic interfaces is to think of them as VLAN interfaces for your wireless networks (SSIDs). One dynamic interface is created per wireless network/SSID. The wireless network or SSID is mapped to a dynamic interface, which is then mapped to a specific VLAN network.

As mentioned earlier, dynamic interfaces can be assigned to separate physical distribution ports, so that traffic from specific WLANs, pass to the wired network via specific distribution ports. In this scenario, each distribution port is a single access-link carrying one VLAN only.

Alternatively, all dynamic interfaces can be mapped to one distribution port, in which case will be a trunk port so that it can carry all WLANs/VLANs. This is a common setup method for smaller networks.

Finally, each dynamic interface must be on a different VLAN or IP subnet from all other interfaces.

Since the WLC2504 controller can handle up to 16 SSIDs, it can have a maximum of 16 dynamic interfaces, and support a maximum of 16 VLANs.

Distribution Port - Link Aggregation

All WLCs support the aggregation of multiple distribution ports into a single port using the 802.3ad port standard. This allows an administrator to create one large link between the WLC and the local switch.

For example, the WLC2504 provides 4 Gigabit Ethernet ports, allowing us to aggregate all 4 ports with the neighbour switch and create a 4 Gigabit Ethernet link with the wired network. EtherChannel will have to be configured on the local switch for the link aggregation to work.

WLCs do not support Link Aggregation Control Protocol (LACP) or Cisco’s proprietary Port Aggregation Protocol (PAgP), and therefore the switch must be set unconditionally to LAG. Only one LAG group is supported per controller.

Conclusion

This article introduced the Cisco Wireless LAN Controller interfaces. We covered the interfaces and ports found on WLCs, and analysed each interface's purpose, including Ethernet distribution ports, service port, redundancy port, interfaces such as the management interface, ap-manager interface, virtual interface and dynamic interfaces.

The Cisco Wireless Controller (WLC) series devices provide a single solution to configure, manage and support corporate wireless networks, regardless of their size and locations. Cisco WLCs have become very popular during the last decade as companies move from standalone Access Point (AP) deployment designs to a centralized controller-based design, reaping the enhanced functionality and redundancy benefits that come with controller-based designs.

Cisco currently offers a number of different WLC models, each targeted for different sized networks. As expected, the larger models (WLC 8500, 7500, 5760 etc) offer more high-speed gigabit network interfaces, high availability and some advanced features required in large & complex networks, for example supporting more VLANs and WiFi networks, thousands of AP & Clients per WLC device and more.

Recently, Cisco has begun offering WLC services in higher-end Catalyst switches by embedding the WLC inside Catalyst switches e.g Catalyst 3850, but also as a virtual image 'Virtual WLC' that runs under VMware ESX/ESXi 4.x/5.x. Finally Cisco ISR G2 routers 2900 & 3900 series can accept Cisco UCS–E server modules, adding WLC functionality and  supporting up to 200 access points and 3000 clients.

Figure 1.  A few of the larger Cisco WLC models and Catalyst 3850

More detailed information on the current available models and their specifications can be obtained from our Cisco Wireless Controller Product and Datasheet section  and freely download WLC datasheets containing each model’s features, deployment modes, supported VLANs, maximum access points & clients, encryption features, wireless standards support (802.11xx) and many more.

Learn about WLC interfaces, their physical and logical ports, how they connect to the network and how Wireless SSIDs are mapped to VLAN interfaces, plus much more, in our Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings article.

Working With The Cisco WLC

While all WLC models support GUI and CLI based configuration, in contrast with Cisco routers and switches which are usually configured via CLI, WLCs are most often configured via their nicely designed web GUI.  The CLI is mandatory only during the initial configuration, where the engineer is required to assign an IP address to the WLC device, along with a few other important parameters.

Working with any WLC model gives the engineer a great advantage as the interface is identical across all WLC models, making it easy to manage and configure, regardless of the WLC model:

Figure 2.  Cisco WLC 8500 (left) and Cisco WLC 2500 (right) web interface

Unlike other Cisco products, the WLC’s GUI interface is extremely well designed with a logical layout.

When logging into the WLC GUI, the administrator is presented with a healthy amount of information, including a front view of the controller from where he can see the status of each physical port and more details which we’ll be looking into right now. 

Below is a screenshot of the WLC2504 homepage web interface:

 Figure 3.  Cisco 2504 WLC – Click to enlarge

The great part is that the homepage provides all necessary information an administrator would want to see during a routine check and that includes:

• Visual state of the controller’s physical ports
• Status of the controller's hardware (up time, IP address, CPU/Memory usage, temperature, firmware version etc)
• Summary of Access Points connected and up/down radio interfaces
• Current connected clients (on all wireless networks)
• Top wireless networks and number of clients connected to each
• Rogue Access Points and Clients detected
• Recent traps generated by the controller

Obtaining more information on any section can be easily done by clicking on the Detail link next to it.  

The following screenshot shows the information presented by the controller when clicking on the Detail link under the Access Point Summary > All Access Points section:

 Figure 4.  Browsing through All APs currently registered – Click to enlarge

The information shown is extremely useful as it contains each access point's name, model, MAC address, Up time (extremely useful when troubleshooting client connection issues), access point admin state (enabled/disabled), firmware version and many more.

Equally useful information is provided when clicking on the Detail link of the Client Summary > Current Clients section:

 Figure 5.  Viewing currently connected clients – Click to enlarge

In this screen, the controller shows each client’s MAC address, the AP to which its connected, WLAN Profile used, WLAN SSID the client is connected to, protocol used (802.11a/b/g/n), status and much more. We would however like to have the option to also show the IP address of the wireless client on this page – for this information you currently need to click on its MAC address, after which a page loads the IP address of the client alongside with other information.

When necessary, the administrator can dive further and obtain more information on almost any aspect of the Wireless network, SSIDs, clients connected, client speeds etc – the list is endless!

Summary

This article introduced the Cisco Wireless LAN Controller (WLC). We explained the basic concepts behind the product, and talked about the different models available and their main features. We took a look at the intuitive GUI interface used to setup and monitor the controller and the whole wireless infrastructure.  More information on Cisco Wireless Controllers and wireless technology can be found in our Cisco Wireless Section. Users can also read about WLC interfaces-ports and their purpose, VLAN/SSID mappings and much more, in our next article: Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings.

We would like to inform our readers that Firewall.cx has just made available as a free download all of Cisco's Wireless Controller Datasheets.

The datasheets provide valuable infomation for all currently available Cisco Wireless Controllers including:

• Scalability,
• Performance speed
• RF Management
• QoS features
• Supported Access Points models
• Maximum Access Points & SSIDs
• Supported Wireless Standard (802.11xx)
• Physical interfaces
• Redundancy options
• Security standards
• RFC compliance and support
• Supported encryption methods
• Authentication - Authorization & Accounting (AAA) support
• Ordering information (product-id)
• Optional accessories
• License upgrade options their product-id

Read our article on Cisco Wireless Controllers - Basic concepts, models and benefits they provide to companies.

Readers can head directly to our Cisco Product Datasheets & Guides where they can find the Cisco Wireless Controllers (WLC) Datasheet section amongst other Cisco products.

Resetting a Cisco Aironet access point can be required if you’ve lost your password or need to wipe out the configuration of a previously configured access point. Cisco provides two main methods to perform a factory reset on the Aironet 1100 and 1200 series access points and these are: 1) Via the Mode Button 2) Via Web Interface. 

The first method (Mode Button) does not require any user credentials or passwords as the reset procedure is performed during the boot up process and does not involve logging into the access point.

The second method (Web Interface) requires username and password with privileged access 15 (administrator privileges) in order to perform the reset procedure.

Both reset procedures described below will reset all configuration settings to factory defaults. This means it will erase all passwords, SSIDs, WEP/WPA keys, IP address and anything else configured on the access point.

When the Cisco Aironet access point factory-reset procedure is complete, the default credentials will need to be used to access it. Both username and passwords are Cisco with a capital “C” (case-sensitive). In addition, the factory default IP address for the access point will be 10.0.0.1.

Factory Reset via MODE Button

This is the most common reset method engineers look for, and we’ve got it covered in four easy-to-follow steps!

Step 1
Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.

Step 2
Press and hold the MODE button while you reconnect power to the access point.

Step 3
Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the button.

Step 4
Reboot the access point by performing a power-cycle (switch off and then on) After the access point reboots, you must reconfigure the access point by using the Web-browser interface or the CLI.

CLI Output During Factory Reset via MODE Button

Below is the CLI output during the Mode button reset method.  It is clear that once the access point sees the MODE button pressed for 20 seconds (the time it takes until the status LED turns amber), it initiates the recovery process:

Factory Reset via Web Interface (Recommended Option for Remote Reset)

Resetting your Cisco access point via its web interface is an easy process.  Following are the steps required:

Step 1
Open a web browser and enter the IP address of your Cisco access point

Step 2
Enter the necessary credentials (username & password)

Step 3
Once successfully logged in, you’ll be presented with Summary Status page:

Step 4
From the main menu, select System Software and then System Configuration sub-menu.  The access point will present a number of different management options.

Here we can select the Reset to Defaults to initiate the factory reset or alternatively the Reset to Defaults (Except IP) if we wish to reset to factory defaults but keep the current IP address.  The second option is especially handy in case you are required to perform this procedure remotely.

 This completes the Factory Reset procedure for all Cisco Aironet 1100 & 1200 series access points.

Cisco Aironet Access Points, just like most Cisco devices, provide a web interface from which we are able to configure the device. It is often we are presented with a number of options and settings, which we really are not sure why they exist, what they do, and how they can affect the performance of our wireless access point.  This is all about to change!

This article aims to help cover this gap by explaining the various configuration options and settings found in Cisco's Aironet series Web-Based configuration page.  While the web-based interface allows the configuration of many functions within the Aironet device, we will be focusing on the 'Network Interfaces: Radio0-802.11a/b/g' Settings, which is perhaps the most important section for the device's proper wireless operation.

Understanding and configuring correctly your Cisco Aironet Access Points can really make a difference in your clients wireless performance and connectivity range.  You'd be suprised on the performance difference of your wireless network, when tweaking your Cisco Aironet Access Points to adapt to the working environment.

This article explains all the network options found under the Cisco Aironet web-interface setup, in a step-by-step manner.  To help make it easier to track, we have broken the page into three sections, each containing a screenshot of the covered options.

Please note that some features and settings will not appear on your Cisco Aironet Access Point as they are supported only on specific models:

Cisco Aironet Network Interfaces: Radio0-802.11a/b/g Settings

Enable Radio

If enabled, the access point sends packets through its 802.11a/b/g radio interface and monitors when other devices use the 802.11a/b/g radio interface to send packets. To change the administrative state of the radio from up to down, choose Disable. To change the administrative state of the radio from down to up, choose Enable.

Current Status (Software/Hardware)

• Software - Indicates whether the interface has been enabled or disabled by the user.

• Hardware - Indicates whether the line protocol for the interface is up or down.

Role in Radio Network

Select the role of the access point on your network. Choose one of the three access point (root) settings if the access point is connected to the wired LAN.

Access Point Root (Fallback to Radio Island): This default setting enables wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Repeater): When the wired connection is lost, the radio becomes a repeater. The repeater parent should be configured to allow data to be wirelessly transferred to another access point.

Repeater Non-Root: Choose this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent. The repeater parent may be configured as an access point or another repeater.

Fallback Mode Upon Loss of Ethernet Connection: Access points operate as root access points by default. When set to defaults, Cisco Aironet 1400 Series Wireless Bridges start up in install mode and adopt the root role if they do not associate to another bridge. If a 1400 series bridge associates to another bridge at start-up, it automatically adopts the non-root role. Cisco Aironet 1300 Series Wireless Bridges operate as root bridges by default.

Repeater: Specifies that the access point is configured for repeater operation. Repeater operation indicates the access point is not connected to a wired LAN and must associate to a root access point that is connected to the wired LAN.

Root: On access points, specifies that the access point is configured for root mode operation and connected to a wired LAN. This parameter also specifies that the access point should attempt to continue access point operation when the primary Ethernet interface is not functional.

Root Bridge: On 1300 series bridges, specifies that the bridge functions as a root access point. If the Ethernet interface is not functional, the unit attempts to continue access point operation. However, you can specify a fallback mode for the radio. This option is supported only on 1300 series bridges.

Non-root Bridge: On 1400 series bridges, specifies that the bridge operates as a non-root bridge and must associate to a root bridge. This option is supported only on 1400 series bridges.

Fallback Shutdown (Optional): Specifies that the access point should shutdown when the primary Ethernet interface is not functional. This option is supported only on access points and on 1300 series bridges in access point mode.

Fallback Repeater (Optional): Specifies that the access point should operate in repeater mode when the primary Ethernet interface is not functional. This option is supported only on access points and on 1300 series bridges in access point mode.

Install: On 1400 series bridges, configures the bridge for installation mode. In installation mode, the bridge flashes its LEDs to indicate received signal strength (RSSI) to assist in antenna alignment. This option is supported only on 1400 series bridges.

Workgroup-Bridge: On 1300 series bridges, specifies that the bridge operates in workgroup bridge mode. As a workgroup bridge, the device associates to an access point or bridge as a client and provides a wireless LAN connection for devices connected to its Ethernet port. This option is supported only on 1300 series bridges.

Universal Workgroup Bridge Mode: When configuring the universal workgroup bridge roll, you must include the client's MAC address. The workgroup bridge will associate with this MAC address only if it is present in the bridge table and is not a static entry. If validation fails, the workgroup bridge associates with its BVI's MAC address. In universal workgroup bridge mode, the workgroup bridge uses the Ethernet client's MAC address to associate with Cisco or non-Cisco root devices. The universal workgroup bridge is transparent and is not managed.

Scanner: This option is supported only when used with a WLSE device on your network. It specifies that the access point operates as a radio scanner only and does not accept associations from client devices. As a scanner, the access point collects radio data and sends it to the WDS access point on your network. This option is supported only on access points.

Data Rates

Use the data rates setting to choose the data transmission rates. The rates are expressed in megabits per second. The device always attempts to transmit at the highest rate selected. If there are obstacles or interference, the device steps down to the highest rate that enables data transmission.

Click the Best Range button to optimize access point range or the Best Throughput button to optimize throughput.

Note: When you configure the 802.11g access point radio for best throughput, the access point sets all 802.11g data rates to basic (required). This setting blocks association from 802.11b client devices.

For each of the rates, choose Require, Enable, or Disable.

• Require - Enables transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.

• Enable - Enables transmission at this rate for unicast packets only.

• Disable - Does not allow transmission at this rate.

Note: The client must support the basic rate you select or it cannot associate with the access point.

Transmit Power: This setting determines the power level of the radio transmission. The default power setting is the highest transmit power allowed in your regulatory domain.

Note: Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or to conserve power, select a lower power setting.

For an 802.11g radio, Transmit Power is divided into CCK Transmit Power and OFDM Transmit power. CCK is the modulation used in 802.11g for the lower frequency rates, and OFDM is the modulation used in 802.11g for higher data rates (above 20 Mbps).

Note: The 100 mW (20dBM) value is not available for rates greater than 12 Mbps.

Power Translation Table (mW/dBm)

The power settings may be in mW or in dBm depending on the particular radio that is being configured. This table translates between mW and dBm.

Limit Client Power (mw): Determine the maximum power level allowed on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Note: The 100 mW value is not available for rates greater than 12 Mbps.

Default Radio Channel: The available selection of radio channels is determined by your regulatory domain. The default setting is the least-congested frequency. With this setting, the device scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed. You can also select specific channel settings from the Default Radio Channel drop-down menu.

Short Slot Time (for 802.11g radios only): Determine if you want to enable support for the Extended-Rate-PHY short slot time. Enabling this setting reduces the slot time from the standard 20 microseconds to 9 microseconds to increase throughput.

Least Congested Channel Search: This selection list is available only when Default Radio Channel is set to Least Congested Frequency. You can search for least congested channels but exclude some channel(s) which are known to be problematic or already in use by other applications. By default, all channels are selected and searched. To select more than one channel, hold down the Ctrl or Shift keys to highlight multiple channels.

World Mode Multi-Domain Operation (for 802.11b and 802.11g only): World mode operation is disabled by default. If you uncheck Disable, the device adds channel carrier set information to its beacon. Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically. If you select the dot11d option, you must enter an ISO country code. If you select the legacy option, you enable Cisco legacy world mode.

With world mode enabled, the access point advertises the local settings, such as allowed frequencies and transmitter power levels. Clients with this capability then passively detect and adopt the advertised world settings, and then actively scan for the best access point.

Country Code (required only for dot11d option): A country code can be selected only if the dot11d option was chosen in the World Mode option above. Use the drop-down menu to select the appropriate country. After the country code, you must enter indoor or outdoor to indicate the placement of the access point.

Radio Preamble (802.11b and 802.11g only): The radio preamble is a section of data at the head of a packet that contains information the access point and the client devices need when sending and receiving packets. Keep the setting on short unless you want to test with long preambles. If you have the radio preamble set to short and a client associates that does not support short preamble associates, the access point will send only long preamble packets to this client.

• Short - A short preamble improves throughput performance. Cisco Aironet's Wireless LAN Adapter supports short preambles. The access point and client negotiate the use of the short preamble. Early models of Cisco Aironet's Wireless LAN Adapter require long preambles.

• Long - A long preamble ensures compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters.

Receive Antenna and  Transmit Antenna:

• Diversity - This default setting tells the device to use the antenna that receives the best signal. If your device has two fixed (non-removable) antennas, you should use this setting for both receive and transmit.

• Left (secondary)- If your device has removable antennas and you install a high-gain antenna on the left connector, you should use this setting for both receive and transmit. When you look at the back panel, the left antenna is on the left.

• Right (primary)- If your device has removable antennas and you install a high-gain antenna on the right connector, you should use this setting for both receive and transmit. When you look at the back panel, the right antenna is on the right.

Note: The device receives and transmits using only one antenna at a time, so you cannot increase range by installing high-gain antennas on both connectors and pointing one north and one south. When the device uses the north-pointing antenna, client devices to the south should be ignored by the access point.

External Antenna Configuration: This feature is currently not operational, but it may be supported in future releases.

Antenna Gain(dB): The gain of an antenna is a measure of the antenna's ability to direct or focus radio energy over a region of space. High-gain antennas have a more focused radiation pattern in a specific direction. This setting is disabled on the bridge.

Aironet Extensions: Select Enable to use Cisco Aironet 802.11 extensions. This setting must be set to Enable so that you can use load balancing, MIC, and TKIP.

Ethernet Encapsulation Transform: Choose 802.1h or RFC1042to set Ethernet encapsulation type. Data packets that are not 802.2 packets must be formatted to 802.2 with 802.1h or RFC1042. Cisco Aironet equipment defaults to RFC1042 because it provides optimum interoperability.

• 802.1h - This setting provides optimum performance for Cisco Aironet wireless products.

• RFC1042 - Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1h but is used by other manufacturers of wireless equipment.

Reliable Multicast to WGB: Normally, an access point treats a workgroup bridge as an infrastructure device and not as a client. The access point uses the reliable multicast protocol to ensure delivery of all multicast packets. The extra traffic caused by reliable delivery limits the number of workgroup bridges that can be associated. Select Disableto allow the workgroup bridge to be treated as a non-infrastructure device and thus allow the maximum number of workgroup bridges to be associated.

Public Secure Packet Forwarding: Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.

No exchange of unicast, broadcast, or multicast traffic occurs between protected ports. Choose Enable so that the protected port can be used for secure mode configuration.

PSPF must be set per VLAN.

Note: To prevent communication between clients associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected.

Short Slot Time: You can increase throughput on the 802.11g radio by enabling short slot time. Reducing the slot time from the standard 20 microseconds to the 9-microsecond short slot time decreases the overall backoff time, which increases throughput. Backoff time, which is a multiple of the slot time, is the random length of time that a station waits before sending a packet on the LAN.

When you enable short slot time, the access point/bridge uses the short slot time only when all clients associated to the 802.11g radio support short slot time. Short slot time is disabled by default.

Beacon Privacy Guest-Mode: This command must be configured if you wish the beacon frames to use the privacy settings of the guest-mode SSID. If there is no guest-mode SSID configured, the command has no effect. If there is a guest-mode SSID and the command is configured, the privacy bit present in the beacon frames are set to ON/OFF according to how the security (encryption) settings of the guest-mode SSID are configured.

The command has no effect in MBSSID mode.

Beacon Period: The beacon period is the amount of time between access point/bridge beacons in kilomicroseconds. One Kusec equals 1,024 microseconds. The default beacon period is 100

Data Beacon Rate (DTIM): This setting, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). A traffic indication map is present in every beacon. The DTIM notifies power-save client devices that a packet is waiting for them. If power save clients are active, the access point buffers any multicast traffics and delivers them immediately after the DTIM beacon. Power save nodes always wake for the DTIM beacons. The longer the time, the more buffering the access point does, and the longer the multicasts are delayed.

If the beacon period is set at 100 (its default setting), and the data beacon rate is set at 2 (its default setting), then the device sends a beacon containing a DTIM every 200 Kusec. One Kusec equals 1,024 microseconds.

Max. Data Retries: The maximum number of attempts the device makes to send a packet before giving up, dropping the packet, and disassociating the client.

RTS Max. Retries: The maximum number of times the device issues an RTS before stopping the attempt to send the packet through the radio. Enter a value from 1 to 128.

Fragmentation Threshold: This setting determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold: This setting determines the packet size at which the device issues a request to send (RTS) before sending the packet. A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout: If this timeout is enabled, the access point in repeater mode looks only for the parent access point specified in the following Repeater Parent AP MAC definition for this given amount of time. If the timeout expires, the list is ignored, and the unit associates to an access point that matches its requirements, regardless of its MAC address. If the timeout is disabled, the repeater associates only to parents in the list and continues the search.

Repeater Parent AP MAC 1-4: Normally, a repeater access point (without a wired LAN connection) associates much like a normal client, choosing the best access point it can find. Enter MAC addresses in this list if you want to control the parent access point to which a repeater may associate. If MAC addresses are entered in this list, a repeater associates only to a parent whose MAC address matches an entry in the list. If the first MAC address is not available, the access point continues through the list and waits the amount of time specified in Repeater Parent AP Timeout field before trying the next.

Calculate Key Now!        Clear Form

Notes: WEP encryption uses 24 bit "Initilization Vector" in addition to the "secret key". Therefore, 40 bit WEP can be refered to as 64 bit WEP, and 104 bit can be refered to as 128 bit, depending on whether the "initialization vector" is counted or not.

This article explains how the Cisco 1240 series access point can be setup to provide support for multiple SSID, each SSID assigned to a separate VLAN.  This type of configuration is ideal for supporting different wireless networks, each one with its own characteristics.

Frequently used setup of Cisco access points involve at least one wireless network (SSID) for  accessing the local network (VLAN1) and another SSID for Internet access (Guest VLAN).

It is important to note that this guide is also valid for the following Cisco Access Points: Cisco Aironet 1240 Series, Cisco Aironet 1040 series, Cisco Aironet 1130 AG Series, Cisco Aironet 1140 Series, Cisco Aironet 1200 Series, Cisco Aironet 1250 Series and Cisco Aironet 1260 Series.  Configuration of multiple SSIDs with Trunk links is almost identical, with minor differences in the interfaces (where we have more than one radio) and channels, depending if there is support for 802.11a/b/g/n.

Cisco Access Point Multiple SSID Configuration 

Configuring multiple SSIDs on a Cisco access point is a straight-forward process, however it does contain a few details we will analyse as we progress.

We need to now create the two SSIDs by defining their name, which will be broadcasted so users can find them, encryption method plus keys and VLAN assignment.

The above configuration is quite different from setups with one SSID. Reason being the multiple SSID and VLAN configuration required to ensure each SSID is assigned to the correct vlan. The 'Company' wireless network is assigned to VLAN 1 and the 'Hotspot' wireless network to VLAN 2.

Notice that when using multiple SSIDs on a Cisco aironet access point, it is imperative to use the mbssid guest-mode command otherwise the SSID name of the wireless network will not be broadcasted correctly.

The 'dot11 <vlan-name>'  command ensures the correct mapping of vlans and their respective VLAN names. In our example, the VLAN names follow the actual VLANs. So, VLAN 1 has been named 'vlan1'. This helps keep track of them.

Next, we must ensure the integrated routing and bridging (IRB) feature is enabled to allow the routing of our protocols (IP) between routed interfaces and bridge groups. This command is most likely already present in the configuration, but let's play safe and enter it:

Configuring The Dot11Radio0 Interface

Configuring the Dot11Radio0 interface is our next step. Dot11Radio0 is the actual radio interface of the integrated Cisco access point.  We will need to assign the SSIDs configured previously to this interface, along with the encryption methods and a few more parameters.

Most commands are self-explanatory. We will however explain the basic and important ones:

The Encryption VLAN commands set the encryption mode for each VLAN and, therefore, each SSID.  

The SSID command assigns the SSIDs to this interface.

The mbssid command ensures both SSIDs are broadcast and are viewable to our wireless clients.

The station-role root is a default command and makes the access point act as a root station, in other words as an autonomous access point.

Note the speed basic command. This as well is a default command that sets the supported speeds. The first portion, 1.0 to 54.0 refers to the 802.11 b/g protocol. If you have a dual radio on your access point you can configure the Dot11Radio1 (Second radio) interface accordingly.

Configuring The Dot11Radio0 Sub-interfaces

At this point we are required to configure sub-interfaces on Dot11Radio0, assigning each sub-interface to a VLAN.

When creating the subinterfaces, we always use easy-to-identify methods of mapping. Thus, interface Dot11Radio0.1 means this interface will be mapped to VLAN 1, while interface Dot11Radio0.2 will map to VLAN 2.

The encapsulation dot1Q 1 native command surves two purposes. It maps VLAN 1 to sub-interface Dot11Radio0.1 and tells the ap that this VLAN (1) is the native vlan.  This means that untagged VLAN traffic belongs to VLAN 1.  More information on VLAN is available in our VLAN Section - be sure to visit it.

Similarly, under interface Dot11Radio0.2,  the encapsulation dotQ 2 command maps VLAN 2 traffic to this sub-interface.

The bridge-group command assigns each sub-interface to a bridge group. Each sub-interface is assigned to its own bridge-group. The bridge group essentially connects the wireless sub-interfaces with the Fast Ethernet interface this access point has. This is analysed below.

Configuring Cisco 1242AG / 1240 Access Point Fast Ethernet0, Sub-Interfaces & BVI interface

As with all Cisco Aironet access points, you'll find a Fast Ethernet0 interface that is used to connect the access point to our LAN switch. On Cisco Aironet models that support 802.11n technology e.g Cisco Aironet 1140, this interface is replaced with a Gigabit Ethernet interace, desinged to handle the increased capacity and throughput of the access point.

Following is the configuration required to create the necessary GigabitEthernet sub-interfaces and map the Dot11Radio0.X interfaces previously created, with them:

The FastEthernet interface and sub-interface configuration follows the same logic as the Dot11Radio0 interface. Notice that each FastEthernet sub-interface is mapped to the same VLAN and bridge-group as the Dot11Radio0 sub-interfaces.  

Next, we create the one and only BVI1 interface and assign it an IP Address. This is basically the IP Address of our access point and is reachable from our LAN network, so it's best to assign it an IP Address from your LAN network (VLAN 1).

It is important to note that only one bridge-interface (BVI Interface) is configured with an IP Address. The rest of the bridge groups are not required to have a BVI interface as all traffic is trunked through the BVI1 Interface. This is per Cisco design.

Finally, we must enable ip routing for bridge 1:

Configuring DHCP Service For Both VLAN Interfaces

First step is to define the DHCP service and ip address pools for our two Vlans, and therefore SSID's.

If you prefer to configure the DHCP service on your Cisco router, detailed instructionscan be found at our Cisco Router DHCP Server Configuration article.

To help make it easy, we are providing the necessary commands for our example:

This configuration assumes that your router has two VLAN interfaces configured with the appropriate Internet access and Firewall configuration.

On another note, NAT Overload is required in most cases to ensure both VLAN networks have Internet access..  This is covered extensively in our Cisco Router NAT Overload article.

Summary

This article provided an in-depth coverage on how to configure a Cisco Aironet 1242AG / 1240 series access point to support multiple SSID wireless networks and connect via 802.1q Trunk link to a local switch.  The information provided not only covers the basic commands, but also analyses the background theory and logic, to ensure the reader fully understands why this configuration method is used.

Cisco Unified CallManager (CUCM) and its Voice Gateway relies on the telecommunication provider (telco) to send the correct call details for every incoming call, to allow the system to correctly process it and route it.

One problem many engineers stumble upon is the routing of incoming calls which have their caller-id blocked.  In these cases, quite a few telcos send Anonymous instead of N/A as the Calling Party Number (the number that is calling us), instead of the typical N/A string:

By default, all CUCM versions from version 6 and above will automatically reject calls when Calling Party Number set to Anonymous, making it impossible for callers with hidden ID to successfully call the company.

Solutions To Stop CUCM From Rejecting Anonymous Caller-IDs

One solution is to request the Telco to replace the Anonymous Calling Party Number with a specific numeric string. Possibilities of this happening, are quite slim.

Another solution is to convert your MGCP Voice Gateway to H.323. This will allow the usage of translation patterns for all incoming calls, and manually changing Anonymous to whatever is required to ensure the call is not rejected.

The final solution is to dive into each Directory Number (DN) and un-tick the Reject Anonymous Calls option, under the Directory Number Settings section. The Reject Anonymous Calls feature is enabled by default and will cause CUCM to reject all anonymous incoming calls:

When done, simply click Save and your done! Simple - Fast and Effective!

In this article we discuss about the security and encryption of Cisco Unified Communications Manager Express (CUCME) which is an integral part of Cisco UC; and more so of Cisco Express Call processing regime.

Voice over IP (VoIP) is not just need of hour for most enterprises; it’s something their business depends on to a degree that without IP communications in place, their business processes and revenue streams will fall apart. In such case, it goes without saying; security of voice networks is one of the chief concerns when it comes to security of intellectual capital and customer data. More often than not, one of the first thoughts is how to secure the VoIP network itself which is leveraged by IP Telephony / Unified Communication (UC) applications.

So what is that may be the most commonly sought after yet elusive security control which plays an indispensable role in securing a VoIP network? Your guess is as good as mine, it is encryption! Now, you are well within your rights to ask why elusive? The simple answer is – where encryption can help you succeed and protect the privacy of communications, it can also be detrimental for various functions / organizations e.g. monitoring secure calls is not a trivial task and encrypting all endpoints has an impact on platform sizing and performance.

The use of authentication and encryption helps protect confidentiality and makes it harder for malicious insiders or outsiders from tampering with the signaling and media streams, the CUCME router, and IP phones. When the CUCME security features are enabled i.e. the media streams (SRTP) and call signaling (TLS), the communication between Cisco Unified IP phones and CUCME as well as Phones is encrypted as shown in figure 1:

Figure 1 - CUCME to Cisco IP Phone SRTP and TLS

Let’s go over some of the assumptions, requirements and caveats before we dwell further into CUCME security configuration.

Assumptions For CUCME Encryption

• It is assumed that CUCME is configured and operational (without security in place); this article only serves to elucidate the process of implementing authentication and encryption on the CUCME
• It must also be understood that authentication is an integral part of overall security construct when the discussion is around encryption since; authentication provides integrity whereas encryption provides privacy. 

Requirements For CUCME Encryption

• Enabling CUCME encryption requires Cisco IOS feature set Advanced Enterprise Services (adventerprisek9) or Advanced IP Services (advipservicesk9)

• CUCME version 4.2 or later is require to provide media encryption

• Supported platforms include 2800, 2900, 3200, 3800, and 3900 series routers

• Network Time Protocol (NTP) must be enabled to ensure the certificate dates are correct and to check validity of certificates

• IOS CA to sign various certificates (on same router as that of CUCME or different router

Caveats For CUCME Encryption

• Secure three-way software conference is not supported therefore, while in conference, the call falls back to plain RTP. However, if a party drops from a three-party conference, the call between the remaining two parties returns to a secure state (if the two endpoints are configured for encryption)

• Media and signaling encryption requires the Cisco CTL client service

• Calls to Cisco Unity Express (CUE) do not support SRTP or TLS for media and signaling respectively

• Music on Hold (MOH) does not support encryption

• Modem relay and T.3 fax relay calls not support encryption

• Secure CUCME does not support Session Initiation Protocol (SIP) trunks and only H.323 trunks are supported (with IPSec for signaling protection)

With above in mind, let’s take a deep dive into the enablement of security (Encryption, Authentication) for Cisco Unified IP Phones on CUCME.

Enabling SRTP & TLS On CUCME For Endpoints

Alike any PKI hierarchy, enabling encryption (and authentication) on CUCME requires the use of a Certificate Authority (CA) server/process. CA can be configured on the same router on which CUCME application is running or it can be a different IOS router (dedicated to CA function in an organization). The major function of CA for CUCME security is to provide certificates, duration for which certificates are valid, and trust-relationship between different entities by virtue of certificates.

 Configuring IOS Certificate Authority (CA)

The following commands are required to configure the IOS CA. For the following example, we are enabling the CA on the same router as that of CUCME.

First we must ensure that the HTTP server on the router is enabled since, by default port 80 (TCP) will be used for granting certificates and for accepting certificate signing requests by IOS CA.

Now, we need to configure the CA process and enable CA process:

Finally define the CA trustpoint and define (globally) enrollment URL:

At this time, we are done with CA server definition. Next step is to start defining the various certificates which will be used for CUCME security processes (CME, TFTP, CAPF and so on).

Generate Certificates For Enabling Security

A number of certificates must be generated by creating a trustpoint and enrolling it with the CA for enabling various security processes on CUCME. Although CUCME supports leveraging a single trustpoint for all certificate functions, it is a leading practice recommendation to have different trust points for different certificate functions so, it is easier to manage different certificate expiry, revocation, regeneration and so on.

The different certificates required for SRTP and TLS are:

• CUCME
• TFTP
• CAPF
• SAST tokens

Creating a Certificate For CUCME, TFTP, CAPF, SAST1 & SAST2 Processes

Following commands outline the process to generate the certificate for the secure CME function:

The next step to creating the certificate is to authenticate and enroll the trust point with the Certificate Authority.

Note: Each of the command i.e. trustpoint authenticate and enroll provide interactive prompts. Extraneous output has been omitted

Authenticating CUCME trustpoint & Enrolling CUCM Trustpoint:

 Next, we define the other trsutpoints, authenticate and enroll them with Certificate Authority.

TFTP Trustpoint definition:

CUCME(config)# crypto pki trustpoint TFTP
CUCME(ca-trustpoint)# enrollment url http://10.10.10.1:80
CUCME(ca-trustpoint)# revocation-check none
CUCME(ca-trustpoint)# rsakeypair TFTP

 Authenticating and enrolling TFTP trustpoint:

CUCME(config)# crypto pki authenticate TFTP
<output omitted>
!
CUCME(config)# crypto pki enroll TFTP
<output omitted>

 CAPF Trustpoint definition:

CUCME(config)# crypto pki trustpoint CAPF
CUCME(ca-trustpoint)# enrollment url http://10.10.10.1:80
CUCME(ca-trustpoint)# revocation-check none
CUCME(ca-trustpoint)# rsakeypair CAPF

 Authenticating and enrolling CAPF trustpoint:

 SAST1 Trustpoint definition:

 Authenticating and enrolling SAST1 trustpoint:

CUCME(config)# crypto pki authenticate SAST1
<output omitted>
!
CUCME(config)# crypto pki enroll SAST1
<output omitted>

SAST2 Trustpoint definition:

CUCME(config)# crypto pki trustpoint SAST2
CUCME(ca-trustpoint)# enrollment url http://10.10.10.1:80
CUCME(ca-trustpoint)# revocation-check none
CUCME(ca-trustpoint)# rsakeypair SAST2

Authenticating and enrolling SAST2 trustpoint:

CUCME(config)# crypto pki authenticate SAST2
<output omitted>
!
CUCME(config)# crypto pki enroll SAST2
<output omitted>

Enabling CAPF server on CUCME
Alike CUCM, Certificate Authentication Proxy Function (CAPF) server is accountable for issuing CTL signed Locally Significant Certificates (LSC). Following commands enable CAPF server on CUCME.

CUCME(config)# capf-server
CUCME(config-capf-server)# trustpoint-label CUCME
CUCME(config-capf-server)# cert-enroll-trustpoint CA password 0 cisco123
CUCME(config-capf-server)# phone-key-size 1024
CUCME(config-capf-server)# port 3084
CUCME(config-capf-server)# auth-mode null-string
CUCME(config-capf-server)# source-addr 10.10.10.1

Invoking IOS CTL Client 
The final step, before an e-phone can be configured for encryption and authentication is to enable Certificate Trust List (CTL) client on CUCME. CTL client helps sign the list of servers which can be trusted by a Cisco IP Phone with the certificates generated earlier – CUCME, TFTP, CAPF and so on.

The IP Phone will download the CTL file via TFTP and store the file on the phone. This is analogous to CUCM CTL and CTL client must be configured explicitly on IOS leverage the various certificates.

Configuring Telephony-Service To Leverage Security

CUCME support configuring endpoints for SRTP (media) and TLS (signaling). Once, the aforementioned steps are concluded, CUCME needs to be configured to use the defined certificates for different functions. The following commands in telephony-service mode helps enable authenticated TFTP file transfer and TLS for signaling.

Configuring Endpoints (E-Phones) For Security

The final step is to configure the e-phones for security mode. Now, there are two ways to configure the e-phones for security mode. Those two ways are as follows:

• Configure e-phone (device) security at global mode for all supported phone models
• Configure e-phone (device) security mode on a device by device basis

Configuring Device Security at Global Level
To enable security at global level in CUCME for all Cisco IP Phones which support encryption and authentication, issue the following commands in global configuration mode:

Configuring Device Security per Device Basis
In certain cases, it may be required to apply encryption to some, authentication to other devices, and no security to the rest of the phones. In such case, for each e-phone commands can be entered at e-phone level, on phone by phone basis.

Following series of commands can issued to enable security on phone by phone basis:

CUCME(config)# ephone 110
CUCME(config-ephone)# mac-address 1234.1234.1234
CUCME(config-ephone)# device-security-mode [none | authenticated | encrypted]
CUCME(config-ephone)# cert-oper upgrade auth-mode null-string
CUCME(config-ephone)# reset

About the Author

Akhil Behl is a Solutions Architect with Cisco Advanced Services, focusing on Cisco Collaboration and Security Architectures. He leads collaboration and security projects worldwide for Cisco Advanced Services and the Collaborative Professional Services (CPS) portfolio. Prior to his current role, he spent ten years working in various roles at Linksys as a Technical Support Lead, as an Escalation Engineer at Cisco Technical Assistance Center (TAC), and as a Network Consulting Engineer in Cisco Advanced Services. Akhil has a bachelor of technology degree in electronics and telecommunications from IP University, India, and a master’s degree in business administration from Symbiosis Institute, India.

Summary

Cisco Unified Communications Manager Express (CUCME) is an indispensible component of Cisco’s UC Express portfolio and has CUCM like capabilities. Moreover, CUCME can provide enterprise wide security by empowering you to enable media and signaling encryption between CUCME and Phones. This article outlines the capabilities of CUCME to support encryption and authentication for phone calls and signaling. The process to enable and pull together CUCME security may seem daunting at first however; it is a onetime configuration and can go a long way in safeguarding an organization’s voice channels.

Available as a free download in our Cisco Small Business Series Product Datasheet section is the Cisco SPA525G / SPA525G2 User Guide. This 68 page user guide contains all the necessary information on how to setup, configure and customise your Cisco SPA525 IP phone.

Topics covered include:

• Getting started
• Understanding your phone lines and buttons
• Using the keypad, buttons and menus
• Using the Cisco Attendant Console
• Connecting your IP phone to the network
• Updating firmware
• Phone functions (calling, volume, call-on-hold, live call, call pick-up, phone directories, call history lists, transfering calls and much more)
• Advanced phone functions (pairing SPA525 with bluetooth device, mobile phone battery and signal info on your SPA525, playing mp3 files, play lists and more)
• Configuring IP phone screen (contrast, brightness, wallpaper, screensaver)
• Viewing network information
• ...and much more!

Download your free copy by visiting the Firewall.cx Cisco Small Business Series Product Datasheet section.

Firewall.cx readers can now access and freely download the Cisco Small Business Administration Guide for Cisco SPA500 series IP phones. 

The Administration Guide for Cisco SPA500 series IP phone covers basic and advanced configuration of the following IP phones:
SPA301, SPA303, SPA501G, SPA502G, SPA504G, SPA508G, SPA509G, SPA512G, SPA514G, SPA525G, SPA525G2 and WIP310 model.

Features covered in this extensive 332-page guide include:

• Getting the IP phones to work with the Cisco SPA900 IP PBX
• Network Configuration
• Determining and Upgrading your IP phone firmware
• Web-Based Configuration Utility - Allowing web-access to the IP phone
• Configuring Line Key (shares-lines, call appearance, access services, busy lamp, call-pickup, speed dials and much more)
• Customizing the IP phone (background image, screen save, LCD brightness, backlight settings)
• Enabling Call Features ( Caller ID Bocking Services, call-back service, call transfer, conferencing, do-not-disturb)
• Customizing phone softkeys
• Configuring ring tones
• Configuring audio settings
• Configuring Bluetooth (Cisco SPA525G / SPA525G2 only)
• Enabling SMS
• Configuring LDAP for Cisco SPA300 and SPA500 series IP phones
• Configuring SIP (Basic parameters, RTP parameters, SIP settings)
• Managing NAT Transversal with Cisco IP phones
• Configuring Security, Quality and Network Features
• Configuring VLAN settings
• Configuring Dial Plans (Digit Sequences, examples, off-hook timers and more)
• and much more!

To download the Cisco Small Business Administration Guide for Cisco SPA500 series IP phones, simply visit our new Cisco Small Business Series Product Datasheet download section.

Firewall.cx readers can now download free Cisco firmware files for all Cisco IP Phones & Cisco ATA devices. Our new Cisco IP Phone & ATA Firmware Download section contains the latest SCCP (Skinny Protocol) and SIP files for immediate download.

As with all Firewall.cx downloads, no registration is required.

Firmware available currently covers the following Cisco IP phone & ATA models:

• 7906 & 7911
• 7910
• 7912
• 7914
• 7915
• 7916
• 7920
• 7921
• 7925
• 7926
• 7931
• 7935
• 7936
• 7937
• 7940 & 7960
• 7941 & 7961
• 7942 & 7962
• 7945 & 7965
• 7970 & 7971
• 7975
• 7985
• 8941 & 8945
• 8961
• 9951
• 9971
• ATA-186
• ATA-187
• ATA-188

This article explains how to reset your Cisco 7940, 7941, 7942, 7960, 7961, 7962 & 7920 IP phone to factory defaults, and how to upgrade its firmware to the latest available version.

When initiating a factory reset procedure certain information from the IP phone is erased while other information is reset to its factory default value as shown in the list below:

 Information Erased:

• CTL File (Certificate Trust List)
• LSC File (Locally Significant Certificate)
• IP Phone Call History (Calls Received, Placed, Missed etc)
• Phone application

Information Reset to Default:

• User configuration settings (ring tone, screen brightness, sound levels etc)
• Network configuration settings

It is highly advisable to follow the firmware upgrade procedure in a non-working environment to ensure other phones are not affected (in case of an accidental IP phone reboot) and to avoid the freshly factory reset ip phones obtaining the working environment’s settings.

Things To Consider Before Factory Resetting Your Cisco IP Phone

When performing the factory reset procedure we are about to describe, it is important to keep in mind that the IP phone will lose all configuration files and phone applications. This means that it is necessary to have CallManager or CallManager Express setup so that the IP phone will be able to receive the new information (phone application and configuration) after the reset procedure is complete, otherwise it is most likely  that the IP phone will not be usable until this information is loaded on to it.

This preparation also happens to be the procedure for upgrading a Cisco IP phone firmware.

Performing the Factory Reset On Cisco 7940, 7960 IP Phones

Follow the steps below to successfully factory reset your Cisco 7940, 7960 IP phone:

1. Unplug the power cable from the ip phone and then plug it back in.
2. Immediately press and hold # and when the Headset, Mute and Speaker buttons begin to flash in sequence, release the # button.
3. At this point, you’ll notice the Headset, Mute and Speaker buttons flash in sequence, indicating that the ip phone is waiting for you to enter the reset sequence.
4. Press 123456789*0#  to begin the reset. If you accidently press a key within the sequence twice e.g 1123456789*0#, the ip phone will still accept the code and begin the reset. If an invalid key is pressed, the phone will continue its normal startup procedure.
5. Once the correct key sequence is entered, the ip phone will display the following prompt:  Keep network cfg? 1 = yes 2 = no 
6. To maintain the current network configuration settings for the phone when the phone resets, press 1. To reset the network configuration settings when the phone resets, press 2. If you press another key or do not respond to this prompt within 60 seconds, the phone continues with its normal startup process and does not reset. Otherwise, the phone goes through the factory reset process.

Performing The Factory Reset On Cisco 7941, 7961 IP Phones

Follow the steps below to successfully factory reset your Cisco 7941, 7961 IP phone:

1. Unplug the power cable from the ip phone and then plug it back in.
2. Immediately press and hold # and when the Headset, Mute and Speaker buttons begin to flash in sequence, release the # button.
3. At this point, you’ll notice the Headset, Mute and Speaker buttons flash in sequence, indicating that the ip phone is waiting for you to enter the reset sequence.
4. Press 123456789*0#  to begin the reset. If you accidently press a key within the sequence twice e.g 1123456789*0#, the ip phone will still accept the code and begin the reset. If an invalid key is pressed, the phone will continue its normal startup procedure.
5. Once the correct key sequence is entered the ip phone will display the following prompt and begins its reset process:  Upgrading

Performing The Factory Reset On Cisco 7942, 7962 IP Phones

Follow the steps below to successfully factory reset your Cisco 7942, 7962 IP phone:

1. Unplug the power cable from the phone and then plug it back in. The phone begins its power up cycle.
2. While the phone is powering up, and before the Speaker button flashes on and off, press and hold #. Continue to hold # until each line button flashes on and off in sequence in amber.
3. Release # and press 123456789*0#.

You can press a key twice in a row, but if you press the keys out of sequence, the factory reset will not take place.

After you press these keys, the line buttons on the phone flash red and the phone goes through the factory reset process.

Do not power down the phone until it completes the factory reset process and the main screen appears.

Performing The Factory Reset On Cisco 7920 Wireless IP Phone

To reset a Cisco 7920, the ip phone must be started in administration mode using the following steps:

1. Press the Menu softkey
2. Press * (star), # (hash) and * (star) again.
3. Press the Green phone key (used to answer a call) to open the administration mode.

Note: Power cycle the phone or press any of these keys while in the first level submenu and then press the Green phone key to hide the options:

• any key between 0 and 9
• * (star) key
• # (hash) key

Follow the steps below to successfully factory reset your Cisco 7920 IP phone:

1. Choose Menu > Phone Settings > Factory Default.
2. The phone displays the Restore to Default? message. Press the OK softkey. All settings are deleted.
3. Choose Menu > Network Config in order to reconfigure the network settings for your WLAN.

This completes the factory reset procedure for all Cisco 7940, 7941, 7942, 7960, 7961, 7962 and 7920 IP phones.

This article will show how to configure CallManager Express (CME) for the IP phone firmware upgrade process. Upgrading your Cisco IP phones is generally a good practice, especially when upgrading your CallManager or CallManager Express version, as it will ensure all new options and features supported by your CallManager/CME system are also available to your IP phones.

Upgrading your Cisco IP phone firmware is a very simple process, however special consideration must be taken into account when upgrading to the latest firmware.

If the Cisco Unified IP phone is currently running firmware earlier than 6.0(2) on and you want to upgrade to 8.x(x), you must first install an intervening 7.0(x) load to prevent upgrade failure.

Cisco recommends using the most recent 7.0(3) load as the intervening load to avoid lengthy upgrade times.

If the Cisco Unified IP phone is currently running firmware 6.0(2) to 7.0(2) and you want to upgrade to 8.x(x), you can do so directly. However, expect the upgrade to take twice as long as usual.

Step 1: Download The Correct Firmware

To download Cisco IP Phone firmware from Cisco.com, a valid Cisco CCO account is required. In most cases, the firmware file name is something similar to the following:  cmterm-7945_7965-sccp.9-2-1.tar.  From the file name, we can understand that this is firmware version 9.2.1, for Cisco 7945 and 7965 SCCP IP phones.

Step 2: Upload Firmware Files To CallManager Express Flash Storage

Next, the firmware must be uploaded and unpacked on our CME router. For this, we’ll need a TFTP server running on a workstation, plus access to the CME router.  From the CME prompt, we instruct the router to download the firmware and unpack it onto our CME flash:

When complete, the system’s flash should contain all 8 files as shown above.

Step 3: Configure The CallManager Express TFTP Server To Serve The Firmware Files & Setup DHCP Server (option 150)

Now we must configure CME’s tftp server to ‘serve’ these files so that the IP phones can request them.  This is done by adding the following commands to the router’s configuration:

We also must ensure there is a valid DHCP server running with option 150 set to CME’s IP address. When the IP phone boots up, it will look for a DHCP server that will provide it with an IP address, but also expect to find DHCP option 150 which designates the CME the phone should try to register with:

ip dhcp excluded-address 10.0.0.1  10.0.0.15
!
ip dhcp pool Firewall.cx
 network 10.0.0.0 255.255.255.0
 dns-server 10.0.0.1 8.8.8.8
 default-router 10.0.0.1
 option 150 ip 10.0.0.1

The above configuration excludes IP address ranges 10.0.0.1 to 10.0.0.15 from being handed out by the DHCP server. It also creates a DHCP scope named Firewall.cx and configures various self-explanatory parameters including the critical DHCP option 150, which represents the CME the IP phone should try to register to.

Step 4 – Configure CallManager Express To Use New Firmware Upon Next IP Phone Bootup

The final step involves configuring CME to use the new firmware and instruct IP phones to download it. This is done by issuing the following commands under the telephony-service section of CME:

The load command is followed by the phone type and associated firmware (.load) file. Notice we do not add the .loadof the filename at the end of the command.

The create cnf command instructs CME to recreate the XML files that will be used by the IP phones to download all necessary network parameters and force it to check its firmware and begin downloading the new one.

This completes our article on configuring Cisco CallManager Express for Cisco IP Phone Firmware upgrade.

This article shows how to connect Cisco's Unified CallManager with a CallManager Express system (including UC520, UC540 and UC560) via H323 gateway, allowing the two systems to route calls between each other. This scenario is typically used between remote offices running CallManager Express that need to connect to their Headquarters running on CallManager.

Our example network assumes there is a direct connection between the two CallManager systems via leased line as shown in the diagram below:

Engineers who wish to establish a VPN connection instead (via Internet) can refer to the following popular VPN articles:

• Configuring Point-to-Point GRE VPN Tunnels on Cisco Routers
• Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers

The above network diagram was designed using GNS3 in a simulated environment consisting of two CallManager clusters, one at the Headquarters (CUCM) with an IP Communicator client (CIPC_HQ) assigned with extension 2002 and at the remote branch we have a CallManager Express system with an IP Communicator client (CIPC_BR) with extension 5010.

To simplify things, our CME router is directly connected with the Headquarters router (CUCM_HQ), providing a path for us to reach the main CallManager (192.168.10.11).

While CallManager (Headquarters) requires a voice gateway to make and receive calls on the PSTN/ISDN network (Telco Providers), it is not a requirement for intra-site communication.

We assume no configuration exists on the CME router and basic configuration on CallManager.

Configuring CallManager Express or UC500 Series System

Following is the CallManager Express router configuration covering its LAN and WAN configuration:

The h323-gateway voip interface and h323-gateway voip bind srcaddr commands define the source interface and IP address for all h323 protocol communications and is necessary to ensure VoIP communication with CUCM.

Next, we enable the CallManager Express service and configure our single IP phone (IP Communicator) that will be used for our test:

The CallManager Express service is enabled via the telephony-service and the important ip source-address subcommand, which defines the source IP address of the CallManager Express system. In case the CME router has multiple interfaces connected to various networks (VLANs), we set the source IP address to be that of the Voice VLAN, so the CME router will use the correct interface (and therefore source IP address) to communicate with its clients (IP phones).

Finally, all that is left is to configure a dial-peer that would direct all calls to CallManager at our Headquarters. This is done by using dial-peers as shown below:

This dial-peer instructs CallManager Express to forward any calls made to any four digit number starting with 2, e.g. 2000, 2452, 2900 etc, to IP address 192.168.10.11, our headquarters CallManager.

Dial-peers are an essential ingredient to managing outgoing and incoming calls and will be covered in greater depth in another article.

This completes our CallManager Express configuration. We are now ready to move on to our CallManager configuration

Configuring CallManager (CUCM)

Configuring CallManager involves a number of easy-to-follow steps as outlined below. As shown in the network map, we've assigned extension number 2002 to the IP Communicator connected to the system. This phone will be accepting incoming calls from the remote CallManager Express system.

First step is to check that the Cisco CallManager and Cisco TFTP Server are activated. This can be done by visiting Cisco Unified Serviceability > Tools > Service Activation as shown below:

Here we will need to enable the mentioned CM Services by selecting them and clicking on Save.

If IP Communicator is not already connected and registered to CallManager, we can automate this process by going to Cisco Unified CM Administrator > System > Cisco Unified CM Configuration:

Here, uncheck the box Auto-registration Disabled on this Cisco Unified Communications Manager. This will allow any IP phone (CIPC - IP Communicator in our case) to register and automatically assign them an extension.  This is a very easy and painless method to register IP phones on a CallManager system.

Now to configure CIPC with extension 2002, we go to Device > Phones > Add New> Phone Type  and select Cisco IP Communicator.

Next, go to Device Name (Select the MAC address of CIPC), and for the field Softkey Template select Standard CIPC SCCP:

Scrolling down the page, you'll come across the SUBSCRIBE Calling Search Space field. Click on it and select Cisco IP Communicator:

Click on save then choose Directory Number Configuration, enter 2002 or desired extension then reset the phone to allow the successfuly registration of CIPC with CallManager:

Setting Up H.323 Gateway on CallManager

With the IP phone registered we now need to setup the H.323 gateway.

Setting up an H.323 gateway in CallManager is a straightforward process. From the main menu, select: Device > Gateways > Add New > Gateway Type  and select H.323 Gateway.

When selecting the H.323 Gateway, we need to provide a bit more information until it is usable by the system. 

In the field Device Name and Description, enter the IP address of the remote CME system, 192.168.20.1.

Next, click on the Device Pool field and select Default.  Finally cick on Save and Reset to have the changes take effect:

Configuring CallManager Route Group, Route List & Route Pattern

Our next step is to configure a Route Group, Route List and finally Route Pattern. This is a similar process to CME's dial-peer confguration but it's slightly more complicated in CallManager.

From the main menu, go to Call Routing > Route/Hunt > Route Group > Add New > Add Available Device and select the newly created H.323 Gateway. Click on Add To Route Group then click on save.

Now we go to Call Routing > Route/Hunt > Route List > Add New > Name, we used Route to 5xxx to help distinguish this route list. In the Cisco Unified Communication Manager Group drop-down option select Default then click on Save.

Right below we see the Route List Member Information section. Here we click on the Add Route Group button:

At the new screen select the Route Group field and choose WAN Devices-[NON-QSIG], then click on Save:

Finally we configure the Route Pattern. Go to Call Routing > Route/Hunt > Route Pattern > Add New > Route Pattern and enter 5XXX.  The pattern "5XXX" is similar to CallManager Express's "2..."  and will match any four digit number starting with 5.

Below, at the Gateway/Route List, select Route to 5xxx and uncheck Provide Outside Dial Tone. Finally, click on Save:

At this point CallManager has been configured to route all 5xxx extensions to the remote CallManager Express system and both systems should be able to communicate with each other.

About The Author

Mohammad Saeed is a guest writer on Firewall.cx,  freelancer and Video trainer, who loves working with Cisco techologies. As a CCNA & CCNP certified engineer, Mohammad works with small and medium size networking projects and helps students and network engineers to understand Cisco topics.

This article explains how to reset your Cisco 7945, 7965 and 7975 IP phone to factory defaults, and how to upgrade the firmware to the latest available version. We also provide necessary information on how to setup a DHCP server on a CME router or Cisco Catalyst switch, to support Cisco IP Phones and provide them with DHCP Option 150 so they know where to find and register with the CallManager or CallManager Express server.

According to Cisco, when initiating a factory reset procedure certain information from the IP phone is erased while other information is reset to the factory default value, as shown in the list below:

Information Erased:

• CTL File (Certificate Trust List)
• LSC File (Locally Significant Certificate)
• IP Phone Call History (Calls Received, Placed, Missed etc)
• Phone application

Information Reset to Default:

• User configuration settings (ring tone, screen brightness, sound levels etc)
• Network configuration settings

It is highly advisable to follow the firmware upgrade procedure in a non-working environment to ensure other phones are not affected (in case of an accidental reboot), and to avoid the freshly factory reset ip phones obtaining the working environment’s settings.

Cisco IP phone SCCP firmware files version 9.2.1 for 7945, 7965 & 7975 IP phones (latest version at the time of writing this article) are available at our Cisco IP Phone & ATA Firmware Download section. For our example, we used version 9.1.1.

Firewall.cx readers can visit our free Cisco IP Phone & ATA Firmware Download section to freely download the latest available firmware for their Cisco IP phones.

Things To Consider Before Factory Resetting Your Cisco IP Phone

When performing the factory reset procedure we are about to describe it is important to keep in mind that the IP phone will lose all configuration files and phone application. This means that it is necessary to have CallManager or CallManager Express setup so that the IP phone will be able to receive the new information (phone application and configuration) after the reset procedure is complete, because it is likely the IP phone will not be usable until this information is loaded.

This preparation also happens to be the procedure for upgrading a Cisco IP phone firmware.

Configuring CallManager Express (CME) For IP Phone Firmware Upgrade

Upgrading your Cisco IP phone firmware is a very simple process. Special consideration must be taken into account when upgrading to the latest firmware.

If the Cisco Unified IP phone is currently running firmware earlier than 6.0(2) on and you want to upgrade to 8.x(x), you must first install an intervening 7.0(x) load to prevent upgrade failure.

Cisco recommends using the most recent 7.0(3) load as the intervening load to avoid lengthy upgrade times.

If the Cisco Unified IP phone is currently running firmware 6.0(2) to 7.0(2) and you want to upgrade to 8.x(x), you can do so directly. However, expect the upgrade to take twice as long.

Step 1 – Download the Appropriate Firmware

To download Cisco IP Phone firmware a valid Cisco CCO account is required. In most cases, the firmware file name is something similar to the following:  cmterm-7945_7965-sccp.9-1-1.tar.  From the file name, we can understand that this is firmware version 9.1.1, for Cisco 7945 and 7965 SCCP IP phones.

Step 2 – Upload Firmware to CallManager Express

Next, the firmware must be uploaded and unpacked on our CME router. For this, we’ll need a TFTP server running on a workstation, plus access to the CME router.  From the CME prompt we instruct the router to download the firmware and unpack it onto our CME flash:

When complete, the system’s flash will contain all 8 files extracted above.

Step 3 – Configure The CallManager Express TFTP server to serve these files & Setup DHCP Server (option 150)

Now we must configure CME’s tftp server to ‘serve’ these files so that the IP phones can request them.  This is done by adding the following commands to the router’s configuration:

We also need to ensure there is a valid DHCP server running with option 150 set to CME’s IP address. In our example, this is IP address 10.0.0.10. When the IP phone boots up, it will look for a DHCP server that will provide it with an IP address, but also expect to find DHCP option 150 which designates the CME the phone should try to register with:

The above configuration excludes IP address ranges 10.0.0.1 to 10.0.0.15 from being handed out by the DHCP server. It also creates a DHCP scope named Firewall.cx and configures various self-explanatory parameters including the critical DHCP option 150, which represents the CME the IP phone should try to register to.

Step 4 – Configure CallManager Express to use new Firmware on Next IP Phone Bootup

The final step involves configuring CME to use the new firmware and instruct IP phones to download it. This is done by issuing the following commands under the telephony-service section of CME:

The load command is followed by the phone type and associated firmware (.load) file. Notice we do not add the .loadof the filename at the end of the command.

The create cnf command instructs CME to recreate the XML files that will be used by the IP phone to download all necessary network parameters and force it to check its firmware and begin downloading the new one.

When our IP phone next reboots, it will download the latest firmware installed on the CME router and begin the upgrade process.

Performing the Factory Reset on Cisco 7945, 7965, 7975 IP Phone

Follow the steps below to successfully Factory reset your Cisco IP phone:

1. Unplug the power cable from the ip phone and then plug it back in.
2. While the phone is powering up, and before the Speaker button flashes on and off, press and hold the hash # key.
3. Continue to hold # until each line button (right of the LCD screen) flashes on and off in sequence in orange colour.
4. Now release the hash # key and type the following sequence 123456789*0#

After the sequence has been entered the line buttons on the phone flash orange, then green and the phone goes through the factory reset process. This process can take several minutes and the firmware of the IP Phone will be erased.

When complete, the IP phone will reboot and the bootloader will try to obtain an IP address via DHCP. The IP phone also expects the IP address (option 150) or the name (option 66) of the TFTP server to be delivered by the DHCP server. This is why these DHCP options are critical at this phase.

The phone then tries to obtain the appropriate termXX.default.loads file depending in its model:

• term75.default.loads - Cisco 7975
• term65.default.loads - Cisco 7965
• term45.default.loads - Cisco 7945

This "loads" file indicates all the files the IP phone has to download from the TFTP server to make up the device firmware. The IP phone should first obtain the “loads” file and then proceed with the individual files. Once complete, the IP phone will install the files and finally reboot

Below is a screenshot of our 7945 IP phone during the firmware upgrade process:

The IP phone should now be ready for use with the new IP phone firmware installed.  The firmware can be verified by going to the phone Settings / Model Information menu option, where the load file installed is shown:

This article explained how to perform a factory reset for Cisco IP phones 7975, 7965 & 7945 models. We saw what information is lost during the reset, how to configure Cisco CallManager Express TFTP Server so that the updated SCCP firmware is automatically loaded on the IP phones and how to verify the IP phone firmware after the upgrade is complete.

The Cisco ATA 186 and 188 analog phone adaptor is very common amongst Cisco CallManager (CUCM) & Cisco CallManager Express (CUCME) installations.

The ATA 186/188 provides two analog phone ports, allowing support for up to two analog phones and supports a number of features allowing an engineer to configure it according to the requirements and environment.

One neat feature is the ability to disable one of the two analog phone ports, something administrators might want to do if the second phone port is not used, providing an additional security measure.

On the other hand, a couple of second-hand ATA’s might fall into your hands and, upon testing, you may find out that only the phone port works – this doesn’t necessarily mean the second phone port is faulty!

When an ATA 186/188 registers on either CallManager or CallManager Express (CME), two MAC addresses appear in the device section.

Let’s take CME for example:

When an ATA 186/188 is registered with CUCM or CUCME, the system will show two new MAC addresses. The first is the actual MAC address of the ATA device. This represents Phone Port No.1.

The second MAC address is similar to the first but with a ‘01’ appended at the end. The whole MAC address is then shifted to the left by two positions, as shown in the above screenshot. This second MAC address represents Phone Port No.2.

When a phone port is disabled, for example port Phone 2, the second MAC address ending in ‘01’ will not register anymore. If removed from the CUCM/CME system, it will not appear again until it is enabled.

How to Enable – Disable Cisco ATA Phone Port No.1 or No.2

The first step is to try resetting the ATA to its factory default setting. This is fully covered in our ATA 186/188 Upgrade and Factory Reset article.

In many cases a factory reset might not prove to be that useful, in which case manual configuration of the ATA parameter SID is required. To do this, open a web browser and connect to the ATA using its address e.g http://192.168.135.5. From the web interface, select SCCP Parameters under the Change Configuration menu option.

At the presented page, Phone 1 and Phone 2 ports at the back of the ATA are represented by the SID0 and SID1 field respectively.

To enable a port, simply enter a dot “.” as a parameter, or “0” to disable it. Simple as that!

The screenshot below helps make this practice clearer:

Of course, it is always highly recommended to upgrade to the latest ATA firmware version to ensure stability and enhanced functionality of the Cisco ATA 186/188 device. The latest Cisco ATA 186/188 firmware is freely available in our Cisco Download section.

As technology has advanced, things have become simpler yet more complex. One prime example is that of today’s communication networks. With the evolution of VoIP, the most obvious convergence is that of voice and data networks wherein both types of traffic leverage the same physical infrastructure, while retaining a possible logical network separation. While, this whole concept seems to be very exciting, there’s a big tradeoff in terms of security!

It’s unfortunate but true that, converged communication solutions are more often than not, deployed without much regard for the underlying security issues. In most cases, organizations tend to either ignore the security aspect of Unified Communication (UC) network’s security or underestimate the importance of the same. As a result a host of threats and attacks which used to be relevant to data networks now pester the voice implementation which leverages underlying data networks. Moreover, the existing security solutions which were designed for the data networks cannot adequately meet the new security challenges where voice meets data.

Unified Communications (UC) (Unified Communications is also referred to as IP Telephony) brings alongside a host of new security risks that cannot be resolved by existing security measures or solutions. While, UC risk mitigation strategies are just beginning to become known, UC threat mitigation entails significant costs or otherwise gets translated into cost of security that should be taken into account while designing the corporate UC security strategy. The first step to mitigate any risk is to know what your assets worth protecting are and what types of risks you should avert.

Let’s first understand the fundamentals of risk management.

UC Risk Management – Overview

Risk management is an art in itself as it spans multiple domains. Ideally, every asset in your UC network should be identified before going through risk management for your Cisco UC solution. This is important since it will identify what is most important to a business and where investment of time, manpower, and monetary resources will yield most favorable results. The assets that can be selected in a typical Cisco UC environment are (not limited to):

1. Cisco Unified Communications Manager (CUCM)
2. Cisco Unity Connection (CUC)
3. Cisco Unified Presence Server (CUPS)
4. Cisco Unified Communications Manager Express (CUCME)
5. Cisco Unity Express (CUE)
6. Cisco Voice Gateways
7. Cisco Unified IP Phones (wired, wireless, softphones)
8. Cisco Unified Border Element
9. Cisco Catalyst Switches
10. Cisco IOS Routers
11. Cisco Adaptive Security Appliance (ASA)

Once the elements of your Cisco UC solution are identified, it’s time to give them their risk ratings, based on your risk appetite.

Let’s start by defining risk.

Risk – is defined as probability of something going wrong when conducting business as usual and has a negative impact.

Now, while you may know that your call-control - CUCM for example - is not secure and can be compromised, you are essentially bearing a risk that a known or an unknown threat may be realized leading to realization of the risk. In other words, you are setting up your risk appetite. Risk appetite may be classified into 3 major categories:

• Risk aversion – Averting risks, adopting security where possible, high cost affair
• Risk bearing – knowing that the network could be attacked, still bearing risk, least cost affair
• Risk conforming – knowing that the network could be attacked, bearing risk to a minimal degree by implementing most critical security measures only, a balance between risk and cost

Next comes the risk rating, i.e. how you wish to rate the criticality of an element of Cisco UC solution to the operations of your network. For example, if CUCM is under attack, what will be the impact of the same on your network? Or, if an edge router is attacked, how do you expect the communication channels to be impacted?

Each application, device and endpoint should be given a risk rating which can be low, moderate or high. The Figure below depicts risk impact vs. likelihood.

Risk Impact vs. Likelihood (ratings)

Let’s now understand the threats that lurk around your UC solution and could possibly prove detrimental to the operations of a UC network.

The Risks & The Threats

There’s always bad guys out there waiting to impart damage to your UC infrastructure for their financial benefit, to prove their superiority to other hackers or just for fun’s sake.

The table below gives an overview of various threats and the possibility of these threats maturing i.e. risk realization as well as the probable impact on an organization’s operations. Please note that these are the most commonly seen threats:

 Let’s pay a closer visit to these threats and their risk bearings.

Eavesdropping – gives the attacker the ability to listen and record private phone conversation(s). An attacker can eavesdrop on VoIP conversations by disconnecting a VoIP phone from the wall outlet and plugging in a laptop with a softphone or packet capture software (such as Wire Shark) or by virtue of VLAN hopping attacks. Additionally, eavesdropping can be implemented using SIP proxy impersonation or registration hijacking. If this threat is realized, the risk of damage or disruption is high.

Identity Theft – Can happen at various OSI layers right from layer 2 through layer 7. Some examples are: MAC spoofing; IP spoofing; call-control / proxy / TFTP spoofing. There are freely available tools such as macmakeup, nemesis and so on which can help the attacker spoof an identity, in other words perform identity theft to trick the source or destination in a voice conversation to believe it is communicating with a legitimate person whilst it’s the attacker playing on behalf of a legitimate source. Now, a typical example of such an attack is when an attacker can spoof the MAC address of a victim’s machine and register his softphone. The attacker has the privilege equivalent to that of the victim and can conduct toll-fraud (explained later in this article) or extract information from the softphone’s web server to launch a flurry of attacks on the voice infrastructure. If this threat is realized, the risk of damage or disruption is moderate to high (depending on the privilege the attacker gains based of the victim’s profile).

Compromised Information / Loss of Information: Every business has some confidential information which, if exposed to its competitor or leaked on the internet, can prove detrimental for the business. Moreover, incorrect information passed to a destination entity can result in the business running into issues. An attacker can compromise the information in voice calls by injecting malformed packets, modifying the RTP packets, or by eavesdropping the call (discussed earlier). Packet injection or malformation attacks are difficult to detect unless an integrity method / algorithm is implemented. If this threat is realized, the risk of impact is high.

Toll fraud – This has been a classic issue since PBX days and continues to be a real nuisance in the VoIP world. An attacker finds a way to place an external call to the victim’s call-control and “hairpin” it into an outgoing call to an external destination. This could be performed using DISA, via voicemail, by a compromised IP Phone (such as a softphone), or by simply having an insider forward the calls to a desired international destination. This attack can land an organization with a skyrocketing bill in no time. The threat level of risk is high.

Denial of service – A DOS attack prevents use of the corporate UC systems, causing loss of business and productivity. An attacker can initiate a war dialer, remote dialing, or manually initiate an attack by launching multiple calls against a system.  This in turn overloads the system on call-control and depletes the bandwidth. The effect can range from legit users getting the busy tone when trying to dial any number, using voice mail or IVR to system bandwidth being filled by unwanted traffic. Level of risk for this type of threat is medium.

Spam over IP Telephony (SPIT) – equivalent to email spam on data networks. It’s unsolicited and unwanted bulk messages sent / broadcast to an enterprise network’s end‐users. This causes the enterprise user’s voicemail box to be full and the endpoint to be busy with unwanted calls. These high‐volume bulk calls are very difficult to trace and inherently cause fraud and privacy violations.

Call Hijacking – UC endpoints / devices can be hijacked through a variety of hacking techniques, such as registration hijacking and call redirection. Rogue endpoints can enable a hacker to use the organization’s communication systems without authenticating to the call-control. This can lead to toll fraud and disrupt communications. Also, rogue endpoints or wireless access controllers (WLC) or wireless access points (WAP) can serve as a back door for attackers to gain entry to legitimate network zones and compromise call-control, voice messaging, presence, and other services. Level of risk for this type of threat is medium to high.

Mitigating Risks

A golden saying in the world of security is – Security is only as strongest as the weakest link!

To ensure that your Cisco UC network is secure and can deter most threats while reducing the associated risks, a multi-level security construct is required. In other words, no single security solution can restrain all threats or risks; security at multiple levels within a network i.e. at endpoint, server, application, network, perimeter, and device level helps avert a host of threats.

It’s important to treat the development of a UC risk management program as a collaborative cross‐organizational project. Any actionable risk assessment needs: a comprehensive list of threats; feasibility of realization of each threat; a prioritization of mitigation actions for each of the potential threats. It’s most important that risks be managed and mitigated in line with corporate vision and continuity of essential operations when deploying UC systems.

Following are the leading practice recommendations to mitigate risks pertinent to various threats in a Cisco UC network:

• Implement adequate physical security to restrict access to VoIP components; Voice and Data traffic segregation at VLAN level and, if possible, at firewall zone level.

• Implement VoIP enabled firewall (application layer gateway) e.g. Cisco ASA.

• If voice VLAN is propagated to a remote location, implement firewall zoning to separate inside from outside traffic.

• Disable unused switch ports.

• Implement DHCP snooping, Dynamic ARP Inspection (DAI), and port security features on Cisco Catalyst switches.

• IP Phones located in public areas such as lobby, elevator, or hotel rooms, must be separated from employee/internal network by firewalls and ideally should have their own dedicated VLAN.

• Implement 802.1x based network access control (NAC) using EAP-TLS where possible.

• Implement scavenger QoS class for P2P and other unwanted traffic.

• Secure telephony signaling using TLS and media SRTP (Cisco CAPF).

• Encrypt signaling and media traffic for endpoints, gateways, trunks, and other ecosystem applications where possible.

• Establish dedicated IDS for voice VLAN for traffic within campus and from remote sites (SPAN, RSPAN)

• Secure voice messaging ports.

• Utilize Cisco Malicious Call Identification (MCID) to tag and list malicious calls.

• Implement a call accounting/reporting system such as CAR or third party billing software to view call activity on an ongoing basis.

• Implement strong password and PIN policies as well as OTP policies.

• Use the SSO available in Cisco UC applications to suppress fraudulent admission to network.

• Configure off-hours calling policies in line with the organization’s policies.

• Configure administrative group privilege restriction levels.

• Disable PSTN to PSTN trunk transfer.

• Enable ad-hoc conferencing conclusion on exit of the initiator.

• Harden IP Phones by disabling unused features and restricting settings access.

• Sporadically review system usage reports for abnormal traffic patterns or destinations.

• Use VPN to provide a secure conduit for communication with telecommuters/remote workers. V3PN, available in Cisco IOS routers and security appliances, enables encryption of voice, video, and data traffic using IPSec. SSL VPN can also be used from VPN Phones and SSL VPN client on PC’s with softphone.

• Enforce Antivirus (on Windows based servers) and Host Intrusion Prevention System (HIPS) on Windows and Linux based servers.

• The human factor cannot be ignored. Hence, train people in your organization about their responsibility for executing enterprise risk management in accordance with established directives and protocols.

Summary

In a nutshell, there is no one-size-fits-all when it comes to securing a Cisco UC network. No two networks are alike and organizations must examine UC security from a business perspective by defining their vision, goals, policies, and patterns of usage. It’s important that the security implemented is aligned with and in compliance with applicable laws and regulations, while being effective against business risks.

Moreover, a change in risk appetite must be observed when an organization’s priorities or business processes change. A multitude of the UC security risks can be resolved by applying existing ad-hoc security measures and solutions in a planned manner as listed in previous sections. The risk management solution approach is based on evaluating the following factors in order to minimize costs and maximize mitigation of risks:

• Business Impact of realization of a risk

• Compliance requirements

• Threat surface

• Budgetary constraints

This schema is depicted in the below figure:

Risk Management Specifics for Cisco UC

A successful UC risk management system or construct will ideally address all threats from realizing while minimizing business impact in compliance with laws and regulations, and is within budget such that the Total Cost of Ownership (TCO) decreases with time while Return on Investment (ROI) increases.

About The Author

Akhil Behl is a Senior Network Consultant with Cisco Advanced Services, focusing on Cisco Collaboration and Security architectures. He leads Collaboration and Security projects worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio for the commercial segment. Prior to his current role, he spent 10 years working in various roles at Linksys, Cisco TAC, and Cisco AS. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications.

He has several research papers published to his credit in international journals including IEEE Xplore.

He is a prolific speaker and has contributed at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. Akhil is also the author of Cisco Press title ‘Securing Cisco IP Telephony Networks’.

Read our exclusive interview of Akhil Behl and discover Akhil's troubleshooting techniques, guidelines in designing and securing VoIP networks, advantages and disadvantages of Cisco VoIP Telephony and much more: Interview: Akhil Behl Double CCIE (Voice & Security) #19564.

Unity Express provides any organization with a quick and convenient way to manage voicemail, auto attendant and interactive voice response (IVR) services.  These services are provided within the Unity Express module.

When purchased, Unity Express includes a few licenses for some services, such as voice ports for auto attendant, while other services like mailboxes are not included.  This policy forces companies requiring these services to purchase additional licenses from Cisco in order to activate or expand the system’s capacity.

A good example is the Unity Express voice mailbox service. When purchasing Unity Express, by default it does not include any mailboxes. 

While the Unity Express web interface allows the creation of voice mailboxes despite the fact no licenses are installed, you won’t be able to make use of them unless the appropriate number of licenses is installed.

When a caller is redirected to a user’s voice mailbox where the system does not have the necessary licenses installed, instead of hearing the called party’s voicemail prompting to leave a message, the following prompt is heard:

Voice mail system is unavailable, try again later, to talk to the operator, press zero.

Engineers and Administrators interested can read our popular articles covering the physical installation and initial setup of Unity Express on Cisco CallManager Express or Cisco Voice Gateways:

• Cisco Unity Express Installation & Setup - ISM-SRE-300-K9 & SM-SRE-700-K9 Installation – Part 1
• Cisco Unity Express Installation/Setup - Service Module & Initial Web Interface Configuration - Part 2

Installing & Verifying Unity Express Licenses – 4 Simple Steps

Installing Unity Express licenses is not all that complicated. We’ve broken down the process into four simple steps to make it as clear and simple as possible:

• Registering and Assigning your Product Authorization Key (PAK) number
• Obtaining the Correct UDI Product ID and Serial Number
• Installing the Software License on Unity Express
• Verifying Unity Express License Installation

No matter what type of license you have the installation process is the same. It is important to note that when installing multiple PAKs for a service they must be combined into a single license. For example, if you have purchased four packs of 5-user-mailbox licenses to support a total of 20 users, you must ensure these are combined into a single 20 mailbox license file and not four x 5-mailbox license files. If problems arise, Cisco support is always available to help resolve any licensing problem.

Before we begin the license installation process it is important to verify the existing licenses so we are sure of what we have already.

Verifying Existing Cisco Unity Express Licenses

Before considering purchasing licenses it is necessary to verify what is already installed. This is easily done by using the following command to view the currently installed licenses. Note that the License Type: Permanent from the command output is what we are looking for. This represents a permanent license, which is also the installed licenses:

Note: We’ve removed the rest of the command output to avoid redundant information.

License Type: Evaluation is, as the output indicates, evaluation licenses. These are not installed/purchased licenses and normally are limited to a 60 day trial period after which they expire and are disabled.

Another way to verify the installed licenses is to log into the Unity Express GUI interface and visit the Administration>Licenses section:

As both CLI output and GUI interface confirm, we currently have two VMIVR-PORT licenses installed. This license feature will allow up to two simultaneous calls to the autoattendant system or user voice mailbox service.

Register & Assign Your Cisco Product Authorization Key (PAK) Number

When purchasing a Unity Express license, you’ll receive it either as a hardcopy or electronically delivered license. The license contains an 11-digit Product Authorization Key number, also known as PAK. The PAK is basically your license, which needs to be associated with your Unity Express hardware. This process is done through the Cisco.com website. Once associated, the necessary license file will be delivered to you electronically and you’ll then need to install it on Unity Express.

To begin registration, visit  http://www.cisco.com/go/license.  A valid CCO account is required, so users without a CCO account will be required to register first. After the logon process is complete, we need to enter our 11-digit PAK number as shown in the screenshot below:

If more than one license PAK has been purchased for the same family product, for example 2 packs of 5-user mailbox license, then click on the Load More PAKs button and the page will provide additional fields to enter all purchased PAKs.

Since our example only contains a single PAK, we enter it and then click on Fulfil Single PAK.

The next page allows us to assign our PAK to our Unity Express hardware. Click the Quantity Available check-box to ensure all quantities are selected (one in our case) and below enter the UDI Product ID and Serial Number.

Note: The small arrow box on the right of the UDI Product ID field (shown in the screenshot below) will produce a pop-up window instructing to issue the “Show License UDI” CLI command in Unity Express, to obtain the correct Product ID and Serial Number, however, the information provided by the CLI prompt is misleading and can cause confusion.

 The next section covers how to obtain the correct UDI Product ID and Serial Number.

Obtaining The Correct UDI Product ID & Serial Number

From your router prompt, connect to the Unity Express CLI prompt and issue the show license udi command:

Note that, under the UDI column, the system shows ISM-SRE-300-K9:FOC162427RV – this is actually the UDI and serial number  (UDI:SERIAL_Number).  The UDI is everything before the semicolon (:).

So, UDI is ISM-SRE-300-K9 and the system serial number is FOC162427RV. If ISM-SRE-300-K9:FOC162427RV is entered in the UDI Product ID field, the system will not accept it.

Cisco does not mention how to distinguish the correct UDI from the output provided, this can cause frustration when trying to assign the PAK to the hardware.

Even the show version provides the same confusing result. Notice the UDI section:

Register & Assign Your Product Authorization Key (PAK) Number (continued)

After entering the UDI Product ID and Serial Number in the provided fields, press the Assign button to assign the PAK to the Unity Express hardware. The page will update and show Device, PAK and SKU assignment:

We are now ready to continue by clicking on the Next button.

The system now presents us with the final page where we enter our email address and confirm the end user. We must agree to the License terms before the license can be generated. When ready, click on the Get License button:

A pop up window confirms the license is being processed and will be emailed when complete. This takes a couple of seconds. There is also an option to download the license directly in case access to email is not possible:

A final confirmation window tells us the license is ready for download and has also been emailed to our registered address:

The license file name is somewhat long and contains the system’s serial number and a 17 digit number.

Installing The Software License On Unity Express

Unity Express licenses are installed via an FTP server. The FTP server will serve the license file and we’ll instruct Unity Express to fetch the license using the CLI prompt.

We assume an FTP server is up and running on a workstation and is accessible from Unity Express.

Now we need to log into Unity Express and issue the command so it can fetch the license and install it.

Note the command syntax is ftp://username:password@ftp_server_ip/licensefilename:

Verify Unity Express License Installation

Upon reboot, Unity Express will enable the newly installed license and it will be available for use. When the reboot completes, we can verify the license status using the show license status application command.

To make things a bit more interesting we created 10 voice mailboxes while installing a 5 user mailbox license. This means we had more mailboxes than our installed license allowed. Check out the result:

When dialing a user’s extension where voicemail was enabled, as explained earlier, instead of the standard greeting message we got the Cisco lady telling us : Voice mail system is unavailable, try again later, to talk to the operator, press zero.

After deleting the 5 additional mailboxes and issuing the show license status application command, we notice the voicemail service is now enabled:

Useful Unity Express License Show Commands

Following is a collection of useful commands that provide information on Unity Express’s license condition:

'show license status application'

The show license status application command displays the status of the license applications installed in Unity Express. The command accepts additional parameters such as: ivr, ports, timecardview, voicemail. By entering the command as shown, it will display information for all applications:

'show license all'

The show license all command displays the summary of all the licenses installed in your Unity Express system. The command has no additional parameters:

'show license in-use'

The show license in-use command displays information about the licenses that are in use on your Unity Express module. Again, there are no additional parameters for this command:

This concludes our Cisco Unity Express License Setup & Installation - Software Activation article.

Cisco is continuously developing its CallManager Express product, introducing new features and services to help keep up with its customers' and the market’s demands.

With the rapid increase of the mobile phone market, customer requests for CallManager Express to support them are on the rise. In response, Cisco added support for Apple’s popular iPhone with CallManager Express v8.6 ( IOS 15.1(4)M ), but unfortunately did not include Android support, leaving millions of Android phone users in the dark. 

At the time Cisco Mobile 8.1 & 8.0 was available for iPhone users, allowing them to connect and make phone calls via CME just as any normal softphone client.  Cisco Mobile was later renamed Cisco Jabber.

Thankfully, with CallManager Express v9.1 ( IOS 15.2(4)M1 ), Cisco finally added support of the Jabber application for the Android operating system.  Both Cisco Jabber versions (Android and iPhone) use SIP as the communication protocol with CME. SCCP is not used. 

While CME 9.1 now supports both iPhone and Android phones, getting them to work is a different story.

This article will demonstrate how to configure your CallManager Express v9.1 to support Cisco Jabber for both iPhone and Android operating systems.

At the time of writing, the latest version of Cisco Jabber for iPhone is 9.0 (1) and 9.0.1.1911 for the Android operating system.

Cisco ISR 2800 Series CME – No Support for Jabber Android Users

On the 1^st of November 2010, Cisco announced its discontinuation of all 2800 series ISR routers and, as a result, will only provide minor software upgrades.

The latest IOS version available for the 2800 series is 15.1(4) which, according to our CME-IOS Matrix, supports CallManager Express v8.6.  

Since support for the Android operating system begins officially with v9.1, the 2800 series CME routers will only be able to support Cisco Jabber for iPhone.  Unfortunately no support for Android is available (yet) for this platform, and we don’t expect to see any in the near future.  

IT Managers and engineers who want to provide CME services to their Android Jabber users must upgrade to the 2900 series platform.

Cisco Jabber For Android – How To Overcome Bugs!

Jabber support for the Android operating system is very new on CME and as such, the Jabber version available in Google’s Play Store might not work properly. 

When we tested Cisco’s Jabber from the Google Play Store using our Samsung Galaxy SII (Model GT-I9100) running Ice-Cream Sandwich 4.0.4, it was not able to connect to our CME v9.1.  We tried the LAN Wi-Fi and even the GSM network (via Anyconnect VPN) but the application failed continuously to register and requested we check our Internet Calling settings.

After consulting with Cisco engineers around the globe, we discovered we had hit a bug on the Android version of Jabber, specific to some Samsung phones running Android 4.0.4. This was later confirmed with some HTC Android phones as well.

However, we managed to obtained an Engineering Special (ES) edition (as Cisco calls it) of Jabber, that overcomes the problems mentioned and works like a charm!  This ES Jabber release is not available through Google’s Play Store, nor from Cisco as a direct download.

Fortunately, Firewall.cx Android users can download the engineering special edition from our Cisco Tools and Applications section!

Configuring CallManager Express To Support Jabber For Android & iPhone

The configuration settings of CME are pretty much identical for both Android and iPhone operating systems.

Since Jabber for CME uses SIP as a communication protocol, it is mandatory to enable SIP registration on CME.  Enabling SIP registration requires special attention to ensure registration is only restricted to the local network or VPN users at most.

Opening SIP registration to public IP’s or untrusted networks is definitely not recommended as it could allow anyone to connect and register to the CallManager Express.

First step is to configure CME to allow calls from SIP to SIP endpoints and enable SIP registrar:

The ip address trusted list section is used to list remote client IP addresses which are not part of the local network. This will allow them to register with CME and place or receive calls.  If for example your Android or iPhone connects to the corporate LAN via VPN (AnyConnect VPN) and obtains an IP address on a different network/subnet from CME, it will be necessary to list the VPN IP address or VPN network pool for the phone to register. 

The control source-interface GigabitEthernet0/1 command ensures SIP uses GigabitEthernet 0/1 as the binding interface for all SIP communications. The interface’s IP address will show up as the source IP for all outgoing communications.  All incoming communications are expected to terminate to this interface as well.

Next step is to configure the voice register global section. This section holds key configuration elements for the correct operation of our CME SIP service.

Here we will specify various parameters including: Set SIP registrar to CME mode, source-address for phone registration,  maximum extensions (max-dn), maximum phones (max-pool), set authentication for phone registration and finally create configuration files for all phones (tftp-path, file text & create profile).

Now we can configure our phone extension using the voice register dn command and SIP phone with the voice register pool command:

voice register dn 5
number 778
name Chris-Android 778
label Chris-Android 778
!
voice register pool 1
registration-timer max 720 min 660
id mac 147D.C5AF.79B2
session-transport tcp
type Jabber-Android
number 1 dn 5
username chris password firewallcx
codec g729r8

While most commands are self-explanatory, we’ll focus on the most important:

number 778: This specifies the extension our SIP phone will have.

id mac 147D.C5AF.79B2. This is the Wi-Fi MAC address of our mobile phone. In our example, our Samsung Galaxy SII.

type Jabber-Android.  Here we specify the sip client type. It can either be CiscoMobile-iOS for Apple iPhone users or Jabber-Android for Android users.

codec g729r8: This specifies the codec that will be used for this client. It is possible to use g711ulaw or g711alaw, g722-64k, g729r8 and ilbc.  Each code has different bandwidth requirements and sound quality.  G729r8 and ilbc require 8 and 13kbps-15.2kbps respectively, while the others require 64kbps.  Don’t forget to add the IP overhead to these figures.

Note: When the SIP phone extensions and devices configurations are complete or altered, it is imperative we go to the voice register global section and issue the create profile command.  This ensures the appropriate configuration files on CME are created for our SIP devices.

Cisco Jabber For Android (both 4.0.4 & 2.3) Settings – Configuration Example

Connect to the Google Play Store and search for Cisco Jabber:

After downloading and installing Cisco Jabber for Android, launch the application and click on Begin Setup:

Next, in the Device ID field, enter the SEP+MAC address (Applications ->Settings->Wi-Fi-> Advanced Wi-Fi) without any spaces or dots. Now, enter your CME IP address in the Server Address field.

You can selectively enable Use mobile data network and Use noncorporate Wi-Fi options.  We always select Use noncorporate Wi-Fi only to ensure the GSM mobile network is not used (especially if your provider charges GSM data).

If necessary, enable Auto Start so that Cisco Jabber starts every time your phone restarts. Now click Verify to register with CallManager Express:

 After Cisco Jabber successfully registers with CME, we are presented with the main screen and dial pad:

Cisco Jabber For iPhone Settings – Configuration Example

First we need to verify our phone is connected to the corporate Wi-Fi network and is accessible from CME.

1. Launch Cisco Jabber and complete the setup wizard.
2. Enter the Device Name SEP, followed by your MAC address without any dots. e.g SEP147DC5AF79B2
3. Enter your CME IP address in the TFTP Server field. E.g 192.168.9.5
4. Turn ON SIP Digest Authentication and enter the username and password configured under the voice register pool section

Following is a screenshot of the complete settings on our iPhone:

 This concludes our Cisco CallManager Express (CME) Cisco Jabber for Android and iPhone configuration.

Most engineers are aware that to download and install the latest Cisco CallManager Express (CCME) Graphical User Interface (GUI) files, Cisco requires a registered CCO account with the necessary privileges.  To help alleviate engineers and administrators from locating and downloading these files, we are now providing them free via direct download from Firewall.cx - no registration required!

We've conveniently packed in one zip file CallManager Express GUI files for CCME v3.3, CCME v4.1.0.2, CCME v4.2, CCME v7.1.0.1, CCME v8, CCME v8.5 and CCME v8.6.

Please note that CCME GUI v8.8 and v9.0 contain bugs and are pretty much useless as no CCME modifications can be saved using these GUI versions, and therefore you are advised to use CCME v8.6 if the GUI interface is absolutely necessary.  For more information on these bugs, please visit our CCME v8.8 & v9.0 bug announcement. CCME GUI version 9.1 was not yet published at the time of this post.

Users can download CCME GUI files by visiting our Cisco Download section.

Step-by-step installation instructions for the CCME GUI are available at the following Firewall.cx articles:

1) CallManager Express GUI Software Installation & Configuration - Part 1
2) CallManager Express GUI Software Installation & Configuration - Part 2

Users who wish to check their IOS CCME version can use the show telephony-service command:

The table below illustrates the Cisco IOS releases, CallManager Express versioning and CallManager Express GUI version that should be used or installed on the device (router or UC500):

Mentioned in Part-1 of our Cisco Unity Express installation article, the Cisco Unity Express setup procedure is identical for ISM-SRE-300-K9 and SM-SRE-700-K9 modules. We will be using the smaller ISM-SRE-300-K9 for this article. The only notable difference in the CallManager Express configuration will be the module’s interface that connects to CallManager Express.

Users interested can also visit our Cisco VoIP/CCME - CallManager Section where they'll find more articles covering Cisco VoIP, CallManager, CallManager Express and Unity Express.

For the SRE-300, the module’s interface name is interface ISM0/0, whereas for the SM-SRE-700 it is service-module sm2/0. Both interfaces are GigabitEthernet, connected via each router’s internal bus.

The ISM-SRE-300-K9 module is configured with its own IP address and acts as a separate machine inside the router. Before we can begin configuring Unity Express, preinstalled by Cisco, we must configure IP connectivity with the router so we can then access the ISM-SRE-300-K9 module and initialize the Unity Express setup.

When physically installing an SRE module, CCME will automatically make two additional interfaces available in its configuration. For the ISM-SRE-300-K9, they are interface ISM0/0 and interface ISM0/1, whereas for the SM-SRE-700 they are interface SM2/0 and interface SM2/1.

First step is to configure IP connectivity between the router (CCME) and Unity Express. This is achieved by configuring interface ISM0/0 with an IP address (ISM-SRE-300-K9) or interface SM2/0 for the SM-SRE-700.

Our CCME router has two IP addresses, 192.168.9.5/24 (Data VLAN) and 192.168.10.5/24 (Voice VLAN). When configuring an IP address on Unity Express, there is the choice of assigning one part of the existing network(s) (192.168.9.0 or 192.168.10.0) or one that is on a completely different network. 

It is a common practice to configure Unity Express with an IP address that is part of the Voice VLAN, that is, 192.168.10.0/24 in our example:

In the above configuration commands, we’ve configured our Unity Express module with IP address 192.168.10.10 and a default-gateway of 192.168.10.5 (CCME’s Voice VLAN IP address), this is because the Unity Express module is physically connected to our router’s internal interfaces (ISM) and therefore must use one of the router’s IP interfaces as a default-gateway.

The ip unnumbered <interface> command allows the Cisco Unity Express module to use a network subnet IP address associated with a specific router egress port such as GigabitEthernet0/0.2. This configuration method requires a static route to the service-engine interface. The router interface associated with the Cisco Unity Express interface (GigabitEthernet 0/0.2) must be in an "up" state at all times for communication between the router and module.

At this point we should note that GigabitEthernet0/0 is configured as a trunk link with our switch. This configuration method is known as ‘Router on a Stick’ and allows all configured VLANs to pass through a single interface. For more information on this configuration method, please refer to our Router-on-a-Stick article.

Following is the configuration of our GigabitEthernet 0/0 interface:

Next step is to create a static route to Unity Express’s IP address via the internal service module (ISM0/0):

At this point, we should be able to ping Unity Express’s IP address:

CallManager Express - Telephony-Service Configuration

Next step is to configure our CallManager Express web-based administrator user (if not already configured), voicemail extension on CallManager Express, voicemail dial-peer and Message Waiting Indicator (MWI) extensions used to enable/disable the red light (message waiting indicator) on the IP phone when there is a message waiting in the user’s voice mailbox:

Now we must enable the IP http & http secure server and ensure the http access-lists (if any) allow the login of Unity Express’s IP address:

Failing to configure the above commands will result in the failure of Unity Express to log into the CallManager Express system and not able to complete the Unity Express initialization process. In our setup, network 192.168.9.0 is the Data VLAN, whereas host 192.168.10.10 is our Unity Express IP address.

Unity Express Module Administrator User Configuration

Final step involves login into the Unity Express CLI and creating the admin user to be used for the web-based initialization process that follows:

We are now ready to connect to Unity Express and begin the module’s initialization.

Unity Express Web Interface Initialization & Configuration

Open a web browser and enter the IP address of the Cisco Unity Express module, in our case this is 192.168.10.10. The Unity Express is yet to be initialized and therefore will only allow administrator login.

Using the username and password entered above, we log in to the Unity Express administration panel:

Upon logon, we need to select the appropriate Call Agent Integration from the drop-down menu, in our case Cisco Unified Communication Manager Express:

After the selection, the system will warn that it will delete Jtapi related configuration and reboot. Do not be alarmed and click on OK to continue:

If you’re connected to the unity express CLI, you’ll also be able to view the whole reboot process. Here is the session we captured during this reboot:

While Unity Express reboots, the GUI interface shows a messaging explaining that the system is reloading and will automatically try to reconnect once the reboot cycle is complete:

When the system is back online it is necessary to log back in using the Unity Express administrator account previously created (admin).

After the logon process is complete, we are presented with the CUCME Logon screen. This screen is to provide the credentials so that Unity Express can log on to the CCME and obtain user account configuration. This account is the same account created under the Telephony-Service section of CCME (shown previously). We can also provide the hostname or IP address of CCME. We selected the IP address of the Voice VLAN, 192.168.10.5:

In case of logon failure, Unity Express will present a pop-up window explaining that it failed to log on. In such a case, check the CCME web user under telephony-services and ensure the rest of the required commands are present.

As soon as Unity Express’s login to CCME is complete, it will present all users it finds and allow the administrator to associate the Primary Extension for each one. Here, you can also enable Mailbox creation, set a specific user as an Administrator or set CFNA/CFB (Call Forward No Answer / Call Forward Busy) so that incoming calls to the user are directed to his/her voicemail when not answered or busy:

Clicking on Next takes us to the Defaults page where default settings are configured for all new users and mailboxes created from now on. Ensure the System Default Language is set to English (in most cases) and take note of the Password & PIN Options.  The rest can be changed as required:

Next page coves the handling of calls to Unity Express. Here you set the Voice Mail Number. This same number should be configured under Telephony-Service in CallManager Express (covered earlier in this article). MWI ON/OFF should be automatically configured, if not, select the correct extensions configured.  SIP MWI should be left as default unless there is a reason to change it:

A final screen is presented where there is an option to finalize the configuration and save it to the Unity Express startup-config. Review as necessary and click on Finish to begin the process:

As the saving of the configuration is in progress, Unity Express executes a number of scripts in the background and makes the necessary modifications. An update of this progress is shown on the web browser screen:

Finally, Unity Express will present a summary of the setup and inform the administrator of all successes and failures:

In our example, Unity Express failed to create and allocate a voice mailbox to our user due to the absence of an active mailbox license.

Unity Express licensing will be covered in a separate article, along with more details and information.

This completes a two-part article covering the physical installation of ISM300 and SME700 Service Engine Ready modules with Unity Express 8.0.

Unity Express is a popular add-on for Cisco Unified Communication Manager Express (CallManager Express) and Cisco Unified Communication Manager (CUCM), adding advanced auto attendant functionality with complex menu support through Unity Express voice scripts, user voice mail and advanced notification methods such as emailing voice messages directly to users, calling users to notify them about their new voice messages and much more.

Users interested can also visit our Cisco VoIP/CCME - CallManager Section where they'll find more articles covering Cisco VoIP, CallManager, CallManager Express and Unity Express.

Cisco Unity Express Hardware Platforms

Unity Express is offered on a variety of hardware platforms supporting the Cisco 2800, 3800, 2900 and 3900 series routers. Depending on the router and capacity required, Unity Express is available as a card that fits in an Advanced Integration Module (AIM) slot (2800, 3800 series), Internal Service Module (ISM) (2900, 3900 series), Network Module (NM-CUE-EC) for 3700, 2800 & 3800 series that support network modules, Enhanced Network Module (NME) for all 3700, 2800, 3800, and 2900, 3900 series routers supporting network modules and finally the newer Service Module (SM) supported only on ISRG2 routers (2900 and 3900 series), again that are able to accept network modules.

We were lucky to get our hands on two different Unity Express modules, the ISM-SRE-300-K9 installed on a Cisco 2911 CCME, and the larger SM-SRE-700-K9 installed into a Cisco 3945 CCME.

The following table shows the technical specifications of both ISM-SRE-300-K9 & SM-SRE-700-K9:

Meet The ISM-SRE-300-K9

While the configuration procedure for both modules is identical, physically there are many differences that cannot be overlooked.

The ISM-SRE-300 is the smallest internal module available for the newer ISRG2 routers but certainly does not hold back in performance or capabilities. With a whopping 100 mailbox support and up to 10 concurrent voice ports, its capable to deliver enterprise class services. 

As an ISM module, it is installed by opening the router’s lid and connecting it to the special ISM port located on the back left area of the main board or front right area, depending on which way the router is facing. On our Cisco 2911 ISR-G2 CallManager Express  router, we've marked the ISM connector yellow in the picture taken below: