Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Cisco (page 1 of 6)

Free public NTP servers from Google

It has passed somewhat unnoticed but Google have made available to us their free, accessible to all NTP servers. I have been using their DNS servers for years without any issues so will trust their NTP ones as well. So far works just fine. For a single server we can use time.google.com and for multiple servers, even though they all seem to be in the same class C yet I get different latencies - from 85 msec up to 185 msec, we can use time1.google.com, time2.google.com, time3.google.com, time4.google.com .

Useful CLI commands for Cisco CUCM

Useful CLI commands for Cisco CUCM .

I don’t work on the command line of CUCM often, if ever – you may add, but when the need arises here is the short list of commands to keep. A little reminder – the latest (starting version 5 and on) of Cisco CUCM software is Linux (namely Red Hat) based,  which of course includes the terminal access – be it a physical via console or a network one over ssh .
You create a username/password for the terminal during the CUCM  installation.
As Cisco do not want us to mess with the underlying OS, our interaction is limited to a very restricted kind of shell . So you don’t have access to the Linux commands, but you do have a predefined set of CUCM commands of which I present most useful ones here.
I run the examples below on a MCS hardware server so your output may vary.


– Changing password for yourself/another user . Know that it is here, but do not play with it risking to lock yourself out of the server.

admin:set password { age* | complexity* | expiry* | inactivity* | user* }

–  Get the disk usage

show diskusage activelog

– Show the status of the fans (irrelevant for VMware based install)

admin:show environment fans
(RPMS)     Lower                     Critical

ID     Current   Threshold Status

Fan Sensor 1 7800     4200      OK
Fan Sensor 2 7950     4200      OK
Fan Sensor 3 7800     4200      OK
Fan Sensor 4 7350     4200      OK
Fan Sensor 5 7200     4200      OK

– Show the server temperature (irrelevant for VMware based install)

show environment temperatures

(Celcius)    Non-Critical   Critical   Threshold    Threshold

     ID       Current  Lower   Upper   Lower   Upper  Location Temperature Sensor
24          53          54           55        62   1

– Show the server hardware (irrelevant for VMware based install)

show hardware

HW Platform    : 7825I4
Processors     : 1
Type           : Intel(R) Core(TM)2 Duo CPU E8400  @ 3.00GHz
CPU Speed      : 3000
Memory         : 2048 MBytes

show logins
administ pts/0   Wed Aug 12 09:56   still logged in

– Show physical memory (irrelevant for VMware based install)

show memory modules

Bank  Locator   Size  Active Status

– Show interface status (more useful for hardware based servers than VMware ones)

show network eth0

Ethernet 0
DHCP      : disabled        Status : up
IP Address   :     IP Mask :
Link Detected: yes             Mode    : Auto enabled, Full, 100 Mbits/s
Duplicate IP : no
DNS   Not configured.
Gateway   : on Ethernet 0

– Show number of open connections . If there is some network connectivity issue this number will be unusually low as each IP Phone/voice gateway is counted as a connection.
show network ip_conntrack


– Show open and accessible over the network ports

show network ipprefs public

Application  IPProtocol   PortValue Type      XlatedPort   Status    Description

———— ———— ———— ———— ———— ———— ————

sshd      tcp       22        public    –         enabled   sftp and ssh access
clm       udp       8500      public    –         enabled   cluster manager
clm       tcp       8500      public    –         enabled   cluster manager
tomcat    tcp       8443      translated   443       enabled   secure web access
tomcat    tcp       8080      translated   80        enabled   web access
ntpd      udp       123       public    –         enabled   network time sync Continue reading

Cisco reflexive access-lists are still on CCNP Security exam

Today I was surprised to hear from someone who just took one of the CCNP Security exams that they still test for Reflexive access-lists - what a nostalgy. I was sure it has long been ousted by ip inspect and Zone Based Firewall, but no - it is still tested and still available in the newest IOS images of at least ISR routers. If you, like me, are rusty on its config, here it is how to allow from inside outbound everything:
ip access-list extended OUTBOUND 
permit tcp any any reflect MIRROR 
permit udp any any reflect MIRROR 
permit icmp any any reflect MIRROR 
Then the access-list to put on external facing interface inbound:
ip access-list extended INBOUND 
evaluate MIRROR 
And finally apply it:
#conf t
(config)# interface FastEthernet 0/1 
(config-if)# ip access-group OUTBOUND out 
(config-if)# ip access-group INBOUND in
Do not forget of course its drawbacks:
  • It does not work well with complex protocols like FTP
  • It is not exactly stateful - what happens is that router dynamically adds non-stateful entries in INBOUND access list that mirror the passing traffic, expiring it after some time. In doing so Cisco router looks only on destination/source IP address and port.

RIPE database query for a route object, or why my network is not advertised via BGP to the world

Once it was a nice-to-have configuration that most ISPs in the world ignored anyway, but today it is a must if you are planning to advertise your networks via BGP through your uplink provider – your route object in the AS whois database of the uplink provider. If not – you will happily advertise your networks, the uplink provider will duly advertise them to its uplink peers, which will check AS registry database of your provider and not finding this route object will silently drop the advertising.
Of course it is duty of your transit ISP provider to update their records with your network, but after all, you are the one most interested – so as they say in Russian ” Доверяй но проверяй ” , and here is how to do it:
whois -h whois.ripe.net — ‘-a -r -i or -T route AS1680’ | grep route
In this example I assume your uplink provider is Netvision with AS1680 , replace AS number with the correct one.
Output will look like:

If you don’t find in such listing your network – Houston, you have a problem here.

Cisco CUCM CDR report – call duration and called numbers extraction script

Yesterday I had to extract some data from a CDR report for a client, namely call start time, its duration and the called number. And while I am sure Google has zillion scripts to be found, it was much faster to hack this one-liner .
The script extracts the following fields from the CDR report in this order:
dateTimeOrigination – for outgoing calls it is the time the device goes off hook
callingPartyNumber – initiator of the call
finalCalledPartyNumber – the reached/dialed number (after forwarding if any)
duration – duration of the call
The extracted data is placed in CSV format to be easily imported into Microsoft Excel.
Enjoy. Any questions – feel free to ask here.

[bash] awk -F, ‘BEGIN {OFS=","} {print strftime("%c",$5),$9,$31,$56}’ report_cdr [/bash]

Sun 04 May 2014 01:54:37 PM IDT,0555555555,2988,41
Sun 04 May 2014 01:55:07 PM IDT,2908,0555555555,25

In case you want to extract some other fields from CDR , here is the full list of available values and their position. For explanation you can look here – Cisco Call Detail Records Field Descriptions

1 cdrRecordType
2 globalCallID_callManagerId
3 globalCallID_callId
4 origLegCallIdentifier
5 dateTimeOrigination
6 origNodeId
7 origSpan
8 origIpAddr
9 callingPartyNumber
10 callingPartyUnicodeLoginUserID
11 origCause_location
12 origCause_value
13 origPrecedenceLevel
14 origMediaTransportAddress_IP
15 origMediaTransportAddress_Port
16 origMediaCap_payloadCapability
17 origMediaCap_maxFramesPerPacket
18 origMediaCap_g723BitRate
19 origVideoCap_Codec
20 origVideoCap_Bandwidth
21 origVideoCap_Resolution
22 origVideoTransportAddress_IP
23 origVideoTransportAddress_Port
24 origRSVPAudioStat
25 origRSVPVideoStat
26 destLegIdentifier
27 destNodeId
28 destSpan
29 destIpAddr
30 originalCalledPartyNumber
31 finalCalledPartyNumber
32 finalCalledPartyUnicodeLoginUserID
33 destCause_location
34 destCause_value
35 destPrecedenceLevel
36 destMediaTransportAddress_IP
37 destMediaTransportAddress_Port
38 destMediaCap_payloadCapability
39 destMediaCap_maxFramesPerPacket
40 destMediaCap_g723BitRate
41 destVideoCap_Codec
42 destVideoCap_Bandwidth
43 destVideoCap_Resolution
44 destVideoTransportAddress_IP
45 destVideoTransportAddress_Port
46 destRSVPAudioStat
47 destRSVPVideoStat
48 dateTimeConnect
49 dateTimeDisconnect
50 lastRedirectDn
51 pkid
52 originalCalledPartyNumberPartition
53 callingPartyNumberPartition
54 finalCalledPartyNumberPartition
55 lastRedirectDnPartition
56 duration
57 origDeviceName
58 destDeviceName
59 origCallTerminationOnBehalfOf
60 destCallTerminationOnBehalfOf
61 origCalledPartyRedirectOnBehalfOf
62 lastRedirectRedirectOnBehalfOf
63 origCalledPartyRedirectReason
64 lastRedirectRedirectReason
65 destConversationId
66 globalCallId_ClusterID
67 joinOnBehalfOf
68 comment
69 authCodeDescription
70 authorizationLevel
71 clientMatterCode
72 origDTMFMethod
73 destDTMFMethod
74 callSecuredStatus
75 origConversationId
76 origMediaCap_Bandwidth
77 destMediaCap_Bandwidth
78 authorizationCodeValue
79 outpulsedCallingPartyNumber
80 outpulsedCalledPartyNumber
81 origIpv4v6Addr
82 destIpv4v6Addr
83 origVideoCap_Codec_Channel2
84 origVideoCap_Bandwidth_Channel2
85 origVideoCap_Resolution_Channel2
86 origVideoTransportAddress_IP_Channel2
87 origVideoTransportAddress_Port_Channel2
88 origVideoChannel_Role_Channel2
89 destVideoCap_Codec_Channel2
90 destVideoCap_Bandwidth_Channel2
91 destVideoCap_Resolution_Channel2
92 destVideoTransportAddress_IP_Channel2
93 destVideoTransportAddress_Port_Channel2
94 destVideoChannel_Role_Channel2
95 incomingProtocolID
96 incomingProtocolCallRef
97 outgoingProtocolID
98 outgoingProtocolCallRef
99 currentRoutingReason
100 origRoutingReason
101 lastRedirectingRoutingReason
102 huntPilotDN
103 huntPilotPartition
104 calledPartyPatternUsage
105 outpulsedOriginalCalledPartyNumber
106 outpulsedLastRedirectingNumber
107 wasCallQueued
108 totalWaitTimeInQueue
109 callingPartyNumber_uri
110 originalCalledPartyNumber_uri
111 finalCalledPartyNumber_uri
112 lastRedirectDn_uri
113 mobileCallingPartyNumber
114 finalMobileCalledPartyNumber
115 origMobileDeviceName
116 destMobileDeviceName
117 origMobileCallDuration
118 destMobileCallDuration
119 mobileCallType
120 originalCalledPartyPattern
121 finalCalledPartyPattern
122 lastRedirectingPartyPattern
123 huntPilotPattern

How to enroll VPN client with IOS CA

If you didn’t notice Cisco IOS routers can serve as CA servers as well. The example configurations are easy to find on the cisco.com but the only trick to know when enrolling Cisco VPN client with IOS CA is the syntax you put as url – the string should look:
I attach below screenshot so you can see what I mean.
Some references as well .


URL to use when enrolling with Cisco CA

PKI client enrol with cisco CA

To continue the series I did this video of configuring users to manage IPS sensor – adding/deleting/resetting password/unlocking them. All the configs are being done on CLI.

Meet the Cisco IPS sensor 4200 series, episode 1 – Initial configuration

Some great products get unfair treatment for unclear reasons. One such gear is Cisco IPS sensor 4200 appliance, that while doing its job doesn’t get much attention, fame and even worse proper relation on Cisco.com documentation site. The documentation exists but scarce , examples of configuration – close to none, screenshots – go find. You got the picture – and here comes my humble effort to introduce the sensor to wider audience of this website.
First is the initial configuration using the console. The software used is 6.1 , sensor hardware is IPS 4235 . I am doing the config NOT running built-in #setup dialog.
Enjoy and have a nice day.

Archive IOS running configuration automatically for possible rollback

Here is a feature that will save you time and frustration in many possible scenarios – especially when managing Cisco routers in multi-user environment. Once enabled archiving saves periodically copy of the running configuration of IOS router to the flash or remote server. So
next time something stops working after changes and you don’t know which one caused this – just revert back to the working configuration that is readily available.

Older posts

© 2016 yurisk.info

Theme by Anders NorenUp ↑