Voice Rack Rental Guide v3.11

Voice
Rack Rental Access Guide

Editor: Stephen Satchell Version 3.11 (3)
Voice Rack Rental Guide version 3.11
Copyright 2012 INE, Inc.
INE, Inc. Suite E200 170 120th Ave NE Bellevue, WA 98005 http://www.ine.com
ii
Copyright Information
Copyright 2012 INE, Inc. All rights reserved. This publication, Voice Rack Rental Access Guide, was developed by INE, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission from INE, Inc. Cisco, Cisco Systems, CCIE, CCNA, CCENT, and Cisco Certified Internetwork Expert, are registered trademarks of Cisco Systems, Inc., and its affiliates in the United States and certain countries. All other products and company names mentioned in this Guide are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this Access Guide, the authors and editors have used their best efforts to distinguish proprietary trademarks from descriptive name by following the capitalization styles used by the manufacturer.
iii
Disclaimer
This publication, Voice Rack Rental Access Guide, is designed to assist candidates in their preparation for the Cisco Systems Voice Certification Exam. The enclosed material is presented to you on an as is basis. Every effort has been taken to ensure that all material contained in this Guide is complete and accurate. The contributors, editor, and INE, Inc. assume no liability or responsibility to any person or entity with respect to loss or damages incurred by using the information contained in this Access Guide. This Access Guide was developed by INE, Inc. and is an original work of the aforementioned editor and contributors. Any similarities between material presented in this guide and actual Cisco exam material is completely coincidental. We apologize if this document contains any errors or omissions. Please send your comments and corrections to racks@ine.com.
iv
Table of Contents
Section 1. Introduction ...................................................................................................1
1.1. 1.2. 1.3. 1.4. 1.5. Rack Reservation Confirmation Letter......................................................................................2 Lab Rack Access Overview.......................................................................................................2 Session Activity Overview........................................................................................................3 Passwords..................................................................................................................................3 IP Phone MAC addresses..........................................................................................................3
Section 2. Lab Rack Diagram.........................................................................................4 Section 3. Getting Started At Your Location.................................................................5

3.1. Minimum Necessary Equipment...............................................................................................5 3.2. Three Options for Using IP Phones...........................................................................................7 3.2.1. Option 1 Using Hardware IP Phones at Your Location .................................................7 3.2.2. Option 2 Remotely Control the IP Phones Attached to Our Racks................................7 3.2.3. Option 3 Using IP Softphones on Your PC.....................................................................8 3.3. Five Options For Voice Rack Connectivity...............................................................................9 3.3.1. Option 1 - Hardware-Based Layer 2 VPN Using IOS Router and Catalyst Switch..........9 3.3.2. Option 2 - Hardware-Based Layer 3 VPN Using a Cisco Router, PIX or ASA................9 3.3.3. Option 3 Software-Based Cisco SSL AnyConnect VPN Client...................................10 3.3.4. Option 4 Software-Based Cisco IPSec EasyVPN Client..............................................10 3.3.5. Option 5 VPN-Less Public-IP Connection...................................................................10 3.4. Firewall Information................................................................................................................11
Section 4. Linking Your Location To Ours Via VPN..................................................13

4.1. Establishing the Layer 2 VPN (L2VPN) or Layer 3 VPN (L3VPN) Link..............................13 4.2. Verifying the VPN Link and Connectivity..............................................................................15
Section 5. Accessing Routers and Etherswitches........................................................17

5.1. Single TELNET connection to multiple devices.....................................................................17 5.2. Multiple TELNET Connections to Console Lines..................................................................20 5.3. Clearing a busy console line....................................................................................................22 5.3.1. Clear a busy console line using the control panel............................................................23 5.3.2. Clear a busy console line using the access server............................................................24 5.4. TELNET over VPN to Rack Device Virtual Console.............................................................25
Section 6. Power-Cycling Your Lab Rack Devices.....................................................26 Section 7. Accessing Lab Rack Servers via VPN........................................................28
7.1. Servers accessed using a Web browser....................................................................................28 7.2. Servers accessed using a Microsoft Remote Desktop Connection (RDC)..............................31 7.2.1. MS-RDC in Windows......................................................................................................31 7.2.2. MS-RDC for Macintosh..................................................................................................31 7.3. Servers Accessed Using Secure Shell (SSH)..........................................................................32 7.4. Servers Without Any Administrative Access...........................................................................32 7.5. Resetting a Server To Its Initial State......................................................................................33
Voice Rack Rental Guide version 3.11 v Copyright 2012 INE, Inc.
Section 8. Accessing Lab Rack Servers via VPN-Less Public IP Address................34

8.1. Establishing the Direct Public-IP Link: Register your Local IP address................................34 8.1.1. Using a Web Browser To Register Your Local IP Address..............................................34 8.1.2. Using TELNET To Register Your Local IP Address.......................................................36 8.2. Public IP Address Servers Using a Web Browser...................................................................37 8.3. Public IP Address Servers Using Microsoft Remote Desktop Connection.............................40 8.3.1. MS-RDC in Windows......................................................................................................40 8.3.2. MS-RDC for Macintosh..................................................................................................40 8.4. Public-IP Server Access Using Secure Shell (SSH)................................................................41 8.5. Public IP Address Access of PSTN Router.............................................................................42
Section 9. Free Web-Based Variphy Insight Remote IP Phone Control................44 Section 10. Loading Configurations Into Your Voice Rack.......................................45
10.1. 10.2. 10.3. 10.4. Loading Configurations Into Your Routers and Switches.....................................................45 Loading or Saving Configurations Into or From the CUCM Server.....................................47 Configuring a MAC Address For Your PSTN Phone............................................................48 Setting SRST ON or OFF on Your Voice Rack.....................................................................49
Section 11. Changing Unity Express (AIM-CUE) Licensing.....................................52 Section 12. Lab Rack Support......................................................................................53
12.1. Scope Of Support..................................................................................................................53 12.2. Knowledge Base....................................................................................................................54 12.3. Common Lab Rack Access Problems And Their Solution....................................................54 12.3.1. Cannot Connect To TELNET Gateway racks.ine.com..................................................54 12.3.2. Line In Use.................................................................................................................55 12.3.3. Cannot Connect To My Lab Rack.................................................................................55 12.3.4. Lab Rack Connection Intercepted.................................................................................56 12.3.5. Cannot Connect To A Device.........................................................................................56 12.3.6. Cannot Bring Up a Link................................................................................................57 12.3.7. Cannot Establish a VPN Link To My Voice Rack.........................................................57 12.3.8. VPN Link Disconnections.............................................................................................58 12.3.9. Variphy Insight was unable to establish a connection...................................................58 12.3.10. Unable to connect using public IP addresses (FQDNs)...............................................58 12.4. Restore Lab Rack Password..................................................................................................59 12.5. Submitting An Emergency Support Ticket ...........................................................................61 12.6. Submitting A Support Request Ticket...................................................................................64 Appendix A. Using Customer Local Cisco Router for VPN (Allows for Customer Hardware Cisco IP Phones) .........................................................................................................................................65 Appendix A.1. Sample IOS Router L2VPN Configuration ..............................................................66 Appendix A.2. Sample Cisco IOS Catalyst Switch L2VPN Configuration ......................................68 Appendix A.3. Test Your Hardware VPN Prior to Your Lab Rack Session.......................................74 Appendix A.4. Connecting Your IP Phones.......................................................................................74 Appendix A.5. Troubleshooting Your Hardware IOS Router VPN Connection................................75
vi
Appendix B. Using Customer Local Cisco Router for VPN (Allows for Customer Hardware Cisco IP Phones) .........................................................................................................................................76 Appendix B.1. Sample IOS Router VPN Configuration ...................................................................76 Appendix B.2. Test Your Hardware VPN Prior to Your Lab Rack Session.......................................79 Appendix B.3. Connecting Your IP Phones.......................................................................................80 Appendix B.4. Multicast Music-on-Hold Will Not Function Across Your VPN Link.......................81 Appendix B.5. Troubleshooting Your Hardware IOS Router VPN Connection................................81 Appendix C. Using Customer Local ASA 5505 or PIX 501 for VPN (Allows for Customer Hardware Cisco IP Phones).......................................................................................................................82 Appendix C.1. Sample ASA/PIX VPN Configuration ......................................................................82 Appendix C.2. Test Your ASA/PIX VPN Prior to Your Lab Rack Session........................................85 Appendix C.3. Connecting Your IP Phones.......................................................................................86 Appendix C.4. Multicast Music-on-Hold Will Not Function Across Your VPN Link.......................87 Appendix C.5. Troubleshooting Your Hardware ASA/PIX VPN Connection...................................87 Appendix D. Using Cisco SSL VPN........................................................................................................88 Appendix D.1. Test Your SSL VPN Prior to Your Lab Rack Session................................................90 Appendix D.2. Multicast Music-on-Hold Will Not Function Across Your VPN Link......................91 Appendix D.3. Troubleshooting Your Cisco AnyConnect SSL VPN Connection.............................91 Appendix E. Using the Cisco IPSec EasyVPN Client...........................................................................92 Appendix E.1. Test Your Cisco EasyVPN Client Prior to Your Lab Rack Session...........................93 Appendix E.2. Multicast Music-on-Hold Will Not Function Across Your VPN Link.......................95 Appendix E.3. Troubleshooting Your Cisco IPSec EasyVPN Connection........................................95 Appendix F. VPN and Public-IP-Address Support Configuration....................................................96 Appendix G. Active Directory Schema, DNS Server Information.....................................................98 Appendix H. Router and Ethernet Port Tables...................................................................................101 Appendix I. Device Connectivity Quick Reference.........................................................................103
vii
This page intentionally left blank
viii
Section 1.
Introduction
This manual describes how to access all the features of our Voice Lab Racks. Specifically, it details how to establish a VPN connection between your location and our voice lab rack, and how to access each of the devices and servers described below within the lab rack from your location. Your voice lab rack consists of:
Three routers Two Etherswitches One PSTN/Frame Relay simulator (labeled PSTN in the diagram) One Advanced Integration Module for Cisco Unity Express (AIM-CUE) voicemail Six Cisco IP telephones directly connected to the Voice lab rack Six (optional) Cisco IP telephones at your place of study - provided by you One Windows XP Test/Utility server One Cisco Unified Communications Manager (CUCM) Publisher server One Cisco Unified Communications Manager (CUCM) Subscriber server One Cisco Unity Connection (CUC, or UC) server One Cisco Unified Contact Center (CUCCX, or UCCX) server One Cisco Unified Presence (CUPS) server One Microsoft Active Directory server (labeled MS Win2K AD in the diagram) One access server (not shown in the diagram) for console port access to routers and switches Additional infrastructure not visible to you, nor configurable by you, to connect your rack to servers and the VPN
Section 2 shows how all these components, except the access server and infrastructure elements, are wired together. Section 9 describes how to use free remote-control software to control the IP phones at our location. Section 11 describes how to change the licensing for the AIM-CUE module in the Branch 2 (R3) router, if necessary, to either CUCM or CME. Appendix G contains the summary tables of VLANs, IP Subnets, Router and Etherswitch Port connections, T1/E1 connection information, DSP resources, and PSTN codes. Appendix H, at the end of this document, is a one-page quick reference for rack access information.
1.1.
Rack Reservation Confirmation Letter
When you scheduled your voice lab rack session, you received a rack reservation confirmation e-mail message that includes (1) the date and time of your lab rack session, (2) authentication tokens for that lab rack session, and (3) useful links to information on how to effectively use the racks, including a link to this document. The authentication tokens are provided to you in a block that looks like this:
###########QUICKLOGININFORMATION########### RackTime/Date:06/11/20109:00AM2:30PMPDT TelnetAccessInformation: racks.ine.com Youmayuseport23or60023 VPNAccessInformation: vorackvpn.ine.com Authentication: Username:vorack12 Password:bc78ad
The user name and password are case-sensitive for both TELNET and VPN access. 1.2. Lab Rack Access Overview The routers, Etherswitches, and the PSTN/Frame Relay simulator are accessed using TELNET connections to the console port, exposing a command line interface (CLI) in each device. The AIM-CUE module, located in R3, is accessed using R3's Service Module connection capability in the router to link the module to the R3 console port. Servers use either Web browser links (Call Manager, Unity Connection, Presence), or Microsoft Windows Remote Desktop Connection links (Contact Center, XP Utility); connections for both methods is over a Virtual Private Network (VPN) defined within the lab rack that links equipment at your location to the lab rack, as well as direct externally-accessible IP addresses. We also offer SSH access for command-line interface access for Unity Connection, Unified Presence, and Call Manager. The hardware IP phones we provide, that are directly connected to our racks, are remotely controlled using the Variphy Insight Remote Phone Control software, software that we have licensed and provide to you at no additional cost. More information on the usage of this software can be found in Section 9, Free Web-Based Variphy Insight Remote Phone Control. Hardware IP phones you may provide (in lieu of our rack-connected remotely-controlled phones), or IP softphones you purchase and install onto your computer, are networked into the lab rack over the hardware or software VPN link between your location and ours. More information on hardware and software VPN can be found in Section 4, as well as Appendices A through D. Lab rack configuration information to support VPN and public-IP access is found in Appendix E.
1.3.
Session Activity Overview
Within a typical session, first establish the VPN link between your location (computer or extended network) and our lab rack. Load any initial configurations as directed by your workbook. Check to see that all devices have been configured: R1, R2, R3, SW1, SW2, PSTN. Then, in any order: Step 1. Step 2. Step 3. Connect to the routers and Etherswitches in the lab rack to set configuration. Connect with the servers to set up the telephony services. Test your set-up by using the hardware IP phones at our location (using remote control software), any hardware IP phones at your location, or any IP softphones you have installed in your computer.
Repeat these steps, as appropriate, to adjust and test your configurations to detect and fix problems and issues. Remember to save your configurations often. 1.4. Passwords
Unless otherwise directed in the Workbook Labs, if you need to set an enable password or vty password, please use the user name cisco and password cisco , all lower case. In particular, do not use any password other than cisco on the 3550 or 3560 Etherswitches, because password recovery can only be done by our technicians physically manipulating the device. 1.5. IP Phone MAC addresses
When configuring the routers, switches, and the servers, you need to collect the Media Access Control addresses (MAC addressses) of the IP phones you are using. For those phones provided by us, you can use CDP in SW1 and SW2 to collect the information. For those phones you use at your location, you can read the MAC addresses from the units. Our automation will extract the MAC address of the lab rack's PSTN phone (if present) and configure the PSTN router with that information when performing a rack reset, or a configuration load. This eliminates the need for you to manually set up the PSTN phone's MAC address when you are using our phone located in our rack room, as described in Section 10.3.
Section 2.
Lab Rack Diagram
For the IP phones at your location, you may use 7961, 7962, 7965, or 7970 phones at will for any of the phones listed.
Section 3.
Getting Started At Your Location
This section describes the minimum equipment you need to effectively work the lab tasks in our voice workbooks. This section also describes additional software and equipment you can utilize to expand your studies of Cisco Unified Communications. 3.1. Minimum Necessary Equipment
The minimum equipment you need at your location is a commodity computer with a Microsoft Windows operating system (XP, Vista or 7) or a Macintosh computer with the Mac OS X operating system. Verify you have suitable software installed that offer these services: TELNET client Remote Desktop Connection client Web browser
Static IP address recommended: We strongly recommend you use an Internet connection at your location that utilizes a static IP address to link to your ISP. We do realize that the majority of our CCIE candidates must connect using ISPs, hotels, or corporate networks that only offer IP addresses via DHCP. Many candidates have successfully worked with our racks using services that lease IP addresses via DHCP; some candidates, though, have found that the ISP, hotel, or corporate-network lease policies cause frequent disconnections. Also, ISPs who give you a static IP address typically don't block the TCP, UDP, and protocol ports you need to work with our racks. Users of local wireless access points need to verify that neither the access points, nor the uplink service, are blocking necessary TCP, UDP, and protocol ports.
For the Windows operating system, the following software is useful: TELNET: Secure CRT; paid from VanDyke Software (www.vandyke.com) Putty; free (www.putty.org) this is what the actual CCIE exam uses now Windows Telnet (Start > Run > cmd.exe > telnet.exe)
Remote Desktop: Remote Desktop Client (Start > Run > mstsc.exe) Web Browser: Internet Explorer version 7 or 8 Firefox; free from Mozilla (www.firefox.com) For the Macintosh operating system, the following software is useful: TELNET: ZOC; paid from EmTec (www.emtec.com) iTerm; free from SourceForge (iterm.sourceforge.net) Apple Terminal (Applications > Utilities > Terminal.app)
Remote Desktop: CoRD; free from SourceForge (cord.sourceforge.net) Remote Desktop Client for Mac; free from Microsoft (www.microsoft.com/mac/products/remote-desktop/default.mspx) Web Browser: Firefox; free from Mozilla (www.firefox.com) Internet Explorer version 7 or 8 running on VMWare Fusion
3.2. 3.2.1.
Three Options for Using IP Phones Option 1 Using Hardware IP Phones at Your Location
(best option use along with one of two Hardware-based VPN) To use your own hardware Cisco IP phones, you need to implement one of the two Hardware Network Extension options, described in just a bit. You can then attach your own IP phones to the your-location portion of the lab rack network and register the phones with your rack directly. More information about implementing this option is found in Chapter 4 Establishing the VPN Link, and Appendices A, B and C describing how to user a Cisco router or Cisco ASA to create the VPN link. 3.2.2. Option 2 Remotely Control the IP Phones Attached to Our Racks
(next best option use along with VPN-Less or Software-based SSL or IPSec VPN) INE has a set of dedicated IP phones attached directly to each one of our Voice lab racks; these phones are the same model phones we use when hosting a live CCIE Voice Bootcamp. The IP phone complement consists of: Two (2) 7961 phones attached to the CorpHQ switch (SW1); One (1) 7961 phone attached to the Branch1 (R2) Etherswitch Module; Two (2) 7961 phones attached to the Branch2 switch (SW2); and One (1) 7960 PSTN phone attached to the CorpHQ switch (SW1). Remotely controlling these phones can be accomplished by any standard web browser on any Mac, PC or Linux computer. More information about IP phone placement is found in the diagram in Section 2, and information (including a link to a video demo) about how to control these IP phones is found in Section 9.
3.2.3.
Option 3 Using IP Softphones on Your PC
(less desirable option use along with Software-based SSL or IPSec VPN) The last of the IP phone options is installing SCCP or SIP IP softphone software onto your computer. This option does not require the use of the hardware-based network extension method of establishing a VPN link. The major disadvantage of the IP softphone is that it doesn't support many of the features needed to pass your CCIE exam, such as Globalization and many Softkeys. For the SCCP IP softphone for Windows (only), check out http://www.ipblue.com for product information. For the SIP IP softphone for both Windows and Macintosh alike, check out http://www.counterpath.com/x-lite.html for product information. To use the softphone option, you will need to use the Cisco IPSec Easy VPN Client, or the Cisco AnyConnect SSL VPN Client, as described below.
3.3.
Five Options For Voice Rack Connectivity
These five options are ordered from most-to-least-desirable, and in fact you can read more about them 3.3.1. Option 1 - Hardware-Based Layer 2 VPN Using IOS Router and Catalyst Switch
BEST OPTION! With INE's Voice Racks, you can literally have the exact same setup as the actual CCIE Voice Lab uses at every location. In the real voice lab, you don't have any physical interaction with any of your lab equipment except for the candidate PC and the IP Phones. All lab equipment lives in San Jose, California, US, regardless of testing facility, and all IP Phones are connected back to the rack of equipment via Layer 2 VPN (even in San Jose, CA for uniformity of testing experience). This means your IP phones appear directly connected to your switches in your INE Voice rack (e.g. If you do a show cdp neighbor on your rack-connected switches, they will show your IP phones that are actually in front of you at your study location, and all layer 2 broadcasts/multicasts will work just as they would if your phones were physically connected to those rack-connected switches). INE gives you the option of using this exact same configuration for your lab practice. In fact, this is the same option we use in each of our CCIE Voice Bootcamps. You can extend your IP phones to INE's lab rack via Layer 2 VPN by having and configuring both a Cisco IOS router and a Cisco Catalyst switch. Pretty much the only reason you would not use this option is if you don't have both a (supported) Cisco IOS router and Cisco Catalyst switch and/or IP phones of your own. More information about this (including requirements for both router and switch) is found both in the next chapter Chapter 4 Establishing the VPN Link, as well as at the end of this document in Appendix A. 3.3.2. Option 2 - Hardware-Based Layer 3 VPN Using a Cisco Router, PIX or ASA
With this option, you still get to use your own IP phones, however they will not appear directly connected to your switches in your INE Voice rack as in the previous option. However this option still allows you to extend the INE voice rack network to your location by configuring a Cisco IOS router (with an Advanced Security IOS image installed), a Cisco PIX security appliance, or a Cisco ASA (Adaptive Security Appliance). The only reason you would use this option over the previous option is if you either don't have a (supported) Cisco switch or if you only have a PIX or ASA but not an (supported) IOS router. More information about this is found both in the next chapter Chapter 4 Establishing the VPN Link, as well as at the end of this document in Appendices B and C.
3.3.3.
Option 3 Software-Based Cisco SSL AnyConnect VPN Client
With this option you use INE's rack-connected IP phones and our free, included remote phone control software. SSL AnyConnect VPN is convenient because it works for Mac, PC and Linux, and because it doesn't require you to download any software from Cisco the web-based installer does this all automatically for you, and updates the client automatically when we upgrade the software on our SSL VPN portal. You would use this option if you don't have IP phones and an IOS router, PIX or ASA of your own. More information about this is found at the end of this document in Appendix D. 3.3.4. Option 4 Software-Based Cisco IPSec EasyVPN Client
With this option you use INE's rack-connected IP phones and our free, included remote phone control software. Cisco's IPSec-based EasyVPN software client is available for Mac or PC. You must download this software on your own, and you must have a valid Cisco SMARTNet software licensing agreement to do so. We cannot provide EasyVPN Client for you, as it would violate our software licensing agreement with Cisco. You would use this option if you don't have IP phones and an IOS router, PIX or ASA of your own, and you also (for whatever reason) are not able to use the SSL AnyConnect VPN option above. More information about this is found at the end of this document in Appendix E. 3.3.5. Option 5 VPN-Less Public-IP Connection
With this option you use INE's rack-connected IP phones and our free, included remote phone control software. Connecting to INE Voice Racks is as simple as it could possibly be with this method, whereby you simply browse to your rented rack's authentication portal, authenticate yourself, and then browse, TELNET, SSH or RDP to any machine in your rack that you need to access. This method does allow for full remote control of all the IP phones that we have attached to each voice rack. You would use this option if you don't have IP phones and an IOS router, PIX or ASA of your own, and you also (for whatever reason) are not able to use the SSL AnyConnect or Cisco IPSec VPN client options above (such as not having administrative access to your laptop to install software although the SSL AnyConnect does still typically work when you do not). More information about this option (including a link to a video demo) is found in Section 8.
10
3.4.
Firewall Information
This section is provided for those people who run into trouble reaching our lab racks. In most cases, you should not need any of this information. The information here becomes extremely useful if you find yourself behind a corporate or hotel firewall, behind a personal firewall set to a mostly-closed configuration, or using an ISP or corporate network with unusual characteristics. TELNET access to our portal, racks.ine.com, uses port 23/TCP.1 If you run into a situation where this port is blocked, then establish a VPN link and TELNET directly to the devices using the addresses shown in Appendix H, or use the Public-IP method described in Section 8 to connect to the PSTN router, then through that to the rest of the routers and switches in your lab rack. Remote Desktop Protocol (RDP) connections use port 3389/TCP. This is true when using our VPNless access method (such as to util.vorack#.ine.com) or trying to connect over a VPN link. The SSL VPN system uses 443/TCP for its connections. Because this port is used to access secure Web pages, it should work when all else fails. The Virtual Private Network (VPN) system uses several different combinations of protocols and ports to make a connection. The standard EzVPN connection uses 450/UDP (ISAKMP) plus two IP level protocols, Encapsulating Security Payload (ESP, IP protocol 50) and Authentication Header (AH, IP protocol 51). An alternate connection scheme uses two UDP ports, 500/UDP (ISAKMP) and 4500/UDP (ipsec-nat-t). If you are using a Cisco router, the IOS image software release where this feature was added was 12.2(13)T. This feature support IPSec transparency over connections with Network Address Translation (NAT) or Port Address Translation (PAT) at any point. Finally, we support tunneling IPSec over 80/TCP and 8080/TCP. The disadvantage of using this form of tunneling is that the header size increases, which may fragment packets going back and forth through the VPN. Fragmented packets will slow things down, but it's better than not passing any data at all. To those having trouble connecting to our VPN server, you may want to try an option, described below, to bypass any firewalls your company or ISP may provide. For Cisco routers, add this:
cryptoctcpkeepalive cryptoipsecclientezvpnINEVORACK cryptoctcpport80
1 Access using an alternative port, such as 60023/TCP, is under development but not available at this time. Voice Rack Rental Guide version 3.11 11 Copyright 2012 INE, Inc.
For the Cisco ASA5505, add these commands to your configuration:

cryptoipsecdfbitcleardfoutside vpnclientipsecovertcpport80
Using tunneling over TCP/80 increases packet overhead, which can lead to fragmented packets and slow the connection down but that's better than not being able to connect at all.
12
Section 4.
Linking Your Location To Ours Via VPN2
Unlike our lab racks for other CCIE tracks, the Voice CCIE lab racks require you to not only access some of the components using TELNET, but also some components using a Web browser, some components using a Windows Remote Desktop Connection (MS-RDC) client, and some components using direct IP phone SCCP and/or SIP signaling as well as RTP media streaming. Our rack components are isolated from the Internet, so we provide a Virtual Private Network (VPN) portal to link your computer and phone equipment with our lab rack equipment. You then connect to the components via TELNET, Web browser, MS-RPC or direct IP phone signaling and RTP media streaming, all over the secure VPN link. 4.1. Establishing the Layer 2 VPN (L2VPN) or Layer 3 VPN (L3VPN) Link
We support five options to connect your equipment to our lab rack via VPN. But which method works best? That depends on what equipment you have at your study location. If you have hardware IP phones, a Cisco router and a Cisco Catalyst switch at your location, you may use the Layer 2 Hardware VPN option: Use one of the supported Cisco routers with an Enterprise IOS image installed, along with one of the supported Cisco Catalyst switches to extend each of your INE rented rack's 3 sites' Layer 2 switched networks to your IP phones and study computer at your study location. Supported Cisco IOS Enterprise feature-set routers: 2611XM (2611 non-XM will not support necessary L2TPv3) 1841 1941 28xx 29xx 38xx 39xx
Supported Cisco Catalyst switches: 3550 (Inline Power preferable, but PWR-CUBEs can be used for IP phones) 3560 (PoE preferable, but PWR-CUBEs can be used for IP phones) 3750 (PoE preferable, but PWR-CUBEs can be used for IP phones)
2 Section 8 describes an alternative method for accessing the voice lab servers when you are not using any phones at your location, eliminating the need to establish a VPN link from your location to ours. Voice Rack Rental Guide version 3.11 13 Copyright 2012 INE, Inc.
When connecting via this method, you will see that you connect both interfaces from your router to your switch. This is because one of the interfaces (Fa0/1 in our provided configuration) must be a L2-ONLY interface, leaving the other Fa0/0 interface to act as both the inside and outside L3 interface, pointing to your study computer and to the Internet, respectively. This is accomplished by breaking out the Fa0/0 interface of the router into 2 more Dot1Q VLAN sub-interfaces, and then connecting both your Internet connection and your study laptop or desktop to the switch as well. All of this is very clearly described in detail in remarks above each section in the sample configurations that we provide for you. For instructions and sample configurations on setting up our Layer 2 Hardware VPN option on both your Cisco router and switch, see Appendix A for instructions. If you have hardware IP phones, a Cisco router or a Cisco ASA, but not a Cisco switch at your location, you may use the Layer 3 Hardware VPN option: Use a Cisco router with an Advanced Security IOS image installed, Cisco PIX, or Cisco ASA to extend the lab rack internal network to all the devices and computers at your location. For instructions on setting up VPN on Cisco routers, see Appendix A for Cisco routers; see Appendix B for Cisco ASA and PIX instructions. (Other Cisco-compatible VPN facilities may also be used, but they are not supported by our technicians, nor can we provide configuration instructions; use the information in Appendix A and B as guides to configuring such equipment.) If you are using only a single computer with no hardware phones at your location, you may use the Layer 3 Software VPN option: Use Cisco SSL VPN or Cisco IPSec EasyVPN software to establish the link between your location's computer and our lab rack. Cisco SSL VPN uses a standard browser, while the IPSec EasyVPN software is a software package sold by Cisco, which you install into your computer. Your computer may use this VPN link to remotely control our rack-connected IP phones, or use software-based IP softphones purchased by you and installed on your PC. Appendix C describes how to use your browser to build up a SSL VPN connection, while Appendix D describes how to use IPSec Easy VPN software to build the link.
Voice Rack Rental Guide version 3.11 14 Copyright 2012 INE, Inc.
4.2.
Verifying the VPN Link and Connectivity
Once you have established your Layer 3 Hardware or Software VPN link3 from your location to our lab racks, it's a good idea to verify that your VPN link is working, and that the basic routing and switching functions are OK. To make this verification, you use a series of ping tests to points within the lab rack. In order: Test Ping 177.254.254.254sourceFa0/1 Ping 177.1.254.254 Ping 177.1.254.1 Ping 177.1.11.20 Ping 177.1.10.10
4
Path VPN to VPN-portal-resident loopback VPN to PSTN VPN to PSTN to R1 VPN to PSTN to R1 to SW1 VPN to PSTN to R1 to SW1 to CUCM Publisher
At the first failure, use the diagram in Section 2 of this document to trace the source of the connectivity problem in the last link of the path. For example, if the first three ping tests pass, but the fourth one fails, then the problem is in R1, SW1, or the connection between them. Failure of the ping test to 177.254.254.254 means that the VPN tunnel itself is not set up properly, or routing is not set up properly at your location. In particular, check the gateway IP setting, that you are sending all requests to Net 177 to your VPN device in the case of a router, PIX, or ASA configuration. Failure of the ping test to 177.1.254.254 is special. This is the hop from our VPN access portal to your lab rack, through the PSTN router. Verify using the TELNET portal (see section 5 of this document) that the PSTN router interface has these two interfaces configured:
interfaceLoopback0 ipaddress177.1.254.254255.255.255.255 ! interfaceFastEthernet0/0 description==VPNUplink ipaddress177.253.#.1255.255.255.0 duplexauto speedauto !
where # is the voice rack ID number: 1 for VORack1, 12 for VORack12.
3 This verification will not work if you are connecting via the Layer 2 Hardware VPN option. 4 Adding source Fa0/1 is only if you are connecting via a Hardware-based VPN solution, and Fa0/1 denotes your inside interface. Pinging using the inside interface as the source is essential to getting a reply from the far side. Voice Rack Rental Guide version 3.11 15 Copyright 2012 INE, Inc.
If the PSTN router does not have these interfaces set up properly, we recommend you use the voice rack control panel to reload all the devices to the default state (initial config), or to the initial state for the Deep Dive lab on which you are working. See Section 10 of this document for step-by-step instructions for doing this task.
16
Section 5.
Accessing Routers and Etherswitches
Routers (including the PSTN/Frame Relay simulator) and Etherswitches are accessed using TELNET connections to the command line interface (CLI) of the devices. You have several options, which can be, with limitations, mixed and matched: Single TELNET connection, accessing the lab rack access server's console, and reverse telnet to each device Multiple TELNET connections, accessing the lab rack access server's direct line to the device TELNET over the VPN to the device's loopback IP address, as shown in the quick reference guide Single TELNET connection to the PSTN router using the public-IP addressing system (Section 8), and reverse-telnet to each of the other router and switch devices. Multiple TELNET connections to the PSTN router using the public-IP addressing system (Section 8), and reverse-telnet to one each of the other router and switch devices.
(You could enable the HTTP server in each device, and use your Web browser to connect to the device using the IP address shown in the quick reference guide. Not all devices have the HTTP support loaded onto them, so this may not work reliably. We recommend using the TELNET methods of working with the routers and Etherswitches.) For more detailed instructions on using the access server provided in our racks, see the on-demand video at http://classroom.ine.com/p55597555/ for our recommended way of accessing the equipment using the access server and racks.ine.com. 5.1. Single TELNET connection to multiple devices
You establish a single connection through our TELNET portal to the voice rack access server:
host$telnetracks.ine.com Trying75.140.41.59... Connectedtoracks.ine.com. Escapecharacteris'^]'. UserAccessVerification Username:vorack12 Password:bc78ad
(you may need to press Enter a few times here)

VORack12AS>
17
From here, you can access the console of almost any device in the rack. First, list the hosts available to you:
VORack12AS>showhosts Defaultdomainisnotset Name/addresslookupusesstaticmappings Codes:UNunknown,EXexpired,OKOK,??revalidate temptemporary,permpermanent NANotApplicableNoneNotdefined Host R1 R2 PSTN SW2 R3 SW1 Port 2001 2002 2003 2004 2005 2006 Flags Age (perm,OK) (perm,OK) (perm,OK) (perm,OK) (perm,OK) (perm,OK) Type 59 64 ** 59 ** ** Address(es) IP1.1.1.1 IP1.1.1.1 IP1.1.1.1 IP1.1.1.1 IP1.1.1.1 IP1.1.1.1
Note the device names in the Host column: you can type any name from this list then hit Enter, and the access-server will reverse-telnet to the specific device. Hit Enter again to see the router prompt of the newly-connected device.
VORack12AS>r1 TryingR1(1.1.1.1,2001)...Open VORack12R1#
Press Ctrl-Shift-6 (all at once) then release and press "x" to return back to the access-server prompt. Enter the special w command (where), which shows you the currently open sessions:
VORack12AS>w Conn Host Address Byte *1 R1 1.1.1.1 0 VORack12AS>
Idle ConnName 4 R1
Now you can open connection to another router, using its hostname from the list you get using the show host command.
VORack12AS>r2 TryingR2(1.1.1.1,2002)...Open VORack12R2#
18
Press Ctrl-Shift-6, (then) x again to return back to the access-server prompt. Now the w command reveals two active connections:
VORack12AS>w Conn Host AddressByte 1 R1 1.1.1.10 *2 R2 1.1.1.10
Idle ConnName 4 R1 1 R2
Note the numbers in the Conn column: its the connection number for that connection. At the access-server prompt, you can enter the connection number to switch back to the respective router. For example, now you can enter 1 or 2 to switch back to R1 or R2. If you simply hit Enter at the access-server prompt, it resumes the last active connection (marked by the * sign in the w command output).
VORack12AS>1 [Resumingconnection1toR1...] VORack12R1#
When using the access-server with a single TELNET connection from your location, we recommend you open connections to all devices in the rack, and switch between them using Ctrl-Shift-6-x and then entering the connection number in the access-server prompt. When you finish opening all the connections, the output of the w command would look like this:
VORack12AS>w Conn Host 1 R1 2 R2 3 R3 4 PSTN 5 SW1 *6 SW2
Address 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1
Byte 0 0 0 0 0 0
IdleConnName 0R1 6R2 0R3 0PSTN 0SW1 0SW2
When you instruct our automation to load an initial configuration, all the connections to all the devices will be forced closed; you will need to re-open the connections when the configuration loading is complete.
19
5.2.
Multiple TELNET Connections to Console Lines
Flipping back and forth from device to device using the access server to do the multiplexing can become tiring, especially when you try to make a configuration change that affect two ends of the same link. Windows, Mac, and Linux users can have multiple windows open, each with a TELNET session. Modern versions of programs like Secure CRT offer tabbing, so that changing the focus to another device is a single mouse-click. If you prefer that method of working with multiple devices, you start an instance of TELNET for each device on your computer. Within each instance, you log into the rack and the device with a single user ID for each device:
window1$telnetracks.ine.com Trying75.140.41.59... Connectedtoracks.ine.com. Escapecharacteris'^]'. UserAccessVerification Username:vorack12r1 Password:bc78ad

VORack12R1#
Now change to (or create) your second window or tab


VORack12R2#
20
Now change to (or create) your third window or tab


VORack12R3#
Continue the process, in additional windows or tabs, specifying the user names vorack12pstn, vorack12sw1, and vorack12sw2. You end up with six windows or tabs, one per device. With multiple separate windows, you can shift each of them around so that you can see the contents of one window while keying configuration data into another. Another benefit of using multiple windows is you can see error messages on multiple devices at the same time, so you can trace and debug problems like connection flapping. On the other hand, tabbed windows require only one mouse movement plus one click to change focus, and you don't have to shift anything to see the entire output. Which method you use is a matter of personal style and preference. When you instruct our automation to load an initial configuration, all the connections to all the devices will be forced closed; you will need to re-open the connections when the configuration loading is complete.
21
5.3.
Clearing a busy console line
This section applies to both styles of TELNET connection(s) to your lab rack described in the previous two sections. Occasionally you may get disconnected from the access server as a result of a temporary network outage or your ISP's DHCP changing your local IP address. You may find that the router refuses your attempt to log in again, issuing messages similar to this one:
host$telnetracks.ine.com Trying75.140.41.59... Connectedtoracks.ine.com. Escapecharacteris'^]'. UserAccessVerification Username:vorack1r3 Password:mn98ty ++ || |Lineinuse.Logintotheaccessserverusingthe| |usernameclearvorack1andmanuallycleartheline.| || ++ Connectionclosedbyforeignhost.
In order to fix this problem, you need to clear the access server's connection to the console line for the router you wish to access. We offer two ways to do this. The first way is to use your Member's Site account and clear the line with the control panel. The second is to use the special log-in to the access server that lets you clear lines.
22
5.3.1.
Clear a busy console line using the control panel
Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session Click on the link Control Panel. You should see this:
Click on the button Clear line next to the desired device to tell the access server to close the connection to the device's console port.
23
5.3.2.
Clear a busy console line using the access server
You can use the access server for your rack to clear busy console lines. To do this, you use a special log-in sequence to our TELNET gateway:
host$telnetracks.ine.com Trying75.140.41.59... Connectedtoracks.ine.com. Escapecharacteris'^]'. UserAccessVerification Username:clearvorack1 Password:bc78ad
When the authentication is successful, you will see this menu:

Server"VORack1AS"Line171Terminaltype(unknown) ++ || |AccessServerMenu| || ++ 0.CleartheConsoleconnection 1.ClearR1line 2.ClearR2line 3.ClearPSTNline 4.ClearSW2line 5.ClearR3line ExitExit Pleaseenteryourselection:
You key the menu number of the console line you want to clear, followed by ENTER. The access server will then clear the line. For example, to clear R3's console line, press 5 followed by ENTER.
24
5.4.
TELNET over VPN to Rack Device Virtual Console
When connecting to multiple console-based devices, having to key the rack/device user name and the password multiple times sometimes just doesn't appeal. If the devices are configured correctly to allow virtual consoles (and, by default, our rack automation does configure all devices to allow for them), after establishing the VPN connection you can connect to the appropriate loopback address for the device. For example:
window9$telnet177.1.254.3 Trying177.1.254.3 Escapecharacteris'^]'. VORack12R3#
Unlike using the console ports, which utilizes RS-232 links between the access server and the router or Etherswitch, this technique instead establishes a direct TCP-based virtual console connection to the device. This means that any banner defined for virtual consoles, and the prompt for input, is always displayed. In the example above, the virtual console ports have been configured to use level 15 permissions instead of level 1 for CLI operations. Having the console ports configured in that way eliminates the need to enter the enable command each time you connect. The table of lab rack device IP addresses for a default-configured voice lab rack are in Appendix G. If, for some reason, a router or Etherswitch was not properly configured by the lab rack automation system, you will not be able to establish a connection to it using the TELNET-over-VPN method. You will need to make a TELNET connection via TELNET to racks.ine.com and use your credentials to gain a link to the Lab Rack access server, and then connect to the router or switch to set up proper address don't forget VLAN setup when you do this. Alternatively, you may use your rack control panel to reload a working initial configuration into your rack devices, so that you can use a direct TELNET connection. This will reset all your rack devices to the specified configuration, so remember to save all your work first in the devices you have already configured.
25
Section 6.
Power-Cycling Your Lab Rack Devices
Sometimes your configuration can cause a router or Etherswitch to blow out like an out-of-control oil well; you can't stop its output or break it out of a frozen state. When that happens, we offer a way to power-cycle a specific device to bring it back. Here's how: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current Service Provider rack session Click on the link Control Panel. You should see this:
Click the Power Cycle button corresponding to the device you need to turn off and turn back on.
26
The control panel will then cause the automation to turn off the device for five seconds, then turn it back on. We recommend that you have a TELNET session to monitor the power-up and IOS image loading and starting. If your configuration that caused the device to go insane had been saved to NVRAM, you may want to force the device into ROMMON mode to bypass loading the problem configuration saved in the device. Use the device-specific method for clearing out the configuration from NVRAM, then let the device boot again.
27
Section 7.
Accessing Lab Rack Servers via VPN5
The section following this one describes how to access your voice lab rack servers without forcing you to use a VPN link. This section describes how to access your servers over the VPN. 7.1. Servers accessed using a Web browser
Your rack has the following servers available for access via a web browser:
Device/Server CUCM Publisher CUCM Subscriber Cisco Unity Connection (CUC) Cisco Unified Presence (CUPS) Unified Contact Center Express (UCCX) IP Address https://177.1.10.10 https://177.1.10.20 https://177.1.10.30 https://177.1.10.50 http://177.1.10.40/appadmin Username admin admin admin admin uccxadmin Password cciecisco cciecisco cciecisco cciecisco cisco
To access these servers, open a VPN connection to the voice rack establish an HTTP connection, specifying the IP address from the table
5 Section 8 describes how to use the VPN-Less Public-IP method for accessing your servers. This is useful if there is no other reason to establish a VPN connection from your location to our location. Voice Rack Rental Guide version 3.11 28 Copyright 2012 INE, Inc.
You will see an opening page, like this one6:
Click the link to access the Administration Page. A warning will appear (like the one below) reporting a problem with the websites security certificate. Please click the link Continue to this website as highlighted below. This warning is fine, and will not affect your session or computer. The example here is for Microsoft Internet Explorer; for other browsers, follow the instructions to grant an exception for the Web site.
You then see an authentication entry page where you will use the username and password that you saw in the table at the beginning of this section, namely: admin cciecisco (without the quotes).
6 All servers will show the above pages except for the UCCX server. For the UCCX server, you should open your web browser and browse to the URL of: http://177.1.10.40/appadmin (notice that all of the rest of the servers use SSL with https, but this UCCX server does not, and only uses http) Voice Rack Rental Guide version 3.11 29 Copyright 2012 INE, Inc.
When you browse to that URL, you will see this login screen:
You then see an authentication entry page where you will use the username and password that you saw in the table at the beginning of this section, namely: uccxadmin cisco (without the quotes). However, browsing to this web page will be best done by first RDP'ing into the UCCX server, to ensure maximum browser compatibility.
30
7.2.
Servers accessed using a Microsoft Remote Desktop Connection (RDC)
Your rack has the following servers available for access via Microsoft Remote Desktop Connection:
Device/Server XP Test/Utility Unified Contact Center Express (UCCX) IP 177.1.10.100 177.1.10.40 Username admin admin Password cciecisco cciecisco
We recommend using a screen resolution of 1280x1024 or above on your remote desktop client from your location. To bring up the Windows Task manager inside a remote desktop session, press CTRL+ALT+END on your keyboard or click on the "Task Manager" icon on the desktop of the lab machines. 7.2.1. MS-RDC in Windows
For further instructions on using Remote Desktop Connection in Windows, please visit the following link, and reference the bottom section on connecting to a remote PC.
http://www.microsoft.com/windowsxp/using/ mobility/getstarted/remoteintro.mspx
Click here to download the Windows Remote Desktop Connection client for Windows 95, Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, or Windows 2000:
http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx
7.2.2.
MS-RDC for Macintosh
For further instructions on using Remote Desktop Connection to connect to Window systems, please visit this link, and reference the bottom section on connecting to a remote PC:
http://www.microsoft.com/windowsxp/using/ mobility/getstarted/remoteintro.mspx
To download the Remote Desktop Connection client for Macintosh, visit this link:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID= 6573f9f18ae14da9ab5cf8457ecdaf2d&displaylang=en
31
7.3.
Servers Accessed Using Secure Shell (SSH)
Four of the seven servers in your Voice Lab Rack offer command-line style access to their services. Those servers, and the credentials you use to access them, are:
Device/Server CUCM Publisher CUCM Subscriber Cisco Unity Connection (CUC) Cisco Unified Presence (CUPS) Command sshadmin@177.1.10.10 sshadmin@177.1.10.20 sshadmin@177.1.10.30 sshadmin@177.1.10.50 Password cciecisco cciecisco cciecisco cciecisco
When using a package like SecureCRT, the user name is admin and the password is cciecisco for all four servers. The domain name is the IP address. To illustrate how to use the Unix or Macintosh tool ssh to access your servers, we illustrate the sequence to access the CUCM Publisher server's command line interface:
$sshadmin@177.1.10.10 admin@177.1.10.10'spassword: Lastlogin:FriMay2702:16:412011from10.4.100.129 WelcometothePlatformCommandLineInterface WARNING,VMwareVirtualEnvironmentDetected! VMwareisNOTasupportedplatform! admin:
The warning is expected, and normal. Ignore it. To access the other servers, simply replace 177.1.10.10 with the IP address of the server you wish to access. 7.4. Servers Without Any Administrative Access
In your Voice Lab Rack, there is a Windows Active Directory server. This server is accessible to you and to the rest of the Lab Rack only via Lightweight Directory Access Protocol (LDAP) transactions. You will not be able to RDP or HTTP into this machine. The Active Directory server may be accessed by ping from the routers, but not from your location. This may be changed in the future.
32
7.5.
Resetting a Server To Its Initial State
During the course of I've tried A, I've tried B, I've tried C experimentation, your actions may leave the server completely useless, or even inaccessible. In real life this can be a considerable problem. In our lab environment, though, we provide a quick way for you to reset a given server to the same state it was in when your lab rack session started. Here's how to do it: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session Click on the link Control Panel. You should see this:
Click on the button Reset servername to return the server servername to its original state.
You will lose all configuration settings made on the server you reset. This also includes
previously activated services, so you will have to activate them again. There is no button for the Active Directory server.
33
Section 8. Accessing Lab Rack Servers via VPN-Less Public IP Address

For a detailed video demonstration of the method to access Voice Lab Rack devices and servers, see:
http://ieclass.ine.com/p70126296/
8.1.
Establishing the Direct Public-IP Link: Register your Local IP address
In order to use the direct public IP address method of accessing your rack servers and PSTN router, you have to register your IP address with our access portal. There are two ways to do this, using a Web browser link, or using TELNET to the PSTN address. Once you have registered your IP address with our portal, future accesses will go right through to the rack. For the public-IP access to your lab rack servers to work, you need to have your configuration in the PSTN router, R1 router, and SW1 Etherswitch set up properly for outside access and for connection to the server. If your routers and Etherswitch are, for some reason, misconfigured, we recommend strongly that you use your rack control panel to initialize the configuration of all routers and Etherswitches to the default configuration, or to the configuration of the lab you are doing, before doing a lab exercise. See Section 10 for instructions on loading configurations; see Appendix X for more information about the minimum configuration necessary. 8.1.1. Using a Web Browser To Register Your Local IP Address
When you make initial contact with the voice servers for a particular lab rack for a particular session, you will see a series of screens. For this example, we will show each step when we connect to the CUCM Publisher server on VORack12 using this technique. The other servers connect in a similar way.
34
As you connect to servers, you may see multiple times a window saying This connection is untrusted like this one (from Firefox) or a similar window from other browsers:
Use the browser-specific method to tell your browser that connections to this server are OK. This is normal, because the certificates on the servers and in the VPN portal are self-signed certificates. Issue the request to the browser using the URL from the table in the next session to your browser. In this example we use https://pub.vorack12.ine.com. You are then shown this window. Enter the lab rack ID and password contained in your Lab Rack Reservation Confirmation Letter; in this example we use vorack12 and the password for our current session:
35
Press the OK button. When you have successfully established the link, you will see this:
Press the DONE button. You will then see the screen for the server whose URL you specified; in our example, it's the screen from CUCM Publisher server:
In this particular case, click the blue Cisco Unified Communications Manager Administration link to gain access to the server login page. Other servers will present different screens. Using TELNET To Register Your Local IP Address
8.1.2.
One of the links, pstn.vorack#.ine.com, is used with TELNET to access your PSTN router via a public IP address. You can authenticate your public-IP access using TELNET. In the example shown below, again we use VORack12.
36
$telnetpstn.vorack12.ine.com Trying75.140.41.214... Connectedtopstn.vorack12.ine.com(75.140.41.214). Escapecharacteris'^]'. WelcometoGradedLabsVoiceRackRentalVPNLessAccess. Pleaseauthenticateyourselfwiththecredentialsyoureceivedinyour rentalconfirmationemail.Afteryouauthenticateyourself,youwill bedisconnected.Simplyreconnecttothesamehostnameandyouwill beatyourPSTNprompt. Username:vorack12 Password: FirewallauthenticationSuccess. Connectionwillbeclosedifremoteserverdoesnotrespond Connectingtoremoteserver... Connectionclosedbyforeignhost. $telnetpstn.vorack12.ine.com Trying75.140.41.214... Connectedtopstn.vorack12.ine.com(75.140.41.214). Escapecharacteris'^]'. PSTN#showver|includeCisco CiscoIOSSoftware,3700Software(C3725ADVENTERPRISEK9_IVSM), Version12.4(15)T13,RELEASESOFTWARE(fc3) Copyright(c)19862010byCiscoSystems,Inc. use.DeliveryofCiscocryptographicproductsdoesnotimply AsummaryofU.S.lawsgoverningCiscocryptographicproductsmaybe foundat: Cisco3725(R7000)processor(revision0.1)with247808K/14336Kbytes ofmemory. PSTN#
8.2.
Public IP Address Servers Using a Web Browser
Your rack has the following servers available for access via a web browser, where vorack# is vorack1 for voice rack 1, and vorack12 for voice rack 12:
Device/Server CUCM Publisher CUCM Subscriber URL https://pub.vorack#.ine.com https://sub.vorack#.ine.com Username admin admin admin admin uccxadmin admin Password cciecisco cciecisco cciecisco cciecisco cisco cciecisco
Cisco Unity Connection (CUC) https://cuc.vorack#.ine.com Cisco Unified Presence (CUPS) https://cups.vorack#.ine.com Unified Contact Center Express http://uccx.vorack#.ine.com/appadmin (UCCX) Variphy Insight Remote Control http://util.vorack#.ine.com
To access these servers, open a VPN connection to the voice rack establish an HTTP connection, specifying the IP address from the table
37
You will see an opening page, like this one7:
Click the link to access the Administration Page. A warning will appear (like the one below) reporting a problem with the websites security certificate. Please click the link Continue to this website as highlighted below. This warning is fine, and will not affect your session or computer. The example here is for Microsoft Internet Explorer; for other browsers, follow the instructions to grant an exception for the Web site.
All servers will show the above pages except for the UCCX server. For the UCCX server, you should open your web browser and browse to the URL of: http://177.1.10.40/appadmin (notice that all of the rest of the servers use SSL with https, but this UCCX server does not, and only uses http) 38 Copyright 2012 INE, Inc.
You then see an authentication entry page where you will use the username and password that you saw in the table at the beginning of this section, namely: admin cciecisco (without the quotes).
When you browse to that URL, you will see this login screen:
You then see an authentication entry page where you will use the username and password that you saw in the table at the beginning of this section, namely: uccxadmin cisco (without the quotes). However, browsing to this web page will be best done by first RDP'ing into the UCCX server, to ensure maximum browser compatibility.
39
8.3.
Public IP Address Servers Using Microsoft Remote Desktop Connection
Your rack has the following servers available for access via Microsoft Remote Desktop Connection, where vorack# is vorack1 for voice rack 1, and vorack12 for voice rack 12:
Device/Server XP Test/Utility Unified Contact Center Express (UCCX) URL rdp://util.vorack#.ine.com rdp://uccx.vorack#.ine.com Username admin admin Password cciecisco cciecisco
We recommend using a screen resolution of 1280x1024 or above on your remote desktop client from your location. To bring up the Windows Task manager inside a remote desktop session, press CTRL+ALT+END on your keyboard or click on the "Task Manager" icon on the desktop of the lab machines. You must establish a link with your local IP address using a browser or with TELNET. There is no way to do so using Microsoft Remote Desktop. 8.3.1. MS-RDC in Windows
For further instructions on using Remote Desktop Connection in Windows, please visit the following link, and reference the bottom section on connecting to a remote PC.
http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
Click here to download the Windows Remote Desktop Connection client for Windows 95, Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0, or Windows 2000:
http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx
8.3.2.
MS-RDC for Macintosh
For further instructions on using Remote Desktop Connection to connect to Window systems, please visit this link, and reference the bottom section on connecting to a remote PC:
http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
To download the Remote Desktop Connection client for Macintosh, visit this link:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6573f9f18ae14da9ab5cf8457ecdaf2d&displaylang=en
40
8.4.
Public-IP Server Access Using Secure Shell (SSH)
Four of the seven servers in your Voice Lab Rack offer command-line style access to their services. Those servers, and the credentials you use to access them, are:
Device/Server CUCM Publisher CUCM Subscriber Cisco Unity Connection (CUC) Command sshadmin@pub.vorack#.ine.com sshadmin@sub.vorack#.ine.com sshadmin@cuc.vorack#.ine.com Password cciecisco cciecisco cciecisco cciecisco
Cisco Unified Presence (CUPS) sshadmin@cups.vorack#.ine.com
When using a package like SecureCRT, the user name is admin and the password is cciecisco for all four servers. The domain name is the IP address. To illustrate how to use the Unix or Macintosh tool ssh to access your servers, we illustrate the sequence to access the CUCM Publisher server's command line interface on VORack3:
$sshadmin@pub.vorack3.ine.com admin@pub.vorack3.ine.com'spassword: Lastlogin:FriMay2702:16:412011from10.4.100.129 WelcometothePlatformCommandLineInterface WARNING,VMwareVirtualEnvironmentDetected! VMwareisNOTasupportedplatform! admin:
The warning displayed by the server is expected, and normal. Ignore it. The same technique, and display, applies to all four servers. You must establish a link to our VPN portal with your local IP address using a browser or with TELNET. There is no way to do so using Secure Shell.
41
8.5.
Public IP Address Access of PSTN Router
Your rack's PSTN router is directly accessible via your TELNET program, where vorack# is vorack1 for voice rack 1, and vorack12 for voice rack 12:
Device/Server PSTN FQDN pstn.vorack#.ine.com Username none Password none
There can be a user name and password, or just a password, configured for the virtual console configuration of the PSTN router, but our standard default configuration does not configure either a username or a password. The picture below is an example of connecting to the PSTN router on VORack12:
$telnetpstn.vorack12.ine.com Trying75.140.41.214... Connectedtopstn.vorack12.ine.com(75.140.41.214). Escapecharacteris'^]'. PSTN#showver|includePSTN PSTNuptimeis18hours,15minutes PSTN#
This is more powerful than would seem at first glance. From the PSTN router, you can use the IOS TELNET command to connect to the other routers and Etherswitches in your rack. Even better, you can have multiple TELNET connections from your local computer to the PSTN router, connections which in turn can be used to TELNET to the other devices. This lets you have multiple windows on the computer at your location, once for each of R1, R2, R3, PSTN, SW1, and SW2. Or, if you are using SecureCRT from Van Dyke software, or another TELNET program that allows for multiple tabs, you can used the tab feature to switch from device to device. Within the PSTN routers, you should find these host definitions already added; use the showhosts command to verify:
42
PSTN#showhosts Defaultdomainisnotset Name/addresslookupusesstaticmappings Codes:UNunknown,EXexpired,OKOK,??revalidate temptemporary,permpermanent NANotApplicableNoneNotdefined HostPortFlagsAgeTypeAddress(es) R1None(perm,OK)0IP177.1.254.1 R2None(perm,OK)0IP177.1.254.2 R3None(perm,OK)0IP177.1.254.3 SW1None(perm,OK)0IP177.1.11.20 SW2None(perm,OK)0IP177.3.11.20
So, to TELNET from the PSTN router to R1, all you need to type is R1 (followed by the Enter key). The same is true for the other four devices. Indeed, the PSTN router now looks just like the access server accessed via racks.ine.com, so the instrutions in Section 5 for using the PSTN router for navigating around the lab rack are the same as the instructions for using the access server. This is handy. The example below shows the output of the w command after opening connections to all the router and Etherswitch devices in VORack12:
PSTN#w ConnHostAddressByteIdleConnName 1r1177.1.254.100r1 2r2177.1.254.200r2 3r3177.1.254.300r3 4sw1177.1.11.2000sw1 *5sw2177.3.11.2000sw2
Use the standard Cisco escape sequence (Ctrl-Shift-^ x) to get back to the PSTN router, then use the connection (Conn) number to select the device you wish to talk with.
43
Section 9.
Free Web-Based Variphy Insight Remote IP Phone Control
INE has now licensed IP phone remote control software from Variphy to allow you, our customer, free access to remotely control all of the Cisco hardware IP phones connected directly to our voice racks via HTTP, using nothing more than a standard web browser. To access this Variphy Insight web-based remote phone control software, open a web browser using either of these URLs:
URL http://177.1.10.100/insight/ http://util.vorack#.ine.com/insight/ Username admin admin Password cciecisco cciecisco
For instructions on how to use Variphy Insight to remotely control the Cisco IP phones attached to our voice racks, please watch the video at
There is a limitation in using this web-based remote phone control software: you will not be able to hear any RTP audio from these IP phones. This is because the remote control software is not a "softphone, but that you are remotely controlling our rack-connected hardware IP phones. The following notes are from the video above; we strongly recommend watching the video and take whatever additional notes you need. Variphy, Inc. strongly advices you to use the Firefox browser Java must be enabled for the software to work properly In CUCM Publisher, each phone you wish to control needs to have a device association with the user varify
44
Section 10.
10.1.
Loading Configurations Into Your Voice Rack
Loading Configurations Into Your Routers and Switches
When first connecting to your Voice rack, you may wish to apply Initial configurations, or possibly after having configured for a while, you may wish to apply Final configurations to your devices to see how the instructor configured the routers and switches. Make sure you have Java and JavaScript enabled in your browser for the domain ine.com To apply configurations to your routers and switches, you should: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session Click on the link Control Panel. You should see this:
45
Click on the link Click here to choose a configuration to be loaded on your Voice Rack; you will then see this window (shown here with the pull-down list expanded):
Choose the Initial or Final configuration8 from the pull-down list:
Then click the Load Config button. You will see this conformation and progress window:
While the configuration is being installed into your lab rack, please do not try to access any of the router or Etherswitch devices over your VPN link or using the public IP address method. Doing so may interrupt our automation's loading process, and corrupt the configuration load.
8 If you wish to return your rack's router and Etherswitch devices to the same state as they were when you first got your rack at the beginning of your lab rack session, pick Workbook v3.0 Volume 1 & 2 Initial Configs from the pull-down list. Voice Rack Rental Guide version 3.11 46 Copyright 2012 INE, Inc.
When the configuration load is complete, you will see this window.
Configurations are only applied to your rack's PSTN, R1, R2, R3, SW1 and SW2 routers and switches, and not to any of your Voice servers (for that see the next paragraph) or to the AIM CUE card in R3. This process will erase the current configuration on the router and Etherswitch devices before applying the new Initial or Final configurations. If you wish to preserve your existing configurations before applying the new ones, please set up logging, or copy and paste the configurations off of those devices, prior to running this option. At the time of publication of this edition of the Voice Rack Rental Access Guide, only the CCIE Voice Deep Dive product and some of the CCIE Voice Volume II mock labs have unique Initial and Final configurations. Please check the beginning of any CCIE Voice lab product to see if it says to load a specific Initial configuration before working the lab. If a lab doesn't specify a configuration, tell our automation to load the configuration labeled Workbook v3.0 Volume 1 & 2 Initial Configs which provides the basic infrastructure configuration. As we update these Workbook products, Initial and Final configurations will be developed and called out at the start of each lab or chapter. 10.2. Loading or Saving Configurations Into or From the CUCM Server
To load or save 'Initial' or 'Final' configurations into or from your Unified Communications Manager server, please follow the directions laid out in these brief videos:
&
47
10.3.
Configuring a MAC Address For Your PSTN Phone
You will undoubtedly be working with a PSTN phone of some type, be it a hardware IP phone at your location, or the rack-connected, remotely-controlled 79609. You will need to ascertain the MAC address of the phone you wish to become your PSTN phone. Then perform these operations: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session Click on the link Control Panel. You should see this:
9 Our automation detects and sets, in the PSTN router, the MAC address of the rack-room-located PSTN phone associated with your lab rack at the time you reset the rack, or load a configuration. If you want to use our PSTN phone, this means you can skip entering the PSTN IP phone MAC address using the control panel. Voice Rack Rental Guide version 3.11 48 Copyright 2012 INE, Inc.
Click on the link Click here to enter the MAC address of your phone for use with the PSTN, where you will be shown a screen that looks like this:
Here you should enter the MAC address of your phone into the window, and press Submit. You may go about other tasks, however please do not close the window or attempt to access the PSTN router during the few minutes that it takes to set the MAC address. The pop-up webpage will update when the submission of your MAC address to the PSTN router is complete. You will then need to set your PSTN phones TFTP address as follows10: PSTN Phone TFTP Address: 177.1.254.254 Setting SRST ON or OFF on Your Voice Rack
10.4.
During the course of your studying, you will inevitably need to study Cisco Unified Survivable Remote Site Telephony (SRST). To do so in an actual lab exam, the test can be verified quite easily by simply shutting down the Serial interface on a router at a site where you wish to invoke SRST. This is possible because your phones in front of you are local to the router's Ethernet subnet. However, when renting a Voice rack from INE, you are connecting your IP phones (hardware or software) remotely across a VPN connection, where the IP path of traffic flows through your remote site router's Serial interface to be able to connect to it, and thus shutting down that router's Serial interface would result in a complete loss of remote phone, or remote phone control, connectivity. Our solution is to have an access control list applied to your CorpHQ R1 to block certain types of traffic, while allowing others. This is easily accomplished by following this procedure: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session
10 You only need to input the TFTP address into the PSTN phone if it is one that you have direct contact with. For the INEprovided, rack-connected, remotely-controlled 7960 IP phone, you do not need to do this, because the CorpHQ Switch (SW1) has a separate VLAN and DHCP Pool laid out for specifically this purpose. Voice Rack Rental Guide version 3.11 49 Copyright 2012 INE, Inc.
Click on the link Control Panel. You should see this:
Click on Click here to configure SRST on your Voice Rack, where you will be presented with a pop-up window like this:
Here you will choose which Branch router you wish to deal with regarding SRST, and whether you wish to send that Branch into SRST mode (ON) which applies a blocking ACL, or if you wish to take that Branch out of SRST mode (OFF) which removes the blocking.
50
If you choose to send either Branch into SRST mode (ON), you will be allowed to enter one or two IP addresses of a phone(s) in front of you that you wish to participate in falling back to SRST, as shown11:
If you choose to take a Branch out of SRST mode (OFF), you do not need to enter an IP address, but simply need to press the 'Submit' button, as shown:
In either case, please allow the configuration to complete, and the pop-up window to close, before attempting to connect to, or make any changes to your CorpHQ R1. If you are remotely-controlling our 7961 IP phone directly connected to your voice rack, you will still be able to fully control these phones after they go into fallback mode, however please note that you may need to shut your current remote control window, and reestablish a direct IP control window. This procedure is outlined in Section 9, as well as demonstrated in the video demo link found there.
11 There is no need to enter the IP addresses of the phone(s) attached to your voice rack, as they will automatically be included in the fallback ACL. The ability to enter IP address(es) is soley if you have phones in front of you that you wish to include in a fallback process. Voice Rack Rental Guide version 3.11 51 Copyright 2012 INE, Inc.
Section 11.
Changing Unity Express (AIM-CUE) Licensing
The XP Utility machine contains two license files for Cisco Unity Express, the AIM-CUE module located inside the Branch2 (R3) router, to integrate the CUE module with either CUCM or CME. If you need a different license than the one currently installed on the CUE module, here are the steps to do so: To test to see which software license is currently loaded, connect to the CUE module and get into global EXEC mode. Issue the following commands:
Branch2#servicemoduleserviceengine0/0session CUE# CUE#showsoftwarelicenses
To change from the CUCM to the CME license, connect to the CUE module and get into global EXEC mode. Issue the following commands12:
Branch2#servicemoduleserviceengine0/0session CUE# CUE#softwareinstallcleanurlftp://177.1.10.100/cuecme.pkguseradminpasswordcciecisco CUE#reload
To change from the CME to the CUCM license, connect to the CUE module and get into global EXEC mode. Issue the following commands11:
Branch2#servicemoduleserviceengine0/0session CUE# CUE#softwareinstallcleanurlftp://177.1.10.100/cueccm.pkguseradminpasswordcciecisco CUE#reload
The FTP server at 177.1.10.100, at the beginning of your lab session, is up and running with the proper configuration. You need not do anything to the server.
12 DO NOT copy and paste these commands to the AIM-CUE module it WILL NOT WORK. Instead you will need to hand-type the commands. You would also have to hand-type these commands in the actual CCIE Voice lab exam for the same reason. The problem is that the AIM-CUE module does not let you set a line width, like a router or Etherswitch does, so when you input a long line, it will generate a ton of output to make the text appear to scroll. Get too far ahead of the AIM-CUE command processor, and the sub-system will drop characters. Voice Rack Rental Guide version 3.11 52 Copyright 2012 INE, Inc.
Section 12.
Lab Rack Support
Most of the time, for most people, the facilities we provide to support your rental of a Voice lab rack is sufficient to let you be productive in your preparation for your lab exam. Sometimes, though, things do go wrong with your rack rental, so we have a technical support staff on-call to help you with failures in our lab racks. This section details that support. 12.1. Scope Of Support
Our technical staff are trained to: perform repairs on or, if necessary, perform replacement of our routers, Etherswitches, security appliances, and cabling within our lab racks and within our infrastructure identify in-the-cloud issues with your access to our TELNET and VPN gateways fix authentication issues with your access to our TELNET and VPN gateways use our cable and interface check reports, generated before your session or sessions start, to speed repair of your lab rack, and to verify that the repair was effective fix problems with lab rack bookings
The cable and interface check, that is run before your session or sessions, sniffs out problems with the rack before you start, and pinpoints the failures it detects. This facility eliminates the need for our technicians to perform diagnostic checking during your rack session to locate a failed cable or interface. Our automation also keeps extensive logs of its actions, and the results of those actions, again to speed identification of the root cause of a problem. Our sales team handle: purchase and accounting of lab rack tokens bulk booking of lab rack sessions conflicts between Boot Camps and self-paced customer rentals
INE staff handles issues for its products via the INE Online Community (http://www.IEOC.com): INE workbooks INE on-demand products INE Bootcamps and Workshops INE purchases and discounts Details on setting up Cisco equipment to implement a lab solution or scenario requirement Operation of Cisco software Technology questions, such as questions about CUCM, CUPS, IP phone, or AIM-CUE configuration
53
12.2.
Knowledge Base
INE maintains a Knowledge Base of information to help troubleshoot common issues, problems, and questions. The link for INE's Knowledge Base is:
http://support.ine.com/index.php?_m=knowledgebase&_a=view
12.3.
Common Lab Rack Access Problems And Their Solution
This section provides a quick troubleshooting guide of common issues and their resolution. 12.3.1. Cannot Connect To TELNET Gateway racks.ine.com
The most common reasons that you cannot reach our TELNET gateway to access your lab rack: Trying to use an SSH client, a Web browser, or using TELNET over SSL Port 23/TCP is firewalled in your computer, or your local network
The Firewall section of this document can help you with finding and opening the needed port to access our TELNET gateway. If you determine that a firewall isn't blocking port 23/TCP, generate a traceroute to racks.ine.com, then follow the instructions in Submitting An Emergency Trouble Ticket. Include the traceroute report in your ticket. Our technicians will then check for the problem.
54
12.3.2.
Line In Use
You are able to reach our gateway, but when you attempt to connect to your lab rack, you see a screen like this one:
host$telnetracks.ine.com Trying75.140.41.59... Connectedtoracks.ine.com. Escapecharacteris'^]'. UserAccessVerification Username:rsrack1 Password:mn98ty ++ || |Lineinuse.Logintotheaccessserverusingthe| |usernameclearrsrack1andmanuallycleartheline.| || ++ Connectionclosedbyforeignhost.
See the section on Clearing a Busy Access-Server Console Line. When trying to access the lab rack using the name, like rsrack1, you want to select the menu item 0. When trying to access a lab rack device directly, like rsrack1r3, use the corresponding menu item to clear the device console connection; in this example, use menu item 3 for the device r3. 12.3.3. Cannot Connect To My Lab Rack
You are able to reach our gateway, but your attempts to get to your lab rack appear to fail. Try using the Cisco escape sequence, in case the access server's console is linked to a lab rack device console; if this is the problem, you will be returned to an access-server command prompt. When that fails, hit ENTER a few times to see if you get a response. Most times, you will see something. When all else fails, clear all the lines using the procedure in Clearing a Busy Console Line to clear the console connection (menu item 0). If you still don't get a response. Follow the instructions in Submitting An Emergency Trouble Ticket. Our technicians will then check for the problem.
55
12.3.4.
Lab Rack Connection Intercepted
In certain circumstances, you will see a screen that looks like this when you try to connect to your lab rack via our TELNET gateway:
ThecurrenttimeisWedJan1213:20:34PST(GMT08)2011 ThisistheINERackSystem.Thepasswordforthisrackloginhasbeen temporarilydisabled.Thereareseveralpossiblereasonsthatthepassword wouldbetemporarilydisabled: 1.Yoursessionhasnotyetstarted.Oursessionsstartat03:00(GMT08), 09:00(GMT08),15:00(GMT08),and21:00Pacifictime(GMT08). 2.Yoursessionhasalreadyended.Oursessionsendat02:30am(GMT08), 08:30am(GMT08),14:30pm(GMT08),and20:30pm(GMT08). 3.Ourrackautomationisstillpreparingtherackforyoursession. 4.Youhaverequestedtheloadingofaproductconfiguration,orone ofyoursavedconfigurations,andourrackautomationisstill workingonyourrequest. 5.YouaretakingaMockLabandourrackautomationiscapturingyourrack forgrading,orpreparingyourrackforthenextpart. Connectionclosedbyforeignhost.
In the first line, you see the current time in our time zone. The time follows the Daylight Savings Time rules for the United States Pacific time zone. If you see this message, it's possible you are trying too early (or too late) to connect to your lab rack. When our automation system is performing a task on your rack, we disconnect you from your lab rack devices, and the access server, and also block you from logging into your rack. This is done so you don't accidentally corrupt your rack or the operation in progress. When the operation is complete, the system restores your ability to log into your rack via the TELNET gateway. This lockout is particularly important for Mock Labs, because the scoring is based on the automation being able to properly configure your rack for each part of the test, and to capture your settings when each part completed. Disrupting your rack will cause you to receive a lower grade. On very, very rare occasions, you may find that you don't have proper access to your rack at the beginning of the session, and you haven't asked the automation system to perform any tasks for you. In that case, wait 15 minutes and try again; if you continue to see the banner, follow the instructions in Restore Lab Rack Password to regain access to your rack. 12.3.5. Cannot Connect To A Device
You try to connect to a device, either from the access server or using the device-specific login sequence on our TELNET gateway. Try using the Cisco escape sequence first. When that fails, hit ENTER a few times to see if you get a response.
56
When all else fails, try power-cycling the device as described in Power-Cycling Your Lab Rack Devices. We recommend strongly that, before you perform the power cycle, you have a TELNET window open to the device (either directly, or through the access server) so that you can watch the bootup messages as they are output by the router. If you see a serious error message, follow the instructions in Submitting An Emergency Trouble Ticket and include the error message. Our technicians will then check for the problem. 12.3.6. Cannot Bring Up a Link
The vast majority of the time, problems with bringing up a link between two devices is a configuration issue, although on rare occasion an interface will die or a cable be knocked loose (but see next paragraph). Before submitting a trouble ticket, enable CDP on both devices, configure the interface on each end of the link to its default, issue noshutdown commands to the interfaces, wait 60 seconds, then use showcdpneighbor to verify the cable is in place. Then use showip interfacebrief to see if the link is reported as up/up. In our Voice lab racks, we have a number of T1 and E1 interface cards. Our experience is that once the T1/E1 interfaces are established, they work well, but getting them up initially takes a bit of work. What we find is that we someones need to power-cycle the device into which the T1 and E1 card is installed in order to make the T1 or E1 controller work again. Use the instructions in Section 6 to power-cycle devices with stuck T1 and E1 cards. If the link will not come up after this procedure, follow the instructions in Submitting An Emergency Trouble Ticket and include the text of your testing on both ends of the link. Our technicians will then check for the problem. 12.3.7. Cannot Establish a VPN Link To My Voice Rack
Most trouble tickets we have received regarding VPN failure has been ports blocked in the network at or near your location, and for router, PIX, and ASA hardware VPN, a problem in the configuration working with the local network or upstream link. Ensure that your firewalls allow the TCP, UDP, and IP packets listed in Section 3.4, Firewall Information. Your checks need to include any wireless access points you may be using. You may need to talk to your local network administrator and your upstream network administrator to be sure all ports are open and usable for outbound connections. The instructions in Section 4 and the various Appendicies A-E provide instructions for verifying proper operation of your VPN link, usually before you rent your first Voice lab rack session13.
13 The exception to verification of VPN before you rent your first session is the L2VPN. At this time, only the EzVPN portion of the L2VPN solution is supported to test before your first rack rental. The actual Layer 2 Tunnel that rides over the EzVPN unfortunately cannot be setup (or at least will not connect) until your rack session begins. Voice Rack Rental Guide version 3.11 57 Copyright 2012 INE, Inc.
12.3.8.
VPN Link Disconnections
When you lose VPN connections, there are a couple of possible reasons. First, the path between your location and our location may pass through routers in trouble. If you do not have a static IP address, either on your local computer or on an access router to your upstream, you need to check if your network or ISP is changing the IP address on DHCP lease renewal. Cable companies, trying to block servers, use short lease times with forced IP address changes. We request that any ticket for VPN disconnect issues include a traceroute from your computer to vorackvpn.ine.com so we may investigate whether congestion or mis-routing is causing the problem. Please include all information, such as IP addresses, so we can do reverse checking as part of troubleshooting. Please also include all error and debug logging information, as these log entries can provide us clues as to the reason for the disconnection. 12.3.9. Variphy Insight was unable to establish a connection
Check to see if you have associated the user variphy in CUCM to all the IP phones in your CUCM cluster. Phones in CME do not need to be associated to any user, per se the configuration should already be setup on your Branch2 R3 when you begin your rack session. This is all described in the video link in that chapter for remotely controlling your phones. 12.3.10. Unable to connect using public IP addresses (FQDNs)
More than likely, you have not registered the IP address at your location for access. In rare instances, when you haven't made use of public-IP connections, the registration can time out; just re-authorize using the Web or TELNET method and you are off to the races; this is particularly a problem when you have booked consecutive sessions on the same rack. Another possibility is that the configuration of your PSTN is incorrect. Verify using the TELNET portal (see section 5 of this document) that the PSTN router interface has these two interfaces configured:
interfaceLoopback0 ipaddress177.1.254.254255.255.255.255 ! interfaceFastEthernet0/0 description==VPNUplink ipaddress177.253.#.1255.255.255.0 duplexauto speedauto !
where # is the voice rack ID number: 1 for VORack1, 12 for VORack12.
58
12.4.
Restore Lab Rack Password
When your password has been disabled, and you believe that there is no good reason for it to be disabled, use this process. To restore your password: Log into your members site account, at http://members.ine.com Click on the gray Rack Rentals tab Scroll down to My Current and Future Rack Rental Sessions Find your current voice rack session Click on the link Control Panel. You should see this:
Click on Reset Rack Password. After a few seconds, you will see this confirmation dialog box:
If the rack is busy when you try to reset the password, you will see this dialog box:
59
Wait for your rack configuration, or other operation, to complete, and if you still cannot access your rack you may use this facility to reset the password.
60
12.5.
Submitting An Emergency Support Ticket
An emergency ticket is warranted in the following situations: Hardware failure in any device of the lab rack Can't login via racks.ine.com Can't connect to lab rack devices from the access server Rack control panel failure Can't establish a VPN link to vorackvpn.ine.com
If your issue is not one of these, use the information in the next subsection, Submitting A Support Request Ticket. We assume that, before you submit an emergency rack trouble ticket, you have tried the troubleshooting tips described in Common Problems and Their Solution, above, and that the tips didn't clear the problem. We also assume that you have collected debugging information to show the problem, and include that debug information in your ticket. This is particularly important to debugging VPN portal access problems. To submit a trouble ticket, go to your Member's Site page:
http://members.ine.com/member/911_tickets/active_session_support.php
If you are not logged into your Member's Site page, you will be asked to sign in:
Use the e-mail address and password for your INE Members account. You will need to click the link again to get to the active support page.
http://members.ine.com/member/911_tickets/active_session_support.php
If you are already signed in to your Member's Site page, our system bypasses this sign-in screen.
61
In either case, you will then see this screen:
If you have multiple rack reservations, you will need to select which lab rack is the one that is the subject of the ticket. Use the pull-down list to indicate which rack is the subject of your trouble ticket. Select the type of problem from the pull-down list (shown in its expanded form) that best describes the nature of the problem. In the problem description, provide as much information as you can to show the nature of the problem and what you've done to resolve it. Then, press the Submit button (hidden in the picture above underneath the pull-down list) to launch your ticket. For problems connecting to our TELNET gateway, please include a traceroute report (not just a ping report) from your location to racks.ine.com so we can begin investigating the problem when we get the ticket. For problems connecting to our VPN gateway, please include the debugging information called out in the appropriate Appendix of this document
You will then see this page, to let you know that your ticket has been accepted.
62
Initial submission of an emergency ticket causes our system to page the on-duty technician, so he is aware there is a serious problem to be addressed. Additions to an emergency ticket do not cause the technician to be paged. Our response time to emergency tickets is usually under half an hour. If the problem can't be fixed quickly, our on-duty technician will respond to your ticket and then perform adjustments, then respond again when the work is completed.
63
12.6.
Submitting A Support Request Ticket
You submit support request tickets by sending electronic mail to specific mail addresses. These addresses are used for tickets that aren't in the emergency-ticket class, described in the previous section. Tickets sent to these addresses are normally handled during United States Pacific coast business hours. The e-mail address varies by the classification of the ticket: Racks: racks@ine.com Sales Issues: sales@ine.com Customer Service: cs@ine.com Support: support@ine.com
When submitting tickets to our technicians, we need not only a statement of the problem, but supporting information so we may start working on resolving the ticket when we receive it. Please use a descriptive subject line. When the ticket is about a specific rack session, please include in the body of your e-mail message: the identification of the rack (like VORack4) the password for the rack session the starting time of the session, using Pacific time;
The password and starting time can be found in your rack reservation confirmation letter described in the Introduction; the information may also be found by clicking the link Rack Access Info... to obtain information similar to:
64
Appendix A. Using Customer Local Cisco Router for VPN (Allows for Customer Hardware Cisco IP Phones)
PLEASE READ Chapter 4 first, to understand requirements and why things are they are as below in the configurations Your router will need to be a supported router (Chapter 4) with an Enterprise IOS feature-set to support these capabilities. INE cannot provide you with this software, and therefore you will need a valid support contract with Cisco in order to download this software. For each lab rack session, you will need to adjust your configuration. The string vorackX is changed to vorack1 for rack1, vorack6 for rack 6, and vorack12 for rack 12. The string <password> is changed to the password for your session, as provided in your confirmation letter. You will also need to adjust the VLANs on your switch according to the rack you are renting. If you have problems, before sending in a ticket be sure to collect the debug information described below in sub-section 5. Our support people need this debug information to analyze your problem.
65
Appendix A.1. Sample IOS Router L2VPN Configuration This is a listing of our reference configuration for supported Cisco routers; you may need to change it to accommodate the needs of your network and uplink.
! !Thisconfigcanbedownloadedfrom: !http://www.ine.com/downloads/voicerouterl2vpnconfig.txt ! ! noipdomainlookup ! ! !ThisisaDHCPPooltoserveyourIPPhonesandLaptopwithIP'sandTFTPaddress ! ipdhcpexcludedaddress192.168.10.1192.168.10.10 ipdhcppoolINEVORACKDHCP network192.168.10.0255.255.255.0 defaultrouter192.168.10.1 dnsserver8.8.8.84.2.2.2 lease7 importall ! ! !ThisisatheEzVPNConfiguration.Replacethe"vorackX" !stringwithyourrackID(vorackX)andreplacethe<password>value !withthepasswordyoureceivedintheregistrationemail. !NOTE:YouwillneedtoreplacethisrackIDandkeyeverytimeyou !schedulealabrackandconnecttoanewsession,usingthenew !IDandpassword.Youwillnotneedtochangeanythingonthisrouter !regardingL2VPNsetup,howeveryouwillneedtochangeVLANsonyour !switchportswhereIPphonesreside,basedonthenotesprovidedin !theconfigurationfilefortheswitch. ! cryptoipsecclientezvpnINEVORACK connectauto groupvorackXkey<password> modenetworkextension peer75.140.41.126 xauthuseridmodeinteractive ! ! !Thisisathe1stpartoftheL2VPNConfiguration. !DonotchangeANYTHING,regardlessofrackassignedeachsession. ! l2tpclassINEVOICEL2TPCLASS authentication passwordcisco cookiesize4 ! pseudowireclassQinQXCONNECT encapsulationl2tpv3 protocoll2tpv3INEVOICEL2TPCLASS iplocalinterfaceLoopback0 ippmtu ! interfaceLoopback0 ipaddress177.177.177.1255.255.255.255 cryptoipsecclientezvpnINEVORACKINSIDE ! ! !
66
!Thisisyouroutsideinterface,connectedtoyourInternet/ISProuter. ! !IfyouhaveastaticIPaddress,setthatinsteadofusingDHCP. !Ifstatic,besuretoalsochangethedefaultroutetoyourupstreamrouter. ! interfaceFastEthernet0/0 description***InternetandStudyComputerCONNECTtoSWITCHPORTFa0/23*** noipaddress duplexauto speedauto ! interfaceFastEthernet0/0.101 description***PublicOutsideInternetDHCPSubInterface*** encapsulationdot1Q101 ipaddressdhcp noipunreachables ipnatoutside ipvirtualreassembly cryptoipsecclientezvpnINEVORACKOUTSIDE ! interfaceFastEthernet0/0.102 description***ConnecttoSwitchforbothInternetandStudyComputer*** encapsulationdot1Q102 ipaddress192.168.10.1255.255.255.0 ipnatinside cryptoipsecclientezvpnINEVORACKINSIDE ! ! !Thisistheinsideinterface,whereyour3550or3560Switchconnects !Donotchangeanything.DonottrytoassignanIPaddress. !ThisisaLayer2swtiched"psuedowire"now,NOTaroutedinterface ! interfaceFastEthernet0/1 description***InsideLayer2SwitchedInterfaceCONNECTtoSWITCHPORTFa0/24*** mtu1508 NOipaddress dot1qtunnelingethertype0x9100 xconnect177.177.177.2123pwclassQinQXCONNECT ! ! !IfusingstaticIP,besuretochangethedefaultroutetoyourupstreamrouterhere. ! iproute0.0.0.00.0.0.0dhcp ! ! !ThisisanACLandNATstatementtoallowyourtraffic !outtoyourISP ! ipaccesslistextendedNAT denyip192.168.10.00.0.0.255177.0.0.00.255.255.255 permitip192.168.10.00.0.0.255any ! ipnatinsidesourcelistNATinterfaceFastEthernet0/0.101overload ! ! ! ! ! !Thisnextbitistoallow(only)INEtoSSHtoyourroutertohelpwithanytroubleshooting ! ipdomainnameine.com usernameadminprivilege15passwordciscoine cryptokeygeneratersamod1024 !
67
linevty015 transportinputssh loginlocal !
(end)
Appendix A.2. Sample Cisco IOS Catalyst Switch L2VPN Configuration This is a listing of our reference configuration for supported Cisco switches; you may need to change it to accommodate the needs of your network and uplink.
! !Thisconfigcanbedownloadedfrom: !http://www.ine.com/downloads/voiceswitchl2vpnconfig.txt ! ! !ThisMTUchangeisneccessarytocarryextraDot1Qtags(Dot1QinQ). !YOUMUSTREBOOTyourswitchsometimeafterthiscommand !(youmayfinishtherestoftheconfiguration,thenreboot). ! systemmturouting1504 ! !YOUMUSTREBOOTyourswitchsometimeafterthiscommand !(youmayfinishtherestoftheconfiguration,thenreboot). ! !TheseVLANsareallofthepossibleVLANsusedforeachVoiceRack !Youwillonlybeusingthe6VLANsfortheVoiceRackyouare !assignedonanygivensession.Therestaresimplyhereforafuture !sessionwhereyoumaybeassignedtoadifferentrack. !EveryVLANisintuitivelynumbered(2XXY)andhasbeengivenaname, !sothatyouquicklyseewhichVLANbelongsonwhichinterface !basedontwothings:1)Rackyouareassigned(XX), !and2)WhatIPPhonethatportwillconnectto(Y). ! !BesuretochangetheVLANoneachofyour6FastEthernetports !connectedtoyour6IPPhones,oneverynewracksession. !Bytheway,ifyouhappentoassignthewrongVLANtoaport !(e.g.youassignaVLANforthewrongrack), !youwillNOTbeabletoconnecttothatrack.Thisisprotected !bytheEzVPNconfigurationontherouterwhereyouchangethe !VORACK#foreachnewsession.Thiswillprotectyouandothers !fromaccidentallyoverwritinganyoneelse'srackconfiguration. ! ! vtpmodetransparent ! vlan101 nameInternet ! vlan102 nameComputer ! vlan2011 nameVORack01CorpHQPh1 ! vlan2012 nameVORack01CorpHQPh2 ! vlan2013 nameVORack01PSTNPh
68
! vlan2014 nameVORack01Branch1Ph1 ! vlan2015 nameVORack01Branch2Ph1 ! vlan2016 nameVORack01Branch2Ph2 ! vlan2021 nameVORack02CorpHQPh1 ! vlan2022 nameVORack02CorpHQPh2 ! vlan2023 nameVORack02PSTNPh ! vlan2024 nameVORack02Branch1Ph1 ! vlan2025 nameVORack02Branch2Ph1 ! vlan2026 nameVORack02Branch2Ph2 ! vlan2031 nameVORack03CorpHQPh1 ! vlan2032 nameVORack03CorpHQPh2 ! vlan2033 nameVORack03PSTNPh ! vlan2034 nameVORack03Branch1Ph1 ! vlan2035 nameVORack03Branch2Ph1 ! vlan2036 nameVORack03Branch2Ph2 ! vlan2041 nameVORack04CorpHQPh1 ! vlan2042 nameVORack04CorpHQPh2 ! vlan2043 nameVORack04PSTNPh ! vlan2044 nameVORack04Branch1Ph1 ! vlan2045 nameVORack04Branch2Ph1 ! vlan2046 nameVORack04Branch2Ph2 ! vlan2051 nameVORack05CorpHQPh1 !
69
vlan2052 nameVORack05CorpHQPh2 ! vlan2053 nameVORack05PSTNPh ! vlan2054 nameVORack05Branch1Ph1 ! vlan2055 nameVORack05Branch2Ph1 ! vlan2056 nameVORack05Branch2Ph2 ! vlan2061 nameVORack06CorpHQPh1 ! vlan2062 nameVORack06CorpHQPh2 ! vlan2063 nameVORack06PSTNPh ! vlan2064 nameVORack06Branch1Ph1 ! vlan2065 nameVORack06Branch2Ph1 ! vlan2066 nameVORack06Branch2Ph2 ! vlan2071 nameVORack07CorpHQPh1 ! vlan2072 nameVORack07CorpHQPh2 ! vlan2073 nameVORack07PSTNPh ! vlan2074 nameVORack07Branch1Ph1 ! vlan2075 nameVORack07Branch2Ph1 ! vlan2076 nameVORack07Branch2Ph2 ! vlan2081 nameVORack08CorpHQPh1 ! vlan2082 nameVORack08CorpHQPh2 ! vlan2083 nameVORack08PSTNPh ! vlan2084 nameVORack08Branch1Ph1 ! vlan2085 nameVORack08Branch2Ph1 ! vlan2086
70
nameVORack08Branch2Ph2 ! vlan2091 nameVORack09CorpHQPh1 ! vlan2092 nameVORack09CorpHQPh2 ! vlan2093 nameVORack09PSTNPh ! vlan2094 nameVORack09Branch1Ph1 ! vlan2095 nameVORack09Branch2Ph1 ! vlan2096 nameVORack09Branch2Ph2 ! vlan2101 nameVORack10CorpHQPh1 ! vlan2102 nameVORack10CorpHQPh2 ! vlan2103 nameVORack10PSTNPh ! vlan2104 nameVORack10Branch1Ph1 ! vlan2105 nameVORack10Branch2Ph1 ! vlan2106 nameVORack10Branch2Ph2 ! vlan2111 nameVORack11CorpHQPh1 ! vlan2112 nameVORack11CorpHQPh2 ! vlan2113 nameVORack11PSTNPh ! vlan2114 nameVORack11Branch1Ph1 ! vlan2115 nameVORack11Branch2Ph1 ! vlan2116 nameVORack11Branch2Ph2 ! vlan2121 nameVORack12CorpHQPh1 ! vlan2122 nameVORack12CorpHQPh2 ! vlan2123 nameVORack12PSTNPh ! vlan2124 nameVORack12Branch1Ph1
71
! vlan2125 nameVORack12Branch2Ph1 ! vlan2126 nameVORack12Branch2Ph2 ! vlan2511 nameVORack51CorpHQPh1 ! vlan2512 nameVORack51CorpHQPh2 ! vlan2513 nameVORack51PSTNPh ! vlan2514 nameVORack51Branch1Ph1 ! vlan2515 nameVORack51Branch2Ph1 ! vlan2516 nameVORack51Branch2Ph2 ! vlan2521 nameVORack52CorpHQPh1 ! vlan2522 nameVORack52CorpHQPh2 ! vlan2523 nameVORack52PSTNPh ! vlan2524 nameVORack52Branch1Ph1 ! vlan2525 nameVORack52Branch2Ph1 ! vlan2526 nameVORack52Branch2Ph2 ! ! interfaceFastEthernet0/1 description==ConnectedtoCustomerCorpHQPhone1 switchportaccessvlan2011 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable ! interfaceFastEthernet0/2 description==ConnectedtoCustomerCorpHQPhone2 switchportaccessvlan2012 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable !
72
interfaceFastEthernet0/3 description==ConnectedtoCustomerPSTNPhone switchportaccessvlan2013 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable ! interfaceFastEthernet0/4 description==ConnectedtoCustomerBranch1Phone1 switchportaccessvlan2014 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable ! interfaceFastEthernet0/5 description==ConnectedtoCustomerBranch2Phone1 switchportaccessvlan2015 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable ! interfaceFastEthernet0/6 description==ConnectedtoCustomerBranch2Phone2 switchportaccessvlan2016 switchportmodedot1qtunnel l2protocoltunnelcdp l2protocoltunnelstp l2protocoltunnelvtp nocdpenable ! ! interfaceFastEthernet0/21 description==ConnectedtoCustomerInternet switchportmodeaccess switchportaccessvlan101 nocdpenable ! ! interfaceFastEthernet0/22 description==ConnectedtoCustomerComputer switchportmodeaccess switchportaccessvlan102 ! ! interfaceFastEthernet0/23 description==ConnectedtoCustomerRouterFa0/0forInternetandComputer switchporttrunkencapsulationdot1q switchporttrunkallowedvlan101102 switchportmodetrunk ! ! interfaceFastEthernet0/24 description==ConnectedtoCustomerRouterFa0/1forL2TPv3 switchporttrunkencapsulationdot1q switchporttrunknativevlan2999 switchporttrunkallowedvlan20002999 switchportmodetrunk ! !
(end)
73
Appendix A.3. Test Your Hardware VPN Prior to Your Lab Rack Session At this time, you unfortunately are not able to test all aspects of this particular option with the INE racks, due to the fact that we would actually have to connect the test mechanism to a live rack, and we don't have any to spare and dedicate specifically to testing. You will get a good test on your first connection, and should feel confident going forward from that time to the rest of your rental sessions. We do apologize, and are working on a way to get a pre-session testing environment setup. Appendix A.4. Connecting Your IP Phones Once you have connected your Layer 2 VPN via your Cisco IOS router, you may then connect all of your phones to your router-connected Cisco Catalyst switch. 1. First connect an Ethernet cable from the router's Inside Layer 2 Switched Interface FastEthernet port (FastEthernet 0/1 in our reference L2VPN-router configuration) to your supported Cisco Catalyst switchport (FastEthernet0/24 in our reference L2VPN-switch configuration) 2. Next connect Ethernet cables from each one of your IP Phone's "To Switch" ports to the appropriately marked Catalyst switchports per our reference L2VPN-switch configuration. Using option, you will need to establish a separate VPN link from your computer to your INE Voice rack, if you wish to also have Internet access. If you do not need Internet access, then you may "piggyback" on the VPN link that your phones are using, back to the rental rack, by connecting your computer to the PC port on the back of any of your (preferably) CorpHQ phones. If choosing to do the latter piggyback method, please be aware that you either will need to configure a static IP address on your laptop in the same Voice VLAN as your IP phone is configured for at your CorpHQ switch, or else have DHCP already setup for that VLAN, and allow your laptop to receive an IP address in that same range. For this particular option, the VPN path does not cross either the PSTN router, but does cross the R1 CorpHQ router (Voice VLAN to Server VLAN is routed through R1) as shown in the Voice Topology diagram. Thus, if you reload the PSTN router, no harm should come. However if you reload the R1 CorpHQ router, you will loose connectivity to your lab rack via the VPN connection. As soon as the router reloads, you regain connectivity. There is no need to take down and re-establish your VPN links again.
74
Appendix A.5. Troubleshooting Your Hardware IOS Router VPN Connection If you having issues with your VPN device connecting, make sure you performed the following tasks before submitting a trouble ticket: Try logging in with the same username/password via SSL VPN and see if that works Issue the following commands, attempt a connection, collect all output, and include the output in your trouble ticket:
showcryptoipsecclientezvpn showl2tun showcryptoisakmp showcryptoipsecsa showtechsupport debugcryptoisakmp debugcryptoipsec debugl2tun debugxconnect
The above information should provide enough details to help us troubleshoot your case.
75
Appendix B. Using Customer Local Cisco Router for VPN (Allows for Customer Hardware Cisco IP Phones)
Your router will need an IOS image with either the Advanced Security or Enterprise feature-set to support this capability. INE cannot provide you with this software, and therefore you will need a valid support contract with Cisco in order to download this software. For each lab rack session, you will need to adjust your configuration. The string vorackX is changed to vorack1 for rack1, vorack6 for rack 6, and vorack12 for rack 12. The string <password> is changed to the password for your session, as provided in your confirmation letter. If you have problems, before sending in a ticket be sure to collect the debug information described below in sub-section 5. Our support people need this debug information to analyze your problem.
Appendix B.1.
Sample IOS Router VPN Configuration
This is a listing of our reference configuration for Cisco routers; you may need to change it to accommodate the needs of your network and uplink.
!Thisconfigcanbedownloadedfrom: !http://www.ine.com/downloads/voiceroutervpnconfig.txt ! !23Sep2010updateaccesslist101(SS) !updateaccesslistIOSFWIN(MS) !updateaccesslistNAT(MS) !updatecryptoipsecclientezvpnINEVORACK(MS) ! !27Sep2010RemoveallDNSreferences ! !3Jan2011updatecryptoipsecclientezvpnandtroubleshooting (MS) ! !16Feb2011addsuggestedPPPoEcommands(commentedout)(MS) ! ! noipdomainlookup ! !ThisisthefirstpartofanIOSFirewalltohelpprotectyou. ! ipinspectnameIOSFWOUTtcptimeout3600 ipinspectnameIOSFWOUTudptimeout3600 ipinspectnameIOSFWOUThttp ipinspectnameIOSFWOUThttpstimeout3600 ipinspectnameIOSFWOUTicmp ipinspectnameIOSFWOUTddnsv3 ipinspectnameIOSFWOUTsmtp ipinspectnameIOSFWOUTpop3 ipinspectnameIOSFWOUTpop3s ipinspectnameIOSFWOUTimap ipinspectnameIOSFWOUTftps ipinspectnameIOSFWOUTntp ipinspectnameIOSFWOUTftptimeout3600 !
76
! !ThisisaDHCPPooltoserveyourIPPhonesandLaptopwithIP's andTFTPaddress ! ipdhcpexcludedaddress192.168.10.1192.168.10.10 ipdhcppoolINEVORACKDHCP network192.168.10.0255.255.255.0 option150ip177.1.10.10 defaultrouter192.168.10.1 importall ! !ThisisatheEzVPNConfiguration.Replacethe"vorackX" !stringwithyourrackID(vorackX)andreplacethekeyvalue !withthepasswordyoureceivedintheregistrationemail. !NOTE:YouwillneedtoreplacethisrackIDandkeyeverytimeyou !schedulealabrackandconnecttoanewsession,usingthenew !IDandpassword. ! cryptoipsecclientezvpnINEVORACK connectauto groupvorackXkey<password> modenetworkextension peer75.140.41.126 xauthuseridmodeinteractive ! !Thisisyouroutsideinterface,connectedtoyourInternet/ISP !ItisalreadyprovisionedwithaIOSFirewallwiththe"inspect" !and"accessgroup"statements ! !IfyouhaveastaticIPaddress(highlyrecommended),setthat !insteadofusingDHCP.Alsobesuretoinstallthedefault !routetoyourupstreamrouter ! interfaceFastEthernet0/0 description***OutsidePublicInterface*** ipaddressdhcp ipaccessgroupIOSFWINin noipunreachables ipnatoutside ipinspectIOSFWOUTout nocdpenable cryptoipsecclientezvpnINEVORACKoutside ! !Thisistheinsideinterface,whereyourIPphonesconnect !Ensurethatyouusea192.168.x.xaddresssothatEzVPNNetwork !ExtensionModeworksproperly ! interfaceFastEthernet0/1 description***InsidePrivateInterface*** ipaddress192.168.10.1255.255.255.0 ipnatinside nokeepalive cryptoipsecclientezvpnINEVORACKinside ! iproute0.0.0.00.0.0.0dhcp ! !ThisisthesecondpartoftheIOSFirewalltohelpkeepprotect you. ! ipaccesslistextendedIOSFWIN permitudpanyanyeqbootpc permiticmphost75.140.41.126any permittcphost75.140.41.126anyeq22 permitesphost75.140.41.126any permitudphost75.140.41.126anyeqisakmp permitudphost75.140.41.126anyeqnon500isakmp denyipanyanylog
77
! !ThisisanACLandNATstatementtoallowyourtraffic !outtoyourISP ! ipaccesslistextendedNAT denyip192.168.10.00.0.0.255177.0.0.00.255.255.255 permitip192.168.10.00.0.0.255any ! ipnatinsidesourcelistNATinterfacef0/0overload ! ! !Onlyuncommentthenext35linesifyouareusingPPPoEwithDSL ! !vpdnenable !vpdngroup1 !interfaceFastEthernet0/0 !noipaddress !noipproxyarp !nocdpenable !nomopenabled !noipaccessgroupIOSFWINin !noipnatoutside !noipinspectIOSFWOUTout !nocryptoipsecclientezvpnINEVORACKoutside !pppoeenablegroupglobal !pppoeclientdialpoolnumber1 ! !interfaceDialer1 !mtu1492 !ipaddressnegotiated !ipnatoutside !ipvirtualreassembly !encapsulationppp !loadinterval30 !dialerpool1 !dialergroup1 !nocdpenable !pppauthenticationpapcallin !ppppapsentusername<YOUR_ISP_USERNAME>password <YOUR_ISP_PASSWORD> !pppipcpaddressaccept !cryptoipsecclientezvpnINEVORACKoutside ! !dialerlist1protocolippermit !noiproute0.0.0.00.0.0.0dhcp !iproute0.0.0.00.0.0.0Dialer1 !noipnatinsidesourcelistNATinterfacef0/0overload !ipnatinsidesourcelistNATinterfaceDialer1overload ! !Thisnextbitistoallow(only)INEtoSSHtoyourroutertohelp withanytroubleshooting ! ipdomainnameine.com usernameadminprivilege15passwordciscoine cryptokeygeneratersamod1024 ! linevty015 transportinputssh loginlocal !
(end)
78
Appendix B.2.
Test Your Hardware VPN Prior to Your Lab Rack Session
We have setup a test Hardware VPN account that you may use to connect to our VPN portal prior to your Voice rack session, to be assured that when it comes time for your session to begin, that everything will work properly. The portion of the configuration that is different from the above normal configuration is listed just below, and basically consists of simply changing the group name and key in the crypto ipsec client ezvpn portion to that of:
Pleasedownloadtheentirenormalconfigurationhere: http://www.ine.com/downloads/voiceroutervpnconfig.txt Andusethisasthegroupnameandkey: GROUP:voracktest KEY:voracktest ToresultinthecryptoipsecclientezvpnINEVORACKsectionlooking likethis: ! cryptoipsecclientezvpnINEVORACK connectauto groupvoracktestkeyvoracktest modenetworkextension peer75.140.41.126 xauthuseridmodeinteractive !
After configuring this and connecting, you can verify that the VPN link itself is properly set up by pinging 177.254.254.254; this says that you have a VPN tunnel set up to our VPN portal.
ping177.254.254.254sourcefa0/1
To verify that you have full connectivity, ping the IP address of the CUCM Publisher: 177.1.10.10:
This test verifies that your VPN link was successfully established. When you use your configuration during a voice lab rack session, simply change the group and key line to match the information you received in the rack reservation confirmation letter.
79
On this test EasyVPN account, you will only be able to ping the CUCM Publisher at the IP address of 177.1.10.10. You also will not be able to connect to the CUCM Publisher via HTTP, as we only allow ICMP for this test account. You will not be able to ping any other devices on this test account, however you will, of course, be able to ping all of the IP addresses when you connect with a normal, Voice rack rental session. Appendix B.3. Connecting Your IP Phones
Once you have connected your VPN via your Cisco IOS router, you may then connect all of your phones to the router. The easiest, and least expensive, way to do this is to daisy-chain your hardware IP phones. 1. First connect an Ethernet cable from the router's Inside Private Interface FastEthernet port (FastEthernet 0/1 in our reference configuration) to your first IP Phone's "10/100 SW" port. 2. Next connect another Ethernet cable from the same IP Phone's "10/100 PC" port to the next IP Phone's "10/100 SW" port. 3. Keep repeating this until you have connected all of your IP Phones together. 4. Finally connect an Ethernet cable from your last IP Phone's "10/100 PC" port to your Mac or PC's network port. Using this daisy-chain technique, you will not need to establish a separate VPN link from your computer or computers; instead you will "piggyback" on the VPN link that your phones are using, back to the rental rack. If you use this method, you do not need to purchase an Etherswitch that provides Power over Ethernet (Poe) or PoE converters. To provide power to your daisy chained Cisco IP phones, you will need Cisco Power "bricks" to power the phones. (Cisco Part# PWR-CUBE-3) The VPN path crosses both the PSTN and R1 (HQ) routers, as shown in the Voice Topology diagram. Thus, if you reload either of these routers, you will temporarily lose connectivity to your lab rack via the VPN connection. As soon as the router reloads, you regain connectivity. There is no need to take down and re-establish your VPN links again. You may, of course, use a Cisco Catalyst PoE or (depending on which phones you have) Inline Power switch to connect your IP phones to, and then connect that switch to the Inside Private Interface FastEthernet port on your IOS router, but if you have both the router and the switch, you should explore the previous Layer 2 VPN option (Appendix A) as it supports an exact replica environment to the actual Cisco CCIE Voice lab exam.
80
Appendix B.4.
Multicast Music-on-Hold Will Not Function Across Your VPN Link
IPSec doesn't support carriage of multicast packets. This does not mean that you cannot test MMoH, rather than instead of trying to hear the MMoH from an IP Phone in front of you (you won't ever hear it there), you should 1. Place a call from your PSTN phone (in front of you) into the R2-BR1 gateway,into a Branch 1 phone, 2. Have that Branch 1 phone place the call from the PSTN phone on hold. You will now hear MoH on your remote PSTN phone because it has been converted into Unicast traffic, however upon inspection you will find that Multicast MoH is indeed flowing from the CUCM to your BR1 router Technical details: the multicast packets are sent out from the CUCM Pub or Sub server, across R1-HQ, across the Serial Frame-Relay link, over to R2-BR1, and there converted from VoIP packets into a PCM DS0 stream to be sent out over the PRI link to PSTN. Then, once at PSTN, it will be sent using unicast packets across the VPN to the IP Phone in front of you. Remember it is only multicast packets from your CUCM Server to the R2-BR1 router - then it becomes PCM DS0 signaling over TDM.
NOTE: The previous Layer 2 VPN option (Appendix A) does not have this multicast limitation. Appendix B.5. Troubleshooting Your Hardware IOS Router VPN Connection
If you having issues with your VPN device connecting, make sure you performed the following tasks before submitting a trouble ticket: Try logging in with the same username/password via SSL VPN and see if that works Issue the following commands, attempt a connection, collect all output, and include the output in your trouble ticket:
showcryptoipsecclientezvpn showcryptoisakmp showcryptoipsecsa showtechsupport debugcryptoisakmp debugcryptoipsec
81
Appendix C. Using Customer Local ASA 5505 or PIX 501 for VPN (Allows for Customer Hardware Cisco IP Phones)
For each session, you will need to adjust your configuration. The string vorackX is changed to vorack1 for rack1, vorack6 for rack 6, and vorack12 for rack 12. The string <password> is changed to the password for your session, as provided in your confirmation letter. letter. If you have problems, before sending in a ticket be sure to collect the debug information described below in sub-section 5. Our support people need this debug information to analyze your problem. The reference configuration we supply below also works for the PIX 501 or 515 if you have an IOS image of 7.0 or higher. If you have a PIX 501 or 515 with an earlier IOS image, we offer a reference configuration via download; you may need to change it to accommodate the next of your specific appliance, network, and uplink:
http://www.ine.com/downloads/voicepix63vpn.config.txt
Appendix C.1.
Sample ASA/PIX VPN Configuration
This is a reference configuration; you may need to change it to accommodate the needs of your specific appliance, network, and uplink. The instructions in this Appendix are specific to the Cisco ASA 5505; essentially the same configuration can also be used with a Cisco PIX 501.
!ReferenceconfigurationforASA5505.Youmayneedtomake !changestothisconfigurationtomatchyournetworkrequirements !andtheparticulardeviceyouareusing. ! !ThisconfigurationcanalsobeusedwiththeCiscoPIXv7.2or higher. ! !Thisconfigcanbedownloadedfrom !http://www.ine.com/downloads/voiceasa5505vpn.config.txt ! ! !NetworkExtensionModeforEzVPNwillONLYworkonINE'snetworkif youuseIP !addressingonyourinternalnetworkintherangeof192.168.x.0/24 ! interfaceVlan1 description***InsidePrivateVLANInterface*** nameifinside securitylevel100 ipaddress192.168.10.1255.255.255.0 ! !
82
interfaceVlan2 description***OutsidePublicVLANInterface*** nameifoutside securitylevel0 ipaddressdhcpsetroute ! !IfyouhappentobeconnectingtoDSL,thenuncommentthe6lines below !andreplacewithyourISPgivenusernameandpassword !pppoeclientvpdngroupMYDSL !ipaddresspppoe !vpdngroupMYDSLrequestdialoutpppoe !vpdngroupMYDSLlocalname<username> !vpdngroupMYDSLpppauthenticationpap !vpdnusernamemonavy82password<password> ! interfaceEthernet0/0 description***OutsidePublicInterface*** switchportaccessvlan2 ! interfaceEthernet0/1 description***InsidePrivateInterface*** switchportaccessvlan1 ! ! !SetupNATsothatInsidetrafficdestinedforInternet(notfor VPN),hasaroutableIP !ACLtoensurethatVPNtrafficdoesnotgetNAT'dtotheOutside interface ! accesslistnonatpermitip192.168.10.0255.255.255.0177.0.0.0 255.0.0.0 global(outside)1interface nat(inside)0accesslistnonat nat(inside)10.0.0.00.0.0.000 ! ! !27Sept2010:DNSremoved !ThisDNSinformationisnecessarytoresolvetheINEVPNserver hostname !dnsdomainlookupoutside !dnsservergroupDefaultDNS !nameserver8.8.8.8 ! ! !ThisisaDHCPserverforyourInternalnetworkdevicesincluding IPphonesandlaptop !PIX/ASAautomaticallyaddtheirownIPaddressasthedefault gateway ! dhcpdaddress192.168.10.20192.168.10.200inside dhcpddns8.8.8.84.2.2.2 dhcpdlease3600 dhcpdping_timeout750 dhcpdauto_configoutside dhcpdoption150ip177.1.10.10 dhcpdenableinside ! ! ! !ThisistheEzVPNclientconfigurationwithNetworkExtensionMode !NetworkExtensionModeforEzVPNwillONLYworkonINE'snetworkif youuseIP !addressingonyourinternalnetworkintherangeof192.168.x.0/24 ! !Replace'X'in'vorackX'withyourRack#,andreplace'<password>' withyoursessionpassword
83
! vpnclientenable vpnclientvpngroupvorackXpassword<password> vpnclientserver75.140.41.126 vpnclientmodenetworkextensionmode vpnclientnemstautoconnect ! ! !ThisisforINEtechnicalsupportusageifweneedtohelpyou troubleshootyour !VPNconnection.Youwillneedtohavethisenabledifyoudesire forustoassistyou. !ItonlyallowsSSHaccessfrom1IPaddressatINE,viayour Outsideinterface ! passwordciscoine enablepasswordciscoine ssh75.140.41.126255.255.255.255outside !
(end)
84
Appendix C.2.
Test Your ASA/PIX VPN Prior to Your Lab Rack Session
We have setup a test Hardware VPN account that you may use to connect to our VPN portal prior to your Voice rack session, to be assured that when it comes time for your session to begin, that everything will work properly. The portion of the configuration that is different from the above normal configuration is listed just below, and basically consists of simply changing the vpngroup and password parameters in the vpnclient line:
Pleasedownloadtheentirenormalconfigurationhere: http://www.ine.com/downloads/voiceasa5505vpn.config.txt Andusetheseasthevpngroupandpassword: VPNGROUP:voracktest PASSWORD:voracktest ! vpnclientvpngroupvoracktestpasswordvoracktest !
After configuring this and connecting, you can verify that the VPN link itself is properly set up by pinging 177.254.254.254; this says that you have a VPN tunnel set up to our VPN portal.
To verify that you have full connectivity, ping the IP address of the CUCM Publisher: 177.1.10.10:
This test verifies that your VPN link was successfully established. When you use your configuration during a voice lab rack session, simply change the vpngroup and password parameters in the vpnclient line to match the information you received in the rack reservation confirmation letter. On this test EasyVPN account, you will only be able to ping the CUCM Publisher at the IP address of 177.1.10.10. You also will not be able to connect to the CUCM Publisher via HTTP, as we only allow ICMP for this test account. You will not be able to ping any other devices on this test account, however you will, of course, be able to ping all of the IP addresses when you connect with a normal, rented Voice rack session.
85
Appendix C.3.
Connecting Your IP Phones
Once you have connected your VPN via your ASA or PIX appliance, you may then connect all of your phones to the ASA/PIX. The easiest,and least expensive, way to do this is to daisy-chain your hardware IP phones. 1. First connect an Ethernet cable from the ASA or PIX appliance's Inside FastEthernet port to your first IP Phone's "10/100 SW" port. 2. Next connect another Ethernet cable from the same IP Phone's "10/100 PC" port to the next IP Phone's "10/100 SW" port. 3. Keep repeating this until you have connected all of your IP Phones together. 4. Finally connect an Ethernet cable from your last IP Phone's "10/100 PC" port to your Mac or PC's network port. Using this daisy-chain technique, you will not need to establish a separate VPN link from your computer or computers; instead you will "ride in" the VPN link that your phones are using back to the rental rack. If you use this method, you do not need to purchase an Etherswitch that provides Power over Ethernet (Poe) or PoE converters. To provide power to your daisy chained Cisco IP phones, you will need Cisco Power "bricks" to power the phones. (Cisco Part# PWR-CUBE-3) The VPN path crosses both the PSTN and R1 (HQ) routers, as shown in the Voice Topology diagram. Thus, if you reload either of these routers, you will temporarily lose connectivity to your lab rack via the VPN connection. As soon as the router reloads, you regain connectivity. There is no need to try to take down and re-establish your VPN links again.
86
Appendix C.4.
IPSec doesn't support carriage of multicast packets. This does not mean that you cannot test MMoH, rather than instead of trying to hear the MMoH from an IP Phone in front of you (you won't ever hear it there), you should 1. Place a call from your PSTN phone (in front of you) into the R2-BR1 gateway,into a Branch 1 phone, 2. Have that Branch 1 phone place the call from the PSTN phone on hold. You will now hear MoH on your remote PSTN phone because it has been converted into Unicast traffic, however upon inspection you will find that Multicast MoH is indeed flowing from the CUCM to your BR1 router Technical details: the multicast packets are sent out from the CUCM Pub or Sub server, across R1-HQ, across the Serial Frame-Relay link, over to R2-BR1, and there converted from VoIP packets into a PCM DS0 stream to be sent out over the PRI link to PSTN. Then, once at PSTN, it will be sent using unicast packets across the VPN to the IP Phone in front of you. Remember it is only multicast packets from your CUCM Server to the R2-BR1 router - then it becomes PCM DS0 signaling over TDM. Appendix C.5. Troubleshooting Your Hardware ASA/PIX VPN Connection
If you having issues with your VPN device connecting, make sure you performed the following tasks before submitting a trouble ticket: Try logging in with the same username/password via SSL VPN and see if that works Issue the following commands, attempt a connection, collect all output, and include the output in your trouble ticket:
showtechsupport debugcryptoisakmp debugcryptoipsec
87
Appendix D.
Using Cisco SSL VPN
If you have problems, before sending in a ticket be sure to collect the debug information described below in sub-section 3. Our support people need this debug information to analyze your problem.
The SSL VPN server supports clients running Mac OS X, Windows 2000/XP/Vista/7 and Linux operating systems. In order to start a new SSL VPN session, you should point your browser to the following URL, where X is you rack number:
https://vorackvpn.ine.com/vorackX
For example, if your rack number is 9, use the URL:

https://vorackvpn.ine.com/vorack9
You may be prompted to accept a certificate. Accept the certificate, and the SSL VPN login window will appear, similar to the following screenshot (however for your Rack, and not necessarily Rack1):
Enter the credentials that you received in your rental rack registration email.
88 Copyright 2012 INE, Inc.
After successful authentication, the Web Launch process starts. You may be required to download and install, or activate, the new Java applet or ActiveX component (make sure you have your browser set to prompt you to allow or disallow Java or ActiveX and accept when prompted). Follow the on-screen instructions and install the required components. Your browser may prompt you a few times about accepting certificates and running applications. Make sure you accept and install all of them.
When the installation process and VPN link connection is successful, you will see a new icon in your tray, similar to the following:
After this, you should be able to access any device that has an IP address inside your rack. Verify connectivity by pinging the IP address of the CUCM Publisher: 177.1.10.10:
host$ping177.1.10.10 PING177.1.10.10(177.1.10.10):56databytes 64bytesfrom177.1.10.10:icmp_seq=0ttl=125time=45.243ms 64bytesfrom177.1.10.10:icmp_seq=1ttl=125time=32.706ms 64bytesfrom177.1.10.10:icmp_seq=0ttl=125time=38.713ms 64bytesfrom177.1.10.10:icmp_seq=1ttl=125time=35.596ms
This test verifies that your VPN link was successfully established. Your browser may cache the session information from a previous rental on a different voice rack; you may need to close the browser and open it again in order to access the current voice rack. In some situations, if using a PC, you may need to reboot after the installation of the SSL VPN client software.
89
Appendix D.1.
Test Your SSL VPN Prior to Your Lab Rack Session
We have setup a test SSL VPN account that you may use to install the SSL AnyConnect client and connect to our VPN portal prior to your Voice rack session beginning, to be assured that when it comes time for your session to begin, that everything will work properly. In order to start this Test SSL VPN session, you should point your browser to the following URL and use the accompanying username and password:
https://vorackvpn.ine.com/voracktest Username:voracktest Password:voracktest
After this, you should be able to verify your connectivity by pinging the IP address of the CUCM Publisher: 177.1.10.10:
This test verifies that your VPN link was successfully established. When you use your configuration during a voice lab rack session, simply change the username and password to match the information you received in the rack reservation confirmation letter. On this test SSL VPN account, you will only be able to ping the CUCM Publisher at the IP address of 177.1.10.10. You also will not be able to connect to the CUCM Publisher via HTTP, as we only allow ICMP for this test account. You will not be able to ping any other devices on this test account, however you will, of course, be able to ping all of the IP addresses when you connect with a normal, rented Voice rack session.
90
Appendix D.2.
While SSL does support carriage of multicast packets, we don't flood them throughout our network. This is so that you, and everyone else that rents both Voice and other CCIE track-related racks from us do not experience degraded network performance due to the flooding of multicast IP voice and other data packets. This does not mean that you cannot test MMoH, rather than instead of trying to hear the MMoH from an IP Phone in front of you (you won't ever hear it there), you should 1. Place a call from your PSTN phone (in front of you) into the R2-BR1 gateway,into a Branch 1 phone, 2. Have that Branch 1 phone place the call from the PSTN phone on hold. You will now hear MoH on your remote PSTN phone because it has been converted into Unicast traffic, however upon inspection you will find that Multicast MoH is indeed flowing from the CUCM to your BR1 router Technical details: the multicast packets are sent out from the CUCM Pub or Sub server, across R1-HQ, across the Serial Frame-Relay link, over to R2-BR1, and there converted from VoIP packets into a PCM DS0 stream to be sent out over the PRI link to PSTN. Then, once at PSTN, it will be sent using unicast packets across the VPN to the IP Phone in front of you. Remember it is only multicast packets from your CUCM Server to the R2-BR1 router - then it becomes PCM DS0 signaling over TDM.
Appendix D.3.
Troubleshooting Your Cisco AnyConnect SSL VPN Connection
If you having issues with your SSL AnyConnect VPN making connection or staying connected, make sure you performed the following tasks before submitting a trouble ticket: Please click on the Export button in the Cisco AnyConnect client to export to text file a list of the statistics related to your VPN connection.
The above information should provide additional details that will assist us in troubleshooting your case.
91
Appendix E.
Using the Cisco IPSec EasyVPN Client
In rare situations where you cannot use the easy-to-use SSL VPN technology, you may want to try and use Ciscos IPSec-based Easy VPN Client. You will need to download the client software yourself for your operating system and configure it as described below. You can download the software from Cisco at the following website:
http://www.cisco.com/cisco/software/navigator.html? mdfid=270636499&flowid=4466
INE cannot provide you with this software, and therefore you will need a valid Cisco SMARTNet support contract in order to download this software, or you will need to locate a Cisco reseller who can sell the software to you.
If you have problems, before sending in a ticket be sure to collect the debug information described below in sub-section 3. Our support people need this debug information to analyze your problem. After you have downloaded and installed the VPN software, configure a new connection entry as detailed below: Host: vorack-vpn.ine.com On the Authentication properties page click the Group Authentication radio button. Set Name to vorackX (like vorack1 or vorack12) Set Password to the password specified in your confirmation letter Set Confirm Password to the same password value Click Save button
92
Here is an example for a session on VORack3:
After this, you should be able to access any device that has an IP address inside your rack. Verify connectivity by pinging the IP address of the CUCM Publisher: 177.1.10.10:
This test verifies that your VPN link was successfully established. Appendix E.1. Test Your Cisco EasyVPN Client Prior to Your Lab Rack Session We have setup a test EasyVPN account that you may use to connect to our prior to your Voice rack session beginning, to be assured that when it comes time for your session to begin, that everything will work properly.
93
In order to start this Test EasyVPN session, you should temporarily configure your EasyVPN client with the following information: Host: vorack-vpn.ine.com On the Authentication properties page click the Group Authentication radio button. Set Name to voracktest Set Password to voracktest Set Confirm Password to voracktest Click Save button Double-click the new entry to test
After this, you should be able to verify your connectivity by pinging the IP address of the CUCM Publisher: 177.1.10.10:
This test verifies that your VPN link was successfully established. On this test EasyVPN account, you will only be able to ping the CUCM Publisher at the IP address of 177.1.10.10. You also will not be able to connect to the CUCM Publisher via HTTP, as we only allow ICMP for this test account. You will not be able to ping any other devices on this test account, however you will, of course, be able to ping all of the IP addresses when you connect with a normal, rented Voice rack session.
94
Appendix E.2. Multicast Music-on-Hold Will Not Function Across Your VPN Link IPSec doesn't support carriage of multicast packets. This does not mean that you cannot test MMoH, rather than instead of trying to hear the MMoH from an IP Phone in front of you (you won't ever hear it there), you should 1. Place a call from your PSTN phone (in front of you) into the R2-BR1 gateway,into a Branch 1 phone, 2. Have that Branch 1 phone place the call from the PSTN phone on hold. You will now hear MoH on your remote PSTN phone because it has been converted into Unicast traffic, however upon inspection you will find that Multicast MoH is indeed flowing from the CUCM to your BR1 router Technical details: the multicast packets are sent out from the CUCM Pub or Sub server, across R1-HQ, across the Serial Frame-Relay link, over to R2-BR1, and there converted from VoIP packets into a PCM DS0 stream to be sent out over the PRI link to PSTN. Then, once at PSTN, it will be sent using unicast packets across the VPN to the IP Phone in front of you. Remember it is only multicast packets from your CUCM Server to the R2-BR1 router - then it becomes PCM DS0 signaling over TDM.
Appendix E.3. Troubleshooting Your Cisco IPSec EasyVPN Connection If you having issues with your Cisco IPSec EasyVPN client making connection or staying connected, make sure you performed the following tasks before submitting a trouble ticket: Please go to the menu item where you find Log or Logging and perform the following: Choose Log Settings and set all of the drop-down items to 3-High Next click on Enable or Enable Log Next try to double-click on the INE VPN entry to connect to our VPN server Next, once failed, please go back to the Log menu item, and Save the log file somewhere that is easy for you to locate Finally please start your trouble ticket submission, and be sure to include the log file that you just saved
The above information should provide additional details that will assist us in troubleshooting your case.
95
Appendix F.
VPN and Public-IP-Address Support Configuration
For your reference, these are the configuration fragments that establish connectivity between the public IP addresses and the various servers in your lab rack; X is the number of the rack: 1 for VORack1, 12 for VORack12:
PSTN: interfaceLoopback0 ipaddress177.1.254.254255.255.255.255 ! interfaceFastEthernet0/0 description==VPNUplink ipaddress177.253.X.1255.255.255.0 duplexauto speedauto noshutdown ! interfaceFastEthernet0/1 description==ToR1/HQFastEthernet0/1 ipaddress177.1.19.1255.255.255.0 duplexauto speedauto noshutdown ! routerospf1 logadjacencychanges network0.0.0.0255.255.255.255area0 ! R1: interfaceFastEthernet0/0 description==ToSW1 noipaddress duplexauto speedauto noshutdown ! interfaceFastEthernet0/0.10 description==ServerVLAN10 encapsulationdot1Q10 ipaddress177.1.10.1255.255.255.0 noshutdown ! interfaceFastEthernet0/1 description===ToPSTNFastEthernet0/1 ipaddress177.1.19.254255.255.255.0 duplexauto speedauto noshutdown ! routerospf1 logadjacencychanges network0.0.0.0255.255.255.255area0 ! SW1: vlan10 nameServers ! interfaceFastEthernet0/1 description==ServerUplink noshutdown switchporthost
96
switchportaccessvlan10 ! interfaceFastEthernet0/5 description==R1/HQFastEthernet0/0 noshutdown switchporttrunkencapsulationdot1q switchportmodetrunk spanningtreeportfasttrunk !
97
Appendix G.
Active Directory Schema, DNS Server Information
This information is for SIP SRV Call-Routing and Unity Connection/Unity Express VPIM Integration
Active Directory Schema
LDAP Server: 177.1.100.110
98
DNS Server Information for SIP SRV Call-Routing and CUC-CUE VPIM Integration (Note: VPIM license is already installed in the Unity Connection server)
DNS Server: 177.1.100.110 Zone:ine.com

cucm7pub cucm7sub win2k8dc1 corphq branch1 branch2 cucmpub cucmsub _sip._tcp.ine.com _sip._tcp.ine.com A A A CNAME CNAME CNAME CNAME CNAME SRV SRV 177.1.10.10 177.1.10.20 177.1.100.110 corphqr1.ine.com branch1r2.ine.com branch2r3.ine.com cucm7pub.ine.com cucm7sub.ine.com cucm7pub.ine.com cucm7sub.ine.com
[0][100][5060] [10][100][5060]
Zone:cucm.ine.com
_sip._tcp.cucm.ine.com _sip._tcp.cucm.ine.com _sip._udp.cucm.ine.com _sip._udp.cucm.ine.com SRV SRV SRV SRV [0][100][5060] [10][100][5060] [0][100][5060] [10][100][5060] cucm7pub.ine.com cucm7sub.ine.com cucm7pub.ine.com cucm7sub.ine.com
Zone:corphqr1.ine.com
corphqr1.ine.com _sip._tcp.corphqr1.ine.com _sip._udp.corphqr1.ine.com A SRV SRV [0][100][5060] [0][100][5060] 177.1.254.1 corphqr1.ine.com corphqr1.ine.com
Zone:branch1r2.ine.com
branch1r2.ine.com _sip._tcp.branch1r2.ine.com _sip._udp.branch1r2.ine.com A SRV SRV [0][100][5060] [0][100][5060] 177.1.254.2 branch1r2.ine.com branch1r2.ine.com
Zone:branch2r3.ine.com
branch2r3.ine.com _sip._tcp.branch2r3.ine.com _sip._udp.branch2r3.ine.com A SRV SRV [0][100][5060] [0][100][5060] 177.1.254.3 branch2r3.ine.com branch2r3.ine.com
Zone:corphq.ine.com
uc1.corphq.ine.com _sip._tcp.corphq.ine.com _sip._udp.corphq.ine.com A SRV SRV [0][100][5060] [0][100][5060] 177.1.10.30 corphqr1.ine.com corphqr1.ine.com
Zone:branch1.ine.com
_sip._tcp.branch1.ine.com _sip._udp.branch1.ine.com SRV SRV [0][100][5060] [0][100][5060] branch1r2.ine.com branch1r2.ine.com
99
Zone:branch2.ine.com
cuelo5.branch2.ine.com cuevv.branch2.ine.com _sip._tcp.branch2.ine.com _sip._udp.branch2.ine.com A A SRV SRV [0][100][5060] [0][100][5060] 177.3.254.2 177.3.11.2 branch2r3.ine.com branch2r3.ine.com
Zone:att.com
sip1 sip2 _sip._tcp.sip1.skype.com _sip._tcp.sip2.skype.com _sip._udp.sip1.skype.com _sip._udp.sip2.skype.com A A SRV SRV SRV SRV [10][100][5060] [10][100][5060] [10][100][5060] [10][100][5060] 177.1.254.250 177.1.254.251 sip1.skype.com sip2.skype.com sip1.skype.com sip2.skype.com
Zone:skype.com
sip _sip._tcp.sip.skype.com _sip._udp.sip.skype.com A SRV SRV [10][100][5060] [10][100][5060] 177.1.254.250 sip.skype.com sip.skype.com
100
Appendix H.
Router and Ethernet Port Tables
(DEFAULT) VLANs and IP Subnets (These may change from Lab-to-Lab)

VLAN Name Server Voice Data VLAN # 10 11 12 HQ Subnet 177.1.10.0/24 177.1.11.0/24 177.1.12.0/24 BR1 Subnet N/A 177.2.11.0/24 177.2.12.0/24 BR2 Subnet N/A 177.3.11.0/24 177.3.12.0/24
Switch Port Allocation

Device
CUCM Publisher CUCM Subscriber Unity Connection Unified Presence Contact Center Express CorpHQ Phone 1 CorpHQ Phone 2 R1 Fa0/0 Branch 1 Phone 1* Branch 2 Phone 1* Branch 2 Phone 2 R3 Fa0/0 PSTN Phone*
*
* * *
Logical Location
HQ Site HQ Site HQ Site HQ Site HQ Site HQ Site HQ Site HQ Site BR1 Site BR2 Site BR2 Site BR2 Site PSTN
Physical Port
SW1 Fa 0/1 SW1 Fa 0/1 SW1 Fa 0/1 SW1 Fa 0/1 SW1 Fa 0/1 SW1 Fa 0/2 SW1 Fa 0/3 SW1 Fa 0/5 R2 Fa 0/1/0 SW2 Fa 0/1 SW2 Fa 0/2 SW2 0/24 SW1 Fa 0/4
VLAN
Server Server Server Server Server Lab-Specific Lab-Specific Trunk Lab-Specific Lab-Specific Lab-Specific Trunk Lab-Specific CCM Publisher CCM Subscriber Cisco Unity VM
Description
Unified Presence Contact Center Express 7961 Phone* 7961 Phone* HQ Router (R1) 7961 Phone* 7961 Phone* 7961 Phone* BR2 Router (R3) 7960 Phone
These phones are the IP phones that are directly connected to the Lab Voice rack that you can remotely control with our free, web-based Variphy Insight Remote Phone Control software. If you are connecting to INE using a Cisco hardware IOS router or ASA, so that you may use your own Cisco hardware IP phones at your local studying facility, then your phones replace what is seen here, and you may ignore the phones attached directly to your rented Voice rack. It COMPLETELY depends on which set of phones you are using. For more information regarding how to access and use our free Variphy Insight Remote Phone Control software, please see Section 8.
101
(DEFAULT) ISDN Digital Gateways (These may change from Lab-to-Lab)

Name GW_HQ GW_BR1 GW_BR2 Port R1 T1 0/0 R2 T1 0/0/0 R3 E1 0/0/0 Type T1 PRI T1 PRI E1 PRI ISDN Switch NI2 NI2 NET5 Line Settings 8BZS/ESF 8BZS/ESF HDB3/CRC4 Timeslots 1-3 1-3 1-3
DSP Resources
Location CorpHQ (R1) Branch 1 (R2) Branch 2 (R3) N/A N/A R3 PVDM2-32 Conference Transcode R1 PVDM2-16 R2 PVDM2-16 R3 PVDM2-32
102
Appendix I.
Device/Server R1 R2 R3
Device Connectivity Quick Reference

IP 177.1.254.1 177.1.254.2 177.1.254.3 Defined by Lab 177.1.254.254 177.1.11.20 177.3.11.20 https://177.1.10.10 https://177.1.10.20 https://177.1.10.30
http://177.1.10.40/appadmin
Method Telnet Telnet Telnet Session from R3 Telnet Telnet Telnet Web browser Web browser Web browser Web browser Windows RDC Web browser Windows RDC LDAP (only)
Username
Password
Cisco Unity Express (CUE) PSTN SW1 SW2 CUCM Publisher CUCM Subscriber Cisco Unity Connection (CUC)
Unified Contact Center Express (UCCX) Unified Contact Center Express (UCCX)
admin admin admin

uccxadmin
cciecisco cciecisco cciecisco cisco cciecisco cciecisco cciecisco cciecisco Password cciecisco cciecisco cciecisco cciecisco cisco cciecisco cciecisco none
177.1.10.40 https://177.1.10.50 177.1.10.100
admin admin admin admin Username admin admin admin admin uccxadmin admin admin none
Cisco Unified Presence (CUPS) XP Test/Utility Win2k8 Active Directory Device/Server CUCM Publisher CUCM Subscriber
14
177.1.100.110 URL/Command https://pub.vorack#.ine.com https://sub.vorack#.ine.com
Cisco Unity Connection (CUC) https://cuc.vorack#.ine.com Cisco Unified Presence (CUPS) https://cups.vorack#.ine.com Unified Contact Center Express http://uccx.vorack#.ine.com/appadmin (UCCX) XP Test/Utility rdp://util.vorack#.ine.com Unified Contact Center Express rdp://uccx.vorack#.ine.com (UCCX) PSTN telnetpstn.vorack#.ine.com
Veriphy Insight Remote Control Software

URL http://177.1.10.100/insight/ Username admin Password cciecisco
14 The Active Directory server cannot be pinged from your location directly. You can ping it within the routers of your lab rack. Voice Rack Rental Guide version 3.11 103 Copyright 2012 INE, Inc.

Voice Rack Rental Guide v3.11

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Voice Rack Rental Guide v3.11

Uploaded by

Copyright:

Available Formats

Voice

Rack Rental Access Guide

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Section 2. Lab Rack Diagram.........................................................................................4 Section 3. Getting Started At Your Location.................................................................5

Section 4. Linking Your Location To Ours Via VPN..................................................13

Section 5. Accessing Routers and Etherswitches........................................................17

Section 8. Accessing Lab Rack Servers via VPN-Less Public IP Address................34

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

This page intentionally left blank

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Rack Reservation Confirmation Letter

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Session Activity Overview

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Lab Rack Diagram

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Getting Started At Your Location

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Option 3 Using IP Softphones on Your PC

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Five Options For Voice Rack Connectivity

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Option 3 Software-Based Cisco SSL AnyConnect VPN Client

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

For the Cisco ASA5505, add these commands to your configuration:

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Linking Your Location To Ours Via VPN2

Verifying the VPN Link and Connectivity

where # is the voice rack ID number: 1 for VORack1, 12 for VORack12.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Accessing Routers and Etherswitches

(you may need to press Enter a few times here)

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Voice Rack Rental Guide version 3.11

Copyright 2012 INE, Inc.

Address 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1 1.1.1.1