Planet Collab

Ogre Inn

Cisco Universal AP problems and solutions

By Marcel
Today I was asked by a customer to revive a few 2702i access points. These access points were unable to join the WLC. The WLC told me:

Country UX for this APis not configured
The system detects an invalid regulatory domain 802.11bg:-E     802.11a:-E for AP

Uhm ok. The regulatory domain is okay (they're in the Netherlands) but it seems the country code isn't. After struggling to get some information on this (almost none) and trying several methods to get these back to life again, I found a way to revive them:

1. Connect a console cable, login and do 'clear capwap private-config'. Do a reload without saving the config.

2. Let the AP join the WLC, it will work this time but it will be unprimed. Add this AP to the Priming WLAN AP Group.

3. After the AP gets back, open it in the WLC interface and do a 'clear config' (aka a factory reset).

4. When it is back online, use the AP on your phone to start the priming.

This way I got 4 APs back to life. This all assumes you have a Priming SSID which is only available to APs in the Priming WLAN AP Group. I've tried it without step 2 and it failed, don't know why. This all was on AireOS 8.2.170 and a 2504 WLC.

AAA with Tacacs+ on Debian

By Marcel
A while ago I've tried setting up different authorisation levels on a Cisco router with privilege levels. It failed miserably because this is badly documented by Cisco and the amount of effort needed to get something useful out of it was too much. The main problem is the hierarchical privilege structure of commands and the somewhat illogical relation between these commands (enable write privileges to allow read privilege....).

Anyway, time to try something else: Tacacs+ or Radius. Radius does authentication pretty well but does not have any way to restrict commands except setting predefined privilege levels during authentication.

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization. 


RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services. 

Source: Cisco

Tacacs+ on the other hand allows you to give someone privilege level 15 while denying some commands (switchport trunk allow vlan anyone ;-)??). At the moment I have a request from a 3rd party supplier to give them rights at a customer site to shut/no shut ports to reboot POE devices, nothing more, nothing less.

I've dabbled a bit with CentOS but ended up with Debian because it has a binary package ready in its repository (Raspbian also, BTW).

Read this for installation. Do not forget to add the admin users to your linux system.

Tried PAM authentication but failed and did not spend that much time on it (had some examples using PAM). Changed it to local authentication based on /etc/passwd and that worked. For testing I created 2 groups: admins and operators.

For this test setup I used my old trusty Cisco 2940 switch but any other Cisco device will do.
This is part of my /etc/tacacs/tac_plus.conf file:

# admin group: everything is permitted unless explicitly denied
group = admins {
        default service = permit
#        login = PAM
        service = exec {
             priv-lvl = 15
        }
}

# operators group: everything is denied except the cmd blocks below
group = operators {
        default service = deny
        service = exec {
            priv-lvl = 15
        }
        cmd = show {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit terminal
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
}

# Create a block for every admin user you have
user = tempelman {
        member = operators
        login = file /etc/passwd
}

user = marcel {
        member = admins
        login = file /etc/passwd
}
The operators are only allowed to (no) shutdown Fa and Gi interfaces. The rest is restricted.

In most examples the necessary command to get this working on the Cisco side is omitted:

aaa authentication login default group tacacs+ local none
aaa authorization config-commands
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Without this command the operators had access to all commands in configure mode.
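As an added illustration (not the post's own code and not anything shipped with tac_plus), the Python below models how the daemon evaluates the operators group above for a given command line, so the rule set can be checked before a 3rd party is given access. It assumes the tac_plus semantics as I read its documentation: the first word of the command selects the cmd block, the permit/deny regexes of that block are searched (unanchored) against the argument string in order and the first hit wins, no hit inside a block means deny, and a command without a block falls back to the group's default service. Verify this against your tac_plus version before relying on it.

```python
import re

# Constructed excerpt in tac_plus.conf syntax, mirroring the admins/operators groups
# from the post (only the subset of the syntax used there is modelled).
TAC_PLUS_CONF = """
group = admins {
        default service = permit
        service = exec {
             priv-lvl = 15
        }
}

group = operators {
        default service = deny
        service = exec {
            priv-lvl = 15
        }
        cmd = show {
                permit .*
        }
        cmd = enable {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit terminal
        }
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
}
"""


def parse_groups(text):
    """Parse 'group = NAME { ... }' blocks into
    {name: {"default": "permit"|"deny", "cmds": {cmd: [(verdict, regex), ...]}}}.
    'service = ... { }' sub-blocks are skipped: only 'default service' and
    'cmd = X { permit|deny RE }' influence command authorization in this model."""
    groups = {}
    group = None     # group currently being filled
    clauses = None   # permit/deny list of the cmd block currently open
    depth = 0        # brace nesting depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"group\s*=\s*(\S+)\s*\{$", line)
        if m:
            group = groups.setdefault(m.group(1), {"default": "deny", "cmds": {}})
            depth += 1
            continue
        m = re.match(r"cmd\s*=\s*(\S+)\s*\{$", line)
        if m and group is not None:
            clauses = group["cmds"].setdefault(m.group(1), [])
            depth += 1
            continue
        if line.endswith("{"):          # service = exec { ... } and similar: not modelled
            depth += 1
            continue
        if line == "}":
            depth -= 1
            clauses = None
            if depth == 0:
                group = None
            continue
        m = re.match(r"default\s+service\s*=\s*(permit|deny)$", line)
        if m and group is not None:
            group["default"] = m.group(1)
            continue
        m = re.match(r"(permit|deny)\s+(\S.*)$", line)
        if m and clauses is not None:
            clauses.append((m.group(1), m.group(2)))
    return groups


def authorize(group, command):
    """'permit' or 'deny' for one full command line (semantics as described in the lead-in)."""
    words = command.split()
    if not words:
        return "deny"
    name, args = words[0], " ".join(words[1:])
    clauses = group["cmds"].get(name)
    if clauses is None:
        return group["default"]          # no cmd block: the group's default service decides
    for verdict, pattern in clauses:
        if re.search(pattern, args):     # unanchored search, first matching clause wins
            return verdict
    return "deny"                        # a cmd block exists but nothing matched


GROUPS = parse_groups(TAC_PLUS_CONF)


def decide(group_name, command):
    """Authorize COMMAND for a user who is a member of GROUP_NAME."""
    return authorize(GROUPS[group_name], command)


if __name__ == "__main__":
    for cmd in ["show running-config", "configure terminal", "interface GigabitEthernet0/1",
                "interface Vlan1", "shutdown", "no shutdown", "no ip routing",
                "ip address 10.0.0.1 255.255.255.0", "reload"]:
        print(f"operators: {cmd!r:40} -> {decide('operators', cmd)}")
```

Because the patterns are searched unanchored, a clause such as permit FastEthernet.* also accepts an argument string with FastEthernet somewhere in the middle; anchoring (^FastEthernet.*$) keeps the intent explicit. Also worth keeping in mind with the IOS lines above: the method lists end in none, so if the TACACS+ server is unreachable and the local step gives no answer, authorization falls through to none, which is no authorization at all.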

Now that this is working, I'm going to try a config for HP ProCurve switches and get RANCID authenticating with Tacacs+.

All in all setting up a Tacacs+ server is not hard and when you Google around there is enough documentation to be found.

To be continued....

Interesting links:

NMAP Automation and reporting

By Marcel
If you need a tool to check your devices' firewall settings, NMAP is the tool to use. It is possible to automate this check so you can get a daily report, even with a report on differences.

The following script checks a subnet, reports on all active hosts and open ports. Differences will also be reported and these reports will be mailed.

The script below is a slightly edited script found here.

I have made some changes in the command line variables and added the xsltproc command to convert the NMAP XML file to HTML.

#!/bin/bash
# scans "TARGETS" with nmap
# compares with previous scan using ndiff
# emails results

# target(s) to scan, taken from the first command line argument
TARGETS="$1"
OPTIONS="-v -T3 -F -sV"
date=$(date +%F)

# where to put scans
DIR=/home/marcel/nmap/scans
cd "$DIR" || exit 1

nmap $OPTIONS $TARGETS -oA "$DIR/scan-$date" > /dev/null

# compare scans
if [ -e scan-prev.xml ]; then
    ndiff scan-prev.xml "scan-$date.xml" > "diff-$date"
    echo "*** NDIFF RESULTS ***"
    cat "diff-$date"
    echo "*** NMAP RESULTS ***"
    cat "scan-$date.nmap"
fi
# make today's scan the baseline for the next run (also on the very first run)
ln -sf "scan-$date.xml" scan-prev.xml

# create an HTML report (nmap's XML references its own stylesheet, which xsltproc picks up)
xsltproc -o "scan-$date.html" "scan-$date.xml"

# email results
#/home/marcel/email/ --host --port 587 --from --to --subject "External Nmap Diff" --body-plain=/home/marcel/nmap/scans/diff-$date --attach=/home/marcel/nmap/scans/scan-$date.xml
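The ndiff step is where the daily value is: it tells you which host or port changed since yesterday. As an added example (Python I wrote for this page, not part of the script above or of the nmap project), the code below reads two nmap XML files, keeps the open ports of every host that is up, and reports hosts that appeared or disappeared and ports that opened or closed. The two XML documents are constructed samples containing only the elements the parser reads; replace them with scan-prev.xml and scan-$date.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample nmap XML output for two runs over the same range (not real scan data;
# only the elements the parser reads are included).
PREV_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -T3 -F -sV 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

CUR_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -T3 -F -sV 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map every host nmap reports as up to the set of (protocol, port, service) found open."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        found = set()
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            found.add((port.get("protocol"), int(port.get("portid")),
                       service.get("name", "") if service is not None else ""))
        hosts[addr] = found
    return hosts


def diff_scans(prev, cur):
    """Compare two open_ports() maps: hosts that appeared or vanished, ports opened or closed."""
    report = {
        "new_hosts": sorted(set(cur) - set(prev)),
        "gone_hosts": sorted(set(prev) - set(cur)),
        "opened": {},
        "closed": {},
    }
    for addr in sorted(set(prev) & set(cur)):
        opened = sorted(cur[addr] - prev[addr])
        closed = sorted(prev[addr] - cur[addr])
        if opened:
            report["opened"][addr] = opened
        if closed:
            report["closed"][addr] = closed
    return report


def format_report(report):
    """Render the diff as the plain-text block a daily mail would carry."""
    lines = ["*** NDIFF RESULTS ***"]
    for addr in report["new_hosts"]:
        lines.append(f"+ host {addr} is now up")
    for addr in report["gone_hosts"]:
        lines.append(f"- host {addr} is no longer up")
    for addr, ports in report["opened"].items():
        for proto, port, svc in ports:
            lines.append(f"+ {addr} {port}/{proto} open ({svc})")
    for addr, ports in report["closed"].items():
        for proto, port, svc in ports:
            lines.append(f"- {addr} {port}/{proto} no longer open ({svc})")
    if len(lines) == 1:
        lines.append("no changes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(open_ports(PREV_XML), open_ports(CUR_XML))))
```

A host that went down drops out of the comparison entirely (192.0.2.11 above), so it is reported as gone rather than as "all ports closed"; a newly opened management port on a known host (3389 on 192.0.2.10) is the kind of line worth alerting on.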


Cisco ATA 190 and CUCM

By Marcel
Today I had a fight with an ATA 190. After I powered the critter up it autoregistered itself with the CUCM 8.6 but after that it failed to register; it stayed "rejected".

Probably it has something to do with this bug.

The ATA did not load the newer firmware from the CUCM and did not use the downloaded config file.

Not wanting to wait on TAC to resolve this, and getting some hints that a manual upgrade would solve this problem, I started to focus on getting the firmware .bin file.

(use at your own risk!)

Step 1 - Download the latest firmware from Cisco

Step 2 - Download HxD and 7Zip

Step 3 - Read this link

Step 4 - Open cmterm-ata190.1-1-2-005.cop.sgn in HxD and remove the certificate

Step 5 - Save the file (.gz !)

Step 6 - Unzip the .gz file with 7Zip

Step 7 - Open ATA190.1-1-2-005.bin.sgn and remove the certificate

Step 8 - Save the file (.bin !)

Step 9 - Open the web interface of the ATA 190, login (admin/admin)

Step 10 - Go to Administration -> Upgrade and load the .bin file

If the ATA has the first available firmware it takes a while and will result in an "Upgrade Failed". Ignore this because it just works.

It seems the ATA still needs some help after this because after adding the TFTP address manually in the config of the ATA and a reboot the ATA registered correctly and worked like a charm.

Ziggo IPv6 Up and Running

By Marcel
Since April this year our ISP Ziggo (largest cable operator in The Netherlands) started rolling out IPv6 addresses to its clients. Luckily Ziggo was wise enough to provide us with a /56 address space meaning we have 255 subnets ready for use.

(The Ziggo Prefix is 2001:1c00:1000::/36)

My first setup was: Ziggo Ubee modem (still in router mode) -> Cisco ASA.

I've spent a few frustrating evenings getting things working on my ASA. Finally I gave up because the ASA is not able to get delegated prefixes (DHCP-PD) from the modem and put them through to the LAN side. In comes a trusty old 1841 router. If you think everything was going smoothly from then on, wrong...... IPv6 is a #$@%&!&@ 20 years old but it took a 2012 version of IOS (12.4.24T) to get things working (in other words, to get IPv6 DHCP working).

My setup is now: ASA for IPv4 and the 1841 for IPv6. Both behind the Ubee modem.

First step: enable IPv6

ipv6 unicast-routing
ipv6 cef

Step two: configure the outside interface (fa0/0)

int fa0/0
! get your own IPv6 address by neighbour discovery
! and get a default route
 ipv6 address autoconfig default
! this command is obsolete as soon as you enter an
! IPv6 command but I left it there
 ipv6 enable
! gimme a prefix, preferably a ::/60
 ipv6 dhcp client pd hint ::/60
! put that prefix in this variable
 ipv6 dhcp client pd prefix-from-ziggo

Step three: configure the inside interface (fa0/1)

int fa0/1
! first a recognizable link-local address
ipv6 address FE80::1 link-local
! now let's get a routable address (this will
! form the address {prefix-from-ziggo}2:0:0:0:1)
ipv6 address prefix-from-ziggo ::2:0:0:0:1/64
ipv6 enable

Let's check if the config is working

RTR-01#sh ipv6 interface
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::{EUI-64 address}
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    default-ziggo-prefix:x00:{EUI-64 address}, subnet is default-ziggo-prefix:x00::/64 [EUI/CAL/PRE]
      valid lifetime 1209594 preferred lifetime 604794
  Joined group address(es):
  MTU is 1500 bytes

The outside interface will get the same ::/64 prefix as the LAN-interface of the Ubee modem (default-ziggo-prefix:x00). The last 2 bytes are for you to use (the 2 zeroes).

The inside interface:

FastEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  No Virtual link-local address(es):
  General-prefix in use for addressing
  Global unicast address(es):
    prefix-from-ziggo:xc2::1, subnet is prefix-from-ziggo:xc2::/64 [CAL/PRE]
      valid lifetime 56 preferred lifetime 26
  Joined group address(es):
  MTU is 1500 bytes

The Ubee modem delegated a prefix ending in C0. The ::2:0:0:0:1/64 in the address statement changes this into C2.

The prefix hint was a ::/60 but the modem delegated a ::/59:

RTR-01#sh ipv6 dhcp interface
FastEthernet0/0 is in client mode
  Prefix State is OPEN (0)
  Information refresh timer expires in 23:59:52
  Renew will be sent in 00:00:07
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::{EUI-64}
    DUID: 0003000190{MAC-ADDRESS}
    Preference: 0
    Configuration parameters:
      IA PD: IA ID 0x00030001, T1 15, T2 22
        Prefix: prefix-from-ziggoC0::/59
                preferred lifetime 30, valid lifetime 60
                expires at Jun 06 2015 10:36 PM (53 seconds)
      DNS server: 2001:B88:1002::10
      DNS server: 2001:B88:1202::10
      Information refresh time: 0
  Prefix name: prefix-from-ziggo
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
  Prefixes sent as hint:

I am able to assign the subnets C0 to DF to my internal networks (just one :-)). I will only use C2.
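The C0-to-DF range and the C0-to-C2 change follow from plain bit arithmetic on the delegated prefix. As an added example (Python I wrote for this page, not the post's own material), the code below enumerates the /64s inside a delegation, mimics what the IOS general-prefix form ipv6 address prefix-from-ziggo ::2:0:0:0:1/64 builds, and checks that a chosen suffix actually fits inside the delegated prefix length. The delegated prefix is a constructed documentation-range value standing in for the real Ziggo one.

```python
import ipaddress

# Constructed delegated prefix (documentation range) standing in for the one the Ubee modem
# handed out; like in the post it is a /59 ending in C0.
DELEGATED = "2001:db8:0:c0::/59"


def usable_subnets(delegated, new_prefix=64):
    """All /64s that fit inside a delegated prefix (a /59 yields 2**(64-59) = 32 of them)."""
    return [str(n) for n in ipaddress.IPv6Network(delegated).subnets(new_prefix=new_prefix)]


def suffix_fits(delegated, suffix):
    """True when the suffix only sets bits beyond the delegated prefix length, i.e. the
    address built from general prefix + suffix really lies inside the delegation."""
    net = ipaddress.IPv6Network(delegated)
    addr = ipaddress.IPv6Address(suffix.split("/")[0])
    host_mask = (1 << (128 - net.prefixlen)) - 1
    return (int(addr) & ~host_mask) == 0


def general_prefix_address(delegated, suffix):
    """Mimic 'ipv6 address <general-prefix> ::2:0:0:0:1/64': the first prefixlen bits come
    from the delegation, the remaining bits from the suffix. Suffix bits that overlap the
    delegated part are dropped, which is why suffix_fits() is worth checking first."""
    net = ipaddress.IPv6Network(delegated)
    addr_part, plen = suffix.split("/")
    addr = ipaddress.IPv6Address(addr_part)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    combined = (int(net.network_address) & ~host_mask) | (int(addr) & host_mask)
    return f"{ipaddress.IPv6Address(combined)}/{plen}"


if __name__ == "__main__":
    subnets = usable_subnets(DELEGATED)
    print(len(subnets), "subnets:", subnets[0], "...", subnets[-1])
    for suffix in ("::2:0:0:0:1/64", "::20:0:0:0:1/64"):
        print(suffix, "fits" if suffix_fits(DELEGATED, suffix) else "does NOT fit",
              "->", general_prefix_address(DELEGATED, suffix))
```

With a /59 the free subnet bits are the low five bits of the fourth hextet, so ::2 turns C0 into C2, while a suffix such as ::20 sets a bit that belongs to the delegation and is silently masked away; a /60 hint, had it been honoured, would have left only 16 subnets.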

Step four: DHCPv6 on the inside

Little side note: personally I want to move this function to my Raspberry Pi server (ISC DHCP server) because of dynamic DNS updates in Bind9.

OK, IPv6 developers, I haven't read all the RFCs (so I might miss any good reason why it's the way it is now) but why why why did you mess up the IPv4 method of assigning IP addresses? Why do we need 2 different daemons / server modules for this (RA and DHCPv6)? The current complexity of setting up IPv6 will severely hinder acceptance.

To get the prefix advertised on the LAN we need to use the neighbour discovery commands:

int fa0/1
! use the full subnet prefix found when using
! sh ipv6 interface fa0/1 | i subnet
 ipv6 nd prefix {subnet-prefix}
! tell the client it will contact an IPv6 DHCP server
! for the DNS settings. The gateway will automatically be
! the router advertising the subnet prefix
 ipv6 nd managed-config-flag

The router is also a DHCPv6 server:

ipv6 dhcp pool intern
! hand out addresses from the subnet prefix (the pool keyword is "address prefix")
 address prefix {subnet-prefix}
 dns-server 2001:B88:1002::10
 domain-name tempelman.local

int fa0/1
 ipv6 dhcp server intern

That's it. Now I'm going to look into getting a proper firewall config. The Ubee modem has an IPv6 firewall running, so while testing you will not be exposed that much, but better safe than sorry!

Edit: made some changes based on this link
Edit 2: Suggested reading: Cisco DHCPv6 Based Access Services
Edit 3: Extra config info on the Internode website


Unbricking 79XX phones

By Marcel
On this link you find the necessary info on resetting an IP phone.

But sometimes you brick a phone. I had some trouble with phones having firmware older than 8.5.2. After hard resetting a few phones I was left with a few blank bricks.

The cure? A CallManager Express with firmware 8.5.2.

1. Enable CME (telephony-service etc.)
2. Add firmware to flash and config
3. Enable autoregistration or add ephones with the MAC addresses of the phones
4. Enable DHCP
5. Connect phones

As soon as the phones get a config XML from the CME, life will flow back into the phones. Firmware will be loaded and screens will pop on.

SIP-trunking with Routit (Broadsoft/Broadworks) part 3

By Marcel
In the first 2 parts I showed you how registration with Routit works and how to avoid problems with the global SIP-proxy statement. In this blog I add some extra info and knowledge obtained by implementing Routit SIP-trunks.

First get an IP-VPN. Only fools buy and bastards sell Internet-based SIP trunks. Sorry sales, it will add an extra 30 euros and maybe destroys your case, but it will pay off in the end.
Config an IP VPN (1x /24 segment), with the CPE router having an address in the Voice VLAN of the customer. Only for multi-segment customers do you need an IP VPN Plus (customers with multiple locations/branches with different IP segments).

Internet based connection
If you go for an Internet-based (#@$) SIP trunk do the following: use a modern firewall/router in front of the PBX. It should be able to do SIP inspection (SIP ALG). Do not connect the Internet connection directly to the UC or CUBE. It will make troubleshooting troublesome because it is not always clear which source address it uses in its SIP packets. It will work in the end but I tend to avoid this. Besides that, just do not combine edge security and VoIP on your voice gateway/PBX.

I assume this setup:

This setup has a few caveats:
  • Outbound calls can only have the main number as calling party.
  • Inbound calls do not get the DDI in the request URI of the INVITE, only in the To: header. Routit always sends the registration number in the INVITE request URI.

There are 3 workarounds:
  • Use a TCL-script to get the info from the To: field to the internal DNIS field (works) link
  • Use a SIP-profile to change inbound SIP-headers (not tested by me) link link2
  • Add the DDI to the extension as secondary number (UC500/CME) works.
In the last case use the format you used to create the (extra) Trunk users. As soon as you add the secondary number it will register with Routit. In some cases this setup is not always handy but it will do.

In all cases do some header stripping because during any support call they will tell you they see unnecessary header info. Add the following:

voice service voip
 sip
  sip-profiles 1000
voice class sip-profiles 1000
 request ANY sip-header Cisco-Guid remove
 response ANY sip-header Cisco-Guid remove
 request ANY sdp-header Connection-Info remove
 response ANY sdp-header Connection-Info remove
Do not set asserted-id under voice service voip. It will not work when connected via the Internet.

For outbound calls be sure to replace all calling party references with the registration number. This is quite easy with a translation profile:

voice translation-rule 1
 ! replace whatever calling number comes in with the registration number
 rule 15 /.*/ /31XXXXXXXXX/
voice translation-profile outbound
 translate calling 1
You might add the following when using a CUBE:

voice class sip-profiles 1000
 request INVITE sip-header P-Asserted-Identity add "P-Asserted-Identity:<>"

I will add another blog for getting things working with CUBE+CUCM (and IP-VPN!).

Cisco announces Multigigabit switches

By Marcel

To support the higher throughput of 802.11ac Wave 2, Cisco joined forces with other vendors to develop NBASE-T, a standard that enables 2.5 and 5 Gigabit/s on Cat 5e/6 cabling. Now the first batch of switches is announced (pre-standard, that is).


  • January 21st 2015 at 16:20

E.164 addressing with Cisco Unified Communications Manager

By Marcel
[I will add the pictures again]

During my last project I had to work on a CUCM already configured for a few German SIP providers. All outbound calls were using E.164 addressing. It seemed a bit complex at first sight but was pretty easy to set up in the end (so this is not my idea, I just used the method for the Dutch branch).

First create a partition for your SIP trunk, let's call it PT_NL_PSTN. Create a Route Pattern \+.! and put this in the PT_NL_PSTN partition. Add your gateway or trunk to this pattern. Create a CSS containing only the PSTN partition. In this case we name it CSS_NL_E164.

Create two Translation Patterns 00.! and 000.!. The first one is for national numbers, the second one is for international numbers (the first zero is the outside prefix). This is a Translation Pattern for phones using their External Phone Mask as their Calling Party number. 

The route pattern is placed in a separate partition based on the calling rules for outside calls. In this case the calling party number should be a DDI. This partition is added to the Line or Device CSS (depending on the setup).

The 00 is discarded and a +31 is added to the Called Party number. The Translation Pattern uses the CSS_NL_E164 to reach the Route Pattern needed to get the call outside the building. In the Translation Pattern 000.! the prefix is simply a +.

This is the flow: Caller A calls B. B is in Amsterdam and has number 020-1234567. A has DDI number 085-7654321.

- Caller A, calls 00201234567 
- Translation Pattern 00.! is matched because partition PT_NL_DDI is in his line CSS 
- The prefix is discarded 
- +31 is added to the number 
- Route pattern \+.! is matched because it is in a partition in the Calling Search Space CSS_NL_E164.
- The Call is routed towards the voice gateway and the SIP provider. 

The SIP provider they are using is only allowing an E.164 address for the Called Party, not the Calling Party. So the ANI and DNIS look like this: 

 ANI : 0857654321 
 DNIS : +31201234567
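The flow above is easy to get subtly wrong (closest-match ordering between 00.! and 000.!, partitions missing from a line CSS), so here is an added worked example in Python (written for this page, not the post's own material and not CUCM code) that models the two translation patterns, the \+.! route pattern and the ANI/DNIS result. It assumes the CUCM conventions the post relies on: '!' matches one or more digits, '.' marks the PreDot discard point, the closest (most specific) matching pattern wins, and a pattern is only reachable when its partition is in the caller's CSS.

```python
# Constructed model of the post's CUCM translation patterns. '!' matches one or more
# digits, '.' marks where "Discard Digits: PreDot" cuts the dialed string.
TRANSLATION_PATTERNS = [
    {"pattern": "00.!",  "partition": "PT_NL_DDI", "prefix": "+31", "css": "CSS_NL_E164"},
    {"pattern": "000.!", "partition": "PT_NL_DDI", "prefix": "+",   "css": "CSS_NL_E164"},
]
ROUTE_PATTERN = r"\+.!"   # lives in PT_NL_PSTN, reachable through CSS_NL_E164


def matches(pattern, dialed):
    """Does a CUCM-style pattern (digits, '\\+', '.', '!') match the dialed digits?"""
    literal, _, rest = pattern.replace("\\+", "+").partition(".")
    if not dialed.startswith(literal):
        return False
    tail = dialed[len(literal):]
    if rest == "!":
        return tail.isdigit()          # '!' needs at least one digit ("" is not a match)
    return tail == rest


def closest_match(patterns, dialed):
    """CUCM selects the matching pattern that covers the fewest numbers; with these
    patterns that is the one with the longest literal part before the dot."""
    hits = [p for p in patterns if matches(p["pattern"], dialed)]
    if not hits:
        return None
    return max(hits, key=lambda p: len(p["pattern"].partition(".")[0]))


def translate(dialed, line_css_partitions=("PT_NL_DDI",)):
    """Apply the translation pattern reachable from the line CSS: discard PreDot digits,
    add the prefix. None when nothing matches (internal extension, or DDI partition
    missing from the CSS so the phone cannot dial out)."""
    visible = [p for p in TRANSLATION_PATTERNS if p["partition"] in line_css_partitions]
    p = closest_match(visible, dialed)
    if p is None:
        return None
    predot = p["pattern"].partition(".")[0]
    return p["prefix"] + dialed[len(predot):]


def route(calling, dialed):
    """The whole flow from the post: translation, then the \\+.! route pattern.
    Returns (ANI, DNIS) as they leave towards the gateway; the calling party stays
    untranslated because the provider only accepts E.164 for the called party."""
    dnis = translate(dialed)
    if dnis is None or not matches(ROUTE_PATTERN, dnis):
        return None
    return calling, dnis


if __name__ == "__main__":
    print(route("0857654321", "00201234567"))      # national call from the post
    print(route("0857654321", "00014155551234"))   # international, 000.! wins over 00.!
    print(route("0857654321", "1234"))             # internal extension: no PSTN route
```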

New Cisco certification tracks

By Marcel

Cisco has added new certification tracks next to the overhaul of the R&S track:

  • A major revision to the Cisco CCNP Routing and Switching certification
  • Four new Network Programmability Specialist certifications
  • A new Cisco Industrial Networking Specialist certification
  • A new Cisco Enterprise IT-Business Specialist certification
  • Updated Cisco Unified Contact Center Enterprise training

View Netflix on linux without pipelight

By Marcel

Cisco CCNA free training resources

By Marcel
Lately I see a lot of free training resources posted on Reddit. For those interested, here are some links:

Cisco Learning Network

GNS3 Vault

INE CCNA Training on Youtube

For those trying to get certified: good luck!

Transcoding on a CUBE without SCCP

By Marcel

This managed to fly under my radar until this week. A CUBE with CME 9.0 and higher can transcode without using SCCP (ISR G2). The resources are local only, so only the CUBE can use them.


SIP-trunking with Routit (Broadsoft/Broadworks) part 2

By Marcel
This week I've implemented a SIP-trunk at a customer site. This trunk is connected to a Cisco UC540. I could use almost all settings which I used in my lab setup. Before configuring the trunk I wasn't sure if the line setup would work with the CUE (VM-module) embedded in the UC540.

The customer has a simple IP-VPN connection with Routit, this means Routit supports a single IP segment with a maximum of 255 hosts and no routing of other customer IP segments. I wasn't too sure if this was enough or if I had to use NAT because the embedded CUE lives on a different IP segment. This UC500 was manually configured instead of with CCA. This meant some commands which CCA injects were missing. The following commands made the CUE work with the SIP trunk without NAT:

voice service voip
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer

The ACME SBC, which Routit uses, apparently does not support SIP REFER or MOVED-TEMPORARILY (302).

Next, the dial-peer for the CUE:
dial-peer voice 999 voip
 description *** VOICEMAIL ***
 destination-pattern 999
 session protocol sipv2
 session target ipv4:
 voice-class sip outbound-proxy ipv4: 
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
The dial-peer has to have its own outbound-proxy, otherwise it will try to contact the proxy defined in the voice service voip > sip section. The B2BUA statement is needed so the UC540 uses its own address for communication with the ISP SBC instead of the IP address of the CUE (which in this case will result in no connection because the IP segment of the CUE can not be routed towards the SBC of the ISP).

The trunk is directly connected to the Voice VLAN of the customer. If routing is needed, you have to upgrade the line to an IP VPN Plus.

SIP-trunking with Routit (Broadsoft/Broadworks)

By Marcel
Routit is a Dutch ISP which does not only offer Internet connectivity for businesses, they also offer hosted telephony and SIP trunks. Although this is a Dutch ISP, their hosting platform is an international one: Broadworks by Broadsoft. At the moment they are at version 19 I believe.
I already have experience with their hosted products but configuring a Routit SIP trunk on a Cisco Unified Communications Manager Express (CME for short) was new for me (not the SIP trunk itself but connecting it with Routit).
Every time I have to configure a SIP trunk for an ISP I haven't worked with, it always takes time to discover what it takes to get it working. In this case I haven't even looked at the tunable SIP parameters and options but only at the authentication. The ISP didn't have any real examples available for setting things up on a CME (or UC500), only a snippet of a sip-ua config once sent to them by another partner.

It took me some time to get the authentication right (and some cursing etc. :-))

In short this is what you do:

  • Setup a Trunk Group in Broadworks (with all the licenses etc.)
  • While setting this up you have to enter a Trunk Authentication User and password, write them down! (for this example we use OgreTrunk with password Inn2014)
  • When the Trunk Group is ready, add a Pilot User;
    • User name : Main line number in the following format 031{9 digit NL number} e.g. 031201234567
    • First name : same as User name
    • Last name : same as User name
    • Line/Port : Use the main line number without the leading zero e.g. 31201234567
The following example is based on the demo/lab site we have at Routit. When configuring it for a customer make sure you have a dedicated Internet connection for the SIP trunk without oversubscription (those who offer SIP trunks via the Internet should look for other jobs, that's only for testing or for max 3 user scenarios). Routit offers dedicated lines for VoIP-only use with a Private VPN on it for little more than a normal Internet line and less than a traditional PSTN connection with less capacity (so there's no excuse).

LPN = Line/Port number of Pilot User
AUN = Trunk Authentication User Name
AUP =  Trunk Authentication User Password

The items in braces have to be filled in:

voice service voip
 ip address trusted list
  ipv4 {Routit SBC}
 allow-connections sip to sip
 sip
  registrar server expires max 3600 min 2600
  localhost dns:{partner}
  outbound-proxy ipv4:{Routit SBC}
!
sip-ua
 credentials number {LPN} username {AUN} password 0 {AUP} realm {partnername}
 authentication username {AUN} password 0 {AUP}
 registrar dns:{partner} expires 3600
 sip-server dns:{partner}

Now let's add some info:

sip-ua
 credentials number 31201234567 username OgreTrunk password 0 Inn2014 realm {partnername}
 authentication username OgreTrunk password 0 Inn2014

For a Routit partner it's easy to get the partner and Routit specific information.

If you need more external numbers, just add them in Broadworks and they can be used in dial-peers, translation rules and as secondary numbers without extra authentication info.

One remark. The number of the pilot user has the format 31201234567, the other external numbers use this format: 201234567.

Monitoring with Cacti on FreeBSD 9.1

By Marcel
Sorry this is not a kick-off for an extensive step-by-step manual for getting Cacti working on FreeBSD. The good news is someone already made a good guide :-).

When I got it running I added the LM-sensors template for temperature monitoring as described here (I used the 0.8.7 steps).

Happy monitoring !

Hello Mac OS X, Linux stay for a while

By Marcel
A week ago my new Mac Mini arrived and since then my main desktop has become Mac OS X. It's my second Mac, the first one being a PPC 6100 which was later upgraded to a 6100AV.

This doesn't mean I won't be using Linux or any other form of UNIX-like OS besides Mac OS X. My work laptop is still Linux-based and a VM with Linux Mint has already been installed.
I'm busy with my preparations for CCNP Route and GNS3 isn't ready for Mountain Lion (yet), so I end up with a Linux machine anyway :-)