Wednesday, February 3, 2010

Call Manager Express over an IPSec Tunnel

This one isn't going to be easy to explain in just text, so let's look at the picture of the network first:



This design has a bunch of technologies mixed into it so I have laid out the goals and the configuration that supports the design.

• #1 Bring up a 2811 named Chico running Advanced IP Services 12.4(15)T9 and hang a WAN connection off it, using either a static IP or a DHCP-assigned address (only the static option appears in the config below).

11 -rw- 51432612 May 22 2009 07:17:46 -07:00 c2800nm-advipservicesk9-mz.124-15.T9.bin

interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.252
duplex auto
speed auto

• #2 Configure DHCP with option 150 on Chico so the phones learn where the Call Manager Express (CME) lives. Option 150 is the TFTP server the phones pull their firmware and configuration files from, so it points at the CME's ip source-address (162.2.245.1).

ip dhcp pool VOICE
network 172.16.100.0 255.255.255.0
option 150 ip 162.2.245.1
default-router 172.16.100.1

ip dhcp excluded-address 172.16.100.1

• #3 Configure a PoE switch with a voice vlan for the phones to hang off and uplink that to Chico via a trunk.

chico#
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.16.100.1 255.255.255.0

• #4 Build a WAN between Chico and a 2801 named Redding and load Advanced IP Services 12.4(15) T7 and the appropriate CME files into its flash.

chico#
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 192.168.100.0 0.0.0.3 area 1

sacramento#
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 10.10.1.4 0.0.0.3 area 0

yolo#
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 10.10.1.4 0.0.0.3 area 0
network 192.168.100.0 0.0.0.3 area 1

redding#
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

- Files in Redding's Flash. Not sure all this stuff is needed but here's the mess:

1 10035 Feb 1 2010 18:06:10 -08:00 CME41-basic-readme.txt
2 0 Feb 1 2010 18:06:10 -08:00 gui
3 4802 Feb 1 2010 18:06:12 -08:00 gui/admin_user.html
4 657587 Feb 1 2010 18:06:16 -08:00 gui/admin_user.js
5 1602 Feb 1 2010 18:06:16 -08:00 gui/CiscoLogo.gif
6 716 Feb 1 2010 18:06:16 -08:00 gui/CME_GUI_README.TXT
7 953 Feb 1 2010 18:06:16 -08:00 gui/Delete.gif
8 16344 Feb 1 2010 18:06:18 -08:00 gui/dom.js
9 864 Feb 1 2010 18:06:18 -08:00 gui/downarrow.gif
10 6146 Feb 1 2010 18:06:18 -08:00 gui/ephone_admin.html
11 4658 Feb 1 2010 18:06:18 -08:00 gui/logohome.gif
12 3724 Feb 1 2010 18:06:18 -08:00 gui/normal_user.html
13 81443 Feb 1 2010 18:06:20 -08:00 gui/normal_user.js
14 1347 Feb 1 2010 18:06:20 -08:00 gui/Plus.gif
15 843 Feb 1 2010 18:06:20 -08:00 gui/sxiconad.gif
16 174 Feb 1 2010 18:06:20 -08:00 gui/Tab.gif
17 2431 Feb 1 2010 18:06:20 -08:00 gui/telephony_service.html
18 870 Feb 1 2010 18:06:20 -08:00 gui/uparrow.gif
19 9968 Feb 1 2010 18:06:22 -08:00 gui/xml-test.html
20 3412 Feb 1 2010 18:06:22 -08:00 gui/xml.template
21 496521 Feb 1 2010 18:06:26 -08:00 music-on-hold.au
22 0 Feb 1 2010 18:06:26 -08:00 phone
23 0 Feb 1 2010 18:06:26 -08:00 phone/7906-7911
24 0 Feb 1 2010 18:07:08 -08:00 phone/7921
25 0 Feb 1 2010 18:08:18 -08:00 phone/7936
26 0 Feb 1 2010 18:08:32 -08:00 phone/7940-7960
27 0 Feb 1 2010 18:08:42 -08:00 phone/7941-7961
28 42944292 Feb 3 2010 15:43:44 -08:00 c2801-advipservicesk9-mz.124-15.T7.bin
29 2453223 Feb 1 2010 19:10:24 -08:00 apps41.8-2-2ES1.sbn
30 435144 Feb 1 2010 19:10:26 -08:00 cnu41.8-2-2ES1.sbn
31 2141085 Feb 1 2010 19:10:42 -08:00 cvm41sccp.8-2-2ES1.sbn
32 509001 Feb 1 2010 19:10:46 -08:00 dsp41.8-2-2ES1.sbn
33 229364 Feb 1 2010 19:10:48 -08:00 jar41sccp.8-2-2ES1.sbn
34 642 Feb 1 2010 19:10:48 -08:00 SCCP41.8-2-2SR1S.loads
35 642 Feb 1 2010 19:10:48 -08:00 term41.default.loads
36 642 Feb 1 2010 19:10:48 -08:00 term61.default.loads
37 129828 Feb 1 2010 21:23:42 -08:00 P00308000400.bin

• #5 Building the ephones and telephony-service on Redding

To get to the CME GUI on the router you need to set this path (the GUI is served by the IOS HTTP server, so ip http server must also be enabled):
!
ip http path flash:/gui

As you can see from the flash directory listing above, flash:/gui is where all the files that make the CME web GUI work live. That GUI is plain HTTP with the router's login behind it, so keep it off the WAN side: restrict it with ip http access-class, or run ip http secure-server and leave ip http server off.

The listing above is a dump of all the files you find in flash after performing the steps outlined in the "archive" retrieval. That process is documented here:

1. Download the phone load files from CCO. The latest load files will be included in cme-124-15T.zip file or the cme-basic-4.1.0.0.tar file.

For example, if the system is running CME 4.1, you would use cme-basic-4.1.0.0.tar

All cme-basic-x.x.x.x.tar files are posted on the CCO site below:
http://www.cisco.com/cgi-bin/tablebuild.pl/ip-iostsp

2. Extract phone load files to your router flash. Copy the cme-basic-x.x.x.x.tar to a TFTP server,
and enter archive command to extract contents of tar file to router Flash:

For example, if the TFTP server address is 192.168.1.1, you would enter:
archive tar /xtract tftp://192.168.1.1/cme-basic-4.1.0.0.tar flash:

3. Share the phone load files by issuing the command 'tftp-server flash:Pxxxxxx' for each file on the flash.

TFTP Server statements needed for 7941 7961 phones

archive tar /xtract tftp://x.x.x.x/cmterm-7941_7961-sccp.8-2-2SR1.tar flash:


tftp-server flash:apps41.8-2-2ES1.sbn
tftp-server flash:cnu41.8-2-2ES1.sbn
tftp-server flash:cvm41sccp.8-2-2ES1.sbn
tftp-server flash:dsp41.8-2-2ES1.sbn
tftp-server flash:jar41sccp.8-2-2ES1.sbn
tftp-server flash:SCCP41.8-2-2SR1S.loads
tftp-server flash:term41.default.loads
tftp-server flash:term61.default.loads

telephony-service
load 7941 SCCP41.8-2-2SR1S
load 7961 SCCP41.8-2-2SR1S

____________________________________________________________

TFTP Server statements for 7940 7960 phones

archive tar /xtract tftp://x.x.x.x/P00308000400.tar flash:

tftp-server flash:P00308000400.bin
tftp-server flash:P00308000400.loads
tftp-server flash:P00308000400.sb2
tftp-server flash:P00308000400.sbn

telephony-service
load 7960-7940 P00308000400

4. Specify the load command for each phone type (refer to the examples above); afterwards, enter "create cnf-files" under telephony-service so the phone configuration files are (re)generated with the new loads.

For CME 4.1, your running configuration will look like this:

telephony-service
load 7960-7940 P00308000400
max-ephones 24
max-dn 24
ip source-address 192.168.1.1 port 2000
max-conferences 12 gain -6
transfer-system full-consult
create cnf-files version-stamp Jan 01 2010 00:00:00

____________________________________________________________

After following all that, this is what mine looks like:

tftp-server flash:apps41.8-2-2ES1.sbn
tftp-server flash:cnu41.8-2-2ES1.sbn
tftp-server flash:cvm41sccp.8-2-2ES1.sbn
tftp-server flash:dsp41.8-2-2ES1.sbn
tftp-server flash:jar41sccp.8-2-2ES1.sbn
tftp-server flash:SCCP41.8-2-2SR1S.loads
tftp-server flash:term41.default.loads
tftp-server flash:term61.default.loads
!!
!
sccp local Loopback0
sccp ccm 162.2.250.250 identifier 1
sccp
!
sccp ccm group 123
associate ccm 1 priority 1
associate profile 1 register IP_7961
keepalive retries 5
switchover method immediate
switchback method immediate
switchback interval 5
!
dspfarm profile 1 transcode
associate application SCCP
shutdown
!
!
dial-peer voice 1 voip
destination-pattern 9.T
session target ipv4:10.255.253.200
incoming called-number .
dtmf-relay h245-alphanumeric
no vad
!
!
telephony-service
! SCCP41.8-2-2SR1S is the 7941/7961 load extracted above; P00308000400 is the
! 7940/7960 load, so it belongs on the 7960-7940 line (ephone 2 is a 7960)
load 7961 SCCP41.8-2-2SR1S
load 7960-7940 P00308000400
max-ephones 24
max-dn 24
ip source-address 162.2.245.1 port 2000
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
moh music-on-hold.au
multicast moh 239.10.16.4 port 2000
transfer-system full-consult
create cnf-files version-stamp Feb 01 2010 19:20:00
!
!
ephone-dn 1 dual-line
number 43701
label Cisco
description 43701
name Admin Desk
!
!
ephone-dn 2 dual-line
number 43702
label Cisco
description 43702
name Agent Desk
!
!
ephone-dn 12 dual-line
number 4724154
!
!
ephone 1
device-security-mode none
mac-address 001F.9E24.870E
speed-dial 1 43700 label "PAGE ALL PHONES"
paging-dn 11
type 7961
button 1o1,12
!
!
!
ephone 2
device-security-mode none
mac-address 0003.E32A.1DEA
speed-dial 1 43700 label "PAGE ALL PHONES"
paging-dn 11
type 7960
button 1o2,12

Note device-security-mode none on both ephones: signalling to the phones is clear-text SCCP on TCP 2000, which the IPsec tunnel in #7 protects across the WAN but not on the voice VLAN itself.


• #6 Place an ASA 5500 in transparent mode in between the last hop router named Sacramento and Redding to protect the internal network and the voice traffic coming in.

ASA Version 8.2(1)
!
firewall transparent
hostname dmz-asa
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
names
name 162.2.245.1 CME
! name x.x.x.x Laptop   (the Laptop address is not shown in this post)
!
object-group service Cisco_SCCP tcp
description Cisco Skinny Client Control Protocol
port-object eq 2000
!
access-list inside_access_in extended permit ip any any
! The IPsec tunnel from Chico terminates on the CME address, so ESP must be
! allowed in alongside IKE; with only isakmp permitted, phase 1 completes but
! the encrypted phone traffic is dropped.
access-list outside_access_in extended permit esp any host CME
access-list outside_access_in extended permit udp any host CME eq isakmp
access-list outside_access_in extended permit tcp any host CME object-group Cisco_SCCP
access-list outside_access_in extended permit udp any host CME eq tftp
access-list outside_access_in extended permit icmp any host CME
access-list outside_access_in extended permit icmp any host Laptop
!
ip address 162.2.245.10 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
aaa authentication enable console LOCAL
http server enable
http 162.2.245.0 255.255.255.0 inside
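The outside ACL above permits SCCP, TFTP and ICMP from any source to the CME. Once the phones reach the CME through the Chico-to-Redding IPsec tunnel, the only packets the transparent ASA should see arriving from the outside for 162.2.245.1 are IKE and ESP from Chico's WAN address, 192.168.100.1. The ACL below is an added example, not the original post's ASA config; it assumes every phone registers through the tunnel and that no NAT device sits between the two routers (the diagram shows none, so NAT-T on UDP 4500 is left out). The name Chico-WAN is introduced here for readability.

```cisco
! Added example: least-privilege outside ACL for the transparent dmz-asa (ASA 8.2).
! Assumes all phone traffic rides the IPsec VTI between Chico (192.168.100.1)
! and the CME (162.2.245.1); "Chico-WAN" is a name defined here, not in the post.
names
name 162.2.245.1 CME
name 192.168.100.1 Chico-WAN
!
! Phase 1 (IKE) and the encrypted phone traffic (ESP, IP protocol 50) from the
! one peer that is supposed to build the tunnel. Nothing else from "any".
access-list outside_access_in extended permit udp host Chico-WAN host CME eq isakmp
access-list outside_access_in extended permit esp host Chico-WAN host CME
! Echo only, and only from the peer, so reachability can still be tested.
access-list outside_access_in extended permit icmp host Chico-WAN host CME echo
! Explicit deny with logging: SCCP or TFTP attempts that arrive outside the
! tunnel now show up in syslog instead of silently being accepted.
access-list outside_access_in extended deny ip any any log
!
! The inside side no longer needs a blanket permit; the CME subnet is the only
! legitimate source behind the firewall.
access-list inside_access_in extended permit ip 162.2.245.0 255.255.255.0 any
access-list inside_access_in extended deny ip any any log
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
! Check what actually hits each line once the phones are registering:
!   show access-list outside_access_in
!   show logging | include 106023
```

If the tunnel is ever rebuilt behind a NAT device, add a matching permit for udp host Chico-WAN host CME eq 4500 and expect the ESP line's hit count to stay at zero.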
!

• #7 Build an IPsec tunnel (the config below uses tunnel mode ipsec ipv4, a VTI, rather than GRE over IPsec) to allow secure communication from the phones to the Call Manager.

Chico Router:

crypto isakmp policy 10
! only the authentication method is set here; the rest are the 12.4 defaults
! (DES, SHA-1, DH group 1, 86400 s lifetime)
authentication pre-share
!
! lab value: a production pre-shared key should be long, random and per-peer
crypto isakmp key CISCO address 162.2.245.1
!
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
mode transport
!

crypto ipsec profile CHICO
set transform-set TRANS

! this crypto map is not applied to any interface in the config shown;
! Tunnel0 below uses the ipsec profile instead
crypto map IPSEC 10 ipsec-isakmp
set peer 162.2.245.1
set transform-set TRANS
match address 101
!
interface Tunnel0
! Redding's end is 10.200.1.4/31, so this end must be .5
! (10.200.1.6 falls in the next /31 and the two ends would not share a subnet)
ip address 10.200.1.5 255.255.255.254
tunnel source 192.168.100.1
tunnel destination 162.2.245.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CHICO
!

access-list 101 permit ip 172.16.100.0 0.0.0.255 host 162.2.245.1

____________________________________________________________

Redding Router:

crypto isakmp policy 10
authentication pre-share
!
crypto isakmp key CISCO address 192.168.100.1
!
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
mode transport

crypto ipsec profile REDDING
set transform-set TRANS

!
crypto map IPSEC 10 ipsec-isakmp
set peer 192.168.100.1
set transform-set TRANS
match address 101
!
interface Tunnel0
ip address 10.200.1.4 255.255.255.254
tunnel source 162.2.245.1
tunnel destination 192.168.100.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile REDDING
!
access-list 101 permit ip host 162.2.245.1 172.16.100.0 0.0.0.255
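The tunnel configuration above has several problems worth fixing before phone signalling is trusted to it. The two Tunnel0 addresses, 10.200.1.4/31 and 10.200.1.6/31, sit in different /31s. The ISAKMP policy sets only the authentication method, so the 12.4 defaults of DES, SHA-1 and DH group 1 apply, and the pre-shared key is the word CISCO. The transform set says mode transport although the interface is a VTI (tunnel mode ipsec ipv4), which carries whole inner IP packets, not GRE. The crypto map and access-list 101 are never applied to an interface. And nothing routes phone traffic into the tunnel: 162.2.245.1 is reachable over OSPF, so the phones would register across the plain WAN path. A route for 162.2.245.1/32 via Tunnel0 cannot fix that last point, because 162.2.245.1 is also the tunnel destination and IOS would disable the tunnel for recursive routing. The configuration below is an added example, not the original post's config. It keeps the page's addresses and names but moves the CME's ip source-address and the DHCP option 150 target to Redding's Tunnel0 address (10.200.1.4), so the phone subnet reaches the CME over a directly connected VTI and the only traffic leaving Chico's WAN for Redding is ESP. The AES-256/SHA-1/DH group 5 choices and the pre-shared key placeholder are assumptions.

```cisco
! Added example (not the post's own config): the Chico<->Redding IPsec VTI
! rewritten so it actually carries the phone traffic. Addresses and names are
! the page's; the PSK placeholder and the AES-256/SHA-1/DH-5 choices are assumed.
!
! ---------------- Chico (2811, WAN 192.168.100.1) ----------------
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! Placeholder: replace with a long random secret, unique to this peer pair.
crypto isakmp key Replace-With-A-Long-Random-Secret address 162.2.245.1
!
! Tunnel mode (the default) for a VTI: the whole inner packet is encapsulated.
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CHICO
 set transform-set TRANS
!
interface Tunnel0
 ip address 10.200.1.5 255.255.255.254
 tunnel source 192.168.100.1
 tunnel destination 162.2.245.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CHICO
!
! Phones learn the CME's tunnel-side address, which is directly connected
! through Tunnel0, so no extra route is needed and no recursion is possible.
ip dhcp pool VOICE
 network 172.16.100.0 255.255.255.0
 option 150 ip 10.200.1.4
 default-router 172.16.100.1
!
! ---------------- Redding (2801, WAN 162.2.245.1) ----------------
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp key Replace-With-A-Long-Random-Secret address 192.168.100.1
!
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile REDDING
 set transform-set TRANS
!
interface Tunnel0
 ip address 10.200.1.4 255.255.255.254
 tunnel source 162.2.245.1
 tunnel destination 192.168.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile REDDING
!
! Return traffic for the phone subnet goes back through the tunnel; the
! default route via FastEthernet0/0 still reaches the tunnel peer itself.
ip route 172.16.100.0 255.255.255.0 Tunnel0
!
! CME now answers SCCP and TFTP on the tunnel address only.
telephony-service
 ip source-address 10.200.1.4 port 2000
!
! Verify on either router once a phone boots:
!   show crypto isakmp sa          (QM_IDLE = phase 1 up, AES-256/DH5)
!   show crypto ipsec sa            (encaps/decaps counters climbing)
!   show interface Tunnel0          (no "recursive routing" message)
!   show ip route 10.200.1.4        (connected via Tunnel0 on Chico)
!   show ephone registered          (on Redding)
```

Because the CME is no longer listening on 162.2.245.1, the ASA only needs to pass IKE and ESP between the two WAN addresses; SCCP and TFTP never cross it in the clear. If the phones must keep using 162.2.245.1 as their CME address instead, move the tunnel endpoints to different addresses (for example a loopback on each router) so that the CME address can be routed into the tunnel without pointing the tunnel destination at itself.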