Network Fax Server Solution: GFI FaxMaker. Fax over IP, SMS, Email (SMTP/POP3), OCR, ISDN & More!
Written by Administrator   
Saturday, 01 December 2012 22:02

Firewall.cx is always on the lookout for unique products and solutions that can help automate important services within your network environment. We recently ran into GFI's FaxMaker for Exchange/SMTP and Lotus, which offers unique features not found in other similar products and which we are sure many would benefit from. While you can grab a copy of GFI's FaxMaker from our Free Download Section (Administrator Utilities & Windows Exchange Server Applications), we would like to provide a brief overview of GFI FaxMaker's capabilities, which are very impressive!

This award-winning fax server will allow you to send and receive faxes in a simple and secure manner where no fax boards or phone lines are required. It is used by thousands of companies worldwide and works with Exchange, Lotus and SMTP/POP3 or cloud-based email servers such as Office 365™ and Gmail™.

GFI FaxMaker is easy to install, is light on maintenance and integrates with messaging clients and customized solutions. It seamlessly integrates with mail servers, allowing users to send and receive faxes and SMS messages via their email client. Your company can also search for and back up all faxes in the same way that emails are stored and retrieved on the network.

Also included is an optional OCR (optical character recognition) module that enhances recognition quality and provides support for over 119 languages, allowing you to search for words or phrases in received faxes for faster retrieval.

This fax server supports connectivity via analog, ISDN, Fax over IP and other online fax services allowing true hybrid faxing as no phone lines or fax boards are required. The fax over IP (FoIP) support integrates with IP-enabled PABXs and Brooktrout’s SR 140 or TE Systems XCAPI technology to send faxes over an IP infrastructure.

All you need is GFI FaxMaker, an account with a supported online fax service and an Internet connection. GFI FaxMaker is extremely flexible, competitively priced and very well-suited for small to medium-sized businesses.

Start your 30 day Free trial today: Free GFI FaxMaker Download

 

Last Updated on Monday, 03 December 2012 10:46

MPLS Case Study: Why Route Summarization is not Recommended on Loopbacks in an MPLS Environment - Network
Written by Administrator   
Thursday, 29 November 2012 00:00

Introduction

MPLS generates the Implicit NULL label (the label with a value of 3) for directly connected interfaces and for summary routes. The Label Switch Router (LSR) generates this label and shares it with its directly connected peers with the PoP (Point of Presence) tag. The advantage of this label is that it improves the performance of the destination router, because the topmost label has already been removed by the penultimate router (the router before the destination router).

The question that arises here is: what will happen when all the IGP loopbacks are advertised as a single network in order to reduce the number of routes advertised? Will this drop the traffic as per Penultimate Hop Popping (PHP) logic, or will traffic forwarding still work as it is supposed to?

This article focuses on the impact of route summarization on loopback addresses in an MPLS environment and examines available workarounds to overcome the problems it causes.

Readers seeking more information on MPLS IP VPN Networks, and how they work, can refer to our article: Understanding MPLS IP VPNs, Security Attacks and VPN Encryption. The article covers basic MPLS concepts and explains how MPLS IP VPNs work.

 

Understanding MPLS Labels: PUSH / POP / SWAP / PHP

When talking about MPLS environments we often come across terms such as PUSH, SWAP, POP and PHP. Below we explain what these terms mean and their functions:

  1. PUSH: Adding a label to an incoming packet. Also known as label imposition.
  2. SWAP: Swapping the incoming label with another outgoing label.
  3. POP: Removing the label from an outgoing packet. Also known as label disposition.
  4. PHP: Stands for Penultimate Hop Popping. It refers to the process whereby the outermost label of an MPLS tagged packet is removed by a Label Switch Router (LSR) before the packet is passed to an adjacent Label Edge Router (LER).

 

Requirements For Our Test Environment

Prior to reading this document you should be familiar with MPLS VPN environments. This article assumes the reader has experience with MPLS environments and routing protocols. It is recommended that you understand functions such as Penultimate Hop Popping (PHP) and Double Penultimate Hop Popping Lookup.

 

 

Understand the Current Topology - Example

As shown in the figure below, the service provider network is based upon a three-tier architecture with three layers: Core, Distribution and Access.

[Figure: Cisco MPLS route summarization]

The Core Layer is usually referred to as Tier 1, the Distribution Layer as Tier 2 and the Access Layer as Tier 3. The Core Layer connects the different areas with each other and is largely responsible only for forwarding traffic. At the Distribution Layer, areas are segregated and area summarization is performed. Customers are terminated at the Access Layer, i.e. Tier 3.

Last Updated on Sunday, 10 February 2013 02:47

VMware: End of Availability of ESX 4.x
Written by Administrator   
Wednesday, 28 November 2012 03:17

VMware Announces End of Availability Date for VMware vSphere® ESX hypervisor 4.x and VMware Management Assistant Versions 1 and 4


On November 28, 2012, VMware is notifying customers of an End of Availability (“EoA”) date for VMware vSphere® ESX hypervisor 4.x and for VMware Management Assistant (“vMA”) versions 1 and 4. The end of availability date is August 15, 2013. This is a follow-on communication to the general announcement made in July 2011 in connection with the launch of vSphere 5.0.

This notification has NO IMPACT on existing vSphere ESXi 4.x environments, and your customers are NOT required to take any action. However, it is recommended that customers make a backup or keep an archived copy of these binaries and generate any necessary license keys in order to maintain or expand a vSphere ESX hypervisor version 4.x or vMA versions 1 and 4 environment. These steps should be completed prior to August 15, 2013. VMware will not provide any binaries or license keys for vSphere ESX hypervisor 4.x or vMA versions 1 and 4 after August 15, 2013.

Please note:

  • vSphere ESX hypervisor 4.X and vMA support lifecycle
    The end of support life (“EOSL”) date remains May 21, 2014. Learn more about VMware’s support lifecycle.
  • Customer’s ability to use the binaries of vSphere ESX hypervisor 4.x or vMA versions 1 and 4 past August 15, 2013
    Customers retain the ability to use licensed binaries past the EoA or EOSL dates. However, they will not be able to download binaries or generate new license keys after the EoA date or obtain technical support and subscription after the EOSL date.
  • vSphere ESXi 4.X availability and support – There is NO impact
  • vMA 4.1, 5, or 5.1 availability and support for all versions – There is NO impact

 

Last Updated on Wednesday, 28 November 2012 03:30

How to Recover & Create "Show Desktop" Icon Function on Windows 7, Vista, XP and 2000
Written by Administrator   
Sunday, 25 November 2012 18:53

The Show Desktop feature, included with almost all versions of Windows up to Windows 7, allows a user to minimize or restore all open programs and easily view the desktop. To use this feature, a user simply clicks Show Desktop on the Quick Launch toolbar to the right of the taskbar.

A common problem amongst Windows users is that the Show Desktop icon can accidentally be deleted, thus losing the ability to minimize all open programs and reveal your desktop.

This short article will explain how you can recover and create the Show Desktop icon and restore this functionality. The instructions included are valid for Windows 95, 98, 2000, Windows Vista and Windows 7 operating systems.

To recreate the Show Desktop icon, follow these steps:

1) Click on Start, Run, type Notepad and click on OK or hit Enter. Alternatively, open the Notepad application.

2) Carefully copy and paste the following text into the Notepad window:

    [Shell]
    Command=2
    IconFile=explorer.exe,3
    [Taskbar]
    Command=ToggleDesktop

On the File menu, click Save As, then save the file to your desktop as Show desktop.scf. The Show Desktop icon is now created on your desktop.

3) Finally, click and drag the Show Desktop icon to your Quick Launch toolbar.

Last Updated on Sunday, 10 February 2013 02:44

How to Enable & Disable Phone Port Lines on Cisco ATA 186/188 for CallManager - CallManager Express
Written by Administrator   
Saturday, 24 November 2012 02:28

The ATA 186 and 188 analog phone adaptors are very common amongst Cisco CallManager (CUCM) & Cisco CallManager Express (CUCME) installations.

The ATA 186/188 provides two analog phone ports, allowing support for up to two analog phones and supports a number of features allowing an engineer to configure it according to the requirements and environment.

One neat feature is the ability to disable one of the two analog phone ports, something administrators might want to do if the second phone port is not used, providing an additional security measure.

On the other hand, a couple of second-hand ATAs might fall into your hands and, upon testing, you may find out that only one phone port works – this doesn’t necessarily mean the second phone port is faulty!

When an ATA 186/188 registers on either CallManager or CallManager Express (CME), two MAC addresses appear in the device section.

Let’s take CME for example:

[Figure: CME identifying the ATA 186/188 phone ports]

When an ATA 186/188 is registered with CUCM or CUCME, the system will show two new MAC addresses. The first is the actual MAC address of the ATA device. This represents Phone Port No.1.

The second MAC address is similar to the first but with a ‘01’ appended at the end. The whole MAC address is then shifted to the left by two positions, as shown in the above screenshot. This second MAC address represents Phone Port No.2.

When a phone port is disabled, for example the Phone 2 port, the second MAC address ending in ‘01’ will no longer register. If removed from the CUCM/CME system, it will not appear again until the port is enabled.

 

How to Enable – Disable Cisco ATA Phone Port No.1 or No.2

The first step is to try resetting the ATA to its factory default setting. This is fully covered in our ATA 186/188 Upgrade and Factory Reset article.

In many cases a factory reset might not prove that useful, in which case manual configuration of the ATA SID parameter is required. To do this, open a web browser and connect to the ATA using its address, e.g. http://192.168.135.5. From the web interface, select SCCP Parameters under the Change Configuration menu option.

On the page presented, the Phone 1 and Phone 2 ports at the back of the ATA are represented by the SID0 and SID1 fields respectively.

To enable a port, simply enter a dot “.” as a parameter, or “0” to disable it. Simple as that!

The screenshot below helps make this practice clearer:

[Figure: Cisco ATA 186/188 web GUI]

Of course, it is always highly recommended to upgrade to the latest ATA firmware version to ensure stability and enhanced functionality of the Cisco ATA 186/188 device. The latest Cisco ATA 186/188 firmware is freely available in our Cisco Download section.

 

Last Updated on Sunday, 10 February 2013 02:46

Book Review: The Official VMware VCP5 Certification Guide
Written by Administrator   
Friday, 23 November 2012 00:00

The moment we find a book that gears us for a certification, straightaway we get into ‘I need to achieve’ mode. With it comes the urge to use shortcuts and randomly ignore things that you might think are irrelevant. I have said this before and I will say it again: a certification is just one milestone in the journey to attaining expertise, it is not the endgame. In spite of the fact that this book is written for the purpose of a certification, it does much more than that.

This is tailored to make you competent on vSphere 5. I would, however, tip my hat to the author for making that task much more manageable and entertaining. He has given careful attention to the goals and has kept the journey as simple as possible. I would not waste your time extolling the need for virtualisation. That is a well established fact. What this book does is prepare you to extract the best out of some really efficient virtualisation tools brought to us by VMware, which holds the position of being pathfinder in the virtualisation industry.

To continue reading this excellent VMware certification guide review by Arani Mukherjee, and learn how it can help you achieve your VCP5 certification, click here: Book Review: The Official VMware VCP5 Certification Guide.

 

Last Updated on Thursday, 22 November 2012 17:24

Risk Management for Cisco Unified Communication Solutions - Countermeasures & Mitigation
Written by Administrator   
Tuesday, 20 November 2012 21:30

Introduction to Risk Management for Cisco Unified Communications

As technology has advanced, things have become simpler yet more complex. One prime example is that of today’s communication networks. With the evolution of VoIP, the most obvious convergence is that of voice and data networks, wherein both types of traffic leverage the same physical infrastructure while retaining a possible logical network separation. While this whole concept seems very exciting, there’s a big tradeoff in terms of security!

It’s unfortunate but true that converged communication solutions are, more often than not, deployed without much regard for the underlying security issues. In most cases, organizations tend to either ignore the security aspect of the Unified Communication (UC) network or underestimate its importance. As a result, a host of threats and attacks which used to be relevant to data networks now pester the voice implementation which leverages the underlying data networks. Moreover, the existing security solutions which were designed for data networks cannot adequately meet the new security challenges where voice meets data.

Unified Communications (UC), also referred to as IP Telephony, brings with it a host of new security risks that cannot be resolved by existing security measures or solutions. While UC risk mitigation strategies are just beginning to become known, UC threat mitigation entails significant costs, a cost of security that should be taken into account while designing the corporate UC security strategy. The first step to mitigate any risk is to know which of your assets are worth protecting and what types of risks you should avert.

Let’s first understand the fundamentals of risk management.

 

UC Risk Management – Overview

Risk management is an art in itself as it spans multiple domains. Ideally, every asset in your UC network should be identified before going through risk management for your Cisco UC solution. This is important since it will identify what is most important to a business and where investment of time, manpower, and monetary resources will yield the most favorable results. The assets that can be selected in a typical Cisco UC environment include (but are not limited to):

  1. Cisco Unified Communications Manager (CUCM)
  2. Cisco Unity Connection (CUC)
  3. Cisco Unified Presence Server (CUPS)
  4. Cisco Unified Communications Manager Express (CUCME)
  5. Cisco Unity Express (CUE)
  6. Cisco Voice Gateways
  7. Cisco Unified IP Phones (wired, wireless, softphones)
  8. Cisco Unified Border Element
  9. Cisco Catalyst Switches
  10. Cisco IOS Routers
  11. Cisco Adaptive Security Appliance (ASA)

Once the elements of your Cisco UC solution are identified, it’s time to give them their risk ratings, based on your risk appetite.

Let’s start by defining risk.

Risk is defined as the probability of something going wrong when conducting business as usual, with a negative impact.

Now, while you may know that your call-control (CUCM, for example) is not secure and can be compromised, you are essentially bearing a risk that a known or an unknown threat may be realized. In other words, you are setting your risk appetite. Risk appetite may be classified into 3 major categories:

  • Risk aversion – Averting risks, adopting security where possible, high cost affair
  • Risk bearing – knowing that the network could be attacked, still bearing risk, least cost affair
  • Risk conforming – knowing that the network could be attacked, bearing risk to a minimal degree by implementing most critical security measures only, a balance between risk and cost

Next comes the risk rating, i.e. how you wish to rate the criticality of an element of Cisco UC solution to the operations of your network. For example, if CUCM is under attack, what will be the impact of the same on your network? Or, if an edge router is attacked, how do you expect the communication channels to be impacted?

Each application, device and endpoint should be given a risk rating which can be low, moderate or high. The Figure below depicts risk impact vs. likelihood.

[Figure: Risk Impact vs. Likelihood (ratings)]

Let’s now understand the threats that lurk around your UC solution and could possibly prove detrimental to the operations of a UC network.

 

The Risks and the Threats

There are always bad guys out there waiting to inflict damage on your UC infrastructure for their financial benefit, to prove their superiority to other hackers or just for fun’s sake.

The table below gives an overview of various threats and the possibility of these threats maturing i.e. risk realization as well as the probable impact on an organization’s operations. Please note that these are the most commonly seen threats:

 

 

| Threat Type | Risk of Impact |
|---|---|
| Confidentiality | Leakage of sensitive information (eavesdropping); Identity theft (Spoofing) |
| Integrity | Identity theft (Spoofing); Compromised Information (Malformed packets, packet injection) |
| Availability | Service Outages (DoS, DDoS, SPIT); Lost Productivity (Bandwidth Depletion) |
| Service Theft | Excessive phone bills (Toll Fraud); Espionage (Call Hijacking) |


Let’s take a closer look at these threats and their risk bearings.

Last Updated on Sunday, 10 February 2013 02:49

Interview: Akhil Behl Double CCIE (Voice & Security) #19564
Written by Administrator   
Monday, 12 November 2012 08:00

It's not every day you get the chance to interview a CCIE, and especially a double CCIE! Today, Firewall.cx interviews Akhil Behl, a Double CCIE (Voice & Security) #19564 and author of the popular Cisco Press title ‘Securing Cisco IP Telephony Networks’.

 

Akhil Behl's Biography

Akhil Behl is a Senior Network Consultant with Cisco Advanced Services, focusing on Cisco Collaboration and Security architectures. He leads Collaboration and Security projects worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio for the commercial segment. Prior to his current role, he spent 10 years working in various roles at Linksys, Cisco TAC, and Cisco AS. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications.

He has several research papers published to his credit in international journals including IEEE Xplore.

He is a prolific speaker and has contributed at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. Akhil is also the author of Cisco Press title ‘Securing Cisco IP Telephony Networks’.

 

Be sure not to miss our review of Akhil's popular Securing Cisco IP Telephony Networks.

 

Interview Questions

 

Q1. What are the benefits of a pure VoIP against a hybrid system?

Pure VoIP solutions are a recent addition to the overall VoIP portfolio. SIP trunks by service providers are helping convert the PSTN world to be reachable by IP instead of TDM. A pure VoIP system has a number of advantages over a hybrid VoIP system, for example:

  • All media and signaling is purely IP based and no digital or TDM circuits come into picture. This in turn implies better interoperability of various components within and outside the ecosystem.
  • Configuration, troubleshooting, and monitoring of a pure VoIP solution is much more lucid as compared to a hybrid system.
  • The security construct of a pure VoIP system is something which the provider and consumer can mutually agree upon and deploy. In other words, the enterprise security policies can now go beyond the usual frontiers up to the provider’s soft-switch/SBC.

 

Q2. What are the key benefits/advantages and disadvantages of using Cisco VoIP Telephony System, coupled with its security features?

Cisco’s IP Telephony / Unified Communications systems present a world class VoIP solution to consumers from small to medium to large enterprises and SMB’s as well as various business verticals such as education, finance, banking, energy sector, and government agencies. When the discussion is around security aspect of Cisco IP Telephony / UC solution, the advantages outweigh the disadvantages because of a multitude of factors:

  • Cisco IP Telephony endpoints and underlying network gear are capable of providing robust security by means of built-in security features
  • Cisco IP Telephony portfolio leverages industry standard cryptography and is compatible with any product based on RFC standards
  • Cisco engineering leaves no stone unturned to ensure that the IP Telephony products and applications deliver feature rich consumer experience; while maintaining a formidable security posture
  • Cisco Advanced Services helps consumers design, deploy, operate, and maintain a secure, stable, and robust Cisco IP Telephony network
  • Cisco IP Telephony and network applications / devices / servers can be configured on-demand to enable security to restrain a range of threats

 

Q3. As an author, please comment on the statement that your book can be used both as a reference and as a guide for security of Cisco IP Telephony implementation.

Over the past 10 years, I have seen people struggling with lack of a complete text which can act as a reference, a guide, and a companion to help resolve UC security queries pertinent to design, deployment, operation, and maintenance of a Cisco UC network. I felt there was a lack of a complete literature which could help one through various stages of Cisco UC solution development and build i.e. Plan, Prepare, Design, Implement, Operate, and Optimize (PPDIOO) and thought of putting together all my experience and knowledge in form of a book where the two realms i.e. Unified Communications and Security converge. More often than not, people from one realm are not acquainted with intricacies of the other. This book serves to fill in the otherwise prominent void between the UC and Security realms and acts as a guide and a reference text for professionals, engineers, managers, stakeholders, and executives.

 

Q4. What are today’s biggest security threats when dealing with Cisco Unified Communication installations?

Last Updated on Friday, 15 February 2013 02:23

Book Review: Securing Cisco IP Telephony Networks - By Akhil Behl Double CCIE (Voice & Security) #19564
Written by Administrator   
Saturday, 10 November 2012 16:10

Reviewer: Arani Mukherjee

The days of staring at a mess of wires under the desk coming out of a PSTN Master Socket are truly over. The advent of VoIP has broken the stranglehold of a telephone cable and the network has finally taken over. I would not say that IP Telephony has revolutionised the telephony sector. That momentous transition happened years ago. We currently are going through a phase where it is common to have IP Telephony integrated into any enterprise and network administrators are actively implementing security measures and policies to it. Network security is of paramount importance and IP Telephony is not to be left behind. The fact is that Cisco, the market leader in network technology, also happens to be leading the IP Telephony field. Hence it has rightly decided that establishing robust security architecture is core to Cisco IP Telephony.

The latest Cisco title addresses the aforementioned issue promptly and efficiently. Whenever a technology becomes efficient, scalable and portable and is seen as an improvement on the incumbent technology, it is deemed indispensable. From that moment it also becomes a point of failure that can cripple a business because it has now inherited security vulnerabilities and threats. The same can be said about Cisco IP Telephony. What this book aims to achieve is, and I quote, “to explain an End-to-End IP Telephony Security approach and architecture…” And I assure you, this title does plenty of justice to that aim. So let’s dig deeper into the way this book deals with the issues and how it tackles security policies, principles and their respective implementations.

To continue reading our exclusive review click on the following link:

Upcoming: Exclusive interview with the author, Akhil Behl Double CCIE (Voice & Security) #19564

Last Updated on Saturday, 10 November 2012 17:32