Call Preservation

One of the primary decision factors in selecting which gateway protocol to run is the preservation of calls during a failover situation. As discussed previously, MGCP gateways preserve active calls when an IP phone fails over from its primary CallManager to its secondary CallManager. Failover from CallManager to SRST is a little different.

For H.323 gateways, active calls are preserved until the H225 keepalive timer expires. You can disable the H225 keepalive timer so that active calls through an H.323 gateway are preserved indefinitely. Example 13-11 demonstrates how to disable the H225 timer.

Example 13-11. Preserving H.323 Calls on SRST Fallback

Miami(config)# voice service voip
Miami(conf-voi-serv)# h323
Miami(conf-serv-h323)# no h225 timeout keepalive



For MGCP gateways, call preservation depends on the type of circuit. For analog or CAS circuits, calls are preserved on failover from CallManager to SRST. For ISDN circuits, active calls are dropped on failover. Technically, the call is dropped when you initiate MGCP Gateway Fallback. This is because the D channel of the ISDN circuit is backhauled to CallManager. When MGCP Gateway Fallback is initiated, the gateway tears down and reestablishes the D channel, resulting in all active calls being dropped. Calls are also dropped when communication is reestablished with CallManager.

Two of the primary reasons for selecting MGCP are call preservation and not having to build the dial plan in each gateway. Cisco IOS 12.4(4)XC introduced a new feature that allows calls through an H.323 gateway to be preserved when an IP phone fails over from its primary CallManager to its secondary CallManager. This feature requires CallManager 4.1(3)SR1. Example 13-12 illustrates the configuration for preserving H.323 calls on a CallManager failover.

Example 13-12. Preserving H.323 Calls on CallManager Failover

Miami(config)# voice service voip
Miami(conf-voi-serv)# h323
Miami(conf-serv-h323)# call preserve



As discussed earlier, each gateway needs appropriate dial peers to function in SRST mode. Because H.323 call preservation is more robust on SRST fallback, and the dial plan must be configured on the gateway in either case, most people select H.323 for their remote gateways.



Secure SRST

CallManager supports secure communication with IP phones. SRST 3.3 added support for secure communication when an IP phone is registered to an SRST router. The security features include support for authentication, integrity, and media encryption. Authentication assures one device that the other device is who it claims to be. Integrity assures that the data exchanged between two devices has not been altered. Media encryption provides a level of confidentiality by scrambling the data so that only the intended recipient can read it.

Configuring Secure SRST

Follow these steps to configure Secure SRST:

Step 1.

Configure a certification authority (CA).

To support secure communications, the network must have a CA server. The CA server can be a Cisco IOS certificate server or a third-party server. Example 13-13 illustrates how to configure a Cisco IOS certificate server.



Example 13-13. Configuring a Cisco IOS Certificate Server

CA_Rtr# config t
!
! Enable the certificate server
!
CA_Rtr(config)# crypto pki server srstca
CA_Rtr(cs-server)# database level minimal
CA_Rtr(cs-server)# database url nvram
CA_Rtr(cs-server)# issuer-name CN=srstca
!
! grant auto issues certificates to every enrollment request without
! operator review; it is turned off again after the SRST router enrolls (see Step 2)
!
CA_Rtr(cs-server)# grant auto
*May 2 16:51:12.664: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be
automatically granted.
CA_Rtr(cs-server)# no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: MiamiSRST
Re-enter password: MiamiSRST
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
CA_Rtr(cs-server)#
*May 2 16:53:45.800: %SSH-5-ENABLED: SSH 1.99 has been enabled
*May 2 16:53:47.288: %PKI-6-CS_ENABLED: Certificate server now enabled.



Note

The password entry, MiamiSRST, is shown in the example for illustration purposes. The password you type will not be visible.

The database level command sets what type of data is stored in the certificate database. The default is minimal, which stores only the information needed to continue issuing new certificates. The other options are names, which adds the serial number and name of each certificate, and complete, which writes each certificate issued. If you use the complete option, you should store the data on an external TFTP server. The database url command specifies where the database entries will be stored. The default is flash memory, but it is recommended that you store the entries in nvram.

Step 2.

Autoenroll and authenticate the Secure SRST router to the CA server.

The SRST router must obtain a device certificate from the CA server. Example 13-14 illustrates the procedure for enrolling the Secure SRST router to a Cisco IOS certificate server. If you are using a third-party certificate server, you need to cut and paste in the certificate or use TFTP.



Example 13-14. Autoenroll the Secure SRST Router

Miami# config t
Miami(config)# crypto pki trustpoint srst
Miami(ca-trustpoint)# enrollment url http://10.1.10.1
Miami(ca-trustpoint)# revocation-check none
Miami(ca-trustpoint)# exit
Miami(config)# crypto pki authenticate srst
!
! Note: The crypto pki authenticate command is not necessary if the
! IOS CA server is configured on the SRST router.
!
Certificate has the following attributes:
Fingerprint MD5: 4C324B3D 71ABD56F 54532FE7 782D2C4A
Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
Miami(config)# crypto pki enroll srst
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: MiamiSRST
Re-enter password: MiamiSRST
% The fully-qualified domain name in the certificate will be: Miami.cisco.com
% The subject name in the certificate will be: Miami.cisco.com
% Include the router serial number in the subject name? [yes/no]: Y
% The serial number in the certificate will be: D0B9E79C
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% Certificate request sent to file system
% The 'show crypto ca certificate srst verbose' command will show the fingerprint.
Miami(config)#Writing file to flash:srst.req
*May 2 18:54:53.843: CRYPTO_PKI: Certificate Request Fingerprint MD5: E7DE5ADE 1C9FE495 543783C0 85D369A4
*May 2 18:54:53.843: CRYPTO_PKI: Certificate Request Fingerprint SHA1: C008A457 8FBFD73A E48E7232 AED19BD1 A857C47A
Miami(config)# end



After you enroll the SRST router with the CA server, enter the no grant auto command on the Cisco IOS certificate server so that further enrollment requests are not granted without review. You must shut down the certificate server to turn off auto grant.

Step 3.

Enable credentials service on the SRST router.

Enabling credentials service allows CallManager to retrieve the device certificate of the SRST router and place it in the IP phone configuration files. Example 13-15 illustrates how to enable credentials service.

Example 13-15. Enabling Credentials Service

Miami# conf t
Miami(config)# credentials
Miami(config-credentials)# ip source address 10.10.25.1
Miami(config-credentials)# trustpoint srst
Miami(config-credentials)# end



The ip source address command specifies a local address on the SRST router that is used as the source address when communicating with CallManager. You can also modify the port number for retrieving certificates by using the port option on the ip source address command. The default port is 2445.

Step 4.

Import phone certificate files.

For the SRST router to authenticate the IP phones, it must retrieve the certificate of the phone. The SRST router must manually import the phone certificates. The certificates required vary by phone model and version of CallManager you are running. Example 13-16 illustrates importing a certificate for 7960 phones with CallManager 4.1.3. Prior to entering the SRST configuration, you should obtain the appropriate certificates on CallManager. The certificates are stored in C:\Program Files\Cisco\Certificates and have a .0 extension. Open the appropriate certificate with WordPad and copy the contents between "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-".

Example 13-16. Importing Phone Certificate Files

Miami# config
Miami(config)# crypto pki trustpoint 7960
Miami(ca-trustpoint)# revocation-check none
Miami(ca-trustpoint)# enrollment terminal
Miami(ca-trustpoint)# exit
Miami(config)# crypto pki authenticate 7960

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

MIIDqDCCApCgAwIBAgIQNT+yS9cPFKNGwfOprHJWdTANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMjAe
Fw0wMzEwMTAyMDE4NDlaFw0yMzEwMTAyMDI3MzdaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAyMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEAxCZlBK19w/2NZVVvpjCPrpW1cCY7V1q9lhzI85RZZdnQ
2M4CufgIzNa3zYxGJIAYeFfcRECnMB3f5A+x7xNiEuzE87UPvK+7S80uWCY0Uhtl
AVVf5NQgZ3YDNoNXg5MmONb8lT86F55EZyVac0XGne77TSIbIdejrTgYQXGP2MJx
Qhg+ZQlGFDRzbHfM84Duv2Msez+l+SqmqO80kIckqE9Nr3/XCSj1hXZNNVg8D+mv
Hth2P6KZqAKXAAStGRLSZX3jNbS8tveJ3Gi5+sj9+F6KKK2PD0iDwHcRKkcUHb7g
lI++U/5nswjUDIAph715Ds2rn9ehkMGipGLF8kpuCwIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUpIr4ojuLgmKTn5wLFal
mrTUm5YwbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAyL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDIuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMlxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAyLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAVoOM78TaOtHqj7sVL/5u5VChlyvU168f0piJLNWip2vDRihm
E+DlXdwMS5JaqUtuaSd/m/xzxpcRJm4ZRRwPq6VeaiiQGkjFuZEe5jSKiSAK7eHg
tup4HP/ZfKSwPA40DlsGSYsKNMm3OmVOCQUMH02lPkS/eEQ9sIw6QS7uuHN4y4CJ
NPnRbpFRLw06hnStCZHtGpKEHnY213QOy3h/EWhbnp0MZ+hdr20FujSI6G1+L39l
aRjeD708f2fYoz9wnEpZbtn2Kzse3uhU1Ygq1D1x9yuPq388C18HWdmCj4OVTXux
V6Y47H1yv/GJM8FvdgvKlExbGTFnlHpPiaG9tQ==
quit

Certificate has the following attributes:
       Fingerprint MD5: F7E150EA 5E6E3AC5 615FC696 66415C9F
      Fingerprint SHA1: 1BE2B503 DC72EE28 0C0F6B18 798236D8 D3B18BE6

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

Miami(config)# end
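Both Example 13-14 (accepting the CA certificate) and Example 13-16 (importing the phone CA certificate) end with the router showing MD5 and SHA1 fingerprints and asking "Do you accept this certificate?". The defensive check at that prompt is to compare those fingerprints against ones computed independently from the certificate you obtained from the CA or from the CallManager .0 file, so that a certificate substituted in transit is refused. The script below is an added example, not code from the book or from Cisco. It takes a PEM file, extracts the base64 body between the BEGIN/END markers (the same text the Step 4 instructions have you copy out of WordPad), decodes it to DER, computes the fingerprints in the 8-character-group layout IOS prints (IOS hashes the DER-encoded certificate), and compares them with a pasted copy of the router's prompt. The sample PEM inside the script is a constructed minimal DER SEQUENCE, not a real certificate, and all function names are my own.

```python
"""Check a certificate's fingerprints before accepting it on an SRST router.

Added example for the Secure SRST enrollment steps; not from the book or Cisco.
"""
import base64
import hashlib
import re

# PEM markers as they appear in CallManager's .0 certificate files.
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Matches "Fingerprint MD5: XXXXXXXX XXXXXXXX ..." lines in the router's prompt.
_FP_RE = re.compile(r"Fingerprint (MD5|SHA1):\s*((?:[0-9A-Fa-f]{8} ?)+)")


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file.

    The base64 between the markers is exactly what gets pasted at the
    'Enter the base 64 encoded CA certificate' prompt.
    """
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)
    # Every X.509 certificate is a DER SEQUENCE, whose first tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    return der


def is_valid_pem(pem_text: str) -> bool:
    """True if the text holds a decodable certificate body between PEM markers."""
    try:
        der_from_pem(pem_text)
        return True
    except ValueError:
        return False


def format_fingerprint(hexdigest: str) -> str:
    """Render a hex digest the way IOS prints it: upper case, 8-char groups."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def ios_fingerprints(der: bytes) -> dict:
    """MD5 and SHA1 fingerprints of the DER certificate in IOS display form."""
    return {
        "MD5": format_fingerprint(hashlib.md5(der).hexdigest()),
        "SHA1": format_fingerprint(hashlib.sha1(der).hexdigest()),
    }


def fingerprints_from_router_output(output: str) -> dict:
    """Pull the Fingerprint MD5/SHA1 lines out of the text the router shows
    before 'Do you accept this certificate?'."""
    return {algo: " ".join(value.upper().split())
            for algo, value in _FP_RE.findall(output)}


def router_prompt_matches(der: bytes, router_output: str) -> bool:
    """True only if every fingerprint the router displayed equals the one
    computed locally from the certificate we obtained out of band. Answer
    'yes' at the accept prompt only when this returns True."""
    shown = fingerprints_from_router_output(router_output)
    expected = ios_fingerprints(der)
    return bool(shown) and all(expected[algo] == value for algo, value in shown.items())


def pem_body_lines(der: bytes) -> list:
    """64-column base64 lines, the form the terminal-enrollment prompt expects."""
    b64 = base64.b64encode(der).decode()
    return [b64[i:i + 64] for i in range(0, len(b64), 64)]


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE (30 03 02 01 05), not a real
    # certificate, wrapped in the PEM markers used by CallManager's .0 files.
    sample_pem = PEM_BEGIN + "\nMAMCAQU=\n" + PEM_END + "\n"
    der = der_from_pem(sample_pem)
    fps = ios_fingerprints(der)
    print("Paste these lines at the router prompt:")
    print("\n".join(pem_body_lines(der)))
    print("Then the router should display:")
    print("  Fingerprint MD5:", fps["MD5"])
    print("  Fingerprint SHA1:", fps["SHA1"])
```

In practice you would read the .0 file from CallManager (or the CA certificate obtained directly from the CA administrator) into `der_from_pem`, paste the router's "Certificate has the following attributes" block into `router_prompt_matches`, and only then answer yes. The same check applies to the `crypto pki authenticate srst` prompt in Step 2.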



Step 5.

Configure CallManager.

After the SRST router has the appropriate phone certificates, you must enable Secure SRST on CallManager. You do this by checking the Is SRST Secure? checkbox in the SRST Reference configuration page in CallManager. You should also modify the Certificate Provider port if you did not use the default port in Step 3. If the IP phones are already registered, you must reset them for this change to take effect.

Step 6.

Configure SRST.

After you have completed and verified the certificate configuration, you configure SRST the same as if certificates were not in use.