Techtorial Collaboration - Cloud ISR with IOS SSL VPN ... Enable Host ID Check ... will be saved in...

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public CIscoEXPO 1 Techtorial Collaboration Tomáš Horák Jaroslav Martan Jiří Rott Ivan Sýkora

Page 1

Techtorial Collaboration

Tomáš Horák Jaroslav Martan Jiří Rott Ivan Sýkora

Page 2

Program

  11:00 – 12:00 – UC@UCS – Ivan Sýkora
  12:00 – 12:20 – Mobility – Tomáš Horák
  <lunch>
  13:30 – 14:00 – Intercompany Media Engine (IME) – Tomáš Horák
  14:00 – 15:00 – Service Advertisement Framework – Jiří Rott
  <break>
  15:15 – 15:45 – Presence and Instant Messaging – Ivan Sýkora
  15:45 – 16:05 – Contact Center Express – Tomáš Horák
  <break>
  16:20 – 16:50 – UC Security Features – Jaroslav Martan
  16:50 – 17:30 – UC API, CUAE – Jaroslav Martan

Page 3

UC Security Features

Jaroslav Martan CCIE #5871 e-mail/xmpp: [email protected]

Page 4

Agenda

  VPN client on IP Phones

  Trusted Relay Point

Page 5

VPN Client for IP Phones

Page 6

Cisco VPN Client

  Endpoint support: 7942G, 7945G, 7962G, 7965G, and 7975G SCCP devices only, IPv4 only
  Deployment mode: IP Phone Remote Access
  Services secured: Voice; Data (Phone Services)
  Licenses: VPN Concentrator License; IP Phone DLUs
  VPN Concentrators: Cisco ASA 5500 Series; Cisco ISR with IOS SSL VPN
  Encryption Technology: Secure Socket Layer (SSL)
  Deployment Considerations: No additional hardware needed at the remote location other than the IP Phone; the set of concurrently running IP Phone Services is reduced when the VPN client is enabled (i.e. no MIDlets)

VPN Client for IP Phones

[Figure: an IP Phone at home, in a hotel room or anywhere connects over the Internet to a VPN Concentrator at the small business, branch office or enterprise network where CUCM resides]

  Easy to Deploy – All settings are configured via CUCM administration
  Easy to Use – After the phone is configured within the Enterprise, the user takes it home and plugs it into their broadband router for instant connectivity. No difficult menus to traverse.
  Easy to Manage – The phone can receive firmware updates and configuration changes remotely
  Secure – The VPN tunnel only applies to voice and IP phone services. A PC connected to the PC port is responsible for authenticating and establishing its own tunnel with VPN client software

Page 7

VPN Client for Phones Configuration

  Set up the VPN Concentrators for each VPN Gateway
  Upload the VPN Concentrator Certificates
  Configure the VPN Gateways
  Create a VPN Group using the VPN Gateways
  Create a VPN Feature Configuration
  Create a VPN Profile (optional)
  Assign a VPN Group and Profile in the Common Phone Profile
  The phone needs to be running firmware release 9.0(2) or higher

Page 8

Upload VPN Concentrator Certificates

Upload the VPN concentrator certificates into the new Phone-VPN-Trust certificate store

Cisco Unified OS Administration ► Security ► Certificate Management

Page 9

VPN Gateway Configuration

Cisco Unified CM Administration ► Advanced Features ► VPN ► VPN Gateway

Up to 10 certificates can be assigned to a VPN Gateway, and at least one must be assigned to each gateway. Only certificates associated with the VPN role appear in the available VPN Certificates list. The URL should point to the main concentrator in the gateway.

Page 10

VPN Group Configuration

Cisco Unified CM Administration ► Advanced Features ► VPN ► VPN Group Configuration

  Up to 3 VPN Gateways can be added to a VPN Group.
  The total number of certificates in the VPN Group cannot exceed 10.

Page 11

VPN Feature Configuration

Cisco Unified CM Administration ► Advanced Features ► VPN ► VPN Feature Configuration

  Where they overlap, VPN Profile fields override these settings, if set
  Client Authentication Method – User and Password, Password Only, or Certificate (LSC or MIC)

Page 12

VPN Profile Configuration

Cisco Unified CM Administration ► Advanced Features ► VPN ► VPN Profile Configuration

  Enable Auto Network Detect – If enabled, the VPN client will only run if it detects that it is outside the corporate network
  Enable Host ID Check – If enabled, the VPN gateway certificate's subjectAltName or CN must match the URL to which the VPN Client has connected
  Enable Password Persistence – If enabled, a user's password is saved in the phone until a failed login or until the user clears it
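The Host ID Check above is a hostname-verification rule, so here is how a client evaluates it, as an added example that is not part of the original deck or of Cisco's phone firmware: the host in the gateway URL is compared with the certificate's subjectAltName entries (DNS names under RFC 6125 wildcard rules, or IP addresses when the phone connected by address), and the CN is consulted only when the certificate carries no SAN at all. The certificate dictionaries follow the layout Python's ssl getpeercert() returns; the sample certificate, hostnames and addresses are constructed.

```python
"""Host ID check as the VPN Profile describes it: the host in the URL the phone
connected to must match the gateway certificate's subjectAltName, or its CN
when the certificate carries no SAN. Added example, not Cisco's code; the
certificate dictionaries and URLs below are constructed for illustration and
use the shape that Python's ssl.SSLSocket.getpeercert() returns."""
import ipaddress
from urllib.parse import urlsplit


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a '*' may only replace the
    whole left-most label, needs at least two more labels, and matches exactly
    one label (so '*.branch.example.com' never covers 'a.b.branch.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def host_id_check(url: str, cert: dict) -> bool:
    """Return True when the host in `url` is covered by `cert`.

    `cert` uses getpeercert()'s layout, e.g.
      {"subject": ((("commonName", "vpn.example.com"),),),
       "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10"))}
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if dns_names or ip_names:
        # A certificate with SAN entries is judged on them alone (the CN is ignored),
        # and a phone that connected by IP address must find an IP SAN, not a DNS name.
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return any(match_dns_name(p, host) for p in dns_names)
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    # Legacy fallback: no SAN at all, so compare against the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return match_dns_name(value, host)
    return False


# Constructed sample gateway certificate (not a real ASA/ISR certificate).
SAMPLE_GATEWAY_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpn.example.com"),
        ("DNS", "*.branch.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}

if __name__ == "__main__":
    for url in ("https://vpn.example.com/", "https://203.0.113.10/",
                "https://vpn.example.com.evil.test/"):
        print(url, "->", "OK" if host_id_check(url, SAMPLE_GATEWAY_CERT) else "REJECT")
```

The point of the check is the last case in the demo: a certificate for `vpn.example.com` does not cover `vpn.example.com.evil.test`, and a wildcard covers exactly one label, so a gateway certificate presented by a host it was not issued for is rejected before credentials are sent.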

Page 13

Assign a VPN Group and Profile in the Common Phone Profile

Cisco Unified CM Administration ► Device ► Device Settings ► Common Phone Profile

  By associating a phone with a Common Phone Profile, the phone is assigned a specific VPN Group and VPN Profile

Page 14

VPN Client on the IP Phone

Settings ► Security Configuration ►VPN Configuration

Page 15

VPN Client on the IP Phone

Settings ► Network Configuration

Settings ► Status ► Network Statistics

Page 16

Trusted Relay Point (TRP)

Page 17

Agenda

  Overview

  Secure SoftPhone Connectivity (TRP)

  Secure UC and Firewalls (TRP)

  Virtual Networking (Segmentation) (TRP and VRF)

Page 18

Trusted Relay Point (TRP) Overview

  Software function that runs on Cisco network devices such as campus switches and routers (similar to an MTP)
  Inserted in the call flow by CUCM 7.0 (or CUCME 4.0) based on configuration
  Provides a trusted anchoring point for media to enable several functions (QoS enforcement, Trusted VLAN traversal, ...)

[Figure: branch routers and access switches linked over the IP WAN to the WAN aggregation and distribution/core switch; IP Phones sit in the UC VLAN and a software client in the Data VLAN; the TRP functions shown are UC Trusted VLAN Traversal, UC Trusted Firewall Control and UC Trusted QoS Enforcement, all controlled by UC Manager]

Page 19

TRP Functionality and Benefits

  MTP-like function: network/transport media traversal services
  Resides in an external (for CUCM) or internal (CME) IOS platform
  Dynamically inserted into a call flow by CUCM/CME
  Provides a trusted anchoring point for media, enabling:
    QoS trusted edge (shipping)
    Virtual/Segmented (VLAN) traversal (shipping)
    Firewall traversal (12.4.22T for CME; roadmap for CUCM)
    Virtual/Segmented (VRF) traversal (12.4.22T)
    Monitoring/Recording (future)
    Media Conversion: SRTP to RTP (future), IPv4-IPv6 (future)

Potential TRP Devices: Router, Switch, Firewall, Wireless Access Point, WLAN Controller

Page 20

Configuring TRP Features in CUCM 7.0

[Figure: endpoints (anything that terminates media) and Media Termination Points (MTPs), here IOS MTPs on ISRs; MTP selection is based on MRG/MRGL]

Page 21

UC-trusted (TRP) Implementation

| Platform | UC-trusted QoS Control | UC-trusted VLAN Control | UC-trusted FW Control | VRF |
|---|---|---|---|---|
| CUCM | CUCM 7.0 TRP; standard MTP configuration on the router | CUCM 7.0 TRP; standard MTP configuration on the router | Future | CUCM 7.0 TRP; CUCM is VRF-unaware, but can connect into VRF-segmented networks aided by IOS TRP (12.4.22T IOS) |
| CME | Implicit in the CME B2BUA; ephone "mtp" option | Implicit in the CME B2BUA; ephone "mtp" option | CME + IOS FW collocated on the same platform, 12.4.22T | Multi-VRF and VRF traversal in 12.4.22T |
| SRST | N/A | N/A | N/A | Single-VRF; SIP SRST: 12.4.15T; SCCP SRST: 12.4.22T |

Page 22

TRP Basic Functionality, Places in the Network

  MTP-like device
  Source and destination address NAT: IP and UDP headers are translated in both directions
  Flow awareness (non-NAT)
  Currently TRP is implemented only on the ISR branch office routers
  The implementation can be extended to other infrastructure devices

[Figure: a packet shown as source IP/UDP, destination IP/UDP and payload before and after the TRP; TRP placement shown in the campus and in the branch at the IP WAN and Internet edges]

Reference

Page 23

CUCM TRP Insertion "Rules"

  If multiple functions are required for a given call (Xcoder, TRP, RSVP Agent, DTMF relay, ...), CUCM will first attempt to select an MTP that can fulfil them all
  If that is not possible, the TRP will be placed 'closest' to the endpoint
  TRP supports SRTP and video ("pass-through" codec)
  If a call is placed on hold, TRP stops streaming media, but the resource is kept
  If CUCM is unable to allocate a TRP for a call, the call fails or not depending on the service parameter "Fail Call if Trusted Relay Point allocation fails" (default is true)

[Figure: call flow with G.729, G.711 and DTMF legs and the "Use TRP" device setting]

Reference

Page 24

Agenda

  Introduction
  New Features Overview
  Secure SoftPhone Connectivity (TRP)
    UC-trusted QoS Enforcement
    UC-trusted VLAN Traversal
  Secure UC and Firewalls (TRP)
  Virtual Networking (Segmentation)

Page 25

UC-Trusted QoS Enforcement

[Figure: a SoftPhone (CUPC on a PC) and IP Phones on access switches, with a distribution switch, branch router and WAN aggregation across the IP WAN. The access switch does not trust QoS from the PC; UC media is marked best-effort from the PC to the TRP; CUCM is configured to insert a TRP for all "untrusted" devices; the TRP is trusted and marks QoS EF/CS4 for the CUCM-controlled call flow; QoS and Call Admission Control are applied across the WAN]

  The feature may be enabled for all "untrusted" endpoints that register to CUCM/CME (software-based, video, 3rd party, ...)
  To minimize the number of MTPs involved in a call, ensure the same network device can perform all needed functions (TRP, RSVP Agent, Xcoder, ...)
  Use a plain MTP configuration on the router – no changes in the router config. CUCM 7.0 provides a "Use TRP" checkbox

Page 26

UC-Trusted QoS Enforcement

  CUCM's existing codec and CAC mechanisms are used to enforce how much and what type of media is allowed to access the network

[Figure, four cases: media packets sent with no or incorrect QoS marking from an application registered with CUCM; media packets sent via the TRP with QoS marking as instructed by CUCM; media packets leaving the switch marked Best Effort because they do not come from a TRP; media packets sent with no or incorrect QoS marking from an application NOT registered with CUCM]

Reference

Page 27

UC-Trusted VLAN Traversal: Controlling Access to UC VLANs (1)

[Figure: UC VLAN and Data VLAN]

Mechanisms based on ACLs rely on port numbers—no way to ensure only 'trusted' media enters the UC VLAN

Page 28

UC-Trusted VLAN Traversal: Controlling Access to UC VLANs (2)

[Figure: UC VLAN and Data VLAN, with the TRP between them]

TRP enables you to limit entry into the UC VLAN to media streams controlled by CUCM or CME

Provides an effective and simple mechanism to control access to UC VLANs

Mechanisms based on ACLs rely on port numbers—no way to ensure only 'trusted' media enters the UC VLAN

Page 29

UC-Trusted VLAN Traversal

[Figure: a softphone in the Data segment and IP phones on access switches at a branch, with CME/CCME on the branch router, across the IP WAN. CUCM is configured to insert a TRP for devices in Data VLANs (PC clients); an ACL only allows packets coming from the TRP into the UC VLAN; calls between segments are bridged by the TRP – the same TRP can be used for QoS enforcement]

  TRP enables Secure IP Phone Connectivity by securely bridging only "authorized" (CUCM or CME) media from the Data VLAN to the UC VLAN
  TRP can also remark the QoS for "authorized traffic" from the Softphone
  CUCM 7.0 and CME 4.0 (12.4.9T)

Page 30

TRP Configuration

  The CME "mtp" designation forces all media to that endpoint to be "flow-through" on CME, i.e. CME proxies the media and can then perform functions like QoS remarking and VLAN traversal
  Introduced in CME 4.0 (12.4.9T)

CUCM 7.0 Phone (Endpoint/Device) Configuration: the "Use TRP" checkbox

CME 4.0 Ephone Configuration:

    ephone 1
     description xxx
     mac-address 0012.8055.D2EE
     mtp

Page 31

Agenda

  Introduction
  New Features Overview
  Secure SoftPhone Connectivity (TRP)
  Secure UC and Firewalls (TRP)
  Virtual Networking (Segmentation)

Page 32

UC-Trusted Firewall Control

[Figure: endpoints on access switches behind IOS Firewalls, each side with a router with TRP, connected across the IP WAN and controlled by CUCM. A shared secret is configured in the TRPs and FWs; the TRP sends a STUN/ICE message with a crypto token; the FW opens a pinhole after verifying the crypto token]

  Cisco UC cooperates with Cisco firewalls to enable trusted media control
  Innovative Cisco solution based on STUN/ICE standards
  Implemented on CME and IOS FW in 12.4.22T
  Future (roadmap) on CUCM and other Firewalls

Page 33

UC-Trusted Firewall Control

FW ALG:
  The FW looks at the signaling to determine what media ports to open
  If you upgrade a voice application server the FW might be affected
  If the FW does not see the signaling (encrypted, asymmetric path) then media ports cannot be opened
  The FW may not support the latest voice protocols (SIP, MGCP, H.323), call flows or video

[Figure: with a FW ALG, signaling between endpoint A and CUCM passes the FW, which reasons "I see signaling, maybe a valid call? Open media ports???" before RTP flows. With UC-Trusted FW Control, the TRP hands the FW the details of the valid, authorized call]

UC-Trusted FW Control:
  The FW receives a hashed STUN message with details of an authorized call
  Protocol version independent
  Secures encrypted signaling paths
  Secures asymmetric signaling and media paths

Page 34

UC-Trusted FW – STUN Protocol

  Authentication of the FW open-port request
  Only call-agent-authorized flows are allowed through the FW
  Asymmetric signaling/media paths
  Encrypted signaling supported (i.e. more secure)
  Ports open only for the session length – opened and closed by the call agent/TRP for the valid session duration only

[Figure, sequence: endpoint A sets up the call with CUCM over TLS (encrypted signaling); CUCM engages the TRP and completes setup; the TRP sends STUN (open ports) to the FW; RTP flows through the FW; the TRP sends STUN (keepalive) for as long as the session lasts]

Reference

Page 35

Implementation: CME + IOS FW

  CME, TRP and IOS Firewall are co-located on the same router. A different router could be used in future, but this is not yet implemented in 12.4.22T
  The FW opens a port dynamically when it receives a STUN request for a media flow
  The request is authenticated/authorized by the FW so that pinholes are opened only for genuine calls sanctioned by the call agent (CME)
  The FW extracts a Token from the STUN request, validates the Token and opens the pinhole
  If the FW sees no validated keepalive messages for a user-configured interval (30 seconds), the pinhole is closed

Page 36

CME TRP Configuration: UC-trusted FW Traversal

  A FW-traversal TRP requires the following information: Authorization agent-id, Shared secret, CAT (Token) life, Keepalive interval

STUN parameters are defined:

    voice service voip
     stun
      stun flowdata agent-id <id>
      stun flowdata shared-secret <secret>
      stun flowdata keepalive <interval>
      stun flowdata catlife <lifetime>

STUN usage is enabled:

    voice class stun-usage <tag>
     stun usage firewall-traversal flowdata

STUN usage attached to the VoIP dial-peer:

    dial-peer voice <tag> voip
     voice-class stun-usage <tag>

Reference

Page 37

CME UC-trusted FW Traversal Configuration

    voice service voip
     stun
      stun flowdata agent-id 15
      stun flowdata shared-secret ciscopasswd1234
      stun flowdata keepalive 5
    !
    voice class stun-usage 10000
     stun usage firewall-traversal flowdata
    !
    dial-peer voice 1 voip
     destination-pattern 2...
     voice-class stun-usage 10000
     session protocol sipv2
     session target ipv4:9.13.23.6
     codec g711ulaw

  Define the stun flowdata parameters: agent-id, shared-secret and keepalive interval (default is 10 sec)
  Define a voice class for FW traversal
  Apply the FW voice-class to the required dial-peer (the leg which has to traverse the FW)

Reference

Page 38

CUCM UC-trusted FW Traversal Configuration

  UC-Trusted FW control is not yet supported on CUCM – it will be in a future release
  This slide shows only the IOS TRP configuration that would be used once CUCM supports UC-Trusted FW traversal

    voice service voip
     stun
      stun flowdata agent-id 15
      stun flowdata shared-secret ciscopasswd1234
      stun flowdata keepalive 5
    !
    dspfarm profile 1 mtp
     codec g711ulaw
     trp firewall-traversal
     maximum sessions software 10
     associate application SCCP
    !
    sdspfarm units 1
    sdspfarm tag 1 TRP1

  Define the stun flowdata parameters: agent-id, shared-secret and keepalive interval (default is 10 sec)
  Enable TRP-based FW traversal for the MTP profile

Reference

Page 39

TRP Show Commands

    show voip trp session [call-id <id> | source-address <ip-address> source-port <port> | destination-address <ip-address> destination-port <port>] [detail]

  Without the detail keyword, the following is displayed: Call ID, Source IP address, Source port, Destination IP address, Destination port
  With the detail keyword, the following is additionally displayed: GUID, Authentication tag, UHK, EHK, Number of open pinhole messages sent, Time at which the last open pinhole message was sent, Time at which the next open pinhole message is scheduled, Number of keepalive messages sent, Time at which the last keepalive message was sent

Reference

Page 40

TRP Clear Command

  If a SIP BYE is lost or there is a bug, it can result in hung/stale TRP sessions and leave the firewall pinholes open
  The following command clears TRP sessions and closes any open pinholes

    clear voip trp session [call-id <id> | source-address <ip-address> source-port <port> | destination-address <ip-address> destination-port <port> | force] [force]

Reference
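The firewall-side logic the UC-Trusted FW Control slides describe (a shared secret on TRP and FW, a token-carrying STUN request, a pinhole opened only after the token validates, closed when validated keepalives stop, and an operator clear for hung sessions) can be modelled end to end. The following is an added example, not Cisco's implementation and not the CAT format IOS uses, which the deck does not describe: the token here is an HMAC-SHA256 over the agent-id, the media 5-tuple and an expiry that stands in for the CAT life; the class and method names, the secret and the addresses are constructed.

```python
"""Model of the UC-Trusted Firewall Control exchange on the preceding slides:
the TRP and the firewall share a secret, the TRP's STUN request carries a token
that authenticates the media flow and the authorizing agent-id, the firewall
verifies the token before opening a pinhole, keeps it open only while validated
keepalives arrive within the configured interval, and an operator can clear
hung sessions. Added example, not Cisco's implementation: the token layout
(HMAC-SHA256 over the flow fields and an expiry), the Python names and the
sample addresses are constructed here; Cisco's CAT format and its UHK/EHK keys
are not described on the page."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def make_token(secret: bytes, agent_id: int, flow: Flow, expires_at: int) -> bytes:
    """TRP side. Binds agent-id, 5-tuple and expiry (the 'CAT life') under the shared secret."""
    msg = f"{agent_id}|{flow[0]}:{flow[1]}->{flow[2]}:{flow[3]}|{expires_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


@dataclass
class Pinhole:
    flow: Flow
    agent_id: int
    last_keepalive: int
    keepalives: int = 0


@dataclass
class TrustedFirewall:
    secret: bytes                  # the shared secret configured on both TRP and FW
    agents: Set[int]               # agent-ids whose calls this FW will admit
    keepalive_interval: int = 30   # seconds without a validated keepalive before closing
    pinholes: Dict[Flow, Pinhole] = field(default_factory=dict)

    def _token_valid(self, agent_id: int, flow: Flow, expires_at: int, token: bytes, now: int) -> bool:
        if agent_id not in self.agents or now > expires_at:
            return False
        expected = make_token(self.secret, agent_id, flow, expires_at)
        # Constant-time comparison so a forged token cannot be refined through timing.
        return hmac.compare_digest(expected, token)

    def open_request(self, agent_id: int, flow: Flow, expires_at: int, token: bytes, now: int) -> bool:
        """STUN 'open ports' request: a pinhole is created only for a validated token."""
        if not self._token_valid(agent_id, flow, expires_at, token, now):
            return False
        self.pinholes[flow] = Pinhole(flow, agent_id, last_keepalive=now)
        return True

    def keepalive(self, agent_id: int, flow: Flow, expires_at: int, token: bytes, now: int) -> bool:
        """STUN keepalive: refreshes an existing pinhole, again only with a valid token."""
        pinhole = self.pinholes.get(flow)
        if pinhole is None or not self._token_valid(agent_id, flow, expires_at, token, now):
            return False
        pinhole.last_keepalive = now
        pinhole.keepalives += 1
        return True

    def permits(self, flow: Flow) -> bool:
        """Data-plane decision for an RTP packet: forwarded only through an open pinhole."""
        return flow in self.pinholes

    def expire(self, now: int) -> List[Flow]:
        """Close pinholes with no validated keepalive within the interval; returns the closed flows."""
        stale = [f for f, p in self.pinholes.items() if now - p.last_keepalive > self.keepalive_interval]
        for f in stale:
            del self.pinholes[f]
        return stale

    def clear(self) -> int:
        """Operator action in the role of the slide's clear command: drop every session,
        e.g. after a lost SIP BYE left a pinhole hung. Returns how many were closed."""
        count = len(self.pinholes)
        self.pinholes.clear()
        return count


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    fw = TrustedFirewall(secret=secret, agents={15})
    flow = ("192.0.2.10", 16384, "198.51.100.20", 16386)   # constructed media flow
    token = make_token(secret, 15, flow, expires_at=1060)
    print("open:", fw.open_request(15, flow, 1060, token, now=1000))
    print("forged rejected:", not fw.open_request(15, flow, 1060, b"\x00" * 32, now=1000))
    print("closed after silence:", fw.expire(now=1031))
```

The 30-second default mirrors the interval on the implementation slide. Three properties carry the security argument: a token computed with a different secret, for an unknown agent-id or past its expiry never opens anything; a pinhole that stops receiving validated keepalives disappears by itself; and clear() is the fallback for the hung-session case the clear command addresses.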

Page 41

Agenda

  Introduction

  New Features Overview

  Secure SoftPhone Connectivity (TRP)

  Secure UC and Firewalls (TRP)

  Virtual Networking (Segmentation)

Page 42

VRF Concepts

  VRF – Virtual Routing and Forwarding
    Network segmentation technology
    A mechanism to define multiple "virtual" routers in a single physical router
    Provides convergence/sharing of facilities/infrastructure but logical isolation of traffic
    VLAN: L2 segmentation; VRF: L3 segmentation
  Technologies that utilize VRF
    MPLS – Multi Protocol Label Switching: MPLS uses labels to make packet forwarding decisions
    DMVPN – Dynamic Multipoint Virtual Private Network: dynamic establishment of secure tunnels between sites for data exchange

Page 43

Why is Segmentation important to Customers?

  Enterprises need to securely group systems and applications by business criticality or function without the overhead of maintaining physically separate networks. Examples: Guest Access; Partner Access; Outsourcing services (India ITS model); Universities; inter-company collaboration teams
  Growing requirement for businesses to comply with regulations for separation of sensitive data; they are looking for solutions without the overhead of maintaining physically separate networks. Examples: Financial Banking/Trading; Healthcare services
  State and Federal Governments worldwide have various isolated agencies that need to work together on a network that allows dynamic and controlled sharing of information on an as-needed basis. Examples: Department of Homeland Security; closed user groups
  Requirement for securely "hosting" external services on a converged network. Examples: Bank ATMs, kiosks or pharmacies in retail stores; airport "virtual" gates

Page 44

Virtual Network Customer Use Cases: Enterprise Trends across Verticals

[Figure, use cases by vertical:
  Financial – Regulatory Separation of Banking, Analysts; Mergers and Acquisitions
  Manufacturing/Retail – Automation of Production Plants; Integration of Sales Sites, Suppliers and Partners; Kiosks; Public Wi-Fi Access
  Healthcare – Individual "Hotel" Services for Patients; Isolated medical Networks for Records, Services
  Government – Shared Buildings and Facilities across different Agencies: Police, Fire Department, Tax Administration
  Education – Separate Departments; Inter-University Research Programs; Student Devices]

Page 45

VRF Overview: What is a VRF (Virtual Routing and Forwarding)?

  Typically all routing processes and static routes populate one routing table
  All interfaces are part of the global routing table

Global routing table:

    router eigrp 1
     network 10.1.1.0 0.0.0.255
    !
    router ospf 1
     network 10.2.1.0 0.0.0.255 area 0
    !
    router bgp 65000
     neighbor 192.168.1.1 remote-as 65000
    !
    ip route 0.0.0.0 0.0.0.0 140.75.138.114

Reference

Page 46

VRF Overview: What is a VRF (Virtual Routing and Forwarding)?

  VRFs allow dividing your routing table into multiple virtual tables
  Routing protocol extensions allow binding a process/address family to a VRF
  Interfaces are bound to a VRF using ip vrf forwarding <vrf-name>

Global routing table (eigrp 1) and VRF routing tables (orange, blue, green):

    router eigrp 1
     network 10.1.1.0 0.0.0.255
    !
    router ospf 1 vrf orange
     network 10.2.1.0 0.0.0.255 area 0
    !
    router bgp 65000
     address-family ipv4 vrf blue
      …
    !
    ip route vrf green 0.0.0.0 0.0.0.0 …

Reference

Page 47

VRF Overview: How are VRFs used?

  VRFs can be used by themselves (multi-VRF or VRF-lite) or within an MPLS VPN
  The tag defines from which VRF traffic was sourced / for which VRF traffic is destined
  The FIB table needs to have this information for each prefix

VRF-lite (aka Multi-VRF CE) – the 802.1q VLAN ID carries the segment:

    L2 Header: MAC DST | MAC SRC | ETHERTYPE 0x8100 | 802.1q TAG (802.1p CoS, CFI, VLAN ID) | IP SRC | IP DST | PAYLOAD

MPLS VPNs – the MPLS label carries the VPN ID:

    L2 Header: MAC DST | MAC SRC | ETHERTYPE 0x8847 | MPLS Label (Label (VPN ID), EXP, S, TTL) | IP SRC | IP DST | PAYLOAD

Reference
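To make the two frame layouts concrete, here is a parser for them, added here and not part of the deck or of any Cisco code: it reads the 802.1q tag (VLAN ID and 802.1p CoS) or walks the MPLS label stack to the bottom-of-stack label that identifies the VPN, and reports untagged frames as belonging to the global table. The builder functions, MAC addresses and payload bytes are constructed for the example.

```python
"""Parse the segmentation header the slide shows for each virtual-network
encoding: an 802.1q tag (Ethertype 0x8100; 3-bit 802.1p CoS, 1-bit CFI, 12-bit
VLAN ID) for VRF-lite/VLAN segmentation, or an MPLS shim (Ethertype 0x8847;
20-bit label, 3-bit EXP, 1-bit bottom-of-stack S, 8-bit TTL) whose label
carries the VPN ID. Added example, not Cisco code; the frames are constructed
inline with struct so it runs offline."""
import struct
from typing import NamedTuple, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_IPV4 = 0x0800


class Segment(NamedTuple):
    kind: str                        # "vlan" or "mpls"
    segment_id: int                  # VLAN ID, or the bottom-of-stack MPLS label (VPN ID)
    priority: int                    # 802.1p CoS, or the EXP bits of the top label
    inner_ethertype: Optional[int]   # Ethertype after the 802.1q tag; None for MPLS
    labels: Tuple[int, ...]          # full MPLS label stack, top first; () for VLAN
    payload: bytes                   # bytes following the segmentation header


def parse_segment(frame: bytes) -> Optional[Segment]:
    """Return the segment a frame belongs to, or None for an untagged frame
    (which a VRF-lite router would place in the global routing table)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        cos = tci >> 13            # 802.1p priority code point
        vlan_id = tci & 0x0FFF     # CFI is bit 12 and plays no part in segmentation
        return Segment("vlan", vlan_id, cos, inner, (), frame[18:])
    if ethertype == ETHERTYPE_MPLS_UNICAST:
        labels, offset, top_exp = [], 14, 0
        while True:                # walk the stack until the S bit marks the bottom
            if len(frame) < offset + 4:
                raise ValueError("truncated MPLS label stack")
            (shim,) = struct.unpack("!I", frame[offset:offset + 4])
            label, exp, bottom = shim >> 12, (shim >> 9) & 0x7, (shim >> 8) & 0x1
            if not labels:
                top_exp = exp
            labels.append(label)
            offset += 4
            if bottom:
                break
        # In an MPLS VPN the bottom label is the VPN label; with a single label
        # (the slide's drawing) it is the only one.
        return Segment("mpls", labels[-1], top_exp, None, tuple(labels), frame[offset:])
    return None


def build_vlan_frame(dst: bytes, src: bytes, vlan_id: int, cos: int, payload: bytes,
                     inner_ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Constructed 802.1q-tagged frame: TCI = CoS<<13 | CFI=0 | VLAN ID."""
    tci = (cos & 0x7) << 13 | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, inner_ethertype) + payload


def build_mpls_frame(dst: bytes, src: bytes, labels: Tuple[int, ...], payload: bytes,
                     exp: int = 0, ttl: int = 64) -> bytes:
    """Constructed MPLS frame; S is set on the last label of the stack."""
    stack = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        shim = (label & 0xFFFFF) << 12 | (exp & 0x7) << 9 | bottom << 8 | (ttl & 0xFF)
        stack += struct.pack("!I", shim)
    return dst + src + struct.pack("!H", ETHERTYPE_MPLS_UNICAST) + stack + payload


def build_untagged_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed plain IPv4 frame with no segmentation header."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    mac_a, mac_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    ip = bytes([0x45]) + bytes(19)                                                # minimal IPv4 header
    print(parse_segment(build_vlan_frame(mac_b, mac_a, vlan_id=110, cos=5, payload=ip))[:3])
    print(parse_segment(build_mpls_frame(mac_b, mac_a, labels=(16, 1024), payload=ip, exp=5))[:3])
    print(parse_segment(build_untagged_frame(mac_b, mac_a, ip)))
```

The parser is where the slide's point about the FIB becomes visible: the forwarding decision needs the segment identifier from this header for every packet, and a frame without one can only be matched against the global table.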

Page 48

Security with Virtual Networks

  You cannot attack what you cannot reach
  Virtualization allows multiple "networks" to share physical infrastructure without being visible to each other

[Figure: segments HR (with an HR secure server), Finance (with a Finance secure server), Voice and Global sharing one infrastructure, with endpoint A in the Voice segment]

Softphones, Video, MPlace, Webex and other applications need to be visible to both the Data and Voice Segments. TRP can bridge the gap with VRF traversal.

Page 49

Use Case 1: SP SIP-Controlled Retail Branch

[Diagram: retail branch with a SIP-SRST MPLS CE router, voice services provided by the SP, fax on FXO ports.]

  Segmentation of traffic required for isolation of Retailer’s network from the Kiosk and other Vendor

  SP requires MPLS labels to be applied at the CE to route traffic to the appropriate server/network

–  ATM machine traffic (blue) goes to Bank X

–  Kiosk traffic goes to Pharmacy Y

–  Voice traffic goes to SIP SP Z

  SIP IP Phones registered/controlled by SP SIP softswitch

–  SIP-SRST provides failover voice services

–  SRST must be in same VRF as the other voice elements (PSTN, Fax and Phones)

Page 50

VRF Configuration: SIP-SRST Reference

ip cef
!
ip vrf vrf-srst
 rd 90:1
!
no ip dhcp use vrf connected
!
ip dhcp pool vrf-srst
 vrf vrf-srst
 network 11.1.1.0 255.255.255.0
 default-router 11.1.1.20
 option 150 ip 10.1.1.3
 dns-server 172.18.196.38
 domain-name mh.cisco.com
 class vrf-srst
  address range 11.1.1.220 11.1.1.235
!
ip dhcp class vrf-srst
!
voice vrf vrf-srst
!
voice service voip
 allow-connections sip to sip
 sip
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  registrar server expires max 600 min 60
!
voice register pool 1
 id mac 000F.23FC.A595
 call-forward b2bua noan 3001 timeout 10
 codec g711ulaw
!
interface GigabitEthernet0/0
 ip vrf forwarding vrf-srst
 ip address 11.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
ip route vrf vrf-srst 0.0.0.0 0.0.0.0 11.1.1.1
!
dial-peer voice 2 pots
 destination-pattern 9000
 port 2/0/0
!
sip-ua
 retry invite 3
 registrar ipv4:10.1.1.3 expires 3600
!

Page 51

Use Case 2: Multi-VRF CME with SIP Trunk

  CME endpoints can support up to 5 VRFs

–  Hardphones in Company-VRF

–  Hardphones in Guest-VRF

–  Softphones in the Data VRF

  CME routes calls (VRF traversal) between the different endpoint VRFs, and between endpoints and SIP Trunk VRF

  Inter-site calls are routed via the SIP trunk in the Voice VRF (global voice VRF)

[Diagram: two sites, each with a CME / MPLS CE router, connected across the MPLS SP; the SIP trunk sits in the global Voice VRF.]

Page 52

[Diagram: VRF-aware CME router – Ethernet ports on the CME router are associated with VRFs; softphones of the Finance and Sales departments sit in the Data VRFs (FINANCE & SALES), the Voice VRF carries the VG224 and the SP side; one physical CME appears as several virtual CUCMEs.]

Separating the networks by creating separate VRFs – one CME becomes multiple virtual CMEs

VRFs are tagged with the interfaces:

Voice VRF: VOICE

Data VRF: FINANCE

Data VRF: SALES

Page 53

CME VRF Configuration (1)

ip vrf vcme1
ip vrf vcme2
ip vrf vcme3
ip vrf vcme4
ip vrf vcme5
!
voice vrf vcme2
!
interface GigabitEthernet0/0.301
 encapsulation dot1Q 301
 ip vrf forwarding vcme1
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/0.302
 encapsulation dot1Q 302
 ip vrf forwarding vcme2
 ip address 10.2.10.1 255.255.255.0
!
interface GigabitEthernet0/0.303
 encapsulation dot1Q 303
 ip vrf forwarding vcme3
 ip address 10.3.10.1 255.255.255.0
!
interface GigabitEthernet0/0.304
 encapsulation dot1Q 304
 ip vrf forwarding vcme4
 ip address 10.4.10.1 255.255.255.0
!
interface GigabitEthernet0/0.305
 encapsulation dot1Q 305
 ip vrf forwarding vcme5
 ip address 10.5.10.1 255.255.255.0

Define the 5 CME VRFs

Define the global Voice VRF (SIP Trunk)

Define the VRFs on the various interfaces/subinterfaces on the CME router

Page 54

CME VRF Configuration (2)

interface Service-Engine1/0
 ip vrf forwarding vcme2
!
telephony-service
 group 1 vrf vcme1
  ip source-address 10.1.10.1 port 2000
 group 2 vrf vcme2
  ip source-address 10.2.10.1 port 2000
 group 3 vrf vcme3
  ip source-address 10.3.10.1 port 2000
 group 4 vrf vcme4
  ip source-address 10.4.10.1 port 2000
 group 5
  ip source-address 12.5.10.1 port 2000
!
ephone 232
 device-security-mode none
 mac-address 001A.A246.05AC
 username "kshang" password 7001
 group phone 1
 type 7970
 keep-conference
 button 1:232

Tie VRFs to CME “groups” of phones/users

Designate specific ephones (soft or hard phones) to belong to a specific group (i.e. VRF)

Define the VRF that CUE (if present) belongs to

Page 55

Summary VRF Configuration Steps for CME

Define a VRF group

rtr(config)#telephony-service
rtr(config-telephony)#group <tag> [vrf <vrfname>]
rtr(conf-tele-group)#ip source-address <ip-addr> [port <port>] [secondary <ip-addr> [rehome <seconds>]]
rtr(conf-tele-group)#cnf-file <tftp:> <TFTP URL>
rtr(conf-tele-group)#url <info | messages | services | directories | idle | authentication | proxy-server> <url string> [idle-timeout <timeout>]

Assign a VRF group to an ephone

rtr(config)#ephone 1
rtr(config-ephone)#group phone <group tag> [tapi <group tag>]

Assign a VRF group to an ephone-template

rtr(config)#ephone-template 1
rtr(config-ephone-template)#group phone <group tag> [tapi <group tag>]

Page 56

Use Case 3: CUCM Segmented Network – TRP for VRF Traversal between Endpoints

  Create a Services-VRF visible to all the VRFs to be bridged

  There is no direct path between the Data and Voice VRFs and endpoints on these VRFs can not ping each other

  CUCM connects a TRP to do VRF traversal

–  TRP does this via the Services-VRF

[Diagram: TRP router between Segment Data (VLAN-Data, Data-VRF) and Segment Voice (VLAN-Voice, Voice-VRF); CUCM itself is VRF-unaware.]

Data-VRF: export Data-VRF, import Services-VRF
!
Services-VRF: export Services-VRF, import Data-VRF, import Voice-VRF
!
Voice-VRF: export Voice-VRF, import Services-VRF

Page 57

Use Case 4: CUCM Segmented Network – Media Resources in VRFs

  Put DSP resources for Conf/Xcod in a separate Resources-VRF so that the TRP (via a Services-VRF) can bridge any endpoint (from any VRF) to the shared resources, without creating a direct ping path between the endpoints

[Diagram: TRP router between Segment Data (VLAN-Data, Data-VRF), Segment Voice (VLAN-Voice, Voice-VRF) and Segment Resources (Resource-VRF holding the Xcod and Conf DSP resources); CUCM itself is VRF-unaware.]

Data-VRF: export Data-VRF, import Services-VRF
!
Services-VRF: export Services-VRF, import Data-VRF, import Voice-VRF, import Resource-VRF
!
Voice-VRF: export Voice-VRF, import Services-VRF
!
Resource-VRF: export Resource-VRF, import Services-VRF
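The route-target relationships of Use Cases 3 and 4 can be checked before they are typed into a router. The following is an added example, not part of the deck or of any Cisco code: it models import/export in plain Python, confirms that every endpoint VRF reaches the Services-VRF while Data-VRF and Voice-VRF stay mutually unreachable, and shows how a single stray import line breaks that isolation. The route-target values, prefixes and RDs are constructed placeholders; the deck names the VRFs but gives no numbers.

```python
"""Reachability check for the Services-VRF design in Use Cases 3 and 4."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One VRF: its connected prefixes, the RT it exports, the RTs it imports."""
    name: str
    prefixes: frozenset
    export_rt: str
    import_rts: frozenset = field(default_factory=frozenset)


def routing_table(vrf, vrfs):
    """Prefix -> owning VRF, as the VRF's table looks after RT import.
    Connected prefixes are always there; foreign prefixes appear only when
    this VRF imports the RT that their owner exports."""
    table = {p: vrf.name for p in vrf.prefixes}
    for other in vrfs.values():
        if other is not vrf and other.export_rt in vrf.import_rts:
            table.update({p: other.name for p in other.prefixes})
    return table


def can_talk(a, b, vrfs):
    """Two-way reachability: A needs a route towards B for the request and
    B needs a route back towards A for the reply (a one-way import gives a
    half-open path that only shows up as silent packet loss)."""
    a_sees_b = b in routing_table(vrfs[a], vrfs).values()
    b_sees_a = a in routing_table(vrfs[b], vrfs).values()
    return a_sees_b and b_sees_a


def isolation_violations(vrfs, endpoint_vrfs):
    """Directed endpoint pairs (a, b) where a holds a route towards b.  The TRP
    design wants this list empty: even a one-way leak lets a reach b's hosts,
    so endpoints may only meet inside the Services-VRF."""
    names = sorted(endpoint_vrfs)
    return [(a, b) for a in names for b in names
            if a != b and b in routing_table(vrfs[a], vrfs).values()]


def ios_vrf_config(vrf):
    """IOS 'ip vrf' stanza for the VRF; the RD is taken equal to the export RT
    here purely for brevity (an assumption, not a recommendation)."""
    lines = [f"ip vrf {vrf.name}", f" rd {vrf.export_rt}",
             f" route-target export {vrf.export_rt}"]
    lines += [f" route-target import {rt}" for rt in sorted(vrf.import_rts)]
    return "\n".join(lines)


def use_case_4_vrfs():
    """Import/export relationships exactly as drawn on the Use Case 4 slide;
    RT numbers and prefixes are constructed sample values."""
    data, voice, services, resource = "65000:1", "65000:2", "65000:3", "65000:4"
    vrfs = [
        Vrf("Data-VRF", frozenset({"10.1.0.0/24"}), data, frozenset({services})),
        Vrf("Voice-VRF", frozenset({"10.2.0.0/24"}), voice, frozenset({services})),
        Vrf("Services-VRF", frozenset({"10.3.0.0/24"}), services,
            frozenset({data, voice, resource})),
        Vrf("Resource-VRF", frozenset({"10.4.0.0/24"}), resource, frozenset({services})),
    ]
    return {v.name: v for v in vrfs}


def with_extra_import(vrfs, name, rt):
    """Copy of the design where one VRF additionally imports `rt`, to show how
    a single stray route-target line silently collapses the segmentation."""
    changed = dict(vrfs)
    v = vrfs[name]
    changed[name] = Vrf(v.name, v.prefixes, v.export_rt, v.import_rts | {rt})
    return changed


if __name__ == "__main__":
    design = use_case_4_vrfs()
    for pair in (("Data-VRF", "Services-VRF"), ("Data-VRF", "Voice-VRF")):
        print(pair, "reachable" if can_talk(*pair, design) else "isolated")
    print(ios_vrf_config(design["Services-VRF"]))
    leaky = with_extra_import(design, "Data-VRF", "65000:2")
    print("violations after stray import:",
          isolation_violations(leaky, {"Data-VRF", "Voice-VRF"}))
```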

Page 58

VRF Configuration for CUCM Conf/Xcod Reference

interface GigabitEthernet0/0.801
 encapsulation dot1Q 801
 ip vrf forwarding VRFdata
 ip address 21.22.21.1 255.255.255.0
 ip helper-address 21.20.10.11
!
interface GigabitEthernet0/0.802
 encapsulation dot1Q 802
 ip vrf forwarding VRFvoice
 ip address 21.22.22.1 255.255.255.0
 ip helper-address 21.20.10.11
!
interface GigabitEthernet0/0.803
 encapsulation dot1Q 803
 ip vrf forwarding VRFservice
 ip address 21.10.3.1 255.255.255.0
!
interface GigabitEthernet0/0.804
 encapsulation dot1Q 804
 ip vrf forwarding VRFvoicesig
 ip address 21.10.4.1 255.255.255.0
!
interface GigabitEthernet0/0.805
 encapsulation dot1Q 805
 ip vrf forwarding VRFresource
 ip address 21.10.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding VRFvoicesig
 ip address 21.20.10.1 255.255.255.0
 duplex auto
 speed auto
!
sccp local GigabitEthernet0/1
sccp ccm 21.20.10.11 identifier 2 version 6.0
sccp
!
sccp ccm group 2
 bind interface GigabitEthernet0/0.805
 associate ccm 2 priority 1
 associate profile 103 register CFB00175a378101
!
sccp ccm group 3
 bind interface GigabitEthernet0/0.805
 associate ccm 2 priority 1
 associate profile 101 register MTP00175a378101
 associate profile 105 register softmtp-3825

Page 59

VRF Caveats/Notes

  Single-VRF support for TDM GWs

–  MGCP and SCCP are not supported

  Multi-VRF support for CME and CUCM DSP resources (conf/xcod/MTP) only

–  Other components (SRST, Voice GW, CUBE…) are single-VRF capable only

  VRF configuration per dial-peer is not supported

  Connecting calls between different VRFs requires CME flow-through mode, even for local SCCP-SCCP calls

  No video support for VRF

  FW traversal and VRF traversal are mutually exclusive

–  Not supported at the same time on the same platform

  RSVP (and RSVP-Agent) is not VRF-aware

  GK is not VRF-aware

–  If the GK is co-resident with a VRF-aware Voice GW or CUBE configuration, they cannot communicate with each other

Page 60

VRF-Aware Voice Gateway

  VRF-aware voice components use the global VRF ID when referencing a routing table

  Awareness for a single VRF in voice components

–  H323, SIP and CUBE signaling components can reference the routing table with the VRF ID

–  RTP media is sent using the VRF ID

–  SIP SRST allows phones in the Voice VRF to fall back

  Single global voice VRF configuration

[Diagram: a single router holding VRF PC, VRF ATM and VRF Voice, facing the MPLS network and the PSTN.]

Single router deployment now possible as voice gateway source traffic is VRF aware

Example: Segmentation required to isolate and protect traffic from ATM and PCs from the other devices in the network

Reference

Page 61

VRF Configuration: H.323/SIP GW Reference

ip cef
!
ip vrf red
!
isdn switch-type primary-net5
!
voice vrf red
!
voice service voip
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
 modem passthrough none codec g729r8 pre-ietf
!
controller E1 7/1
 pri-group timeslots 1-31
!
interface Loopback0
 ip vrf forwarding red
 ip address 4.4.4.4 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip id GK1 ipaddr 9.13.32.52 1719
 h323-gateway voip h323-id CE2
 h323-gateway voip tech-prefix 1#
 h323-gateway voip bind srcaddr 4.4.4.4
!
interface Serial7/0:0
 ip vrf forwarding red
 ip address 14.1.1.2 255.255.255.0
!
router ospf 99 vrf red
 log-adjacency-changes
 capability vrf-lite
 network 4.4.4.4 0.0.0.0 area 0
 network 14.1.1.0 0.0.0.255 area 0
!
dial-peer voice 10 pots
 destination-pattern 26682...
 no digit-strip
 direct-inward-dial
 port 7/1:D
!
dial-peer voice 1 voip
 destination-pattern 9.T
 session target ipv4:2.3.3.2
 (session protocol sipv2)

Page 62

Voice VRF Show Commands

router#sh ip route vrf red
Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
O       2.2.2.2/32 [110/101] via 14.1.1.1, 1d00h, Serial7/0:0
O E2    2.3.0.0/16 [110/20] via 14.1.1.1, 1d00h, Serial7/0:0
O       2.3.3.0/24 [110/101] via 14.1.1.1, 1d00h, Serial7/0:0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/70] via 14.1.1.1, 1d00h, Serial7/0:0
     9.0.0.0/24 is subnetted, 1 subnets
O IA    9.13.32.0 [110/70] via 14.1.1.1, 1d00h, Serial7/0:0
     11.0.0.0/24 is subnetted, 1 subnets
C       14.1.1.0 is directly connected, Serial7/0:0

Reference

Page 63

Voice VRF Show Commands

router#sh ip route vrf vrf-srst
Routing Table: vrf-srst
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 11.1.1.1 to network 0.0.0.0

     11.0.0.0/24 is subnetted, 1 subnets
C       11.1.1.0 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 11.1.1.1

router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

Reference

Page 64

UC Application Development

Jaroslav Martan CCIE #5871 e-mail/xmpp: [email protected]

Page 65

Contents

  CUCM API

  CUP API

  Cisco Unified Application Environment

Page 66

CUCM APIs

Page 67

APIs for CUCM

•  Serviceability Interfaces

–  Serviceability XML - PerfMon, Real-time Device/CTI feed, Log Collection, Service Control, Call Detail Records

–  SNMP/MIBs

•  Provisioning Interfaces

–  Administration XML

–  Extension Mobility Service API

•  Device Monitoring & Call Control Interfaces

–  Cisco TAPI & Cisco Wave Driver

–  Cisco JTAPI

–  Cisco WebDialer

Page 68

Administrative XML Interface (AXL)

  Enables remote provisioning of Cisco Unified Communication Manager

•  Users, Devices, Lines, Gateways, Hunt Groups, Trunks…literally everything is an object in the UC Mgr. database.

•  XML, SOAP-based

•  Each object has attributes

•  AXL enables applications to Create, Read, Update, and Delete these objects

Page 69

AXL documentation on the server

  Cisco CallManager AXL SQL Toolkit is available in the Plugin list

  contains complete schema definition: AXLAPI.wsdl, AXLEnums.xsd, axlmessage.xsd, axlsoap.xsd, axl.xsd
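What an AXL read request and its answer look like on the wire, as an added example that is not Cisco's code and not from this deck: the envelope layout, the AXL namespace version (8.0), the SOAPAction format and the /axl/ servlet path are taken from the public AXL WSDL and should be checked against the AXLAPI.wsdl from your own server. The two responses embedded below are constructed samples (the MACs are the two ephones shown earlier in the deck), not captures from a real CUCM.

```python
"""Build and parse AXL SOAP messages for the listPhone operation."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXL_NS = "http://www.cisco.com/AXL/API/8.0"   # assumption: AXL schema version
NS = {"soapenv": SOAP_NS, "axl": AXL_NS}
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ns", AXL_NS)


class AxlFault(Exception):
    """The server answered with a SOAP Fault instead of a result."""


def build_list_phone_request(name_pattern, tags=("name", "description", "devicePoolName")):
    """SOAP envelope for listPhone; '%' is the AXL wildcard in searchCriteria.
    Ask only for the returnedTags you need: every extra tag is extra load on
    the CUCM database that AXL queries on your behalf."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{AXL_NS}}}listPhone")
    crit = ET.SubElement(op, "searchCriteria")
    ET.SubElement(crit, "name").text = name_pattern
    returned = ET.SubElement(op, "returnedTags")
    for tag in tags:
        ET.SubElement(returned, tag)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def axl_headers(user, password, operation):
    """HTTP headers AXL expects: Basic auth for an application user that holds
    the AXL access role, plus the SOAPAction naming the operation."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": f'"CUCM:DB ver=8.0 {operation}"',  # assumption: 8.0 format
            "Authorization": f"Basic {token}"}


def describe_request(envelope):
    """Operation name and search key of an outgoing envelope, for an audit log
    of what the integration asked CUCM (credentials never travel in the body)."""
    body = ET.fromstring(envelope).find("soapenv:Body", NS)
    op = body[0]
    crit = op.find("searchCriteria/name")
    return {"operation": op.tag.split("}")[-1],
            "name": crit.text if crit is not None else None}


def parse_list_phone_response(xml_bytes):
    """Phone records from a listPhoneResponse; raises AxlFault on a SOAP Fault.
    Run untrusted XML through defusedxml in production, not plain ElementTree."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(".//soapenv:Fault", NS)
    if fault is not None:
        raise AxlFault(fault.findtext("faultstring", default="unknown AXL fault"))
    phones = []
    for phone in root.iterfind(".//axl:listPhoneResponse/return/phone", NS):
        record = {"uuid": phone.get("uuid")}
        record.update({child.tag: child.text for child in phone})
        phones.append(record)
    return phones


def send_axl(host, user, password, operation, envelope, cafile):
    """POST the envelope to the AXL servlet over TLS, verifying the CUCM
    certificate against cafile (never disable verification for AXL)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}:8443/axl/", data=envelope,
                                 headers=axl_headers(user, password, operation),
                                 method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


# Constructed sample responses; the MACs are the two ephones from the deck.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><ns:listPhoneResponse xmlns:ns="http://www.cisco.com/AXL/API/8.0"><return>
  <phone uuid="{11111111-2222-3333-4444-555555555555}"><name>SEP000F23FCA595</name>
   <description>lobby phone</description><devicePoolName>Default</devicePoolName></phone>
  <phone uuid="{66666666-7777-8888-9999-000000000000}"><name>SEP001AA24605AC</name>
   <description>finance 232</description><devicePoolName>Default</devicePoolName></phone>
 </return></ns:listPhoneResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>
 <faultstring>Authentication failed</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""
```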

Page 70

What is the Extension Mobility API

  An XML-based HTTP interface that allows applications to remotely invoke the Extension Mobility feature on behalf of a user.

[Diagram: hotel check-in flow – user A checks into the hotel and the app server provisions the room phone through Extension Mobility. Check in: User: Paulo Correia, DN: 253123456, Premier Guest, Language set to Portuguese. Check out: User: Room 901, DN: 90001, Internal & 911 access.]

Page 71

APIs for CUCM

•  Serviceability Interfaces

–  Serviceability XML - PerfMon, Real-time Device/CTI feed, Log Collection, Service Control, Call Detail Records

–  SNMP/MIBs

•  Provisioning Interfaces

–  Administration XML

–  Extension Mobility Service API

•  Device Monitoring & Call Control Interfaces

–  Cisco TAPI & Cisco Wave Driver

–  Cisco JTAPI

–  Cisco WebDialer

Page 72

Cisco TAPI – Telephone Service Provider

  Provides 1st Party Call Control (1PCC)

–  Perfect fit for desktop softphones and server-based IVR applications

  Provides 3rd Party Call Control (3PCC)

–  Perfect fit for server or desktop applications that perform screen pops for incoming calls and click-to-connect from Windows applications

  Provides ability to interact with Media Layer

–  Allows applications to terminate media, play announcements, record calls

–  Cisco TAPI provides a Wave Driver that allows 1PCC applications to easily interact with call audio using standard Windows sound APIs

  Programming in C and C++

  Conforms to Microsoft TAPI 2.1 standard

Page 73

Cisco JTAPI

  Provides 1st Party Call Control

–  Perfect fit for desktop softphones and server-based IVR applications

  Provides 3rd Party Call Control

–  Perfect fit for server or desktop applications that perform screen pops for incoming calls and click-to-connect from Windows applications

  Provides all the hooks necessary to integrate with standard or custom RTP libraries (for example: Java Media Framework), but does not provide a specific audio implementation

  Conforms to Sun JTAPI 1.2 standard

Page 74

What is WebDialer?

  A CUCM service responsible for processing MakeCall requests on behalf of SOAP and HTTP based applications

  Efficiently uses CTI resources

•  Limited to MakeCall. Other functions such as Hold, Transfer, Conference, etc. are not supported (use CTI, TAPI, JTAPI)

•  Classified as a Macro-API because the Developer is abstracted from many of the details compared to standard CTI (TAPI, JTAPI).

Page 75

Architecture

[Diagram: WebDialer architecture – a web browser or a 3rd-party app acting as SOAP service requester reaches the WebDialer and Redirector servlets (Tomcat, WSDL doc) over HTTPS; the servlets consult the UCM DB and use CTI Manager on the subscribers to connect/end the call on the user's phone.]

Page 76

APIs for CUCM

•  Serviceability Interfaces

–  Serviceability XML - PerfMon, Real-time Device/CTI feed, Log Collection, Service Control, Call Detail Records

–  SNMP/MIBs

•  Provisioning Interfaces

–  Administration XML

–  Extension Mobility Service API

•  Device Monitoring & Call Control Interfaces

–  Cisco TAPI & Cisco Wave Driver

–  Cisco JTAPI

–  Cisco WebDialer

Page 77

Serviceability Interfaces

  Log Collection – collects and packages UC Mgr trace files and logs for troubleshooting and analysis

  Call Detail Record on Demand – provides applications with CDR files based on search criteria

  SNMP/MIBs – provides management consoles with SNMP/Trap events specific to Cisco UC Mgr. and Cisco MCS hardware.

  Performance Monitoring - PerfMon is a simple but very usable performance monitoring tool for network elements. Its high-performance polling engine uses very little CPU processing and can handle multiple unreachable elements without locking up.

Page 78

Serviceability SOAP APIs

An extensible SOAP-based XML web service

Cisco Serviceability SOAP includes:

•  Access Perfmon Counters

•  Query Device Information (CTI, CCM & GWs)

•  Log Collection Service

•  CDR on Demand Service

•  Control Center Service

SOAP client can run on different OS

[Diagram: SOAP Client – SOAP – Serviceability Backend]

Page 79

Performance Monitoring (PerfMon)

  Allows clients to perform the following tasks:

– Collect perfmon counter data (session-based and single-transaction)

– Retrieve a list of all perfmon objects and counter names installed on a particular host

– Retrieve a list of the current instances of a perfmon object

– Retrieve textual description of a perfmon counter

https://<server>:8443/perfmonservice/

Page 80

SNMP Architecture

SNMP Manager talks to SNMP/R Master Agent on each node

SNMP Master Agent listens on port 161 and forwards SNMP packets to appropriate agents

[Diagram: SNMP Manager – SNMP packets – SNMP/R Master Agent, which fronts the Ccm Agent, MIB2 Agent, Host Resource Agent, SysAppl Agent, SysLog Agent, CDP Agent and, via the Native Agent Adapter, the platform (HP/IBM/Dell) MIB agents; the SNMP Application uses the SysAppl Agent.]

Page 81

Documentation on Cisco.com

  Products, Communications Manager, Configure, Programming Guides

  you will get:

–  AXL programming guide

–  CDR definitions

–  JTAPI developer guide

–  TAPI developer guide

–  Data Dictionary

–  ...

Page 82

CUP APIs

Page 83

CUP API Developer Use Case: First-time resolution in health care

  Mobile working is key to the successful operation of health care

  Rapid resolution is key in healthcare to drive effective health care and immediacy of service.

  In emergency situations the typical questions asked are:

–  Who’s got the skill to help?

–  What’s their availability / presence?

–  Who is closest to the emergency?

–  How can I contact them?

The solution: Cisco Unified Presence with Communication Manager and WLAN Location Services

[Diagram: CUP answers “Who is available?” and “How can I contact?” over SOAP / REST / SIMPLE; CUMA and the WLAN Location Services (Access Point, Location Engine) answer “Where are they?”.]

Page 84

Cisco Unified Presence

[Diagram: Cisco Unified Presence in the middle; enterprise business applications (MS Exchange / IBM Sametime / Siebel / PeopleSoft) and a SIP network with various SIP / SIMPLE vendor applications attach over SIP / SIMPLE; the Cisco Unified Application Environment (Media Server, Application Server, Applications, Visual Designer) and partner applications attach over SIMPLE / SOAP / REST.]

  CUP provides presence-related information via SOAP and REST to 3rd party development environments

  SIMPLE provides presence and IM related information to 3rd party developers

  Native integration or via Cisco Unified Application Environment (CUAE)

Page 85

Which Interface to Use & When

[Diagram: REST & SOAP are placed towards ease of use, SIP / SIMPLE towards performance / scale.]

REST & SOAP (2,000 users *)

•  Web Centric

•  Scale to 2000 users / 20 buddies

•  Effectively a layer on top of SIP / SIMPLE

SIP / SIMPLE (5,000 users *)

•  More native

•  Greater scale 5000 users / 100 buddies

•  IM ability

•  Partner developed solutions as opposed to web solutions

* Capacity numbers are “indicative” and dependent on application, server type etc.

Page 86

Which Interface to Use & When

Interface / attribute   | SIP / SIMPLE               | REST / SOAP
Ease of use             | Native Protocol            | Web Centric and Web Developer oriented
Presence                | Yes                        | Yes
IM / Presence           | Yes                        | Presence (Yes), IM (No)
Performance / Scale *   | 5,000 users / 100 buddies  | 2,000 users / 20 buddies

* Capacity numbers are “indicative” and dependent on application, server type etc.

Page 87

CUPS Configuration Interface Capabilities

  Client Configuration Interface (SOAP related)

–  Get System Configuration Information

–  Contact (Buddy List) Management

–  Get/Set/Delete Presence Rules

–  Publish/UnPublish long-term presence

–  Get Dialing Rules and Communications History

–  Get, Add, Delete Access Control Lists

–  Get/Set Calendaring

Page 88

Third Party Open API – Additional Interfaces

  Cisco Unified Presence new XMPP interfaces

–  Presence/Instant Message/Roster Interface (Desktop): XMPP

–  Presence/Instant Message/Roster Interface (Browser): XMPP using JabberWerx AJAX API

The JabberWerx AJAX library sends and receives XMPP messages to/from the XCP BOSH interface using standard XSF publications.

BOSH: http://www.xmpp.org/extensions/xep-0124.html

XMPP BOSH: http://www.xmpp.org/extensions/xep-0206.html

BOSH Script: http://www.xmpp.org/extensions/xep-0252.html
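The session bookkeeping a browser-side client such as the JabberWerx AJAX library has to perform against the XCP BOSH interface, per XEP-0124, as an added example that is neither JabberWerx nor Cisco code: it builds the session-creation body, keeps the request-id counter, and applies the checks that let a client reject stray or replayed responses (the sid must be the session's own, the server may only shorten the offered wait, and a terminate body is surfaced with its condition). The domain and the server responses are constructed placeholders.

```python
"""BOSH (XEP-0124) session bookkeeping for an XMPP-over-HTTP client."""
import secrets
import xml.etree.ElementTree as ET

BOSH_NS = "http://jabber.org/protocol/httpbind"   # XEP-0124 namespace
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


class BoshError(Exception):
    """Protocol violation, or a termination reported by the server."""


def parse_body(xml_bytes):
    """Parse one BOSH <body/> wrapper and reject anything else."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{BOSH_NS}}}body":
        raise BoshError(f"not a BOSH body: {root.tag}")
    return root


def request_attrs(xml_bytes):
    """Attributes of a request we built, for logging and checks."""
    return dict(parse_body(xml_bytes).attrib)


class BoshSession:
    def __init__(self, domain, wait=60, hold=1):
        self.domain, self.wait, self.hold = domain, wait, hold
        # XEP-0124 section 7.1: the first rid is a large random number and every
        # later request increments it by one, so the server can order requests
        # and discard duplicates.
        self.rid = secrets.randbelow(2**31)
        self.sid = None
        self.max_requests = hold + 1

    def _body(self, attrs, children=()):
        body = ET.Element(f"{{{BOSH_NS}}}body", {"rid": str(self.rid), **attrs})
        body.extend(children)
        return ET.tostring(body)

    def session_creation_request(self):
        """First request (section 7.1): no sid yet, offers to/wait/hold/ver."""
        if self.sid is not None:
            raise BoshError("session already created")
        return self._body({"to": self.domain, "wait": str(self.wait),
                           "hold": str(self.hold), "ver": "1.6", XML_LANG: "en"})

    def handle_session_creation_response(self, xml_bytes):
        """Adopt the sid and the limits chosen by the server (section 7.2)."""
        body = parse_body(xml_bytes)
        sid = body.get("sid")
        if not sid:
            raise BoshError("session creation response carries no sid")
        server_wait = int(body.get("wait", self.wait))
        if server_wait > self.wait:
            raise BoshError("server may not raise the wait we offered")
        self.sid, self.wait = sid, server_wait
        self.max_requests = int(body.get("requests", self.hold + 1))
        return {"sid": sid, "wait": self.wait, "requests": self.max_requests}

    def next_request(self, children=()):
        """Later request (section 8): same sid, rid incremented by exactly one."""
        if self.sid is None:
            raise BoshError("no session")
        self.rid += 1
        return self._body({"sid": self.sid}, children)

    def handle_response(self, xml_bytes):
        """Return the payload stanzas; reject foreign sids and terminations."""
        body = parse_body(xml_bytes)
        if body.get("sid", self.sid) != self.sid:
            raise BoshError("response for a different session")
        if body.get("type") == "terminate":
            raise BoshError(f"terminated: {body.get('condition', 'unspecified')}")
        return list(body)


# Constructed server responses; no real BOSH endpoint is involved.
SAMPLE_CREATED = (b'<body xmlns="http://jabber.org/protocol/httpbind" sid="SomeSID" '
                  b'wait="30" requests="2" hold="1" ver="1.6"/>')
SAMPLE_TERMINATE = (b'<body xmlns="http://jabber.org/protocol/httpbind" sid="SomeSID" '
                    b'type="terminate" condition="remote-connection-failed"/>')

if __name__ == "__main__":
    session = BoshSession("cup.example.invalid")          # placeholder domain
    print(session.session_creation_request().decode())
    print(session.handle_session_creation_response(SAMPLE_CREATED))
    print(session.next_request().decode())
```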

Page 89

Third Party Open API – Developer Support

  Cisco Unified Presence Developer Guide

–  Client Configuration Web Service

–  Presence Web Service

  Third Party Reference Application

–  Source Code, Build Script

–  Provided Eclipse Project

  Cisco Unified Presence Developer Cookbook

All of these are accessible through Developer Services

http://developer.cisco.com/web/cup

Page 90

Messaging APIs

Page 91

Web Service

  Standard SOAP, XML over HTTP/HTTPS

  Authentication required (authorization too)

  Implemented using Apache AXIS (Tomcat/Java)

  Installed and running by default

Page 92

Documentation and Support

  Unified Communications Forum – Support is available on the Cisco Unified Communications Forum at http://forums.cisco.com.

  Database Help File – Comprehensive information about the database – structure, stored procedures, errors, etc. currently exists. This is installed in the Unity TechTools folder: TechTools\Docs\UnityDirDb.chm. It includes a chapter on the web service API.

Page 93

Documentation and Support (continued)

  CUDLE (on box): the "Data Link Explorer" allows viewing data and executing queries, and includes descriptions of database objects (tables and columns). http://www.ciscounitytools.com/App_CUDLE.htm

  Apache Axis web site (http://ws.apache.org/axis/): the Apache Axis web site has good general information on their web service implementation and tools (such as WSDL2Java).

Page 94

Cisco Unified Application Environment

Page 95

Cisco Unified Application Environment: Customer Challenges

  Reliability
    –  Applications run directly against the Cisco Unified Communications Manager
    –  Significant threat to reliability and performance of dial tone

  Lifecycle Management
    –  Manageability an afterthought
    –  Lack of lifecycle management tools
    –  No standard way for development, QA, and operations to handle deployment, configuration, capacity, performance management

  Complexity
    –  Telephony protocols, media processing, a plethora of UC products/versions/APIs and other unique requirements
    –  Building everything from scratch
    –  No experience, steep learning curve

Page 96

CUAE Versus Native APIs

  Native APIs offer the complete power of the native technology, but leave it up to the developer to determine the deployment model.

  CUAE offers an abstracted interface to the native APIs and also includes a deployment and configuration model.

  Native APIs are best for full featured standalone applications that focus on a single technology.

  CUAE is best for applications that combine multiple technologies or in situations where the learning curve for a specific technology is too steep to justify the requirements of the application.

Page 97

Cisco Unified Application Environment: The Solution

  What does it offer?
    –  A platform to develop, deploy and manage enterprise applications that integrate with the Unified Communications suite of products and services.
    –  Simplifies application development by abstracting the complexities involved in communicating with various UC services, by way of the SDK and Application Designer.

  What are the components?
    –  Cisco Unified Application Server
    –  Cisco Unified Media Engine
    –  Cisco Unified Application Designer
    –  Etch Framework

Page 98

High Level Architecture

  (architecture diagram; only the text labels survived extraction)
  Developer: Any IDE, Application Designer, via the CUAE APIs, into the Unified Communications Application Environment
  Protocols towards Cisco UC products: SQL, SIP, H.323, SCCP, JTAPI, AXL/SOAP, IMAP, LDAP, IP Phone Service, RTP, ANY
  Cisco UC targets: IP Phone, CUCM, Presence, Unity/Cxn, Active Directory, Database, Web Service
  Other Technologies: SOAP, ANY

Page 99

Component Architecture

  Cisco Unified Media Engine
    •  Software implementation of DSP
    •  Originates and terminates audio streams for apps
    •  Tightly integrates with App. server

  Cisco Unified Application Designer
    •  C# client
    •  Visually construct communication business logic
    •  Abstracts complex telephony protocols into simplified API calls
    •  1-click deployment

  Management
    •  Manages applications, plug-ins, telephony servers
    •  User Management
    •  Diagnostics

  Cisco Unified Application Server
    •  C#, Java server
    •  Core of the platform where apps are stored and executed
    •  VM manages application execution
    •  Facilitates communication with external systems via "Providers"
    •  Scripts are assembled from XML into in-memory compiled code ready to execute

Page 100

Major Themes in Etch Release 2.5+

  Language Independence
    •  Applications and plug-ins run anywhere
    •  Any language or IDE you want
    •  Now: Java or C#. Next: Javascript etc.

  Management Architecture
    •  New Java web app, redesigned UI
    •  No more PHP, simplified SDK experience
    •  Solid foundation for future enhancements

  Expanded Cisco UC Plug-in Support
    •  New APIs for other Cisco UC products
    •  Continuous process, modular releases
    •  Now: Messaging. Next: Collaboration

All of this while making no core application server architecture changes and still providing 100% API compatibility.

Page 101

CUAE 8.0 Architecture

  (architecture diagram; only the text labels survived extraction)
  Clients: Browser-based UC Application (Cisco or 3rd Party) over Web 2.0; UC Enabled Service or Desktop Application (Cisco or 3rd Party) over Etch (Java, C#)
  CUAE 8.0: Web Service Gateway, Etch Router
  CUAE Service Providers (plug-ins): Messaging, Call Control, Presence; 3rd Party UC Service Provider (Service Specific, Java, C#)
  Cisco UC back ends: CUCM, CDS, CUP/Jabber, CHS, MP, Unity/Unity Cnx

Page 102

Etch

Page 103

What is Etch?

  Network Service Description Language, Compiler & Runtime

  Service Description specifies abstracted service definition

  Compiler generates language binding

  Runtime responsible for sending the message across the wire.

  Etch was developed by Cisco

  Etch is open source

  Etch is part of the Apache Foundation: http://cwiki.apache.org/ETCH/

Page 104

Why Etch?

  Language independence

  Transport independence

  Small and quick – high performance

  Alternatives (e.g. SOAP/REST) are too verbose and not suited for real-time communication

  Symmetric

Page 105

Etch Language

  •  Messages
       int add( int x, int y )

  •  Native types
       boolean, byte, short, int, long, float, double, string, object, List, Map, Set

  •  Structured data types
       struct Point( double x, double y, double z )

  •  External data types
       @Extern( java, "com.company.User", … )
       extern User

  •  Constants
       const int ZERO = 0

  •  Enumerations
       enum PrimaryColor ( RED, GREEN, BLUE )

  •  Exceptions
       exception LoginFailed( int code, string msg )

  •  Attributes
       –  @Direction( which ) – server, client, both
       –  @Oneway
       –  @Timeout( millis )
       –  @AsyncReceiver( which ) – none, queued, free
       –  @Authorize( method, args … )

  •  Formal Comments
       /**
        * Adds two numbers together.
        * @param x the first number.
        * @param y the second number.
        * @return the sum of the arguments.
        */
       int add( int x, int y )

  •  Mixins
       service Foo {
         mixin Bar
         mixin Baz
       }

Page 106

Etch Language Example (plug-in)

module com.acme

service GeoFun {

const double DEFAULT_HOW_FAR = 10 // miles

const int DEFAULT_NUM_LANDMARKS = 20

struct Point( double latitude, double longitude )

struct Landmark( Point where, string description )

void addLandmark( Landmark landmark )

void removeLandmark( Landmark landmark )

Landmark[] searchLandmarks( Point where, double how_far, int count )

}
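The attributes listed on the Etch Language slide applied to the GeoFun service definition above, as an added example that is not from the slides or from the Etch project. It assumes the attribute semantics the slide lists: @Direction( Server ) marks a message the client may only send, and @Authorize( method, args … ) names a service method the runtime evaluates before dispatching the annotated message, rejecting it when the check returns false. The login and isAuthorized messages, the NotAuthorized exception, the literal argument passed to @Authorize and the throws clauses are this example's own additions, not part of the original GeoFun definition.

```etch
module com.acme

// Added example: GeoFun with direction, authorization, timeout and
// exception attributes. isAuthorized / login / NotAuthorized are
// hypothetical additions; the slides' GeoFun has none of them.
service GeoFun {

  const double DEFAULT_HOW_FAR = 10 // miles

  const int DEFAULT_NUM_LANDMARKS = 20

  struct Point( double latitude, double longitude )

  struct Landmark( Point where, string description )

  exception LoginFailed( int code, string msg )

  exception NotAuthorized( string operation )

  // Client -> server only: the server never receives a login
  // message it did not define, and the client cannot be asked to log in.
  @Direction( Server )
  void login( string user, string password ) throws LoginFailed

  // Hypothetical server-side check consulted by @Authorize below.
  // It decides per operation, so read and write rights can differ.
  @Direction( Server )
  boolean isAuthorized( string operation )

  // Mutating messages are gated: the runtime calls
  // isAuthorized( "addLandmark" ) before the handler runs.
  @Direction( Server )
  @Authorize( isAuthorized, "addLandmark" )
  void addLandmark( Landmark landmark ) throws NotAuthorized

  @Direction( Server )
  @Authorize( isAuthorized, "removeLandmark" )
  void removeLandmark( Landmark landmark ) throws NotAuthorized

  // Read-only query: still server-direction, with a bounded wait so a
  // slow back end cannot hold client resources indefinitely.
  @Direction( Server )
  @Timeout( 5000 )
  Landmark[] searchLandmarks( Point where, double how_far, int count )
}
```

The point of placing the check in the service description rather than inside each handler is that a client which skips login is refused at the Etch runtime, before any application code runs, and the refusal is uniform across every gated message; the search message is left ungated here only to show the contrast, and a real deployment would decide per message whether reads also need the check.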

Page 107

Etch Roadmap

  Javascript, Python, Ruby & other language support

  More transports and transport modes

  Web Services Gateway

  Better Integration with IDEs, Maven

Page 108

Cisco Unified Application Designer

Page 109

Developer Resources

  Application Designer or other Java and C# based IDEs (Eclipse, Visual Studio, Netbeans).

  Developer Portal: http://developer.cisco.com/web/cuae/home

  Forums, Wiki, Blogs, Videos, Sample Code, Developer alias ([email protected])

  Advanced Services training course

  Myriad Java and C# developer courses/resources

Page 110