Single-Node CUCM Single-Node IMP 10.201.203.76 10.201.203.75 10.201.203.67 10.201.203.72

#CLUS CCIE Collaboration Techtorial

Ben Ng, Exam PM, L@C, Cisco CX Ishan Sambhi, CSE, Cisco CX

TECCCIE-3503

#CLUS Agenda

• Session 1: CCIE® Program Overview

• Session 2: CCIE Collaboration Overview

• Session 3: CCIE Collaboration Modular Lab Exams

• Session 4: Lab Exam Diagnostic Module with Case Studies

• Session 5: Lab Exam Troubleshooting Module with Case Studies

• Session 6: Lab Exam Configuration Module with Case Studies

• Session 7: Exam Preparation Tips, In-Lab Strategies, and Q&A

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot#TECCCIE-3503 by the speaker until June 16, 2019.

CCIE Track Major Skills R&S Configure and troubleshoot complex converged networks Security Configure complex, end-to-end secure networks, troubleshoot environments, and anticipate and respond to network attacks Service Provider Configure and troubleshoot advanced technologies to support service provider networks

Collaboration Design, implement, integrate, and troubleshoot complex collaboration networks Wireless Plan, design, implement, operate, and troubleshoot wireless network and mobility infrastructure Data Center Configure and troubleshoot Cisco Data Center technologies including DC infrastructure, compute and virtualization.

Routing/Switching Written LAB Security Written LAB Service Provider Written LAB Collaboration Written LAB Wireless Written LAB Data Center Written LAB

• Two-hour exam with 90 to 110 multiple-choice questions

• Closed book; no outside reference materials allowed

• Pass/fail results are available immediately following the exam

• Waiting period of fifteen calendar days to retake the exam

• Candidates who pass a CCIE written exam must wait a minimum of six months before taking the same number exam

• From passing written “Must” take first lab exam attempt within 18 months

• Eight-hour exam requires working configurations and troubleshooting to demonstrate expertise

• Cisco documentation available via Cisco Web; no personal materials allowed

• Scores can be viewed normally online within 48 hours and failing score reports indicate areas where additional study may be useful

• CCIE Collaboration recognizes technical experts with the highest level of knowledge and hands-on experience with Cisco Collaboration solutions.

• CCIE Collaboration assesses candidates on their ability to design, implement, integrate, and troubleshoot complex collaboration networks where voice, video, presence, and mobility work together to enable highly engaging communication anytime, on any device.

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 CCIE Collab v2.0 New Unified Exam Topics (Written + Lab) • Improved Customer Relevancy in UC/Collab Technologies • New Unified Exam Topics (Written + Lab) • New key topics added: • Collaboration APIs • Cisco Expressway dial plan • Mobile and Remote Access • Single-Sign-On • Ad-hoc and rendezvous conferencing on Cisco Meeting Server • Increased Coverage on Collaboration programmability, cloud and hybrid services, conference and meeting, edge servers • Removed legacy topics such as T1-CAS, E1-R2, H.323 RAS, SAF and CCD • Modular Lab Exams • Diagnostics, Troubleshooting, and Configuration modules

CCIE Collaboration v1.0 Written and Lab CCIE Collaboration v2.0 Unified Exam Topics Exam Topics: (Written + Exams):

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 CCIE Collaboration v2.0 Lab Sample Topology Headquarters Cisco Meeting Server DMZ External Expressway-E IM and DNS Presence Expressway-C Internet Unity Connection Unified Communications Manager vCUBE UCCX PSTN Internal DNS

IP Branch Branch Office B Office C

Candidate Exam Desk Candidate Exam Rack

HTTPS SSH RDP Candidate PC Telnet SFTP TFTP RDP …

UnifiedFX Phoneview Lab Edition Remote Control

Written Exam Lab/Practical Exam pass pass CCIE TS DIAG CFG 120min 120min 60min 300 min

1. Troubleshooting 2. Diagnostic 3. Configuration

A B Problem Solution

TS A B Problem Solution

TS DIAG A B Problem Solution

Y Z Design Implementation Requirement Decision

Y CFGZ Design Implementation Requirement Decision

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 CCIE Collaboration v2.0 Modular Lab Exam Skill Assessment Overview TS DIAG CFG • Resolve networking • Perceive problem areas • Abstract functional element of problems • Analyze symptoms of complex Collaboration • Use IOS and other networking issues, identify and network environment troubleshooting tools describe root cause • Understand how solution • Apply troubleshooting • Correlate information from components interoperate methodologies multiple sources • Implement Collaboration • Troubleshoot Collaboration • Discern appropriate solution technologies (any topic on the technologies (any topic on • Apply troubleshooting blueprint) the blueprint) Methodologies • Design appropriate solutions • Implement and verify • Troubleshoot Collaboration to Collaboration network working solution to resolve technologies (any topic on the challenges within constraints networking issues blueprint) and verify functionality

• TS is maximum 150min

• DIAG is fixed to 60min

• CFG is 8h minus (TS + DIAG) == minimum 270min

• 2 required conditions to PASS: • #1: MUST meet or exceed each module’s minScore • #2: MUST meet or exceed the Lab’s TOTAL cutScore

TS 20 10 14 TS 15 PASS

DIAG 10 4 6 DIAG 2 FAIL

CFG 70 35 50 CFG 55 PASS

100 70 LAB 72 FAIL

• #1: DIDN’t meet or exceed each module’s minScore • #2: met or exceeded the Lab’s TOTAL cutScore

• Strong in both TS and CFG but very weak in DIAG.

This example is for illustration only! Actual values vary per exam questionnaire!

TS 20 10 14 TS 12 PASS

DIAG 10 4 6 DIAG 5 PASS

CFG 70 35 50 CFG 40 PASS

100 70 LAB 57 FAIL

• #1: met or exceeded each module’s minScore • #2: DIDN’T meet or exceed the Lab’s TOTAL cutScore

• Passed all modules minScore, but total < cutScore!

This example is for illustration only! Actual values vary per exam questionnaire!

TS 20 10 14 TS 10 PASS

DIAG 10 4 6 DIAG 8 PASS

CFG 70 35 50 CFG 52 PASS

100 70 LAB 70 PASS

• #1: met or exceeded each module’s minScore • #2: met or exceeded the Lab’s TOTAL cutScore • Compensated a weakness in TS with strength in CFG!

• TS( minScore < score < cut score )

This example is for illustration only! Actual values vary per exam questionnaire!

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 Session 4: Lab Exam Diagnostic Module with Case Studies CCIE Collaboration v2.0 Modular Lab Exam Skill Assessment TS DIAG CFG • Resolve networking • Perceive problem areas • Abstract functional element of problems • Analyze symptoms of complex Collaboration • Use IOS and other networking issues, identify and network environment troubleshooting tools describe root cause • Understand how solution • Apply troubleshooting • Correlate information from components interoperate methodologies multiple sources • Implement Collaboration • Troubleshoot Collaboration • Discern appropriate solution technologies (any topic on the technologies (any topic on • Apply troubleshooting blueprint) the blueprint) Methodologies • Design appropriate solutions • Implement and verify • Troubleshoot Collaboration to Collaboration network working solution to resolve technologies (any topic on the challenges within constraints networking issues blueprint) and verify functionality

• A DIAG question consists of: • Question Body • Multiple document sources to assist candidates in making the correct diagnosis: • Email Threads • Topology Diagram • Device configuration files (IOS or device screenshots) • Debug or traces files • MCSA or MCMA options

• Play the role of a support engineer and understand the situation, analyze the documentation, correlate information and discern between relevant vs non-relevant data point, make a choice between the options.

• Read the entire question and options before diving into the additional resources (email thread, topology diagram, logs, …)

• Select as many options as requested.

• No partial scoring on item level.

• Answers can be changed until timer is expired, final answers are auto-submitted.

• Game plan: 1. Understand the problem • Use Question body and customer email threads 2. Analyze the documentation • Process email, topology and debug/trace files 3. Correlate and Discern between relevant and non-relevant data point • Review and summarize provided facts • Apply technical knowledge to: • Identify key events in all documentation • Email - problem in customer’s own words – some useful, some not. • Traces and/or debugs – correlation protocol facts with problem description • Arrive at diagnostic snapshot 4. Choose the next step • Eliminate wrong or irrelevant options

• DIAG Question 1:

• John K, a Cisco Collaboration engineer at Customer.com, emailed to inform you that an user of a Cisco 8845 phone has been complaining about intermittent failures when he uses the numeric keypad to dial to voicemail pilot number to check messages. The user hears fast busy tones on failed calls. • Attached in the email is a snippet of CUCM SDI trace file which, according to John, was captured when the problem occurred. • Review the topology diagram, customer’s email and, the SDI trace file snippet and select the next step to troubleshoot this problem.

• DIAG Question 1 Supplementary Document I: Topology

IP 8845 Phone Cisco Unified Communications Manager Cisco Unity Connection Cluster

DN: 2003 Publisher (Secondary Call Processing Node)

IP address: VM Pilot number: 2220 10.1.1.1 IP address: SEPF8B7E29503F0 IP address: Subscriber 1 (Primary Call Processing Node) 10.1.1.5 10.10.1.32 IP address: 10.1.1.2

• DIAG Question 1 Supplementary Document II: EMAIL From Customer

• DIAG Question 1 Supplementary Document III: UCM Trace Snippet 1

• DIAG Question 1 Supplementary Document III: UCM Trace Snippet 2

• DIAG Question 1: Answer Options • Choose one answer.  The snippet captured the call from customer’s description, but we need additional SDI traces to inspect potential Digit Analysis exceptions  The call in the snippet is not captured from the correct CUCM node, request SDI trace from all other nodes at the same time  The snippet captured the call from customer’s description, request traces from the Cisco Unity Connection to make sure the call arrived  The snippet did not capture the call from customer’s description, need to request another round of traces with the correct dialing method  The snippet showed the phone dialed correctly, inform customer to raise a case with the networking infrastructure team to see if packet drops exists on the network  The call in the snippet is an SIP Early offer, check to see if it is supported on CUC  The snippet showed the device is defective, raise an RMA to replace the phone

• Game plan: Step 1: Understand the problem: • From Question body:

• From Customer email:

• Problem Summary: • Intermittent call failure from an 8845 IP phone to voicemail pilot when dialing via keypad

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study I: Debrief • Game plan: Step 2: Analyze the documentation: Customer email

Useful information: • Voicemail pilot: 2220 • User dials from phone keypad • Fast busy tone sometimes

Less useful information, but okay to know: • New 8845 IP phone

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study I: Debrief • Game plan: Step 2: Analyze the documentation: Topology

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study I: Debrief • Game plan: Step 2: Analyze the documentation: UCM Trace Snippet 1

The Most Valuable Information (MVI): • SIP INVITE from phone to UCM

Less useful information, but okay to know: • SDP in SIP INVITE

• Game plan: Step 3: Correlate and Discern: • Review and summarize provided facts: • Question and customer email says voicemail pilot number was dialed via keypad entry • Provided UCM trace showed all digits came in a single SIP INVITE • Apply technical knowledges: • Background technical knowledge candidates should know about the given Collab setup: • SIP protocol between 8845 and UCM • Two ways to call VM from the phone: voicemail button vs individual numeric keypad entry • Individual dialed digits are collected via SIP SUBSCRIBE and multiple NOTIFY messages

• Arrive at diagnostic snapshot • The trace provided by the customer showed a call from an 8845 phone to the voicemail pilot number, but: • It was dialed by pressing the voicemail button instead of entering individual numeric keypad • The next step to troubleshoot this problem is:

• Game plan: Step 4: Choose the Next Step: • Choose one answer. The snippet captured the call from customer’s description, but we need additional SDI traces to inspect potential Digit Analysis exceptions The call in the snippet is not captured from the correct CUCM node, request SDI trace from all other nodes at the same time The snippet captured the call from customer’s description, request traces from the Cisco Unity Connection to make sure the call arrived The snippet did not capture the call from customer’s description, need to request another round of traces with the correct dialing method The snippet showed the phone dialed correctly, inform customer to raise a case with the networking infrastructure team to see if packet drops exists on the network The call in the snippet is an Sip Early offer, check to see if it is supported on CUC The snippet showed the device is defective, raise an RMA to replace the phone

• DIAG Question 2:

• John K, a Cisco Collaboration engineer at Customer.com, emailed to inform you that he could not register a new IP phone 8845 phone to a CUCME router which already has a IP phone 8865 registered. • Attached in the email thread in which John provided the CUCME router’s configuration as well as a screenshot captured on the phone which failed to register • Select the next step to get the new phone to register

• DIAG Question 2 Supplementary Document: EMAIL #1 From Customer with router configuration

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study (Cont’d) • DIAG Question 2 Supplementary Document II: CUCME router configuration: Kool-CUCME#sh run voice-card 0 voice register pool 4 Building configuration... ! busy-trigger-per-button 2 version 15.7 voice service voip id mac F8B7.E295.081A service timestamps debug datetime msec allow-connections sip to sip session-transport tcp service timestamps log datetime msec sip type 8845 no service password-encryption registrar server number 1 dn 4 ! ! ! hostname Kool-CUCME voice register global license udi pid CISCO2951/K9 sn ! mode cme FTX1740ALJA boot-start-marker source-address 10.20.1.254 port 5060 ! boot system flash flash:c2951-universalk9- max-dn 24 interface GigabitEthernet1/0 mz.SPA.157-3.M.bin max-pool 6 description MGMT-To-SW boot-end-marker create profile sync 5395493377521517 ip address 10.1.1.1 255.255.255.0 ! camera ! enable password secret video interface GigabitEthernet1/1 ! auto-register description Internal switch interface no aaa new-model ! connected to Service Module ! voice register dn 3 switchport mode trunk ip dhcp excluded-address 10.20.1.1 10.20.1.100 number 1003 no ip address ! ! ! ip dhcp pool phones voice register dn 4 interface Vlan20 network 10.20.1.0 255.255.255.0 number 1004 description Voice option 150 ip 10.20.1.254 ! ip address 10.20.1.254 255.255.255.0 default-router 10.20.1.254 voice register pool 3 ! lease infinite busy-trigger-per-button 2 interface Vlan22 ! id mac 94D4.690C.E1EE description data no ip domain lookup session-transport tcp ip address 10.22.1.254 255.255.255.0 type 8865 number 1 dn 3

• DIAG Question 2 Supplementary Document II: CUCME router “show voice register global”

Kool-CUCME# sh voice register global Max redirect number is 5 Total SIP phones registered: 1 CONFIG [Version=12.0] IP QoS DSCP: Total Registration Statistics ======ef (the MS 6 bits, 46, in ToS, 0xB8) for media Registration requests : 88 Version 12.0 cs3 (the MS 6 bits, 24, in ToS, 0x60) for signal Registration success : 36 Mode is cme af41 (the MS 6 bits, 34, in ToS, 0x88) for video Registration failed : 6 Auto-registration is enabled default (the MS 6 bits, 0, in ToS, 0x0) for service unRegister requests : 34 Max-pool is 6 Telnet Level: 0 unRegister success : 34 Max-dn is 24 Tftp path is system: /cme/sipphone unRegister failed : 0 Outbound-proxy is enabled and will use global Generate text file is disabled Auto-Register requests : 0 configured value Tftp files are created, current syncinfo 5395493377521517 Attempts to register Security Policy: DEVICE-DEFAULT OS79XX.TXT is not created after last unregister : 20 Forced Authorization Code Refer is enabled timeout interdigit 10 Last register request time : Source-address is 10.20.1.254 port 5060 timeout transfer recall 0 *10:47:37.031 UTC Wed April 4 2018 Time-format is 12 network-locale[0] US (This is the default network locale for Last unregister request time : Date-format is M/D/Y this box) *10:02:09.831 UTC Wed April 4 2018 Time-zone is 5 network-locale[1] US Register success time : *09:57:09.832 Hold-alert is disabled network-locale[2] US UTC Wed April 4 2018 Mwi stutter is disabled network-locale[3] US Unregister success time : Mwi registration for full E.164 is disabled network-locale[4] US *10:02:09.831 UTC Wed April 4 2018 Forwarding local is enabled user-locale[0] US (This is the default user locale for this box) Video is enabled user-locale[1] US Camera is enabled user-locale[2] US Kool-CUCME# Privacy is enabled user-locale[3] US Privacy-on-hold is disabled user-locale[4] US Conference hardware is disabled MWI unsolicited notify is disabled Dst auto adjust is enabled Active registrations : 1 start at Apr week 1 day Sun time 02:00 stop at Oct week 8 day Sun time 02:00

• DIAG Question 2 Supplementary Document: EMAIL #2 From Support to Customer

• DIAG Question 2 Supplementary Document: EMAIL #3 From Customer to Support

• DIAG Question 2 Supplementary Document: EMAIL #3 Attachment From Customer to Support

• DIAG Question 2: Answer Options • Choose two correct answers.  Add “ip helper-address” to L3 interfaces on the Kool-CUCME router  Perform password recovery on ESW and then correct the voice vlan value on the port connected to the new 8845 phone  Delete configuration on the Kool-CUCME router for the 8865 phone so that the new 8845 can register  “id mac” was mistyped for the new 8845 phone, fix the typo on the Kool-CUCME router  Manually force voice vlan on the 8845 phone by entering 20 under “Admin VLAN ID”  Under “voice service voip” and “sip’, bind SIP control traffic to the vlan 20 interface  Add another DHCP scope for vlan 22 subnet on the Kool-CUCME router  Need to disable “auto-register” under “voice register global”

• Game plan: Step 1: Understand the problem: • From Question body:

• From Customer email:

• Problem Summary: • Can’t register a new SIP phone (8845) to a CUCME router which is currently servicing an existing, operational SIP phone.

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II: Debrief • Game plan: Step 2: Analyze the documentation: Customer email

Useful information: • New Install • New phone added by copying and modifying config • Phone stuck at Detecting network • 8845 SIP phone’s MAC

Less useful information: • Urgency and priority

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II: Debrief • Game plan: Step 2: Analyze the documentation: CUCME Config

Useful Info: • Router DHCP • Exclude address • Note DHCP IP and subnet info • Check SIP registrar service • SIP lineside global and phone config • L3 IP network info

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II: Debrief • Game plan: Step 2: Analyze the documentation: show voice register global

Useful information: • Confirms existing registration

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II: Debrief • Game plan: Step 2: Analyze the documentation: 2nd email from customer

Useful Info: • ESW module Very Important Info: • No enable access to ESW

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II (Cont’d) • Game plan: Step 2: Analyze the documentation: Phone Screenshot

• DIAG Question 2 Supplementary Document: EMAIL #3 Attachment From Customer to Support

The Most Valuable Information (MVI): • Operational VLAN ID: 22 • This translates to “switchport voice vlan 22” for the interface connected to this phone

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II (Cont’d) • Game plan: Step 2: Analyze the documentation: Router DHCP lease

• DIAG Question 2 Supplementary Document: EMAIL #3 Attachment From Customer to Support

Useful information:

• The entry is for the existing phone • New phone did not receive DHCP lease

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study II: Debrief • Game plan: Step 3: Correlate and Discern: • Review and summarize known facts: • CUCME SIP phone related configuration appears to be correct • Phone screenshot showed wrong operational VLAN: 22 instead of 20 • No DHCP scope configured on the router for data vlan 22 • Lack of DHCP lease adds evidence to Layer 2 configuration issue • Apply technical knowledges: • Background technical knowledge/facts candidates should know about the given setup: • Understanding of SIP endpoint (lineside) configuration for phones • Operational VLAN on phone is “switchport voice vlan x” on the switchport connected • L3 and upper OSI layers will not work until L2 works

• Arrive at diagnostic snapshot • Need to fix L2 first, but wait………. No enable access to ESW. What’s next?

• Game plan: Step 4: Choose correct options to get the phone registered: • Choose two answers. Add “ip helper-address” to L3 interfaces on the Kool-CUCME router Perform password recovery on ESW and then correct the voice vlan value on the port connected to the new 8845 phone Delete configuration on the Kool-CUCME router for the 8865 phone so that the new 8845 can register “id mac” was mistyped for the new 8845 phone, fix the typo on the Kool-CUCME router Manually force voice vlan on the 8845 phone by entering 20 under “Admin VLAN ID” Under “voice service voip” and “sip’, bind SIP control traffic to the vlan 20 interface Add another DHCP scope for vlan 22 subnet on the Kool-CUCME router Need to disable “auto-register” under “voice register global”

• DIAG Question 3: • John K, a Cisco Collaboration engineer at customer.com, emailed to inform you that an user imported from LDAP on the UCM is able to login to Jabber over MRA however phone services don’t register.

• Attached in the email is a snippet of Expressway-Core / Expressway- Edge and Jabber Logs which according to John were captured when the problem occurred.

• Review the topology diagram, customer’s email and, the logs and select the next step to troubleshoot this problem.

• DIAG Question 3: Supplementary Document I: Topology

Jabber Client External DNS Expressway-Edge Expressway Core Internal DNS CUCM Home UDS IM＆P Server

Expressway-Edge Expressway-Core Single-Node CUCM Single-Node IMP 10.201.203.76 10.201.203.75 10.201.203.67 10.201.203.72

• DIAG Question 3 Supplementary Document II: EMAIL From Customer

• DIAG Question 3 Supplementary Document II: Jabber Logs

• DIAG Question 3 Supplementary Document III: Expressway-E Logs

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study III (Cont’d) • DIAG Question 3 Supplementary Document III: Expressway-C Logs

• DIAG Question 3: Answer options • Choose one answer.

 The issue cannot be identified as the CUCM Logs are missing

 The REGISTER message is hitting the CUCM on the wrong port

 The snippet did not capture the REGISTER attempt from customer’s description, need to request another round of traces with the correct traces

 The Jabber device is not configured as a CSF device on the CUCM

 Check to see if there is a SIP trunk on the CUCM pointing to Expressway-C which is listening on port 5060

• Game plan: Step 1: Understand the problem: • From Question body:

• From Customer email:

• Problem Summary: • Jabber client can login over MRA but phone services does not work

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study III: Debrief • Game plan: Step 2: Analyze the documentation: Jabber logs

Useful information:

• Jabber client sent SIP REGISTER

• Jabber clients received “405 Method Not Allowed” from Expressway-E

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study III: Debrief • Game plan: Step 2: Analyze the documentation: Expressway-E Logs

Useful information:

• Expressway-E sent SIP REGISTER to Expressway-C

• Expressway-E received “405 Method Not Allowed” from Expressway-C

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study III: Debrief • Game plan: Step 2: Analyze the documentation: Expressway-C Logs

Useful Information

• Expressway-C sent SIP REGISTER to UCM

• Expressway-C received “405 Method Not Allowed” from UCM with…..

Most Valuable Information (MVI):

• Warning: “SIP trunk disallows REGISTER” from UCM

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study III: Debrief • Game plan: Step 3: Correlate and Discern: • Review and summarize known facts: • Jabber client can login over MRA but phone services fails • Jabber client received SIP 405 Method not Allowed from Expressway-E • Expressway-E received the same 405 Client Failure from Expressway-C • Expressway-C received SIP 405 Method not Allowed from UCM with Warning of “SIP trunk disallows REGISTER” • Phone services works fine if Jabber client is on internal network • Apply technical knowledges: • Background technical knowledge/facts candidates should know about the given setup: • The REGISTER message is hitting the UCM on port 5060 and there is a trunk configured on the UCM towards the Expressway-Core listening for incoming traffic from the Expressway Core on port 5060 . The REGISTER is thus hitting the Trunk instead of the UCM and the Trunk is not allowing registration. Customer needs to change the listening port on the trunk to a port other than 5060 / 5061

• Arrive at diagnostic snapshot • Need to check UCM SIP trunk configuration and listening port

• DIAG Question 3: Answer options • Choose one answer.  The issue cannot be identified as the CUCM Logs are missing

 The Expressway-C is sending the REGISTER message to the CUCM on the wrong port

 The snippet did not capture the REGISTER attempt from customer’s description, need to request another round of traces with the correct traces

 The Jabber device is not configured as a CSF device on the CUCM

 Check to see if there is a SIP trunk on the UCM pointing to Expressway-C which is listening on port 5060

• DIAG Question 4: • John K, a Cisco Collaboration engineer at customer.com, emailed to inform that Users are not able to initiate Adhoc conference calls using the CMS server.

• Attached in the email is a snippet of UCM logs , CMS logs and screenshots of the UCM.

• Review the topology diagram, customer’s email and, the logs and select the next step to troubleshoot this problem.

• DIAG Question 4: Supplementary Document I: Topology

User1(1002)

Jabber Client

CMS Server CUCM Jabber Client User2(1003) Single node CMS Single-Node Jabber Client cms.ciscolive.com CUCM IP : 192.168.122.17 cucm.ciscolive.com User3(1004) Webadmin FQDN : IP: 192.168.122.15 webadmin.cmslab.com Webadmin Port : 445 CallBridge FQDN : callbridge.cmslab.com

• DIAG Question 4 Supplementary Document II: EMAIL From Customer

• DIAG Question 4 Supplementary Document II: CMS Logs

• DIAG Question 4 Supplementary Document II: UCM SDI Traces

• DIAG Question 4: Answer options • Choose one answer.  Issue cannot be identified as the UCM Tomcat Logs are missing

 Issue cannot be identified without additional logs from the CMS

 The snippet did not capture the registration attempt from customer’s description, need to request another round of traces

 The UCM is trying to connect to port 443 on the CMS which is not the webadmin port

 Issue appears to be a network issue between the UCM and the CMS server

 Issue cannot be identified without packet captures on the UCM and the CMS

• Game plan: Step 1: Understand the problem: • From Question body:

• From Customer email:

• Problem Summary: • CMS failed to register to UCM as an adhoc conferencing resource and user cannot initiate adhoc conference

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study IV: Debrief • Game plan: Step 2: Analyze the documentation: UCM SDI Trace

Useful information:

• UCM attempting to connect to CMS at https://192.168.122.17:443 but not able to do so

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 87 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study IV: Debrief • Game plan: Step 2: Analyze the documentation: Topology

Most Valuable Information (MVI)

• UCM attempting to connect to CMS’s webadmin at https://192.168.122.17:443 but CMS listens to port 445

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study IV: Debrief • Game plan: Step 3: Correlate and Discern: • Review and summarize known facts: • CMS as an Ad Hoc conference bridge for UCM is not registered • UCM users cannot initiate Ad Hoc conferences using the CMS as conference bridge • CMS Web Admin listens to port 445 (as shown on the topology diagram) • UCM attempts to contact CMS on port 443 (as shown on the UCM SDI trace) • Apply technical knowledges: • Background technical knowledge/facts candidates should know about the given setup: • For CMS to work as Ad Hoc conference bridge, UCM needs to make an API call to CMS to create the conference • UCM needs to have the correct API credentials and Web Admin address and port configured

• Arrive at diagnostic snapshot • Need to check to make sure the Web Admin port matches between UCM and CMS

• DIAG Question 4: Answer options • Choose one answer.  Issue cannot be identified as the UCM Tomcat Logs are missing

 Issue cannot be identified without additional logs from the CMS

 The snippet did not capture the registration attempt from customer’s description, need to request another round of traces

 The UCM is trying to connect to port 443 on the CMS which is not the webadmin port

 Issue appears to be a network issue between the UCM and the CMS server

 Issue cannot be identified without packet captures on the UCM and the CMS

• DIAG Question 5: • John K, a Cisco Collaboration engineer at customer.com, emailed to inform you that an user imported from LDAP on the UCM is able to login to Jabber over MRA however phone services don’t register. • Attached in the email is a snippet of Expressway-Edge ,Jabber Logs and packet captures from the Jabber PC which according to John were captured when the problem occurred. • Review the topology diagram, customer’s email and, the logs and select the next step to troubleshoot this problem.

• DIAG Question 5: Supplementary Document I: Topology

Jabber Client External DNS Expressway-Edge Expressway Core Internal DNS CUCM Home UDS IM＆P Server

Expressway-Edge Expressway-Core Single-Node CUCM Single-Node IMP 10.201.203.76 10.201.203.75 10.201.203.67 10.201.203.72

• DIAG Question 5 Supplementary Document II: EMAIL From Customer

• DIAG Question 5 Supplementary Document III: Jabber Logs

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study V (Cont’d) • DIAG Question 5 Supplementary Document IV: Jabber PC Packet Captures

• DIAG Question 5 Supplementary Document V: Expressway-E Logs

• DIAG Question 5: Answer options • Choose one answer. The issue cannot be identified as the Expressway-E packet captures are missing The firewall is closing the TCP connection The snippet did not capture the symptoms the customer is reporting Check if the firewall has Phone Proxy feature enabled The firewall is blocking the TCP connections

• Game plan: Step 1: Understand the problem: • From Question body:

• From Customer email:

• Problem Summary: • Jabber client can login over MRA but phone services does not work

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study V: Debrief • Game plan: Step 2: Analyze the documentation: Jabber logs DIAG Question 5 Supplementary Document III: Jabber Logs

Useful information:

• Jabber client failed to Verify identity of the Expressway server in the CN of the cert presented by the Expressway • SSL connection to the Expressway on port 5061 failed

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study V: Debrief • Game plan: Step 2: Analyze the documentation: Expressway-E Logs DIAG Question 5 Supplementary Document IV: Jabber Packet Captures

Useful information: • Server certificate is presented by the Expressway Most Valuable Information (MVI): • Common name on the server certificate is _internal_PP_ctl_phoneprox y_file

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study V: Debrief • Game plan: Step 2: Analyze the documentation: Expressway-E Logs

Useful Information

• TCP connection from Jabber to Expressway-E gets established on port 5061

• TCP connection closes within a second with an EOF on socket

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101 CCIE Collaboration Modular Lab Exam Diagnostic (DIAG) Case Study V: Debrief • Game plan: Step 3: Correlate and Discern: • Review and summarize known facts: • Jabber client can login over MRA but phone services fails • Jabber client failed to Verify identity of the Expressway server in the CN of the cert presented by the Expressway on port 5061 • Common name on the Expressway server certificate is _internal_PP_ctl_phoneproxy_file • Phone services works fine if Jabber client is on internal network • Apply technical knowledges: • Background technical knowledge/facts candidates should know about the given setup: • The common name on the Expressway Server certificate should match the hostname of the Expressway server. Jabber verifies to see if the Common name on the certificate matches against the hostname of the Expressway.

• Arrive at diagnostic snapshot • Need to check if Phone Proxy is enabled on the ASA.

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103 Session 5: Lab Exam Troubleshooting Module with Case Studies CCIE Collaboration v2.0 Modular Lab Exam Skill Assessment TS DIAG CFG • Resolve networking • Perceive problem areas • Abstract functional element of problems • Analyze symptoms of complex Collaboration • Use IOS and other networking issues, identify and network environment troubleshooting tools describe root cause • Understand how solution • Apply troubleshooting • Correlate information from components interoperate methodologies multiple sources • Implement Collaboration • Troubleshoot Collaboration • Discern appropriate solution technologies (any topic on the technologies (any topic on • Apply troubleshooting blueprint) the blueprint) Methodologies • Design appropriate solutions • Implement and verify • Troubleshoot Collaboration to Collaboration network working solution to resolve technologies (any topic on the challenges within constraints networking issues blueprint) and verify functionality

• Troubleshooting (TS) Question Characteristics: • Hands-on, administrative access to devices/applications provided • Goal is to resolve multiple pre-injected faults (Tickets or Incident) in the topology • Devices/application preconfigured • Faults pre-injected • Each ticket involves a question body that describes the symptoms and desired resolution • Dependency between faults is possible but kept at minimal • Restrictions to candidate’s solutions possible: • For example: Do not remove pre-configured route patterns; Do not route calls via alternate paths

• Game plan: 1. Understand the problem • Use Question body 2. Narrow scope to critical components • Review topology diagram • Apply technical knowledge to identify critical components involved 3. Validate preconfigured states of critical components • Check and take mental notes of existing device/application configuration states • Apply technical knowledge to perform preliminary configuration checks 4. Collect and analyze traces/debugs • Collect and analyze traces • Pinpoint fault from trace/debug analysis 5. Implement the fix 6. Verify solution against problem statement

• TS Question 1: All PSTN calls originated from HQ UCM cluster should be sent to the Internet Telephony Service Provider (ITSP) via the HQ-CUBE. HQ users reported that they cannot call any international destinations. HQ users’ dialing habit for international calls is dialing 9011 followed by variable length numbers, sometimes with trailing # and sometimes without it. The ITSP expects 011 prefixed to called numbers and +E.164 calling numbers for international calls. Troubleshoot and make the necessary configuration changes so that these calls complete through the desired path. Restrictions: • Do not add or remove any preconfigured Translation Patterns or Route Patterns on UCM • Do not add or remove any dial-peers on HQ-CUBE • Do not use any alternate path through UCM or gateways of other sites

4 Points

• Game plan: Step 1: Understand the problem:

• Game plan: Step 2: Narrow scope to critical components:

SIP SIP SIP

• Game plan: Step 2: Narrow scope to critical components: Device Details

Cisco Unified Communications Jabber Client Manager Cluster HQ-CUBE

DN: +14155251001 Publisher (Secondary Call Processing Node)

IP address: IP address: IP address: 10.1.1.1 64.100.26.254 10.10.1.254 PSTN Simulation

IP address: Subscriber 1 (Primary Call Processing Node) 10.20.1.11 IP address: ITSP 10.1.1.2 DN: +3227041234 IP address: 64.100.26.1

• Game plan: Step 3: Validate preconfigured states: Jabber Client

Jabber Client

DN: +14155251001

IP address: 10.20.1.11

Validate and take mental (or written) notes on other important configuration fields: • Partition and CSS • Device Pool • Any other settings you deem important

• Game plan: Step 3: Validate preconfigured states: UCM configuration

Preconfigured Translation Patterns: Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: Preconfigured Route Patterns: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: UCM Translation Pattern Details I

Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: UCM Translation Pattern Details II

Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: UCM Route List

Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 116 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: UCM Route Group

Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: UCM SIP Trunk to HQ-CUBE

Cisco Unified Communications Manager Cluster

Publisher (Secondary Call Processing Node) IP address: 10.1.1.1

Subscriber 1 (Primary Call Processing Node) IP address: 10.1.1.2

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 3: Validate preconfigured states: HQ-CUBE HQ-CUBE voice service voip IP address: 10.10.1.254 IP address: 64.100.26.254 mode border-element allow-connections sip to sip dial-peer voice 10 voip sip voice translation-rule 11 description Outbound to UCM; inbound match called PSTN numbers header-passing rule 1 /^\+1$[2-9]..[2-9]...... $/ /\1/ translation-profile outgoing inbound-add-plus midcall-signaling passthru rule 2 /^\+$[2-9]$/ /\1/ session protocol sipv2 ! ! session transport udp voice class codec 1 voice translation-rule 12 session server-group 1 codec preference 1 g711ulaw rule 1 /^$[2-9]...... $/ /+1\1/ destination e164-pattern-map 1 codec preference 2 g729r8 rule 2 /^$[2-9]$/ /+\1/ incoming called e164-pattern-map 2 ! ! voice-class codec 1 voice class e164-pattern-map 1 voice translation-rule 101 voice-class sip bind control source-interface GigabitEthernet1 description HQ UCM numbers rule 1 /^\+$1[2-9]..[2-9]...... $/ /\1/ voice-class sip bind media source-interface GigabitEthernet1 e164 415525.... rule 2 /^\+$[2-9]$/ /01\1/ dtmf-relay rtp-nte ! ! no vad voice class e164-pattern-map 2 voice translation-rule 201 ! description PSTN e164 Patterns rule 1 /^$[2-9]...... $/ /+1\1/ dial-peer voice 64 voip e164 +1[2-9]..[2-9]...... ! description Outbound to PSTN; inbound called SME/CUCM numbers e164 +[2-9]T voice translation-profile inbound-add-plus translation-profile outgoing outbound-strip-plus ! translate calling 12 session protocol sipv2 voice class server-group 1 translate called 201 session transport udp ipv4 10.1.1.1 preference 2 ! session server-group 2 ipv4 10.1.1.2 preference 1 voice translation-profile outbound-strip-plus destination e164-pattern-map 2 description HQ-UCM translate calling 11 incoming called e164-pattern-map 1 ! translate called 101 voice-class codec 1 voice class server-group 2 ! voice-class sip early-offer forced ipv4 64.100.26.1 interface GigabitEthernet1 voice-class sip bind control source-interface GigabitEthernet2 description PSTN ip address 10.10.1.254 255.255.255.0 voice-class sip bind media source-interface GigabitEthernet2 ! dtmf-relay rtp-nte interface GigabitEthernet2 no vad ip address 64.100.26.254 255.255.255.0 #CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 4: Enable, Collect, Analyze Traces and debugs. It might be quicker to start from the edge and work your way back: i.e. did the call even reach the CUBE?

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 120 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 4: Enable “Detailed” trace on UCM

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 121 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 4: Enable SIP debugs on CUBE. Then it’s time to test calls.

HQCUBE#debug ccsip message SIP Call messages tracing is enabled

Annunciator: Your call cannot be completed as HQCUBE#debug ccsip message dialed………….  SIP Call messages tracing is enabled

No debugs showed up on the CUBE. The call failed at UCM!

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 122 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: UCM SDI Trace Analysis

01077839.007 |00:49:55.362 |AppInfo |Digit analysis: patternUsage=2 01077839.008 |00:49:55.362 |AppInfo |Digit analysis: match(pi="2",fqcn="+14155251001", cn="+14155251001", plv="5", pss="PT-Internal-DN:PT-Global-Translation:Global Learned Enterprise Numbers:Global Learned E164 Numbers:Global Learned Enterprise Patterns:Global Learned E164 Patterns:PT-US-PSTN:PT-International-PSTN", TodFilteredPss="PT-Internal-DN:PT-Global- Translation:Global Learned Enterprise Numbers:Global Learned E164 Numbers:Global Learned Enterprise Patterns:Global Learned E164 Patterns:PT-US-PSTN:PT-International-PSTN", dd="90113227041234#",dac="0") 01077839.009 |00:49:55.362 |AppInfo |Digit analysis: potentialMatches=NoPotentialMatchesExist

UCM exhausted potential matches for “90113227041234#’

Which preconfigured pattern matches this? Let’s take another look.

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 123 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 5: Implementing the fix Translation Pattern, “9.011.!#” preconfigured “Called Party Transformations”:

The fix:

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 124 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Verify Solutions: Place a call to the same number again

But wait……….SIP debugs are showing up on HQ-CUBE!! Annunciator: Your call cannot be completed as dialed…………. 

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 125 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Let’s look at the SIP debugs on HQ-CUBE to see what happened:

*Jan 6 08:18:28.666: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg: Received: HQ-CUBE received a SIP INVITE INVITE sip:[email protected]:5060 SIP/2.0 Via: SIP/2.0/TCP 10.1.1.2:5060;branch=z9hG4bK68407b78cc from UCM: From: "HQ Jabber One" ;tag=6493~aad45c32-d9ea-4ec1-981c-48be3a5413f5-36968123 To: Calling number: +14155251001 Date: Wed, 06 Jan 2018 08:19:18 GMT Call-ID: [email protected] Called number: +3227041234 Supported: timer,resource-priority,replaces Min-SE: 1800 User-Agent: Cisco-CUCM12.0 Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY CSeq: 101 INVITE Expires: 180 Allow-Events: presence, kpml Supported: X-cisco-srtp-fallback,X-cisco-original-called Call-Info: ;method="NOTIFY;Event=telephone-event;Duration=500" Call-Info: ;x-cisco-video-traffic-class=DESKTOP Session-ID: 00004f1100105000a0000050568c6b62;remote=00000000000000000000000000000000 Cisco-Guid: 1297042560-0000065536-0000000032-0205546538 Session-Expires: 1800 P-Asserted-Identity: "HQ Jabber One" Remote-Party-ID: "HQ Jabber One" ;party=calling;screen=yes;privacy=off Contact: ;video;audio;+u.sip!devicename.ccm.cisco.com="HQOneCSF";bfcp Max-Forwards: 69 Content-Length: 0

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 126 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Let’s look at the SIP debugs on HQ-CUBE to see what happened:

*Jan 6 08:18:28.673: //63/4D4F4C800000/SIP/Msg/ccsipDisplayMsg: Sent: SIP/2.0 100 Trying Via: SIP/2.0/TCP 10.1.1.2:5060;branch=z9hG4bK68407b78cc From: "HQ Jabber One" ;tag=6493~aad45c32-d9ea-4ec1-981c-48be3a5413f5-36968123 To: Date: Wed, 06 Jan 2018 08:18:28 GMT Call-ID: [email protected] CSeq: 101 INVITE Allow-Events: telephone-event Server: Cisco-SIPGateway/IOS-16.3.6 Session-ID: 00000000000000000000000000000000;remote=00004f1100105000a0000050568c6b62 Content-Length: 0

HQ-CUBE sent 100 Trying to UCM:

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 127 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Let’s look at the SIP debugs on HQ-CUBE to see what happened:

*Jan 6 08:18:28.676: //64/4D4F4C800000/SIP/Msg/ccsipDisplayMsg: Sent: INVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/UDP 10.10.1.254:5060;branch=z9hG4bK3A1258 Remote-Party-ID: "HQ Jabber One" ;party=calling;screen=yes;privacy=off From: "HQ Jabber One" ;tag=2EF41743-10C5 To: Date: Wed, 06 Jan 2018 08:18:28 GMT HQ-CUBE sent a SIP INVITE to Call-ID: [email protected] ITSP: Supported: 100rel,timer,resource-priority,replaces,sdp-anat Min-SE: 1800 Cisco-Guid: 1297042560-0000065536-0000000032-0205546538 Calling number: +14155251001 User-Agent: Cisco-SIPGateway/IOS-16.3.6 Called number: 013227041234 Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER CSeq: 101 INVITE Timestamp: 1528273108 Contact: Expires: 180 Allow-Events: telephone-event Max-Forwards: 68 Session-ID: 00004f1100105000a0000050568c6b62;remote=00000000000000000000000000000000 Session-Expires: 1800 Content-Type: application/sdp Content-Disposition: session;handling=required Content-Length: 295

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 128 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Let’s look at the SIP debugs on HQ-CUBE to see what happened:

*Jan 6 08:18:28.684: //64/4D4F4C800000/SIP/Msg/ccsipDisplayMsg: Received: SIP/2.0 404 Not Found Via: SIP/2.0/UDP 10.10.1.254:5060;branch=z9hG4bK3A1258 From: "HQ Jabber One" ;tag=2EF41743-10C5 To: ;tag=3ADC6E5A-257B Date: Wed, 06 Jan 2018 08:18:16 GMT HQ-CUBE received an SIP 404 Call-ID: [email protected] Not Found from ITSP: Timestamp: 1528273108 CSeq: 101 INVITE Allow-Events: telephone-event “No matching outgoing dial-peer” Warning: 399 64.100.26.1 "No matching outgoing dial-peer" Server: Cisco-SIPGateway/IOS-16.3.4 Reason: Q.850;cause=1 Session-ID: 00004f1100105000a0000050568c6b62;remote=45a84ed6169c59d0a01191e8dc42986b Content-Length: 0

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 129 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study I Debrief (Cont’d) • Game plan: Step 6: Let’s look at the SIP debugs on HQ-CUBE to see what happened:

What’s not right and how can we fix it?

TS Question 2:

Jabber Client ([email protected] ) registered to the HQ UCM is trying to make B2B calls to [email protected] using the Expressway infrastructure. These calls are failing for all internal users, calls to other external domains work fine.

4 Points

CUCM Home UDS Expressway Core Jabber Client Expressway-Edge External DNS

Single-Node CUCM Expressway-Core Expressway-Edge 10.201.203.67 10.201.203.75 10.201.203.76

• Game plan: Step 1: Understand the problem:

TS Question 2:

4 Points

. HQ Jabber Clients . Outbound calls to ccieexam.com fail . Calls to other external domains work

• Game plan: Step 2: Narrow scope to critical components:

CUCM Home UDS Expressway Core Jabber Expressway-Edge External DNS Client Single-Node CUCM Expressway-Core 2001@ccielab. Expressway-Edge 5001@ccieexa 10.201.202.152 10.201.203.67 com 72.163.219.244 m.com

SIP SIP SIP DNS Lookup SIP

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 133 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study II Debrief (Cont’d) • Game plan: Step 4: Enable, Collect, Analyze Traces and debugs.

1. The UCM is the 1st point of entry , check if the dial plan on the UCM can route the call to the Expressway-Core • Use the DNA Tool on the UCM • Check UCM Traces 2. If the call hit the VCS , check if the search Rules on the VCS can route the call to the Expressway- Edge • Check the Search history • If the call is not being routed to the Expressway-E check Diagnostic logs 3. If the call hit the Expressway-E check if the Search rules can send the call to the DNS zone and if the _sip , _sips , h323ls or h323cs SRVs are resolving • Check the Search history • DNS Lookup Tool Utility on the Expressway • Check diagnostic Logs

• Game plan: Step 4: Enable, Collect, Analyze Traces and debugs (Dialed Number Analyzer)

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 135 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study II Debrief (Cont’d) • Game plan: Step 4: Enable, Collect, Analyze Traces and debugs: Search History Expressway-C

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 136 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study II Debrief (Cont’d) • Game plan: Step 4: Enable, Collect, Analyze Traces and debugs: Search History Expressway-E

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 137 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study II Debrief (Cont’d) INVITE from the C to the E

Module="network.sip" Level="DEBUG": Action="Received" Local-ip="72.163.219.228" Local-port="7001" Src-ip="10.127.228.14" Src-port="26841" Msg-Hash="5157895310537734883" SIPMSG: |INVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/TLS 10.127.228.14:5061;egress-zone=TraversalClientB2BDMZ;branch=

Search Rule towards DNS Zone matching

2018-05-31T01:51:16.333+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,333" Module="network.search" Level="DEBUG": Detail="Considering search rule 'Route B2B Call towards DNS Zone' towards target 'DNS_Zone_B2B' at priority '80' with alias '[email protected]’”

_sips , sip , h323ls and h323cs SRVs failing

2018-05-31T01:51:16.432+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,432" Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="_sips._tcp.ccieexam.com" Type="SRV (IPv4 and IPv6)" 2018-05-31T01:51:16.514+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,514" Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname” 2018-05-31T01:51:16.514+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,514" Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="_sip._tcp.ccieexam.com" Type="SRV (IPv4 and IPv6)” 2018-05-31T01:51:16.514+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,514" Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname” 2018-05-31T01:51:16.682+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,681" Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="_h323ls._udp.ccieexam.com" Type="SRV (IPv4 and IPv6)" 2018-05-31T01:51:16.764+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,763" Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname" 2018-05-31T01:51:16.764+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,764" Module="network.dns" Level="DEBUG": Detail="Sending DNS query" Name="_h323cs._tcp.ccieexam.com" Type="SRV (IPv4 and IPv6)" 2018-05-31T01:51:16.848+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,847" Module="network.dns" Level="DEBUG": Detail="Could not resolve hostname”

404 Not Found sent back to the Expressway-Core

2018-05-31T01:51:16.851+05:30 vcs-e-cmr01 tvcs: UTCTime="2018-05-30 20:21:16,851" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="72.163.219.228" Local-port="7001" Dst-ip="10.127.228.14" Dst-port="26841" Msg- Hash="13695408399108411739" SIPMSG: |SIP/2.0 404 Not Found Via: SIP/2.0/TLS 10.127.228.14:5061;egress-

TS Question 2:

WebRTC clients trying to login internally fail to login with error – username or password entered is incorrect even though the right username and password is used.

4 Points

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 140 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study III Debrief (Cont’d) • Game plan: Step 1: Understand the problem:

TS Question 2:WebRTC clients trying to login internally fail to login with error – username or password entered is incorrect even though the right username and password is used. 4 Points

. Internal WebRTC login failing . Username or password is incorrect

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 141 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study III Debrief (Cont’d) • Game plan: Step 2: Understand the Flow:

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 142 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study III Debrief (Cont’d) • Game plan: Step 3: Narrow scope to critical components:

PC DNS Server CMS Webbridge CMS DNS Server CMS XMPP Server

A record Lookup SRV Lookup XMPP

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 143 CCIE Collaboration Modular Lab Exam Troubleshooting (TS) Case Study III Debrief (Cont’d) • Game plan: Step 4: Enable, Collect, Analyze Traces and debugs.

1. The PC is where the A record lookup happens and a TCP connection is established to the CMS. • Use the command Prompt to run the lookup • Check packet captures 2. If the call hit the CMS , check to see if the CMS is able to perform the _xmpp-client SRV lookup and connect to the XMPP server • Use the dns lookup utility on CMS • Check the CMS logs 3. If the login attempt hits the XMPP server check if the callbridge is able to successfully authenticate the user with the LDAP server • Check the CMS logs

Timestamp user.info cmslabserver webbridge: INFO : login request received - session:0 user:1 password:1 Timestamp user.info cmslabserver webbridge: INFO : Session XYZ activated - 1 currently active Timestamp user.info cmslabserver webbridge: INFO :No DNS SRV records for _xmpp-client._tcp.tplabdomain.com Timestamp user.info cmslabserver webbridge: INFO : XMPP connection dropped while session was live for reason 2 Timestamp user.info cmslabserver webbridge: INFO : Session XYZ moving from state idle to disconnected Timestamp user.info cmslabserver webbridge: INFO :XMPP connection dropped while session was live for reason 0 Timestamp user.info cmslabserver webbridge: INFO : Session XYZ moving from state disconnected to disconnected Timestamp user.info cmslabserver webbridge: INFO : Session XYZ destroyed (0 active, cumulative 11)

What’s not right and how can we fix it?

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 145 Session 6: Lab Exam Configuration Module with Case Studies CCIE Collaboration v2.0 Modular Lab Exam Skill Assessment TS DIAG CFG • Resolve networking • Perceive problem areas • Abstract functional element of problems • Analyze symptoms of complex Collaboration • Use IOS and other networking issues, identify and network environment troubleshooting tools describe root cause • Understand how solution • Apply troubleshooting • Correlate information from components interoperate methodologies multiple sources • Implement Collaboration • Troubleshoot Collaboration • Discern appropriate solution technologies (any topic on the technologies (any topic on • Apply troubleshooting blueprint) the blueprint) Methodologies • Design appropriate solutions • Implement and verify • Troubleshoot Collaboration to Collaboration network working solution to resolve technologies (any topic on the challenges within constraints networking issues blueprint) and verify functionality

• Configuration (CFG) Question Characteristics: • Hands-on, administrative access to devices/applications provided • Candidate choose best way to implement based on requirements • Some devices/applications preconfigured • High interdependency between questions • Some restrictions to candidate’s solutions

Configure Expressway-C , Expressway-E , UCM and IMP server so that Jabber clients at the HQ location can login and register over MRA

Jabber Client External DNS Expressway Edge Expressway Core Internal DNS CUCM Home UDS IM＆P Server

Expressway Edge Expressway Core Single-Node CUCM Single-Node IMP expressway.ciscolive.com SRV Record: cucm.ciscolive.com cups.ciscolive.com control.ciscolive.com

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home UDS IM＆P Server

Expressway Edge Expressway Core Single-Node CUCM Single-Node IMP control.ciscolive.com cucm.ciscolive.com cups.ciscolive.com expressway.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 150 External DNS Configuration Configure SRV record – External DNS Note : This step may/may not have been already completed for the lab

Service Protocol Port Record Definition/Host _collab-edge TLS 8443 expressway.ciscolive.com  External DNS Record (for general deployment not specifically Mobile and Remote Access service)  Configure A/AAAA record as needed IMPORTANT: Make sure _cisco-uds/_cuplogin SRV/FQDN record are NOT resolvable outside of internal network otherwise Jabber client won’t start Mobile and Remote Access negotiation via Expressway-E (or VCS-Expressway).

Service Protocol Port Record Definition/Host _sips TCP 5061 expressway.ciscolive.com _sip TCP 5060 expressway.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home UDS IM＆P Server

Expressway-Edge Expressway-Core Single-Node CUCM Single-Node IMP expressway.ciscolive.com control.ciscolive.com cucm.ciscolive.com cups.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

Service Protocol Port Record Definition/Host _cisco-uds TCP 8443 cucm.ciscolive.com

 Configure A/AAAA record as needed

IMPORTANT: Make sure _cisco-uds SRV/FQDN record is NOT resolvable outside of internal network otherwise Jabber client won’t start Mobile and Remote Access negotiation via VCS Expressway (or Expressway-E).

* FQDN & IP Address listed above are just sample for configuration reference

• Jabber Client PC should be able to able to resolve _collab-edge SRV and should fail on _cisco-uds and _cuplogin

• Expressway-C should be able to resolve _cisco-uds SRV

• Activate all relevant services on the IM&P server

• Single SIP domain deployment • Simple deployment with single UDS and IMP server

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home UDS IM＆P Server

Expressway Edge Expressway Core Single-Node CUCM Single-Node IMP expressway.ciscolive.com SRV Record: cucm.ciscolive.com cups.ciscolive.com control.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 158 Expressway Edge Configuration • System host name and domain name  Ensure host name and domain name are specified for every VCS

 Ensure that time is Synchronized on every VCS . If NTP is not synchronized over traversal it may lead to a lot of problems

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 160 Expressway Edge Configuration  Install appropriate server certificates and trusted CA certificates for TLS traversal session between Expressway Core and Expressway Edge • This deployment requires secure communication between Expressway Core and Expressway Edge

•

Domain XMPP Extended Key Usage 1. TLS Web Server Authentication XMPP TLS 2. TLS Web Client Authentication

Expressway-C Expressway-E SAN elements configured with : 3. FQDN Expressway E 4. Public UC Domain Internet 5. IM and Presence chat node alias

SIP TLS 6. XMPP Federation Domains SIP MTLS Clustering XMPP TLS HTTPS

• Mobile and Remote Access  Enable Mobile and remote access feature from Configuration > Unified Communications > Configuration

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 164 Expressway Edge Configuration • Traversal Zone  Create Unified Communications traversal zone between Expressway Edge and Expressway Core

• Traversal Zone Create credentials to be used for Traversal authentication

• Traversal Zone  Create Unified Communications traversal zone between Expressway Edge and Expressway Core– Create a new User for Traversal Authentication

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 167 Expressway Edge Configuration • Traversal Zone  Create TLS verify enable Unified Communications traversal zone between Expressway Edge and Expressway Core – Create a new User for Traversal Authentication

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 169 Mobile and Remote Access : Verification After the Exp-C and Exp-E are fully configured go to Status -> Unified Communications on the Exp-E and verify the below • Unified Communications Status  After all configurations, Unified Communication status should show • Unified Communications mode: Enabled • Unified Communication service: Active • Zone (Sip status): Active

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 170 Expressway Core Configuration • Solution Configuration - Deployment Scenarios • Single SIP domain deployment • Simple deployment with single UDS and IMP server

Jabber Client External DNS Expressway Edge Expressway Core Internal DNS CUCM Home UDS IM＆P Server

Expressway Edge Expressway Core Single-Node CUCM Single-Node IMP expressway.ciscolive.com control.ciscolive.com cucm.ciscolive.com cups.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

• System host name and domain name  Ensure host name and domain name are specified for every Exp-C

• DNS Server on the Expressway Core  Ensure the DNS server the internal DNS is correctly configured on the Expressway Core

 Ensure that VCS is Synchronized on every VCS . If NTP is not synchronized over traversal it may lead to a lot of problems

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 174 Expressway Core Configuration • Server Certificate  Install appropriate serve certificates and trusted CA certificates for TLS traversal session between Expressway Core and Edge • This deployment requires secure communication between Expressway Core and Edge

Extended Key Usage CUCM 1. TLS Web Server Authentication Unified CM 2. TLS Web Client Authentication SIP MTLS Expressway-C Expressway-E SAN elements configured with : 3. FQDN Expressway C 4. IM and Presence chat node alias 5. Unified CM Security Profile names

SIP MTLS 6. Cluster Name Clustering MTLS IM&P

• Configure Unified CM servers  Add Unified Communication server used for remote access from Configuration > Unified Communications > Unified CM servers  Step 1: Click “New”

• Configure Unified CM servers  Step 2: Entre Unified CM publisher address, AXL Web service username and password, then click “Add address”

• Configure Unified CM servers  VCS automatically negotiates a SIP link between Unified CM • You can establish the connection with TCP or TLS depending on the question

• Neighbor zone between Unified CM  Non-configurable neighbor zone “CEtcp-” or/and “CEtls-” automatically created after configure Unified CM servers

• Search rule pointing to Unified CM  Non-configurable search rule “CEtcp-” or/and “CEtls- ” automatically created after configure Unified CM servers

• Configure IM and Presence server  Add IM and Presence used for remote access from Configuration > Unified Communications > IM and Presence servers  Step 1: Click “New”

• Configure IM and Presence server  Step 2: Add publisher FQDN, AXL Web service username and password, then click “Add address”

• Configure IM and Presence server  Configured IM and Presence server will add on VCS and status shows as “Active”

• Traversal Zone  Create TLS verify enable Unified Communication traversal zone between VCS Expressway and enable Mobile and remote access

• Traversal Zone  Create Unified Communications traversal zone between Expressway Edge and Core

• UC Traversal Zone  Create Unified Communications traversal zone between Expressway Edge and Core

• Entire FQDN of each VCS Expressway

• SIP domain to route to Unified CM  Configure the domains for registration, call control, provisioning, messaging and presence services are to be routed to Unified CM from Configuration > Domains (select target domain and click “View/Edit”)  Enable feature to route to Unified CM

• Zone Status  After all configurations, UC Traversal Zone status should show “Active” (Need to complete all Expressway Edge configuration before the zone will show Active )

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 189 Expressway Core Configuration - Verification After the Exp-C and Exp-E are fully configured go to Status -> Unified Communications on the Exp-C and verify the below  After all configurations, Unified Communication status should shows… • Unified Communications mode: Enabled • Unified Communication service: Active • Zone (Sip status): Active

• If the Traversal zone is not coming up , use the following tools available on the Expressway’s • DNS Lookup (Maintenance -> Tools -> Network Utilities -> DNS lookup) • Ping (Maintenance -> Tools -> Network Utilities -> Ping) • Event Logs - Exp-C (Status -> Logs -> Event Log)

• Event Logs - Exp-E (Status -> Logs -> Event Log)

• Diagnostic Logs Exp-C (Maintenance -> Diagnostics -> Diagnostic Logging) • 2014-08-16T18:41:47+05:30 VCS102 tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.106.93.178" Src- port="25066" Dst-ip="10.106.93.175" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Common- name="VCSE101.uctplab.com" Level="1" UTCTime="2014-08-16 13:11:47,631” • Diagnostic Logs Exp-E (Maintenance -> Diagnostics -> Diagnostic Logging) • 2014-08-16T20:55:00+05:30 VCSE101 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src- ip="10.106.93.178" Src-port="25011" Dst-ip="10.106.93.175" Dst-port="7002" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2014-08-16 15:25:00,324”

• IM&P domain not added or not enabled for IM&P

• Jabber login will fail – Cannot communicate with the server

• Diagnostic logs will show

xwaye XCP_JABBERD[12144]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140582990952192" Module="Jabber" Level="INFO " CodeLocation="deliver.c:1492" Detail="bouncing a packet to 'domain3.com” from ‘cm- 1_jsmcp-1.xwaye-domain1.com’”

xwaye XCP_CM[12513]: UTCTime="2014-03-14 14:30:25,310" ThreadID="140004551300864" Module="cm- 1.xwaye-domain1.com" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"

• XMPP Router is Inactive • Verify IM Server status on Expressway Core • Look for warnings on the IMP Server for XCP Service . Restart XCP Router service if required

• Solution Configuration - Deployment Scenarios • Single SIP domain deployment • Simple deployment with single UDS and IMP server

Jabber Client External DNS Expressway Edge Expressway Core Internal DNS CUCM Home UDS IM＆P Server

Expressway Edge Expressway Core Single-Node CUCM Single-Node IMP expressway.ciscolive.com control.ciscolive.com cucm.ciscolive.com cups.ciscolive.com

* FQDN & IP Address listed above are just sample for configuration reference

• End User Configuration  Enable user for Unified CM IM and Presence service

• End User Configuration  Associated user with appropriate Controlled Devices

• End User Configuration  Make sure “Standard CCM End Users” are added as Access Control Groups

• Phone Configuration  Add Phone with appropriate profile and DN

• Phone Configuration  Device owner user ID must be mapped on the device to link the service profile  If owner user ID is not specified, user will use the default service profile

• Phone Configuration  Add owner user ID in “Associate End Users” under Directory Number Configuration

• Jabber Login successful and phone services registered

Phone registered on CUCM and ready for phone service Detail status available from Help > Show connection status

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 201 MRA: Critical Components • Register Jabber client on UCM via MRA Expected signaling flow for Jabber Client logon and registration on simple IM&P based deployment

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

Jabber login with [email protected]

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

DNS Query

SRV _cisco-uds._tcp.ciscolive.com

Query Response

Not Found

DNS Query

SRV _cuplogin._tcp. ciscolive.com

Query Response

Not Found

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

DNS Query

SRV _collab-edge._tls.ciscolive.com

Query Response

(Contain “Answers” including SRV and A/AAAA record) Service: collab-edge Protocol: tls Name: ciscolive.com Type: SRV Port: 8443 Target: expressway.ciscolive.com SRV ciscolive.com

DNS Query

A expressway.ciscolive.com

Query Response

(Contain “Answers” including A/AAAA record) Name: expressway.ciscolive.com Type: A Addr: 122.208.118.4

Jabber Client External DNS Expressway Expressway Internal DNS CUCM Home TFTP IM＆P Edge Core UDS Server Server

SSL: Client Hello

SSL: Server Hello Establish secure communication channel between VCS-E SSL: Certificate, Server Hello Done

HTTPS

HTTPS: GET /get_edge_config HTTPMSG: |GET https:///dWN0cGxhYi5jb20/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1 Authorization: xxxxx Client requests Edge Configuration data Host: expressway.ciscolive.com:8443 Accept: */* User-Agent: Jabber-Win-473 HTTPS

|GET http://vcs_control.uctplab.com:8443/dWN0cGxhYi5jb20/get_edge_config?service_name=_cisco- uds&service_name=_cuplogin HTTP/1.1 Authorization: xxxxx Basic username & password Host: expressway.ciscolive.com:8443 Accept: */* User-Agent: Jabber-Win-473 X-Forwarded-For: 10.106.93.185  IP-Address of Jabber client Via: https/1.1 vcs[0A6A5DAF] (ATS)

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home TFTP IM＆P UDS Server Server When DNS record is not cached ExpressWay C will send out following DNS queries DNS Query SRV _cisco-uds._tcp.ciscolive.com Query Response

(Target: cucm.ciscolive.com)

A cucm.cisclive.com

Query Response DNS Query (Addr: 10.106.93.183

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTP(S)

Requesting CUCM home node HTTPS: GET ///cucm-uds/clusterUser? HTTPMSG: information |GET /cucm-uds/clusterUser?username=liveuser HTTP/1.1 Host: cucm.ciscolive.com:8443

HTTP(S) 200 OK

HTTPMSG: HTTP/1.1 200 OK Content-Type: application/xml Server: 172.16.1.36 2014-08-17T20:10:37+05:30 VCS102 UTCTime="2014-08-17 14:40:37,311" Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeprotocol(835)" Detail="Found user cluster" Username=”liveuser" Cluster="10.106.93.183”

2014-08-17T20:10:37+05:30 VCS102 UTCTime="2014-08-17 14:40:37,311" Module="developer.edgeconfigprovisioning.server" Level="DEBUG" CodeLocation="edgeprotocol(879)" Detail="Found UDS server" Cluster="10.106.93.183" UdsServer="10.106.93.183" ======

Jabber Client External DNS Expressway E Expressway C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTP(S)

HTTPS: GET ///cucm-uds/user//devices HTTPMSG: Get Devices |GET //10.106.93.183:8443/cucm-uds/user/liveuser/devices HTTP/1.1 Authorization:

HTTP(S) 200 OK

HTTPMSG: HTTP/1.1 200 OK Set-Cookie: JSESSIONIDSSO=DDE7D3BDDED087FDA64DB84AC2C66445; Path=/; Secure; HttpOnly Set-Cookie: JSESSIONID=4B288958CE61B4A939B489D66F478B6E; Path=/cucm-uds/; Secure; HttpOnly Content-Type: application/xml 34523a0d-7d0c-c90d-5276-124985b0a2deBOTliveuserCisco Dual Mode for Android ….. CSFliveuserCisco Unified Client Services Framework390SIPhttp://1 0.106.93.183:6970/CSFliveuser.cnf.xml…….. |

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server HTTPS 200 OK

HTTPMSG: HTTP/1.1 200 OK Returned configuration: Server: CE_C ECS 1) IMP, CUCM _cisco-phone- 2) SIP edge tftpNameError_cuplogin008443

imp.ciscolive.com

_cisco- uds008443

cucm.ciscolive.com

4) XMPP edge tftpServer

10.106.93.183

………. etc.

HTTPS 200 OK

HTTPMSG: |HTTP/1.1 200 OK Content-Type: text/xml Server: CE_C ECS Set-Cookie: X-Auth=d5dc4a38-bf9d-46c5-bc1c-37e9e91c91b7; Expires=Sun, 17 Aug 2014 22:40:37 GMT; Domain=.uctplab.com; Path=/; Secure _cisco-phone- tftpNameError_cuplogin008443

imp.ciscolive.com

_cisco- uds008443

cucm.ciscolive.com

tftpServer

10.106.93.183

……….

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTPS

HTTPS: GET /jabber-config.xml HTTPMSG: |GET https:///dWN0cGxhYi5jb20vaHR0cC8xMC4xMDYuOTMuMTgzLzY5NzA/jabber-config.xml HTTP/1.1 Host: VCSE101.uctplab.com:8443 Accept: */* Cookie: X-Auth=d5dc4a38-bf9d-46c5-bc1c-37e9e91c91b7 User-Agent: Jabber-Win-473

HTTPS: POST /EPASSoap/service/ login HTTPMSG: HTTPMSG: |POST https:///dWN0cGxhYi5jb20vaHR0cHMvMTAuMTA2LjkzLjE4NC84NDQz/EPASSoap/service/v80 HTTP/1.1 Host: VCSE101.uctplab.com:8443 User-Agent: gSOAP/2.8 User-Agent: Jabber-Win-473 Content-Type: application/soap+xml; charset=utf-8; action="urn:cisco:epas:soap/EpasSoapServiceInterface/login"

….

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTPS

HTTPS: POST /EPASSoap/service/get_all_config HTTPMSG: |POST https:///dWN0cGxhYi5jb20vaHR0cHMvMTAuMTA2LjkzLjE4NC84NDQz/EPASSoap/service/v80 HTTP/1.1 Host: expressway.ciscolive.com:8443 User-Agent: gSOAP/2.8 User-Agent: Jabber-Win-473 Content-Type: application/soap+xml; charset=utf-8; action="urn:cisco:epas:soap/EpasSoapServiceInterface/get_all_config"

HTTPS: POST /EPASSoap/service/get_user_config |POST https:///dWN0cGxhYi5jb20vaHR0cHMvMTAuMTA2LjkzLjE4NC84NDQz/EPASSoap/service/v100 HTTP/1.1 Host: expressway.ciscolive.com:8443 User-Agent: gSOAP/2.8 User-Agent: Jabber-Win-473 Content-Type: application/soap+xml; charset=utf-8; action="urn:cisco:epas:soap/EpasSoapServiceInterface/get_user_config"

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTPS

HTTPS: POST /EPASSoap/service/get_onetime_password |POST https:///dWN0cGxhYi5jb20vaHR0cHMvMTAuMTA2LjkzLjE4NC84NDQz/EPASSoap/service/v80 HTTP/1.1 Host: expressway.ciscolive.com:8443 User-Agent: gSOAP/2.8 User-Agent: Jabber-Win-473 Content-Type: application/soap+xml; charset=utf-8; action="urn:cisco:epas:soap/EpasSoapServiceInterface/get_onetime_password"

HTTPS: GET /CUCM UDS version HTTPMSG: |GET https:///dWN0cGxhYi5jb20vaHR0cHMvMTAuMTA2LjkzLjE4My84NDQz/cucm-uds/version HTTP/1.1 Host: expressway.ciscolive.com :8443 Accept: */* Cookie: X-Auth=d5dc4a38-bf9d-46c5-bc1c-37e9e91c91b7 User-Agent: Jabber-Win-473

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

HTTPS

HTTPS: GET /CTLSEP.cnf.xml HTTPMSG: |GET https:///dWN0cGxhYi5jb20vaHR0cC8xMC4xMDYuOTMuMTgzLzY5NzA/CSFliveuser.cnf.xml HTTP/1.1 Authorization: xxxxx Host: expressway.ciscolive.com:8443 Accept: */* Cookie: X-Auth=d5dc4a38-bf9d-46c5-bc1c-37e9e91c91b7 User-Agent: Jabber-Win-473

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

SIP - REGISTER

|REGISTER sip:10.106.93.183 SIP/2.0 Via: SIP/2.0/TLS 10.106.93.185:49173;branch=z9hG4bK0000072e Call-ID: [email protected] CSeq: 101 REGISTER Client includes the route set received at Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com="CSFAlok";+u.sip!model.ccm.cisco.com="503";video From: ;tag=005056ad6bf900020000075d-00004006 To: Max-Forwards: 70 Route: ,,

SIP 407 Proxy Authentication Required

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

SIP - REGISTER

|REGISTER sip:10.106.93.183 SIP/2.0 Via: SIP/2.0/TLS 10.106.93.185:49173;branch=z9hG4bK00000e15 Call-ID: [email protected] CSeq: 102 REGISTER Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com="CSFAlok";+u.sip!model.ccm.cisco.com="503";video From: ;tag=005056ad6bf900020000075d-00004006 To: Max-Forwards: 70 Route: ,, Proxy-Authorization: Digest username=”liveuser", realm="VCSE101.uctplab.com", uri="sip:10.106.93.183", response="baf0e381b85ddb5aebb8629ede80ba46", nonce="a177c49cd99139ca0fc7d72ce8b8afde8c628a709f3b8fb6b1199761eec4", opaque="AQAAAHzjirV+m5V1hLc0zgFv7yghsBS/", cnonce="00005e2b", qop=auth, nc=00000001, algorithm=MD5

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server

SIP - SERVICE

SERVICE sip:[email protected] SIP/2.0 Via information include; Call-ID: [email protected]: 1001 REFER 1) Edge zone name From: ;tag=7be6e74dbefae446 To: 2) Client local and NAT address with P-Asserted-Identity: port number 00AD63151571751309liveuserVCS E101.uctplab.comcollab- edgeDigestSA1.0140828644510.106.93.183

SERVICE 200 OK

SIP/2.0 200 OK Call-ID: [email protected] CSeq: 12049 SERVICE From: ;tag=7be6e74dbefae446 To: ;tag=58c07d2f83ea795b From: ;tag=081196545e6500020000428b-00005ddf To: Route: 1571751309success50ff19a9493b1f5670f47225047a77abDigestSA1.01408286445

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P UDS Server Server SIP - REGISTER

REGISTER sip:10.106.93.183 SIP/2.0 Call-ID: [email protected] CSeq: 102 REGISTER Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com="CSFAlok";+u.sip!model.ccm.cisco.com="503";video Registration request including Contact From: ;tag=005056ad6bf900020000075d-00004006 and all Route information To: Route: P-Asserted-Identity: Reason: SIP ;cause=200;text="cisco-alarm:25 Name=CSFliveuser ActiveLoad=Jabber_for_Windows-9.7.1 InactiveLoad=Jabber_for_Windows-9.7.1 Last=initialized"

SIP - REGISTER

REGISTER sip:10.106.93.183 SIP/2.0 Via: SIP/2.0/TCP 10.106.93.178:5060;egress- zone=CEtcp1010693183;branch=z9hG4bKadc2425b2d31c472809865ebf680dedf14468.cc142c189f06ad47cb07c4fbf539 Proxy registration to CUCM e914;proxy-call-id=131f1613-19fa-42c0-b5ce-e6667fefeb2b;rport Call-ID: [email protected] CSeq: 102 REGISTER Cseq number for REGISTER is From: ;tag=005056ad6bf900020000075d-00004006 managing separately To: Route: User-Agent: Cisco-CSF/9.4.1 P-Asserted-Identity:

Jabber Client External DNS Expressway E ExpressWay C Internal DNS CUCM Home TFTP IM＆P SIP 200OK - REGISTER UDS Server Server

SIP/2.0 200 OK Via: SIP/2.0/TLS 10.71.50.153:50036;branch=z9hG4bK00007a0d Call-ID: [email protected] CSeq: 102 REGISTER Contact: ;+sip.instance="";+u.sip!devicename.ccm.cisco.com=”CSFliveuser";+u.sip!model.ccm.cisco.com="503";video;x-cisco- newreg From: ;tag=005056ad6bf900020000075d-00004006 To: ;tag=490248183 Route: ,, SIP 200OK REGISTER

Configure the CMS and make sure you are able to login using WebRTC and a native CMA client . Also integrate CMS with UCM to be able to make Rendezvous and Adhoc calls

User1(1002)

CUCM CMS Server Jabber Client

Single node CMS Single-Node CUCM Jabber Client cms.ciscolive.com cucm.ciscolive.com User2(1003) Jabber Client

User3(1004)

External Cisco Meeting App Lync/S4B Direct Cisco Meeting App Federation WebRTC

Load Balancer TURN Server Web Bridge Edge Software XMPP Recording / Core Software Call Bridge Database Server Streaming

Internal UCM

Lync FE Cisco Meeting App Call Control Active Directory SIP / H.323

• Call Bridge

• Web Bridge

• Web Admin

• XMPP

• TURN Server

• Database

• Recording / Streaming Server

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 221 Callbridge Overview • Call Bridge service on the Meeting Server is to bridge the conference connections, enabling multiple participants to join meetings hosted on the Meeting Server • Primary component of the solution • Must exist somewhere in all deployments • Media processing engine • API integration point • Call processing and routing component • Fully brand-able audio and video prompts • Supports clustering for distributed calls

• Webadmin is the Service to enable Web GUI for Meeting server

• Webadmin is specifically to configure how the Call Bridge talks to other components

• Required for Call routing configuration

• Required for Clustering configuration

• Required for viewing logs via web and increasing log levels

• XMPP service to enable the Cisco Meeting Apps such as PC clients and iOS (iPhone and iPad) device to connect the Meeting Server. The XMPP service handles signaling to and from Cisco Meeting Apps

• Registration point for Desktop and Mobile clients as well as Web Bridge

• Allows for calls, IM, and presence

• Traversal capable

• Can balance between multiple servers in large deployment

• Requires LDAP source to be configured on Call Bridge with users imported

• Webbridge service to enable WebRTC app. The WebRTC app works on HTML5-compliance browsers and uses the WebRTC standard for video and audio • It equivalent of VCS Jabber Guest solution • Allows for a guest to join via special link or full access to “web” version of desktop client • Based around Web sockets and WebRTC • Utilizes XMPP signaling (acts similar to desktop client between itself and Call Bridge) • Chrome, Firefox, and Opera supported, Chrome is preferred • Must use different port or IP from Web Admin if on the same server

• Automatically created when a Call Bridge is created • Stores information regarding spaces and their content • Supports clustering if desired for redundancy • When clustered, automatically elects a master which all Call Bridge servers will talk to • If 5 consecutive keepalives fail, new master is elected • A Call Bridge cluster requires a Database cluster • Database failover can take approx. 1 minute to become operational • Inter-database communication handled via SSL

• In a split deployment, the XMPP server is located on the core and the “loadbalancer” is located on the edge.

• The trunk provides the connection to the load balancer on the core side to funnel traffic internally to the xmpp server.

• The loadbalancer does not really distribute load, but rather provides one of potentially multiple points for traffic to be passed to the XMPP server. In Cisco terms, think of the loadbalancer (on the edge) as the traversal server, and the trunk (on the core) as the traversal client building a tunnel between the two.

• Multiple trunks and load balancers can be configured on a server via the MMP each with its own certs and trust bundle.

• Similar to the traversal server and client model, the load balancer never initiates connections, but listens both internally and externally. The associated ports and interfaces are customizable, but by default internal communication from the trunk is on port 4999 while external commination from clients is on 5222.

• The external side should also listen on the loopback interface if a Webbridge is on the same server as the loadbalancer.

lo:5222

Trunk

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 231 CMS Call Processing • CMS only looks at the domain in the SIP Request-URI field • If the SIP INVITE is destined to sip:[email protected], CMS only cares about the domain.com

Incoming Call Rules Forwarding Rules Outgoing Call Rules

• Is the call for this CMS ? • Should the call • Destination? • For spaces, users, IVR ? be forwarded? • Standards-based or • Is the call for Lync ? • If domain not Lync matched, by default trunk type • If no match for domain, reject the call check Forwarding rules • Any transformation?

Certificate can be Self-signed or CA Signed • To Generate Self-signed Certificates use “pki selfsigned ” • To Generate a Certificate Sign Request for CA signed Certificates, use command “pki csr ”

Certificates & Key files • cmscerts.cer • cmscerts.key • RootCA.cer

• Configure Webadmin listen interface, add certificate and key, and enable the service

• Check the Webadmin status • CMS> webadmin

• Set Webadmin listen interface and Port • CMS> webadmin listen a 445

• Set Webadmin Key, Certificate and CA Bundle • CMS> webadmin certs cmscerts.key cmscerts.cer RootCA.cer

• Enable Webadmin • CMS> webadmin enable

• Configure a Callbridge listen interface, add certificate and key, and restart the service

• Check the Callbridge status • CMS> callbridge

• Set Callbridge listen interface • CMS> callbridge listen a

• Set Callbridge Key, Certificate and CA Bundle • CMS> callbridge certs cmscerts.key cmscerts.cer RootCA.cer

• Restart Callbridge • CMS> callbridge restart

• Verify Callbridge status • CMS> callbridge

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 237 CMS XMPP Server Configuration • Configure XMPP listen interface, add certificate and key, add domain, enable the service and in the end add the callbridge • Set XMPP listen interface • CMS> xmpp listen a • Set XMPP Key & Certificate • CMS> xmpp certs cmscerts.key cmscerts.cer • Set XMPP domain • CMS> xmpp domain cmslab.com • Enable XMPP • CMS> xmpp enable • Add Callbridge to XMPP • CMS>xmpp callbridge add core1 (Copy the Secret)

• Log in to the CMS Web admin Interface using

• Configure the XMPP server settings as follows under “Configuration General configuration” (use the secret given using the xmpp callbridge add command)

• Check XMPP status under “Status”  “General”

• Configure the Webbridge with a listen interface, key and certificate, add a trust towards the callbridge, and enable the service • Check the Webbridge status • CMS> webbridge

• Set Webbridge listen interface • CMS> webbridge listen a

• Set Webbridge Key and Certificate • CMS> webbridge certs cmscerts.key cmscerts.cer

• Trust callbridge certificate • CMS> webbridge trust cmscerts.cer

• Enable Webbridge

• CMS> webbridge enable

• Log in to the webadmin Interface

• Go to “Configuration”  “General” configuration

• Configure Guest account URI and JID Domain under Web Bridge Settings

• Configure Web Bridge URI under External access

• Submit settings

• Import users from Active Directory, to login to CMA and WebRTC • Log in to the webadmin. Go to “Configuration”  “Active Directory” • Configure the following:

Address: 192.168.108.18 Port: 389 Username: [email protected] Password: cisco Base Distinguished name: CN=Users, DC=cmslab, DC=com Filter: (&(objectCategory=person)(objectCl ass=user)(!(cn=Administrator))(!(cn= Guest))(!(cn=krbtgt)))

• Display name: $cn$ • Username: [email protected] • Space name: $sAMAccountName$'s space • Space URI user part: $sAMAccountName$.cs • Press “Submit” and then “Sync now”

• Go to “Status”  “users” to verify that users have been imported

• Add Name: CoSpaceTest , URI user Part: 9001 , Call ID: 9001

• Click Add New

• New meeting room “CoSpaceTest” has been created

• CUCM registered endpoints directly dial into CMS Space by number / URI

• CUCM Configuration • Create a SIP trunk to CMS Callbridge (secure or non-secure) • Create a Route pattern or SIP route pattern • Upload the callbridge certificate as CUCM-trust • Create a Secure SIP profile with X.509 as callbridge FQDN

• CMS Configuration • Create a Incoming Rule to match CMS IP / domain

• Login to CUCM Web Interface

• Create a SIP trunk Security Profile in CUCM • System  Security  SIP trunk security Profile

• Click Add New

• Enter Name: Secure SIP Trunk Profile CMS

• Device security Mode : Encrypted

• X.509 Subject Name : callbridge.cmslab.com, Webadmin.cmslab.com

• Click Save

• Create a SIP trunk from CUCM to CMS server

• Click on Device  Trunk

• Click Add New

• Select Trunk Type: SIP Trunk

• Click Next

• Enter Name: CMS-Trunk

• Select Device Pool: Default

• Scroll Down to SIP Information

• Under SIP Information provide following:

• Enter Destination is IP of the CMS

• Destination Port: 5061

• Select SIP Trunk Security Profile Secure SIP Trunk Profile CMS

• Select SIP Profile Standard SIP Profile for TelePresence Conferencing

• Click Save and Reset

• Create a Route pattern 900X in CUCM to dial CMS Meeting

• Click on Call Routing  Route/Hunt  Route Pattern

• Click on Add new

• Enter Route Pattern: 900X

• Choose Gateway/Route List : CMS-Trunk

• Save

• Create an Inbound rule in CMS to receive calls from CUCM

• Click on Configuration  Incoming calls

• Keep domain name : CMS IP , Priority : 10 and click Add new

• Escalation of 1:1 call to add more participants

• Uses CMS as CUCM Media resource to escalate to conference calls

• CUCM uses CMS API to create / manage conferences (HTTPS Mandatory)

• CMS 2.0+ supports CUCM Adhoc calls • CA Signed certificates are required for CMS components

• Certificates should have Server and Client roles enabled

• CUCM Configuration • Create a SIP trunk to CMS Callbridge (secure or non-secure) • Upload the callbridge certificate as CUCM-trust • Create a Secure SIP profile with X.509 as callbridge FQDN • Upload CMS Webadmin certificate as tomcat-trust • Create a Conference bridge Media Resource as Cisco Meeting Server • Add Conference bridge to MRGL and assign it to Device pool and endpoints directly

• CMS Configuration • Create a Incoming Rule to match CMS IP

• Login to CUCM • Click on Media Resources  Conference Bridge • Click on Add new • Select conference Bridge Type : Cisco Meeting Server • Conference Bridge Name : CMS-adhoc • Select SIP Trunk as: CMS-Trunk • Check “Override SIP Trunk Destination as HTTP Address” • Hostname/IP address: webadmin.cmslab.com • Username: admin • Password: ciscolive • HTTPS Port : 445 • Click Save and Reset

• Create MRG

• Click on Media Resources  Media Resource Group

• Click on Add New

• Name: CMS-MRG

• Move CMS-adhoc from Available Media Resources to Selected Media Resources

• Click Save

• Create MRGL

• Click on Media Resources  Media Resource Group List

• Click on Add New

• Name: CMS-MRGL

• Move CMS-MRG from Available Media Resource Groups to Selected Media Resource Groups

• Click Save

• Assign MRGL to Phones

• Click on Device  Phone

• Click Find

• Select Jabber1

• Assign CMS-MRGL

• Click Save and Reset the phone

• Repeat Same steps to Jabber2 and Jabber3 Phones

• Verify Webadmin status  CMS> webadmin

Verify Callbridge status  CMS> callbridge

• Open a browser and login to the web page of webadmin service • We add :445 at the end of the address since we earlier added port 445 as the listening port for the web admin • https://CMS:445 • Use admin credentials to login

• Check Webbridge Status  CMS> webbridge

• Check SIP trunk Status • It should be Full Service

• Open a Chrome browser and type https://join.cmslab.com

• Click on Sign in

• Click on NEW to add NEW call

• Click on call

• Dial 9001@ and Press Enter, Select Video option to connect “CoSpaceTest” Meeting room

• It will be connected CoSpaceTest Meeting room

• Click on Cisco Meeting Icon to Launch the CMS App

• Sign in with user credentials

• Click on New call

• Dial 9001@ and Enter, It will be connected CoSpaceTest Meeting room

• CMS user1 (webRTC client), CMS user2 (CMS APP) and CUCM Jabber clients are connected CoSpaceTest Meeting Room • Click Status  Calls, Displays 3 active calls

• After test Disconnect All calls from Meeting Room

• Verify the Conference bridge Status

• Status should be “Registered with CUCMPub”

• Initiate Adhoc calls using Jabber clients registered to the UCM

• Verify the same by checking the active calls on CMS server

• Use the CCIE Collaboration Lab content blueprint on the CCIE webpage as your guide: https://learningnetwork.cisco.com/community/certifications/ccie_collaboration • Evaluate and determine your knowledge level and hands-on experience in the major topic areas • Formulate a realistic study plan according to you own work/personal schedule, also customize it according to your technical strength and weaknesses • Don’t spend all your time and focus on collecting the exact replica of the lab equipment • Seek advise, from other Collaboration certified engineers, on preparation plans and tips

https://learningnetwork.cisco.com/community/certifications/ccie_collaboration

• You don’t need the exact lab replica to learn • Virtual Machines are easier to build and maintain than hardware • Use what you have access to and learn each technology thoroughly • Form study groups to exchange ideas and share pods • Go beyond configuration, learn to debug and troubleshoot • Stay with real-world, applicable scenarios • Focus on learning the technologies instead of learning only what you think (or what you’ve been told) is on the lab exam • Stay aware and informed on up-coming new features

Before Your Lab Exam:

• Visit lab test site the day before (subject to site proctor availability)

• Don’t schedule flights too close to the end of the exam: you should be thinking about the exam instead of catching your flight

• Avoid last minute lab material cramp

• Get some sleep the night before the exam

• Calm

• Careful

• Confident

• Courteous

Practical Exam

TS DIAG CFG

TS: Don’t get stuck! DIAG: Find the MVI CFG: Anticipate-Implement-Verify!

• 100% Web-based

• No printed workbook

• Dual-monitor

• Qwerty keyboard

• Windows 7 Candidate PC

• Custom PuTTY

• Color pens + Scratch paper

• Open individual item or diagram in separate popup

• Open all items and diagrams in a unique popup

• Consult guidelines

• Provide Feedback on any item

• Confirmation required when clicking “End Session”…

Familiarize With Documentation Page

DO NOT Heavily Rely On Documentation

URL Filtering Deployed In The Lab

• Read the questions very carefully: every word is in there for a reason.

• Don’t assume requirements that aren’t mentioned in a question

• Some questions have multiple solutions, unless the test explicitly asked you to use one versus another, all are valid

• Excessive configurations are generally ignored during grading, unless they interfere with expected solution

• Ask the proctor for clarification

• Use question point values to judge time

• Know time-saving configuration techniques

• Know when to move on – don’t spend too much time on a single task, no matter how important you think it is

• If you suspect hardware issues, notify the proctor immediately

• Don’t make any drastic changes towards the end of lab exam

• Save your configuration frequently

• Verify, verify, verify, and verify again

• Some prefer to verify after each question, others like to verify until they finish the whole test. It’s a matter of personal preference

• Verify against all requirements – not just basic functionalities.

• Makes notes and check-lists

• Troubleshooting skill is often the difference between failing and passing • Know what and where to look for debugs and traces • Look out for those seemingly “invisible” typos • Remember the test lab is not your home lab – addressing scheme is different • Troubleshooting is important but don’t spend all your time on one problem • Don’t let a unresolved problem impact your confidence • Again, seek the proctor’s assistance

• Beware of rumors!

• Visit the CCIE web page at: https://learningnetwork.cisco.com/community/certifications

• Support: www.cisco.com/go/certsupport

• Post-lab Email: [email protected]

• Report Cheating: [email protected]

• Proctors are responsible for grading all lab exams • Automatic tools aid proctors with grading tasks; e.g. capturing candidate’s configuration in database, basic configuration verifications, etc. • Automatic tools enhance exam grading with speed, quality and consistency; but they are never solely responsible for lab exam grading. Proctors are. • The proctor completes the grading of the exam and submits the final score • Partial marks are not awarded for questions • Points are awarded for working solutions only • Some questions have multiple solutions

• Remember the knowledge you acquired while preparing for the exam is yours to keep – you have become a better and more well rounded engineer through preparation alone

• Old Chinese Proverbs: “From failures, success is born”

• Don’t compare with others

• Remember to enjoy the journey

• Tell us how we could improve, submit online feedbacks or write to us at: [email protected]

Collaborate and network Directly influence Cisco Career with other engineers Certifications (Design, Author, Review)

Use and sharpen Give back to community technical expertise

Join creativity with experience, Experience with knowledge and skills assessment techniques

cisco.com/go/certsme SME= Subject Matter Expert

We are ALWAYS exploring ways to enhance our exam portfolio. Keynote: You make Possible - KEYGEN-1001 Monday, June 10, 10:30 AM - 12:00 PM Please attend the following Chuck Robbins, Chairman & CEO sessions here at Cisco Live to learn more about our The making of tomorrow's expert: CCIE - BRKCRT-3100 future together! Tuesday, June 11, 8:30 AM - 10 AM

AND

Make sure to visit us at the certifications lounge in the World of Solutions this week.

#CLUS TECCCIE-3503 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 293 Complete your online session • Please complete your session survey after each session. Your feedback evaluation is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Demos in the Walk-in labs Cisco campus

Meet the engineer Related sessions 1:1 meetings

#CLUS #CLUS