CCIE Collaboration Rack Access Guide

1 | Page

Table of Contents

Introduction

Getting Access to the POD

Before you Begin (only for students using Phone Remote)

Let’s Lock and Load:

Starting Physical devices

Logical Topology

IP Addressing Details

Client Topology for L2VPN

Recommended Hardware list

Recommended Software list

Collab Kit Rental

Setting up Client Switch for L2TP

Setting up Client router for L2VPN

Testing the L2VPN configuration

Testing the router

How do I view and control my Cisco IP phones remotely:

Lab Shortcuts

Introduction

Dear Ms/Mr Future CCIE Collaboration,

The CCIE Collaboration Lab Access Guide inculcates the details on how to access all the functionalities of our Collaboration lab rack/s. To be precise, it describes how to connect securely to our CML cloud and connect to our state of the art CCIE Collaboration rack/s.

Your CCIE Collaboration rack has the following equipment:

●3X Cisco ISRG2 routers

●1X Cisco 3750 Switch

●6X Cisco IP Phones directly connected to the Collaboration Lab Rack

●1X Service Module Services-Ready Engine (SRE) for Cisco Unity Express

●3X Cisco Unified Communications Manager (CUCM) servers, 2 PUBLISHER servers & 1 SUBSCRIBER server.

●2X Cisco Unity Connection (CUC) servers

●2X Cisco IM and Presence (IMP) servers

●1X Cisco Unified Contact Center (UCCX) server

●1X Video Communications Server (VCS)

●1X Telepresence Management Suite (TMS) server

●3X Windows machines running Cisco Jabber/RTMT/…

●1X Microsoft Active Directory server (labeled “AD/DNS/TFTP/SFTP” in the diagram)

●1X access server (not shown) for console port access to routers and switches

PS: Additional infrastructure is not visible to you, nor configurable by you, to reduce complexity and let you concentrate on the Configurable Collaboration Topology.

The Lab Rack Diagram in the forthcoming sections shows how all these Collaboration LAB components picture together. The section, “How do I view and control my Cisco IP phones remotely?” describes how to use software to control IP Phones at the CML Cloud.

The summary of the VLANS, IP subnets, Routers and Ether Switch port connections, Digital Signal Processing resources, T1/E1 connections and PSTN access codes is available in the upcoming section.

Please note that in the past, the following site names were interchangeably used.

Corp HQ = HQ = SA = SiteA

Branch 1 = BR1 = SB = SiteB

Branch 2 = BR2 = SC = SiteC

Throughout this guide and subsequent labs, you should come to see everything referred to simply as:

CML-HQ

CML-SB

CML-SC

Getting Access to the POD

  1. There are two ways you may get access to the lab access details as mentioned below:

a.) Check for the Url and Port Number in the email from .

At the bottom of this email, you will also find the isakmp key if you are connecting your own phones

Figure 1:

b.) Check for the Url and Port Number in the email from

Figure 1

c.) You can alternately log in to your account and under my account Rack access, you will see the detail:

Figure 2

Note: We strongly recommend watching this video before you proceed with your lab:

  1. Login to your rack with the credentials provided using a remote desktop client:

Figure 3

  1. Once logged in you, will see a customized Desktop i.e. Candidate PC, from where you can access all the device command lines and GUIs.

Before you Begin (only for students using Phone Remote)

Please make sure that before you begin your lab you delete the CTL/ITL file from last candidate use.

Here is how to delete the CTL/ITL files:

Deleting ITL File on Cisco 7945 and 7965 IP Phone

Press the Settings button from the phone’s home screen and scroll down to “Security Configuration”. Press Select to enter the security configuration:

From the Security Configuration menu, scroll down to “Trust List” and press Select to enter the menu:

Note: By default, the Trust List security setting is locked. The lock icon on the upper right indicates indicates whether the setting is locked or open. To unlock this security setting, press star-star-pound signs (**#) on the keypad. If the Trust List is successfully unlocked, an open lock icon is displayed. Please skip this step if the lock is already open.

From the Trust List menu, choose “ITL File”. Please note that the Trust List is already unlocked but the ITL file is locked by default.

Once you press “Select” the “Unlock” option will appear. Press “Unlock” to access the ITL file:

Once the ITL file is unlocked, press “More” softkey to show the “Erase” softkey. To delete the ITL file, press “Erase”.

The system will delete the ITL file and will reboot. After the reboot, an updated Trust List will be present on the phone.

Deleting ITL File on Cisco 9971 IP Phone

Deleting the ITL file on Cisco 9971 is different compared to 7900 series which are a much older IP Phones. To erase the ITL file, you need to reset the settings. Below are the steps:

On the phone, press the “Settings” button and select “Administrator Settings”.

From the Administrator Settings Menu, select “Reset Settings”.

Under the Reset Settings, you can either select “Security Settings” or “All Settings”.

In this case, we selected All Settings. A dialogue box will appear to inform that resetting all settings will revert your phone to factory defaults. Select “Reset” to continue.

The phone will reboot and may restart a few times. When it comes back up, the old ITL file no longer exists.

PLEASE NOTE:

As courtesy to the next user, we strictly suggest that you delete CTL-ITL before you end your lab: Candidates need to delete the CTL/ITL files using UPLINX software so that the next candidate can easily work their way out through the phone registration process

- NTP HQ- 149.132.1.150

- NTP SC/SB- 142.1.64.254

You may find the UPLINX usage/guide on this link.

Let’s Lock and Load:

This opens an interface, which resembles the Cisco Collaboration Lab experience.

a.) Before you start your lab, you must reset the Lab configuration to a base configuration.

This can be achieved by navigating to the “BEGIN LAB” folder on the Candidate PC.

Figure 4

b.) Launch VMWare Vshpere client using the VMWare client shortcut available inside the “BEGIN LAB” folder:

Figure 5

Use the following user name and password to login to the VMWare client:

IP Address / 20.20.20.102
Username / Student
Password / cciecollab

Table 1

Figure 6

c.) Once inside the VMware VSphere client revert to base configuration using the Snapshot Manager for every machine in view as illustrated in the following two steps:

  1. For example, you need to get the Collab-HQ PUB to its based configuration.

Collab-HQ PUB – Right Click – Select Snapshot – Choose Snapshot Manager

Figure 7

  1. Once the available snapshots show up, select the snapshot named BASE Collab-HQ PUB and click “Go to”.

Figure 8

d.) Navigate to the Secure CRT shortcut available in the “BEGIN LAB” folder:

Starting Physical devices

Figure 9

e.) Launch the Secure CRT application to get to Command Lines of the ISRG2’s and switches:

Figure 10

f.) Next, bring all the routers and switches to their base configurations as under:

Open the physical device console → login → dir flash:

#copy flash:CMLRW1BASE.cfg startup

Reload

Check out the video:

NOTE: Sometimes the remote IOS device may refuse the connection.

Figure 11

Solution: Use the “Clear All Lines” or “Clear Line HQ/SB/SC” as mentioned in the snapshot below.

Figure 12

● Accessing the Devices console:

Physical Device Access – All the devices are pre-setup for console access and follow the screenshots for a quick access

● A1) List of devices and access details

Device / Rack-1
Port No / IP address / Username / Password
HQ / 2091 / 20.20.20.105 / cisco / cisco
SITEB / 2092 / 20.20.20.105 / cisco / cisco
SITEC / 2093 / 20.20.20.105 / cisco / cisco
SWITCH / 2095 / 20.20.20.105 / cisco / cisco
Terminal Server / 23 / 20.20.20.105 / Student / ccie123

Table 2

1 | Page

Logical Topology

This section represents the logical topology for the CCIE-Collaboration Rack.

Figure 13

1 | Page

IP Addressing Details

This section defines the IP addressing details of the unified communication servers mentioned in the logical topology above

RACK WEST – 1
Server/Device / Description / IP address / Username / Password
Collab-HQ PUB / HQ CUCM PUBLISHER / 142.100.64.11 / administrator / cciecollab
Collab-HQ SUB / HQ CUCM SUBSCRIBER / 142.100.64.12 / administrator / cciecollab
Collab-HQ CUC / HQ UNITY CONNECTION / 142.100.64.13 / administrator / cciecollab
Collab-HQ CCX / HQ CONTACT CENTRE EXPRESS / 142.100.64.14 / administrator / cciecollab
Collab-HQ IMP / HQ IM &PRESENCE / 142.100.64.15 / administrator / cciecollab
Collab-SB PUB / SB CUCM PUBLISHER / 142.100.65.11 / administrator / cciecollab
Collab-SB CUC / SB UNITY CONNECTION / 142.100.65.13 / administrator / cciecollab
Collab-SB IMP / SB IM &PRESENCE / 142.100.65.15 / administrator / cciecollab
Collab-WIN7-1 / HQ WIN PC for Cisco JABBER / 142.100.64.21 / administrator / cciecollab
Collab-WIN7-2 / SB WIN PC for Cisco JABBER / 142.100.65.21 / administrator / cciecollab
Collab-Candidate PC / Candidate WIN PC / 65.49.89.230 / CCIE-COLLAB\collabstudent / ccie123
Collab-Terminal Server / Collab TERM SERVER / NO ACCESS / NO ACCESS / NO ACCESS
Collab NTP Server / On HQ Site / 149.132.1.150 / NO ACCESS / NO ACCESS
Collab NTP Server / On SITEB and SITEC / 142.1.64.254 / NO ACCESS / NO ACCESS

Table 3

1 | Page

Client Topology for L2VPN

This section defines setup at your site for connecting the phones remotely. You can look at recommended hardware list. We do not support any other hardware other than cisco for this setup.

Figure 14

Physically cable the router/switch/phones as per the diagram and detailed steps are below:

  • Connect an Ethernet cable from DSL/Cable Modem LAN ---> Client Router Gigabit or Fastethernet 0/0
  • Connect an Ethernet cable from Client Router Gi 0/1 or Fa0/1 ---> Client POE Switch 0/8
  • Connect HQ Phone 1 --->Client Switch 0/1
  • Connect HQ Phone 2 --->Client Switch 0/2
  • Connect Site B Phone 1 --->Client Switch 0/3
  • Connect Site C Phone 1 --->Client Switch 0/4
  • Connect Site C Phone 2 --->Client Switch 0/5
  • Connect PSTN Phone --->Client Switch 0/6
  • Connect Client Laptop/PC --->Client Switch 0/7

Note: Click here to download the configuration for Client end router and switch.

Please make sure that you delete the ITL file from the phones. Click here to see how to delete ITL file

Recommended Hardware list

Routers / Cisco 1841/2801/2811/2821/2851/3845/2901/2911/2921/2951/3945
Switches / Cisco 2950/3560/3750/3650/3850
IP PHONES / 7962/7965/7975/8945/9951/9971

Table 4

Recommended Software list

ISR G1 ( Cisco 1800/2800/3800 Series) / 12.4(15)T15 (C2800NM-ADVENTERPRISEK9-M)
ISRG2 (Cisco 1900/2900/3900 Series) / 15.3(2)TX or higher with Security License
Switches ( POE Strongly Recommended) / 12.5 55 SE1/2 with IP base feature set
IP PHONES 9971 /9951 / SIP Phone: cmterm-9971.9-3-2-10/ SIP Phone: cmterm-9951.9-3-2-10
IP PHONE 79XX / SCCP 8.4.4

Table 5

**Note: You can download the phone firmware and IOS from here

CP-9971

CP-7942-62

CP-7945-65

Collab Kit Rental

You can also rent the following Kit from us, if you are based in United States or Canada. Look at table 6 for the configuration.

**Minimum Three months rental

Device / Quantity
Cisco 2800 Series Router / 1
Cisco 2900 Series 8 port POE Switch / 1
Cisco 7962 / 3
Cisco 9971 / 3
Total Rental Cost Per month / $70
Security / $600
Shipping / To be determined on the zip code
Return shipping / $50
Includes all cables Ethernet and power / $0

Table 6

Setting up Client Switch for L2TP

Configure your switch using the configuration file (Client Switch.txt) that has been emailed to you and always available for download from our site. Please ensure that you follow the topology and configuration notes.

  • You will be required to use specific MTU, which require you to reload the switch.

**Download link: Click here

Setting up Client router for L2VPN

Setting up the Client router is easy as piece of cake; we use DMVPN to connect you to our state of the art racks.

Once you download the configuration to the router from our site. You will be required to replace the authentication Ikev1 key before every session. Authentication key is sent to you in the email when you reserve the racks. It’s also available in your account under “my rack details”

Figure 15

Testing the L2VPN configuration

Testing the router

Once you complete the configuration of Client router, you should see the similar output as mentioned below.

CCIECOLLAB-CMLCR#sho crypto session
Crypto session current status
Interface: Tunnel22
Session status: UP-ACTIVE
Peer: 65.49.10.67 port 4500
IKE SA: local 192.168.1.221/4500 remote 65.49.10.71/4500 Active
IPSEC FLOW: permit 47 host 192.168.1.221 host 65.49.10.71
Active SAs: 2, origin: crypto map

Table 7

At this point, you should be able to ping 10.50.2.1

CCIECOLLAB-CMLCR#ping 10.50.2.1 so lo0
type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.50.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms

Table 8

Xconnect should be up as expected

CCIECOLLAB-CMLCR#sho xconnect all
Legend: XC ST=Xconnect State, S1=Segment1 State, S2=Segment2 State
UP=Up, DN=Down, AD=Admin Down, IA=Inactive, NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+------+--+------+--
UP ac Fa0/1(Ethernet) UP l2tp 10.50.1.1:111 UP
CCIECOLLAB-CMLCR#

Table 9

If any of the above outputs are not as expected, please do not proceed. Verify your config and ensure you can ping the public IP at cloudmylab.com provided you in the email as a tunnel end-point. Make sure your ISP or your modem is not blocking port UDP 500 and 4500.

Make sure you have the right authentication key without space. If you still have issues, please share the following outputs with our team and we will help you correct it.

a.) Debug crypto condition

b.) Debug crypto isakmp

c.) Debug crypto ipsec

d.) Testing the switch

Testing the switch

You should see the Backbone Switch at cloudmylab.

Device ID Local Intrfce Holdtme Capability Platform Port ID
TUNNEL_SWITCH Gig 0/8 139 R S I WS-C3750X Gig 1/0/1
CCIECOLLAB-CMLCR Gig 0/8 167 R S I 2811 Fas 0/1

Table 10

How do I view and control my Cisco IP phones remotely:

Welcome to one of the most important part of this practice lab, remotely viewing the phones (in case you are not using our L2-VPN based phone connection offering) to ensure you are able to test calls end-to-end. It is interesting to know how we are making our phones accessible to you. Unlike most of the providers, we really want to let you know how this piece works so that we will go systematically.

● SOFTWARE USED:

We are using one of the most easily usable and configurable remote phone control softwares called Phone Control Tool by Uplinx. You will see the following ICON on your Candidate PC to gain access to the software:

Figure 16

● CONCEPT USED BY THE SOFTWARE:

The software accesses the HTTP resource on the Cisco IP phone (SCCP/SIP) “ to access and return you the real time screenshot from the actual phone and keeps on refreshing the console to give you a real time usage experience of the phones.

Steps to view the registered phones on your Candidate PC for testing purposes:

1) Double click on the ICON, will load your software as follows:

Figure 17

2) You will get the Phone Control Tool Console as under:

Figure 18

3) Navigate to the individual Profile (BACKBONE/HQ/SB/SC) which we have custom configured for you as under and choose the Server TAB:

Example for Profile HQ: See Figure 19

IP Address: / 142.100.64.11
CUCM AXL User/Password / administrator/cciecollab
CTI Manager IP address / 142.100.64.11;142.100.64.12

Table 11

Application User for Phone Control Username/Password: uplinx_remote_user/cciecollab

Figure 19

NOTE: Ensure rest of the settings remain as configured in Figure …

How to discover phones:

Navigate to the Remote Phone Control Tab as under in Figure 20:

Figure 20

Click on the Find Phones on Cluster ICON as under in figure 21:

Figure 21

This will pop-up a window where you can discover all your REGISTERED PHONES (Note that unregistered phones SCCP/SIP will not be discoverable):

Figure 22

Click on the Find Phone ICON to get to the next Select Phones Window:

Figure 23

Figure 24

Select the Phone to which you wish to control by checking the check box on the table seen above:

Figure 25

and click on the Connect to the Selected Phones ICON:

Figure 26

If you can get to the following screenshot, which says Downloading Screenshot via HTTP, you should be almost good to go:

Figure 27

Finally, you should be able to see the phone screen as under in Figure28:

Figure 28

NOTES regarding Phone Control Tool by Uplinx:

1) Base Configuration for all the Cisco Unified Communication Managers have the application user “uplinx_remote_user” configured.

2) In order to make the CME leverage the Phone control tool functionality, we have provided a .txt file on the Candidate PC, which has commands to enable Phone Control Tool to access the requisite API, which renders Screenshots for Phones registered to the Cisco Unified Communications Manager Express. The Profile looks as follows:

Figure 29

If you have any queries, open a ticket on Support Page or send email to

CUCM BASE CONFIGURATION:

Base configuration for CUCM (HQ and Site B already have the following configured) to support Phone Control Tool by Uplinx to work.