Cisco Live – A Shared Experience

I’m not sure if you knew this, but I really love complex systems. Nothing gets much more complex than the human interactions and emotions we deal with every day.

Some days, when we work with our routers, switches and firewalls they’ll give us some unexpected feedback. What do you do with that feedback? Maybe you’ve written some automation tool or output processing program to figure out that specific output. Cool, nice, you want to not have that unexpected outcome to ever happen again. That’s the bubble computers fit in, don’t do this unless I told you to. Humans, not so much.

That’s one difference compared to when we are interacting with people. You never know what that response is going to look like to your input. Logic in – snark out? Snark in – logic out? Maybe both? How fast can you process that snark to escalate it to another level? Wow, where am I going with this.

Anyways – back to the part where I said I love complex systems. Human interaction is complex and I love observing it. I love being a part of it. I love people. I love shared experiences.

Shared experiences are part of living life. Why do you enjoy eating together? Maybe you don’t. Why do you enjoy watching movies together? Maybe you don’t. Why do you enjoy going to the lake or the beach? Maybe you don’t.

The point is – Cisco Live is a shared experience for the community of people that come there and socialize. Not everyone is there for that aspect and that’s OK. Go kill some sessions, bang out this incredible new automation workflow, awesome! However, that isn’t why I’m there and I know it’s not why several others are there. I’m there for the opportunity to enjoy a shared experience with those that have lived, loved, felt, bled, and cried the same things I have.

So back to this topic of “Why shared experiences”? Why now, Josh? Why wait until Cisco Live 2015 to start attending? The reason is the community. I’ve been watching from afar for a really long time. Cisco putting real value ($$$) into the conference to reinforce the social aspect is why I wanted to be there.

The social aspect, the shared experience, is why I’m there. The people are more important. Period. We all want these shared experiences in life and Cisco Live is one of the few, if only, places we can take a deep breath and make ridiculous jokes about subject matter only we’d get. You wouldn’t get it.

So where do we go from here? It’s an easy answer for me. I’ll be there, phone, lanyard, loin cloth, and backpack in tow. I’m there to talk to YOU and get to know YOU. We can share shop knowledge or not, I don’t care which, just join the conversation. Sit in the circle and say something snarky, ridiculous, super smart, or whatever.

I’m looking forward to meeting more people and watching the community expand. I’m hedging on, it’s not what you know, it’s who you know.

.. and this was train of thought.. not sure if I ended up where I wanted to.


Collaboration (insert nothing here)

I’ve been sitting here trying to think of a topic and I’m drawing a blank. So that’s what I’m going to talk about. Nothing. Zero. Null.

My current daily focus centers on connecting people to people, people to robots, and people to data. So it involves a fair amount of knowledge of networking principles, tools, and concepts. However, I also have to lean into the philosophical and the “being human” side. So how, as a “Collaboration” guy, do I get people disconnected? How do I build things in such a way that you actually have a chance to get to zero? Silence. Nothing.

It really comes as a series of recommendations because the technology that exists today is focused on keeping you connected 24x7x365 to something. That something could be work, data, or media. Being “disconnected” isn’t a concept that is around much anymore. It used to be a prevalent part of working with technology. Remember the “bring your laptop in for updates” events? How about before laptops? Keeping workers functional when disconnected used to be a very real thing. Now you’re always on and the traditional work day has long drifted away.

The first recommendation is to get in complete control of your notifications. Even if it takes hours to figure this out, you should stop and write down or type out all of the things that “notify” you. Figure out how they notify you, prioritize, and if it’s not a priority then turn it off! Those little red notification bubbles on all those apps are not needed. Remember – if the product you’re using is free then you are the product. Some companies need you “plugged in” to operate. In “priority mode” there should only be 2 or 3 things that notify and interrupt you while working. In “flex mode” feel free to open up those notifications a little more.

The second recommendation is to get in control of your calling and texting notifications. If you have a business number and a personal number, are you using your business number? That’s one way of setting up a barrier between being on and off. You can text with your business number quite a few different ways and companies should really consider offering that. Business calls, texts, and voicemails flow and stay within the business. The side benefit is it makes it easier for other people to cover your work as needed. If you need to disconnect for vacation, family, or whatever, you can redirect that flow of information. It’s not so easy if the flow of information goes direct to your personal number. I think this is hugely important for getting to zero.

The third recommendation has nothing to do with technology. It has to do with you as a human exercising some deep-rooted control over yourself. Tell yourself you’re done with work between certain hours. Tell yourself you’re done with all screens for periods of time. I’ve learned some things firsthand watching my children. Creativity doesn’t fully realize itself when we are constantly connected and feeding our minds. We need to be bored. We need to be off. Zero. Nothing.

I’m not treading any new ground here in anything I’ve said. There are some really awesome articles and research available on these topics. I highly recommend making sure you know how to disconnect without interrupting your work streams. If you’re the single individual in a corporate IT department get on contract with a managed services company to back you up. Everyone needs a break. Take one.

Cisco Communications Manager – Why you no 12.0?

Alright. I can hear you yelling at the screen right now. @Warcop is back again trying to get me to run a dot zero release. Yes. Here I am and I come with reasons and cookies.

Let’s bust a couple of myths.
Myth #1: Dot zero releases are evil and should be sent back to the hell that they came from.
I at least have a couple of readers who feel that way. I know you, and here’s the response. The call manager development team is not evil and they’re not out to get you. The code base that is call manager is very mature and portions of the call control code haven’t changed in years. The team that works on dot zero releases is probably the same team that works on all the other releases. So I ask you a question in return. Why do you trust the person coding service updates more than the person coding the dot zero?

Myth #2: Call Manager dot zero releases should be considered a beta.
This myth is in an echo chamber outside of Cisco and within Cisco. Call manager releases come on schedule and, if you notice, there’s a predictable cadence. A dot zero release is what I consider a fork of an existing .5 release. If you browse the bug tool (yes, I do this for fun) for any release you’ll likely notice fixes are published for a .5 and a .0 release. So both release trains are getting the same bug fixes where applicable. So why do you trust 11.5SU5 more than 12.0SU1?

So if they contain some of the same bug fixes, does that mean the code is the same? Don’t leave now! I have proof! The recent work on the Apple Push Notification service has required some fixes to the call manager service. So it’s no surprise that the APNS COP file to patch call manager applies to BOTH 11.5.1(SU3) and 12.0(1). The file in this patch is the call manager binary, and it applies to both versions. ZING! If you’ve applied CSCvf57440 to 11.5(SU5) you’re running the same call manager binary as 12.0(1). Saying that a dot zero release is a beta is not accurate. A dot zero release is not described as beta software on the website or in the release notes.

There’s a wealth of reasons why you should be moving to version 12. I’m liking the security updates the most since that is top of mind with nearly everyone. Instead of listing all the features here the datasheet link is:

The CCIE Collaboration lab is also being upgraded to Communications Manager version 12. If it’s good enough for the lab, it should be good enough for you!

There are production clusters in the world running version 12 and they’re humming right along. Let’s face the reality that software updates are being released faster than most of us can absorb. So why not change the echo chamber to “Why would you not run the latest code?”

Here’s a quote I remember and reference often: “Updates are evil. Updates are only OK when I don’t read the release notes and click install.” — @swiftonsecurity

Bring the feedback to @Warcop on Twitter

Mixed Mode requires an Encryption License

With the release of Communications Manager 11.5SU3 there is a change in licensing specific to encryption. The reason for this change is the need to meet certain export and regulatory requirements. Since the license file will be issued from Cisco directly to a user/customer, they’ll have better control and visibility into who is enabling mixed mode. I think the visibility part will be important for Cisco to understand how few customers are running mixed mode. Maybe that will encourage them to make some needed changes?

So what happens when you upgrade to 11.5SU3 and you have mixed mode enabled? You’ll get a warning that you’ll need to add an encryption license to Prime License Manager. Mixed mode will not be disabled on your cluster by installing this patch.

How do you get the license? Over at the product upgrade tool on the Cisco site you can use your contract or Spark calling subscription to obtain the $0 license CUCM-PLM-ENC-K9=. Install the issued license on Prime License Manager and synchronize with Communications Manager.

I encourage you to comment on this post as other technical details are discovered. It’s still unknown if there is a time limit on running mixed mode without this installed license file. Thanks!

Cisco UCM Release Notes
CUCM Readme

Cisco Expressway – Exporting Certificates

There are multiple reasons you might want to export the certificate from Cisco Expressway. Maybe you need to replace the server, move a certificate from one cluster node to another cluster node, back up the keys, or simply use it somewhere else.

Recently I was setting up a cluster and forgot to generate the key and CSR locally. Using OpenSSL locally the first time is the best way I’ve found to move, secure, and back up keys without needing an export. However, I forgot and generated the CSR on the Expressway node. I received the signed certificate from the CA and landed in this predicament. Expressway doesn’t have an export button, so you have to go digging. Grab the shovel.

Fortunately you have root access to Cisco Expressway. (If we were only so lucky with Communications Manager.)

I’m not suggesting that any modifications be done with this method, even though a quick poke around ssl.conf shows it’s not as complex as you’d think. We’re just looking at files.

SSH as root and you’ll find the certs in this directory.

cd /tandberg/persistent/certs

The two files server.pem and privkey.pem are the files you’re looking for. However, for sanity purposes I’ll show you how to verify this is the key you’re looking for. The public key modulus and the private key modulus should match.

If you want to verify the modulus block as part of the cert text then do this:

openssl x509 -in server.pem -text -noout

openssl rsa -in privkey.pem -text -noout

If you want to check it without the cert text:

openssl x509 -in server.pem -modulus -noout

openssl rsa -in privkey.pem -modulus -noout

And the real shortcut is using an md5 to match:

openssl x509 -in server.pem -modulus -noout | openssl md5

openssl rsa -in privkey.pem -modulus -noout | openssl md5

So now you’ve done the comparison, it matches and you want to grab the private key:

cat privkey.pem

Copy pasta the text block and save it using your favorite editor. Now you have the files you need to upload to the other nodes using the GUI. Yes, there are ways to automate/move things around underneath without Expressway losing its mind, but this method is simple enough for everyone.
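The modulus comparison above, scripted so it can be run against any cert/key pair before you bother copying a private key around. This is an added example, not code from the original post or from Cisco; it assumes only the openssl CLI is installed, uses sha256 instead of md5 for the shortcut (either is fine for an equality check), and builds its own throwaway key material so it runs offline. The path names are placeholders for Expressway's server.pem and privkey.pem.

```shell
#!/bin/sh
# Added example: does this private key belong to this certificate?
# The post compares the RSA modulus of server.pem and privkey.pem by hand;
# this does the same check and returns a clean exit code.
# Assumption: the openssl CLI is on PATH. Note that "openssl rsa" only reads
# RSA keys; an EC key will fail to load and the check reports a mismatch.

# Print a SHA-256 over the modulus line of an X.509 certificate (PEM).
cert_modulus_hash() {
    openssl x509 -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Print a SHA-256 over the modulus line of an RSA private key (PEM).
key_modulus_hash() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when cert and key carry the same modulus, 1 otherwise.
# An unreadable file yields an empty hash, which is treated as a mismatch.
check_pair() {
    c=$(cert_modulus_hash "$1") || return 1
    k=$(key_modulus_hash "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed test material (not real Expressway files): a self-signed cert
# with its matching key, plus an unrelated key that must NOT match.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=expressway-test" \
        -keyout "$dir/privkey.pem" -out "$dir/server.pem" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.pem" 2048 >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_pair.sh /tandberg/persistent/certs/server.pem /tandberg/persistent/certs/privkey.pem
if [ "$#" -eq 2 ]; then
    if check_pair "$1" "$2"; then
        echo "MATCH: private key belongs to this certificate"
    else
        echo "MISMATCH: do not pair these files"
        exit 1
    fi
fi
```

If you ever move to a non-RSA key, swap the `openssl rsa` call for `openssl pkey -pubout` on both sides and hash the resulting public key instead of the modulus.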

Communications Manager LDAP Groups Caveat

If you’re wanting to LDAP synchronize Active Directory distribution groups for use with Cisco Jabber you’ll want to pay close attention to the ‘Synchronize’ setting. This setting is found on the ‘LDAP Directory’ configuration page. TLDR – If you’re using different synchronization agreements for users and groups the user directory synchronization must also be selected for ‘Users and Groups’.

Why and what’s happening inside the DirSync service?

If the directory synchronization agreement is set for ‘Users Only’ the LDAP search filter looks like this:

If the directory synchronization agreement is set for ‘Users and Groups’ the LDAP search filter looks like this:

You’ll notice at the bottom of the second screenshot the ‘memberof’ attribute request. This is where the user synchronization agreement requests all of the groups the user is a member of. This also means that if this is the first time you’re setting up the agreements, you’ll have to synchronize groups and then users. If you’re adding groups, you have to run a full sync on both agreements.

So again — if you’re using different synchronization agreements for users and groups because you’re looking in different containers both agreements need to be set for Synchronize: ‘Users and Groups’. Obviously if you’re using one synchronization agreement to import both users and groups in a single container you wouldn’t run into this little caveat.

I got tripped up on this recently because the setting would seemingly imply it’s what you’re importing and not the search filter. It took a couple of packet captures to figure it out. PCAP or didn’t happen!

CCM packet cap:
utils network capture eth0 file packetcap1 count 100000 size all