
Alawadhi Blog

Everything in my Mind

Cisco VG Trust List

Why?

When someone gains access to a company's voice gateway, that gateway can be used to place calls all over the world at the company's expense, on top of the reputation and security problems that follow.
Cisco introduced a toll-fraud prevention feature in IOS 15.1(2)T to close this door: the gateway authenticates the source IP address of incoming VoIP calls and only accepts calls from addresses it has been told to trust.

The Config

router1(config)#voice service voip
router1(conf-voi-serv)#ip address trusted list
router1(cfg-iptrust-list)#ipv4 x.x.x.x

Where x.x.x.x is the address of your CUCM server. If there is more than one server or IP address, repeat the ipv4 command once per address; the command also takes an optional network mask (ipv4 x.x.x.x mask) when a whole subnet is to be trusted.

In IOS 15.1(2)T and later this source-address authentication is enabled by default, so the default action is to reject an incoming VoIP call from any address that is not trusted and drop the attempt. Addresses that are session targets of configured VoIP dial peers are trusted automatically; everything else, CUCM included, has to be added to the list, which is why a gateway on this release is not fully working until this configuration is in place.
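As an added example (not the post's own configuration), this is what the complete trusted list looks like for a gateway with two CUCM nodes and a SIP trunk provider that sends calls from a whole subnet. The addresses are documentation ranges and the provider is an assumption; the authenticate line is the default and is stated only so the intent is visible.

```cisco
! Added example, not the post's running-config. 192.0.2.x and
! 198.51.100.0/24 are documentation addresses standing in for real ones.
voice service voip
 ! source-address authentication of incoming VoIP calls (default in 15.1(2)T)
 ip address trusted authenticate
 ip address trusted list
  ! CUCM nodes
  ipv4 192.0.2.10
  ipv4 192.0.2.11
  ! assumed SIP trunk provider, whole subnet via the optional mask
  ipv4 198.51.100.0 255.255.255.0
!
```

Verify with show ip address trusted list: it should report the authentication state as UP and list these entries together with the session targets of your VoIP dial peers. A call from any other address is rejected at setup, which is the behaviour you want to see when you test from an untrusted host.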

Network Time Protocol (NTP) setup and configuration

Introduction

Following the earlier post on NTP and Linux, this one covers setting up any Cisco device as the time server for your network.

Setup

Setting up the timezone of your area:

router1(config)#clock timezone AST 3 0

I live in a UTC+3 zone, so my configuration reflects that; if you are in the UTC+0 zone use:

router1(config)#no clock timezone

More on timezone setup is available on this Cisco page.

router1(config)#clock calendar-valid

configures the device as an authoritative time source for a network based on its hardware clock.

router1(config)#ntp master

configures the Cisco IOS software as a master clock to which peers synchronize when no external source is available. The default stratum of ntp master is 8: the internal reference clock 127.127.1.1 (.LOCL.) appears at stratum 7 in the association table and the router then advertises itself at stratum 8. So when the device cannot reach any external NTP source (no Internet connection, for example) it falls back to its own clock at that stratum to answer requests. Note that it keeps answering even if that clock has drifted, so pick the stratum deliberately and rely on this only where no better source exists.

router1(config)#ntp update-calendar

periodically copies the time from the configured source(s) into the hardware clock (calendar), so the calendar is correct after a reload.
Now set up the time source(s):

router1(config)#ntp server ip-address or hostname

If you use a hostname in this command, IOS resolves it once and stores the resulting IP address. Use as many sources as you need; I use three. Three or more is the useful minimum: with two sources that disagree NTP cannot tell which one is wrong, with three it can outvote one bad clock.
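The same server role as the steps above, written as an added example (not the post's configuration) with two things the post leaves out: the router authenticates the upstream servers it trusts, and access groups decide who may synchronize with it versus who may only ask for time. The addresses, ACL numbers, key number, key string and the Loopback0 source interface are placeholders.

```cisco
! Added example, not the post's running-config. 192.0.2.x, 10.0.0.0/8,
! ACL numbers, key number, key string and Loopback0 are placeholders.
clock timezone AST 3 0
clock calendar-valid
!
! Shared key with the upstream servers: a reply that is not signed with a
! trusted key is ignored, so a spoofed reply cannot move the clock
ntp authentication-key 1 md5 REPLACE-WITH-KEY
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
ntp server 192.0.2.12 key 1
!
! Fall back to the calendar clock only when all three are gone, and
! advertise it at a stratum no client will mistake for a good source
ntp master 10
ntp update-calendar
ntp source Loopback0
!
! Once any access-group exists, a source matching none of them is denied.
! peer: the upstreams may be synchronized with; serve-only: internal hosts
! may request time but may not peer with or query the router.
ntp access-group peer 10
ntp access-group serve-only 20
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 permit host 192.0.2.12
access-list 20 permit 10.0.0.0 0.255.255.255
```

The MD5 key is a keyed digest over the packet; it protects source and integrity, not confidentiality, and the same key string has to be configured on every server it is used with (newer IOS XE releases also offer SHA-2 based keys). After this change, show ntp associations should still show the three upstreams reachable; if they drop to reach 0, the key or the peer access-list is wrong.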

A Working NTP

Leave the device running for about 10 minutes, then issue:

router1#sh ntp a

an output such as:

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           7     12     16   377  0.000   0.000  0.250
*~xxx.xxx.xxx.xxx .MSF.            1    434   1024   377 165.60  -6.331 14.827
+~yyy.yyy.yyy.yyy .PTB.            1    695   1024   377 170.05   7.694 14.834
+~zzz.zzz.zzz.zzz aaa.aaa.aaa.aaa  2    184   1024   377 173.38  -0.953 14.815
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

and:

router1#sh ntp s
Clock is synchronized, stratum 2, reference is xxx.xxx.xxx.xxx
nominal freq is 250.0000 Hz, actual freq is 249.9943 Hz, precision is 2**24
reference time is D6DC17CD.061F0269 (17:57:17.023 AST Tue Mar 25 2014)
clock offset is -6.3312 msec, root delay is 165.60 msec
root dispersion is 42.01 msec, peer dispersion is 14.82 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000022822 s/s
system poll interval is 1024, last update was 692 sec ago.

Finally

Set up all your internal devices to use this Cisco node as their NTP server.

If a USB device needs to be attached to a VM (I have tried this with an ESXi host):

  • connect the USB device to the host,
  • from the vSphere Client, select Edit Settings on the VM itself,
  • use Add New Hardware; the device will be in the menu.

After that the device is detected and ready for use.

If anybody is trying to compile Sangoma's WANPIPE driver for their U100 FXO device: you must run make in the DAHDI source directory before compiling WANPIPE (just make, without make install).

I came across Ninite, a utility that installs and updates a chosen set of common Windows applications in one run. It is good practice to run it every once in a while.

Back in the 80s, when I was using a Commodore 64, cassette tapes were used to store data; a 30-minute side could typically hold about 100 KB, at an average speed of 50 bytes per second.

When I install a fresh CentOS VM, I usually select MINIMAL for packages. After installation, I issue the following commands:

# rpm -Uvh http://ftp.riken.jp/Linux/fedora/epel/6/i386/epel-release-6-8.noarch.rpm

to install the EPEL yum repository package,

# yum -y install mailx openssh-clients fail2ban perl wget

to install the utilities I need,

# yum -y update

to update the system, and finally

# shutdown -r now

to restart.

One caveat on the first step: the package is fetched over plain HTTP, and rpm installs it even though its signing key has not been imported yet (it only warns NOKEY), so nothing verifies what was downloaded. Safer is to download the file, import the EPEL signing key with rpm --import, and check the file with rpm -K before installing it.

A clip that brought tears to my eyes

Some of our modern cities do not have a quarter of what Córdoba had nearly a thousand years ago.
God is sufficient for us, and He is the best disposer of affairs.
I spent long hours browsing and reading the site http://www.rchelicopterfun.com, which specializes in small radio-controlled helicopters. The site contains a lot of information about the physics of helicopter flight and how they move through the air (explained in a simple, easy way, even for non-specialists).
I will try, God willing, to ask the site owner for permission to translate it into Arabic and publish it here.

Network Time Protocol (NTP) server setup and configuration

The Protocol

Network Time Protocol (NTP) is an application-layer protocol used to synchronize clocks across networked devices so that they share a consistent time. It runs over UDP port 123 and is designed to tolerate the variable latency of packet-switched networks. Time is exchanged as UTC (no time zone or daylight-saving information is carried); each device applies its own time zone and daylight-saving offset locally.

NTP and SNTP

Simple Network Time Protocol (SNTP) is a simplified version of the protocol for clients that need less accuracy. It uses the same packet format, but the client keeps no state about previous exchanges and does none of the clock filtering and source selection that NTP does, so it is easier to implement and less accurate.

NTP Servers

NTP is a hierarchical system of servers, or clock sources. A stratum (level) expresses a server's distance from the real reference clock (GPS, atomic clock, etc.). Stratum 0 is the reference clock itself, stratum 1 is an NTP server directly attached to a stratum 0 clock, stratum 2 servers take their time from stratum 1 servers, and so forth.

Linux NTPd Service

Linux has native NTP support. To enable it, make sure the ntp package is installed (RH, CentOS and others) or check for the /etc/ntp.conf file. Stop the ntpd service first (if it is running) by typing (on RH, CentOS):

# /etc/init.d/ntpd stop

Then edit /etc/ntp.conf, adding or replacing these lines (based on where you are located):

server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org

Substitute your country's 2-letter ISO code (de, uk, fr, etc.). Refer to http://www.pool.ntp.org/ for the list of servers available in your area.
Before starting the ntpd service, execute:

# ntpdate 0.de.pool.ntp.org

to set the clock once so that the remaining offset is small (ntpd refuses to correct an offset of more than 1000 seconds and exits instead), then enable the service in run levels 3, 4 and 5:

# chkconfig --level 345 ntpd on

Start the service:

# /etc/init.d/ntpd start
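The complete /etc/ntp.conf that the steps above produce, as an added example (not the post's own file), with the restrict lines the post does not mention; those are what keep the daemon from being reconfigured by strangers or abused as a UDP amplifier. The de pool is the post's choice; the drift file path is the CentOS 6 default.

```conf
# Added example, not the post's file: /etc/ntp.conf for a CentOS 6 host that
# takes time from the pool and serves it to the local network.

# Frequency error of the local clock, kept across restarts
driftfile /var/lib/ntp/drift

# Default policy for every address: plain time requests are answered, but
# noquery shuts off the mode 6/7 control queries (monlist and friends) that
# are abused for amplification, nomodify blocks runtime reconfiguration,
# notrap disables the trap service and nopeer refuses symmetric peering.
# kod answers rate-limit violators with a kiss-o'-death packet.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Full access from the host itself only, so that a local ntpq -p still works
restrict 127.0.0.1
restrict -6 ::1

# Upstream sources from the post; iburst sends a burst at startup so the
# first synchronization takes seconds rather than several poll intervals
server 0.de.pool.ntp.org iburst
server 1.de.pool.ntp.org iburst
server 2.de.pool.ntp.org iburst

# Who may reach UDP 123 at all is decided by the host firewall. The ntpd
# shipped with CentOS 6 (4.2.6) has no "restrict source", so a stricter
# "restrict default ignore" would also cut off the pool servers above as
# their addresses rotate.
```

With this file in place, ntpq -p on the host itself works as shown below, while the same query from another machine gets no answer; that difference is the check that noquery is in effect.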

Leave it for about an hour, then issue:

# ntpq -p

and the result should be similar to this:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+skywiley.com    173.14.47.149    2 u  851 1024  377  346.070    8.366 118.239
-mirror          128.105.39.11    3 u  763 1024  377  266.614   -9.626   3.613
+ntp2.csl.tjhsst 192.5.41.40      2 u  203 1024  377  266.569   -2.793   0.430
*barium.vps.bitf 193.190.230.66   2 u  869 1024  377  189.283   -2.613   0.287
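Reading these tables by eye is error-prone, so here is an added example (not from the original post) of a health check that parses either peer table, ntpq -p from ntpd or show ntp associations from the Cisco post above, and only reports the host healthy when a real source (not the local clock) is selected, it answered all of the last eight polls, its offset is within a threshold, and at least three sources are usable. The ntpq table is the one shown above; the two IOS tables are constructed for the example, with 192.0.2.x documentation addresses in place of the post's masked ones, and the second of them shows a router that has lost its upstreams and is free-running on ntp master.

```python
"""Health check for NTP peer tables (added example, not the post's code).

Parses `ntpq -p` output from ntpd and `show ntp associations` output from
Cisco IOS, then decides whether the host is really synchronized.
"""
import re

# `ntpq -p` on the Linux host, as printed in the post above
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+skywiley.com    173.14.47.149    2 u  851 1024  377  346.070    8.366 118.239
-mirror          128.105.39.11    3 u  763 1024  377  266.614   -9.626   3.613
+ntp2.csl.tjhsst 192.5.41.40      2 u  203 1024  377  266.569   -2.793   0.430
*barium.vps.bitf 193.190.230.66   2 u  869 1024  377  189.283   -2.613   0.287
"""

# `show ntp associations` on a router synchronized to three upstreams
# (constructed sample; 192.0.2.x are documentation addresses)
IOS_SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           7     12     16   377  0.000   0.000  0.250
*~192.0.2.10      .MSF.            1    434   1024   377 165.60  -6.331 14.827
+~192.0.2.11      .PTB.            1    695   1024   377 170.05   7.694 14.834
+~192.0.2.12      192.0.2.99       2    184   1024   377 173.38  -0.953 14.815
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Same router after losing its upstream: `ntp master` keeps it answering
# clients from its own calendar clock (constructed sample)
IOS_LOCAL_ONLY = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           7     12     16   377  0.000   0.000  0.250
 ~192.0.2.10      .INIT.          16      -   1024     0  0.000   0.000 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

TALLY = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlier", "x": "falseticker", ".": "excess", " ": "rejected"}

# tally char, optional IOS "~" (configured), remote, refid, stratum, rest.
# Header, separator and legend lines do not match and are skipped.
ROW = re.compile(r"^(?P<tally>[ *#+x.-])(?P<cfg>~?)(?P<remote>\S+)\s+"
                 r"(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<rest>\S.*)$")


def parse_peer_table(text):
    """Return one dict per association from either table format."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cols = m.group("rest").split()
        if len(cols) == 7:        # ntpq has a one-letter type column (u/l/b/s)
            cols.pop(0)
        if len(cols) != 6:
            continue
        when, poll, reach, delay, offset, disp = cols
        peers.append({
            "tally": TALLY[m.group("tally")],
            "remote": m.group("remote"),
            "refid": m.group("refid"),
            "stratum": int(m.group("st")),
            "when": None if when == "-" else int(when),
            "poll": int(poll),
            "reach": int(reach, 8),   # last eight polls as an octal shift register
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "dispersion_ms": float(disp),
        })
    return peers


def ntp_health(text, max_offset_ms=100.0):
    """Return (ok, reasons). ok only when a real source is selected, it answered
    all of the last eight polls, its offset is sane and at least three sources
    are usable, so one falseticker can be outvoted."""
    peers = parse_peer_table(text)
    selected = [p for p in peers if p["tally"] == "sys.peer"]
    if not selected:
        return False, ["no system peer (*): clock is not synchronized"]
    sp, reasons = selected[0], []
    if sp["refid"] == ".LOCL." or sp["remote"].startswith("127.127."):
        reasons.append("synchronized to the local clock only; time is free-running")
    if sp["reach"] != 0o377:
        reasons.append("%s reach %o: missed recent polls" % (sp["remote"], sp["reach"]))
    if abs(sp["offset_ms"]) > max_offset_ms:
        reasons.append("%s offset %.3f ms exceeds %.0f ms"
                       % (sp["remote"], sp["offset_ms"], max_offset_ms))
    usable = [p for p in peers if p["tally"] in ("sys.peer", "selected", "candidate")]
    if len(usable) < 3:
        reasons.append("only %d usable source(s); a bad clock cannot be outvoted" % len(usable))
    return not reasons, reasons


if __name__ == "__main__":
    for name, table in (("ntpq", NTPQ_SAMPLE), ("ios", IOS_SAMPLE), ("ios-local", IOS_LOCAL_ONLY)):
        ok, why = ntp_health(table)
        print(name, "OK" if ok else "FAIL", "; ".join(why))
```

Feed it the captured output of ntpq -p or show ntp associations from a monitoring job; the free-running case is the one worth alerting on, because a router on ntp master keeps handing out time with a full reach of 377 long after its upstreams are gone, and nothing in the table other than the .LOCL. reference gives that away.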
