xchg eax, eax

Networking | 2011-10-05 04:53:02

Recently I’ve upgraded my server hardware to support more RAM for the ever-expanding VM list that I’ve got. In the mix of doing this, I thought it would be a great time to install Cisco CallManager 7 in a virtual environment and get rid of CME from my 2621XM. I knew I wanted to move the host environment over to Linux, as it neatly allocates the 16GB of RAM I put in it (rather than Win7 like previously); however, I wasn’t sure what I would use to run my VMs. As the box I built was completely custom, ESXi wasn’t an option and I needed to run VMware or (presumably) VirtualBox to get support for CallManager. VMware hasn’t released an update to their Server product in a long time, so I was reluctant to load Server back on, so I gave VirtualBox a go. Before reading on, note that I have successfully installed and am currently running CallManager 7.1.3.10000-11 and Unity Connection 7.1.3.10000-11 (yes, it’s possible). I know 713 is old; I’m in the process of testing 8 and will post details shortly.

Here’s an overview of what I wanted to achieve.
– PSTN ADSL2 connection into modem/router
– PPPoE from 2621XM
– SIP trunk to provider
– IPSEC VPN Server
– Server running VirtualBox
– CCM7 with SIP trunk to 2621XM
– UC7 integrated with CCM7

Future plans are to have the new server run GNS to complete my CCIE R&S lab, so I’ll throw details up when I complete that.

The PSTN->MODEM->2621XM I have already preconfigured, but I’ll whack it here for shitsngigs anyway. It’s not a full config, but I’m sure most of it is self-explanatory. NOTE, it also includes the translations and dial-peers for the SIP trunk setup explained later.

2621XM+PPPoE+VPN

ip dhcp pool p100
network X.X.X.X 255.255.255.0
default-router X.X.X.X
dns-server 203.0.178.191
option 150 ip CCMIPADDR
!
ip dhcp pool p200
network X.Y.X.X 255.255.255.0
default-router X.Y.X.X
dns-server 203.0.178.191
!
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
l2tp tunnel receive-window 256
!
!
!
!
voice service voip
allow-connections sip to sip
sip
bind control source-interface FastEthernet0/1
bind media source-interface FastEthernet0/1
localhost dns:iinetphone.iinet.net.au
!
!
voice class codec 1
codec preference 1 g711ulaw
!
voice class codec 2
codec preference 1 g729r8
!
!
!
voice class h323 1
h225 timeout tcp establish 3
!
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 1 /1000/ /02XXXXXXXX/
!
voice translation-rule 2
rule 1 /02XXXXXXXX/ /1000/
rule 2 /XXXXXXXX/ /1000/
!
voice translation-rule 3
rule 1 /^0*/ //
!
!
voice translation-profile sip-incoming
translate called 2
!
voice translation-profile sip-outgoing
translate calling 1
translate called 3
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key XXX
dns 61.88.88.88
pool VPN_ADDRESSES
acl VPN
netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN_SET esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_MAP 1
set transform-set VPN_SET
reverse-route
!
!
crypto map VPN client authentication list LOCAL_AUTH
crypto map VPN isakmp authorization list LOCAL_AUTH
crypto map VPN client configuration address respond
crypto map VPN 100 ipsec-isakmp dynamic VPN_MAP
!
!
!
!
!
!
bba-group pppoe global
!
!
interface FastEthernet0/0
description LINK TO MODEM WAN SIDE
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description LINK TO SWITCH LAN SIDE
ip address X.X.X.X 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1
mtu 1492
no ip address
ppp authentication chap
!
interface Dialer0
ip address negotiated
ip access-group WAN_IN in
ip access-group WAN_OUT out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXX
ppp chap password XXXX
ppp pap sent-username XXXX password XXXX
crypto map VPN
!
ip local pool VPN_ADDRESSES X.X.X.X X.X.X.X
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
!
ip access-list extended NAT
remark DENY LOCAL TO VPN
deny   ip X.X.X.X 0.0.0.255 X.Z.X.X 0.0.0.255
remark DENY VPN TO LOCAL
deny   ip X.Z.X.X 0.0.0.255 X.X.X.X 0.0.0.255
remark PERMIT ALL ELSE
permit ip any any
ip access-list extended VPN
remark PERMIT LOCAL TO VPN
permit ip X.X.X.X 0.0.0.255 X.Z.X.X 0.0.0.255
remark PERMIT VPN TO LOCAL
permit ip X.Z.X.X 0.0.0.255 X.X.X.X 0.0.0.255
!
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
!
!
!
control-plane
!
!
!
!
!
sccp local FastEthernet0/1
sccp ccm CCMIPADDR identifier 1
sccp
!
sccp ccm group 1
bind interface FastEthernet0/1
associate ccm 1 priority 1
!
!
dial-peer voice 1 voip
description iiNet incoming to ccm
translation-profile incoming sip-incoming
destination-pattern ....
voice-class codec 1
session protocol sipv2
session target ipv4:CCMIPADDR
incoming called-number .T
dtmf-relay sip-notify rtp-nte
!
dial-peer voice 2 voip
description ccm outgoing to iiNet
translation-profile outgoing sip-outgoing
destination-pattern 0T
voice-class codec 1
session protocol sipv2
session target dns:sip.nsw.iinet.net.au
dtmf-relay sip-notify rtp-nte
!
!
sip-ua
credentials username 02XXXXXXXX password XXXX realm iinetphone.iinet.net.au
authentication username 02XXXXXXXX password XXXX realm iinetphone.iinet.net.au
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 300
mwi-server dns:sip.nsw.iinet.net.au expires 3600 port 5060 transport udp unsolicited
registrar dns:sip.nsw.iinet.net.au expires 3600
sip-server dns:sip.nsw.iinet.net.au
!

VirtualBox
For the Linux host, I ended up going with Ubuntu 64-bit. I really wanted to get away from Ubuntu and try Fedora, but in the end I needed to get this up and running as soon as possible for work resources, so I defaulted back to Ubuntu.
Installing VirtualBox is relatively straightforward:

wget http://download.virtualbox.org/virtualbox/4.1.4/virtualbox-4.1_4.1.4-74291~Ubuntu~natty_amd64.deb
dpkg -i virtualbox-4.1_4.1.4-74291~Ubuntu~natty_amd64.deb

or you can add the following line to your sources list and install the virtualbox-4.1 package from there

deb http://download.virtualbox.org/virtualbox/debian natty contrib

CCM7
Installing CallManager into VirtualBox took a bit of research and the following articles were imperative to getting it working:

http://blog.chackraview.net/2010/01/03/gain-root-access-on-cisco-unified-communication-manager/
http://ubuntuforums.org/showthread.php?t=1029144
http://iddles.co.uk/blogs/index.php/2010/02/cisco-cucmcall-manager-running-on-suns-virtual-box/
http://www.davidrickard.net/2008/12/12/callmanager-in-vmware/
http://www.markholloway.com/blog/?p=543

To start the process, the first thing that must happen is for CallManager to be installed in VMware. Server, Player, whatever; you just need to install it and copy the VMDK file afterwards. I built all my VMs using 2048MB of RAM and 80GB SCSI HDDs. The install process took a fair while but it does successfully complete, as opposed to VirtualBox, where it does not find a valid hardware platform at the hardware verification phase and the installation halts.

Once you’ve got the VMDK files from VMWare, create a new VM in VirtualBox with the following specs:
– 2048MB RAM
– EF – IO APIC
– EF – HW clock in UTC time
– EF – PAE/NX
– HWV – VT-x/AMD-V (if your processor supports it; FYI, I’m running on an i7)
– Mount the VMDK on an LsiLogic SCSI controller
– Mount the CentOS disk as outlined in Chackra Blog (note, I used CentOS-5.6-i386-bin-1of7.iso which worked fine)
– Enable Serial Port COM1 (I found this resolved kernel errors that were showing on the VM; I googled them and found a link to the Cisco support forum, but sorry, I can’t find the link to give credit atm)

Boot the VM off the CentOS disk, follow the VirtualBox hardware config as outlined in the Ubuntu support forums, and then follow Chackra Blog’s guide to gaining root. The below is an excerpt; full cred goes to those on the Ubuntu forums and Chackra’s blog.
– Issue from a root shell:

VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "6"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "VMware"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Phoenix Technologies LTD"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "VMware Virtual Platform"

– Once the VM has booted to the CentOS disk, type linux rescue
– You don’t need to start networking
– Change to your CCM disk by issuing chroot /mnt/sysimage
– Issue chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow
– useradd YOURUSER (NOTE, this user should NOT be the same as your platform or application username. For example my platform and application username is x90, but my linux user is x90root)
– passwd YOURUSER
– chmod 666 /etc/sudoers
– vi /etc/sudoers
– At the end of the file add:
YOURUSER ALL=(ALL) ALL
– chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow
– chmod 444 /etc/sudoers
– Restart your VM

If you now SSH to your CCM and log in as the new user that you created, you will notice that it drops you to a regular bash shell instead of the CCM shell. You’re now free to edit files on the box, including those doing the HW verification 😉

Next we need to edit the hardware validation script. The below is an excerpt; full cred goes to Kevster’s blog.
– vi /usr/local/bin/base_scripts/hardware_check.sh
– Look for the check_deployment function and edit accordingly:

function check_deployment()
{
    local tmp_deployment

    initProductLibrary
    tmp_deployment="$deployment"

    # Check the deployment
    #    isHardwareValidForDeployment $tmp_deployment
    #    rc=$?
    #    if [ $rc -ne 0 ]; then
    #        log info "$tmp_deployment deployment Not Supported"
    #        return 1
    #    fi
    # Deployment is supported by this hardware
    log info "$tmp_deployment deployment Is Supported"
    return 0
}

Restart the VM. NOTE, both my CCM and UC do not shut down cleanly – they both get to a point and produce a massive amount of errors. Once it hits this stage, I force shut the VM. So far, I’ve never had a problem with doing this.

Once the VM restarts, it will take a long while before the services become ready (or at least it did for me). Unity Connection especially takes around 15 minutes to fully start and register with CCM.

Now onto the CCM->2621XM SIP trunk.
Take a look at the config above to see how the dial-peers and translations work. NOTE, I’m using dummy internal numbers that are translated to the real number at the SIP GW. This is why there are translation rules on the GW. I could probably achieve this in CUCM, but this is the way I’ve done it for now. Also note that I’m using 0 as my dial-out code, so this is stripped through a translation too.
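As an added example (not from the original post), here is a small Python model of how the three translation rules and two translation profiles in the config above rewrite the calling and called numbers on each leg. The 02XXXXXXXX DID is redacted in the config, so a constructed placeholder stands in for it, and the matching semantics (rules tried in order, first match wins, only the matched digits are replaced) are a simplified assumption about IOS behaviour.

```python
import re

# Constructed stand-in for the redacted 02XXXXXXXX DID in the post.
DID = "0299990000"

# The three translation rules from the 2621XM config, as (match, replace)
# pairs in rule-number order. Assumed (simplified) IOS semantics: rules are
# tried in order, the first match wins, only the matched digits are replaced
# and the rest of the number is preserved.
RULES = {
    1: [(r"1000", DID)],                    # dummy DN 1000 -> real DID
    2: [(DID, "1000"), (DID[2:], "1000")],  # DID (with/without 02) -> 1000
    3: [(r"^0*", "")],                      # strip every leading zero
}

# Translation profiles from the config: which rule applies to which leg.
PROFILES = {
    "sip-incoming": {"called": 2},
    "sip-outgoing": {"calling": 1, "called": 3},
}


def apply_rule(number, rule_id):
    """Apply the first sub-rule that matches; unmatched numbers pass through."""
    for pattern, repl in RULES[rule_id]:
        if re.search(pattern, number):
            return re.sub(pattern, repl, number, count=1)
    return number


def translate(profile, calling, called):
    """Run a (calling, called) pair through one translation profile."""
    prof = PROFILES[profile]
    if "calling" in prof:
        calling = apply_rule(calling, prof["calling"])
    if "called" in prof:
        called = apply_rule(called, prof["called"])
    return calling, called


if __name__ == "__main__":
    # Outbound (dial-peer 2, destination-pattern 0T): CUCM sends calling 1000
    # and the dial-out 0 plus the dialled number. Note ^0* strips the area
    # code's 0 as well, not only the dial-out 0. Constructed numbers.
    print(translate("sip-outgoing", "1000", "00299995678"))  # ('0299990000', '299995678')
    # Inbound (dial-peer 1): the provider sends our DID as the called number.
    print(translate("sip-incoming", "0411000000", DID))       # ('0411000000', '1000')
    print(translate("sip-incoming", "0411000000", DID[2:]))   # ('0411000000', '1000')
```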

The SIP trunk in CUCM is actually one of the easiest parts of the setup. It’s really just a matter of building the route pattern (RP), route list (RL) and route group (RG) information and adding a new SIP trunk with the local interface of the router as the SIP server. As long as you’ve got allow-connections sip to sip in your voice service, there shouldn’t be any reason why you can’t route calls out via the external SIP provider.

Using this config, I’ve successfully registered my 7940 handset and IP Communicator locally and over VPN and been able to route calls. Voicemail works without a problem; however, I haven’t done anything too funky yet, mainly just testing integration of the ports. From what I can see, processor usage is reasonably minimal and RAM usage against 16GB is negligible, so it should be able to handle the 10 DLUs included with the VM copy without a problem. However, if more is needed, I’m sure if you think about the way Cisco does its licensing you’ll be able to go past the 10 without a problem.