BRKCOL 2060b


#CiscoLive

Enabling Collaboration for Your Remote Workforce with Cisco Expressway, Part II

Luis Garcia
BRKCOL-2060b

Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 17, 2022.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKCOL-2060b

#CiscoLive BRKCOL-2060b © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• SIP-Based DoS Attack Protection
• SIP Registration Failover for Soft Clients
• Webex UCM Calling Enhancement
• IPv6 Support
• Serviceability Enhancements
• Conclusion

Introduction

Expressway Deployments

(Diagram: Internal Network, DMZ, External Network/Internet; Call Control, Expressway-C and Expressway-E. Deployment types shown: B2B Calling, Mobile and Remote Access, CMS WebRTC, Interworking, XMPP Federation, Webex Edge.)

Mobile and Remote Access

(Diagram: Internal Network, DMZ, External Network/Internet; UCM, IM&P and Unity, Expressway-C, Expressway-E.)

X14 Upgrade Benefits

Security: the #1 priority for each release
Resilience: registration failover
User Experience: Webex App enhancements
Serviceability: improved operational efficiencies

SIP-Based DoS Attack Protection

SIP-Based DoS Attack Protection - Pre-X14

(Diagram: Internet -> Firewall -> Expressway-E. The TCP handshake (SYN, SYN/ACK, ACK) completes, the SIP INVITE is received, and CPL rejects it with SIP 403 Forbidden. Every INVITE from the source is processed and answered.)
SIP-Based DoS Attack Protection - X14

• The "SIP Authentication Failure" category under System > Protection > Automated Detection now also matches 403 Forbidden reason codes.

SIP-Based DoS Attack Protection - X14
• The web GUI shows an example of the log message that will trigger the protection.

SIP-Based DoS Attack Protection - X14

(Diagram: Internet -> Firewall -> Expressway-E. TCP handshake (SYN, SYN/ACK, ACK), SIP INVITE, CPL answers 403 Forbidden; Intrusion Protection on the Exp-E matches the failure and blocks the source IP.)

Exp-E will stop replying to any messages coming from an IP that is blocked.

SIP Registration Failure Detection

• The regular expression for "SIP registration failure" was updated to match more registration failures.
• All reasons for the event "Registration Rejected" will be matched.

(Screenshots: the Pre-X14 and X14 regular expressions.)
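The two automated-detection changes above (403 Forbidden now counted as a SIP authentication failure, every "Registration Rejected" reason counted as a registration failure) can be modelled as a per-source sliding-window counter that blocks a source once a category's failures exceed a threshold inside a time window, after which nothing from that source is answered. The following is an added example, not Expressway's code: the log format, the regexes, the thresholds (5 failures in 60 s, 10-minute block) and the sample lines (documentation addresses) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection categories modelled on the slide. "SIP authentication failure"
# matches 403 Forbidden (the X14 behaviour), "SIP registration failure"
# matches every "Registration Rejected" event regardless of reason.
# The regexes are assumptions written for the constructed log format below.
CATEGORIES = {
    "SIP authentication failure": re.compile(r'Response="(?:401 Unauthorized|403 Forbidden)"'),
    "SIP registration failure": re.compile(r'Event="Registration Rejected"'),
}
LINE_RE = re.compile(r'^(?P<ts>\S+) Src-ip="(?P<ip>[0-9.]+)"')

# Constructed sample log (simplified format, not the real Expressway format).
SAMPLE_LOG = """\
2022-06-01T10:00:00Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:05Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:06Z Src-ip="198.51.100.7" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:11Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:15Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:20Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:00:25Z Src-ip="203.0.113.9" Event="Call rejected" Response="403 Forbidden"
2022-06-01T10:01:00Z Src-ip="203.0.113.50" Event="Registration Rejected" Reason="Unknown domain"
2022-06-01T10:01:10Z Src-ip="203.0.113.50" Event="Registration Rejected" Reason="Unknown domain"
2022-06-01T10:01:20Z Src-ip="203.0.113.50" Event="Registration Rejected" Reason="Policy"
2022-06-01T10:01:30Z Src-ip="203.0.113.50" Event="Registration Rejected" Reason="Policy"
2022-06-01T10:01:40Z Src-ip="203.0.113.50" Event="Registration Rejected" Reason="Policy"
"""


def parse_ts(iso_z):
    """Parse the constructed 'Z'-suffixed timestamp into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


class AutomatedDetector:
    """Per-category sliding-window counter: a source is blocked after
    `trigger_count` matching failures inside `window_s` seconds.
    The thresholds are assumed values, not Expressway defaults."""

    def __init__(self, trigger_count=5, window_s=60, block_s=600):
        self.trigger_count = trigger_count
        self.window = timedelta(seconds=window_s)
        self.block_for = timedelta(seconds=block_s)
        self.failures = defaultdict(lambda: defaultdict(deque))  # category -> ip -> times
        self.blocked = {}  # ip -> block expiry

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and now < expiry

    def process(self, line):
        """Return (ip, category) when this line triggers a block, else None.
        Lines from an already blocked source are dropped without processing,
        mirroring the X14 behaviour of not replying to a blocked IP."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        if self.is_blocked(ip, now):
            return None
        for category, pattern in CATEGORIES.items():
            if not pattern.search(line):
                continue
            times = self.failures[category][ip]
            times.append(now)
            while times and now - times[0] > self.window:  # expire old entries
                times.popleft()
            if len(times) >= self.trigger_count:
                self.blocked[ip] = now + self.block_for
                times.clear()
                return ip, category
        return None


def run_detection(log_text, **kwargs):
    """Feed every line through a detector; return it and the block events."""
    detector = AutomatedDetector(**kwargs)
    events = [e for e in (detector.process(l) for l in log_text.splitlines()) if e]
    return detector, events


if __name__ == "__main__":
    _, events = run_detection(SAMPLE_LOG)
    for ip, category in events:
        print(f"blocked {ip} ({category})")
```

Only 203.0.113.9 and 203.0.113.50 cross the threshold; the single 403 from 198.51.100.7 is recorded but never blocks, which is the property a practitioner wants to confirm before raising detection aggressiveness on a public-facing Exp-E.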

Rate Limits for SIP

• SIP over TCP: only connections in state NEW are counted as new connections.
• SIP over UDP: related and established connections are also counted as new connections.

Rate Limits for SIP

• Connections per second: range 1 to 150, default 100.
• Burst limit: range 15 to 30, default 20.
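To see how the two knobs interact with the TCP/UDP counting rule, the added example below (not Expressway's implementation) models the limit as a token bucket in the style of the iptables "limit" match: the connections-per-second value is the refill rate and the burst value is the bucket size. The ranges and defaults are the ones on the slide; the bucket model itself and the conntrack-state labels are assumptions.

```python
from dataclasses import dataclass, field

# Ranges and defaults from the slide.
CPS_RANGE = (1, 150)      # connections per second, default 100
BURST_RANGE = (15, 30)    # burst limit, default 20


def valid_config(conn_per_sec, burst):
    """True when both values are inside the supported ranges."""
    return (CPS_RANGE[0] <= conn_per_sec <= CPS_RANGE[1]
            and BURST_RANGE[0] <= burst <= BURST_RANGE[1])


def counts_as_new(proto, ct_state):
    """Which packets are charged against the limit, per the slide: for TCP only
    conntrack state NEW; for UDP also RELATED and ESTABLISHED, because UDP has
    no handshake that would distinguish a new flow."""
    if proto == "tcp":
        return ct_state == "NEW"
    if proto == "udp":
        return ct_state in ("NEW", "RELATED", "ESTABLISHED")
    raise ValueError(f"unsupported protocol {proto!r}")


@dataclass
class SipRateLimit:
    """Token bucket (assumed model): `burst` tokens, refilled at `conn_per_sec`."""
    conn_per_sec: int = 100
    burst: int = 20
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        if not valid_config(self.conn_per_sec, self.burst):
            raise ValueError("rate limit outside supported range")
        self.tokens = float(self.burst)
        self.last = 0.0

    def admit(self, proto, ct_state, now):
        """True if the packet is accepted, False if dropped by the rate limit."""
        if not counts_as_new(proto, ct_state):
            return True                      # not charged against the limit
        elapsed = max(0.0, now - self.last)  # refill for the time since last packet
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.conn_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limiter, packets):
    """packets: iterable of (time_s, proto, ct_state). Returns (admitted, dropped)."""
    admitted = dropped = 0
    for t, proto, state in packets:
        if limiter.admit(proto, state, t):
            admitted += 1
        else:
            dropped += 1
    return admitted, dropped


if __name__ == "__main__":
    # Constructed flood: 200 TCP connection attempts (state NEW) in one instant,
    # a second of quiet, then 50 more. With the defaults only 20 + 20 get through.
    flood = [(0.0, "tcp", "NEW")] * 200 + [(1.0, "tcp", "NEW")] * 50
    print(simulate(SipRateLimit(), flood))
```

The instructive point is the second burst: after one second the bucket has refilled to its cap of 20, not to 100, so the burst value bounds how many new SIP connections can ever be admitted at once, while the per-second value only governs how quickly that allowance comes back.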

SIP Registration Failover

MRA SIP Registration Failover

Routing Feature | Minimum Release required
Adaptive Routing | 1. Expressway X12.7 (Feature Preview); 2. Cisco Jabber 12.9 MR; 3. Cisco Webex App
STUN Keepalives | 1. Expressway X12.7 (Feature Preview); 2. CUCM 14; 3. Cisco Jabber 12.9 MR; 4. Cisco Webex App

These features are not supported for IP Phones or Webex devices using MRA.

Adaptive Routing
Expressways can dynamically alter the routing path for SIP REGISTERs when an Exp-C node is detected to be down.

(Diagram: UCM1/2/3, Exp-C1/2/3 and Exp-E1/2/3 between UCM, IM&P and Unity and the Internet.)

Adaptive Routing
Expressway-C Down Scenario

(Diagram: the same UCM1/2/3, Exp-C1/2/3, Exp-E1/2/3 topology with one Exp-C node down.)

Adaptive Routing
Expressway-C Down Scenario

FQDN    IP Address
Exp-C1  10.88.255.105
Exp-C2  10.88.255.106
Exp-C3  10.88.255.107

Register keepalives are sent every 120 seconds by default.

REGISTER as sent by the client (Route set through Exp-E1, an Exp-C and UCM3; note the Contact parameter x-cisco-mra-ha=AR_SK):
  REGISTER sip:ucm3.ucdemolab.com
  Contact: <sip:...>; x-cisco-mra-ha=AR_SK
  Route: <sip:exp-e1.ucdemolab.com;...>
         <sip:10.88.255.106:5061;...>
         <sip:ucm3.ucdemolab.com;...>

REGISTER toward UCM3 with two Path headers recording the Expressway hops:
  REGISTER sip:ucm3.ucdemolab.com
  Route: <sip:ucm3.ucdemolab.com;...>
  Path: <sip:10.8.255.105:7001;...>
  Path: <sip:75.191.5.108:52122;...>

REGISTER toward UCM3 with three Path headers after rerouting via Exp-C3 (10.88.255.107):
  REGISTER sip:ucm3.ucdemolab.com
  Route: <sip:ucm3.ucdemolab.com;...>
  Path: <sip:10.88.255.107:5060;...>
  Path: <sip:10.8.255.105:7001;...>
  Path: <sip:75.191.5.108:52122;...>
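The REGISTER excerpts above show the mechanics: the client's Route set names a specific Exp-C, and when that node is down the Expressway forwards the REGISTER through another Exp-C and records the hops actually taken in Path headers. The following added example (illustrative code, not Expressway's) models that forwarding step on a constructed REGISTER built from the slide's abbreviated excerpt. The Exp-C inventory and the Path value for the Exp-E hop come from the slide; the Route parameters, the Via header, the choice of the first healthy node, and treating x-cisco-mra-ha=AR_SK as the client's capability flag are assumptions.

```python
import re

# Exp-C inventory from the slide (FQDN -> IP).
EXP_C_NODES = {
    "exp-c1.ucdemolab.com": "10.88.255.105",
    "exp-c2.ucdemolab.com": "10.88.255.106",
    "exp-c3.ucdemolab.com": "10.88.255.107",
}
EXP_E_HOP = "10.8.255.105:7001"   # Path value shown on the slide for the Exp-E hop

# Constructed REGISTER modelled on the slide's abbreviated excerpt.
CLIENT_REGISTER = "\r\n".join([
    "REGISTER sip:ucm3.ucdemolab.com SIP/2.0",
    "Via: SIP/2.0/TLS 75.191.5.108:52122;branch=z9hG4bKexample",
    "Contact: <sip:user@75.191.5.108:52122;transport=tls>;x-cisco-mra-ha=AR_SK",
    "Route: <sip:exp-e1.ucdemolab.com;lr>",
    "Route: <sip:10.88.255.106:5061;transport=tls;lr>",
    "Route: <sip:ucm3.ucdemolab.com;lr>",
    "", "",
])

URI_HOST_RE = re.compile(r"<sip:(?:[^@>]*@)?([^;:>]+)")


def parse_message(msg):
    """Split a SIP message into (start line, [(name, value), ...])."""
    lines = msg.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def serialize(start_line, headers):
    return "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers] + ["", ""])


def uri_host(value):
    """Host part of the first SIP URI in a header value (IPv4/FQDN only)."""
    m = URI_HOST_RE.search(value)
    return m.group(1) if m else None


def supports_adaptive_routing(headers):
    # Assumption: x-cisco-mra-ha=AR_SK on the Contact marks a client that can
    # accept a rerouted registration.
    return any(n == "Contact" and "x-cisco-mra-ha=AR_SK" in v for n, v in headers)


def exp_c_ip(host):
    """Resolve an Exp-C FQDN or IP from the Route set to its IP, else None."""
    if host in EXP_C_NODES:
        return EXP_C_NODES[host]
    if host in EXP_C_NODES.values():
        return host
    return None


def forward_register(msg, down_exp_c):
    """Model of the Exp-E forwarding step: if the Exp-C named in the Route set
    is down and the client supports adaptive routing, substitute a healthy
    Exp-C; in every case record this hop in a Path header.
    Returns (forwarded message, Exp-C IP used, rerouted?)."""
    start, headers = parse_message(msg)
    for i, (name, value) in enumerate(headers):
        if name != "Route":
            continue
        ip = exp_c_ip(uri_host(value))
        if ip is None:
            continue                      # Exp-E or UCM hop, not an Exp-C
        rerouted = False
        if ip in down_exp_c and supports_adaptive_routing(headers):
            healthy = sorted(set(EXP_C_NODES.values()) - set(down_exp_c))
            if not healthy:
                raise RuntimeError("no Expressway-C node available")
            headers[i] = (name, value.replace(uri_host(value), healthy[0], 1))
            ip, rerouted = healthy[0], True
        # Path records the hop so the 200 OK can report the route actually used
        headers.insert(i, ("Path", f"<sip:{EXP_E_HOP};lr>"))
        return serialize(start, headers), ip, rerouted
    raise ValueError("Route set does not contain an Expressway-C hop")


if __name__ == "__main__":
    forwarded, used, rerouted = forward_register(CLIENT_REGISTER, {"10.88.255.106"})
    print(f"via {used}, rerouted={rerouted}")
    print(forwarded)
```

A client that does not advertise the capability keeps its original Route set even when the named Exp-C is down, which is why the slide lists minimum client releases: without the client-side support the Expressway has nothing it can safely reroute.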

Adaptive Routing
Expressway-C Down Scenario

FQDN    IP Address
Exp-C1  10.88.255.105
Exp-C2  10.88.255.106
Exp-C3  10.88.255.107

The 200 OK carries the Path set that was taken, so the client learns the working route:
  SIP/2.0 200 OK
  Path: <sip:10.88.255.107:5060;...>,
        <sip:10.8.255.105:7001;...>,
        <sip:75.191.5.108:52122;...>

(The same 200 OK with its Path headers is shown at each hop on the way back to the client.)

Adaptive Routing - APNS

(Diagram: Cisco Cloud and Apple/Google push services above the UCM/Exp-C/Exp-E topology. When the Webex App is moved to the background, the PUSH notification contains the active UCM.)

STUN Keepalives
This is enabled from the Exp-C only, under Unified Communications > Configuration. Exp-E will automatically match the configuration of the Exp-C.

(Screenshots: the setting on Exp-C and the mirrored value on Exp-E.)

STUN Keepalives
• Webex App and Jabber clients send STUN Binding Request messages to check the connection path.
• When running UCM 14 we can identify when a UCM node goes down.
STUN keepalives are sent every 30 seconds.

(Diagram: UCM1/2/3, Exp-C1/2/3, Exp-E1/2/3, Internet.)

STUN Keepalives
UCM Down Scenario

STUN Binding Request from the client, carrying the path flow token:
  Message Header: type=BindRequest(0x0001)
  Flow Token: a77317ec-ac7f-4e38-9d03-4bceaae7ff8e:1

Expressway log when the TCP connection to UCM3 fails:
  Informing Neighbor zone that peer is down/unresponsive zone="CEtcp-ucm3.ucdemolab.com"
  TCP Connection Failed

Expressway log for the keepalive received on the affected flow:
  STUN Binding request(1) X_CISCO_PATH_FLOW_TOKEN : a77317ec-ac7f-4e38-9d03-4bceaae7ff8e:1

STUN Keepalives
UCM Down Scenario

STUN Binding Error Response returned to the client:
  type=BindErrorResponse(0x0111)
  ErrorCode: (class=4, number=21, reason=PATH IS DOWN)
  Flow Token: a77317ec-ac7f-4e38-9d03-4bceaae7ff8e:1

Expressway log:
  STUN Binding error request(273) TID=0x3b6cee2c-41161ade-1a856a80
  X_CISCO_FLOW_PATH_STATUS : ucmLost:1, vcscLost:0, vcseLost:0 ERROR_CODE : class-code:4-21

Log message:
  stun response CUCM LOST!
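The keepalive exchange on the last two slides is ordinary RFC 5389 STUN: a Binding Request (0x0001) carrying the flow token, answered with a Binding Error Response (0x0111) whose ERROR-CODE attribute encodes class 4, number 21, reason "PATH IS DOWN" when the UCM leg of that flow is gone. The added example below (not Cisco's code) encodes and parses both messages and shows the client-side decision. The message types, the error class/number/reason and the flow-token value are from the slides; the attribute type used for the flow token (0xC001) is a hypothetical comprehension-optional number, since the real Cisco attribute number is not on the page.

```python
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001          # slide: BindRequest(0x0001)
BINDING_RESPONSE = 0x0101         # RFC 5389 Binding success response
BINDING_ERROR_RESPONSE = 0x0111   # slide: BindErrorResponse(0x0111)
ATTR_ERROR_CODE = 0x0009          # RFC 5389 ERROR-CODE
ATTR_FLOW_TOKEN = 0xC001          # hypothetical attribute type for the Cisco flow token
FLOW_TOKEN = b"a77317ec-ac7f-4e38-9d03-4bceaae7ff8e:1"   # value from the slide


def _attr(attr_type, value):
    """TLV with the value padded to a 4-byte boundary (RFC 5389 section 15)."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * (-len(value) % 4)


def build(msg_type, tid, attrs):
    """20-byte header (type, length, magic cookie, 96-bit transaction ID) + attributes."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + tid + body


def parse(data):
    """Return (message type, transaction ID, {attribute type: raw value})."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a well-formed STUN message")
    tid, attrs, pos = data[8:20], {}, 20
    while pos < 20 + length:
        a_type, a_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs[a_type] = data[pos + 4:pos + 4 + a_len]
        pos += 4 + a_len + (-a_len % 4)   # skip the padding too
    return msg_type, tid, attrs


def encode_error_code(cls, number, reason):
    """ERROR-CODE value: 21 reserved zero bits, 3-bit class, 8-bit number, reason text."""
    return struct.pack("!I", (cls << 8) | number) + reason.encode("utf-8")


def decode_error_code(value):
    word = struct.unpack("!I", value[:4])[0]
    return (word >> 8) & 0x7, word & 0xFF, value[4:].decode("utf-8")


def client_keepalive(tid=None):
    """Binding Request with the flow token, as the client sends every 30 seconds."""
    return build(BINDING_REQUEST, tid or os.urandom(12), [(ATTR_FLOW_TOKEN, FLOW_TOKEN)])


def expressway_answer(request, ucm_path_up):
    """Model of the Expressway side: a keepalive on a flow whose UCM leg is down
    gets class 4 / number 21 'PATH IS DOWN'; a healthy path gets a success response."""
    msg_type, tid, attrs = parse(request)
    if msg_type != BINDING_REQUEST:
        raise ValueError("unexpected message type")
    if ucm_path_up:
        return build(BINDING_RESPONSE, tid, [(ATTR_FLOW_TOKEN, attrs[ATTR_FLOW_TOKEN])])
    return build(BINDING_ERROR_RESPONSE, tid, [
        (ATTR_ERROR_CODE, encode_error_code(4, 21, "PATH IS DOWN")),
        (ATTR_FLOW_TOKEN, attrs[ATTR_FLOW_TOKEN]),
    ])


def client_should_failover(response, expected_tid):
    """Client decision: only an error response whose transaction ID matches the
    outstanding request and whose code is class 4 / number 21 triggers a
    re-registration over a different route."""
    msg_type, tid, attrs = parse(response)
    if tid != expected_tid or msg_type != BINDING_ERROR_RESPONSE:
        return False
    cls, number, _ = decode_error_code(attrs[ATTR_ERROR_CODE])
    return (cls, number) == (4, 21)


if __name__ == "__main__":
    tid = os.urandom(12)
    resp = expressway_answer(client_keepalive(tid), ucm_path_up=False)
    print(parse(resp)[0] == BINDING_ERROR_RESPONSE, client_should_failover(resp, tid))
```

Checking the transaction ID before acting on the error is the detail worth copying: a client that fails over on any unsolicited 0x0111 could be steered off a healthy registration path by anyone who can reach its keepalive port, whereas matching the 96-bit ID ties the decision to a request the client actually sent.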

STUN Keepalives
UCM Down Scenario
• The WxA or Jabber client selects a new SIP registration route and uses it to fail over to an active UCM server.

(Diagram: the client's registration moves to a different UCM node.)

MRA SIP Registration Failover

✓ Benefits without UCM version 14:
• Detection of UCM failure based on TCP timeout (> 2 mins)
• STUN keepalives can detect Expressway failures
• Adaptive Routing selects an active Exp-C to prevent a registration failure

✓ Benefits with UCM version 14:
• STUN keepalives allow faster and more accurate detection of UCM failure (30 secs)

Webex App Enhancements

MRA - UCM Calling

(Diagram: UCM and Unity Connection on the internal network, Expressway-C and Expressway-E, the Internet; SIP TLS and HTTPS flows traverse the Expressways.)

Redirect URI for SSO/OAuth
• This feature enhances the security of the Cisco Jabber/Webex client embedded browser support with the following benefits:
  • Provides protection against the "Authorization Code Interception Attack" using RFC 7636 (PKCE)
  • Allows clients running on operating systems other than iOS to use the embedded browser (for example, Android)
  • Allows Jabber and Webex clients to use the embedded browser for the Unified Communications Manager (and MRA) OAuth flow
  • Improves the user experience when using the Webex client and Unified Communications Manager Calling
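RFC 7636 (PKCE) is what makes the embedded-browser flow safe against authorization code interception: the client sends a one-way hash of a fresh secret (the code challenge) with the authorization request and the secret itself (the code verifier) only at the token request, so a code observed on the redirect cannot be exchanged without the verifier. The added example below (illustrative, not UCM's or the Webex client's implementation) shows the verifier/challenge derivation with the S256 method and a minimal authorization-server model that enforces it; the redirect URI and server logic are constructed.

```python
import base64
import hashlib
import secrets


def b64url(data):
    """BASE64URL without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier):
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed model of the server side: the challenge is stored with the
    issued code, and the code is exchanged only if the presented verifier
    hashes to that challenge and the redirect URI matches."""

    def __init__(self):
        self._codes = {}   # code -> (redirect_uri, code_challenge)

    def authorize(self, redirect_uri, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, code, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)   # authorization codes are single use
        if entry is None:
            return None
        stored_uri, challenge = entry
        if redirect_uri != stored_uri:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def pkce_flow(server, redirect_uri, verifier_known=True):
    """Run the flow end to end. With verifier_known=False the token request is
    made with a different verifier, which is the situation of a party that saw
    the code on the redirect but never held the client's secret.
    Returns True when a token was issued."""
    verifier = make_code_verifier()
    code = server.authorize(redirect_uri, make_code_challenge(verifier))
    presented = verifier if verifier_known else make_code_verifier()
    return server.token(code, redirect_uri, presented) is not None


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(pkce_flow(srv, "com.example.app://oauth/callback"))             # True
    print(pkce_flow(srv, "com.example.app://oauth/callback", False))      # False
```

The first assertion in the accompanying check uses the test vector from RFC 7636 Appendix B, which is the quickest way to confirm a client library is computing the S256 challenge correctly before deploying it behind an embedded browser.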
IPv6 Support

IPv6 Support - X14.2 Preview
X14.2 will support MRA Jabber clients using an IPv6 address. Exp-E must be set up in dual mode (IPv4/IPv6); Exp-C is set up as IPv4 only. UCM servers need to be running in dual mode.

(Diagram: IPv6 between the Internet and Exp-E1/2/3, IPv4 from the Exp-E inward through Exp-C1/2/3 to UCM1/2/3.)

Serviceability Enhancements

System Key Recovery
• Clustering can fail and generate a "Failed to update system key" alert; recovering used to require a factory reset of the node showing the alert.
• The new CLI command "xcommand forcesystemkeyupdate" allows recovery from the error without a factory reset.

xstatus alarm
*s Alarm: /
1: Description: "Failed to update system key file due to inconsistent state"
ID: "40055"
Solution: "Restart the system. If that doesn't clear the problem, contact your Cisco representative"
Title: "Failed to update key file"

xcommand forcesystemkeyupdate
OK

IP/Port Filter for tcpdump on Diagnostic Logging
• Filtering the packet capture prevents the pcaps from being overwritten in a short period of time. The amount of data collected was also increased from 40 MB per interface to 400 MB.

Conclusion

Highlights
• SIP DoS protection stops spam calls and toll fraud attempts.
• SIP registration failover for Jabber and WxA takes only 30 seconds to discover failures in the SIP path when using UCM 14.
• WxA enhancements make it easier to use UCM Calling.
• Limited support for IPv6 when the infrastructure is IPv4.
• Serviceability enhancements help simplify the troubleshooting process.

Technical Session Surveys
• Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live branded socks!
• Attendees will also earn 100 points in the Cisco Live Game for every survey completed.
• These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Pay for Learning with Cisco Learning Credits
Cisco Learning Credits (CLCs) are prepaid training vouchers redeemed directly with Cisco. From technology training and team development to Cisco certifications and learning plans, let us help you empower your business and career. www.cisco.com/go/certs

Learn
• Cisco U.: IT learning hub that guides teams and learners toward their goals
• Cisco Digital Learning: subscription-based product, technology, and certification training
• Cisco Modeling Labs: network simulation platform for design, testing, and troubleshooting
• Cisco Learning Network: resource community portal for certifications and learning

Train
• Cisco Training Bootcamps: intensive team & individual automation and technology training programs
• Cisco Learning Partner Program: authorized training partners supporting Cisco technology and career certifications
• Cisco Instructor-led and Virtual Instructor-led training: accelerated curriculum of product, technology, and certification courses

Certify
• Cisco Certifications and Specialist Certifications: award-winning certification program empowers students and IT professionals to advance their technical careers
• Cisco Guided Study Groups: 180-day certification prep program with learning and support
• Cisco Continuing Education Program: recertification training options for Cisco certified individuals

Here at the event? Visit us at The Learning and Certifications lounge at the World of Solutions

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you
