
Failing to SRST mode without shutting CCM service

I am trying to test out SRST mode for one site without shutting ccm service.

I got hold of this ACL.

access-list 111 deny tcp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2000

access-list 111 deny tcp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2428

access-list 111 deny udp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2427

access-list 111 permit ip any any

where 10.10.10.1 is ccm and 10.111.70.1 is router ip addr.

The issue is that when I apply this ACL and check sh ccm fallback, the router does not fail to SRST mode.

I believe their remote site has

data----voice gtw--phone

voice gtw has 2 FE connections and 10.111.70.1 is ip of voice gtw towards data router.

Do you think this acl will work?


david-lima
Level 4

Hi, try to shut down the port where the CCM is connected or create an ACL like: access-list 111 deny tcp IPT-Network host CUCM eq 2000

When the IP phones (not GW) lose 3 keepalives with the CCM, they try to register with the local gateway that is configured for SRST mode. When the WAN link is restored, the IP Phones are able to re-establish a TCP connection with the CCM.

Best regards

David

allan.thomas
Level 8

The simplest option to ensure that CUCM traffic is blocked would be to restrict the CallManager host completely:

ip access-list extended Block-CCM

deny ip host 10.10.10.1 any

permit ip any any

Apply the ACL to the inbound interface on the Voice gateway from the Data router, if you believe this is the route towards CallManager?

When you apply the ACL you should see that the Callmanager Agent status is down when you do a 'show ccm-manager'

Hope this helps

Allan.
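
Added example (not part of Allan's reply or of any post in this thread): a small Python evaluator for the two ACLs quoted above, run against constructed packets. It shows that the wildcard 255.255.255.255 in ACL 111 matches any source, and that ACL 111 only matches traffic destined to 10.10.10.1 on the listed ports, while Block-CCM matches everything sourced from 10.10.10.1. The phone address and the ephemeral port are made-up sample values, and the evaluator models entry matching only, not whether IOS applies an interface ACL to a given packet.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip2int(tok.pop(0)), 0
    return ip2int(first), ip2int(tok.pop(0))

def parse_ace(line):
    tok = line.split()
    tok = tok[2:] if tok[0] == "access-list" else tok   # drop 'access-list 111'
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    dport = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def _hit(addr, spec):
    base, wild = spec                # wildcard bits set to 1 are ignored
    return (ip2int(addr) | wild) == (base | wild)

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, proto, src, dst, dport = parse_ace(line)
        if (proto in ("ip", pkt.proto) and _hit(pkt.src, src)
                and _hit(pkt.dst, dst) and dport in (None, pkt.dport)):
            return action
    return "deny"

ACL_111 = [
    "access-list 111 deny tcp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2000",
    "access-list 111 deny tcp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2428",
    "access-list 111 deny udp 10.111.70.1 255.255.255.255 host 10.10.10.1 eq 2427",
    "access-list 111 permit ip any any",
]
BLOCK_CCM = ["deny ip host 10.10.10.1 any", "permit ip any any"]
# Constructed sample packets: phone address 10.111.71.20 and port 49152 are made up.
PHONE_TO_CCM = Packet("tcp", "10.111.71.20", "10.10.10.1", 2000)
GW_TO_CCM = Packet("udp", "10.111.70.1", "10.10.10.1", 2427)
CCM_TO_GW = Packet("tcp", "10.10.10.1", "10.111.70.1", 49152)
```

evaluate(ACL_111, CCM_TO_GW) returns "permit" and evaluate(BLOCK_CCM, CCM_TO_GW) returns "deny": traffic arriving from CallManager is matched only by the Block-CCM entries.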

webstd.design
Level 1

You should implement ACL on two sides of the WAN.

Why?

Because ACLs filter traffic that passes THROUGH the gateway, but they don't block the gateway's access to the CCM.

I tested SRST with an ACL like yours, and the most you can get this way is to register the phones on the gateway, but the gateway will still be working in normal mode.

Also, you can make a static route to test SRST.

mikram
Level 4

Hi

You could also use a static host route pointing to bin instead of shutting down the CCM service.

ip route xxx.xxx.xxx 255.255.255.255 null 0

works fine for me.

cheers

Ikram

I tried several ACLs without any luck.

This is their network

MPLS circuit--0/46--switch1-0/47-data-voicegtw

|

|--0/48---voice---voicegtw

voice:vlan2

data:vlan1

Does anyone have a recommendation on how to block the CCM access from the voicegtw?

The switch has connections to 0/48--voice--voicegtw, not the MPLS circuit.
