The Coming Cyber Cold War?

This week a couple of interesting tidbits landed in my security news feed.  The first comes from the Middle East where security researchers have uncovered a new infection known by the cutesy moniker of “The Flame”.  It’s a very advanced attack that seems to function more as a collection of infection vectors organized into scripted modules than a plain virus.  It’s notable for two things – first, the collection of files is almost 20MB, which is huge in terms of malware or spyware payloads.  Generally, the idea is that the smaller the package is, the less likely it is to be detected before delivery.  Also curious is that the writers of this nasty little bug decided to think outside the box and use the Lua scripting language.  This allows not only for some pretty high-level programming logic but also enables the writers to extend the functions of the program by utilizing C code at some point down the road.  Lua isn’t typically seen in malware today due to the complexity of writing code.  Even the ~3000 lines of Lua code in “The Flame” would take the average Lua programmer about a month to work out.  Most researchers are calling “The Flame” one of the most complicated pieces of malicious code ever encountered.

The second piece of news that caught my attention was the uncovering of a “backdoor” in some military Field Programmable Gate Array (FPGA) chips.  At first, many were scrambling to accuse the Chinese of putting this particular hole into the hardware.  However, a very detailed analysis by Robert David Graham (@ErrataRob) has shown that in all likelihood the Chinese had nothing to do with this.  Instead, a debugging interface that is normally disabled when a device ships was instead found to have capabilities of accessing the system in an unintended way.  You know, kind of like the point of having a debugger in the first place?  Rob goes on to pick apart the other pieces of the released story, taking special consideration to downplay any involvement the Chinese government may or may not have had in “planting” the backdoor in the first place.  This also isn’t the first time I’ve heard about the idea that the Chinese government was installing backdoors or other kinds of monitoring technology in things being shipped to the US.  I’ve also heard that even travelers headed behind the Great Wall take extra precautions not to expose too much information or technology while abroad.  It honestly sounded like something out of a James Bond film with all the formatting and burn phones.

After reading both of these items, I started thinking a bit more.  All of this discussion and rhetoric seems vaguely familiar.  To me, it sounds an awful lot like the Cold War-era rhetoric that I heard as a kid.  Sure, I’ve seen Red Dawn a few times.  I can remember watching the Berlin Wall fall down.  I enjoy watching movies and reading books about when the Russkies were the bad guys.  All of the discussion about state-sponsored cyber espionage and discussions about the Chinese hacking everything in sight bring me back to those times.  I do believe that there will soon be a Cyber Cold War if it’s not already upon us.  However, instead of the interactions of spies in places like Berlin and the moves and countermoves from Langley and Moscow, all of the conflict in this Cold War will take place in the ether(net).  Information seems to be fairly accessible now to anyone that wants it.  Organized groups of malcontents seem to be amusing themselves with hacking every kind of database imaginable and spilling the contents far and wide in an attempt to make a name for themselves.  These people don’t really worry me.  As I said before when I talked about Stuxnet, the real concern in my mind comes from organized groups of state-sponsored agents that spend a large amount of time attacking cyber infrastructure quietly for the purpose of stealing and not getting caught.  It’s the kind of feeling you get when you read about old-school spy stories like those of Aldrich Ames and Robert Hanssen.  The Advanced Persistent Threat (APT) technology of today allows programs to sit in place for months (if not years) and quietly exfiltrate data back to interested parties while the victim has little to no clue about what might be going on.  APTs don’t go out and buy fancy cars or new houses. APTs don’t make suspicious phone calls (usually) or get tailed by FBI agents hot on their trail.  They just collect data and send it away for someone else to look at.  APTs are low profile on purpose.
And they scare me a lot more than the worst spies in history.

At the rate things are headed right now, it won’t be long before the new Berlin Wall is instead a firewall doing a horrible job of separating your network from those that would seek to take all the data they can find.  Instead of the CIA looking for moles, it’s going to be security researchers and IT admins looking for all manner of programs lurking around, stealing data.  With access to big data technology, it wouldn’t take long for someone in the know to start crunching data and finding out things they aren’t supposed to know.  Yeah, it sure does sound like the plot of a TV show or some movie.  But back in 1985, the idea that the Russians would be our friends was pretty far-fetched as well.  I’m very interested to see what happens in the coming months with regard to advances in state-sponsored hacking.  I think things are only going to escalate from here.  The question is whether or not those of us in the private sector are in the crosshairs as well.  And if we are, how quickly we can adapt.

Now You Cius, Now You Don’t

Cisco had some pretty high hopes for the Cius tablet.  When it was first announced at Cisco Live 2010, it was positioned to unseat all manner of devices, including the vaunted iPad.  A year later at Cisco Live 2011, the mood had changed somewhat.  After watching vendor after vendor try to take down the 800-pound Cupertino Tablet Gorilla, Cisco realized that placing the Cius in the sights of the iPad may not be the way to sell it.  Instead, it became an enterprise collaboration endpoint.  The idea was to push it out to those that wanted to use their tablets as unified communications endpoints and enact a bit of control over what they could do.  Today, just before Cisco Live 2012, Cisco quietly announced through O.J. Winge that development on the Cius would effectively halt.  Essentially, what you Cius is what you get (I apologize in advance for all the puns.  I’ve been saving them.).

This really doesn’t come as a surprise to me.  The handwriting has been on the wall for many months, but around the time of Enterprise Connect 2012, that handwriting was outlined in bright neon letters.  Cisco has finally realized that unseating the iPad is all but impossible.  The primary drivers for BYOD in the enterprise come from the Cupertino Fruit Tablet.  People focus on writing software for the iPad.  Executives want them.  Executives and knowledge workers buy them and bring them into your environment.  The number of non-Apple tablet devices is shrinking by the day.  Besides Samsung, most other developers have either given up the dream of being the next big post-PC device or are very close to making that decision.  Instead, everyone is jumping on the Apple bandwagon and developing their software for the iPad.  This is what Cisco decided to do when it ported the Jabber IM/Presence/Softphone software from the PC and Mac to the iPad.  While Jabber for iPad won’t be released until sometime in June (my money is on the day of the Cisco Live 2012 Keynote from Chambers), I’ve seen a copy of it running on many Cisco employees’ iPads.  It does everything that you’d want a Cius to do.  More, in fact.  It’s funny that a single application can invalidate an entire device development.  Padma Warrior walked on stage at Enterprise Connect 2012 to show off Jabber.  On an iPad.  More than one person in my Twitter stream made a snarky mention about it, asking where her Cius was.  That was likely the final nail in the coffin of the Cius.  It just took a few months for the final hammer stroke to fall.  If the CTO of your company doesn’t have enough faith in your device to show it off as the gold standard for communication and collaboration on stage in front of thousands, that says more about it than any marketing slide can.

Software development on the Cius has quite frankly been a joke.  It took ten months to get Forced Authorization Codes (FAC) to work when dialing numbers.  That was a deal breaker for me.  The firmware is buggy at best.  It’s based on Android 2.2 (Froyo).  They’re already 2 major versions behind and the hope to get to ICS (or even Honeycomb or Gingerbread) was doubtful at best.  The AppHQ app store never really took off, as most people that I’ve talked to just went over to the Google App Store, or Google Play or whatever it’s called this week, and installed what they wanted.  If this had been the Cius that I had gotten last year at Cisco Live, I’d have had high hopes for it.  Instead, it’s taken a year to get it to the point of being semi-usable.  Assuming there may be one more firmware update in the pipeline, I still don’t think the device is stable enough for everyday use.  My Cius still sits on the side of my desk next to my EX90.  My day-to-day endpoint is still my 9971.  It’s rock solid.  It doesn’t reboot every two hours.  It plays video when I ask it to.  I don’t have to spend 30 seconds poking around the UI before I can make a phone call. Besides getting me a 50 GB Box.net storage account, I’ve used my Cius for very little.  I never felt it was going to replace my phone.  And as a VAR, I’ve never been asked to quote one.  Almost every Cius that I’ve seen has either been in a giveaway or been given to someone to test.  In fact, a couple of days ago my friend Amy Arnold (@amyengineer) asked what the best desktop video phone was.  The answers were basically “anything but the Cius”.  That’s not really a ringing endorsement of the flagship multifunction collaboration device.

Cisco has even tried to extend the reach of the Cius by allowing it to be used as a virtual desktop infrastructure (VDI) endpoint.  Cisco calls it Virtualization eXperience Infrastructure (VXI), but it’s pronounced “VDI”.  That’s a nice idea in theory…except that the Cius has some VDI/VXI issues.  It’s very under-clocked to crunch any real CPU cycles.  The resolution on the output monitor is locked to the resolution of the Cius, which is 1024×600.  That’s worse than my first SVGA monitor from 1994.  It’s great on a 7″ screen, but not on a 24″ LCD monitor.  Cisco should really be spending time concentrating on the plumbing that makes VDI/VXI work, not on providing an endpoint for it.  Look at HP and Dell.  Their latest numbers and guidance are showing weakness in the PC area thanks to things like VDI and tablets.  Do you really want to try to break into this market?  It’s going to be like showing up to the party while everyone is cleaning up the mess.  Spend more time working with the network folks and the server folks through things like UCS and Cisco Prime NCS and ISE.  You’ll make a lot more money than you would otherwise trying to hawk tablets.

Tom’s Take

Alright, I’ll say it.  It took Cisco long enough to finally realize that there’s no money to be made in having your own “me too” tablet.  The Cius has been a curiosity.  It’s been a nice desk toy that can make phone calls and host the occasional Webex meeting.  But at the end of the day, another 50,000 Cius units wouldn’t have held off the executioner’s axe.  There aren’t lines around the corner to buy the next Cius.  No one waits with bated breath to hear about the new features that are going to be in the New Cius.  The tablet wars are all but over.  Apple won, and Samsung is waging a guerrilla partisan campaign.  Anyone that is smart will realize that the money is made by having your software ready to install when a shiny new iPad comes into the building.  Cisco is doing the right thing here by eliminating the distraction of developing for a platform no one wants.  Instead, by refocusing on the things they should be doing, like providing top notch network equipment and monitoring software, they’ll still get the pieces of the pie that they’ve been chasing all this time.  The Cius was never meant to be the hot new tablet.  It was meant to drive investment in phone systems and Webex and all the things that go along with VDI/VXI.  Those things will still be there tomorrow and even into the future.  That’ll be long after the Cius on the side of my desk has been relegated to the same pile as my Novell servers.  I highly doubt that anyone will mourn the passing of the Cius.  In fact, I’m pretty sure the only thing I’ll be hearing is “See ya.  Wouldn’t want to be ya.”

Why I Dislike Keynotes

I’d like to take a moment to talk about keynote presentations.  Anyone that has been to a major event in the last hundred years has had the privilege of hearing a keynote address.  Keynote comes from literature, where it describes something that sets an underlying theme.  Keynotes set the tone for everything that follows and serve as a framing mechanism.  At a conference or other gathering, a keynote is usually delivered by an important figure, either a high executive from the conference sponsor or a celebrity of some kind.  The celebrity can be used as a way to generate excitement or publicity about the conference, as people not otherwise interested might sign up just to see the keynote speaker.  Except, there’s just one issue…

I don’t like keynote addresses.

Nope.  None of them.  I’m not singling anyone out here.  I don’t like the idea of a keynote, period.  At most of the conferences and Tech Field Day events that I attend, we have a small mix of people listening to presentations and giving honest and real-time feedback about what they are hearing.  It’s not all that dissimilar from an honors class in college.  Smaller groups that debate topics and ask deeper, probing questions that might not be as welcome in a larger class.  I can specifically remember in my microeconomics class back in college spending two weeks building a utility-based theory of demand.  Once we thought we had our theory nailed down, the professor asked a couple of deceptively simple questions that pulled the rug out from under us and forced us to examine all the hard work that we had been doing for the last two weeks.  He gave us the rest of the day off to think about why we were wrong and when we came to class the next week, we started forming a proper demand theory that addressed all the shortcomings that had been brought up.  It was a fascinating exercise and we all learned a lot from it because we were allowed to take our own path and ask our own questions.  My friend in the larger non-honors section of the same class with the same teacher was simply told how the theory needed to be constructed on the first day of class.  No investigation, no construction.  This is how things are and how you will see them.

Keynote addresses, to me, are much the same as the large class sections.  We have a speaker who holds some importance, whether they be a CEO, CIO, or other famous celebrity.  They get to stand up and spend 45-60 minutes talking.  Their presentation is carefully constructed to display a certain message.  It feels like being in a car wash.  Things are happening around you, but you are locked in for the ride, unable to interact with anything going on.  Questions aren’t invited during a keynote.  You aren’t supposed to provide feedback to this important CxO/celebrity.  Your job as the audience is to sit there and accept what is being spoon-fed to you.  That’s what I dislike the most.  I’m a vocal guy, especially when I disagree with something that’s being said.  At smaller gatherings, I can express my dissatisfaction.  Many times, we can have an interesting discussion about things, and oftentimes I can either change my mind or at least see where the speaker is coming from.  In a keynote, I don’t get that opportunity.  I can lean over to the person sitting next to me and say something.  I can take to social media outlets and express my opinion, even if it is limited in character space.  Yet none of that will likely ever reach the person giving the speech.  If I disagree with their assessment or opinion of things, there’s a good chance that others do as well.  If we aren’t allowed to make our feelings on the matter known, then the speaker will likely never understand the dissent from their ideas.

Think about the definition of keynote for a moment.  It is something that is supposed to frame the discussion.  It’s a leading talk at the beginning to direct people to a goal.  What is the purpose of a closing keynote then?  These are usually the celebrity talks.  They involve an interviewer asking leading questions of someone not usually associated with the field in a way to make their opinions and observations relate to a topic at hand.  Almost as if to say “See?  Musicians and movie stars know about information technology too!”  Ask yourself this question: When’s the last time you heard someone exclaim, “I can’t wait to hear <celebrity>’s closing keynote!  I’m interested in their take on data center fabrics.”  Usually, the closing keynote will just serve as a way to generate interest and keep the attendees all the way to the end of the conference.  People want to see the movie star or the famous director talk.  They couldn’t care less if that person read numbers out of a phone book for an hour.

Tom’s Take

I can’t really stop keynotes.  I’m going to have to live with them at every conference I attend, with some notable exceptions.  What I can do is tell people how much I’d rather have a frank and open discussion about things.  It’s very easy for a CxO to stand in front of a captive audience and dictate policy and vision.  It’s an entirely different atmosphere when said CxO instead spends that time fielding questions and having frank discussions with people.  Would you rather hear about sweeping changes and visionary statements?  Or would you rather ask questions and get the chance to hear honest feedback?  I know which I’d rather have.  So while you might see me sitting in a keynote address from time to time, know that I’ve got something else on my mind entirely.

Cisco Live 2012 – The Place To Be Social

With less than a month to go until Cisco Live 2012 in San Diego, we’re learning more and more about the festivities every day.  From the closing keynote speakers to the Customer Appreciation Event (CAE) band, it’s shaping up to be a very exciting event.  One area that I’m particularly excited to learn more about is the social side of things.  Last year was the best Cisco Live event I’ve ever attended, due in large part to all the people that I interacted with from Twitter and other social media sites.  We spent so much time hanging out together outside the registration desk that our group of tables was nicknamed “Tom’s Corner”.  I still blush a little bit when I think of that moniker.  It was wonderful having a place for everyone to come and sit down for a bit and just hang out or discuss sessions or speakers.  Even if we did have to fight for table space or chairs from time to time, I feel that having a place set aside for everyone to meet is a wonderful idea.  For Cisco Live 2012, the great folks at Cisco that are behind social media realize that too.  That leads to a couple of exciting new opportunities this year.

Social Media Lounge

The first thing that I’m excited about is a specific area set aside in the World of Solutions (WoS) for social media!  I always hear about “blogger lounges” and other such places at other vendor events or trade shows.  Cisco must have heard about them too, because we’re going to have our own spot at Cisco Live.  Much like the NetVet Lounge or the Cisco Certified Lounge, social media will finally have a hangout to call our own.  Based on some information that I’ve seen, it’s going to be a nice place to congregate and relax.  Couches galore, TVs all around, and even perhaps some entertainment options like an XBox or two.  This will also be the place where Cisco’s social media team will likely be hanging out as well, so if you want to interact with them then this is the place to be.  I’m already planning on moving myself in the second the WoS opens up.  I wonder if they’ll let me hang a banner…?

CAE Tweetup

Since last year’s CAE Tweetup was such a rousing success, there’s going to be another one this year.  I’m excited for all the same reasons that I’m thrilled about the social media lounge.  The CAE Tweetup is going to be even better though.  I’ll give you a hint why:

That’s where we’re going to be!  Originally, the Western Metal Supply Company building was going to be torn down when Petco Park was being built in 2004.  Since it was such a historic piece of San Diego, the park designers found a way to incorporate it into the actual architecture of the park.  The Western Metal Building has now been converted into a section of luxury suites with balconies and even a viewing terrace on the roof.  During the CAE, one of those suites will house the Tweetup.  It’s going to be a great time for sure.  I’ll post more info about the CAE once my Cisco Live moles feed me more information.

Other Tweetups

Since the WoS (and social media lounge) will only be open from Monday evening to Thursday afternoon, there’s been discussion of what to do about meeting up with people around those hours.  It’s always great to get in and hang out with everyone on the first day, especially since many of us don’t get to see each other unless we run into one another at Cisco Live.  Since I’m arriving around lunchtime on Sunday, June 10, I was talking to the Cisco Live folks about having an impromptu tweetup that afternoon, say around 3 p.m. or so.  The event schedule for Sunday looks fairly light, so having a tweetup around that time would give us all a chance to stop by and say hello before wandering off to parts unknown.  There’s still not a firm place nailed down for the meeting, so once again I’ll be relying on my Bothan spies to get me the information as soon as possible.

Another idea being kicked around is a farewell tweetup sometime on Thursday.  The closing keynote runs from 2:00 to 3:00, but afterwards there are going to be many people that either don’t have sessions or just want to hang out one last time.  What would be a good time to have this last Twitter party of Cisco Live?  Last year we all hung out at Tom’s Corner until they came and took our tables away before heading off to dinner.  This year, I was thinking we could use the final meetup to take an awesome picture next to the Cisco Live sign like this one from last year:

The Cisco Live 2011 Twitter Army

There were a few folks that couldn’t make it to the photo session last year for various reasons.  This year, I figured if we got it all planned ahead of time no one would be left out. If you have any good ideas for the Thursday tweetup, either time or location, leave me a comment.  I’ll be sure to forward it on to the Cisco Live folks and make your voice heard.

Tom’s Take

Social media is a wonderful and powerful thing.  As you can see, Cisco is putting a lot of extra effort into social media and its participants this year.  From having our own lounge in the WoS to having a luxury box at the CAE, there’s no denying that it’s going to be a great time.  If you haven’t already, make sure you’re on the Cisco Live 2012 Twitter List.  That way, we can all link up easier and put names and faces to Twitter handles.  You should also log into your Cisco Live account and be sure your Twitter handle is there so it can be printed on your badge.  Let’s face it, most of us are better known by our handles and avatars than by our given names.  Hopefully, that will change with all the amazing opportunities that Cisco has given us to hang out together at Cisco Live 2012.  I can’t wait!

So Long To The CCIP

The Cisco Certified Internetwork Professional (CCIP) certification has always been the goal of those network professionals that wanted to march to the beat of a different drummer.  People like me that concentrate on the enterprise/campus side of things revel in our use of OSPF and EIGRP.  We live and die by IOS and get cold sweats at night when someone mentions IS-IS.  The ideal CCIP candidate, on the other hand, loves all of this service provider oriented talk.  They want to spend all their time talking about ingress QoS policies.  They cackle with glee when the subject of MPLS-TE comes up.  They think users are just a myth that exists on the other side of the mythical CPE Wall.

The problem, though, is that the CCIP hasn’t really been focused on the service provider arena for a while now.  While the other professional level exams have received overhauls in the recent past, no one touched the CCIP.  When the CCVP and CCSP became the CCNP: Voice and CCNP: Security, no one wanted to make the CCNP: Internetwork.  The coursework for the CCIP has always relied heavily on other tracks to exist.  QoS is a big part of the SP world, so the QoS exam was borrowed from the voice track.  Routing is another huge part, so the old Building Cisco Scalable Internetworks (BSCI) test was repurposed as well.  The only pure CCIP exams were over BGP and MPLS.  You could even take a composite exam if you were feeling up to the challenge of getting your teeth kicked in for twice as long.  However, the routing exam has caused some consternation.  When I originally studied for my CCNP three years ago, the BSCI book was a handbook of enterprise and service provider routing.  It contained a lot of information about every routing protocol.  While it focused on OSPF and EIGRP, there was a touch of BGP and IS-IS as well.  It served as the foundation for the CCNP, CCDP, and the CCIP.  This made sense with Cisco’s foundation being the router.  However, when Cisco changed the tests and courseware for the CCNP with their latest refresh, the new ROUTE test was a shell of its former self.  Based on the blueprint (login required), it still tests on OSPF, EIGRP, and BGP somewhat.  It even throws in IPv6 routing as well, which is a sorely needed topic.  However, there’s no IS-IS.  None. Nada. Zilch.  How’s that supposed to help the SP engineer that might use IS-IS all the time and never see EIGRP?  Something needed to be done.  And every passing day that the CCIP relied upon tests that didn’t fulfill the criteria of the people being certified was a day that it passed closer to irrelevance.

Thankfully, Cisco decided in May 2012 to overhaul the entire CCIP track.  Now known as the CCNP: Service Provider, it finally focuses on the things that service provider network professionals will be doing.  The four new tests are specific to the SP track.  There are no overlapping tests.  The prerequisite for the CCNP: SP is the CCNA: SP, which is two SP-specific tests of its own.  Cisco has finally figured out that most SP engineers exist in a world all their own with very little in common with enterprise/campus folks.  A quick glance at Mirek Burnejko’s excellent IT Certification Master page for the CCNP:SP shows that the SPROUTE test will focus on IS-IS, OSPFv2 and v3, and BGP.  No EIGRP to be found.  It also tests these topics on IOS-XR and IOS-XE, the new flavors of IOS that run on the equipment that would be found in an SP environment.  If you’d like to see more about the ins and outs of IOS-XR, check out Jeff Fry’s (@fryguy_pa) IOS-XR posts.  The SPADVROUTE test focuses on BGP and multicast, the two odd ducks of routing.  This means that you can spend your time reading Jeff Doyle’s Routing TCP/IP Volume 2 and take a test basically over that whole book.  The SPCORE covers QoS and MPLS functionality such as MPLS-TE.  That’s where I’d expect to see the TE stuff, since it’s usually configured in the network core and not on the edges.  The SPEDGE test covers MPLS VPNs, as well as VPN technologies in general.  I like that Cisco chose to split the core and edge pieces of the CCNP: SP, as there are people that may spend their entire careers working on P routers and never see a piece of CPE equipment.  Conversely, there are those that want to stay as far away from the core as possible and would prefer to make the PE router their device of choice.

The CCNP: SP is available today at any Prometric/VUE testing center.  You can find out more about the certification from Cisco’s website or by visiting Mirek’s site above.

Tom’s Take

Cisco has done a great job of breaking the CCIP up into bite-sized chunks that have clearly defined topic boundaries.  I can choose to focus on interior routing without worrying about multicast.  I can focus on MPLS VPN without thinking too much about MPLS-TE.  I can focus on the important parts one at a time.  The new CCNP: SP also addresses the shortcomings I’ve seen with the old CCIP test.  By giving the SP track a dedicated testing platform all by itself, Cisco no longer has to worry that test changes in one area will carry over to a separate track and cause confusion and delay.  As well, with the new branding and focus on the service provider arena, Cisco has shown that it has not forsaken those that want to spend their time working behind the scenes at ISPs.

Switchport Voice VLAN – What Does It Do?

One of the more tedious parts of any phone system deployment is configuring the access layer switches to support said phones.  The configuration in and of itself isn’t complicated, but every port that may receive a phone needs to be set up correctly.  In Cisco parlance, this is accomplished with the switchport voice vlan <ID> command.  I’ve typed that into the CLI a thousand times and never really knew what it did besides “make the phones work”.  After a little research, I finally found some answers.  I thought I’d share them with you.

In the old days, before the Catalyst 2950, configuring a switch port for use by a phone involved creating an explicit 802.1q trunk.  This made sense from the perspective that it allowed traffic from multiple VLANs to pass on a single link.  It also allowed the 802.1p priority bits for Quality of Service (QoS) tagging to be sent with the frames.  The downside is that it was very difficult for phone mobility.  You either needed to provision every phone-facing switchport in your organization to be an 802.1q trunk or you had to leave the phones where they were.  While the latter is usually the case in most of my deployments, the mobility provided by the ability to plug a phone in anywhere in the network and not worry about extra configuration is key to some clients.  Thankfully, Cisco fixed this starting in the 2950 with a little concept known as the Auxiliary VLAN.

The Auxiliary VLAN (AUX VLAN) is a specialized VLAN that sits beside a regular access VLAN configured on a switch (sometimes called a “normal” VLAN).  The purpose of the AUX VLAN is to allow IP phones to transmit their payloads along with the untagged data coming from a PC that might be plugged into a switchport on the back of the phone.  The AUX VLAN allows these two devices to transmit on the same port without the need to use an explicit trunk on the link.  In addition, since the port is not configured explicitly as an 802.1q trunk, extraneous VLANs will not be flooded over the port.  In essence, the port becomes a two VLAN trunk.  All the phone traffic is tagged with the ID of the AUX VLAN and the PC traffic is untagged.  Curiously, according to this document, the traffic in the AUX VLAN must also carry a Class of Service (CoS) of 5 along with the AUX VLAN ID.  Otherwise, the traffic is dropped.  So how does the phone get the ID of the AUX VLAN so it can start sending the traffic?  Ah, that’s where CDP comes in.

Cisco Discovery Protocol (CDP) is very crucial in the operation of a Cisco IP phone.  It not only provides the AUX (Voice) VLAN ID for the phone to begin sending traffic on the AUX VLAN, it also allows the phone to automatically negotiate power settings.  This allows the phone to use less than the maximum 15.4 watts of power under the 802.3af PoE standard.  If you disable CDP on the port facing the phone/PC you will likely start pulling your hair out.  Even though the phone might have already assigned itself in the Voice VLAN, removing CDP from the switchport in question causes it to forget where to find the voice VLAN.  You’ll need to re-enable CDP and reboot the phone.  You could also statically configure an 802.1q trunk to fix the issue, but where’s the fun in that?

One other curious note is that I’ve always been told that the connection between the phone and the switch when switchport voice vlan is configured is a “special 802.1q trunk”.  Not that I’ve ever been able to see that configuration, as show interface trunk seems to think that the port isn’t trunking and show interface switchport says that it’s an access port.  The key is in Cisco’s documentation.  The correct term for a port with switchport voice vlan configured is a “multi-VLAN access port”.  The distinction between the two is that only the two VLANs (voice and access) configured on the switchport will be accepted on the link.  If you were to do something silly like, oh I don’t know, plug another switch into the back of the phone and configure an access port on that switch to be in a different VLAN than the voice or PC access VLAN, traffic would not pass through the phone port to the switch.  Once again, that’s because this isn’t a real trunk.  The switch will only accept untagged frames (placed in the access VLAN) and frames tagged with the Voice (AUX) VLAN.
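To make the difference between the two port types concrete, here is a small Python model of the acceptance rules described above.  It is an added illustration, not Cisco’s code or anything from the original post; the VLAN numbers, MAC addresses and frame bytes are constructed samples, and the 802.1Q tag layout (TPID 0x8100, 3 priority bits, 12-bit VLAN ID) is the standard one.

```python
"""Model of how a multi-VLAN access port (switchport voice vlan) and an
explicit 802.1q trunk treat incoming frames.  Added illustration, not Cisco
code; VLAN IDs and frame contents below are constructed samples."""
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def parse_frame(frame: bytes):
    """Return (cos, vlan_id) for a tagged frame, or (None, None) if untagged.
    The tag follows the 12 bytes of destination+source MAC: a 2-byte TPID of
    0x8100, then a 2-byte TCI whose top 3 bits are the 802.1p priority (CoS)
    and whose low 12 bits are the VLAN ID."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13, tci & 0x0FFF


def multi_vlan_access_port(frame: bytes, access_vlan: int, voice_vlan: int):
    """switchport access vlan X + switchport voice vlan Y: untagged frames are
    placed in the access VLAN, frames tagged with the voice VLAN are accepted,
    and a frame tagged with any other VLAN is dropped (returns None)."""
    _cos, vid = parse_frame(frame)
    if vid is None:
        return access_vlan
    if vid == voice_vlan:
        return voice_vlan
    return None  # not a real trunk: a third VLAN never passes


def trunk_port(frame: bytes, native_vlan: int, allowed=None):
    """Explicit 802.1q trunk: untagged frames go to the native VLAN; tagged
    frames are forwarded for every VLAN in the allowed list, or for any VLAN
    when no allowed list is configured (the 'extraneous VLANs' case)."""
    _cos, vid = parse_frame(frame)
    if vid is None:
        return native_vlan
    if allowed is None or vid in allowed:
        return vid
    return None


def build_frame(vlan_id=None, cos=0) -> bytes:
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, IPv4
    EtherType and zero padding to a minimum-size payload."""
    macs = bytes.fromhex("0011223344550066778899aa")
    tag = b"" if vlan_id is None else struct.pack(
        "!HH", TPID_8021Q, (cos << 13) | vlan_id)
    return macs + tag + b"\x08\x00" + bytes(46)
```

The phone’s frame carries CoS 5 in the tag, which is the 802.1p marking the post mentions; the PC’s frame has no tag at all and so lands in the access VLAN.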


Tom’s Take

I hope this gave you a little more insight into what the magical command switchport voice vlan does on a switch.  I’m often asked by people new to voice why this must be configured each time.  Before, I blindly regurgitated lines like “special 802.1q trunk” and “do it or it won’t work.”  Now I have a very interesting story to tell and threaten people with if they don’t do it.

Cisco Unified Communications Manager 8: Expert Administration Cookbook – Review

When you spend as much time configuring Cisco Unified Communications Manager (CUCM) servers as I do, you do one of two things.  Either you spend a lot of time reading through documentation, or you write down the important steps as concisely as possible for later use.  Documentation has uses.  When you are first learning something or you need the explanation for exactly what a partition does, documentation is your best friend.  However, when you’ve configured a ton of servers already and know the basics cold, wading through page upon page of prose to find the missing parameter of your Automated Alternate Routing (AAR) configuration is time consuming and frustrating.  If only there was some book that you could keep with you that has the basic configurations spelled out in short snippets.  A book that would allow you to quickly look up a function or feature and get it up and running without a fifteen page lead-in.  Thankfully, such a book does exist:

Tanner Ezell (@tannerezell) does a great job of condensing the mountain of documentation that Cisco has produced to support CUCM into 285 pages of tips and tricks on configuring important features that you’ll run across every day.  Unlike the Cisco Press CUCM guide I reviewed previously, Tanner’s book doesn’t step through the details of configuring a partition or a calling search space (CSS) for the first time.  Instead, this book assumes that you are a professional who has done tasks like that many, many times before, and it concentrates on some of the newer features in CUCM 8 that may or may not be something that the reader has configured before.  Things like E.164 normalized dialing using the “+” symbol or Cross-Cluster Extension Mobility.  In fact, after reading the first three recipes in the book, I configured plus-dialing on my production cluster with no fuss.  That’s not something I was comfortable doing after reading through the tome of configuration on Cisco’s website or in the Solution Reference Network Design (SRND) document.

Think of this book as a reference guide for the 20% of features that you may configure once or twice every six months.  Sure, I can create a North American Numbering Plan (NANP) route pattern list in my sleep.  However, when it comes time for me to configure AAR or set up the Real Time Monitoring Tool (RTMT) to email me when something breaks, I’m going to have to look up how to do that.  Now, all I need to do is flip open this book to the appropriate chapter and get right to work without using CTRL + F to sort through pages for what I need to know.

Tom’s Take

CUCM 8 Expert Administration Cookbook was a pretty quick read for me.  That’s because I’ve seen many of the things in here before.  The problem is that I don’t remember them since they aren’t things I do every day.  It’s nice to know that I have a good reference book that I can rely on to help me in those times of need when I have to have a feature up and running quickly and my mind has gone totally blank on it.  I commend Tanner Ezell for taking the time to boil the feature configuration down to the bare necessities needed to get everything operational and then put it into printed form for us to enjoy.  I’m sure that my copy of this book is going to be well worn for many deployments to come.

Review Disclaimer

The copy of CUCM 8: Expert Administration Cookbook that was reviewed was purchased by me from Amazon.  It was not provided by the publisher.  As such, neither the publisher nor the author was granted any consideration in the writing of this review.  The opinions and analysis contained herein are mine and mine alone.