Fixing E-Rate – SIP

I was talking to my friend Joshua Williams (@JSW_EdTech) about our favorite discussion topic: E-Rate.  I’ve written about E-Rate’s slow death and how it needs to be modernized.  One of the things that Joshua mentioned to me is a recent speech from Commissioner Ajit Pai in front of the FCC.  The short, short version of this speech is that the esteemed commissioner doesn’t want to increase the pool of money paid from the Universal Service Fund (USF) into E-Rate.  Instead, he wants to do away with “wasteful” services like wireline telephones and web hosting.  Naturally, when I read this my reaction was a bit pointed.

Commissioner Pai has his heart in the right place.  His staff gave him some very good notes about his interviews with school officials.  But he’s missed the boat completely about the “waste” in the program and how to address it.  His idea of reforming the program won’t come close to fixing the problems inherent in the system.

Voices Carry

Let’s look at the phone portion for a moment.  Commissioner Pai says that E-Rate spends $600 million per year on funding wireline telephone services.  That is a pretty big number.  He says that the money we sink into phone services should go to broadband connections instead.  Because the problems in schools aren’t decaying phone systems or lack of wireless or even old architecture.  It’s faster Internet.  Never mind that broadband circuits are part of the always-funded Priority One pool of money.  Or that getting the equipment required to turn up the circuit is part of Priority Two.  No, the way to fix the problem is to stop paying for phones.

Commissioner Pai obviously emails and texts the principals and receptionists at his children’s schools.  He must have instant messaging communications with them regularly. Who in their right mind would call a school?  Oh, right.  Think of all the reasons that you might want to call a school.  My child forgot their sweater.  I’m picking them up early for a doctor’s appointment.  The list is virtually endless.  There are so many reasons to call a school.  Telling the school that you’re no longer paying for phone service is likely to get you yelled at.  Or run out of town on a rail.

What about newer phone technologies?  Services that might work better with those fast broadband connections that Commissioner Pai is suggesting are sorely needed?  What about SIP trunking?  It seems like a no-brainer to me.  Take some of the voice service money and earmark it for new broadband connections.  However, it can only be used for a faster broadband connection if the telephone service is converted to a SIP trunk.  That’s a brilliant idea that would redirect the funding where it’s needed.

Sure, it’s likely going to require an upgrade of phone gear to support SIP and VoIP in general.  Yes, some rural phone companies are going to be forced to upgrade their circuits to support SIP.  But given that the major telecom companies have already petitioned the FCC to do away with wireline copper services in favor of VoIP, it seems that the phone companies would be on board with this.  It fixes many of the problems while still preserving the need for voice communications to the schools.

This is a win for the E-Rate integrators that are being targeted by Commissioner Pai’s statement that it’s too difficult to fill out E-Rate paperwork.  Those same integrators will be needed to take legacy phone systems and drag them kicking and screaming into the modern era.  This kind of expertise is what E-Rate should be paying for.  It’s the kind of specialized knowledge that school IT departments shouldn’t need to have on staff.


Tom’s Take

I spent a large part of my career implementing voice systems for education.  Many times I wondered why we would hook up a state-of-the-art CallManager to a cluster of analog voice lines.  The answer was almost always about money.  SIP was expensive.  SIP required a faster circuit.  Analog was cheap.  It was available.  It was easy.

Now schools have to deal with the real possibility of losing funding for E-Rate voice service because one of the commissioners thinks that no one uses voice any more.  I say we should take the money he wants to save and reinvest it into modernizing phone systems for all E-Rate eligible schools.  Doing so would go a long way toward removing the increasing maintenance costs for legacy phone systems as well as retiring circuits that require constant attention.  That would increase the pool of available money in future funding years.  The answer isn’t to kill programs.  It’s to figure out why they cost so much and find ways to make them more efficient.  And if you don’t think that’s what’s needed Commissioner Pai, give me a call.  I still have a working phone.

Is It Time To Eliminate Long Distance?

“What’s your phone number?”

It seems like an innocuous question.  But what are you expecting?  Phone numbers in the US can vary in length greatly depending on where you live.  I grew up in a small town.  My first telephone line was a party line.  Because there were four families on the same line, phone numbers didn’t mean much beyond getting you to the general location.  When we moved into town we finally got our own telephone line.  But the number was only four digits, like a PBX extension.  Since all phones in town had the same prefix, all calls were switched via the last four digits.  The day finally came when we all had to dial the prefix along with the four-digit number.  Now we were up to seven.

If you ask someone their phone number, you’re likely to get any one of several number combinations.  Seven digits, ten digits, or even eleven digits for those that do international business.  Computer systems can be coded to automatically fill in the area code for small stores that need contact information.  Other nationwide chains ask for the area code every time.  And those international business people always start their number with “+1”, which may not even be an option on the system.  How do we standardize?

Cracking The Code

Part of our standardization issues comes from the area codes we’ve been using for sixty years.  Originally conceived as a way to regionalize telephone exchanges, area codes have become something of a quandary.  In larger cities, we use 10-digit phone dialing because of overlay area codes.  Rather than using one code for all the users in a given area, the dial plan has grown so large that more codes were needed to serve the population.  In order to ensure these codes are used correctly you must dial all ten digits of the phone number.

In smaller locations still served by one area code, the need for 10-digit dialing is less clear. In my home area code of 405, I don’t need to dial ten digits to reach the Oklahoma City metro area.  If I want to dial outside of my area code, I need to use the long distance prefix.  However, there are some areas in the 405 area code that are not long distance but require dialing 405.  These are technically Inter-LATA Intrastate long distance calls.  And the confusion over the area codes comes down to the long distance question.

Going the Distance

The long distance system in America is the cause of all the area code confusion.  Users universally assume that they need to dial a 1 before any number to cross area codes.  That is true in places where a given area code covers all users.  But users also need to dial the long distance code to access users on different phone systems and in different towns.  It’s difficult to remember the rules.  And when you dial a 1 and it’s not needed, you get the reorder tone from your telco provider.

Now add mobile phones into the equation.  My friend from college still has the same mobile number he had ten years ago in this area code.  He lives in Seattle now.  If I want to call and talk to him, it’s a local call on my home phone.  If his next door neighbor wants to call him it will be a long distance call.  Many people still have their first mobile number even though they have moved to area codes across the country.

Mobile phone providers don’t care about long distance calls.  A call to a phone next to you is no different than a call to a phone in Alaska.  This reinforces the importance of 10-digit dialing.  I give my mobile number as ten digits all the time, unless I give the 11-digit E.164 globalized number.  It’s quick and easy and people in large areas are used to it.

It’s time to do the same for landline phones.  I think the utility for landlines would increase immensely if long distance was no longer an issue.  If you force all users to dial ten digits they won’t mind so long as the calls can be routed anywhere in any area code.  When you consider that most phone providers give users free long distance plans or even service for just a few cents, holding on to the idea of long distance calls makes little to no sense.
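The “What’s your phone number?” question and the E.164 paragraph above both come down to the same parsing problem: a system that stores contact numbers has to accept seven, ten and eleven digits (and “+1”) and reduce them to one canonical form. The following is an added example, not code from the post; it normalizes user-entered US numbers to E.164 and then works out the dial string a landline or a mobile would need, using a simplified model of the rules the post describes (seven digits inside the home area code, 1 plus ten digits to leave it, always ten digits from a mobile). The home area code 405 and the sample inputs are constructed for the example.

```python
import re
from typing import Optional

# Assumed home area code for the example (the post's author is in 405).
HOME_AREA_CODE = "405"

# Constructed sample inputs in the shapes the post mentions: seven digits,
# ten digits, eleven digits with a leading 1, and "+1" from international callers.
SAMPLE_INPUTS = [
    "555-0134",
    "(405) 555-0134",
    "1-405-555-0134",
    "+1 405 555 0134",
    "+44 20 7946 0958",   # non-US country code, rejected by this US-only normalizer
    "12345",              # wrong length, rejected
]

# NANP shape: area code NXX and exchange NXX, where N is 2-9, then four digits.
_NANP_NATIONAL = re.compile(r"[2-9]\d{2}[2-9]\d{6}")


def normalize_to_e164(raw: str, home_area_code: str = HOME_AREA_CODE) -> Optional[str]:
    """Return '+1' followed by the ten-digit national number, or None if unparseable."""
    raw = raw.strip()
    has_plus = raw.startswith("+")
    digits = re.sub(r"\D", "", raw)
    if has_plus:
        # Caller gave a country code explicitly; only +1 is handled here.
        if digits.startswith("1") and len(digits) == 11:
            national = digits[1:]
        else:
            return None
    elif len(digits) == 11 and digits[0] == "1":
        national = digits[1:]            # 1 + ten digits
    elif len(digits) == 10:
        national = digits                # ten digits
    elif len(digits) == 7:
        national = home_area_code + digits   # seven digits: fill in the home area code
    else:
        return None
    if not _NANP_NATIONAL.fullmatch(national):
        return None
    return "+1" + national


def landline_dial_string(e164: str, home_area_code: str = HOME_AREA_CODE,
                         ten_digit_local: bool = False) -> str:
    """What a landline in home_area_code must dial to reach an E.164 number.

    ten_digit_local=True models an overlay area code where all local calls are
    ten digits; otherwise local calls are seven digits and crossing the area
    code needs the long distance prefix 1.
    """
    national = e164[2:]
    area, rest = national[:3], national[3:]
    if area == home_area_code:
        return national if ten_digit_local else rest
    return "1" + national


def mobile_dial_string(e164: str) -> str:
    """Mobile providers ignore long distance: ten digits reach anyone."""
    return e164[2:]


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        e164 = normalize_to_e164(raw)
        if e164 is None:
            print(f"{raw!r:>22} -> rejected")
        else:
            print(f"{raw!r:>22} -> {e164}  landline dials {landline_dial_string(e164)},"
                  f" mobile dials {mobile_dial_string(e164)}")
```

Storing the E.164 form and deriving the dial string at call time is what lets a directory entry keep working when a user moves, or when the local exchange switches to 10-digit dialing, without re-entering every number.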


Tom’s Take

As a former voice engineer, long distance always gave me fits.  People wanted to track long distance calls to assign charges, even when they had hundreds of minutes of free long distance.  The need to enter a long distance access code rendered my Cisco Cius unusable.  I longed for the day that long distance was abolished.

Now, local phone companies see users evaporating before their very eyes.  No one uses their home phone any more.  I know I never answer mine, since most of the calls are from people I don’t want to talk to.  I think the last actual call I made was to my mother, which just happened to be long distance.

If telcos want users to use landlines, they should abolish the idea of long distance and make the system work like a mobile phone.  Calling my neighbor with a 212 area code would just require a 10-digit call.  No long distance.  No crazy rules.  Just a simple phone call.  People would start giving 10-digit numbers.  Billing would be simplified.  The world would be a better place.

The CoR Issue

Image from John Welsh.  Read his blog for more voice goodness.


In my former life as a voice engineer, I spent a lot of my time explaining class of restriction (CoR) to users and administrators.  The same kinds of questions kept getting asked every time I set up a new system.  Users wanted to know how to make long distance calls.  Administrators wanted to restrict long distance calls.  In some cases, administration went to the extreme of asking if phones could be configured to have no dial tone during class periods or only have long distance enabled during break and lunch periods.

This kind of technology restriction leads to all kinds of behavioral issues.  The administrators may have had the best of intentions in the beginning.  Restricting long distance calls cuts down on billing issues.  Using access codes removes arguments about who dialed a specific number.  Removing dial tone from a handset during work hours encourages teachers and staff and employees to focus on their duties.  It all sounds great. Until the users get involved.

No Restrictions

Users are ingenious creatures.  Given a restriction, they will do everything they can to go around it.  Long distance codes will be shared around a department until an unrestricted one can be found and exploited.  Phones that have dial tone turned off will be ignored.  Worse yet, given a restrictive enough environment users will turn to personal devices to avoid complications.

I used to tell school officials the unvarnished truth.  If you disable a phone during class, teachers will just drag out their cell phone to make a call when needed.  They won’t wait for a break, especially if it is a disciplinary issue or an emergency.  Cell phones are pervasive enough now that most everyone carries one.  Do you think that an employee that has a restricted phone is going to accept it?  Or will they just use their own phone to make a long distance call or make a call during a restricted time?

Class of restriction needs to be rethought for phone systems in today’s environments.  We need to ensure that things like access codes are in place for transparency, not for behavior modification.  Given that we have options like extension mobility for user identification on a specific device, it makes sense that we should be able to identify phone calls from a given user on a given extension with ease.  There should be no reason for a client matter code or forced authorization code.

Likewise, restricting dial tone on a phone should be discouraged.  Giving users a good reason to use non-controlled devices like cell phones isn’t really a good option.  Instead, you should be counseling the users to treat an in-room phone like any other corporate device.  It should be used when appropriate.  If direct inward dial (DID) is configured for the extension, users should be cautioned to only give the number to trusted parties.  DID is usually not configured for extensions in most of my deployments, so it’s not an issue.  That’s not to say it won’t come up in your deployment.


Tom’s Take

Class of restriction is a necessary evil in a phone system.  It prevents expensive toll calls like 900 numbers or international calls.  However, it should really only be used to curtail these kinds of problems and not to restrict normal user behavior, like long distance calls.  I can remember using my Cisco Cius for the first time only to discover that a firmware bug rendered it unusable due to CoR preventing me from entering a long distance code.  I had to shelve the unit until the bug was fixed.  Which just happened to be a few weeks before the device was officially killed off.  When you restrict the use of your device, users will choose to not use your device.  Giving users the largest number of options will encourage them to use everything at their disposal.  CoR shouldn’t create issues, it should allow users to solve them.
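The CoR argument in this post (block premium and international toll calls, leave long distance and local alone, never block emergency calls, and record who called rather than gating calls behind codes) can be written down as a policy and checked. The following is an added example, not code from the post or from any Cisco product; the dial patterns borrow the familiar route-pattern wildcards (X for one digit, ! for one or more, a dot as the access-code separator), but the matcher, the two policies and the extensions are a simplified, constructed model, not CUCM’s implementation.

```python
import re
from typing import Dict, List, Optional

# Dial classes in most-specific-first order. Each class lists patterns using
# route-pattern style wildcards: X = one digit, ! = one or more digits, the dot
# only marks where the outside access code ends and is ignored for matching.
DIAL_CLASSES: List[tuple] = [
    ("emergency",     ["911", "9.911"]),
    ("premium",       ["9.1900XXXXXXX"]),           # 900 numbers
    ("international", ["9.011!"]),
    ("long_distance", ["9.1[2-9]XX[2-9]XXXXXX"]),
    ("local",         ["9.[2-9]XXXXXX"]),
    ("internal",      ["XXXX"]),                    # four-digit extensions
]

# The policy the post argues for: only toll-fraud classes are blocked.
RECOMMENDED_POLICY: Dict[str, bool] = {
    "emergency": True, "internal": True, "local": True,
    "long_distance": True, "international": False, "premium": False,
}

# The over-restrictive policy the post argues against.
LEGACY_POLICY: Dict[str, bool] = dict(RECOMMENDED_POLICY, long_distance=False)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a route-pattern style string into an anchored regex."""
    out = []
    for ch in pattern.replace(".", ""):
        if ch == "X":
            out.append(r"\d")
        elif ch == "!":
            out.append(r"\d+")
        else:
            out.append(ch)          # literal digits and [2-9] ranges pass through
    return re.compile("^" + "".join(out) + "$")


_COMPILED = [(name, [pattern_to_regex(p) for p in pats]) for name, pats in DIAL_CLASSES]


def classify_call(dialed: str) -> Optional[str]:
    """Return the dial class of a digit string, or None if nothing matches."""
    for name, regexes in _COMPILED:
        if any(r.match(dialed) for r in regexes):
            return name
    return None


def evaluate_call(extension: str, dialed: str, policy: Dict[str, bool],
                  dial_tone_disabled: bool = False) -> Dict[str, object]:
    """Decide whether a call is allowed and return a call record for the log.

    Because the record carries the calling extension, accountability comes from
    the log itself rather than from a forced authorization code. Emergency calls
    are permitted even when an administrator has "turned off" the phone.
    """
    call_class = classify_call(dialed)
    if call_class is None:
        allowed, reason = False, "unrecognized dial string"
    elif call_class == "emergency":
        allowed, reason = True, "emergency calls always permitted"
    elif dial_tone_disabled:
        allowed, reason = False, "dial tone disabled for this period"
    else:
        allowed = policy.get(call_class, False)
        reason = "permitted by policy" if allowed else f"{call_class} blocked by policy"
    return {"extension": extension, "dialed": dialed, "class": call_class,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed sample calls from extension 2002.
    for dialed in ["2001", "95550134", "912125550134", "919005550134",
                   "9011442079460958", "911"]:
        for label, policy in (("recommended", RECOMMENDED_POLICY), ("legacy", LEGACY_POLICY)):
            rec = evaluate_call("2002", dialed, policy)
            print(f"{label:>11} {dialed:>16} {str(rec['class']):>13} "
                  f"{'ALLOW' if rec['allowed'] else 'DENY':>5}  {rec['reason']}")
```

Run against the sample list, the only calls the two policies disagree on are long distance, which is exactly the gap that sends teachers to their cell phones; the emergency row shows that the “no dial tone” setting still has to let 911 through.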

FaceTime Audio: The Beginning or The End?


The world of mobile devices is a curious one. Handset manufacturers are always raising the bar for features in both hardware and software in order to convince customers to use their device. Yet, no matter how much innovation goes into the handset, the vendors are still very reliant upon the whims of the carriers. Apple knows this perhaps better than anyone.

In Your FaceTime

FaceTime was the first protocol to feel the wrath of the carriers. Apple developed it as a way to facilitate video communication between parties. The idea was that face-to-face video communications could be simplified to create a seamless experience. And it did, for the most part. Except that AT&T decided that using FaceTime over 3G would put too much strain on their network. At first, they forced Apple to limit FaceTime to only work with wireless connections. That severely inhibited the utility of the protocol. If the only place that you can video call someone is at home or in a coffee shop (or on crappy hotel wireless) that makes the video call much less useful.

Apple finally allowed FaceTime to operate over cellular networks in iOS 6, yet AT&T (and other carriers) restricted the use of the protocol to those customers on the most current data plans. This eliminated those on older, unlimited data plans from utilizing the service. The carriers eventually gave in to customer pressure and started rolling out the capability to all subscribers. By then, it was too late. Apple had decided to take a different track – replace the need for a carrier.

Message For You

The first shot in this replacement battle came with iMessage. Apple created a messaging protocol like the iChat system for Mac, only it ran on iPhones and iPads (and later Macs). It was enabled by default, which was genius. The first time you sent a Short Message Service (SMS) text to a friend, the system detected you were messaging another iPhone user on a compatible version of software. The system then flipped the messaging over to use iMessage instead of SMS and the chat bubbles turned blue instead of green. Now, you could send pictures of any size as well as texts of any length with no restrictions. 160-character limits were no longer a concern. Neither was paying your carrier for an SMS plan. So long as the people you spoke with were all iDevice users the service was completely free.

iMessage was Apple’s first attempt to sideline the carriers. It removed a huge portion of their profitability. According to an article published at the launch of iMessage, carriers were making $.20 per message outside of an SMS plan for data that would cost about $.0125 on a data plan. Worse yet, that message traversed a control channel that was always present for the user. There was no additional cost to the carrier beyond flipping a switch to enable message delivery to the phone. It was a pure-profit enterprise. Apple seized on the opportunity to erode that profitability.

Today, you can barely find a cellular plan that *doesn’t* include unlimited text messaging. The carriers can no longer reap the rewards of a high profit, low cost service like SMS because of Apple and iMessage. Carriers are instead including it as a quality of life feature that they make nothing from. Cupertino has eliminated one of the sources of carrier entanglement. And they’re poised to do it again in iOS 7.

You Can Hear Me Now

FaceTime Audio was one of the features of iOS 7 that got swept under the rug in favor of talking about flat design or parallax wallpaper. FaceTime Audio uses the same audio codec from FaceTime, AAC-ELD, to initiate a phone call between two iDevice users. Only it doesn’t use the 3G/LTE radio to make the call. It’s all done via the data connection.

I tested FaceTime Audio for the first time after my wife upgraded her phone to iOS 7. The results were beyond astonishing. The audio quality of the call was as crisp and clear as any I’d ever heard. In fact, I would compare it to the use of Cisco’s Wideband G.722 codec on an enterprise voice system. My wife, a non-technical person, even noticed the difference by remarking, “It’s like you’re right next to me in the same room!” I specifically tried it over 3G/LTE to make sure it wasn’t blocked like FaceTime video. Amazingly, it wasn’t.

The Mean Opinion Score (MOS) rating that telephony networks use to rate call clarity runs from 1 to 5. A 1 means you can’t hear them at all. A 5 means there is no difference between talking on the phone and talking in the same room. Most of the “best” calls get a MOS rating in the 4.1-4.3 range. I would rate FaceTime Audio at a 4.5 or higher. Not only could I hear my wife clearly on the calls we made, but I also heard background noise clearly when she turned her head to speak to someone. The clarity was so amazing that I even tweeted about it.

FaceTime Audio calling could be poised to do the same thing to voice minutes that iMessage did to SMS. I’ve already changed the favorite for my wife’s number to dial her via FaceTime Audio instead of her mobile phone number. The clarity makes that much of a difference. It also helps that I’m not using any of my plan minutes to call her. Yes, I realize that many carriers make mobile-to-mobile calls free already. However, I was also able to call my wife via FaceTime Audio from my iPad as a test that worked perfectly. Now, I not only don’t use voice minutes but have the flexibility to call from a device that previously had no capability to do so.

Who Needs A Phone?

Think about the iPod Touch. It is a device that is very similar to the iPhone. In fact, with the exception of the cellular radio one might say they’re identical. With iMessage, I can get texts on an iPod Touch using my Apple ID. So long as I’m around a wireless connection (or have a 3G MiFi device) I’m connected to the world. With FaceTime Audio, the same Apple ID now allows me to take phone calls. The only thing the carriers now have to provide is a data connection. You still can’t text or call non-Apple devices with iMessage and FaceTime. However, you can reduce the amount of money you are paying for their services due to a reduction in the amount of minutes and/or texts you are sending. That should have the mobile carriers running scared.


Tom’s Take

I once said I would never own a cellular phone because sometimes I didn’t want to be found. Today, I get nervous if mine isn’t with me at all times. I also didn’t get SMS messaging at first. Now I spend more time doing that than anything else. Mobile technology has changed our lives. We’ve spent far too much time chained to the carriers, however. They have dictated what we can do with our phones. They have enforced how much data we use and how much we can talk. With protocols like FaceTime Audio, the handset manufacturers are going to start deciding how best to use their own devices. No carrier will be able to institute limits on minutes or texts. I think that if FaceTime Audio takes off in the same way as iMessage, you’ll see mobile carriers offering unlimited talk plans alongside the unlimited text plans within the next two years. If 50% of your userbase is making calls on their data plans, the need for all those “rollover” minutes becomes spurious. People will start reducing their plans down to the minimum necessary to get good data coverage. And if a carrier decides to start gouging for data service? Just take your device to another carrier. Or drop your contract in favor of a MiFi or similar data-only connection. FaceTime Audio is the beginning of easy Voice over IP (VoIP) calling. It’s the end of the road for carrier dominance.

Glue Peddlers


There’s an old adage that says “A chain is only as strong as the weakest link.”  While people typically use this in terms of saying that teams are only as strong as their weakest member, I look at it through a different lens.  In my former life as a Value Added Reseller (VAR) engineer, I spent a lot of my time working with technologies that needed to be linked together like a chain.

You have probably seen the lamentations of a voice engineer complaining about fax machines.  If you haven’t, you should count yourself lucky.  Fax machines are the bane of the lives of many telecom folks.  They aren’t that difficult when you get right down to it.  They’re essentially printers with a 9600 baud modem attached for making phone calls.  Indeed, fax machines are probably one of the most robust pieces of technology that I’ve encountered.  I’ve seen faxes covered in dust and grime from a decade or more of use still dutifully churning out page after page of low resolution black-and-white print.

Faxes themselves aren’t the issue.  The problem is that their technology has been eclipsed to the point where interfacing them in the modern world is often difficult and time consuming.  I usually counsel my customers to leave their fax machines plugged directly into an analog landline to avoid issues.  For those times where that can’t be done, I have a whole bag of tricks to make it work with a voice over IP (VoIP) system.  Adaptors and relays and other such tricks help me figure out how to make this decades-old tech work with a modern PRI or SIP connection.  And don’t even get me started on interfacing a fire alarm with an IP phone system.

The best VARs in the world don’t make their money from reselling a pile of hardware to a customer.  The profits aren’t found in a bill of materials.  Instead, they make money in the glue business.  Tying two disparate technologies together via custom programming or knowledge of processes needed to make dissimilar technology work the right way is their real trade.  This is their “glue.”  I can remember having discussions with people regarding the hardest parts of an implementation.  It’s not in setting up a dial plan or configuring a VM cluster with the right IP address.  It’s usually in making some old piece of technology work correctly.  A fire alarm or a Novell server or an ancient wireless access point can quickly become the focus area of an entire project and consume all your time.

If you really want to differentiate yourself from the pack of “box pushers” out there just reselling equipment you need to concentrate on the point where the glue needs to be the stickiest.  That’s where the customer’s knowledge is the weakest.  That’s the point that will end up causing the most pain.  That’s where the money is waiting for the truly dedicated.  VARs have already figured this out.  If you want to make yourself valuable to a customer or to a VAR, be the best at gluing these technologies together.  Understand how to make old technology work with new tech.  There’s always going to be new technology coming out to replace what’s being used currently.  And there will always be a customer or two that want to keep using that old technology far past the expiration date.  If you are the one that can tie those two things together with a minimum of effort, you’ll find yourself the most popular peddler in the market.

CCIE Loses Its Voice

The world we live in is constantly adapting and changing to new communications methods.  I can still remember having a party line telephone when I was a kid.  I’ve graduated to using landlines, cellular phones, email, instant messaging, text messaging, and even the occasional video call.  There are more methods to contact people than I can count on both hands.  This change is also being reflected in the workforce as well.  People who just a few years ago felt comfortable having a desk phone and simple voice mail are now embracing instant messaging with presence integration and unified voice mail as well as single number reach to their mobile devices.  It’s a brave new world that a voice engineer is going to need to understand in depth.

To that end, Cisco has decided to retire the CCIE Voice in favor of an updated track that will be christened the CCIE Collaboration.  Note that they aren’t merely changing the blueprint like they have in the past with the CCIE SP or the CCIE R&S.  This is like the CCIE Storage being moved aside for the CCIE Data Center.  The radical shift in content of the exam should be a tip-off to the candidates that this isn’t going to be the same old voice stuff with a few new bells and whistles.

Name That Tune

The lab equipment and software list (CCO account required) includes a bump to CUCM 9.1 for the call processor, as well as various 9.x versions of Unity Connection, Presence, and CUCME.  There’s also a UCS C460, which isn’t too surprising with CUCM being a virtualized product now.  The hardware is rounded out with 2921 and 3925 routers as well as a 3750-X switch.  The most curious inclusion is the Cisco Jabber Video for Telepresence.  That right there is the key to the whole “collaboration” focus on this exam.  There is a 9971 phone listed as an item.  I can almost guarantee you’re going to have to make a video call from the 9971 to the video soft client in Cisco Jabber.  That’s all made possible thanks to Cisco’s integration of video in CUCM in 9.1.  This has been their strategy all along.

The CCIE Voice is considered one of the hardest certifications to get, even among the CCIE family.  It’s not that there is any one specific task to configure that just wrecks candidates.  The real issue is the amount of tasks that must be configured.  Especially when you consider that a simple 3-point task to get the remote site dial plan up and running could take a couple of hours of configuration.  Add in the integrated troubleshooting section that requires you to find a problem after you’ve already configured it incorrectly and you can see why this monster is such a hard test.  One has to wonder what adding video and other advanced topics like presence integration into the lab is going to do to the amount of time the candidate has to configure things.  It was already hard to get done in 8 hours.  I’m going to guess it’s downright impossible to do it in the CCIE Collaboration.  My best guess is that you are going to see versions of the test that are video-centric as well as ones that are voice-centric.  There’s going to be a lot of overlap between the two, but you can’t go into the lab thinking you’re guaranteed to get a video lab.

Hitting the Wrong Notes

There also seems to have been a lot of discussion about the retirement of the CCIE Voice track as opposed to creating a CCIE Voice version 4 track with added video.  In fact, there are some documents out there related to the CCIE Collaboration that reference a CCIE Voice v4.  The majority of discussion seems to be around the CCIE Voice folks getting “grandfathered” into a CCIE Collaboration title.  While I realize that the change in the name was mostly driven by the marketing of the greater collaboration story, I still don’t think that there should be any automatic granting of the Collaboration title.

The CCIE Collaboration is a different test.  While the blueprint may be 75% the same, there’s still the added video component to take into account (as well as cluster configuration for multiple CUCM servers).  People want an upgrade test to let the CCIE Voice become a CCIE Collaboration.  They have one already: the CCIE Collaboration lab exam.  If the title is that important, you should take that lab exam and pass it to earn your new credential.  The fact that there is precedent for this with the migration of the Storage track to Data Center shows that Cisco wants to keep the certifications current and fresh.  While Routing & Switching and Security see content refreshes, they are still largely the same at the core.  I would argue that the CCIE Collaboration will be a different exam in feel, even if not in blueprint or technology.  The focus on IM, presence and video means that there’s going to be an entirely different tone.  Cisco wants to be sure that the folks displaying the credential are really certified to work on it according to the test objectives.  I can tell you that there was serious consideration around allowing Storage candidates to take some sort of upgrade exam to get to the CCIE Data Center, but it looks like that was ultimately dropped in favor of making everyone go through the curriculum.  The retirement of the CCIE Voice doesn’t make you any less of a CCIE.  Like it or not, it looks like the only way to earn the CCIE Collaboration is going to be in the trenches.

It Ain’t Over Until…

The sunsetting officially starts on November 20th, 2013.  That’s the last day to take the CCIE Voice written.  Starting the next day (the 21st) you can only take the Collaboration written exam.  Thankfully, you can use either the Voice written or the Collaboration written exam to qualify for either lab.  That’s good until February 13, 2014.  That’s the last day to take the CCIE Voice lab.  Starting the next day (Valentine’s Day 2014), you will only be able to take the Collaboration lab exam.  If you want to get an idea of what is going to be tested on the lab exam, check out the document on the Cisco Learning Network (CCO account required).

If you’d like to read more about the changes from professional CCIE trainers, check out Vik Malhi (@vikmalhi) on IPExpert’s blog.  You can also read Mark Snow’s (@highspeedsnow) take on things at INE’s blog.


Tom’s Take

Nothing lasts forever, especially in the technology world.  New gadgets and methods come out all the time to supplant the old guard.  In the world of communications and collaboration, Cisco is trying to blaze a trail towards business video as well as showing the industry that collaboration is more than just a desk phone and a voice mailbox.  That vision has seen some bumps along the way but Cisco seems to have finally decided on a course.  That means that the CCIE Voice has reached the apex of potential.  It is high time for something new and different to come along and push the collaboration agenda to the logical end.  Cisco has already created a new CCIE to support their data center ambitions.  I’m surprised it took them this long to bring business video and non-voice communications to the forefront.  While I am sad to see the CCIE Voice fade away, I’m sure the CCIE Collaboration is going to be a whole new barrel of fun.

Restricted CUCM – Rated R

If you’ve gone to download Cisco Unified Communications Manager (CUCM) software any time in the past couple of years, you’ve probably found yourself momentarily befuzzled by the option to download one of two different versions – Restricted and Unrestricted.  On the surface, without any research, you might be tempted to jump into the Unrestricted version. After all, no restrictions is usually a good thing, right?  In this case, that’s not what you want to do.  In fact, it could cause more problems than you think it might solve.

Prior to version 7.1(5), CUCM was an export restricted product.  Why would the government care about exporting a phone system?  The offending piece of code is in fact the media and signaling encryption that CUCM can provide in a secure RTP (SRTP) implementation.  Encryption has always been a very tightly controlled subject.  Because cryptography was developed so heavily during World War II, the government needed to be sure to regulate its use afterwards.  Normally, technology export is something that is controlled by the U.S. Department of Commerce.  However, since almost all applications for cryptography were military in nature, it was classified as a munition by the military and therefore subject to regulation via the State Department.  And regulate it they did.  They decreed that no strong encryption software could be exported out of the country without a hearing and investigation.  This usually meant that companies created “international versions” that contained the maximum strength encryption key that could be exported without a hearing – 40 bits.  This affected many programs in the early days of the Internet Age, such as Internet Explorer, Netscape Navigator, and even Windows itself.

In 1996, President Bill Clinton signed an order permitting cryptography software export rulings to be transferred to the Department of Commerce.  In fact, the order said that software was no longer to be treated as “technology” for the purposes of determining restrictions for export.  The Department of Commerce decided in 2000 to create new rules governing the export of strong encryption.  These restrictions were very permissive and have allowed encryption technology to flourish all over the world.  There are still a few countries on the Export Restriction list, such as those that are classified as terrorist states or rogue states as classified by the U.S. Government.  These countries may not be the recipient of strong encryption software.  In addition, even those countries that can receive such software are subject to inspection at any time by the U.S. Department of Commerce to ensure that the software is being used in line with the originally licensed purpose.  When you think of how many companies today have a multi-national presence, this could be a nightmare for regulatory compliance.

Cisco decided in CUCM 7.1(5) to create a version of software that eliminated the media and signaling encryption for voice traffic in an effort to avoid the need to police export destinations and avoid spot audits for CUCM software.  These Export Unrestricted versions are developed in parallel with other CUCM versions so all users can have the same functionality no matter their location.  CUCM Unrestricted versions do have a price when you install them, however.  Once you have upgraded a cluster to an Unrestricted version of CUCM, you can never go back to a Restricted (High Encryption) version.  You can’t migrate or insert any Restricted servers into the cluster.  The only way to go back is to blow everything away and reload from scratch.  Hence the reason you want to be very careful before you install the software.

If you’ve been running CUCM prior to version 7.1(5), you are running the Restricted version.  Unless you find yourself in a scenario where you need to install CUCM in a country that has Department of Commerce export restrictions or has some sort of import restriction on software (Russia is specifically called out in the Cisco release notes), you should stay on the Restricted version of CUCM.  There’s no real compelling reason for you to switch.  The cost is the same.  The licensing model is the same.  The only things you lose are the media encryption and the ability to ever upgrade to a Restricted version.  Just like when going to the movies, all the good stuff is in the R-rated version.


Tom’s Take

I still get confused by the Restricted vs. Unrestricted thing from time to time.  Cisco needs to do a better job of explaining it on the download page.  I occasionally see references to the Unrestricted version being for places like Russia, but those warnings aren’t consistent between point releases, let alone minor upgrades and major versions.  I think Cisco is trying to do the right thing by making this software as available to everyone in the world as they can.  With the rise of highly encrypted communications being used to launch things like command and control networks for massive botnets and distributed denial of service campaigns, I don’t doubt that we’ll see more restriction on cryptography and encryption coming sooner or later.  Until that time, we’ll just have to ensure we download the right version of CUCM to install on our servers.

On Demand Auto Attendant for CallManager Express


I’ve done my fair share of CallManager Express (CME) installations over the years, many of which were for small businesses.  I usually get to try and replace an old battleship of a phone system that has been running for a long time but has either finally given up the ghost or can’t be repaired due to the company being out of business.  When I do replace these units, the usual desire is to make it behave the same way as the old system.  For the most part, this is a pretty easy proposition.  That is, until it comes to auto attendants.  The automated recording that helps callers find the correct extension or leave a message is becoming an important part of the small business as employers start cutting back on expenses and use fewer people and more technology.  One case recently that had me baffled was a request for an on-demand auto attendant.

This particular customer had an old phone system that had finally failed.  They had decided on a CME system to replace it.  One feature they said they could not live without was the ability to toggle on a recording to handle calls.  This usually happened during lunch or during a meeting when all people at the office would be involved in some manner or another.  The receptionist wanted to push a button and enable the recording until the meeting or lunch had passed, then come back and toggle off the recording to allow calls to be answered by a human being again.  I nodded along slowly as the wheels started turning, because to my knowledge there was no feature inherent to the system that would do this.

After some thinking and planning and more than a few failed lab mockups, I finally found the answer in a combination of seemingly unrelated features.  The first involved handling incoming calls to multiple phones in a manner that would allow redirection of calls.  This isn’t possible with parallel hunt groups in CME, as logging a phone into a hunt group changes all the forwarding behaviors of the phone.  It will only obey the hunt list settings and ignore almost everything else, including call-forward all.  The second issue was finding a way to have the auto attendant answer the call when invoked, as the standard method of using auto attendants either involves enabling it for all calls at all times or using a schedule to enable specific greetings after hours or on holidays.  As an aside, this is the real value in a solutions integrator.  It’s easy enough to check a few boxes and type a few lines to get something to work the way it says it will on the box.  A real integrator will make a system behave how the user wants it to behave, regardless of whether or not there’s a checkbox to do it.

Step 1: Fix Incoming Call Behavior

This ended up being the most technology-dependent part of the equation.  CME used to have a hard time handling a parallel (or broadcast) hunt group that rang a group of phones at one time.  Prior to CME 4.3, this feature was only available for SIP phones.  After 4.3, Cisco finally ported the parallel hunt group to SCCP phones (my preferred method for configuring phones in CME).  The only catch was that the phone hunting behavior followed the rules for hunt groups.  In order to make the incoming calls do something else, I had to find a way to make the calls ring multiple phones without a hunt group.  The answer actually came to me when I found an old page referencing a hacked together broadcast hunt group prior to CME 4.3.  This ingenious solution used a group of overlaid directory numbers (DNs) to mimic a broadcast hunt group.  A group of DNs was necessary because a DN in CME can only be single or dual-line.  With a dual line phone, two calls can hit the phone at once.  The third call is forced off to voice mail or some other behavior as dictated by the call forwarding configuration.  The second part of this solution was delivered in CME 4.0 – the octo line.

For those not familiar, the octo line creates a special DN capable of handling eight simultaneous incoming and outgoing calls across multiple extensions.  This looks to me like an attempt to create a basic form of call queuing in CME.  By creating a construct to handle more than two calls at once, you’ve in effect created something that can do basic call center call routing.  In this case, I created one octo-line DN and put it on the two phones used by reception at this business:

ephone-dn  1 octo-line
  number 100
  description Outside Call
  name Outside Call

Now I can make the calls ring on two phones without creating a hunt group.  That also means I can call-forward the phones as needed.

Step 2: Invoke Auto Attendant On Demand

This one was a bit trickier.  Enabling an auto attendant for a dialed number is easy.  How do we make that number only work when toggled?  Time schedules were out for this customer, as they were never sure when they were going to need to enable the auto attendant.  That means I have to find a way to call the auto attendant DN when needed.  But how to do that on CME?  The answer came to me in a flash of insight – night service.

Night service is a configuration setting that allows a system to be configured for a time schedule when the participating phones will ring in a special manner or pattern.  The idea is that when a business is closed, a designated phone can be monitored by personnel, such as janitorial staff or second shift, and be answered without modifying the open hours configuration.  In this case, we’re going to use the night service code to invoke the night service configuration when needed.  Normally, this command would be used when night service is active in order to disable it.  Here, we’re doing the exact opposite.  Also one more thing to note – the night service code command requires the code to be prefixed with an asterisk.  That works well, as the asterisk isn’t usually dialed as part of a number, so this signals that it’s something special.  I usually use either the extension number (as below) or the last four digits of the main telephone number as a mnemonic trigger.  The first part of the config is easy:

telephony-service
  night-service code *100

Now, we need to go back to the octo-line DN that we previously configured and add an additional setting to control the night service function.  In this instance, I’m using 501 as the pre-configured auto attendant dial-in number:

ephone-dn 1 octo-line
  call-forward night-service 501

The only remaining task to make this a true “push button” service is to enable a speed dial on the ephone itself.  That part is also easy:

ephone 1
  speed-dial 1 *100 label Auto Attendant

Now all the user needs to do is push the button on their phone labeled “Auto Attendant” and it will enable night service for all incoming calls.  Pushing the button again will disable it.  You can also add the command night-service bell to the ephone-dn in order to display a message that night service is active.

There are a number of other tricks that you can do with the basic building blocks presented by CME to make it behave just like a customer’s old phone system.  This should allow you to ease any transition and allay any fears they might have.  After all the users are comfortable with the new phones and phone behavior, you can start introducing new features to them like unified messaging or single number reach.  People are very open to change once they figure out nothing has really changed.

Cisco – Borderless Speed Dating

The first presentation of the final day of Network Field Day 4 brought us to the mothership on Tasman Drive.  The Cisco Borderless team had a lineup of eleven different presenters ready to show us everything they had.  For those of you not familiar with the term, Borderless Networks inside Cisco essentially means “everything that isn’t data center or voice.”  Yeah, that means routing and switching and security and wireless and everything else.  That also meant that we got a very diverse group of people presenting to us and a lot of short twenty minute videos of their products.  In a way, it’s very much like speed dating. With little time to get the point across, you tend to shed the unnecessary pleasantries and get right to the important stuff.

First up was the UCS team with new E-series servers.  These are blades that are designed to slide into an ISR G2 router and provide a full-featured x86 platform.  It’s a great idea in search of an application.  I can still remember the AxP modules and how they were going to change my life.  That never really materialized.  The payoff use case that you are looking for is the second video above.  Cisco is starting to push for the idea that you can contain a whole branch office in a single router and run not only the phone system, network routing and VPN, but now a light-duty server as well.  I’m not sure how many people will be looking to do that with virtualized server resources residing in the data center, but there was some discussion of using this as a temporary failover environment to push the branch server to the edge in the event of some kind of disaster or outage.  That seems to me to work better than running the entire branch on the router.  Of course, as you can tell, the demo gremlins found Cisco as well.

The next presentation was the new darling Cloud Services Router (CSR) 1000v.  This little gem got some face time on stage with John Chambers at Cisco Live this year.  It’s a totally virtualized router (hence the “v”) that can move workloads into the cloud when needed.  I’m really curious as to why this is included with Borderless, as this is a very data center specific play right now.  I know that Cisco is pushing this device currently as a VPN concentrator or MPLS endpoint for WAN aggregation.  It makes more sense from some of their diagrams to have it running inside a cloud provider network carving up user space.  I’m going to keep an eye on this one to see where the development goes.

Now, we get to something fun.  Cisco FlexVPN is what happens when someone finally took a look at all the different methods for configuring VPNs on the various Cisco devices and said “WTF?!?”  FlexVPN utilizes IKEv2 to help speed configuration.  You can watch the short video and see all the stuff that we have to deal with to configure a VPN today.  Cisco finally took our complaints to heart and made things a lot simpler.  Of course there are drawbacks, and with FlexVPN that means it only works with IKEv2.  There’s no backwards compatibility.  Of course, if you’re going to have to be migrating everything anyway, you might as well make a clean break and rebuild it right.  That’s going to make things like hub-and-spoke VPN configuration a whole lot less painful in the near future.  Props to Cisco for fixing a pain point for us.

Okay, so maybe I lied just a bit.  Since Cisco Unified Border Element runs on a router (even though it’s technically voice), we got a presentation about it!  I was in hog heaven here.  If you are looking at deploying a SIP trunk, you had better be looking at a CUBE box to handle the handoff.  Don’t think, just do it.  Listen to the voice of Amy Arnold (@amyengineer) and Erik Peterson (@ucgod).  You need this.  You just don’t know how much until you start banging your head against a wall.

More Voice!!!  By this point, I was practically crying tears of joy.  Two voice presentations in one day.  At a networking event no less!  This presentation on enhanced SRST shows how big of a kludge SRST really is.  I’m not a huge fan of it, but I have to configure it to be sure that the phone systems work correctly in the event of a WAN outage.  It’s all still CLI and very annoying to configure and keep in sync.  Thankfully, with the ESRST manager highlighted in the video above, we can keep those configurations in sync and even have it automagically pull the necessary configurations out of CUCM.  This software runs on a Service Engine right now in the router, but I can’t wait to see if Cisco ports it to a virtual setup to run under a CUCMBE 6000 server or even on a UCS-E blade down the road.  Anything that I can do to make SRST less painful is a welcome change.

Okay, this had to be one of the more interesting presentations I’ve been involved in at an NFD event.  We got our AppNav presentation over Webex from a remote resource.  I know this is a hot thing to do at Cisco offices to make sure we have the most talented people giving us the most up-to-date info about a particular subject.  However, I expect this when I’m in the middle of nowhere Oklahoma, not at the mothership in San Jose.  The Webex cut out now and then and there were times when we had to strain to hear what was being said in the room.  Looking back at the video, I marvel that the room mikes picked up as much as they did.  As for AppNav itself, it’s a virtual DC version of the Wide Area Application Services (WAAS).  My grasp of WAN acceleration isn’t as good as it should be, even from Infineta back at NFD3.  There’s some good info in here I’m sure.  I’m just going to have to go back and digest it to see where it fits into my needs.

Now it’s time for some switching talk.  We got a roadmap on the Catalyst line.  There are some interesting tidbits in the slides, such as a monster 9000W power supply for the 4500 to support UPoE (more on that in a minute).  The 4500 is also going to get VSS support and ISSU support.  Those two things alone are going to make me start considering the use of the 4500 in the core of most of my smaller networks.  The fixed configuration Catalyst switches also have some nice roadmaps, including UPoE support and lots of IPv6 enhancements.  As I move forward in 2013, I’m planning on doing a lot with IPv6, so knowing that I’m going to have switching support behind me is a nice comfort.  Of all the updates, the most talked about one was probably the Catalyst 6500.  A switch that has been rumored to be on the chopping block for many years now, the venerable Cat6K is getting more updates, including FabricPath support and 100Gig module support.  I think this switch may outlast my networking career at this rate.  There are lots of rumors as to why Cisco is renovating this campus core stalwart once more, but it’s clear that they are attempting to squeeze as much life out of it as they can right now.  To me, the idea of stretching FabricPath down into the campus presents some very tantalizing opportunities to finally get rid of spanning tree on all but the user-facing links.  Let’s hope that the Cat6k sticks around long enough to get a gold watch and a nice pension for all the work it’s given us over the years.

Our next discussion was around security and using Cisco TrustSec to do things a little differently than we’re used to.  By now, I think everyone has talked your ear off about BYOD.  Even I’ve done it a couple of times.  It’s a real issue for people in the dark security caves because our traditional methods of access lists and so forth don’t work the same way when you’ve got employees bringing their own laptops or asking you to give them access to data from tablets or phones.  What this has morphed into is a need to do more role-based authorization.  That’s what TrustSec means to me.  Of course, a lot of previous attempts to do this, like NAC, haven’t really hit the mark or have been so convoluted that it was almost impossible to get them working correctly.  Today, Cisco has rolled all the functionality of NAC and ACS into the Identity Services Engine (ISE).  I’ve had a very brief encounter with ISE, so I know it has a lot of potential.  I want to see how Cisco will incorporate it into the bigger TrustSec picture to make everything work across my various platforms.

Time to turn up the juice.  Cisco brought out Universal Power over Ethernet (UPoE), which is their solution to pump up to 60 watts of power across a standard Ethernet cable to power…well, whatever it is that eats 60w of power.  Cisco’s doing this by taking 802.3at PoE+, which can pump 30w down the cable, and pushing an additional 30w of power down the other unused pairs.  Interestingly, Cisco talked to the people behind the ISO and EIA/TIA standards and found that when you have a bunch of unstructured cables running at around 50 watts (which is the 60w number above minus cable loss), you get a temperature in the cable bundle about 8-10 degrees above the ambient room temperature.  In reality, this means that 60w is the max amount of power you’re likely to ever get out of a Cat5e cable unless you chill it or have some kind of new material that can reduce the heating effect.  Cisco seems to be targeting UPoE to drive things like monitors, thin client desktops, and even those crazy command center touch pads that you see littered across the floor of a trading house or stock exchange.  This last item really makes me believe that UPoE is going to be positioned in the same vein as the ultra-low latency Nexus 3548 – financial markets.  Thin clients and command center touch panels are likely to be the kind of mission-critical devices these companies are willing to pay big bucks to power.  With the above-mentioned 9000w PS for the Catalyst 4500, you can see why we’re going to soon need to put a nuclear reactor in to drive these things.

Cisco Smart Operations dropped by to talk to us about Cisco Smart Install.  This is the feature that I tend to turn off when I see it by the telltale sign of “Error opening tftp://255.255.255.255/network-config.”  The Smart Operations team is doing its best to create an environment where an IT department that doesn’t have the headcount to send technicians to deploy remote site switches can leverage software tools to have those devices auto-provision themselves.  You can also configure them to automatically configure things like Smartport roles, which has never really been one of my favorite switch features.  Overall, I can appreciate where Cisco is wanting to go with this technology.  But, as a CLI jockey, I’m still a bit jaded when it comes to having part of my job replaced by a TFTP script.

The final Cisco NFD4 presentation was about application visibility and control.  This is a lot of the intelligence that is built into the Cisco Prime monitoring software that was demoed for us back at NFD3.  If you can identify the particular fingerprints of a given application, such as Telepresence, you can better determine when those fingerprints are out of whack.  I’m also excited because fingerprinting apps is going to be a huge part of security in the near future, as evidenced by Palo Alto’s app-based firewall and the others like Sonicwall and Watchguard that have followed along.  Even the Cisco ASA-CX is starting to come around to the idea of stopping apps and not protocols.

If you’d like to learn more about Cisco Borderless Networks, check them out at http://www.cisco.com/en/US/netsol/ns1015/index.html.  You can see an archive of the presentations and associated data sheets at http://blogs.cisco.com/borderless/networking-field-day-4-at-cisco-nfd4/.  You should also follow the Cisco Borderless team on Twitter as @CiscoEnterprise and @CiscoGeeks.


Tom’s Take

There you have it.  Lots of presenters.  Hours of video.  A couple of thousand words from me on all of it.  It’s almost exhausting to see that much information in a short span of time.  Some of the things that Cisco did with this presentation were great.  There were technologies that only needed a bit of time.  There were others that we could have spent an hour or more on.  I think that the next NFD presenters that want to try something along these lines should set up the first three hours with rapid fire presentations and reserve the last hour for us to call back to earlier presenters and hit them with additional questions.  That way, we don’t run out of time and we get to talk about the things that interest us the most.  Bravo overall to the Cisco Borderless team for breaking out of the mold and trying something new to keep the NFD delegates hooked in.

Tech Field Day Disclaimer

Cisco was a sponsor of Network Field Day 4.  As such, they were responsible for covering a portion of my travel and lodging expenses while attending Network Field Day 4.  In addition, they provided me with an 8GB USB drive with marketing collateral and data sheets. They did not ask for, nor were they promised, any kind of consideration in the writing of this review.  The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.

What’s My Cisco ATA Second Line MAC Address?

In the world of voice, not everything is wine and roses.  As much as we might want to transition everything over to digital IP phones and soft clients, the fact remains that there are some analog devices that still need connectivity on a new phone system.  The more common offender of this is the lowly fax machine.  Yes, even in this day and age we still need to rely on the tried-and-true facsimile machine to send photostatic copies of documents across the PSTN to a waiting party.  Never mind email or Dropbox or even carrier pigeon.  Fax machines seem to be the most important device connected to a phone system.  Normally, I leave the fax connections and their POTS lines intact without touching anything.  However, there are times when I don’t have that luxury.

In the case of the Cisco VoIP systems, that means relying on the Analog Terminal Adapter, or ATA.  The ATA allows you to connect an analog device to the unit, whether it be a fax machine or a cordless analog phone or even a fire alarm or postage machine.  It has many uses.  The configuration of the ATA is fairly straightforward under any CUCM system.  However, if you have a multitude of analog devices that you need to connect, you might opt to use the second analog port on the ATA.  The ATA 186 of the past and its current replacement, the ATA 187, both have 2 analog ports on the back.  There’s only one Ethernet port, though.  This is where the interesting part comes into play.  If there are two analog ports but only one Ethernet port, how do I configure the MAC address for the second port?  All phone devices in CUCM must be identified by MAC address.  On an ATA, the primary MAC address printed on the bottom or the side of the box is the address for the first port.

If you want to use the second port, you’re going to have to do a little bit of disassembly.  Cisco uses a standard method to create a new MAC address:

1.  Take the MAC address for port 1.  For example, 00:00:DE:AD:BE:EF.

2.  Drop the first two digits from the MAC address.  In the example, 00:DE:AD:BE:EF.

3.  Append “01” to the end of the 10-digit address.  Example, 00:DE:AD:BE:EF:01.

Once you’ve completed those steps, take the MAC address you’ve just created and plug it into CUCM as a new ATA device.  Once you’ve completed the necessary steps to create the new device, it will register with the DN you’ve assigned to it.  Then you can start calling or faxing it to your heart’s content.
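The three steps above, as an added helper script that is not part of the original post or of any Cisco tool: it derives the port 2 MAC from the port 1 MAC, accepts the colon, dash and dotted Cisco notations, rejects malformed input, and also builds the separator-free form that CUCM uses in device names (the “ATA” prefix is assumed here as the CUCM naming convention for the ATA, not something the post states).

```python
import re

# Added example: derive the CUCM identity of the second analog port on a
# Cisco ATA 186/187 from the MAC printed on the unit, following the text:
#   1. take the port 1 MAC, 2. drop its first two hex digits, 3. append "01".

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Strip ':' '-' '.' separators and upper-case a 12-hex-digit MAC.

    Raises ValueError for anything that is not exactly 12 hex digits, so a
    typo on the label does not silently produce a bogus device name.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {mac!r}")
    return digits


def second_port_mac(port1_mac: str, sep: str = ":") -> str:
    """Return the derived MAC for port 2 (steps 2 and 3 of the procedure)."""
    digits = normalize_mac(port1_mac)
    derived = digits[2:] + "01"          # 10 remaining digits + "01" = 12 digits
    return sep.join(derived[i:i + 2] for i in range(0, 12, 2))


def cucm_device_name(mac: str, prefix: str = "ATA") -> str:
    """Device name as entered in CUCM: a prefix plus the MAC with no separators.

    The "ATA" prefix is an assumption about CUCM's naming convention for
    the ATA; adjust it if your cluster uses a different one.
    """
    return prefix + normalize_mac(mac)


if __name__ == "__main__":
    # Constructed sample value, the same placeholder MAC used in the post.
    port1 = "00:00:DE:AD:BE:EF"
    port2 = second_port_mac(port1)
    print(f"port 1: {port1}  ->  {cucm_device_name(port1)}")
    print(f"port 2: {port2}  ->  {cucm_device_name(port2)}")
```

Note that the first two hex digits of the port 1 address are lost in the derivation, so a port 2 device name seen in CUCM cannot be mapped back to its unit without the label on the box.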

There’s no mention of the secondary MAC address anywhere on the web interface.  You’d figure it wouldn’t be hard to write some HTML function to read the MAC address and do the above operation.  The Cisco documentation buries this information deep inside the setup document.  I’ve even searched Cisco’s very own support forums and found all manner of advice that doesn’t work correctly.  I decided that it was time to jot this information down in a handy place for the next time I need to remember how to configure the ATA’s second port.  I hope you find it useful as well.