Tech Field Day – HP Wireless

Day two of Wireless Tech Field Day started off with HP giving us a presentation at their Executive Briefing Center in Cupertino, CA.  As always, we arrived at the location and then immediately went to the Mighty Dirty Chai Machine to pay our respects.  There were even a few new converts to the Dirty Chai goodness, and after we had all been properly caffeinated, we jumped into the HP briefing.

The first presenter was Rich Horsley, the Wireless Products and Solutions Manager for HP Networking.  He spoke a bit about HP and their move into the current generation of controller-based 802.11n wireless networks through the acquisition of Colubris Networks back in 2008.  They talked at length about some of the new technology they released that I talked about a couple of weeks ago over here.  Rather than have a large slide deck, they instead whiteboarded a good portion of their technology discussion, fielding a number of questions from the assembled delegates about the capabilities of their solutions.  Chris Rubyal, a Wireless Solutions Architect, helped fill in some of the more technical details.

HP has moved to a model where some of the functions previously handled exclusively by the controller have been moved back into the APs themselves.  While not as “big boned” as a solution from Aerohive, this does give the HP access points the ability to segment traffic, such as the case where you want local user traffic to hop off at the AP level to reach a local server, but you want the guest network traffic to flow back to the controller to be sent to a guest access VLAN.  HP has managed to do this by really increasing the processor power in the new APs.  They also have increased antenna coverage on both the send and receive side for much better reception.  However, HP was able to keep the power budget under 15.4 watts to allow for the use of 802.3af standard power over Ethernet (PoE).  I wonder if they might begin to enable features on the APs at a later date that might require the use of 802.3at PoE+ in order to fully utilize everything.  Another curious fact was that if you want to enable layer 3 roaming on the HP controller, you need to purchase an additional license.  Given the number of times I’ve been asked about the ability to roam across networks, I would think this would be an included feature across all models.  I suppose the thinking is that the customer will mention their desire to have the feature up front, so the license can be included in the initial costs, or the customer will bring it up later and the license can be purchased for a small additional cost after the fact.  Either way, this is an issue that probably needs some more visiting down the road as HP begins to get deeper into the wireless market.

After some more discussion about vertical markets and positioning, it was time for a demo from Andres Chavez, a Wireless Solutions Tester.  Andres spends most of his time in the lab, setting up APs and pushing traffic across them.  He did the same for us, using an HP E-MSM460 and iPerf.  The setup worked rather well at first, pushing 300Mbits of data across the AP while playing a trailer for the Star Wars movie on Blu-Ray at full screen in the background.  However, as he increased the stream to 450Mbits per second, Mr. Murphy reared his ugly head and the demo went less smoothly at that point.  There were a few chuckles in the audience about this, but you can’t fault HP for showing us in real time what kinds of things their APs are capable of, especially when the demo person wasn’t used to being in front of a live video stream.  One thing that did make me pause was the fact that the 300Mbit video stream pushed the AP’s processor to 99% utilization.  That worried me from the aspect that we were only pushing traffic across one SSID and had no real policies turned on at the AP level.  I wonder what might happen if we enable QoS and some other software things when the AP is already taxed from a processor perspective, not to mention putting 4 clients on at the same time.  When I questioned them about this, they said that there were actually two processor cores in the AP, but one was disabled right now and would be enabled in future updates.  Why disable one processor core instead of letting it kick in and offload some of the traffic?  I guess that’s something that we’ll have to see in the future.

After a break, the guys from HP sat down with the delegates and had a round table discussion about challenges in wireless networking today and future directions.  It was nice to sit down for once and have a discussion with the vendors about these kinds of topics.  Normally, we would have a round table like this if a session ended early, but having it scheduled into our regular briefing time really gave us a chance to explore some topics in greater depth than we might have been able to with only a 5-10 minute window.  Andrew vonNagy brought up an interesting topic about needing better management of user end-node devices.  The idea that we could restrict what a user could access based on their client device is intriguing.  I’d love to be able to set a policy that restricted my iPhone and iPad users to specific applications such as the web or internal web apps.  I could also ensure that my laptop clients had full access even with the same credentials.

Tom’s Take

HP is getting much better with their Field Day presentations.  I felt this one was a lot better than the previous one, both from a content perspective and from the interaction level.  Live demos are always welcome, even if they don’t work 100%.  Add to that the ability to sit down and brainstorm about the future of wireless and you have a great morning.  I think HP’s direction in the wireless space is going to be interesting to watch in the coming months.  They seem to be attempting to push more and more of the functions of the APs back into the APs themselves.  This will allow for more decisions to be made at the edge of the network and keep traffic from needing to traverse all the way to the core.  I think that HP’s transition to the “fatter” AP at the edge will take some time, both from a technology deployment perspective and to ensure that they don’t alienate any of their current customers by reducing the effectiveness of their currently deployed equipment.  I’m going to be paying attention in the near future to see how these things proceed.

If you’d like to learn more about HP Wireless Networking, you can check them out at http://h17007.www1.hp.com/us/en/products/wireless/index.aspx.  You can also find them on Twitter as @HP_Networking.

Disclaimer

HP was a sponsor of Wireless Tech Field Day, and as such they were responsible for a portion of my travel expenses and hotel accommodations.  In addition, they provided lunch for the delegates, as well as a pen and notepad set and a travel cooler with integrated speakers.  At no time did they ask for nor were they promised any kind of consideration in the writing of this review.  The analysis and opinions presented here are given freely and represent my own thoughts.

Tech Field Day – Aerohive

Our third presentation at Wireless Tech Field Day was from Aerohive.  We arrived at their office in the afternoon to round out day one.  Once at the front door, we were greeted by Devin Akin.  He warmly greeted everyone and shook our hands as we walked in.  Once inside our meeting room, we were presented with a package containing an Aerohive polo shirt, notebook, chocolate bar, and a plastic shamrock necklace to wear in honor of St. Patrick’s Day.  As soon as we all were seated and settled, Devin jumped right into a special presentation before we got started properly.  In honor of Andrew von Nagy’s recent success on the CCIE Wireless lab exam, Devin and the Aerohive crew presented him with a sash in Aerohive gold bearing his CCIE number in glitter.  Andrew was a great sport and accepted his special gift proudly.

After the very special presentation, we dove headlong into Aerohive.  I’d like to mention a few words about Devin.  His energy during our visit was off the charts.  He seems to enjoy the world of wireless networking, and based on conversations I’ve had with the other delegates, his name carries quite a bit of weight in the wireless world.  I read some of his blog posts before I left for Tech Field Day, and he strikes me as a person who isn’t afraid to put his opinion out there for the world to see.  He also “gets” Tech Field Day.  When we walked into the room, he had the Twitter stream for the #TechFieldDay hashtag projected on the wall of the room for everyone to see.  That way, the presenters could glance over and get instant feedback about how things were going.  They could also get immediate feedback from the audience not directly in front of them.  These kinds of little touches go a long way toward making a successful presentation at Tech Field Day.

We got to hear from Bob O’Hara, who is a legend in the wireless area.  He is the founder of Airespace, which was snatched up by Cisco and he is generally credited with creating the whole movement behind controller-based access points (APs).  Bob talked for a few minutes about some of the history he helped create, as well as why he has worked with Aerohive to move away from the controller-based AP model and into something different.

After Bob, Mr. Energy Devin Akin jumped in and sped through the perfunctory intro/framing slides.  He talked about the market position of Aerohive and what differentiates them from the competition in the market.  While the other vendors in the market are using relatively “dumb” radios that send traffic back toward the controller for processing, Aerohive has taken a very different approach.  Using merchant silicon, they have made their APs much smarter while keeping their price reasonable.  This means that there is no need for a controller to direct the APs.  Instead, the management software can be loaded on a small appliance, a virtual machine (VM) or even…the cloud.  The APs themselves have a great feature set to allow things like mesh operation, fast layer 3 roaming across subnets, and even some layer 2 MAC routing.  The management software for the APs allows for some additional interesting features, such as private pre-shared keys (PPSK) which give you the ability to issue a PSK per user that has an expiration date and allows a certain number of devices per AP.  That way, your laptop, iPhone, and iPad can all join from a single key.  There is also support for a teacher based view that allows instructors to lock out all or a portion of access to network and Internet resources.  This is a great feature for the K-12 education environment, as it ensures the teacher determines exactly where the students can go, and due to the granularity of the controls, even allowing students a reward of some additional Internet surfing after their work is completed.

One of the more impressive features involved a full setup demo.  All of the APs were set back to defaults and removed from the manager.  Then, in front of the delegates, a new highly secure network was built in about 15 minutes.  It was very straightforward, and once the details of the network were provisioned the configurations were pushed out to the members of the “hive”, which is the Aerohive term for the collection of APs in the network.

After the demos were over, it was time for a delegate demo.  Devin informed us that there was an AP somewhere in the building broadcasting an SSID of “Find Me” at 1 mW, which made it practically invisible.  Under that AP was an “Oprah Moment” for the delegates.  Devin suggested we use our newly-acquired MetaGeek Wi-Spy scanners to see if we could find the AP.  This again was a great touch.  Devin had been paying attention and knew what we were now capable of doing, so he decided to build on it and make us work for it.  Having only brought lightweight devices like my ChromeOS CR-48 and my iPad, I couldn’t participate in this little Easter egg hunt, but after a few minutes the delegates located the prize – an Aerohive HiveAP110 and 3 years of access to the cloud-based Hive Manager software to provision it.

Tom’s Take

I was quite impressed with Aerohive.  They have a great product and a wonderful staff developing it.  While it appears that their primary vertical right now is in the education space, I have no doubt that their feature set has appeal to medical and other verticals as well.  I think that with the industry focusing right now on the controller-based architecture, Aerohive can carve itself a very comfortable niche for the controller-less technology they have created.  Other information that I’ve encountered leads me to believe that some vendors are beginning to look at locating more intelligence in the AP/edge once again, which means that when they finally move back toward that strategy they will no doubt find Aerohive staring back at them as a leader in that particular space.  I’m going to spend some more time evaluating the HiveAP capabilities thanks to Devin and his team.  I hope to have more to write about it in the near future.

If you would like to learn more about Aerohive, you can check out their website at http://www.aerohive.com.  You can also follow them on Twitter as @Aerohive

Disclaimer

Aerohive was a sponsor of Wireless Tech Field Day, and as such they were responsible for paying a portion of my travel expenses and hotel accommodations.  In addition, they provided the delegates a package including an Aerohive polo shirt, note book, candy bar (which was consumed during the writing of this review and was delicious), and St. Patrick’s Day themed button and necklace.  The delegates were also provided with an Aerohive HiveAP 110 and 3 years access to the cloud-based Hive Manager software for evaluation.  At the conclusion of the session, Aerohive provided all attendees a selection of beers with Irish themes, such as Guinness, Harp, and Smithwick’s.  At no time did they ask for nor were they granted any kind of consideration in this review.  The analysis and conclusions outlined here are mine and mine alone.  They are offered freely and willingly.

Tech Field Day – Cisco

The second company to present at Tech Field Day was Cisco.  This is the company that I’ve had the most experience with in my wireless career, so getting to hear from them in this setting held some wonderful appeal.  While I was fairly familiar with the product line, I hoped that Cisco would give me some insight into things.

Upon arrival at the Cisco campus on Tasman Drive, we started walking through the building to our meeting room.  The wireless people were taking pictures of all the antennas in the area and geeking out about all the equipment around the building.  After we reached our briefing room, we got seated and started listening to our first presenter, Jim Florwick, who was remote and presenting over Webex.  As he went over the basic outline of Cisco wireless strategy and philosophy, it started to dawn on me that I’d seen much of this material before.  I followed along as we talked about the congestion in the 2.4 GHz spectrum and the need to start moving clients into the 5GHz range for additional throughput gains.  We got a quick overview of Cisco’s CleanAir technology, which is the technology acquired from the Cognio purchase embedded into the 3502 access point (AP) line.  This overview felt a little more like marketing, which is not necessarily the thing to bring to a Field Day.

Around about the time the first presenter started wrapping up, there were murmurs amongst the wireless delegates.  I asked Jennifer Huber what all the fuss was about, and she told me, “Do you know where we are?  This is THE Building 14!” The importance of our location was quickly apparent when someone pulled up a screenshot of the Wireless Control Server from Cisco’s website and just as plain as day, there was the third floor of the building we were currently occupying.  Since building 14 is where the bulk of the wireless development and testing occurs, it makes total sense that the majority of the example screenshots on Cisco’s website would be of that building.  For the wireless nerds, I suppose it was really like returning home.

The next presentation was from David Stiff, who is the Senior Product Manager for the Wireless Networking Business Unit for Cisco.  He went over a lot of the same material that we had just discussed, only more in depth.  He talked about technologies such as Client Link and CleanAir.  The only problem with this type of presentation is that it loses the delegates’ attention.  Compared to the MetaGeek or Aerohive presentations, this one felt more like a lecture.  I don’t doubt that the information was great and wonderful to know, but since it was a lot of the same as what I’ve seen before, it didn’t hold as much appeal as the MetaGeek demo or the Aerohive show-and-tell.  In some ways, it felt more like a presentation that would be given to people less familiar with the ins and outs of wireless networking.  As Jennifer remarked to me later, “Not only have I heard that presentation before several times, I’ve given it several times as well.”

After lunch, we got to hear about the in-building cellular technology that Cisco is partnering to bring to the market.  This presentation felt a little out of place for this crowd.  A couple of the delegates mentioned that they had looked at it before, but the need for it was spotty at best and the market was pretty thin.  To me, this is the explanation for why Cisco is partnering to bring it to the market rather than developing it in house or buying the developer outright.  The idea behind in-building cellular is using the existing category 5/6 cabling in the building to help amplify cellular signals in areas where there is severe signal degradation.  I’m betting that this technology is designed to be marketed to healthcare, where the wireless spectrum is congested and cell phones barely work as it is.  Another possible option is rural areas where cell coverage is spotty at best, like the second floor of my house only on a larger scale.  All in all, I think in-building cellular is a little too much of a niche product to be useful to me in the near future.

Next up was David Stephenson talking about next generation hotspots.  David was one of the people responsible for the 802.11u amendment, and it was apparent that he knew his stuff.  802.11u deals with scenarios where the user isn’t necessarily authorized for access to a given wireless network.  Think about being at the airport and seeing that there are tons of wireless networks to join, but you don’t know any of the keys to join them.  This is where the free hotspot idea comes in.  But since free hotspots are not necessarily available everywhere, a different idea must be considered.  802.11u addresses this by creating what looks to me like a hotspot federation or roaming agreement.  Similar to the agreements that allow cellular coverage across different provider towers, 802.11u would allow users to log in using credentials for the networks they are authorized for, and in return gain the ability to access certain services on a given network.  For instance, a user authorized to use AT&T hotspots may be able to use some internet services on a Boingo network.  For those that wish to restrict things much more, you can limit access to very basic things like emergency services.  One of the use cases that David talked about was using this next generation hotspot to allow users to log into wireless networks in a retail environment and receive coupons on their smartphones based on their login credentials.  Exciting stuff to hear about, and lots to look forward to in the future.

The last presenter was Jameson Blandford, a Cisco TME who is somewhat famous for a competitive analysis video on Youtube:

Jameson’s portion of the presentation was NDA’d due to a lot of restricted competitive analysis.  Based on what he said and things that I observed later during Tech Field Day, I’ve got a lot of thinking and analysis to do about the current state of the arms race amongst the various wireless vendors.

Tom’s Take

As a Cisco partner engineer, I get to hear from Cisco quite a bit.  Their presentation methodology is polished and crisp.  However, in the case of Tech Field Day I think they were just a bit off the mark.  As I’ve said before, Tech Field Day delegates aren’t your usual group of decision makers and slightly technical people.  We’re nerds and geeks.  We like seeing how things work and hearing about the gory details.  Cisco has always presented good opportunities in the past to get into the nuts and bolts of how things work.  Maybe a demo of CleanAir healing a network, similar to the video above.  Or perhaps an opportunity for us to see even a canned demo of a next generation hotspot.  Something to keep our attention rather than the endless parade of PowerPoint slides.  I never want presenters at Tech Field Day to have a bad outing, so I’m hoping that my words here will help encourage Cisco to step up next time and hit one out of the park.  Most of the info was great, but knowing how to reach your captive Tech Field Day audience is just as key.

If you’d like to learn more about Cisco and their wireless technology, head on over to http://www.cisco.com/go/wireless.  In addition, you can follow their wireless information on Twitter at @cisco_mobility

Disclaimer

Cisco was a sponsor of Tech Field Day, and as such was responsible for a portion of my travel expenses and hotel accommodations.  In addition, they provided lunch for the delegates on Thursday afternoon.  They were not promised, nor were they offered any consideration in the writing of this review.  All of the opinions and analysis offered here are mine and mine alone and are given freely and without reservation.

Tech Field Day – MetaGeek

The first Tech Field Day presenter that we heard from was MetaGeek.  I’ve been a fan of their free InSSIDer product for a while now.  At the time, my needs were fairly simple when it came to wireless spectrum scanning.  I simply looked for the SSID network names and used a little interpolation to help me find access points.  However, the 2.4 GHz spectrum where most client devices now operate has become congested with devices and sources of non-WiFi interference, so little tricks aren’t going to cut it any longer.  You need a serious tool to help you make sense of things.  MetaGeek offers a solution to help you find out a little more about the space around you.

The presentation started out with a quick recap about the founding of the company.  One nice thing that I saw was that the head geek and founder, Ryan Woodings, saw a need and capitalized on it.  His original device was designed to scan wireless mice for interference.  He expanded it to include more and more sources of wireless transmission.  Much like any geek or nerd I know, he started peeling back the layers and diving deeper into the problem.  A couple of fun pictures about the first MetaGeek offices and their exposure on Engadget leading to their success today had me feeling a little nostalgic.  It’s always nice to see a company come from humble beginnings and enjoy great success.

Once the short and fun history lesson was out of the way, it was time for the real payoff – a demonstration of the flagship Wi-Spy DBx analyzer tool and the associated Chanalyzer Pro analysis software.  The Tech Field Day delegates also received a Wi-Spy and copy of Chanalyzer Pro so that we could follow along with the geeks as they laid out their program and its capabilities.

WiSpy DBx (Image courtesy of MetaGeek)

The Wi-Spy DBx is a very unassuming piece of hardware, a USB adapter with an RP-SMA connector on the end.  The small form factor allows it to be plugged in just about anywhere quickly and easily.  The DBx model allows you to scan both the 2.4 GHz spectrum where 802.11b and 802.11g networks operate and the 5 GHz spectrum where 802.11a networks are prevalent.  Note that the Wi-Spy can’t scan both networks simultaneously, so if you want to do captures on both at the same time you’ll need two DBx units, or one DBx and one 2.4GHz-only unit like the Wi-Spy 2.4x.  There is also a patch antenna option that allows you to be a little more specific about the direction of the signal detection.

Chanalyzer Pro (Image courtesy of MetaGeek)

The Chanalyzer Pro application is where you are going to spend most of your time.  It gives you a great visual representation of the information the Wi-Spy will be passing along to you.  The application packs a lot of information into a small space.  The line graph at the top center shows you the utilization for the spectrum currently being scanned.  There are options to turn on/off the average and peak utilization, as well as the intensity of signals in color.  This is where you will notice the utilization of a given frequency or channel.  The middle pane shows the ‘waterfall’ view, which is the representation of the top pane over time.  This gives you the opportunity to see any sources of interference as they appear and persist.  The bottom pane gives you more specific detail to drill into, such as SSID overlay or duty cycle information.  This is painted in both a specific graph on the bottom and in the case of the SSID, overlaid on the top graph to allow you to see that there are too many access points (APs) on the same channel in your vicinity.  The large graph on the left side of the window extends the waterfall view over time, but also allows you to move the graph to any point during the time of the packet capture.  This is a great feature for sources of interference that are transient.  You can rewind and fast forward much like a DVR.  This is great if you were preoccupied when the interference happened or you need to review it again to profile the specifics for later classification.

During our great demo, Ryan and Trent Cutler were showing us some of the more interesting interference sources they have seen and classified.  Much like any good investigator, they can recognize things like the difference between 802.11b and 802.11g APs on sight, as well as being able to tell you the difference between a microwave and a cordless phone.  For those of us not as gifted in the art of interference profiling, the Chanalyzer application includes preset waveforms that allow you to overlay them on the graph to tell you the difference between your cordless phone and a wireless video camera.  Very handy for nerds like me that need a little more time in the saddle before we can spot the trouble from the line graph itself.  You can also take captures of interference sources and send them to Trent and he’ll help identify them if it’s something that hasn’t been seen before.  He keeps a collection of the odd and interesting captures he’s gotten, like a fun version of a stamp collection.  I think my favorite was the ceiling fan mounted audio system.

Tom’s Take

The MetaGeeks really knocked it out of the park for the first batter up at the plate.  They looked a little nervous at first, but once into their element, they really shined at showing the delegates what their tool was capable of doing.  I was very impressed by the power of their software along with the ease of use.  So much so that after I returned from Tech Field Day, I spent a whole evening running around my house with my Wi-Spy turning on microwaves and cordless phones and being amazed at what I saw.  The other spectrum analyzers I’ve seen run in the thousands of dollars, which makes the Wi-Spy an incredible value for those wanting to jump into the spectrum analysis arena without needing to sacrifice a kidney in the process.  I plan on giving the Wi-Spy a real run for its money in the near future to see how well I can integrate it into what I do every day.  I even plan on getting some interesting spectrum captures to see if I can stump Ryan and Trent.

If you’d like to learn more about MetaGeek and their product lines, you can check them out at http://www.metageek.net.  You can also follow them on twitter as @metageek.

Disclaimer

MetaGeek was a sponsor of Tech Field Day, and as such they were responsible for paying a portion of my travel costs and hotel expenses.  In addition, they provided a package to the delegates containing a Wi-Spy DBx with Chanalyzer Pro as well as Chanalyzer Lab and a Device Finder patch antenna option.  There was also a WiFi Interference Detection Kit (a bag of microwave popcorn) included in the black lunchbox that housed the rest of the equipment.  This package was provided to the delegates for evaluation purposes and was in no way intended to curry favor.  They did not ask for, nor were they promised any consideration in any review.  Any and all opinions and conclusions in this review were provided freely and clearly and reflect my own thoughts on the product.

PKI Uncovered – My Review

Security is a very important element in today’s network. The number of people trying to penetrate and disrupt your network is growing by the day, both internally and externally. The consolidation of servers into the data center is especially bothersome, as it tends to place your high-priority targets into one location.  It’s very important to find a way to keep that data secure from as many intruders as possible.

The trend recently has been to use virtual private networks (VPNs) to secure communications between users and critical data sources. Whether it be a remote access VPN for teleworkers or an internal VPN for HIPAA or PCI compliance, securing data with an encrypted tunnel is the fastest and easiest method of protection. However, in many cases the administrators use inherently insecure or non-scalable methods of VPN authentication, such as pre-shared keys (PSK). PSK works well with very small deployments or with very static equipment that requires few changes or little turnover/replacement. The main problem with using PSK is that it doesn’t scale very well, plus the method of distribution leaves a lot to be desired.  You write the PSK down in a file for someone to configure and it’s just as insecure as writing it down on a sticky note. In order to really have a secure and scalable design, you must involve a public key infrastructure (PKI) at some point. I was somewhat familiar with PKI from my security training, but my depth of knowledge at implementing it on Cisco equipment was rather shallow.

As luck would have it, Cisco Press asked for volunteers to review books and I jumped at the chance. Imagine my surprise when a shiny new book showed up on my desk. PKI Uncovered is a new book from Cisco Press that looks to give the average Cisco enginee….rock star a crash course in PKI and the many implementations it has in the networking space. What follows is my review of this book.

PKI Uncovered Cover - Image courtesy of Cisco Press

The first section is an overview of PKI basics for the non-security people. If you are a CISSP, CCSP, or any other conglomeration of security acronyms, these chapters will be review.  The importance of using PKI, along with the differentiations between it and symmetric key encryption are laid out. As well, the hierarchy of certification authorities (CA) is laid out with great detail. Once we get past the review, it’s time to delve into the nuts and bolts of implementation.

The second section of the book looks at specific deployment scenarios where PKI would be useful. Chapter 5 is the generic model that the other chapters build on, so the most basic ideas of deployment and chaining CAs are presented. In the following chapters, more specific needs are addressed, from large scale implementations of PKI used with GETVPN in site-to-site design to remote access with ASAs and IOS VPN. As well, more application focused examples on 802.1x NAC and CUCM phone security are presented. These chapters give great examples to follow along with as well as detailed output of the process at each step. The troubleshooting sections at the end of each chapter are also well written, and could be very useful if you find yourself staring down a real head scratcher.   The final two chapters are presented more as a case study where the previous examples are used to illustrate deployments with Cisco Virtual Office or Cisco Security Manager.  They help tie everything together and allow you to see the building blocks in action.

Tom’s Take

Overall, I found this book a very quick and easy read. It clocks in at less than 250 pages, which is practically a white paper.  It never assumes that you are a PKI expert and does a great job of letting you wade in before you get to the real meat of the example deployments.

The middle of the book will be the most used section, dog-eared and well-worn from hours of reference. I think this will be how I use it the most, as a quick reference guide for my future PKI deployments.  It’s a simple matter to work through the configuration examples and make sure your output matches the generous output examples. The case studies at the end are less compelling, as I doubt I’ll find myself in those kinds of deployment scenarios any time soon.

Overall, I’d recommend this as one to pick up if you have any desire to learn about PKI and its implementation on Cisco devices or feel that you’ll be implementing it any time in the immediate future.

If you’d like to pick up a copy, you can find it on http://www.ciscopress.com or at http://www.amazon.com.

Disclaimer

This book was provided to me by Cisco Press at no cost for evaluation. It came with no promise of consideration for a review. The ideas and opinions expressed in this review are mine and mine alone and provided freely for the use and consideration of my audience.

Tech Field Day Recap: Day 2

Group pictures always take longer when you use cameras with film

The mythical HP Dirty Chai machine brings pilgrims from far and wide

iPerf is a great way to cause AP meltdown

Roundtables are great, even if they take place at square tables

AirMagnet needs a laptop with a minimum of 8 USB ports to really rock it

Do not underestimate the power of Diet Snapple Peach Iced Tea

Hands-on demos rock the party

Fountain pens hold the key to my future lottery success

The Underhill account is alive and well at Antonella’s

Picking up the Tech Field Day tab is an expensive proposition at best

And so ends another fine day of tech-y fieldness in partly cloudy California.  Good times were had by all.  New friends were made.  Old friends were rekindled.  Alcohol was consumed on occasion.  Last but not least, knowledge was disseminated and consumed by all the delegates to be digested slowly over the course of the next few days, like a fine meal of gnocchi and cannolis.

I have a lot to write about and a lot to catch up on.  Thanks to the graciousness of the crew from Wireless Tech Field Day, I have the opportunity to learn more about something that interests me and can be useful to many.  I will spend the next few weeks talking about all the things I’ve learned in the past 48 hours and hopefully giving you some insights and discussion topics.

Tom’s Take

Tech Field Day isn’t about technology, or vendors, or fine Italian dining.  It’s about people.  Meeting great people and talking about topics ranging from wireless spectrum analyzation to animated GIF manufacturing is what really makes this event so special.  If you are at all interested in being involved, get over to the Gestalt IT website and let us know.  It’s the first step into a much more connected community and the kind of comradery that makes our little industry so much fun to be involved in.

Wireless Tech Field Day Recap: Day 1

Greg is unfamiliar with a substance known as “gravy”

Orville Redenbacher makes a tasty Wi-Fi interference detector

Metageek has the lunchbox all the kids at school want

Eating your own dogfood can be rough in beta

802.11u is something I need to research more

Devin Akin should be the new spokesman for Red Bull

Andrew looks stunning in gold and glitter

AP hide-and-seek works even better when the AP is turned on

One day, I will get to see the computers in the History Museum

Claire and Matthew love taking the scenic route

Tech Field Day Wireless Day 1 is in the books.  Lots of good info, amped presenters, and engaging demos all around.  I once again learned that I have a lot to learn, even about something I thought I was comfortable with.  The amount of knowledge that I am osmosing from the excellent delegates is going to give me a lot to think about and chew on for a while to come.  It’s a very different feel here versus TFD #5, what with all the wireless knowledge concentrated into one room.  Vertical Field Days are a hoot.

If you would like to follow along with the rest of the gang, there are several ways to get engaged.  You can head over to http://www.techfieldday.com and watch the live video stream to see if I’ve lost any more hair this time around.  You can also follow the official Tech Field Day twitter account @TechFieldDay for updates about what’s going on.  If you search for the hashtag #TechFieldDay on Twitter, you can see the delegates discussing the presentations in real time as well as seeing the feedback from the presenting companies.  If you have any questions or comments about what you see, don’t hesitate to use the #TechFieldDay hashtag to get our attention.  Don’t forget that Tech Field Day is as much about you as it is anything else.  The more knowledge that you can contribute to the gestalt, the better it gets.

Tips for Virtualizing Cisco Unified Communications Manager

I’ve seen a lot of chatter lately about virtualizing Cisco Unified Communications Manager (CUCM) and other applications on Twitter.  It seems that installing CUCM in a VM for the purposes of study or replicating a customer environment is a popular option, since the CUCM software can be powered up at will and doesn’t require a rack full of application servers.  However, when attempting to install CUCM in a VM, there are some things that need to be taken into consideration.  This isn’t necessarily going to be a step-by-step guide to the installation of a virtual CUCM system.  If you’re looking for that, I suggest you head over to http://www.blindhog.net and check out some of their excellent resources.  They even have some play-by-play videos that you can follow along with.  That being said, here are some things to keep in mind when virtualizing your CUCM cluster.

1.  Make sure your VM specs match the requirements. The biggest roadblock to the installation of CUCM in VMware is matching your server specs to the requirements.  For the installation of CUCM or Unity Connection, you are going to need to reserve a minimum of 2GB of RAM and a 72 GB hard disk.  Note that the RAM requirement is in addition to the RAM requirement of your workstation if you are installing your VM in VMware Workstation.  If the CUCM installer can’t see 2GB of RAM when it checks your hardware specs, it will quit and notify you that you don’t appear to be installing on a supported system.  Once you have completed the installation of CUCM, you can reduce the RAM of the VM to 1GB with no serious effects besides things running a little bit slower inside your CUCM environment.  If your laptop only has 2GB of RAM, it’s probably time for an upgrade if you want to try and run CUCM in VMware Workstation.  The hard disk requirements are just as strict.  72GB is the minimum needed for installation.  I’ve never really had any luck with using thin provisioning on the volume, so I always pre-allocate the space when I create the VM in order to be sure to not have any errors during installation.  For the record, if you are trying to install a CUCM Business Edition (CUCMBE) system in a VM, the minimum specs required are 6GB of RAM and 147GB of disk space.  Anything less will cause the installer to think you are installing on something other than a 7828 server and only offer you the choice of CUCM or Unity Connection, not the combined CUCMBE.  For the purposes of VM labbing and learning, it’s actually slightly more efficient to run CUCM and Connection in two separate VMs and integrate them together rather than using CUCMBE.

2.  Know the licensing caveats. Ever since CUCM 5.x was released, the reality of licensing has been present with us.  As I previously talked about, there are three types of licensing on a CUCM server.  Each of these licenses is tied to a MAC address.  In the versions of CUCM from 5.x all the way up to 7.0, this MAC address was the physical MAC address of the first NIC in the CUCM server.  If you wanted to install new licenses on the system, you had to ensure they were tied to the MAC of the first node, usually the publisher.  Once people started installing CUCM in a VM, which wasn’t officially supported in the 7.x train but was possible, it became apparent that a simple MAC licensing scheme wasn’t going to cut it any more, since a VM can be programmed with a specific MAC address fairly easily.  Around the time 7.1(2) was released, Cisco changed their licensing structure to use something called a “License MAC address”.  To prevent unscrupulous users from simply changing the MAC address of their VM and moving the system to new hardware, the License MAC performs a hash calculation of the following user-defined settings at install time:

  • Time zone
  • NTP server 1 (or “none”)
  • NIC speed (or “auto”)
  • Hostname
  • IP Address (or “dhcp”)
  • IP Mask (or “dhcp”)
  • Gateway Address (or “dhcp”)
  • Primary DNS (or “dhcp”)
  • SMTP server (or “none”)
  • Certificate Information (Organization, Unit, Location, State, Country)

Once these values are determined, a 12-character MAC-like address is kicked out and used for the MAC in the license files.  If you want to see what address is generated after installation time, you can run the show status command from the server CLI.  You can also use this handy answer file generator on Cisco’s website ahead of time.  That way, you can have your license MAC ready ahead of time in case you need to move your hardware.  In a lab scenario, however, you’re probably best to either make do with the demo license files that are installed with the basic CUCM system or have some other licenses rehosted on the new CUCM VM.  The demo license includes one node license and 150 Device License Units (DLUs) for phone registration, so they should cover most small deployments.  The only side effect is the presence of red text on the home page alerting you to the fact you are running your cluster on demo licensing.  If you want to implement a customer’s environment in a VM for testing, I’m not sure how you would do that if they have more than one CUCM node or more than 150 DLUs.  I’ve been asking Cisco about this for quite some time, but I haven’t found any answers yet.

3.  Be ready for the support issues. If you are trying to virtualize CUCM on any version prior to 8.x, you are going to find support hard to come by.  When the VM boots up, you need to agree to a notice telling you that this is not a supported scenario and no TAC assistance is available.  The SNMP service doesn’t work properly on the pre-8.x versions in VMware, so that function will be unavailable.  Most of the hardware related issues or strange error messages are hard to decode, and since most people doing this are learning CUCM for the first time, it can be mystifying to figure out if this message is something normal or something caused by VMware.   The best resource I’ve found is at the aforementioned http://www.blindhog.net website.  The comments on their virtualizing CUCM posts are almost like a set of forums for some of the error messages you might see.

As long as you keep these things in mind when going through your installation, you shouldn’t run into any premature issues.  Those can be saved for all the fun you’re going to run into once you get the server installed and are trying to figure out calling search spaces and media resource group lists.  If you have any questions about virtualizing CUCM, don’t hesitate to leave a comment.  I’m going to work on more scenarios for virtualizing CUCM, so hopefully I’ll have some more posts on this in the future.

Fruit Company Console: My Review of the Cisco Console Companion for iPad/iPhone

One of the major advantages to owning an iPad, or in some cases an iPhone, is that you have a mobile computer at your fingertips that is quite easy to carry around the datacenter or networking closet.  I have an iPad myself, and I find it very useful for documentation purposes.  Whether it be taking notes about the configuration of a specific device or looking up the PDF of a particular feature from Cisco’s website, the iPad has many uses.  However, if I find myself in need of connecting to a device such as a switch or a router, my iPad/iPhone options are limited.  I can use a telnet or SSH client to remote into the system, but if I don’t know the management IP or the username/password combination I can be sunk.  Or worse yet, if the switch has never been properly configured for remote access it becomes a moot point.  If I want to be able to use my trusty Cisco rollover console cable to get into the switch the old fashioned way, I have to lug out my behemoth Lenovo W701 laptop and get it ready, which can be quite an endeavor depending on the amount of room I have to work with or the amount of time that I’m going to spend consoled in, since my laptop has about 1.5 hours of battery life under the best of circumstances.  Add in the difficulties that I’ve faced with USB-to-serial adapters under Windows 7 64-bit and you can see why I’m reluctant to use the console.  However, there is hope for the best of these two worlds.

A company called Redpark has started selling a rollover cable with a 30-pin iDevice connector.  Engadget had a story about it HERE.  Naturally, I decided that I just had to have one of these.  You know…for work and stuff.  Anyway, I jumped right over to the Redpark website.  Hello sticker shock.  This baby is going to set you back a cool $69.  Add in more if you want shipping and handling (whatever that is), so expect to shell out about $80 to get it to your neck of the woods, more if you need to have one tomorrow.  That’s not all, folks!  Even if you do manage to get your hands on one of these little jewels, you still need an app to access the console.  Now those of you that looked at this excellent blog post by Ruhann about console access on a jailbroken iPad are all set.  The rest of us poor saps that haven’t jailbroken our iPads yet are in a bit of a lurch.  Fear not, because the company also has an official app on the App Store called Get Console (or Cisco Console Companion) that will give you console access.  For a measly $9.99.  After all, you’ve already spent $80 already, what’s a few dollars more?

Once my console cable arrived in the mail, I was a little underwhelmed by the packaging:

Not much to look at.  The contents of the box were even worse.  The console cable lovingly encased in bubble wrap, and this instruction sheet:

Bravo for making it straightforward and easy to read.  Off to the App Store to download my new app.  Except…”Cisco Console Companion” isn’t the official title of the app.  It’s “Get Console”, along with a big disclaimer that it is in no way associated with Cisco.  I’m guessing they had to use an alternate title in the app store because of some wonky trademark issues that Uncle John wasn’t too pleased about.  At any rate, it was a fast download and then I was off and running.

For the purposes of this test, I’m consoling into a Cisco Catalyst 3560 8-port switch.  Once I fired up the program, it popped up with a one-time reminder that it was only for Cisco devices and that it would check each device to ensure that it was a genuine Cisco product.  My best guess is this is there to prevent people from trying to use it as an Ethernet cable or something, because most reports I’ve seen say that it works just fine with any kind of device that uses a rollover cable, like Juniper, or HP, or what have you.  I didn’t test this out during my first run, but I will be testing it down the road on some of those devices.  Note that since it is an RJ-45 rollover cable, it can’t be used on RS-232 or null modem devices.  Oh well, time to upgrade those old switches anyway.  The cable itself feels rather thin, almost like a fiber patch cable rather than a flat rollover cable or even a UTP cable.  It’s about 6 feet long, so you don’t have to be right next to the device you’re trying to console into, but don’t expect to be programming from across the room.  Here’s a picture of the cable on top of my test switch:

My first encounter with the Get Console program led me to this screen:

Fairly utilitarian, but that’s fine by me.  I’m not really a “bells and whistles” kind of guy.  The bottom section of the screen is dominated by the on-screen keyboard, but that’s to be expected.  Just above that is a collapsible keyboard bar that lists some very useful control keys.  First is the all-important TAB key, which I’ve found sorely lacking on some of the telnet clients I’ve used.  TAB saves me a ton of time.  Next is the CTRL key, which when tapped toggles on and allows you to use CTRL+ shortcuts for moving around the command line or sending a CTRL+C or CTRL+Z to end.  Next is the BRK key, which sends an immediate break signal to the console.  Useful for those times when you need to enter ROMMON on bootup.  Next is everyone’s favorite question mark key.  Having it here is really helpful so that I don’t have to waste a keystroke getting to the number/symbol keyboard on the iPad.  This is followed by the up and down arrow keys, which are used to cycle through your command history forward and backward.  Lastly is a Return key, which I didn’t really use, since the iPad keyboard has one built in.

The upper right corner of the app replicates many of the same keys as the collapsible keyboard, along with a paper clip icon.  When you tap this, it pulls out a drawer that contains the contents of the clipboard.  You can paste those contents directly onto the command line.  So if you find yourself typing the same commands in over and over, this is a handy shortcut (there are others we’ll get to in a second).  As a quick note, while you can type in this clipboard, if you don’t copy the contents before pasting it will simply paste what was in the box before.  So be sure to copy before you paste.

The upper left includes the Settings button, the session button, the keyboard show/hide button, a button to show/hide the collapsible keyboard with the TAB and CTRL keys, and a file drawer for storing config files.  The settings button is very feature rich. You can choose to have the program automatically connect when it launches or wait for you to connect manually.  There are also settings to change the baud rate and stop bits, which really helps when you are connecting to some non-standard gear.  You can have the system log all of your console sessions, which can be stored in the filing cabinet for later examination.  You can change the number of columns and rows, as well as the amount of scrollback in the window.  Be aware that adding too many columns will mean you need to scroll the screen left or right to see the output, as it looks like the main window is about 80 columns wide.  You can change the bell that dings when you do something you aren’t supposed to, as well as changing the color scheme to something other than white-on-black text.  The font size slider doesn’t correspond to actual point sizes, so you might need to play around with it to find a comfortable setting.

The session button allows you to disconnect a console session manually as well as offering one of the added benefits of this program.  By signing up at http://www.get-console.com, you can add an option under settings to connect to a remote console server at that website.  You can then tap the session button and obtain a 7-digit access code that allows someone to access your console session from the Get Console webpage.  This is fairly handy if you have a junior administrator on site and need to walk them through a configuration.  Or if that same junior admin is in a network that is down, you can use a 3G iPad to connect to their console session and do some troubleshooting.  I had to play around with the settings in order to test this feature.  It looks like the app connects to the remote console server when you choose to share the session, and the access code allows the user on the website to connect in like a type of reverse telnet connection.  I couldn’t get the app to connect using the North America servers, but the Europe and Asia servers worked just fine.  However, the latency on these connections was pitiful.  Redraw on my screen could be measured in seconds.  I tried entering some commands on the webpage, but careful typing was enough to overrun the keyboard buffer for the app.  And if you’re going to try and look at live debugs, you might as well forget about it.  By the time you could send a break or “un all”, you’d be swamped in messages.  Better to use the web app as a mirroring device for training or for simple troubleshooting.  You can also choose to encrypt the sessions if you want, which is a pretty good idea if you don’t want everyone on the Internet up in your business.

The filing cabinet is another interesting piece.  By uploading configs to the Get Console website, you can store them in your filing cabinet to copy onto the device locally.  That way, if you have a template for your switches, you don’t need to worry about copying and pasting it out of an e-mail, where it may get buggered up by some strange formatting issues.  You can also have those pesky junior admins share an account and copy the configs to the filing cabinet for them, so all they have to do is walk out and plug in to set up the switch with enough config for you to be able to telnet to it.  There is local shortcut storage as well, so you can keep some of your more clever commands on your own iPad safe from those that could use them to do harm.  You can also store console logs for later upload or email.

Out of the box, the font size was downright tiny.  I had to bump the slider up to about 3/4ths of the way just to read it comfortably, and I was holding the iPad less than a foot from my face.  The keyboard was quite responsive, and the scrolling of the information was smooth and easy to follow.  The app is set up to beep at you when you try to use a key that isn’t supported, such as a down arrow at the prompt when there are no more commands to replay.  This feature is nice because it gives some feedback so you know when you’re beating your head against a brick wall.

In case you’re curious, this app is universal for both iPad and iPhone/iPod Touch.  But other than just glancing at the console I’m not sure how useful it’s going to be.  There isn’t much screen real estate to start with, and all the extra pieces don’t give you much room to look at things.  Here’s a screen shot to give you an idea of what I’m talking about:

Tom’s Take

It all comes down to money.  Is there enough utility in this cable and app for you to justify spending $100 on it?  Do you often find yourself in a network room with only your iPad and a switch that won’t respond to any other method of input?  I wouldn’t dream of trying to do any kind of heavy duty debugging on this device.  I’d rather have my full laptop with multiple apps and notepad windows to drag around to interpret console spam.  As well, any kind of programming that would require lots of time at the keyboard would probably get uncomfortable after a while, unless you’re one of those people that happens to like typing on the iPad on-screen keyboard.  I suppose you could haul along a wireless keyboard, but at that point you’re dragging along an awful lot of devices for simple console access.

I could see this being a useful tool for training or for an emergency tool kit.  Throw an iPad and a cable in your kit and you have instant access to the console of a device from anywhere in the world.  You could send the less-skilled network admins out on site and a more senior person could stay in the office and do some simple troubleshooting or configuration in order to get to the equipment through SSH or telnet.  The web piece, in my mind, is just too unresponsive to spend a lot of time on.  Plus, if you are a fast typist like I am, you’re going to get rather frustrated with the delay in command execution, if you don’t outright lock the system up with all the characters you’re throwing at it.

The app does what it says, there’s no denying that.  I find it very useful to have on my iPad and I’ll probably use it going forward for many of my walkthroughs and audits.  However, I think the $100 price tag is a little steep for something like this.  I hope that the price of the console cable will come down at some point, because $69 dollars for this is a bit of a stretch, even by Apple standards.  If there is enough demand, we may even see some other vendors get into the market and offer something like this.  If that happens, hopefully the Get Console people will support them as well.  I had hoped that maybe the software people could offer a gift card with the purchase of the cable, but I believe that they are two different companies so that’s probably out of the question.  Redpark could always throw in a $10 iTunes gift card if they want to soften the blow of needing the additional app to use the cable, but marketing isn’t my department.

All in all, I think I’m going to be able to find some use out of this app.  However, you really need to think twice about whether or not a C-note is worth giving up for this type of functionality.  If you want to learn more about these products, you can check out the console cable at http://redpark.myshopify.com/products/console-cable and you can check out the software program at http://www.get-console.com/

9.911 Ain’t A Joke In This Town

As one of those icky voice engine…rock stars that everyone always hears about then snickers quietly about, I spend a lot of time implementing phone systems all over the place.  I’m a firm believer in creating my own route patterns/dial peers instead of trying to untangle the knot of evil that is 9.@.  One of the questions that I bring up when talking about design with my customers is “How do you want to handle emergency calls?”.  For those in the USA, this corresponds to 911.  For my friends across the pond, this is 999.  I’m going to use 911 here, but feel free to replace it with 999 or whatever your emergency calling number happens to be.

When I ask this question, more often than not it is met with a reply of “What do you mean?” They’ve never really put any thought into emergency services.  My next question usually sounds like “How do you dial emergency services today?”  Usually people will rattle off ‘911’.  The smarter ones usually respond with, “Oh.  I see.”  They picked up on the fact that dialing emergency services in a PBX environment isn’t always straight forward.

911 is easy enough to program into the phone system.  However, I’ve been asked to leave it out sometimes.  People in certain cases have a tendency to start dialing and forget what the number they were trying to call was.  They dial ’91’ then look back at the paper the telephone number was written on.  As soon as they realize it is a long distance telephone call, they dial an additional ‘1’.  When that happens, before they can dial any additional numbers, the dial peer for ‘911’ is matched and immediately sends those digits to the PSTN, where a friendly emergency services operator answers even if the customer hangs the phone up immediately.  In these cases, if the “Urgent Priority” checkbox is marked in the route pattern, the interdigit timeout is ignored and the call completes immediately.  You can’t hang up fast enough to avoid calling emergency services. I bolded that statement because it’s very important.  If you hang up the phone, the 911 operator will still get your Automatic Number Identification (ANI) information.  What they do with it is up to the policy set by the individual emergency department.  You can see the National Emergency Number Association (NENA) guidelines HERE (PDF Warning).  Many operators will attempt to call you back right away.  Others will dispatch emergency services to the address listed in the Public Safety Answering Point (PSAP) database for the given ANI information.  At any rate, the operator has to ensure the call wasn’t genuine and they work from the assumption it was an emergency call.  As a quick aside, if you do accidentally dial 911/999, stay on the line and explain what you did.  If you fess up, they will be much less grumpy.

With ‘911’ removed from the system as a route pattern because of the above situation, that leaves ‘9.911’ as the access code for emergency services.  Most people feel more comfortable with this solution, since people will avoid the accidental 911 call if they have to press ‘9’ twice to get there.  And in 90% of the cases, this is effective.  However, allow me to paint a hypothetical picture:

I have a young son.  I’ve taught him that if he ever needs the police or if someone is very badly hurt he should dial 911 on the telephone.  Imagine I bring my son to work with me one Saturday morning for some reason.  As we are sitting in the office, I fall over suffering from a heart attack or stroke or some other malady that prevents me from telling my son what to do.  He realizes that Daddy is hurting and needs to dial ‘911’ to get an ambulance.  However, in this office ‘911’ isn’t a valid route pattern due to accidental calls.  My son tries and tries to get the doctors to come help Daddy, but the amount of time that elapses is just too great for help to arrive…

Depressing, isn’t it?  My son isn’t alone.  A great number of people are unreliable when it comes to stress.  They break down and start crying when faced with a stressful situation.  Or they freeze up and don’t act.  Or worse, they lose their minds and start acting on bad instincts, or training for something from 20 years ago.  As a rule, you can never count on what people are going to do in a stressful situation.  In addition, is there additional liability in this case for the company that impeded the ability for me to be saved by restricting the availability of emergency services?  Laugh if you will, but it has come up in courts of law before, so there is precedent for a civil suit if not a criminal case. So what’s the answer?

Tom’s Take

In all my phone systems, I configure both 911 and 9.911.  Being the eternal optimist, I leave nothing to chance and don’t rely on anyone’s bad judgment or stress to prevent the possibility of help reaching those most in need of care.  I look at accidental 911 calls as a training issue to be dealt with.  I train my users to stay on the phone and inform the emergency personnel that they made a mistake.  Usually, there will be a couple of questions asked to verify the identity of the caller, and in some rare cases even non-emergency personnel may be dispatched at a later time to confirm everything.  But that is a small price of time to pay versus the possibility of a fine, which has been suggested by emergency departments in many cases where there have been repeated accidental 911 calls followed by hang-ups.
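The digit-by-digit matching behind this post's scenarios, as an added example (not from the original post and not Cisco code): a simplified Python model in which the route patterns, labels and the closest-match tie-break are assumptions made for illustration. It goes beyond the single misdial described above by running the same 9-1-1 keypresses against four constructed dial plans, including one with only 9.911.

```python
"""Simplified digit-analysis model (added example, not Cisco code)."""
from collections import namedtuple
from math import prod

RoutePattern = namedtuple("RoutePattern", "pattern label urgent")
Decision = namedtuple("Decision", "action label digits")
DIGITS = set("0123456789")


def expand_set(body):
    """Expand the inside of a bracket set such as '2-9' or '0-46'."""
    allowed, i = set(), 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            allowed.update(str(d) for d in range(int(body[i]), int(body[i + 2]) + 1))
            i += 3
        else:
            allowed.add(body[i])
            i += 1
    return allowed


def compile_pattern(pattern):
    """Return one set of allowed keys per dialed position ('.' is only a separator)."""
    slots, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":
            end = pattern.index("]", i)
            slots.append(expand_set(pattern[i + 1:end]))
            i = end + 1
            continue
        if ch == "X":
            slots.append(DIGITS)
        elif ch in DIGITS or ch in "*#":
            slots.append({ch})
        elif ch != ".":
            raise ValueError(f"unsupported wildcard {ch!r} in {pattern!r}")
        i += 1
    return slots


def match_state(slots, dialed):
    """'full' on an exact match, 'partial' if dialed is a proper prefix, else 'none'."""
    if len(dialed) > len(slots) or any(d not in s for d, s in zip(dialed, slots)):
        return "none"
    return "full" if len(dialed) == len(slots) else "partial"


def analyze(plan, keypresses):
    """Feed keypresses one at a time and report when and where the call routes."""
    compiled = [(p, compile_pattern(p.pattern)) for p in plan]
    dialed, full = "", []
    for key in keypresses:
        dialed += key
        states = [(p, s, match_state(s, dialed)) for p, s in compiled]
        # Assumed tie-break: the pattern that could match the fewest numbers wins.
        full = sorted((t for t in states if t[2] == "full"),
                      key=lambda t: prod(len(slot) for slot in t[1]))
        partial = [t for t in states if t[2] == "partial"]
        urgent = [t for t in full if t[0].urgent]
        if urgent:                    # Urgent Priority: route without waiting
            return Decision("route_now", urgent[0][0].label, dialed)
        if full and not partial:      # nothing longer could still match
            return Decision("route_now", full[0][0].label, dialed)
        if not full and not partial:  # no pattern can match any more
            return Decision("block", None, dialed)
    if full:                          # caller stopped; interdigit timer expires
        return Decision("route_after_timeout", full[0][0].label, dialed)
    return Decision("incomplete", None, dialed)


# Constructed dial plans for the demonstration (patterns and labels are examples).
E911 = RoutePattern("911", "emergency 911", True)
E911_NOT_URGENT = RoutePattern("911", "emergency 911", False)
E9911 = RoutePattern("9.911", "emergency 9.911", True)
LD_LOOSE = RoutePattern("9.1XXXXXXXXXX", "long distance", False)
LD_NANP = RoutePattern("9.1[2-9]XX[2-9]XXXXXX", "long distance", False)

SCENARIOS = {
    "both emergency patterns, urgent": [E911, E9911, LD_LOOSE],
    "911 not urgent, loose LD pattern": [E911_NOT_URGENT, E9911, LD_LOOSE],
    "911 not urgent, NANP LD pattern": [E911_NOT_URGENT, E9911, LD_NANP],
    "9.911 only": [E9911, LD_NANP],
}


def run_misdial():
    """Caller presses 9, 1, 1 and then stops, under each constructed plan."""
    return {name: analyze(plan, "911") for name, plan in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_misdial().items():
        print(f"{name:34} -> {decision}")
```

In this model the only plan that gives the caller a chance to keep dialing after 9-1-1 is the one with a non-urgent 911 pattern overlapping a loosely written long-distance pattern, and the plan with only 9.911 blocks a plain 911 call outright.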

Should I ever find myself hauled before a judge and jury to testify as an expert witness or worse, the implementer of the system in question, I want to be able to answer truthfully that I configured every possible avenue for support to arrive to assist those who needed it.  I don’t want to think that my actions or inactions caused someone to suffer grave harm or even death.

So if you find yourself having a conversation with someone about implementing a 911 dial peer or route pattern, make sure to bring up all the ramifications and repercussions of leaving off one pattern or the other.  If they make the decision to leave one out anyway, make absolutely sure it is documented in writing somewhere so any later investigation shows that you as the provider/implementer raised all the possible objections first.  You’ll save yourself a ton of headaches down the road.

And those vendors that tell you that physical phones are long dead and that soft clients rule the landscape now?  Just ask them this question: “How am I supposed to dial 911 at Fred’s desk if I don’t know the password to unlock his workstation and use his softphone?  How will my 5-year-old do it when he doesn’t know how to type?”  Chances are you’ll be met with silence.  Ain’t no joke there.