Here is a quick template you can use to slap into your systems on the router side.
So this works with Cisco ACS v4.2. I have not yet tried with Cisco ACS 5.0. If I do, I will surely post another update on how-to:

Cisco ACS v4.2 Setup Required:
————————————————
Step 1: Interface Configuration
Step 2: TACACS+ (CISCO IOS)
Step 3: New Services, Fill in an empty box. Put text under SERVICE [junos-exec], PROTOCOL is blank. Check box User, Group, or both if you wish.
Step 4: Click Group or User (whatever you want to select to access and pass the attribute).
Step 5: Scroll all the way down, find your custom attribute. Usually it is right below “PIX SHELL” and “COMMAND AUTHORIZATION SET”.
Step 6: Check box [x] Junos-Exec
Step 7: Check box [x] Custom Attributes
Step 8: In blank box type “local-user-name=tier3″
(Or whatever username configured with the permissions you desire. In my example, I’m giving a group called “Network Engineering” inside ACS v4.2 and binding to a username called “tier3″ configured locally in JUNOS which will give full permissions.)
Step 9: Click Submit, you’re done!

JunOS Configuration:

-------------------------------------
Configuration for JUNOS, in set-based command syntax: (easier to copy/paste)
-------------------------------------
set system domain-name siriuspackets.com
set system time-zone PST8PDT
set system no-redirects
set system authentication-order tacplus
set system authentication-order password
set system location country-code US
set system diag-port-authentication encrypted-password "$1$Q5ws2ZU6$2SM3LYp.SofK8L0F2x9JB0"
set system root-authentication encrypted-password "$1$qgiq97UM$ZN4N2juIsk3Bzc9gKj7z10"
set system tacplus-server 10.56.0.35 secret "$9$PfQnCtuORSk.1hcyW8Ndbs2oJZU"
set system tacplus-server 10.56.0.35 timeout 3
set system tacplus-server 10.56.0.35 single-connection
set system tacplus-server 10.56.0.35 source-address 10.56.48.252
set system tacplus-server 10.59.32.26 secret "$9$vhv87d2gJjkPuO87VbaJFn6/p0"
set system tacplus-server 10.59.32.26 timeout 3
set system tacplus-server 10.59.32.26 single-connection
set system tacplus-server 10.59.32.26 source-address 10.56.48.252
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 10.56.0.35 secret "$9$lHneMX-VwYoGcygJZU.mQFn/Cp0O1"
set system accounting destination tacplus server 10.56.0.35 timeout 3
set system accounting destination tacplus server 10.56.0.35 single-connection
set system accounting destination tacplus server 10.56.0.35 source-address 10.56.48.252
set system accounting destination tacplus server 10.59.32.26 secret "$9$RLzESeWLxNb2O1dsYgUDqmfTzn/9A"
set system accounting destination tacplus server 10.59.32.26 timeout 3
set system accounting destination tacplus server 10.59.32.26 single-connection
set system accounting destination tacplus server 10.59.32.26 source-address 10.56.48.252
set system login message "+-------------------------------------------------------------------------------+\n|This system contains confidential and copyrighted information and is for the |\n|use of authorized users only. |\n| |\n|Users are subject to all applicable laws, regulations, and policies, including |\n|intellectual property laws and affiliate compliance rules. |\n| |\n|Any person using this system acknowledges that all information on the system, |\n|including e-mail,instant messages, and personal files, constitute property |\n|belonging to the company. Users are subject to having any of their activities |\n|on this system monitored and recorded. Anyone using this system expressly |\n|consents to such monitoring and recording. |\n| |\n|Users are advised that any activity, improper or not, may be investigated, and |\n|acted upon by the company. This may RESULT IN DISCIPLINE INCLUDING TERMINATION |\n|OF EMPLOYMENT; and may be provided to the appropriate outside authorities for |\n|prosecution or other action. \n+-------------------------------------------------------------------------------+\n;;"
set system login class tier1 idle-timeout 15
set system login class tier1 permissions configure
set system login class tier1 permissions firewall
set system login class tier1 permissions interface
set system login class tier1 permissions network
set system login class tier1 permissions routing
set system login class tier1 permissions snmp
set system login class tier1 permissions system
set system login class tier1 permissions trace
set system login class tier1 permissions view
set system login class tier2 idle-timeout 15
set system login class tier2 permissions admin
set system login class tier2 permissions clear
set system login class tier2 permissions configure
set system login class tier2 permissions firewall
set system login class tier2 permissions firewall-control
set system login class tier2 permissions interface
set system login class tier2 permissions interface-control
set system login class tier2 permissions maintenance
set system login class tier2 permissions network
set system login class tier2 permissions reset
set system login class tier2 permissions rollback
set system login class tier2 permissions routing
set system login class tier2 permissions routing-control
set system login class tier2 permissions secret
set system login class tier2 permissions snmp
set system login class tier2 permissions snmp-control
set system login class tier2 permissions system
set system login class tier2 permissions system-control
set system login class tier2 permissions trace
set system login class tier2 permissions trace-control
set system login class tier2 permissions view
set system login class tier3 idle-timeout 15
set system login class tier3 permissions all
set system login user admin full-name Administrator
set system login user admin uid 2000
set system login user admin class tier3
set system login user admin authentication encrypted-password "$1$M/mNXiic$d.kTXwN73Gqax9KCfIeeY/"
set system login user tier1 uid 2001
set system login user tier1 class tier1
set system login user tier2 uid 2002
set system login user tier2 class tier2
set system login user tier3 uid 2003
set system login user tier3 class tier3
set system login password minimum-length 6
set system login password maximum-length 20
set system login password minimum-changes 2
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 10
set system services telnet
set system services netconf ssh
set system syslog archive size 1m
set system syslog archive files 10
set system syslog user * any emergency
set system syslog host 10.56.97.10 any info
set system syslog host 10.56.97.10 log-prefix JuniperJunOS
set system syslog host 10.56.97.10 explicit-priority
set system syslog file messages any notice
set system syslog file messages authorization none
set system syslog file messages firewall none
set system syslog file messages interactive-commands none
set system syslog file messages explicit-priority
set system syslog file interactive-commands interactive-commands any
set system syslog file snmp-critical-traps daemon critical
set system syslog file security authorization info
set system syslog file firewall firewall any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE"
set system syslog file default-log-messages structured-data
set system syslog source-address 10.56.48.252
set system commit synchronize
set system ntp boot-server 192.43.244.18
set system ntp server 192.43.244.18
set system ntp source-address 10.56.48.252

WS-X6708-10G-3C:

 wrr-queue bandwidth 30 40 30 0 0 0 0
 priority-queue queue-limit 30
 wrr-queue queue-limit 70 20 10 0 0 0 0
 wrr-queue random-detect min-threshold 1 80 80 80 80
 wrr-queue random-detect min-threshold 2 80 80 80 80
 wrr-queue random-detect min-threshold 3 80 80 80 80
 wrr-queue random-detect max-threshold 1 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100
 wrr-queue cos-map 1 1 0 1
 wrr-queue cos-map 2 1 2 3
 priority-queue cos-map 1 4 5
 mls qos trust dscp

WS-X6704-10GE:

 wrr-queue bandwidth 30 40 30 0 0 0 0
 priority-queue queue-limit 30
 wrr-queue queue-limit 70 20 10 0 0 0 0
 wrr-queue random-detect min-threshold 1 80 80 80 80 80 80 80 80
 wrr-queue random-detect min-threshold 2 80 80 80 80 80 80 80 80
 wrr-queue random-detect min-threshold 3 80 80 80 80 80 80 80 80
 wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue cos-map 1 1 0 1
 wrr-queue cos-map 2 1 2 3
 priority-queue cos-map 1 4 5
 mls qos trust dscp

More to follow…

Packet Tracer 5.1 is the latest version of Cisco’s simulation software. The main objective of Packet Tracer is to serve as a support tool for the Cisco Academy. This tool is extremely useful for both students and teachers. Basically, Packet Tracerallows you to build a network with a range of simulated “real-life” equipment (Cisco equipment, of course), so different configuration options can be tested. You get a range of routers, switches, end-client systems and connections to build the simulated network. The operating systems of the routers and even some portions of PC’s are also simulated. This way, users can learn to configure routers and see the changes they make on the networks.

Teachers can even make an interactive test using the program, which can be graded immediately by the program. It is one of the most complete tools for network learning; however, it can also help simulate and assess equipment options for real networks. It is really a tool to have; however, in order to download it from the original site, you need a Cisco Academy account, but the program has a free license.

packettracer51_setupexe educational purposes only. download

Global Commands:

ip dhcp snooping vlan 200,500,502,648,652-653,700-716,720-736,750-766,770-786
ip dhcp snooping

Interface Commands (Applied on UPLINKS to other switches ONLY):

!
interface GigabitEthernet2/1
 switchport
 switchport nonegotiate
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ip dhcp snooping trust
!

Everyone says EIGRP metric is based off bandwidth (BW) and delay (DLY), which are values determined “per-interface” as shown below in bold:

EIGRP Algorithm / Formula:
Composite Metric = 256 * ([K1 * BW + K2 * BW/(256-Load) + K3 * DLY] * [K5/(RELY + K4)])

Default EIGRP K-Values are K1=1, K2=0, K3=1, K4=0, K5=0.  To modify the or change the K values for calculation to include the other non-default variables you input the command below:

What they don’t really emphasize and its important for the formula!

The bandwidth (BW) and delay (DLY) values are based on a “scaled average”.

Bandwidth for EIGRP = (10⁷ / Interface Bandwidth)
Delay for EIGRP = (Interface Delay in usec / 10)

So the formula ends up being Metric = 256( (10,000,000/ BW) + (DELAY/10)).
To modify any EIGRP K-values to use more variables, enter command shown below:

CRNARVSDRR02(config-router)#metric weights ?
<0-8>  Type Of Service (Only TOS 0 supported)

CRNARVSDRR02(config-router)#metric weights 0 ?
<0-255>  K1

CRNARVSDRR02(config-router)#metric weights 0 1 ?
<0-255>  K2

CRNARVSDRR02(config-router)#metric weights 0 1 0 ?
<0-255>  K3

CRNARVSDRR02(config-router)#metric weights 0 1 0 1 ?
<0-255>  K4

CRNARVSDRR02(config-router)#metric weights 0 1 0 1 0 ?
<0-255>  K5

CRNARVSDRR02(config-router)#metric weights 0 1 0 1 0 0 ?
<cr>

CRNARVSDRR02(config-router)#metric weights 0 1 0 1 0 0

After a few hours of thinking in my private office with a magazine, I realized… crap, this is an MPLS-enabled data center… from source IP: 10.10.12.0/24 to destination: 10.20.20.0/24 is applied an MPLS label and switched instead of IP routed towards the destined network.

MPLS Shim Header

So that means there is an extra SHIM HEADER between L2 and L3… if WCCP gets redirected based on IP, then uhh… crap, it never will see the IP header because the CORE is reading the MPLS LABEL when the ACCESS pushed a label as the IP packet came ingress into VLAN12 on ACCESS switches. Bingo!!! This was the reason why WCCP wasn’t redirecting anything behind my CORE switches in the data center.

Solution: I had to remove MPLS-TE paths from source 10.10.12.0/24 towards 10.20.20.0/24 with a special policy, everything else gets label switched as usual. I really hate doing these “one-off” type configurations but it was the only way I could get WCCP working to the WAAS units in an MPLS enabled data center environment.  I really do hope Cisco IOS supports MPLS labels in WCCP in the future…. After my fix, I was successfully seeing “optimized” connections in both source/destination WAAS boxes. No more MPLS shim header, so WCCP was able to read the IP header to redirect transparently.

WAAS with MPLS-enabled Data Center

Please make sure to setup all of the local functionality of the CME before trying to setup the SIP Trunks.

When you are ready to setup the SIP trunks, the first thing you wll need to do is setup a translation rule. The translation rule will help you structure how outbound calls are dialed and sent to any 3rd Party SIP provider for trunking services. Read on…

Translation Rule:

voice translation-rule 3
rule 1 /^9\(…….\)$/ /+1626\1/
!– Local Calling “626″ is the local area code
rule 2 /^9\(……….\)$/ /+1\1/
!– 10 Digit Calling adds “+1″
rule 3 /^9\(.*\)$/ /+\1/
!– 11 Digit Dialing adds “+”
rule 4 /^9\(………..\)$/ /+\1/
!– Catch-all
rule 5 /^9011\(.*\)$/ /+\1/
!– International Dialing strips the “011″ and adds “+”

Configuration of a translation-profile that ties a multiple translation-rule behavior

Translation-Profile:
(I’m still testing this. there is a difference between “translation-rule” and “voice translation-rule” commands for voip-to-voip vs. voip-to-pots)

voice translation-profile SIP-OUTBOUND
translate calling 2
translate called 1
translate redirect-target 3
translate redirect-called 3

The Dial-Peer is next. It is where the acctual trunk information is setup.

Dial-Peer:

dial-peer voice 1 voip
description ** Outgoinging call to SIP trunk **
translation-profile outgoing SIP-OUTBOUND
destination-pattern 9[2-9]……T
voice-class codec 1
!– force dial-tones to pass inband in the SIP control channel, otherwise the tones don’t get sent across properly for IVRs –!
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target ipv4:216.82.224.202
!– This is the IP address of your SIP provider’s server (bandwidth.com, etc) –!
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
clid network-number 6265551212
!– This is how you setup for a global outbound callerID, only if your SIP provider allows –!
no vad

Now here is a sample of how to configure a user phone:

ephone-dn 1 dual-line
number 1212 secondary +16265551212
!– Make sure you insert the “+1″ into the number in order to recognize inbound calls. –!
label 6265551212
description Temp User
name Temp User
call-forward noan 6000
!– timeout 10 This is to call FWD no Answer to VM @ extension 6000 –!
corlist incoming user900-international

SIP User Agent:
Registration to the SIP proxy server –

sip-ua
! — authentication to for SIP registration –!
credentials username password realm
! — authentication for SIP proxy when connecting calls –!
authentication username password realm
no remote-party-id
! — optional: this line below tells your SIP server the caller-id to send to the called number –!
calling-info sip-to-pstn number set
! — optional: what is received on YOUR IP phone’s caller-id display for incoming calls from SIP server –!
! — note: if you set these calling-info commands, it rewrites the caller-id info so you won’t see who’s the original caller –!
calling-info pstn-to-sip from number set
retry invite 2
retry register 10
timers connect 100
registrar dns:sip3.voipvoip.com expires 3600
sip-server dns:sip3.voipvoip.com
notify telephone-event max-duration 500
host-registrar
presence enable

aaa-server cisco protocol ldap
aaa-server cisco host 192.168.10.100 (#1)
  ldap-base-dn DC=yourdomainname,DC=com (#2)
  ldap-scope subtree
  ldap-naming-attribute samAccountName
  ldap-login-password adminpass (#3)
  ldap-login-dn CN=Administrator,CN=users,DC=yourdomainname,DC=com (#4)
tunnel-group mytunnelgroup general-attributes
  authentication-server-group cisco (#5)

#1 – replace 192.168.10.100 with the ip address of your aaa-server
#2 – this is where the asa is going to start its search for users it needs to authenticate. In my example we start at the top of the heirarchy (yourdomainname.com)
#3 – you need to have an administrative user setup on you AD so that we can bind with the AD and send user authentication requests. This is the password the admin user has.
#4 – This is the complete string of the admin user. To get the complete string go to the AD box, open a command prompt and run the dsquery command on the admin username (the asterisks broaden the search) dsquery user -name *Administrator*
#5 – replace mytunnelgroup with the name of your vpn tunnel-group
Now authentication is done via group attributes in AD in most instances via the dialin attributes msallowdialin attribute and using tunneling protocols attribute but I have some customers that would like to use the memberof attribute instead so that they can prevent members of other AD groups from connecting to the ASA…this can be done using LDAP schema 65 attribute mapping…for instance…the ASA/PIX uses the Cisco LDAP attribute
ASA5505-IETF-Radius-Class to enforce policies from a specific group-policy for Remote Access VPN sessions (IPSec, SVC, WebVPN or Clientless). The LDAP attribute (65) is equivalent to Radius Class (25) attribute.
On the ASA create an ldap-attribute-map with  the minimum mapping and associate it with the ldap aaa-server.

5500-1(config-aaa-server-host)# show runn ldap
!
ldap attribute-map Map1
map-name  memberOf ASA5505-IETF-Radius-Class
map-value memberOf CN=AD-Group1,CN=Users,DC=CompanyA,DC=com ASA-Group1-Allow-Access
map-value memberOf CN=AD-Group2,CN=Users,DC=CompanyA,DC=com ASA-Group2-Deny-Access
!
5500-1(config-aaa-server-host)# 

OK so what is being enforced with the above mapping?
1) user1 in AD group AD-Group1 will be placed-landed on ASA group-policy ASA-Group1-Allow-Access. In this ASA group then you can set vpn-tunnel-protocol to allow only svc and webvpn types for example.
2) user2 in AD group AD-Group2 will be placed-landed on ASA group-policy ASA-Group2-Deny-Access. In this ASA group then you can set vpn-tunnel-protocol to allow only ipsec types for example. Therefore svc/webvpn types would be disallowed.
Note: If the AD user is part of multiple AD groups, make sure the AD user’s memberof/group of interest is at the top of the list ,since as of 7.2.x , the appliance only enforces the 1st memberOf attribute that is parsed. The single AD group (memberOf) limitation has been removed in 8.0 where the ASA is able to make policy decisions based on multiple AD groups.

So since I am not consulting there anymore, I wasn’t able to get IP phone service anymore. My connection to their Cisco Call Manager box was about to be terminated… what do I do now I ask myself. I still want to use Cisco VoIP at home because I had a nice intercom and paging system so I didn’t have to scream for my girlfriend across the house to bring my food over to the office.  So I did some research and seen some things about low cost or even free SIP service.  I ended up going with a SIP provider from “voipvoip.com” because they were offering $6.95/month BYOD (bring your own device) which I had my trusty Cisco 2811 that included unlimited incoming minutes and 1.9 cents/minute outbound.  The KEY part I wanted was having simultaneous channels inbound and outbound so I can have conference bridges with my Cisco MeetingPlace Express server I will be setting up later.  I was allowed up to 2 channels incoming and 4 channels outgoing. Cool right?  So its a typical pay-as-you-go plan… I will start off with this and see how my monthly bills are later.

Heres the problem…. as I was browsing the company support pages, I noticed there weren’t any configuration guides for CISCO. There was stuff for Asterisk, TrixBox, 3CX, and a few others such as SIP phones, etc.   Then I thought, no problem… I will google this and find some sample configurations to a 3rd party SIP proxy server with some sample dial-peer templates and Im good to go.   A few hours later, I discovered that (1) this sample config does not exist or (2) it is really difficult to find perhaps because not many people do this? or (3) I just really stink in googling.  I like to think it is #1 and #2.

So here is my sample configuration that I have implemented to help those that are looking for or wanting a similar setup with Call Manager Express.
I am running CME 7.1 and am in process of setting up my Cisco Unity Express NM (NM-CUE) module with a Cisco MeetingPlace Express server. I will definitely write about that as I configure those in the weeks ahead.

SIP VoIP Network

Current configuration : 15683 bytes
!
! Last configuration change at 17:27:51 PDT Sun Mar 22 2009
! NVRAM config last updated at 17:27:52 PDT Sun Mar 22 2009
!
version 12.4
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname CME-2811-ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 32768
enable secret 5
!
no aaa new-model
clock timezone PDT -7
!
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.11.1 192.168.11.64
ip dhcp excluded-address 192.168.11.240 192.168.11.255
ip dhcp excluded-address 192.168.10.1 192.168.10.64
ip dhcp excluded-address 192.168.10.240 192.168.10.255
!
ip dhcp pool WIRELESS-DHCP
import all
network 192.168.11.0 255.255.255.0
update dns both
default-router 192.168.11.1
dns-server 68.238.64.12 68.238.128.12
option 150 ip 10.1.231.1
!
ip dhcp pool INTERNAL-DHCP
import all
network 192.168.10.0 255.255.255.0
update dns both
default-router 192.168.10.1
option 150 ip 10.1.231.1
dns-server 68.238.64.12 68.238.128.12
!
!
ip domain name siriuspackets.com
ip name-server 4.2.2.4
ip name-server 68.238.64.12
ip multicast-routing
ip multicast multipath
no ipv6 cef
ntp source FastEthernet0/1
ntp update-calendar
ntp server ntp-01.caltech.edu
ntp server time7.apple.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
codec preference 3 g711alaw
codec preference 4 g729br8
!
!
!
!
!
!
!
!
!
!
!
!
!
voice hunt-group 1 parallel
final 6000
list 801,802,803,804,805,806,807,808
timeout 20
pilot 800
!
!
!
voice translation-rule 1
rule 1 /^911$/ /911/
rule 2 /^9(.*)/ /1/
!
voice translation-rule 2
rule 1 /^.*/ /5551234567/
!
!
voice translation-profile PSTN-FORWARDING
translate redirect-target 3
translate redirect-called 3
!
voice translation-profile PSTN-OUTGOING
translate calling 2
translate called 1
translate redirect-target 3
translate redirect-called 3
!
!
voice-card 0
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto ipsec transform-set TS-IPSEC-SET esp-aes esp-sha-hmac
!
!
!
!
ip telnet source-interface FastEthernet0/1
ip ftp source-interface FastEthernet0/1
ip tftp source-interface FastEthernet0/1
ip ssh version 2
!
class-map match-any CM-CRITICAL-APPS
match access-group 2000
class-map match-any CM-VOICE-CONTROL
match dscp cs3
match dscp cs5
match ip dscp af31
match ip dscp af32
class-map match-any CM-CRITICAL-DATA1
match dscp af42
match protocol ipsec
class-map match-any CM-CRITICAL-DATA2
match dscp af43
class-map match-any CM-NETWORK-MGMT
match protocol icmp
match protocol telnet
class-map match-any CM-VOICE
match dscp ef
match ip dscp cs5
match ip dscp ef
!
!
policy-map PM-WAN-EDGE-OUT
class CM-VOICE
priority percent 30
class CM-VOICE-CONTROL
bandwidth percent 10
class CM-CRITICAL-DATA1
bandwidth percent 20
random-detect dscp-based
class CM-CRITICAL-DATA2
bandwidth percent 36
random-detect dscp-based
class class-default
fair-queue
random-detect
policy-map PM-LAN-EDGE-IN
class CM-NETWORK-MGMT
set dscp af42
class CM-CRITICAL-APPS
set dscp af43
class CM-VOICE
class CM-VOICE-CONTROL
class class-default
set dscp default
!
!
translation-rule 3
Rule 1 ^91……. 1
Rule 2 9…… 1626
Rule 3 6000 6265551212
!
!
!
!
!
interface Loopback0
ip address 10.1.231.1 255.255.255.255
ip pim sparse-mode
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip flow ingress
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
service-policy input PM-LAN-EDGE-IN
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.11.1 255.255.255.0
ip flow ingress
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
bandwidth 25000
ip address dhcp
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-mode
ip nat outside
ip virtual-reassembly
ip igmp query-interval 5
load-interval 30
duplex auto
speed auto
max-reserved-bandwidth 100
service-policy output PM-WAN-EDGE-OUT
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface FastEthernet0/0.10
network 192.168.1.0
network 192.168.10.0
network 192.168.11.0
maximum-paths 16
no auto-summary
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http access-class 10
no ip http secure-server
ip http path flash:/gui
!
!
no ip pim dm-fallback
ip pim send-rp-announce Loopback0 scope 16
ip pim send-rp-discovery Loopback0 scope 16
ip nat inside source list INTERNAL-NET interface FastEthernet0/1 overload
!
!
ip access-list extended INTERNAL-NET
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
!
access-list 2000 remark //PERMIT-QOS-CRITICAL-APPS//
access-list 2000 permit tcp any any eq 3389
access-list 2000 permit tcp any any eq telnet
access-list 2000 permit tcp any any eq 22
access-list 2500 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 2500 permit ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 2500 permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 2500 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 2500 permit ip 192.168.10.0 0.0.0.255 172.200.0.0 0.0.255.255
access-list 2500 permit ip 192.168.10.0 0.0.0.255 224.0.0.0 15.255.255.255
access-list 2500 permit ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 2500 permit ip 192.168.11.0 0.0.0.255 224.0.0.0 15.255.255.255
!
!
!
!
!
tftp-server flash:apps75.8-4-1-23.sbn
tftp-server flash:cnu75.8-4-1-23.sbn
tftp-server flash:cvm75sccp.8-4-1-23.sbn
tftp-server flash:dsp75.8-4-1-23.sbn
tftp-server flash:jar75sccp.8-4-1-23.sbn
tftp-server flash:SCCP75.8-4-2S.loads
tftp-server flash:term61.default.loads
tftp-server flash:WLAN-1.2.1.SBN
tftp-server flash:TNUX-1.2.1.SBN
tftp-server flash:TNUXR-1.2.1.SBN
tftp-server flash:APPS-1.2.1.SBN
tftp-server flash:GUI-1.2.1.SBN
tftp-server flash:SYS-1.2.1.SBN
tftp-server flash:term75.default.loads
tftp-server flash:CP7921G-1.2.1.LOADS
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x212x12/CampusNight.png
tftp-server flash:Desktops/320x212x12/CiscoFountain.png
tftp-server flash:Desktops/320x212x12/MorroRock.png
tftp-server flash:Desktops/320x212x12/NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/TN-CampusNight.png
tftp-server flash:Desktops/320x212x12/TN-CiscoFountain.png
tftp-server flash:Desktops/320x212x12/TN-Fountain.png
tftp-server flash:Desktops/320x212x12/TN-MorroRock.png
tftp-server flash:Desktops/320x212x12/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x12/Fountain.png
tftp-server flash:Desktops/320x212x12/CiscoLogo.png
tftp-server flash:Desktops/320x212x12/TN-CiscoLogo.png
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:gui/admin_user.html
tftp-server flash:gui/admin_user.js
tftp-server flash:gui/CiscoLogo.gif
tftp-server flash:gui/Delete.gif
tftp-server flash:gui/dom.js
tftp-server flash:gui/downarrow.gif
tftp-server flash:gui/ephone_admin.html
tftp-server flash:gui/logohome.gif
tftp-server flash:gui/normal_user.html
tftp-server flash:gui/normal_user.js
tftp-server flash:gui/Plus.gif
tftp-server flash:gui/sxiconad.gif
tftp-server flash:gui/Tab.gif
tftp-server flash:gui/telephony_service.html
tftp-server flash:gui/uparrow.gif
tftp-server flash:gui/xml-test.html
tftp-server flash:gui/xml.template
tftp-server flash:apps37sccp.1-2-1-0.bin
tftp-server flash:APPSH-1.3.1.SBN
tftp-server flash:GUIH-1.3.1.SBN
tftp-server flash:CP7925G-1.3.1.LOADS
tftp-server flash:SYSH-1.3.1.SBN
tftp-server flash:TNUXH-1.3.1.SBN
tftp-server flash:WLANH-1.3.1.SBN
tftp-server flash:Analog1.raw
tftp-server flash:Analog2.raw
tftp-server flash:AreYouThere.raw
tftp-server flash:AreYouThereF.raw
tftp-server flash:Bass.raw
tftp-server flash:CallBack.raw
tftp-server flash:Chime.raw
tftp-server flash:Classic1.raw
tftp-server flash:Classic2.raw
tftp-server flash:ClockShop.raw
tftp-server flash:DistinctiveRingList.xml
tftp-server flash:Drums1.raw
tftp-server flash:Drums2.raw
tftp-server flash:FilmScore.raw
tftp-server flash:HarpSynth.raw
tftp-server flash:Jamaica.raw
tftp-server flash:KotoEffect.raw
tftp-server flash:MusicBox.raw
tftp-server flash:Piano1.raw
tftp-server flash:Piano2.raw
tftp-server flash:Pop.raw
tftp-server flash:Pulse1.raw
tftp-server flash:Ring1.raw
tftp-server flash:Ring2.raw
tftp-server flash:Ring3.raw
tftp-server flash:Ring4.raw
tftp-server flash:Ring5.raw
tftp-server flash:Ring6.raw
tftp-server flash:Ring7.raw
tftp-server flash:RingList.xml
tftp-server flash:Sax1.raw
tftp-server flash:Sax2.raw
tftp-server flash:Vibe.raw
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
dial-peer voice 4 voip
description ==INTERNATIONAL CALL TO SIP TRUNK==
translation-profile outgoing PSTN-CALLFORWARDING
destination-pattern 9011T
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
no vad
!
dial-peer voice 5 voip
description ==STAR CODE TO SIP TRUNK==
translation-profile outgoing PSTN-CALLFORWARDING
destination-pattern *..
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
no vad
!
dial-peer voice 1 voip
description ==OUTGOING CALL TO SIP TRUNK==
translation-profile outgoing PSTN-OUTGOING
destination-pattern 9[0-1][2-9]..[2-9]……
translate-outgoing called 3
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs5 signaling
no vad
!
dial-peer voice 2 voip
description ==OUTGOING CALL TO SIP TRUNK=
translation-profile outgoing PSTN-OUTGOING
destination-pattern 9[2-9]..[2-9]……
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
no vad
!
!
num-exp 5551234567 800
sip-ua
! — for authenticating to the SIP server to do initial registration –!
credentials username 5551234567 password 7
realm sip3.voipvoip.com
! — for SIP proxy authentication while making outbound calls –!
authentication username 5551234567 password 7
realm sip3.voipvoip.com
! — optional: to hard code your caller-id when you call outbound –!
calling-info sip-to-pstn number set 5551234567
! — optional: to hard code caller-id received from incoming calls –!
calling-info pstn-to-sip from number set 5551234567
no remote-party-id
retry invite 2
retry register 10
timers connect 100
! — specifying sip registration server here –!
registrar dns:sip3.voipvoip.com expires 3600
! — specifying the actual SIP server you are registering to for calls –!
sip-server dns:sip3.voipvoip.com
notify telephone-event max-duration 500
host-registrar
presence enable
!
!
!
telephony-service
max-ephones 12
max-dn 32
ip source-address 10.1.231.1 port 2000
auto assign 1 to 12
calling-number initiator
timeouts interdigit 5
timeouts ringing 120
load 7921 CP7921G-1.2.1
load 7960-7940 term75.default
time-zone 5
dialplan-pattern 1 62655512.. extension-length 2 no-reg
voicemail 6000
max-conferences 8 gain -6
call-forward system redirecting-expanded
moh music-on-hold.au
multicast moh 239.100.100.5 port 2010
web admin system name admin password <web passwd>
dn-webedit
time-webedit
transfer-system full-consult dss
secondary-dialtone 9
create cnf-files version-stamp 7960 Mar 22 2009 13:17:17
!
!
ephone-template 1
! — option to interrupt someone while they are on a call –!
softkeys remote-in-use CBarge Newcall
softkeys hold Resume Newcall Join
! — digital display buttons on your IP phone — !
softkeys connected TrnsfVM Park Confrn Endcall Trnsfer Hold
max-calls-per-button 3
busy-trigger-per-button 2
!
!
ephone-dn 1
number 801 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 2
number 802 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 3
number 803 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 4
number 804 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 5
number 805 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 6
number 806 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 7
number 807 no-reg primary
allow watch
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 8
number 808 no-reg primary
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 30
number 889 no-reg primary
park-slot timeout 10 limit 5 recall
!
!
ephone-dn 31
number 800 no-reg primary
label 800
name PRIMARY HUNT
call-forward busy 6000
call-forward noan 6000 timeout 18
!
!
ephone-dn 32
number 888 no-reg primary
paging ip 239.255.255.6 port 2009
!
!
ephone 1
device-security-mode none
mac-address 000D.ED6C.43B7
ephone-template 1
paging-dn 32
codec g729r8
type 7960
button 1:1 2:31
!
!
!
ephone 2
device-security-mode none
mac-address 0021.553E.0D65
ephone-template 1
max-calls-per-button 4
paging-dn 32
type 7921
button 1:2 2:31
!
!
!
ephone 3
device-security-mode none
mac-address 0013.C428.640F
ephone-template 1
paging-dn 32
type 7960
button 1:3 2:31
!
!
!
ephone 4
device-security-mode none
mac-address 0021.553E.043E
ephone-template 1
max-calls-per-button 4
paging-dn 32
type 7921
button 1:4 2:31
!
!
!
ephone 5
device-security-mode none
mac-address 0014.F276.4428
ephone-template 1
paging-dn 32
type 7960
button 1:5 2:31
!
!
!
ephone 6
device-security-mode none
mac-address 0013.C427.F8FC
ephone-template 1
paging-dn 32
type 7960
button 1:6 2:31
!
!
!
ephone 7
device-security-mode none
mac-address 0013.C427.F5E0
ephone-template 1
paging-dn 32
type 7960
button 1:7 2:31
!
!
!
ephone 8
device-security-mode none
!
!
!
ephone 9
no phone-ui speeddial-fastdial
no phone-ui snr
no multicast-moh
device-security-mode none
!
!
!
ephone 10
no phone-ui speeddial-fastdial
no phone-ui snr
no multicast-moh
device-security-mode none
!
!
!
ephone 11
no phone-ui speeddial-fastdial
no phone-ui snr
no multicast-moh
device-security-mode none
!
!
!
ephone 12
no phone-ui speeddial-fastdial
no phone-ui snr
no multicast-moh
device-security-mode none
!
!
alias exec siib show ip interface brief
!
line con 0
exec-timeout 120 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 <password here>
logging synchronous
login
!
scheduler allocate 20000 1000
process cpu threshold type total rising 90 interval 10 falling 50 interval 10
end

So I will finish up by explaining what this does. If you call the PSTN incoming phone number (555)123-4567, “num-exp” will convert to digits 800. Then I have a parallel hunt-group configured where 800 will ring all my extensions 801,802,803, etc.  If no one answers in the hunt-group… go to voicemail at ext: 6000.

For outbound, I have “dial-peer voice 1 voip” and “dial-peer voice 2 voip”, this will match #1 when I dial 9,16505551212, I created the #2 for people who come to my house and need to use the phone just in case they forget to push 1+ before area code + phone number. In CA, we have to dial +1+area code+7-digit number at all times now.   So it matches dial-peer voice 1 voip map when I call 9,16505551212 right and then my call gets sent out to the SIP trunk right? Wrong… I need to strip the “9″ digit out of the string otherwise it will be included in my called number. So for that I have “translation-outgoing called 3″ in there to strip out the 9.  I am still working on E911 and stuff so that doesn’t work yet. But what I can do is make outbound calls and send my SIP provider the correct numbers so my call completes successfully!

What I have discovered was that there were 2 different types of translation-rules.
#1 Command: voice translation-rule <#>     is different from
#2 Command: translation-rule <#>

What #1 does is translate your called/calling number when you are going voip-to-analog. #2 translates your voip-to-voip called/calling string!
So you will see in the configuration “translation-profile outgoing PSTN-OUTGOING” which doesn’t really do anything in my situation because I don’t have any analog/digital cards in my router such as an FXO or PRI. But I kept the config line in there some day I decide to get a backup analog line.

There are still some rules and destination-patterns I need to tweak so I will be updating this later. But overall, this configuration works. I am able to make outbound US calls, receive incoming calls… page all the house phones when I dial 888, park my calls at ext: 889, and have voicemail at ext: 6000.

WCCPv2:
————————
1. Supports multiple routers can redirect to clusters and devices, allows for load balancing.
2. Support for non HTTP and HTTPS protocols such as other TCP or UDP packets.
3. Capable of MD5 authentication.
4. Notification capabilities for web cache overloading to the router
5. Load Balancing based on hashing or masking algorithms

The device (eg: WAE or ACNS) needs to have layer 2 adjacency with the 6500 switch in order to take advantage of hardware redirection. If you do not have layer 2 direct adjacency, then most likely you will have to use the GRE tunneling method of WCCP to redirect transparently.

OSPF Packet Types

Step 1: Hello packet received from a neighbor router causes an OSPF interface to be in INIT STATE regardless of other variables at this point. Hello packet contains things like (a) router-id (b) area id (c) AuthType (d) authentication (e)Netmask (f)Hello Int (g)Dead Int (h)DR (i)BDR (g) Neighbor IP
Step 2 (optional):  If its a broadcast/multiaccess environment, the interface will go into TWO-WAY state to see who will be the DR (designated router) and BDR (backup designated router) based on the info provided in the HELLO packet. This can also be triggered by receiving a DBD packet.
Step 3 (optional): EXSTART state on the interface is when its OK to start exchanging topological databases between neighbors after DR/BDR is determined.
Step 4: EXCHANGE state is the actual “exchange” of databases using the database descriptor packet.
Step 5: LOADING state, based on the DBD packets received. Some parts of the database might be out-of-date so then the Router sends link-state requests, updates, and acknowledgements to make sure everything is all synchronized between the two neighbors and databases match up. The meaning is pretty straight forward, request is a request for an LSA-type 1,2,3,4,5, or 7. Update is when the router provides the actual route prefix/mask/area info, and Acknowledgement is when it tells the neighbor “OK I received your packet in good condition”.
Step 6: FULL state, databases are all up to date and synchronized with all the other routers in the area topology, good to go for inserting routes into the forwarding table now!