Interview question: Cisco Voice Engineer: CUCM Database replication value, do you know what you are talking about?

This is a helpful reminder note for all who manage CUCM on a day-to-day basis, and one of the favorite Voice/IPTel Engineer interview questions. I think I was asked this question in almost every voice Engineer role interview. Good luck with your next interview!

Q1. What does the CUCM database replication value mean to you (CM Administrator)?

2 = Good, excellent, no behind pain

Other than 2 = Behind pain begins

Value – Meaning: Description

0 – Initialization State: Replication is in the process of being set up. Being in this state for longer than an hour could indicate a failure in setup.
1 – Number of Replicates not correct: Rarely seen in 6.x and 7.x, but in 5.x it can indicate that setup is still in progress. Being in this state for longer than an hour could indicate a failure in setup.
2 – Replication is good: Logical connections have been established and tables match the other servers in the cluster.
3 – Tables are suspect: Logical connections have been established, but it is unclear whether the tables match. In 6.x and 7.x all servers could show state 3 if one server in the cluster is down, because the other servers are unsure whether there is an update to a user-facing feature that has not been passed from that subscriber to the other devices in the cluster.
4 – Setup Failed / Dropped: The server no longer has an active logical connection to receive database tables across. No replication is occurring in this state.

Source: CCO

Q2. How to check?

Option 1: On the CUCM OS CLI, run the show command

admin:show perf query class "Number of Replicates Created and State of Replication"
==>query class :

– Perf class (Number of Replicates Created and State of Replication) has instances and values:
ReplicateCount -> Number of Replicates Created = 427
ReplicateCount -> Replicate_State = 2 <<< Life is Good

Option 2: On CUCM Unified Reporting 

Cisco Unified Reporting > System Reports > Unified CM Database Status >> Run report



Option 3: Real Time Monitoring Tool (RTMT)

Install RTMT plugin on your desktop. Launch RTMT and then go to “Call Manager > Service > Database Summary”

Q3. How to repair a broken db replication issue?

I have come across a very good blog that shows you how to repair a broken db replication. Click here.





CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 4: Fundamentals of IP Security


Lesson 4: Fundamentals of IP Security
4.1 IPsec Concepts, Components, and Operations
4.2 IKE version 1 Fundamentals
4.3 IKE version 2 Fundamentals


4.1 IPsec Concepts, Components, and Operations

The Internet Key Exchange (IKE) Protocol
– IPsec uses the IKE protocol to negotiate and establish secured site-to-site or remote-access virtual private network (VPN) tunnels.

– IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

– In IKE Phase 1, IPsec peers negotiate and authenticate each other. In Phase 2, they negotiate keying material and algorithms for the encryption of the data being transferred over the IPsec tunnel.

Two versions of IKE:
IKEv1: Defined in RFC 2409
IKEv2: Defined in RFC 4306

IKE Protocol Details:
– IKE v2 enhances the function of performing dynamic key exchange and peer authentication.
– IKE v2 simplifies the key exchange flows and introduces measures to fix vulnerabilities present in IKEv1.
– Both IKEv1 and IKEv2 protocols operate in two phases.
– IKEv2 provides a simpler and more efficient exchange.


4.2 IKE version 1 Fundamentals

IKEv1: Who begins the negotiation?
– The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those policies to see whether any of its own policies match the ones it just received.
– If there is a matching policy, the recipient of the negotiations sends back information about which received policy matches, and they use that matching policy for the IKE Phase 1 tunnel.

IKEv1 Phase 1
As a handy way to recall the five pieces negotiated for the IKE Phase 1 tunnel, remember that the two devices HAGLE over IKE Phase 1:

H: Hash
A: Authentication Method
G: DH group (a stretch, but it works)
L: Lifetime of the IKE Phase 1 tunnel
E: Encryption algorithm to use for the IKE Phase 1 tunnel

The DH (Diffie-Hellman) Exchange
– Now having agreed to the IKEv1 Phase 1 policy of the peer, the two devices run the DH key exchange.
– They use the DH group (DH key size for the exchange) they agreed to during the negotiations, and at the end of this key exchange they both have symmetrical keying material (which is a fancy way of saying they both have the same secret keys that they can use with symmetrical algorithms).
– DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).

Authenticating the peer (last step in IKEv1 Phase 1)
– The last step of IKE Phase 1 is to validate or authenticate the peer on the other side.
– For authentication, they use whatever they agreed to in the initial proposal/policy, and if they successfully authenticate with each other, we now have an IKE Phase 1 tunnel in place between the two VPN gateways.
– The authentication can be done either using a PSK or using RSA digital signatures.
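The HAGLE negotiation and DH exchange described above, modelled in Python as an added example (not code from the course or from Cisco): the responder picks the first offered policy that exactly matches one of its own, then both peers run DH over the agreed group and derive identical keying material. The toy 127-bit group and the HMAC-SHA256 key derivation are assumptions standing in for the real MODP groups and IKE's PRF.

```python
"""IKEv1 Phase 1 as a small model: HAGLE policy matching, then a DH exchange.

Added example, not code from the course notes. The toy DH group (Mersenne
prime 2**127 - 1, generator 2) and the HMAC-SHA256 key derivation are
assumptions for illustration; real IKE uses the MODP groups of RFC 2409 /
RFC 3526 and its own PRF.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed toy group, keyed by the "DH group number" used in a policy.
TOY_GROUPS = {2: (2**127 - 1, 2)}


@dataclass(frozen=True)
class Phase1Policy:
    """The five HAGLE attributes a peer offers for the IKE Phase 1 tunnel."""
    hash_alg: str
    auth_method: str
    dh_group: int
    lifetime: int        # seconds
    encryption: str


def negotiate_phase1(offered, own):
    """Responder side of the negotiation.

    The initiator sends all of its policies; the responder walks them in the
    order received and answers with the first one that exactly matches one of
    its own, or None when nothing matches (no Phase 1 tunnel can be built).
    """
    for proposal in offered:
        if proposal in own:
            return proposal
    return None


class DhPeer:
    """One VPN gateway's side of the DH exchange over the agreed group."""

    def __init__(self, dh_group):
        self.p, self.g = TOY_GROUPS[dh_group]
        self._private = secrets.randbelow(self.p - 2) + 1   # never leaves the device
        self.public = pow(self.g, self._private, self.p)     # sent over the wire

    def shared_secret(self, peer_public):
        # Both sides arrive at g^(a*b) mod p without ever sending a or b.
        return pow(peer_public, self._private, self.p)


def derive_keying_material(shared_secret, nonce_i, nonce_r):
    """Turn the DH result into symmetric keying material for the Phase 1 tunnel.

    HMAC-SHA256 over both peers' nonces stands in for IKE's PRF (assumption).
    """
    secret_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(secret_bytes, nonce_i + nonce_r, hashlib.sha256).digest()


def run_phase1(initiator_policies, responder_policies):
    """Negotiate, run DH over the agreed group, and derive keys on both sides.

    Returns (agreed policy, initiator key, responder key); the two keys must be
    identical for the tunnel to work. Returns (None, None, None) on no match.
    """
    agreed = negotiate_phase1(initiator_policies, responder_policies)
    if agreed is None:
        return None, None, None
    initiator, responder = DhPeer(agreed.dh_group), DhPeer(agreed.dh_group)
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = derive_keying_material(initiator.shared_secret(responder.public), nonce_i, nonce_r)
    key_r = derive_keying_material(responder.shared_secret(initiator.public), nonce_i, nonce_r)
    return agreed, key_i, key_r


# Constructed sample policies. The initiator's first proposal is not acceptable
# to the responder (hash mismatch), so the second one is chosen.
INITIATOR_POLICIES = [
    Phase1Policy("sha1", "pre-share", 2, 86400, "aes-256"),
    Phase1Policy("sha1", "pre-share", 2, 86400, "3des"),
]
RESPONDER_POLICIES = [
    Phase1Policy("md5", "pre-share", 2, 86400, "aes-256"),
    Phase1Policy("sha1", "pre-share", 2, 86400, "3des"),
]

if __name__ == "__main__":
    policy, k_i, k_r = run_phase1(INITIATOR_POLICIES, RESPONDER_POLICIES)
    print("agreed policy:", policy)
    print("both sides derived the same keying material:", k_i == k_r)
```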


Phase 2:
– The next step is to complete the IKEv1 Phase 2 negotiation.
– The entire conversation and negotiation of the IKEv1 Phase 2 tunnel is done completely in private, because the IKEv1 Phase 1 tunnel protects the negotiated traffic.
– The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
– The mode used to build the IKE Phase 2 tunnel is called "Quick Mode".

4.3 IKE version 2 Fundamentals

What’s different in IKEv2?

* IKEv2 does not consume as much bandwidth as IKEv1.
* IKEv2 supports EAP authentication while IKEv1 doesn’t.
* IKEv2 supports the Mobility and Multi-homing (MOBIKE) protocol while IKEv1 doesn’t.
* IKEv2 has built-in NAT traversal while IKEv1 doesn’t.

Notes on NAT traversal:
* IPsec data traffic uses IP protocol 50 (ESP) or 51 (AH).
* When NAT traversal is needed, the traffic is carried over UDP port 4500.

IKEv2 Phase 2
* Phase 2 in IKEv2 is CHILD_SA (Child Security Association)
* The first CHILD_SA is the IKE_AUTH message pair.
* This phase is comparable to IKEv1 Phase 2.
* Additional CHILD_SA message pairs can be sent for rekey and informational messages.
* The CHILD_SA attributes are defined in the Data Policy.



CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 3: Fundamentals of VPN Technology and Cryptography

Lesson 3: Fundamentals of VPN Technology and Cryptography
3.1 Understanding VPNs and Why We Use Them
3.2 Cryptography Basic Components
3.3 Public Key Infrastructure
3.4 Putting the Pieces of PKI to Work

3.1 Understanding VPNs and Why We Use Them

What is a Virtual Private Network (VPN)?
“A virtual private network that allows connectivity between two or more devices.”

Those two devices could be computers on the same local-area network or could be connected over a wide-area network.

Two major types of VPNS:
1. Remote access: uses an SSL or IPsec VPN tunnel, terminated at either an IOS router or an ASA, so that a user anywhere on the Internet can access the corporate network as if directly connected to it.
2. Site-to-site: between two routers across a WAN, which terminate an IPsec tunnel so that devices at site A can access resources at site B and vice versa.

Examples of VPN Technologies
1. IPsec
2. SSL

The main benefits of using either remote-access or site-to-site VPNs include the following:
– Confidentiality: only the intended parties can understand the data that is sent. Any party that eavesdrops may see the actual packets, but the contents of the packet (the payload) are encrypted (also called cipher text).
– Data integrity: ensuring that the data is accurate from end to end.
– Authentication: peer authentication can be done in many ways, e.g. pre-shared keys, public and private key pairs, certificates, and user authentication in remote-access VPNs.
– Antireplay protection: once a VPN packet has been sent and accounted for, that exact same VPN packet is not valid a second time in the VPN session.

3.2 Cryptography Basic Components

A Cipher is a set of rules, which can also be called an algorithm, about how to perform encryption or decryption.
Common methods that ciphers use
Substitution: substitutes one character for another. For example, substituting each letter from the alphabet with the previous letter of the alphabet.

Polyalphabetic: similar to substitution, but instead of using a single alphabet, it could use multiple alphabets and switch between them by some trigger character in the encoded message.

Transposition: uses many different options, including the rearrangement of letters.



– A one-time pad (OTP) is a good example of a key that is only used once.
– Using this method, to encrypt a 32-bit message, a 32-bit key is also used. This is also called the pad, which is used one time only.
– Each bit from the pad is mathematically computed with a corresponding bit from our message, and the results are our cipher text, or encrypted content.
– The pad must also be known by the receiver if he wants to decrypt the message.

Note: Another use of the acronym OTP is for a user’s one-time password, which is a different topic than the OTP (one-time pad).
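The 32-bit pad described above, as an added example that is not part of the notes: XOR encryption and decryption with a 4-byte pad, plus a function showing what an eavesdropper recovers if the same pad is reused, which is why the pad is used one time only. The message and pad values are constructed.

```python
"""One-time pad over a 32-bit message (added example, not course code).

Each pad bit is XORed with the corresponding message bit; the last function
shows why the pad must be used only once."""
import secrets


def new_pad(n_bytes=4):
    """A fresh random pad; 4 bytes gives the 32-bit pad the notes describe."""
    return secrets.token_bytes(n_bytes)


def otp_encrypt(message, pad):
    """XOR every message bit with the corresponding pad bit."""
    if len(message) != len(pad):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


# XOR is its own inverse, so the receiver decrypts with the same pad.
otp_decrypt = otp_encrypt


def pad_reuse_leak(ciphertext1, ciphertext2):
    """What an eavesdropper learns if two messages were sent under the same pad.

    XORing the two ciphertexts cancels the pad: the result is msg1 XOR msg2,
    which reveals exactly where (and how) the two plaintexts differ, with no
    key needed. Bytes that are equal in both messages come out as 0x00.
    """
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    pad = new_pad()                                   # 32-bit pad
    ct = otp_encrypt(b"PAY1", pad)                    # constructed 32-bit message
    print("round trip ok:", otp_decrypt(ct, pad) == b"PAY1")
    print("leak from reuse:", pad_reuse_leak(ct, otp_encrypt(b"PAY9", pad)).hex())
```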
A block cipher is a symmetric key cipher (same key to encrypt and decrypt) that operates on a group of bits called a block.

– Advanced Encryption Standard (AES)
– Digital Encryption Standard (DES)
– Triple Digital Encryption Standard (3DES)
– Blowfish
– International Data Encryption Algorithm (IDEA)

A stream cipher is a symmetric key cipher (same key to encrypt as to decrypt), where the plain-text data is encrypted one bit at a time against the bits of the key stream, also called a cipher digit stream.

Symmetric vs Asymmetric Encryption Algorithms:

Symmetric Encryption Algorithms
– a.k.a. a symmetric cipher, uses the same key to encrypt the data and decrypt the data.
– Two devices connected via a VPN, both need the key or keys to successfully encrypt and decrypt the data that is protected using a symmetric encryption algorithm.

– 3DES
– RC2, RC4, RC5, RC6
– Blowfish

Symmetric encryption algorithms are used for most of the data that we protect in VPNs today.

Asymmetric Encryption Algorithms
An example of an asymmetric algorithm is a public key algorithm. Instead of using the same key for encrypting and decrypting, we use two different keys that mathematically work together as a pair. These are called the public and private keys. Together they make a key pair.

– RSA – named after "Rivest, Shamir and Adleman" (inventors)
– Diffie-Hellman (DH)
– ElGamal – based on the DH exchange
– Digital Signature Algorithm (DSA) – created by the NSA
– Elliptic Curve Cryptography (ECC)

Hashing is a method used to verify data integrity.

4 most popular types of hashes:
1. Message digest 5 (MD5): This creates a 128-bit digest.
2. Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.
3. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
4. Secure Hash Algorithm 3 (SHA-3): Options include a digest between 224 bits and 512 bits.

Hashed Message Authentication Code (HMAC)
– Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
– Then only the other party who also knows the secret key can calculate the resulting hash that can correctly verify the hash.
– An attacker who is eavesdropping and intercepting packets cannot inject or remove data because he does not have the key or keys used for the calculation.
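An added example (not course code) for the HMAC point above: the same in-transit modification is checked under a plain SHA-256 digest and under HMAC-SHA256, and the digest sizes of the hash families listed above are read from hashlib. The payload, key and modification are constructed.

```python
"""Plain hash versus HMAC for integrity (added example, not course code).

A constructed message is modified in transit. The plain digest can be
recomputed by whoever changed the data; the HMAC cannot be recomputed
without the shared secret key, so the modification is detected."""
import hashlib
import hmac
import secrets


def digest_sizes_bits():
    """Digest lengths (bits) of the hash families listed in the notes."""
    algs = ["md5", "sha1", "sha224", "sha512", "sha3_224", "sha3_512"]
    return {name: hashlib.new(name).digest_size * 8 for name in algs}


def plain_digest(data):
    """A hash anyone can calculate: no key involved."""
    return hashlib.sha256(data).digest()


def keyed_digest(key, data):
    """HMAC-SHA256: only holders of the secret key can calculate it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(expected_tag, received_tag):
    """Constant-time comparison so tag checks do not leak timing information."""
    return hmac.compare_digest(expected_tag, received_tag)


def on_path_modification(data):
    """Constructed eavesdropper edit of the payload while it is in transit."""
    return data.replace(b"amount=100", b"amount=900")


def integrity_check_outcomes(key, message):
    """Run one message through both schemes with the same in-transit edit.

    Returns a tuple of three booleans: does the receiver accept the modified
    payload under (1) a plain hash, (2) HMAC with the original tag forwarded,
    (3) HMAC with an attacker-recomputed plain hash forwarded as the tag.
    """
    modified = on_path_modification(message)

    # Scheme 1: sender appends a plain SHA-256. The attacker edits the payload
    # and simply recomputes the digest, so the receiver accepts it.
    forged_tag = plain_digest(modified)
    plain_accepted = verify(plain_digest(modified), forged_tag)

    # Scheme 2: sender appends an HMAC. Without the key the attacker can only
    # forward the old tag or a plain hash; the receiver rejects both.
    original_tag = keyed_digest(key, message)
    hmac_old_tag_accepted = verify(keyed_digest(key, modified), original_tag)
    hmac_forged_accepted = verify(keyed_digest(key, modified), plain_digest(modified))
    return plain_accepted, hmac_old_tag_accepted, hmac_forged_accepted


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # known to the two peers only
    msg = b"transfer;amount=100;to=acct-42"       # constructed sample payload
    print(digest_sizes_bits())
    print(integrity_check_outcomes(shared_key, msg))   # (True, False, False)
```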
When you sign something, it often represents a commitment to follow through, or at least prove that you are who you say you are. In cryptography a digital signature provides three core benefits:

1. Authentication
2. Data Integrity
3. Nonrepudiation
Key management deals with:
– Generating keys
– Verifying keys
– Exchanging keys
– Storing keys
– Destroying keys at the end of their lifetime

3.3 Public Key Infrastructure

PKI and Public and Private Keys
A key pair is a set of two keys (a private and a public key) that work in combination with each other as a team.
The public key may be shared with everyone, but the private key is not shared with anyone.
Certificate Authorities
A certificate authority (CA) is a system that creates and issues digital certificates.

Inside of a digital certificate is information about the identity of a device, such as:
– its IP Address
– Fully Qualified Domain Name (FQDN)
– The public key of that device

Root and Identity Certificates
A digital certificate can be thought of as an electronic document that identifies a device or person.
– A root certificate contains the public key of the CA server and the other details about the CA server.
– An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).


3.4 Putting the Pieces of PKI to Work

1. Authenticate the CA server by downloading the "Root Cert" from the CA server to the client.
2. The client can then request its own identity certificate, with the CA server generating the public and private key pair. The ID certificate can be for a device or a person; the client can be a PC, firewall or router.

Simple Certificate Enrollment Protocol (SCEP) is used to generate the ID certificate. SCEP is the most popular certificate enrollment method.

Certificate Revocation:
Certificate Revocation List (CRL): a list of certificates that should no longer be trusted.
Online Certificate Status Protocol (OCSP): a newer certificate revocation check method. A certificate's status is either Revoked (irreversible) or Hold (temporary).



CCNA Security 210-260: Module 1: Fundamentals of Network Security, Lesson 2: Common Security Threats

Source: Safaribooksonline training

Lesson 2: Common Security Threats
2.1 Network Security Threat Landscape
2.2 Distributed Denial of Service (DDoS) Attacks
2.3 Social Engineering Methods
2.4 Man-in-the-middle Attacks
2.5 Malware Identification Tools
2.6 Data Loss and Exfiltration Methods


Explores different types of threats discussed in CCNA Security.

2.1 Network Security Threat Landscape

Facts learnt in Lesson 1:
“Over 75% of attackers start extracting data within minutes”
“Over 50% of attacks are left undetected for months, if at all”

Current threat landscape
– Custom malware is being created and deployed at the victim’s side
– Multiple bad actors are present simultaneously
– Attacked infrastructure is a platform for the next attack
– Many are blind to network malfeasance
– Some are conceding loss of control
– Denial of Service can be a precursor to damage
– Undetected communication to embargoed countries

Motivations behind threat actors
– Financial
– Disruption – several reasons:
– To protest the actions, decisions, or behaviors of a given organization
– To serve as a distraction while the malicious actors plant something within the network to be leveraged at a future point in time
– To gain media attention

– Geopolitical – nation states (Referred to as “The cyber war”)

2.2 Distributed Denial of Service (DDoS) Attacks

A DDoS attack is one where the attack source is more than one host, often thousands of IP addresses and hosts.
E.g. an attack on a web site: the main intent of a DDoS attack is to consume all the network resources in order to deny service to the site's legitimate users.

3 General Categories of DDoS attacks

Direct: The source of the attack generates the packets, regardless of protocol or application, and sends them directly to the victim (as explained in the example above).

Reflected: The sources of the attack are sent spoofed packets that appear to be from the victim, and the sources then become unwitting participants by sending the response traffic back to the intended victim. UDP is often used as the transport mechanism because it is more easily spoofed due to the lack of a three-way handshake. Example: NTP

Amplification: A form of reflected attack in which the response traffic (sent by the unwitting participants) is made up of packets that are much larger than those initially sent by the attacker (spoofing the victim). Example: DNS amplification attacks

2.3 Social Engineering Methods

What is Social Engineering?
– Bad actors use social engineering by relying on the human element to steal information and/or create holes in the victim’s organization
– Social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources.
Not a technical attack but attacking human weakness.

Social Engineering Tactics
Phishing: elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.
Malvertising: malicious ads on trusted websites, which result in users' browsers being inadvertently redirected to sites hosting malware.
Phone scams: it is not uncommon for someone to call up an employee and attempt to convince them to divulge information about themselves or others within the organization. An example is a miscreant posing as a recruiter asking for names, e-mail addresses, and so on for members of the organization and then using that information to start building a database to leverage for a future attack, reconnaissance mission, and so forth. Another example is a job interview.

Defenses against Social Engineering
Security policies and procedures take the guesswork out of operations and help employees make the right security decisions.

* Education: a huge part of defending against social engineering. SE is not a technical attack; it targets human behavior.
* Password management: use complex passwords and password guidelines.
* Two-factor authentication
* Antivirus/antiphishing defenses
* Change management
* Information classification: refer to the Lesson 1 discussion.
* Physical security

2.4 Man-in-the-middle Attacks

A man-in-the-middle attack results when attackers place themselves in line between two devices or people that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.

2.5 Malware Identification Tools

Packet captures – collect, store and analyse traffic traversing the network.
NetFlow – does not provide the same level of detail as a packet capture, but is a great tool for malware identification, extracting information to trace traffic back to its source.
Cisco Advanced Malware Protection (AMP) – provides visibility and control to protect against highly sophisticated attacks such as zero-day and persistent advanced malware threats in the network.
Cisco Firepower Next-generation Intrusion Prevention System (NGIPS) – provides multi-layer advanced protection that can help identify and mitigate malware attacks in the network.


2.6 Data Loss and Exfiltration Methods

Data Loss and Exfiltration

There are several types of data that are particularly attractive to the miscreants:
– Intellectual Property (IP)
– Personally Identifiable Information (PII)
– Credit/debit cards

Examples of Data Loss and Exfiltration techniques:
– HTTP(s) tunneling
– DNS tunneling



CCNA Security 210-260: Module 1: Fundamentals of Network Security, Lesson 1: Networking Security Concepts and Common Principles

Source: CCNA Security 210-260

Lesson 1: Networking Security Concepts and Common Principles
1.1 Understanding Network and Information Security Basics
1.2 Confidentiality, Integrity, and Availability
1.3 Classifying Assets
1.4 Types of Security Vulnerabilities
1.5 Classifying Countermeasures
1.6 Attack Methods & Vectors
1.7 Applying Fundamental Security Principles To Network Design
1.8 Understanding the Security Attack Surface in Different Network Topologies


1.1 Understanding Network and Information Security Basics
– Attacks are more targeted and sophisticated
– Custom malware created even at the victim’s site
– More organized attack campaigns

Every organization, individual or system is a target, regardless of size, country or who they are.
You are a target; attackers are always trying to steal:
– Intellectual Property
– Personal Information
– Distributed Development (source code)

Recent evolution of threats:
– Custom malware is being deployed
– Multiple bad actors are present simultaneously
– Attacked infrastructure is a platform for the next attack
– Many are blind to network malfeasance
– Some are conceding loss of control
– Denial of Service can be a precursor to damage
– Undetected communication to embargoed countries

Today’s reality:
– Over 75% of attacks start extracting data within minutes.
– Over 50% of attacks are left undetected for months, if at all
– Detection and response capabilities must change
Security professionals must understand what they are trying to protect… and from WHOM.
We need to think like the threat actors and bad guys, and try to understand all the threats happening nowadays.

The industrialization of hacking: cybercrime as a business. Often the criminals know more about your network than you do.
Threats grow more sophisticated every day.
1990 – 2000 Viruses
1997 – Phishing, low sophistication,
2000 – 2005 Worms
2005 – Hacking becomes an Industry
2005 – today: Spyware and rootkits
2015 – APTs, cyber warfare
2016 – Sophisticated attacks, attack as service
2020 – ???

“Criminals know more about your network than you do”
Initial malware may remain dormant for months to learn the network and its vulnerabilities; custom malware is then developed to attack after learning your vulnerabilities.

Typical stages of a data breach:


What is a vulnerability?
A vulnerability is an exploitable weakness in a system or its design. Vulnerabilities can be found in protocols, operating systems, applications, and system designs.

What is a threat?
A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited or, more importantly, is not yet publicly known, the threat is not yet realized.
If someone is actively launching an attack against your system and successfully accesses something or compromises your security against an asset, the threat is realized.

What is a countermeasure?
A countermeasure is a safeguard that somehow mitigates a potential risk. It does so either by reducing or eliminating the vulnerability, or at least by reducing the likelihood that the threat agent will actually exploit the risk.


1.2 Confidentiality, Integrity, and Availability

CIA concept:


Confidentiality means that only the authorized individuals/systems can view sensitive or classified information. This also implies that unauthorized individuals should not have any type of access to the data.

Integrity applies to systems and data. For data, it means that changes to the data are made only by authorized individuals/systems. Corruption of data is a failure to maintain data integrity.

Availability also applies to systems and to data. If the network or its data is not available to authorized users the impact may be significant to organizations and users who rely on that network as a business tool. The failure of a system, to include data, applications, devices, and networks, generally equates to loss of revenue.


1.3 Classifying Assets

What is an Asset?

An asset is an item that is to be protected and can include property, people and information/data that have value to the company.

This includes intangible items such as proprietary information or trade secrets and the reputation of the company.

The data could include company records, client information, proprietary software, and so on.

Asset classifications:

Governmental classifications:
* Unclassified
* Sensitive but unclassified (SBU)
* Confidential
* Secret
* Top secret

Private sector classifications:
* Public
* Sensitive
* Private
* Confidential

Classification criteria:
* Value
* Age
* Replacement cost
* Useful lifetime

Classification roles:
* Owner (the group ultimately responsible for the data, usually senior management of a company)
* Custodian (the group responsible for implementing the policy as dictated by the owner)
* User (those who access the data and abide by the rules of acceptable use for the data)

1.4 Types of Security Vulnerabilities

Understanding the weaknesses and vulnerabilities in a system or network is a huge step toward correcting the vulnerability or putting in appropriate countermeasures to mitigate threats against those vulnerabilities.

Different types of security vulnerabilities

  • Policy flaws
  • Design errors
  • Protocol weaknesses
  • Misconfiguration
  • Software vulnerabilities
  • Human factors (weakest link, social engineering)
  • Malicious software
  • Hardware vulnerabilities
  • Physical access to network resources


Buffer overflows

  • Buffer
    • Data Container
  • Buffer overflow:
    • Stuffing too much data into a data container
    • Data written beyond the container overwrites other data and/or control information


Instruction Pointer (EIP)

  • Holds address of next instruction to execute
  • Is impacted by jumps, branches and returns
  • Is only valid if pointing to an executable memory region


What is the stack?

  • Holds all local variables and parameters used by any function
  • Remembers the order in which functions are called so the function returns correctly
  • When a function is called, local variables and parameters are “pushed” onto the stack
  • When the function returns, these locals and parameters are “popped” off of the stack


What does main’s frame look like on the stack?

What happens when we put more than 512 bytes in mybuffer[]?

What does main’s frame look like on the stack? We overwrite saved EBP, EIP, and more.


Target: EIP

Goal: Control execution flow

  • locate saved EIP
  • place a favorable address in the saved EIP
  • Don’t crash


Cross Site Scripting (XSS)

  • XSS is the ability to execute Javascript code within the Browser’s Document Object Model (DOM)
    • In non-web-tech-speak: Run scripts in the user’s context
    • The web application does not “taint” the data before it is stored and/or reflected back to the end user
  • Stored XSS:
    • Web application stores the attack in the database for later display
    • Common to attack multiple users on forums, etc
  • Reflected XSS:
    • Immediately attack the user based on input
    • Typically performed with social engineering when an XSS vulnerability is discovered on a trusted website

What is the threat from XSS?

  • Cookie stealing
  • Browser control
  • Forced actions (CSRF)
  • Enhanced social engineering


XSS “Cousin”: CSRF

  • Cross site request forgery
  • Exploits the trust a site has in a user's browser
    • Typically uses social engineering or XSS to lure a user
  • Some mitigation:
    • Don't allow "blind submissions" — use a secret token
    • Check the Referer header



SQL Injection

  • Dynamic web applications require database back ends
  • Developers don’t always sanitize user input before using it in SQL Queries


Additional Vulnerability categories


1.5 Classifying Countermeasures

Classifying controls & countermeasures


Administrative Controls

  • These consist of written policies, procedures, guidelines and standards
    • Examples:
      • written acceptable use policy (AUP)
      • change control process that needs to be followed when making changes to the network
  • Administrative controls could involve items such as background checks for users


Physical Controls

Physical security for the network servers, equipment, and infrastructure.


  • Door locks, gates, badge access
  • Cameras
  • a redundant system like an uninterruptible power supply


Logical Controls

  • These consist of passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on.
  • Logical controls are often referred to as technical controls.


1.6 Attack Methods & Vectors

Attack methods

Most attackers do not want to be discovered and so they use a variety of techniques to remain in the shadows when attempting to compromise a network.

Attack methods: Reconnaissance

Used to find information about the network and the victim: Passive or Active

  • Passive: Studying user behaviors, social media etc.
  • Active: scans of the network to find out which IP addresses respond, and further scans to see which ports are open and what vulnerabilities are present.

This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Attack methods: Social Engineering

  • Targets the weakest link: the user.
  • If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance.


  • Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
  • Pharming is used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Attack methods: Privilege Escalation

The process of taking some level of access (whether authorized or not) and achieving an even greater level of access.

Example: an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Attack methods: Backdoors

An application can be installed to either allow future access or to collect information to use in further attacks.

Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Attack methods: Remote code execution

  • One of the most devastating actions available to an attacker is the ability to execute code within a device.
  • Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.

Attack methods: Man-in-the-Middle Attacks

  • A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.
  • This can happen at Layer 2 or Layer 3.
  • The main purpose is eavesdropping, so the attacker can see all the traffic.

Attack methods: Denial-of-service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

  • When numerous (hundreds or thousands of) systems send traffic to a victim, producing a denial-of-service condition in which genuine users cannot access the site and are unable to use the service. Covered in depth in Lesson 2.

Attack methods: Botnet & Command & Control (CnC)

  • A botnet is a group of private computers that are infected by malware and controlled by an attacker to perform malicious activities, such as sending spam or carrying out denial-of-service attacks from those private computers.
  • Bots are controlled by a CnC (Command & Control) server. Historically CnC was operated over IRC (Internet Relay Chat); in recent times CnC can be done through TLS/SSH/IPsec tunnels, and Twitter has also been used as a CnC channel. Infected machines are controlled by the bad actors to carry out specific attacks, such as sending spam or stealing information from victims.


1.7 Applying Fundamental Security Principles To Network Design

Examples of guidelines for secure network architecture:

  • Principle of least privilege – give a user or a system just enough privilege to carry out its tasks, and no more
  • Defense in depth – a layered approach to applying security controls within an organization, so that no single control is relied on
  • Separation of duties – requiring more than one person to complete a sensitive task, to prevent fraud, malicious activity or errors


Improving Security Posture:



1.8 Understanding the Security Attack Surface in Different Network Typologies

  • We need to understand the security attack surface in different network topologies and environments, including BYOD (Bring Your Own Device), firewalls, Mobile Device Management (MDM), intrusion detection systems (IDS) and other devices within the security network environment. The different technologies are covered in detail in later chapters.
  • DC environment – it is also important to understand the different types of threats in data centers. For example, North-South traffic is the traffic carried between the data center and other parts of the network, while East-West traffic is lateral movement within the data center. Whenever there is a security compromise, it is important to know how traffic flows, as traffic from the compromised machine often traverses both North-South and East-West.




CIPT2: 300-075 Taming the beast and my study note

Wow, what an experience it was, trying to pass the Cisco CIPT2 300-075 exam during the last 5 weeks. So much was on the line, as if I did not pass this exam by the 17th of June, 2016, all my CCNP R&S and CCNP Voice certifications would expire, so I would be facing 7 exams to re-certify as CCNP in both technologies. Unfortunately, I had to tackle it 3 times to pass this exam, and got lucky on the 3rd attempt. My first attempt was a lame attempt as I failed by 7 questions; the second attempt was a little bit more decent, failing by a SINGLE question. The passing mark for the CIPT2 300-075 exam is 860/1000, which makes one question valued somewhere between 13 pts to 17 pts depending on the weight of the question Cisco is throwing at you. But today, I passed the exam, and what a roller coaster ride this exam was; I passed with the exact passing score! Finally, lady luck is on my side. After two failures trying to tame the beast, I studied so many hours trying to understand the VCS components and finally got a full grasp of the concept and basic configuration. Over a 3-day long weekend, I cranked out 30 hours of study time for VCS C and E studies (no pain, no gain! I am thankful that I failed the second time by one question; I was forced to try my best). Oh, what a feeling!


I want to share some of my study notes with you so you don't have to do it the hard way like me, but I urge you to spend some time reading Cisco documentation, watching videos from CiscoLive and reading the official study books front-to-end before jumping into full study drive mode. I hope my notes will help someone on their way to becoming a CCNP-Collaboration. My notes are based on Cisco documents but also come from the live environment and my experience, so they might not be 100%, but if you disagree with me on those questions, then show me your proof that you are right and I am wrong, with live Cisco documentation referencing the page and line number. As always, if you cannot avoid it, try to face it with dignity or try to enjoy it!!! I would choose the latter…. 🙂



1. Regional configuration of Cisco VoIP environment
Note: Cisco best practice is to use G.729 (about 24 kbps per call including IP/UDP/RTP overhead) between regions to conserve WAN bandwidth. A hardware MTP only supports G.711 a-law and G.711 u-law, so regions that use multiple codecs need transcoders, NOT hardware MTPs.
2. While using Query wizard to configure the trace and log central feature to collect install logs.
“The time zone of the client machine provides the default setting for the Select Reference Server Time Zone field. All the standard time zones, along with a separate set of entries for all time zones that have Daylight Saving settings, display in the Select Time Zone drop-down list box.”
“Trace and Log Central downloads the file with a time range that is based on your Selected Reference Server Time Zone field. If you have servers in a cluster in a different time zone, TLC will adjust for the time change and get files for the same period of time. For example, if you specify files from 9:00 AM to 10:00 AM and you have a second server (server x) that is in a time zone that is one hour ahead, TLC will download files from 10:00 AM to 11:00 AM from server x.”
3. Standardization of caller addresses between H.323 and SIP endpoints. 800eadee.html (Page 17)
“The pre-search transform configuration described in this document is used to standardize destination aliases originating from both H.323 and SIP devices. ”
“The following transform modifies the destination alias of all call attempts made to destination aliases which do not contain an ‘@’. The old destination alias has appended to it. This has the effect of standardizing all called destination aliases into a SIP URI format.”
From VCS and CUCM Deployment guide:
“Thus, a transform is needed to ensure that the dialed number is transformed into a consistent form, in this case to add the domain (vcs.domain) if required.”
4. CUCM Extension Mobility characteristics

“Able to adopt a user profile even when no user is logged in”
“Almost same attributes as a physical device”
5. Globalized dial plan: three ways to enable ingress gateways to globalize incoming calls.

Configure the called-party transformation settings for incoming calls on H.323 gateways.
Configure translation patterns in the partitions used by the gateway calling search space
Configure the gateway with prefix digits to add necessary country and region codes.
“Localized Call Ingress on Gateways
The called and calling numbers delivered into the Unified Communications system by external networks (for example, the PSTN) are typically localized. The form of the numbers may vary, depending on the service provider’s configuration of the trunk. As a gateway is connected to a PSTN trunk, the system administrator must work with the PSTN service provider to determine the applicable signaling rules to be used for this specific trunk. As calls are delivered into the system from the trunk, some of the information about the calling and called numbers will be provided explicitly and some of it will be implied. Using this information, the system must derive the calls’ globalized calling and called party numbers.
The globalization of the called party number can be implemented through one of the following methods:
In the gateway configuration, configure Call Routing Information > Inbound Calls, where the quantity of significant digits to be retained from the original called number and the prefix digits to be added to the resulting string are used to globalize the called number. The prefix digits should be used to add the applicable + sign and country, region, and city codes.
Place translation patterns in partitions referenced by the gateway’s calling search space. The translation patterns should be configured to match the called party number form used by the trunks connected to the gateway, and should translate it into the global form. The prefix digits should be used to add the applicable + sign and country, region, and city codes.
Use the incoming call’s called party transformation settings available on the gateway and on the gateway’s device pool. There you can define strip and prefix digit instructions or alternatively configure a called party transformation calling search space per numbering type.
The globalization of the calling party number should be implemented by using the Incoming Calling Party Settings configured either on the gateway directly or in the device pool controlling the gateway.”
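The three methods above are three configuration places for one rule: derive a +E.164 global number from the form the trunk delivers plus the numbering facts agreed with the provider. Here is that rule as a worked Python example. It is an added example written for this note, not Cisco code or configuration; the trunk values (a NANP trunk in area code 408), the numbering-type names and the sample numbers are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrunkProfile:
    """Numbering facts agreed with the PSTN provider for one trunk.
    The values used below (a NANP trunk in area code 408) are assumptions."""
    country_code: str
    area_code: str
    international_prefix: str = "011"   # NANP international access code
    national_prefix: str = "1"          # NANP trunk prefix for national calls


def _digits(number: str) -> str:
    """Keep digits only, so a leading '+' or separators do not break matching."""
    return "".join(ch for ch in number if ch.isdigit())


def globalize_by_numbering_type(number: str, number_type: str, trunk: TrunkProfile) -> str:
    """Method 3 on the page: per-numbering-type strip/prefix, driven by the
    ISDN type-of-number the trunk signals (subscriber, national, international)."""
    digits = _digits(number)
    if number_type == "international":
        return "+" + digits
    if number_type == "national":
        return "+" + trunk.country_code + digits
    if number_type == "subscriber":
        return "+" + trunk.country_code + trunk.area_code + digits
    raise ValueError(f"unknown numbering type {number_type!r}")


def globalize_by_pattern(number: str, trunk: TrunkProfile) -> str:
    """Method 2 on the page: translation patterns matched against the dialed
    form when the trunk signals type 'unknown'. Longest/most specific first,
    the same order CUCM uses for closest-match routing."""
    digits = _digits(number)
    if digits.startswith(trunk.international_prefix):
        return "+" + digits[len(trunk.international_prefix):]
    if digits.startswith(trunk.national_prefix) and len(digits) == 11:
        return "+" + trunk.country_code + digits[len(trunk.national_prefix):]
    if len(digits) == 10:
        return "+" + trunk.country_code + digits
    if len(digits) == 7:
        return "+" + trunk.country_code + trunk.area_code + digits
    raise ValueError(f"no translation pattern matches {number!r}")


def globalize_by_significant_digits(number: str, significant: int, prefix: str) -> str:
    """Method 1 on the page: gateway Inbound Calls settings, keep the last N
    significant digits of the called number and prepend a fixed prefix
    (typical for a DID range delivered as 4 digits)."""
    digits = _digits(number)
    return prefix + digits[-significant:]


if __name__ == "__main__":
    trunk = TrunkProfile(country_code="1", area_code="408")
    for n, t in [("5551234", "subscriber"), ("4085551234", "national"), ("442071234567", "international")]:
        print(n, t, "->", globalize_by_numbering_type(n, t, trunk))
    for n in ["011442071234567", "14085551234", "4085551234", "5551234"]:
        print(n, "unknown ->", globalize_by_pattern(n, trunk))
    print("DID 1234 ->", globalize_by_significant_digits("1234", 4, "+1408555"))
```

Whichever method you pick in CUCM, the check is the same: feed every number form the provider can deliver (7, 10, 11 digits, 011-prefixed, with and without a signaled type) and confirm each one lands on the same +E.164 result, because a form that falls through unmatched is routed literally and usually fails or misroutes.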
6. 2 types of devices are affected when an engineer changes the DSCP for Video Calls service parameter
Read “Set DSCP Values”.
7. Cisco VCS uses 3 Presence status of endpoints for monitoring status_endpoints_kb_186.html
8. Three steps to configure Cisco Unified SRST for SIP phones

1. Configure an SRST reference (in CUCM)
2. Configure the SIP registrar (on the gateway)
3. Configure the voice register pools (on the gateway)

Gateway configuration. The IP addresses did not survive on this page, so <network>, <mask> and <srst-gateway-ip> below are placeholders. Note that registrar server belongs under the sip sub-mode of voice service voip:

voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 sip
  registrar server expires max 600 min 60
!
voice register pool 10
 id network <network> mask <mask>
 dtmf-relay rtp-nte cisco-rtp sip-notify
 codec g711ulaw
 no vad
!
voice register pool 11
 id network <network> mask <mask>
 dtmf-relay rtp-nte cisco-rtp sip-notify
 codec g711ulaw
 no vad

registrar ipv4:<srst-gateway-ip> expires 600

(<srst-gateway-ip> is the SRST gateway IP address.)

Don't forget the SRST reference configuration for the gateway in UCM:

SIP Network/IP Address: <srst-gateway-ip>

SIP Port: 5060
9. Device Mobility – overlapping parameters for roaming
Network Locale

“The overlapping parameters for roaming-sensitive settings are Media Resource Group List, Location, and Network Locale. The overlapping parameters for the Device Mobility-related settings are Calling Search Space (called Device Mobility Calling Search Space at the device pool), AAR Group, and AAR Calling Search Space. Overlapping parameters configured at the phone have higher priority than settings at the home device pool and lower priority than settings at the roaming device pool.”
10. VCS Control routing configuration: user dials brchoi and the call gets routed to
search rule 800eadee.html (Page 17)
The pre-search transform quoted under item 3 applies here: any destination alias without an '@' gets the domain appended, so the dialed alias is standardized into SIP URI form before the search rules are evaluated.
11. Configure VG310/VG350 and enable the call pickup feature
SCCP gateway
Verify this on a running CUCM: when the VG350 is configured in CUCM as an SCCP gateway, its analog endpoints can then be configured for call pickup.
12. Intracluster URI dialing configuration

URI Dialing within the same cluster, follow these steps:
Step 1: Configure the URIs to the users
Step 2: Associate the directory URIs to directory numbers
Step 3: Assign the default directory URI (Configure the directory URI partition and calling search space)
Step 4: Configure the SIP profile in your network. (Configure a setting for the Dial String Interpretation drop-down list box and apply the setting for all the SIP profiles in your network. Check the Use Fully Qualified Domain Name in SIP Requests check box for all the SIP profiles in your network.)
13. Enabling video desktop sharing between CUCM video endpoint and Cisco VCS video endpoint.
BRKCOL-2540 – Video call control and management migration to CUCM (2015 Cancun) – 90 Mins

Table 76-1 SIP Profile Configuration Settings
Allow Presentation Sharing using BFCP
If the box is checked, Cisco Unified Communications Manager is configured to allow supported SIP endpoints to use the Binary Floor Control Protocol to enable presentation sharing.
The use of BFCP creates an additional media stream in addition to the existing audio and video streams. This additional stream is used to stream a presentation, such as a PowerPoint presentation from someone’s laptop, into a SIP videophone.
If the box is unchecked, Cisco Unified Communications Manager rejects BFCP offers from devices associated with the SIP profile by setting the BFCP application line and associated media line ports to 0 in the answering SDP message. This is the default behavior.
Note BFCP is only supported on SIP networks. BFCP must be enabled on all SIP trunks, lines, and endpoints for presentation sharing to work. BFCP is not supported if the SIP line or SIP trunk uses MTP, RSVP, TRP or Transcoder.
For more information on BFCP, refer to the Cisco Unified Communications Manager System Guide.
14. Src-port="25723" Detail="Incorrect authentication credential for user" error
The Expressway-C traversal client username/password do not match the Expressway-E traversal server username/password.

The Expressway-C is the traversal client and the Expressway-E is the traversal server; the traversal zone is a client-to-server relationship.


Traversal Zone

When the peer address is configured as an IP address, or the peer address does not match the Common Name (CN) of the Expressway-E certificate, you see this in the logs:

Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip=""
Src-port="25697" Dst-ip="" Dst-port="7001" Detail="Peer's TLS
certificate identity was unacceptable" Protocol="TLS" Common-name=""

When the password is incorrect, you see this in the Expressway-E logs:

Module="network.ldap" Level="INFO": Detail="Authentication credential found in
directory for identity: traversal"

Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/
SipProxyAuthentication.cpp(686)" Method="SipProxyAuthentication::
checkDigestSAResponse" Thread="0x7f2485cb0700": calculated response does not
match supplied response, calculatedResponse=769c8f488f71eebdf28b61ab1dc9f5e9,

Event="Authentication Failed" Service="SIP" Src-ip=""
Src-port="25723" Detail="Incorrect authentication credential for user"
Protocol="TLS" Method="OPTIONS" Level="1"
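To separate the two failures above quickly when a traversal zone shows as failed, the Expressway event lines can be parsed as key="value" pairs and classified. The Python below is an added example written for this note, not Cisco code; the log lines in it are constructed from the ones quoted above, and the IP addresses and common name in them are invented placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the Expressway-E log lines quoted above.
# The IP addresses and common name are invented placeholders; the page does
# not show the real ones.
SAMPLE_LOG = [
    'Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="192.0.2.10" '
    'Src-port="25697" Dst-ip="198.51.100.20" Dst-port="7001" '
    'Detail="Peer\'s TLS certificate identity was unacceptable" Protocol="TLS" '
    'Common-name="expe.example.com"',
    'Module="network.ldap" Level="INFO": Detail="Authentication credential found in '
    'directory for identity: traversal"',
    'Event="Authentication Failed" Service="SIP" Src-ip="192.0.2.10" '
    'Src-port="25723" Detail="Incorrect authentication credential for user" '
    'Protocol="TLS" Method="OPTIONS" Level="1"',
]

# key="value" pairs; keys may contain '-' (Src-ip, Common-name)
_KV = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one Expressway event line into a dict of its key="value" fields."""
    return dict(_KV.findall(line))


def diagnose(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (finding, fix) for the two traversal-zone failures quoted on the
    page, or None for any other event."""
    name, detail = event.get("Event", ""), event.get("Detail", "")
    if name == "Outbound TLS Negotiation Error" and "certificate identity" in detail:
        cn = event.get("Common-name", "?")
        return ("tls-identity-mismatch",
                f"set the traversal zone peer address to the name in the Expressway-E "
                f"certificate ({cn}), not the IP address {event.get('Dst-ip', '?')}")
    if name == "Authentication Failed" and "authentication credential" in detail:
        return ("traversal-credential-mismatch",
                "make the Expressway-C traversal zone username/password match the "
                "Expressway-E traversal account (the check is a digest comparison, "
                "so the password must match exactly)")
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (source ip, finding, fix) per recognised failure."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        verdict = diagnose(event)
        if verdict is not None:
            findings.append((event.get("Src-ip", "?"), verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for src, finding, fix in triage(SAMPLE_LOG):
        print(f"{src}: {finding}: {fix}")
```

Two things worth noticing in practice: the TLS identity error is logged on the side that initiates the connection (the Expressway-C as client), while the credential failure is logged on the Expressway-E that verifies the digest, so you need both logs to triage a zone that is down for both reasons at once.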
15. An effective backup method to reach TEHO destinations when the call limit triggers
“If TEHO is configured, the appropriate TEHO gateway is used for the PSTN call. The TEHO route list can include the Default Local Route Group setting as a backup path. In this case, if the primary (TEHO) path is not available, the gateway that is referenced by the local route group of the applicable device pool will be used for the backup path. If the device pool selection is not static, but Cisco Unified device mobility is used, the gateway of the roaming site will be used as a backup for the TEHO path. …”
16. Functionalities of subzones in a Cisco VCS deployment
Apply registration, authentication, and media encryption policies
Manage bandwidth to restrict standard definition endpoints from using more than 2 Mb of bandwidth. (Page 127) (Page 154)

Bandwidth management
The Local Zone’s subzones are used for bandwidth management. After you have set up your subzones you can apply
bandwidth limits to:
– individual calls between two endpoints within the subzone
– individual calls between an endpoint within the subzone and another endpoint outside of the subzone
– the total of calls to or from endpoints within the subzone

For full details of how to create and configure subzones, and apply bandwidth limitations to subzones including the
Default Subzone and Traversal Subzone, see the Bandwidth control section.

Registration, authentication and media encryption policies
In addition to bandwidth management, subzones are also used to control the VCS’s registration, authentication and
media encryption policies.
17. Enabling SAF Call Control Discovery cm/fscallcontroldiscovery.pdf
1. the SIP or H.323 trunk
2. hosted DN patterns
3. Hosted DN groups
18. Cisco VCS Expressway traversal call licenses
According to the VCS, Gatekeepers and Border Controllers document, a SIP trunk is treated as a device by Cisco, but it is not a real device, so it is not counted for licensing.
19. Devices or applications support call preservation _00_cucm-system-guide-90/CUCM_BK_CD2F83FA_00_system- guide_chapter_01011.html#CUCM_RF_C98194B0_00

The following devices and applications support call preservation. If both parties connect through one of the following devices, Cisco Unified Communications Manager maintains call preservation:
Cisco Unified IP Phones
SIP trunks
Software conference bridge
Software MTP
Hardware conference bridge (Cisco Catalyst 6000 8 Port Voice E1/T1 and Services Module, Cisco Catalyst 4000 Access Gateway Module)
Transcoder (Cisco Catalyst 6000 8 Port Voice E1/T1 and Services Module, Cisco Catalyst 4000 Access Gateway Module)
Non-IOS MGCP gateways (Catalyst 6000 24 Port FXS Analog Interface Module, Cisco DT24+, Cisco DE30+, Cisco VG200)
Cisco IOS H.323 gateways (such as Cisco 2800 series, Cisco 3800 series)
Cisco IOS MGCP Gateways (Cisco VG200, Catalyst 4000 Access Gateway Module, Cisco 2620, Cisco 3620, Cisco 3640, Cisco 3660, Cisco 3810)
Cisco VG248 Analog Phone Gateway

The following devices and applications do not support call preservation:
H.323 endpoints such as NetMeeting or third-party H.323 endpoints
CTI applications
TAPI applications
JTAPI applications
Call Preservation Scenarios
20. Global Dial Plan Replication: prevent the local cluster from routing the VIP number 6666666666 to the remote cluster.
Create a blocked learned pattern.
Learned patterns can be blocked, and the question does not mention transformation patterns at all. A blocked learned pattern stops the local cluster from routing calls to a pattern it has learned through Global Dial Plan Replication.
21. URI calling within the same cluster configuration: the same four steps as item 12 above.
22. 2 steps must you take when implementing TEHO in your environment
Implement local failover
Implement centralized failover
23. Globalization dialing functions enhancement since CUCM 7.X and later (benefits of new design approach)
24. 2 commands verify Cisco IP Phone registration
show ephone registered
show sip-ua status registrar (see the steps)

Step 3 show sip-ua status registrar

Use this command to display all the SIP endpoints currently registered with the contact address.

Router# show sip-ua status registrar

Line destination expires(sec) contact
============ =============== ============ ===============
91021 227
91011 176
95021 419
95012 419
95011 420
95500 420
94011 128
94500 129

I have cross checked with my Voice Gateway and found that ‘show ephone registered’ and ‘show sip-ua status registrar’.

Router#show ephone registered

ephone-1[0] Mac:6C30.4D57.8CD5 TCP socket:[1] activeLine:0 whisperLine:0 REGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP: * 7962 keepalive 4929 music 0 1:101 CM Fallback
sp1:01800008584 sp2:01800654112 sp3:00362456600

ephone-2[1] Mac:555D.0608.45B6 TCP socket:[-1] activeLine:0 whisperLine:0 UNREGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP: * 6921 keepalive 7 music 0

ephone-3[2] Mac:448D.0407.6BE9 TCP socket:[4] activeLine:0 whisperLine:0 REGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP: * 6921 keepalive 4938 music 0 1:103 CM Fallback

ephone-4[3] Mac:544D.0907.532C TCP socket:[12] activeLine:0 whisperLine:0 REGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP: * 6921 keepalive 4931 music 0 1:2 CM Fallback
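When checking fallback on a branch gateway with many phones, the show ephone registered output above is easier to read programmatically: which phones failed to register, and which DNs are being served under CM Fallback. The Python below is an added example written for this note, not Cisco code; the sample output is constructed from the listing above, with invented MAC and IP addresses (the real IPs did not survive on this page).

```python
import re
from typing import Dict, List

# Constructed sample modelled on the 'show ephone registered' output above.
# MAC and IP addresses are invented; the layout follows the page's listing.
SAMPLE_SHOW_EPHONE = """\
ephone-1[0] Mac:0011.2233.4455 TCP socket:[1] activeLine:0 whisperLine:0 REGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP:10.10.1.21 * 7962 keepalive 4929 music 0 1:101 CM Fallback
sp1:01800008584 sp2:01800654112 sp3:00362456600

ephone-2[1] Mac:0011.2233.4466 TCP socket:[-1] activeLine:0 whisperLine:0 UNREGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP:10.10.1.22 * 6921 keepalive 7 music 0

ephone-3[2] Mac:0011.2233.4477 TCP socket:[4] activeLine:0 whisperLine:0 REGISTERED
mediaActive:0 whisper_mediaActive:0 startMedia:0 offhook:0 ringing:0 reset:0 reset_sent:0 debug:0
IP:10.10.1.23 * 6921 keepalive 4938 music 0 1:103 CM Fallback
"""

# first line of each ephone block: name, MAC and registration state
_HEADER = re.compile(r"^(ephone-\d+)\[\d+\] Mac:([0-9A-Fa-f.]+) .* (REGISTERED|UNREGISTERED)$")
# third line: IP, phone model, keepalive counter and the rest (button:DN CM Fallback)
_IPLINE = re.compile(r"^IP:(\S*) \* (\S+) keepalive (\d+)(.*)$")
_FALLBACK = re.compile(r"(\d+):(\d+) CM Fallback")


def parse_show_ephone(text: str) -> List[Dict[str, object]]:
    """Turn the show ephone registered listing into one record per ephone."""
    phones: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            phones.append({"name": m.group(1), "mac": m.group(2),
                           "registered": m.group(3) == "REGISTERED",
                           "fallback_dns": []})
            continue
        m = _IPLINE.match(line)
        if m and phones:
            cur = phones[-1]
            cur["ip"], cur["model"], cur["keepalive"] = m.group(1), m.group(2), int(m.group(3))
            cur["fallback_dns"] = [dn for _button, dn in _FALLBACK.findall(m.group(4))]
    return phones


def unregistered(text: str) -> List[str]:
    """Names of ephones the gateway knows about but that are not registered."""
    return [str(p["name"]) for p in parse_show_ephone(text) if not p["registered"]]


def in_fallback(text: str) -> Dict[str, List[str]]:
    """Map ephone name to the DNs it holds under CM Fallback (SRST active)."""
    return {str(p["name"]): list(p["fallback_dns"])  # type: ignore[arg-type]
            for p in parse_show_ephone(text) if p["fallback_dns"]}


if __name__ == "__main__":
    print("unregistered:", unregistered(SAMPLE_SHOW_EPHONE))
    print("in fallback:", in_fallback(SAMPLE_SHOW_EPHONE))
```

A low keepalive counter on an UNREGISTERED entry (7 in the sample, against thousands on the registered phones) is the usual tell that the phone only just tried and failed, so that is the one to look at first when the WAN comes back and phones should be re-homing to CUCM.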
25. Enable presence and extension mobility for branch office phones during a WAN failure: use Cisco Unified Communications Manager Express in SRST mode.
Cisco Unified SRST does not support enhanced features such as Presence or Cisco Extension Mobility; Message Waiting Indicator (MWI) is also not supported in fallback mode.


26. Configured a Cisco EX60 to register with a Cisco VCS Control, but phone is not registering with VCS C. What’s missing in the configuration.

EX60 (uses H.323 and SIP protocol)
H.323 ID
H.323 E.164 7654321
Gatekeeper IP Address
SIP Proxy1
EX90 (uses SIP protocol)
SIP Proxy1
27. Your company's internal numbers are 4-digit extensions; how do you present them as 10-digit numbers to external parties?
Use a calling party transformation pattern.
“An advantage of using a Calling Party Transformation Mask is that it allows you to change the calling party number for a group of phones easily. Let's say you have 100 phones on which you need to change the 10-digit number. Rather than going to each phone and changing the setting individually, you can do it at the Calling Party Transformation Mask.”
“Another advantage is that if you want to change the calling party number that gets displayed to external users, you can modify that easily with the transformation masks. It also gives you the flexibility of sending different calling party numbers to different destinations. For example, for local calls you can display the 7-digit number; for long distance you can display 10 digits and for international you can display country code + 10 digits.”
28. Default region configurable items on CUCM? cm/b02regio.html#wp1077135
Audio Codec
Video Call Bandwidth
Link Loss Type
29. During Intercluster URI dialing, an error message “Local cluster cannot connect to the ILS network” comes up, what could be possible issues? (Page. 8)
The Tomcat certificates do not match.
The ILS authentication password does not match.
One cluster is using TLS certificate, and the other is using Password.
30. Two technologies that do not require an MTP.

DTMF in-band RTP-NTE (RFC 2833)

SIP Delayed Offer

Note 1 (H.323 Fast Start): RFC 2833 in-band DTMF required an MTP only in CUCM 4.0 and 5.x; in later versions the MTP requirement was removed with native RFC 2833 DTMF support.

Note 2: If both endpoints support NTE (RFC 2833), no MTP is required.

VCP6 : 2V0-621 Exam helpful vocabulary

If you are studying for the VCP6 (2V0-621) exam, please review the vocabulary list below and study these technologies. Dig deeper and you will be OK and pass the exam with flying colors. Good luck!

DCUI Direct Console User Interface
VMCA VMware Certificate Authority
APD All Paths Down
CAAdmins Certificate Authority Administrators
DirectPath I/O Direct Path Input / Output
DPM Distributed Power Management
DRS Distributed Resource Scheduler
EVC Enhanced vMotion Compatibility
IWA Integrated Windows Authentication
LACP Link Aggregation Control Protocol
LLDP Link Layer Discovery Protocol
NIOC3 Network I/O Control 3
NUMA Non-Uniform Memory Access
PDL Permanent Device Loss
PSC Platform Services Controller
SAML Security Assertion Markup Language
SPN Service Principal Name
SSO Single Sign-On
VCSA vCenter Server Appliance
vDS vSphere Distributed Switch
VMCP Virtual Machine Component Protection
vNUMA Virtual non-Uniform Memory Access
VOMA vSphere On-disk Metadata Analyzer
vSMP Virtual Symmetric Multi-Processing


Also, if you have enough time to study, review the following technologies and concepts:

Single Sign-on Token Configuration
Clock tolerance=Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.

Content Library Subscription, Subscription URL

vCloud Air

Domain’s NetBIOS name

Attack vectors for a virtual machine

iSCSI multipathing (software)



P.S.: Yesterday, I’ve passed 2V0-261 exam and renewed VCP5 to VCP6. Preparation was about 1 week and too much time spent in-front of my PC. All the best to you!