Re: [cisco-voip] CUCM DNS/CTL configuration - follow-up
Brian, since it's a trust cert you shouldn't need to upload it to every node. The certificate replication process I talked about previously in this thread handles putting the trust cert on all CUCM servers. Also - since it's a trust cert you're right - no resets of phones anywhere.

Since this is a trust cert for CallManager to talk to an external party (specifically the SIP process) you will probably need to restart the CCM process before SIP TLS calls will complete between the VCS and CUCM. Certs need to be validated when the SIP TLS session is established, and this trust database in the CCM process is not dynamic as far as I know. It loads the trust certs on process start and that's it.

Although - I might be wrong on this.. I've done SIP TLS to gateways and I don't remember if we always needed to restart CCM. Let us know if calls work without restarting CCM!

On Thu, May 28, 2015 at 10:45 AM, Brian Meade bmead...@vt.edu wrote:

I've seen it work most of the time just adding the CallManager-trust. On one occasion, I did have to restart the CallManager service for it to take effect. Make sure to upload to every node. You also shouldn't see any phone reboots for adding a CallManager-trust. That would only be in the case you end up having to restart the CallManager service.

On Thu, May 28, 2015 at 10:37 AM, Ed Leatherman ealeather...@gmail.com wrote:

It's not a tomcat-trust cert though, the docs (and Expressway) say it needs to go in the callmanager-trust

On Thu, May 28, 2015 at 10:25 AM, Charles Goldsmith wo...@justfamily.org wrote:

Just restart Tomcat

On Thu, May 28, 2015 at 8:21 AM, Ed Leatherman ealeather...@gmail.com wrote:

Good morning!

Cert related question - think I know the answer but I don't see it explicitly stated so figured I'd ask. I need to add the CA cert for my expressway-C to call manager as a callmanager-trust cert - do I need to reboot the call manager service for this to take effect? No forced phone reboots since this is just a trust cert, correct? I think the answer is no and no phone reboots.

Thanks!
Ed

On Mon, May 18, 2015 at 10:46 AM, Brian Meade bmead...@vt.edu wrote:

Ed,

All phones re-registering is expected behavior for when any CallManager, CAPF, or TVS certificate on any node in the cluster is regenerated. This is to allow phones to download an updated ITL before another certificate change is made. This is also the same reason all phones re-register when adding a new node to a cluster.

Tomcat-trusts usually automatically get updated via the Certificate Change Notification process. There have been a few times I've seen conflicts that caused this not to work right though.

Brian

On Sun, May 17, 2015 at 10:06 AM, Ed Leatherman ealeather...@gmail.com wrote:

Good morning,

This morning I enabled DNS servers, domain name on our CUCM Cluster, which involved regenerating all the certs on the cluster. Note I have cluster mixed mode. Everything appears to have gone smoothly, but I had 2 odd things happen that I did not expect.. tossing them out here in case it helps someone else, or if someone has commentary on why :)

Reference: CUCM v9.1, mixed mode, never had DNS servers or domain set before.

- After setting primary, secondary DNS and domain name, and the subsequent reboot on each node ALL my phones on the cluster restarted or at least re-registered each time, even for phones that do not use that node as a CM. Is this CM process restarting everywhere each time or ? I didn't think to check runtime on the CM process while I was working.
- I expected to have to import tomcat certificates back and forth to the publisher at each node once the certs were regenerated, as this was necessary in the past. Apparently now they automagically download them from each other? I went in to do it and the tomcat-trust was already there with the new domain name.

Cheers!
Ed

--
Ed Leatherman
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] CUCM DNS/CTL configuration - follow-up
Ed.

All changes that cause an ITL file to update, such as regenerating certain certificates or changing host or domain names (which cause cert regens themselves) cause an Enterprise Phone Reset. Changing names (certs) on multiple CUCM servers causes multiple enterprise resets. This is by design to stop people from locking themselves out of their ITL. The enterprise phone resets cause the phones to go get the new ITL file and new certificates when there is a change, preventing the accidental case where all valid certs in the ITL on the phone no longer exist on the servers. I think this was an 8.6 enhancement.

Second, yeah - the certs have been shipped around by the Certificate Replication service or a similarly named service for quite some time. Run utils service list and you'll see it in there. This makes sure all nodes in the cluster share their trust certs with each other.

-- Burns

On 05/17/2015 10:06 AM, Ed Leatherman wrote:

Good morning,

This morning I enabled DNS servers, domain name on our CUCM Cluster, which involved regenerating all the certs on the cluster. Note I have cluster mixed mode. Everything appears to have gone smoothly, but I had 2 odd things happen that I did not expect.. tossing them out here in case it helps someone else, or if someone has commentary on why :)

Reference: CUCM v9.1, mixed mode, never had DNS servers or domain set before.

- After setting primary, secondary DNS and domain name, and the subsequent reboot on each node ALL my phones on the cluster restarted or at least re-registered each time, even for phones that do not use that node as a CM. Is this CM process restarting everywhere each time or ? I didn't think to check runtime on the CM process while I was working.
- I expected to have to import tomcat certificates back and forth to the publisher at each node once the certs were regenerated, as this was necessary in the past. Apparently now they automagically download them from each other? I went in to do it and the tomcat-trust was already there with the new domain name.

Cheers!
Ed

--
Ed Leatherman
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Hardware for UC
Scott,

(Disclaimer: I work for Nutanix now)

The specs-based server support as documented on the Cisco DocWiki gives a world of flexibility when choosing infrastructure. A hyperconverged solution like Nutanix that Brian mentioned could provide a lot of the benefits of shared storage while serving hot data from a local flash and memory tier to provide blazing fast storage performance. It would eliminate the SAN controller bottleneck you mentioned. Each Nutanix node is a local storage controller.

We've had Nutanix customers provisioning Cisco UC (and contact center) clusters with stellar performance. Take a look at some blog posts I wrote as well as a best practices guide for Cisco UC on Nutanix:

Best Practices Guide with example deployments:
http://go.nutanix.com/bpg-cisco-unified-communications.html

Personal blog posts:
http://urns.com/blog/2014/12/nutanix-and-uc-part-1-introduction-and-overview/
http://urns.com/blog/2015/01/nutanix-and-uc-part-2-cisco-virtualization-requirements/
http://urns.com/blog/2015/01/nutanix-and-uc-part-3-cisco-uc-on-nutanix/
http://urns.com/blog/2015/02/nutanix-and-uc-part-4-vm-placement-and-system-sizing/

On Tue, Mar 31, 2015 at 3:49 AM, Heim, Dennis dennis.h...@wwt.com wrote:

It all depends on the layer 8 of your environment and the size of your environment. If your environment is more than say 3-4 physical servers, then I would make a push for UCSM (UCS Manager). I think a compelling case could be made for the virtual SAN stuff that Brian mentioned coupled with UCS Fabric Interconnects and C-series with single connect (VIC 1225 cards).

Cons:
- Cost of Fabric Interconnects

Pros:
- Ease of Management
- vSAN is under your control just like local disks
- Flexibility of shared storage
- 2-4 10gb uplinks instead of 4-6 per physical server.
- Centralized Management platform

I personally am not a big fan of the TRCs for larger installs, as the TRCs limit flexibility which is sometimes needed. Booting ESXi via flash card is not supported under TRC, but under specs-based is. However, despite my dislike of UCS C-series server sprawl, that is the most common option deployed today. UCS-mini does bring a lot of cool options with it too. I have never touched a UCS mini. I contend you could create a RAID 5 or 6 array on SSDs and never ever have to worry about IOPS again.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
https://twitter.com/CollabSensei

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Brian Meade
Sent: Monday, March 30, 2015 11:16 AM
To: Scott Voll
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Hardware for UC

C series with local storage is definitely the most popular for UC. If you still want enterprise storage features, Nutanix has a nice solution for utilizing your local storage- http://urns.com/blog/2014/12/nutanix-and-uc-part-1-introduction-and-overview/

On Mon, Mar 30, 2015 at 11:42 AM, Scott Voll svoll.v...@gmail.com wrote:

What hardware is everyone using to upgrade their UC environment to?

We have UCS Blades with NetApp storage, but have had some limitations on IO (prior to the upgraded controllers) that I'm a little concerned about. I like the idea of vMotion. But I'm thinking if it's my back side on the line with my UC environment, maybe the rack mount UCS might be a better bet?

We (UC Team) have also been thinking about the UCS mini with storage blade.

What are others doing? What is Cisco suggesting these days?
Thanks
Scott
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip