[cisco-voip] CUCM - separating management traffic

Matthew Saskin msaskin at gmail.com
Thu Jan 19 09:54:41 EST 2012


I knew Lelio was going to chime in ;)

It's an interesting note that while none of my financial customers have
done this, or use features like secure voice, I have one Edu whose policy
is "everything on the network must be encrypted, end of story".  The net of
this is vastly more time spent troubleshooting security/encryption issues,
and a significant extra workload in terms of additional servers/development
work to "Secure" things that aren't secured by their nature (e.g., ODBC
access to UCCX via informix drivers.  While ODBC can be secured/encrypted,
the informix connectivity to UCCX can't be encrypted)

I digress.  While I agree with Lelio that it's not a difficult thing for
Cisco to implement, I've yet to see the real-world call for it barring very
specific circumstances...and we all know the reality, until it's clamored
for by a collective of customers spending tens of millions of dollars, it's
not likely to happen.

-matthew

On Thu, Jan 19, 2012 at 9:48 AM, Scott Voll <svoll.voip at gmail.com> wrote:

> except Lelio ;-)
>
> Scott
>
>
> On Thu, Jan 19, 2012 at 6:11 AM, Matthew Saskin <msaskin at gmail.com> wrote:
>
>> Who knows?  It's not something that I've ever heard of on the roadmap
>> from Cisco.  Technically speaking, I can't imagine it would be terribly
>> difficult to have the various CCM services operate on one interface/IP and
>> the management (HTTP/HTTPS) on another address, but that's just me thinking
>> about it.
>>
>> Speaking realistically, I've never seen anyone care enough to implement
>> ACLs or application layer filtering to "protect" the admin interface in
>> the real world.
>>
>> -matthew
>>
>>
>>
>> On Thu, Jan 19, 2012 at 6:21 AM, FrogOnDSCP46EF <ciscoboy2006 at gmail.com> wrote:
>>
>>> Thanks Matthew. Would this be difficult to do? Given Cisco has in-house UC
>>> developers.
>>>
>>>
>>>
>>> On Thu, Jan 19, 2012 at 5:52 AM, Matthew Saskin <msaskin at gmail.com> wrote:
>>>
>>>> You can't.  Virtual or physical, CUCM only operates using a single
>>>> interface and single IP address.  Closest you're going to get is firewall
>>>> rules to disallow certain access based on source, and that may not even
>>>> work as things like authentication URLs are on the same IP/port on the
>>>> CUCM - you'd have to do some application layer filtering of URLs.
>>>>
>>>>
>>>> On Wed, Jan 18, 2012 at 11:21 AM, FrogOnDSCP46EF <
>>>> ciscoboy2006 at gmail.com> wrote:
>>>>
>>>>> Has anyone figured out yet how to separate CUCM management in VMware
>>>>> or physical deployment?
>>>>>
>>>>> It's kind of weird, all of Cisco's deployment templates are still putting
>>>>> mgmt and traffic packets on the same eth0 interface.
>>>>>
>>>>> I bet this is on Cisco's to-do list.
>>>>>
>>>>> thanks
>>>>>
>>>>> _______________________________________________
>>>>> cisco-voip mailing list
>>>>> cisco-voip at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Smile, you'll save someone else's day!
>>> Frog
>>>
>>
>
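
The thread notes that, with admin pages and phone-facing authentication URLs sharing one IP/port, source-based firewall rules are not enough and URL filtering is needed. The following is an added example, not code from the thread or from Cisco, of the decision such a filter (for instance in a reverse proxy) has to make. The management subnet, the URL prefixes and the function names are assumptions chosen for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed values (not from the thread): constructed management subnet and
# the URL prefixes treated as administrative.
MGMT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
ADMIN_PREFIXES = ("/ccmadmin", "/ccmservice", "/cmplatform")


def normalize(raw_target):
    """Reduce a request target to the path the application would resolve."""
    path = urlsplit(raw_target).path
    # Decode up to three times so double-encoded separators are exposed.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Servlet containers ignore ";param" suffixes on a path segment.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = "/" + "/".join(segments).lstrip("/")
    # Collapse "." and ".." before matching, and compare case-insensitively.
    return posixpath.normpath(path).lower()


def decide(src_ip, raw_target):
    """Return 'allow' or 'deny' for one request."""
    path = normalize(raw_target)
    is_admin = any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)
    if not is_admin:
        # Phone-facing URLs (e.g. authentication) stay reachable from anywhere.
        return "allow"
    addr = ipaddress.ip_address(src_ip)
    return "allow" if any(addr in net for net in MGMT_NETS) else "deny"


if __name__ == "__main__":
    # Constructed sample requests: (source IP, request target).
    for src, target in [
        ("10.10.50.7", "/ccmadmin/showHome.do"),
        ("10.20.1.15", "/ccmadmin/showHome.do"),
        ("10.20.1.15", "/ccmcip/authenticate.jsp"),
        ("10.20.1.15", "/ccmcip/..%2fccmadmin/showHome.do"),
    ]:
        print(src, target, "->", decide(src, target))
```

Matching on the raw request line instead of the normalized path would let the last sample request through, which is why normalization comes before the prefix check.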