[cisco-voip] Question about enabling DNS on CUCM cluster(s)

Brian Meade bmeade90 at vt.edu
Thu Mar 26 13:57:00 EDT 2015


The phones that support ITL/SBD pull both.  I'm just talking about old
phones like 7960s/40s that only pull CTLs since they don't support SBD.

On Thu, Mar 26, 2015 at 1:22 PM, Ed Leatherman <ealeatherman at gmail.com>
wrote:

> Thanks Brian,
>
> Is it normal for phones to only use CTLs? It seems like they pull both.
>
> On Thu, Mar 26, 2015 at 12:44 PM, Brian Meade <bmeade90 at vt.edu> wrote:
>
>> Phone config files are signed by the CallManager.pem from the node
>> serving up the files.
>>
>> Phones with SBD using ITLs will be able to authenticate the new
>> certificates right away using TVS.  I would just make sure the phones get
>> the new ITL before moving onto the next node.
>>
>> For phones only using CTLs, they are not going to trust config files
>> until the CTL client is re-run, TFTP service restarted, and new CTL
>> downloaded.  The phones are probably fine to use the cached configs for a
>> little bit until you finish the whole cluster and run the CTL client once
>> assuming you're doing it all in one window.
>>
>> On Thu, Mar 26, 2015 at 11:34 AM, Ed Leatherman <ealeatherman at gmail.com>
>> wrote:
>>
>>> Sorry for resurrecting this old thread, now that I have some spare
>>> cycles to devote to this I wanted to follow up about it..
>>>
>>> - The node names are not changing, just adding DNS servers and domain
>>> name to each node
>>>
>>> - Call Manager servers are defined by IP address, and IPs are also not
>>> changing.
>>>
>>> - with respect to database replication, it seems configuring DNS and
>>> setting a domain name should take care of itself just with rebooting each
>>> node one at a time
>>>
>>> - production cluster is mixed-mode security. Currently no domain name is
>>> setup, and in the certificates this is reflected in the CN. On my test
>>> cluster, which already has dns and a domain name configured, I see that the
>>> CN has the domain as part of it - so when I add a domain name to my
>>> production cluster all the certs will need to be regenerated, requiring a
>>> CTL update
>>>
>>> My initial thoughts on this were just to update the dns info and reboot
>>> one at a time on each node (pub first), letting dbrep settle down between
>>> reboots, and then run the CTL client to update that, then restart CM and
>>> TFTP services on each node.
>>>
>>> So, do I just need to do one CTL update after I have made the change and
>>> rebooted all my nodes, or will I have to update the CTL after each reboot?
>>> I'm picturing in my head getting halfway into the process and having phones
>>> unable to pull config files until I update the CTL at the end, but does TVS
>>> take care of this interim case?
>>>
>>> Thanks!!
>>> Ed
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Aug 11, 2014 at 9:43 AM, Ryan Ratliff (rratliff) <
>>> rratliff at cisco.com> wrote:
>>>
>>>>  Kind of makes me want to enable mixed-mode on the 2nd cluster.
>>>>
>>>>
>>>> If you've got the eTokens handy then it will certainly make your life a
>>>> lot easier when it comes to SBD and endpoints.
>>>>
>>>> -Ryan
>>>>
>>>>  On Aug 11, 2014, at 8:41 AM, Ed Leatherman <ealeatherman at gmail.com>
>>>> wrote:
>>>>
>>>>  Thanks Matt,
>>>>
>>>>  So it sounds like purely from database replication perspective
>>>> enabling DNS by itself isn't an issue.
>>>>
>>>>  If I do need to change the domain or hostnames on the cluster then it
>>>> becomes a certificate operation of some variety depending on the security
>>>> state of the particular cluster - in addition to minding replication. Kind
>>>> of makes me want to enable mixed-mode on the 2nd cluster.
>>>>
>>>>  Thanks!
>>>>
>>>> Ed
>>>>
>>>>
>>>> On Mon, Aug 11, 2014 at 8:19 AM, Matthew Loraditch <
>>>> MLoraditch at heliontechnologies.com> wrote:
>>>>
>>>>>
>>>>> https://supportforums.cisco.com/document/68701/communications-manager-security-default-and-itl-operation-and-troubleshooting#Changing_Host_Names_or_Domain_Names
>>>>>
>>>>>
>>>>>
>>>>> Take a look there, pretty much covers every scenario, I just did a
>>>>> multi-node with ITL only for the same reasons as you and it worked like a
>>>>> charm.
>>>>>
>>>>>
>>>>>
>>>>> Rebuild definitely not necessary.
>>>>>
>>>>>
>>>>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>>>>>
>>>>>
>>>>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>>>>> Behalf Of *Ed Leatherman
>>>>> *Sent:* Monday, August 11, 2014 8:00 AM
>>>>> *To:* Cisco VOIP
>>>>> *Subject:* [cisco-voip] Question about enabling DNS on CUCM cluster(s)
>>>>>
>>>>>
>>>>>
>>>>> Good morning!
>>>>>
>>>>>
>>>>>
>>>>> Was hoping someone with a little more experience on the jabber/collab
>>>>> edge side could point me in the right direction here.
>>>>>
>>>>>
>>>>>
>>>>> I have 2 CUCM clusters that I am researching configuring jabber and/or
>>>>> collab edge for. Up till now I've never had a need for DNS resolution on
>>>>> either. One of them has been operational since version 3 dot something
>>>>> and back then it seemed the recommendation to stay away from DNS in general
>>>>> on CUCM unless there was a good reason otherwise.
>>>>>
>>>>>
>>>>>
>>>>> I see there are just a few commands to enable it and setup servers etc
>>>>> - are there any gotchas with database replication or security that I need
>>>>> to be aware of? I don't plan on changing the hostname of the servers
>>>>> themselves or their IP addresses.
>>>>>
>>>>>
>>>>>
>>>>> The old cluster has CTLs/USB tokens. The "slightly" newer cluster is
>>>>> just running in security-by-default mode. Both clusters are @ version 9.1.
>>>>>
>>>>>
>>>>>
>>>>> My research thus far seems to say turning DNS up on earlier versions
>>>>> of CUCM required rebuilds but seems to not be the case now, but I haven't
>>>>> turned up anything in the official docs. I have a TAC case open to ask
>>>>> about it but I'm still at the explain DNS and what my business case is
>>>>> stage ;)
>>>>>
>>>>>
>>>>>
>>>>> Appreciate any tips!
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ed
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ed Leatherman
>>>>>
>>>>
>>>>
>>>>
>>>>  --
>>>> Ed Leatherman
>>>>  _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>
>>>>
>>>
>>>
>>> --
>>> Ed Leatherman
>>>
>>
>
>
> --
> Ed Leatherman
>