<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>Thanks Nick. <br><br>I'm guessing after 15.1(2)T has those parameters that the Field Notice talked about enabled by default where you have to list specific hosts that can do that SIP to H323 or whatever? Trusted hosts I think they called it?<br><span><br><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it. <br> - LFJ (with apologies to Mr. Popeil)<br><span name="x"></span><br></span><br><hr id="zwchr"><b>From: </b>"Nick Matthews" &lt;matthnick@gmail.com&gt;<br><b>To: </b>"Lelio Fulgenzi" &lt;lelio@uoguelph.ca&gt;<br><b>Cc: </b>"Jonathan Charles" &lt;jonvoip@gmail.com&gt;, "Cisco VOIP" &lt;cisco-voip@puck.nether.net&gt;<br><b>Sent: </b>Wednesday, January 25, 2012 2:39:32 PM<br><b>Subject: </b>Re: [cisco-voip] CUBE not requesting codec... call fails... need to force SDP in invite...<br><br>While MGCP is active it doesn't apply. And usually MGCP will be<br>active while internet/WAN connectivity is up. 
If you had both<br>internet and MPLS circuits, and MGCP depended on the MPLS, and the<br>internet was unsecured (TCP/UDP 5060 open), and were before 15.1(2)T,<br>you would be vulnerable.<br><br>-nick<br><br>On Wed, Jan 25, 2012 at 2:33 PM, Lelio Fulgenzi &lt;lelio@uoguelph.ca&gt; wrote:<br>> We've got MGCP with SRST/H323 failover so I guess that vulnerability is<br>> there.<br>><br>> The thought of moving to H323 over MGCP was also considered so we could do<br>> some call processing first.<br>><br>> Thanks, Lelio<br>><br>><br>> ---<br>> Lelio Fulgenzi, B.A.<br>> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>> (519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>> Cooking with unix is easy. You just sed it and forget it.<br>> - LFJ (with apologies to Mr. Popeil)<br>><br>><br>> ________________________________<br>> From: "Nick Matthews" &lt;matthnick@gmail.com&gt;<br>> To: "Lelio Fulgenzi" &lt;lelio@uoguelph.ca&gt;<br>> Cc: "Jonathan Charles" &lt;jonvoip@gmail.com&gt;, "Cisco VOIP"<br>> &lt;cisco-voip@puck.nether.net&gt;<br>> Sent: Wednesday, January 25, 2012 2:25:50 PM<br>><br>> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need to<br>> force SDP in invite...<br>><br>> It's actually really hard to hijack MGCP via SIP. You would need dial<br>> peers pointing toward CUCM, and CUCM would have to route via MGCP.<br>> MGCP takes control of that entire PRI and won't allow calls through<br>> unless they're sent by CUCM.<br>><br>> Now H.323 is extremely easy. 
If you set up a router with a public IP<br>> address not behind a firewall, and then put a PRI and some dial peers<br>> that allow international dialing with 9011T and you're on IOS before<br>> 15.1(2)T it's just a matter of time before you're sending calls to<br>> Cuba/Russia/Eastern Europe etc.<br>><br>> -nick<br>><br>> On Wed, Jan 25, 2012 at 10:49 AM, Lelio Fulgenzi &lt;lelio@uoguelph.ca&gt; wrote:<br>>> I also like the idea of having it separate so if we do still maintain MGCP<br>>> gateways, I'm assuming there would be some protection involved, i.e. SIP<br>>> hijacking of our MGCP gateways.<br>>><br>>><br>>> ---<br>>> Lelio Fulgenzi, B.A.<br>>> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>>> (519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>>> Cooking with unix is easy. You just sed it and forget it.<br>>> - LFJ (with apologies to Mr. Popeil)<br>>><br>>><br>>> ________________________________<br>>> From: "Nick Matthews" &lt;matthnick@gmail.com&gt;<br>>> To: "Lelio Fulgenzi" &lt;lelio@uoguelph.ca&gt;<br>>> Cc: "Jonathan Charles" &lt;jonvoip@gmail.com&gt;, "Cisco VOIP"<br>>> &lt;cisco-voip@puck.nether.net&gt;<br>>> Sent: Wednesday, January 25, 2012 10:28:03 AM<br>>><br>>> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need<br>>> to<br>>> force SDP in invite...<br>>><br>>> It's just an ISR, so the deployment is up to you. Usually depends on<br>>> the scale. If it's a pilot, whatever you have around. It's really<br>>> what else you want to manage on your side and if you'll get confused<br>>> with so many things on one router. When you get higher towards the<br>>> CPU capacity of the box in sessions you'll want to have a mostly<br>>> dedicated box to prevent other things from hogging the CPU. 
There<br>>> really isn't a best practice but many organizations decide to put it<br>>> on dedicated hardware to keep it simple.<br>>><br>>> -nick<br>>><br>>> On Wed, Jan 25, 2012 at 9:43 AM, Lelio Fulgenzi &lt;lelio@uoguelph.ca&gt; wrote:<br>>>> Speaking of CUBE, just wondering what the common practice is for physical<br>>>> deployment. We have two routers which will eventually house our MGCP<br>>>> gateways in HQ and one router at each of our remote sites, again, MGCP.<br>>>><br>>>> If I want to deploy CUBE, is it usually installed separately from the<br>>>> main<br>>>> campus router?<br>>>><br>>>> ---<br>>>> Lelio Fulgenzi, B.A.<br>>>> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>>>> (519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>>>> Cooking with unix is easy. You just sed it and forget it.<br>>>> - LFJ (with apologies to Mr. Popeil)<br>>>><br>>>><br>>>> ________________________________<br>>>> From: "Roger Wiklund" &lt;roger.wiklund@gmail.com&gt;<br>>>> To: "Jonathan Charles" &lt;jonvoip@gmail.com&gt;<br>>>> Cc: "Cisco VOIP" &lt;cisco-voip@puck.nether.net&gt;<br>>>> Sent: Wednesday, January 25, 2012 3:27:19 AM<br>>>> Subject: Re: [cisco-voip] CUBE not requesting codec... call fails... need<br>>>> to<br>>>> force SDP in invite...<br>>>><br>>>><br>>>> On Wed, Jan 25, 2012 at 3:54 AM, Jonathan Charles &lt;jonvoip@gmail.com&gt;<br>>>> wrote:<br>>>>> Because, as far as I can tell, Cisco does not support SIP to SIP on the<br>>>>> CUBE... 
and it doesn't work.<br>>>>><br>>>>> You need to be H.323 to the CUBE, then SIP to the provider.<br>>>><br>>>> Hi,<br>>>><br>>>> SIP-SIP is definitely the way to go, should be easier on the CPU to<br>>>> not have to convert between the two, and also easier to troubleshoot.<br>>>><br>>>> I'm running SIP-SIP with DO-EO and RTP flow-around.<br>>>><br>>>> I wrote some notes about it that may be useful (even if you are not<br>>>> running flow-around)<br>>>><br>>>><br>>>><br>>>> http://wiklunds.wordpress.com/2012/01/02/sip-delayed-offer-to-early-offer-with-rtp-flow-around-support-in-cube-8-6/<br>>>><br>>>> Regards<br>>>> Roger<br>>>> _______________________________________________<br>>>> cisco-voip mailing list<br>>>> cisco-voip@puck.nether.net<br>>>> https://puck.nether.net/mailman/listinfo/cisco-voip<br>>>><br></div></body></html>