Monday, September 16, 2013


Lately I had to recreate an MPLS network.  I used to use GNS3 as it's user friendly and can use vanilla IOS (i.e. you may download IOS from and throw it into GNS3).  GNS3 can also emulate other devices such as PIX, ASA, IDS, Juniper, and even a host (with a simple ping command).

GNS3 is almost perfect except for performance.  With a couple of routers turned on, GNS3 is pegging about 90% of the CPU.  So I looked for alternatives.

IOU (IOS on Unix) is a Cisco-internal-only tool that emulates IOS devices.  It has quite a few drawbacks:

  • Cisco Internal Only
  • Has to run proprietary IOS
  • Not user friendly - You'll have to build your network topology from a text editor instead of drag-and-drop.  You'll have to do a lot of things from the Unix/Linux command line.

However, IOU has one big advantage - performance.  You may run tens (if not hundreds) of routers at the same time with minimal CPU/memory consumption.

Drawbacks #1 and #2 are no longer problems in the era of Google.  For #3, Andrea Dainese built "IOU Web" - a web interface to manage labs on IOU.

Just think of IOU as a back-end process running on Linux.  'IOU Web' is the front-end interface, in the same way that "CallManager Service" is the back end and "CCMAdmin web" is the front end.

One other thing I like about IOU Web is that you may make your own 'clickable' network diagrams.  You draw your own network diagram, save it as a jpg, and make the routers/switches clickable.  When you click on a router in the drawing, it'll open up a telnet session to that router.

You may also copy the lab content (in rich format) and paste it into the 'Description' tab, then edit it the way you like.  Very convenient for building your home lab (and carrying it anywhere you go).

Tuesday, July 30, 2013

Running UC Labs on a laptop

Not everyone has the luxury of running a Cisco UCS server at home.  Even if you do, it's a little bit heavy to drag the UCS around.  It would be convenient to have the UC lab built on your laptop.

I myself am using VMware Workstation 9.0.2 on a ThinkPad T430 with 16G RAM/1TB HDD.  Some laptops (such as the ThinkPad W-series) allow you to go for 32G RAM, which is really helpful if you need to run multiple boxes (such as UCM, UCCX, UCXN, CUPS, CER, AD) at the same time.

Personally, I prefer creating the VM spec myself instead of importing the OVA file from Cisco.  Some of the specs in the OVA don't make sense in a lab environment.  (For example, what good would it do to have 2 vCPUs in the VM while you're running it on a laptop?)

For the VM hard drive, I always use thin provisioning and use one single file.

For the VM network, I'd prefer "host-only network" unless you have other external components that need to talk to the UC lab.

Depending on your UC version, you might run into a strange problem where the UC box can't ping anywhere in the "host-only network" (not even the VMs in the same network).  For example, I ran into this problem with UCCX 8.5.1 while UCM 8.6.2 was fine.  The solution is to upgrade VMTools on the UC box.

In later versions, NTP and DNS become mandatory.  You may set those up on your Windows 7 desktop (your host OS), so you don't need a dedicated Windows server to do that.  For NTP, it's built into Win7.  Just follow the procedure on  For DNS, you may google for some freeware or shareware.

In a "host-only network", you have the option to have a host adapter connect to the network, so you may connect to the UC boxes from your host OS (e.g. run CIPC from your Win7 desktop).  By default, the "host-only network" is in the network (or a random class-C in the 192.168 range).  You may change it.  You may also change the host adapter's (default is VMnet1) IP address.  If the change didn't seem to take effect, check the 'Advanced' button in the TCP/IP bindings.  You might have multiple IP addresses bound to the VMnet1 adapter.

Saturday, April 13, 2013

Correction to the Cisco UC rooting process

I got a lot of feedback regarding a problem after rooting Cisco UC products (CUCM/UCCX, etc.).  The symptom was that every service is in the [STARTING] state and you get 'Database Communication Error' while trying to log into the GUI (as the 'A Cisco DB' service was not able to start).

It's strange, as I never ran into any problem myself.  I reviewed the process today and ran some tests.  I think I found the problem.  There's an unnecessary section in the instructions:

For version 8.6 or later, Cisco uses SELinux for additional security.  You need the following:

vi /etc/pam.d/su, comment the following:
    #auth   sufficient      /lib/security/$ISA/ debug
    #auth   required        /lib/security/$ISA/ group=priviledged_grp

This section was added to the blog based on a reader's feedback.  I didn't verify it myself and thought it wouldn't do any harm even if it was unnecessary.

Evidently, this unnecessary step broke the system.  If you already performed it, you may undo it by removing the # signs, so the two lines read like this:

auth    sufficient      /lib/security/$ISA/ debug
auth    required        /lib/security/$ISA/ group=priviledged_grp

Reboot the system after making the changes.  View the service status with the command 'utils service list page'.  You should see the 'A Cisco DB' service in the [STARTED] state.  Wait a while and the other services should also be in the [STARTED] state.
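As an added example that is not part of the original post (nor any Cisco or reader-supplied procedure), here is a small POSIX shell script that performs the undo step above on a copy of /etc/pam.d/su: it strips the leading '#' only from 'auth' lines that reference /lib/security/$ISA/ (the two lines quoted above, reproduced verbatim with their elided module name), leaves every other comment such as the #%PAM-1.0 header alone, keeps a .bak copy, and counts the commented and active lines so you can confirm the result before rebooting.  The sample file it builds is constructed for the demonstration; point the functions at the real file on the box to use them there.

```shell
#!/bin/sh
# Added example, not from the original post: revert the commented-out
# /etc/pam.d/su 'auth' lines described above and verify the result.

# Build a constructed sample of the broken state (the post's two commented
# lines plus an unrelated header and account line that must stay untouched).
make_sample_pam_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
#auth   sufficient      /lib/security/$ISA/ debug
#auth   required        /lib/security/$ISA/ group=priviledged_grp
account required        pam_unix.so
EOF
}

# Remove the leading '#' only from 'auth' lines that reference
# /lib/security/$ISA/; every other line is copied through unchanged.
# A backup of the original file is kept next to it as <file>.bak.
# Usage: uncomment_isa_auth_lines /etc/pam.d/su
uncomment_isa_auth_lines() {
    cp "$1" "$1.bak"
    sed -e '/^#auth[[:space:]].*\/lib\/security\/[$]ISA\//s/^#//' "$1.bak" > "$1"
}

# Number of 'auth' lines referencing $ISA that are still commented out.
# 0 means the undo step is complete.
count_commented_isa_auth_lines() {
    grep -c '^#auth[[:space:]].*/lib/security/[$]ISA/' "$1" || true
}

# Number of active (uncommented) 'auth' lines referencing $ISA; 2 is expected
# once both lines from the post have been restored.
count_active_isa_auth_lines() {
    grep -c '^auth[[:space:]].*/lib/security/[$]ISA/' "$1" || true
}

# Stand-alone demonstration on a throwaway copy.
demo_file=$(mktemp)
make_sample_pam_su "$demo_file"
echo "before: $(count_commented_isa_auth_lines "$demo_file") commented, $(count_active_isa_auth_lines "$demo_file") active"
uncomment_isa_auth_lines "$demo_file"
echo "after:  $(count_commented_isa_auth_lines "$demo_file") commented, $(count_active_isa_auth_lines "$demo_file") active"
rm -f "$demo_file" "$demo_file.bak"
```

The sed address is deliberately narrow (a line must start with '#auth' and mention /lib/security/$ISA/) so that running it twice, or on a file where only one of the two lines was commented, does nothing unexpected; check that the 'after' counts read 0 commented and 2 active before you reboot.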

I've removed the section from the original post.  Sorry for the inconvenience caused.