Cisco Unified IP Phone 7906G and 7911G Administration Guide for Cisco Unified CM 8.0 (SCCP and SIP)
An Overview of the Cisco Unified IP Phone

The Cisco Unified IP Phones 7906G and 7911G provide voice communication over an Internet Protocol (IP) network. They function much like a standard digital business telephone, allowing you to place and receive phone calls and to access features such as mute, hold, transfer, and speed dial. In addition, because the phone is connected to your data network, it offers enhanced productivity features, including access to network information, XML applications, and customizable features.

A Cisco Unified IP Phone, like other network devices, must be configured and managed. These phones encode G.711a, G.711u, G.722, G.729a, G.729ab, iLBC, and decode G.711a, G.711u, G.722, iLBC, G.729, G.729a, G.729b, and G.729ab. These phones also support uncompressed wideband (16 bits, 16 kHz) audio.

This chapter includes the following topics:

Understanding the Cisco Unified IP Phones 7906G and 7911G

What Networking Protocols are Used?

What Features are Supported?

Understanding Security Features for Cisco Unified IP Phones

Overview of Configuring and Installing Cisco Unified IP Phones


Caution: Using a cell, mobile, or GSM phone, or two-way radio in close proximity to a Cisco Unified IP Phone might cause interference. For more information, refer to the manufacturer documentation of the interfering device.

Understanding the Cisco Unified IP Phones 7906G and 7911G

The Cisco Unified IP Phones 7906G and 7911G are basic IP phones designed for cubicles, classrooms, factory floors, warehouses, lobbies, and any other location where the phone either complements the user's set of communication devices or is seldom used. The Cisco Unified IP Phones 7906G and 7911G:

Provide a graphical display with dynamic softkeys, icons, and scrollable directories for easy access to a core set of business features

Support up to six calls on one directory number

Support inline power, either Cisco inline power or IEEE 802.3af Power over Ethernet

Support enhanced security features, including manufacturing and field installable certificates, secure media and signaling, and authenticated configuration

Support enhanced calling features plus audio and text XML applications

Include an integrated 10/100 Mbit Ethernet switch for connecting a PC, thereby preserving the advantage of one cable pull per location (applies to Cisco Unified IP Phone 7911G only)

Figure 1-1 shows the main components of the Cisco Unified IP Phones 7906G and 7911G.

Figure 1-1 Cisco Unified IP Phones 7906G and 7911G

Table 1-1 describes the buttons on the Cisco IP Phones 7906G and 7911G.

Table 1-1 Features on the Cisco Unified IP Phone 7906G and 7911G

1. Phone screen: Displays phone features such as phone number, call status, and softkeys.

2. Cisco Unified IP Phone series: Indicates your Cisco Unified IP Phone model series.

3. Softkeys: Each softkey activates a softkey option displayed on your phone screen.

4. Navigation button: Allows you to scroll through menu items and highlight items. When the phone is on-hook, displays your Speed Dials.

5. Applications menu button: Displays the Applications menu that provides access to a voice messaging system, phone logs and directories, settings, and services.

6. Hold button: Places the active call on hold, resumes a call on hold, and switches between an active call and a call on hold.

7. Keypad: Allows you to dial phone numbers, enter letters, and choose menu items.

8. Volume button: Controls the handset, headset, speaker, and ringer volume.

9. Handset: Functions like a traditional handset. The light strip at the top of the handset blinks when the phone rings and stays lit if there is a new voice message (depending on your voice messaging system).

10. Footstand: Allows the phone to stand at a convenient angle on a desk or table. Also may be removed for wall mounting to mounting screws or to a Cisco Unified IP Phone wall mount kit.

What Networking Protocols are Used?

Cisco Unified IP Phones support several industry-standard and Cisco networking protocols required for voice communication. Table 1-2 provides an overview of the supported networking protocols on the Cisco Unified IP Phones 7906G and 7911G.

Table 1-2 Supported Networking Protocols on the Cisco Unified IP Phone 

Networking Protocol: Bootstrap Protocol (BootP)
Purpose: BootP enables a network device such as the Cisco Unified IP Phone to discover certain startup information, such as its IP address.
Usage Notes: If you are using BootP to assign IP addresses to the Cisco Unified IP Phone, the BOOTP Server option shows "Yes" in the network configuration settings on the phone.

Networking Protocol: Cisco Discovery Protocol (CDP)
Purpose: CDP is a device-discovery protocol that runs on all Cisco-manufactured equipment. Using CDP, a device can advertise its existence to other devices and receive information about other devices in the network.
Usage Notes: The Cisco Unified IP Phone uses CDP to communicate information such as auxiliary VLAN ID, per port power management details, and Quality of Service (QoS) configuration information with the Cisco Catalyst switch.

Networking Protocol: Cisco Peer-to-Peer Distribution Protocol (CPPDP)
Purpose: CPPDP is a Cisco proprietary protocol used to form a peer-to-peer hierarchy of devices. CPPDP is also used to copy firmware or other files from peer devices to neighboring devices.
Usage Notes: CPPDP is used by the Peer Firmware Sharing feature.

Networking Protocol: Dynamic Host Configuration Protocol (DHCP)
Purpose: DHCP dynamically allocates and assigns an IP address to network devices. DHCP enables you to connect an IP phone into the network and have the phone become operational without your needing to manually assign an IP address or to configure additional network parameters.
Usage Notes: DHCP is enabled by default. If disabled, you must manually configure the IP address, subnet mask, gateway, and a TFTP server on each phone locally. Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional information about DHCP configurations, refer to the Dynamic Host Configuration Protocol and Cisco TFTP in the Cisco Unified Communications Manager System Guide.

Networking Protocol: HyperText Transfer Protocol (HTTP)
Purpose: HTTP is the standard way of transferring information and moving documents across the Internet and the World Wide Web.
Usage Notes: The Cisco Unified IP Phones use HTTP for the XML services and for troubleshooting purposes.

Networking Protocol: Hypertext Transfer Protocol Secure (HTTPS)
Purpose: Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of servers.
Usage Notes: Web applications with both HTTP and HTTPS support have two URLs configured. Cisco Unified IP Phones that support HTTPS choose the HTTPS URL out of the two URLs.

Networking Protocol: IEEE 802.1X
Purpose: The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Usage Notes: The Cisco Unified IP Phone implements the IEEE 802.1X standard by providing support for the following authentication methods: EAP-FAST, EAP-TLS, and EAP-MD5. When 802.1X authentication is enabled on the phone, you should disable the PC port and voice VLAN. See Supporting 802.1X Authentication on Cisco Unified IP Phones for additional information.

Networking Protocol: Internet Protocol (IP)
Purpose: IP is a messaging protocol that addresses and sends packets across the network.
Usage Notes: To communicate using IP, network devices must have an assigned IP address, subnet, and gateway. IP address, subnet, and gateway identifications are automatically assigned if you are using the Cisco Unified IP Phone with Dynamic Host Configuration Protocol (DHCP). If you are not using DHCP, you must manually assign these properties to each phone locally. The Cisco Unified IP Phone supports concurrent IPv4 and IPv6 addresses. Configure the IP addressing mode (IPv4 only, IPv6 only, or both IPv4 and IPv6) in Cisco Unified Communications Manager Administration. For more information, refer to Internet Protocol Version 6 (IPv6) in the Cisco Unified Communications Manager Features and Services Guide.

Networking Protocol: Link Layer Discovery Protocol (LLDP)
Purpose: LLDP is a standardized network discovery protocol (similar to CDP) that is supported on some Cisco and third-party devices.
Usage Notes: The Cisco Unified IP Phone supports LLDP on the PC port.

Networking Protocol: Link Layer Discovery Protocol-Media Endpoint Devices (LLDP-MED)
Purpose: LLDP-MED is an extension of the LLDP standard developed for voice products.
Usage Notes: The Cisco Unified IP Phone supports LLDP-MED on the SW port to communicate information such as voice VLAN configuration, device discovery, power management, and inventory management. For more information about LLDP-MED support, see the LLDP-MED and Cisco Discovery Protocol white paper: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_white_paper0900aecd804cd46d.shtml

Networking Protocol: Real-Time Transport Protocol (RTP)
Purpose: RTP is a standard protocol for transporting real-time data, such as interactive voice and video, over data networks.
Usage Notes: Cisco Unified IP Phones use the RTP protocol to send and receive real-time voice traffic from other phones and gateways.

Networking Protocol: Real-Time Control Protocol (RTCP)
Purpose: RTCP works with RTP to provide QoS data (such as jitter, latency, and round trip delay) on RTP streams.
Usage Notes: RTCP is disabled by default, but you can enable it on a per phone basis by using Cisco Unified Communications Manager. For more information, see Network Configuration.

Networking Protocol: Secure Real-Time Transport Protocol (SRTP)
Purpose: SRTP is available in addition to RTP. SRTP adds security by encrypting media streams during data transport.
Usage Notes: For SRTP to work, the phone or phones being called must also support SRTP or else those phones cannot decrypt the secure media stream.

Networking Protocol: Session Initiation Protocol (SIP)
Purpose: SIP is the Internet Engineering Task Force (IETF) standard for multimedia conferencing over IP. SIP is an ASCII-based application-layer control protocol (defined in RFC 3261) that can be used to establish, maintain, and terminate calls between two or more endpoints. Like other VoIP protocols, SIP is designed to address the functions of signaling and session management within a packet telephony network. Signaling allows call information to be carried across network boundaries. Session management provides the ability to control the attributes of an end-to-end call.
Usage Notes: You can configure the Cisco Unified IP Phone to use either SIP or Skinny Client Control Protocol (SCCP). Cisco Unified IP Phones do not support the SIP protocol when the phones are operating in IPv6 address mode.

Networking Protocol: Skinny Client Control Protocol (SCCP)
Purpose: SCCP includes a messaging set that allows communications between call control servers and endpoint clients such as IP Phones. SCCP is proprietary to Cisco Systems.
Usage Notes: Cisco Unified IP Phones use SCCP for call control. You can configure the Cisco Unified IP Phone to use either SCCP or Session Initiation Protocol (SIP).

Networking Protocol: Session Description Protocol (SDP)
Purpose: SDP is the portion of the SIP protocol that determines which parameters are available during a connection between two endpoints. Conferences are established by using only the SDP capabilities that are supported by all endpoints in the conference.
Usage Notes: SDP capabilities, such as codec types, DTMF detection, and comfort noise, are normally configured on a global basis by Cisco Unified Communications Manager or Media Gateway in operation. Some SIP endpoints may allow these parameters to be configured on the endpoint itself.

Networking Protocol: Transmission Control Protocol (TCP)
Purpose: TCP is a connection-oriented transport protocol.
Usage Notes: Cisco Unified IP Phones use TCP to connect to Cisco Unified Communications Manager and to access XML services.

Networking Protocol: Transport Layer Security (TLS)
Purpose: TLS is a standard protocol for securing and authenticating communications.
Usage Notes: When security is implemented, Cisco Unified IP Phones use the TLS protocol when securely registering with Cisco Unified Communications Manager. For more information, refer to the Cisco Unified Communications Manager Security Guide.

Networking Protocol: Trivial File Transfer Protocol (TFTP)
Purpose: TFTP allows you to transfer files over the network. On the Cisco Unified IP Phone, TFTP enables you to obtain a configuration file specific to the phone type.
Usage Notes: TFTP requires a TFTP server in your network, which can be automatically identified from the DHCP server. If more than one TFTP server is running in your network, you must manually assign a TFTP server to each phone locally. For more information, refer to Cisco TFTP in the Cisco Unified Communications Manager System Guide.

Networking Protocol: User Datagram Protocol (UDP)
Purpose: UDP is a connectionless messaging protocol for delivery of data packets.
Usage Notes: Cisco Unified IP Phones receive and process UDP messages.
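
The DHCP entry in Table 1-2 recommends option 150, whose value is the TFTP server IP address. The following Python sketch is an added example, not part of the Cisco guide: it decodes a DHCP options field, reads option 150 as a list of 4-byte IPv4 addresses, and compares the result with the TFTP servers you intend phones to use. The approved addresses and the option byte strings are constructed sample values.

```python
import ipaddress

PAD, END = 0, 255
OPT_CISCO_TFTP = 150  # option 150: one or more TFTP server IPv4 addresses, 4 bytes each


def parse_dhcp_options(blob):
    """Decode a DHCP options field (the bytes after the magic cookie) into {code: bytes}."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:                      # single-byte padding, no length field
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = options.get(code, b"") + value   # repeated codes are concatenated
        i += 2 + length
    return options


def tftp_servers(options):
    """Return the IPv4 addresses carried in option 150 (empty list if the option is absent)."""
    raw = options.get(OPT_CISCO_TFTP)
    if raw is None:
        return []
    if not raw or len(raw) % 4:
        raise ValueError("option 150 must hold whole IPv4 addresses")
    return [ipaddress.IPv4Address(raw[n:n + 4]) for n in range(0, len(raw), 4)]


def check_offer(blob, approved):
    """Return (servers as strings, findings) for one DHCP options field."""
    try:
        servers = tftp_servers(parse_dhcp_options(blob))
    except ValueError as exc:
        return [], [f"malformed options: {exc}"]
    findings = []
    if not servers:
        findings.append("option 150 is absent")
    findings += [f"option 150 lists unapproved TFTP server {s}"
                 for s in servers if s not in approved]
    return [str(s) for s in servers], findings


# Constructed sample data. Option 53 with value 2 marks the message as a DHCPOFFER.
APPROVED = {ipaddress.IPv4Address("10.10.20.5"), ipaddress.IPv4Address("10.10.20.6")}
GOOD_OFFER = bytes([53, 1, 2, 150, 8, 10, 10, 20, 5, 10, 10, 20, 6, 255])
WRONG_SERVER = bytes([53, 1, 2, 150, 4, 192, 0, 2, 77, 255])
NO_OPTION_150 = bytes([53, 1, 2, 0, 0, 255])
TRUNCATED = bytes([53, 1, 2, 150, 8, 10, 10, 20, 5, 255])

if __name__ == "__main__":
    for label, blob in [("good", GOOD_OFFER), ("wrong server", WRONG_SERVER),
                        ("no option 150", NO_OPTION_150), ("truncated", TRUNCATED)]:
        print(label, check_offer(blob, APPROVED))
```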


Related Topics

Understanding Interactions with Other Cisco Unified Communications Products

Understanding the Phone Startup Process

Network Configuration Menu

IPv6 Support on Cisco Unified IP Phones

The Cisco Unified IP Phone uses the Internet Protocol to provide voice communication over the network. Before Cisco Unified Communications Manager release 7.1, only Internet Protocol version 4 (IPv4) was supported. However, because IPv4 uses a 32-bit address, it cannot meet the increased demand for unique IP addresses for all devices that can connect to the Internet. Therefore, Internet Protocol version 6 (IPv6), an updated version of the current Internet Protocol, IPv4, is now supported. IPv6 uses a 128-bit address and provides end-to-end security capabilities, enhanced Quality of Service (QoS), and an increased number of available IP addresses.

The Cisco Unified IP Phone supports IPv4 only addressing mode, IPv6 only addressing mode, as well as an IPv4/IPv6 dual stack addressing mode. In IPv4, you can enter each octet of the IP address on the phone in dotted decimal notation; for example, 192.240.22.5. In IPv6, you can enter each octet of the IP address in hexadecimal notation with each octet separated by a colon; for example, 2005:db8:0:1:ef8:9876:ba72:dc9a. The phone truncates and removes leading zeros when it displays the IPv6 address.

Cisco Unified IP Phones support both IPv4 and IPv6 addresses transparently, so users can handle all calls on the phone in the way to which they are accustomed. Cisco Unified IP Phones support the use of IPv6 only with Cisco Unified Communications Manager release 7.1 and only with the Skinny Call Control Protocol (SCCP).

Cisco Unified IP Phones do not support URLs with IPv6 addresses in the URL. This affects all IP Phone Service URLs, including services, directories, messages, help, and any restricted web services that require the phone to use the HTTP protocol to validate the credentials with the Authentication URL. If you configure Cisco Unified IP Phone services for Cisco Unified IP Phones, you must configure the phone and the servers that support the phone service with IPv4 addresses.

If you configure IPv6 Only as the IP Addressing Mode for phones that are running SIP, the Cisco TFTP service overrides the IP Addressing Mode configuration and uses IPv4 Only in the configuration file.
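
The IPv6 restrictions above can be checked before a phone is provisioned. The following Python sketch is an added example, not part of the Cisco guide: it flags service URLs whose host is an IPv6 literal and reports the addressing mode that results for a phone. The plan dictionaries, their key names, and the URLs are hypothetical, constructed for illustration; a DNS name that resolves only to IPv6 is not detected by this offline check.

```python
import ipaddress
from urllib.parse import urlsplit


def ipv6_literal(url):
    """Return the IPv6 address used as the host part of url, or None."""
    host = urlsplit(url).hostname          # brackets around an IPv6 literal are stripped
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                        # a DNS name, not an address literal
    return addr if addr.version == 6 else None


def check_phone_plan(plan):
    """Return (effective addressing mode, findings) for one planned phone."""
    findings = []
    mode = effective = plan["addressing_mode"]
    if plan["protocol"] == "SIP" and mode == "IPv6 Only":
        # Per the page, Cisco TFTP overrides the setting for phones running SIP.
        effective = "IPv4 Only"
        findings.append("SIP with IPv6 Only: Cisco TFTP writes IPv4 Only into the configuration file")
    elif plan["protocol"] == "SIP" and mode == "IPv4 and IPv6":
        findings.append("SIP with IPv4 and IPv6: IPv6 is supported only with SCCP")
    for name, url in plan["service_urls"].items():
        addr = ipv6_literal(url)
        if addr is not None:
            findings.append(f"{name} URL uses IPv6 literal {addr}; configure an IPv4 address")
    if plan["service_urls"] and effective == "IPv6 Only":
        findings.append("phone services are configured, so the phone needs an IPv4 address")
    return effective, findings


# Constructed sample plans (hypothetical hosts and paths).
DUAL_STACK_SCCP = {
    "protocol": "SCCP",
    "addressing_mode": "IPv4 and IPv6",
    "service_urls": {
        "services": "http://192.0.2.10:8080/services/menu",
        "authentication": "http://[2001:db8::10]:8080/auth",
    },
}
SIP_V6_ONLY = {"protocol": "SIP", "addressing_mode": "IPv6 Only", "service_urls": {}}
SCCP_V6_ONLY = {
    "protocol": "SCCP",
    "addressing_mode": "IPv6 Only",
    "service_urls": {"directories": "http://dir.example.test/lookup"},
}

if __name__ == "__main__":
    for plan in (DUAL_STACK_SCCP, SIP_V6_ONLY, SCCP_V6_ONLY):
        print(check_phone_plan(plan))
```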

For more information on deploying IPv6 in your Cisco Unified Communications network, refer to Internet Protocol Version 6 (IPv6) in Cisco Unified Communications Manager Features and Services Guide and Deploying IPv6 in Unified Communications Networks with Cisco Unified Communications Manager.

What Features are Supported?

Cisco Unified IP Phones 7906G and 7911G function much like traditional analog phones, allowing you to place and receive phone calls. In addition to traditional telephony features, each Cisco Unified IP Phone includes features that enable you to administer and monitor the phone as a network device.

This section includes the following topics:

Feature Overview

Configuring Telephony Features

Configuring Network Parameters Using the Cisco Unified IP Phone

Providing Users with Feature Information

Feature Overview

Cisco Unified IP Phones provide core business features, such as call forwarding and transferring, redialing, speed dialing, conference calling, and voice messaging system access. Cisco Unified IP phones also provide a variety of other features. For an overview of the telephony features that the Cisco Unified IP Phone supports, see Telephony Features Available for the Cisco Unified IP Phone.

As with other network devices, you must configure Cisco Unified IP Phones to prepare them to access Cisco Unified Communications Manager and the rest of the IP network. Using DHCP, you have fewer settings to configure on a phone, but if your network requires it, you can manually configure an IP address, TFTP server, subnet information, etc. For instructions on configuring the network settings on the Cisco Unified IP Phones, see Configuring Settings on the Cisco Unified IP Phone.

Cisco Unified IP Phones can interact with other services and devices on your IP network to provide enhanced functionality. For example, you can integrate Cisco Unified Communications Manager with the corporate Lightweight Directory Access Protocol 3 (LDAP3) standard directory to enable users to search for co-workers' contact information directly from their IP phones. You can also use XML to enable users to access information such as weather, stocks, quote of the day, and other web-based information. For information about configuring such services, see Configuring Corporate and Personal Directories and Setting Up Services.

Finally, because the Cisco Unified IP Phone is a network device, you can obtain detailed status information from it directly. This information can assist you with troubleshooting any problems users might encounter when using their IP phones. See Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone, for more information.

Related Topics

Configuring Settings on the Cisco Unified IP Phone

Configuring Features, Templates, Services, and Users

Troubleshooting and Maintenance

Configuring Telephony Features

You can modify certain settings for the Cisco Unified IP Phone from the Cisco Unified Communications Manager Administration application. Use this web-based application to set up phone registration criteria and calling search spaces, to configure corporate directories and services, and to modify phone button templates, among other tasks. See Telephony Features Available for the Cisco Unified IP Phone and Cisco Unified Communications Manager Administration Guide for additional information.

For more information about the Cisco Unified Communications Manager Administration application, refer to Cisco Unified Communications Manager documentation, including Cisco Unified Communications Manager System Guide. You can also use the context-sensitive help available within the application for guidance.

You can access Cisco Unified Communications Manager documentation at this location:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

You can access Cisco Unified Communications Manager Business Edition documentation at this location:

http://www.cisco.com/en/US/products/ps7273/tsd_products_support_series_home.html

Related Topic

Telephony Features Available for the Cisco Unified IP Phone

Configuring Network Parameters Using the Cisco Unified IP Phone

You can configure parameters such as DHCP, TFTP, and IP settings on the phone itself. You can also obtain statistics about a call or firmware versions on the phone.

For more information about configuring features and viewing statistics from the phone, see Configuring Settings on the Cisco Unified IP Phone and Viewing Model Information, Status, and Statistics on the Cisco Unified IP Phone.

Providing Users with Feature Information

If you are a system administrator, you are likely the primary source of information for Cisco Unified IP Phone users in your network or company. To ensure that you distribute the most current feature and procedural information, familiarize yourself with Cisco Unified IP Phone documentation. Make sure to visit the Cisco Unified IP Phone web site:

http://www.cisco.com/en/US/products/hw/phones/ps379/tsd_products_support_series_home.html

From this site, you can view and order various user guides, including wallet cards. For complete ordering information, see Document Conventions.

In addition to providing users with documentation, it is important to inform them of available Cisco Unified IP Phone features—including features specific to your company or network—and of how to access and customize those features, if appropriate.

For a summary of some of the key information that phone users need their system administrators to provide, see "Providing Information to Users."

Understanding Security Features for Cisco Unified IP Phones

Implementing security in the Cisco Unified Communications Manager system prevents identity theft of the phone and Cisco Unified Communications Manager server, prevents data tampering, and prevents call signaling and media stream tampering.

To alleviate these threats, the Cisco Unified Communications network establishes and maintains authenticated and encrypted communication streams between a phone and the server, digitally signs files before they are transferred to a phone, and encrypts media streams between Cisco Unified IP phones.

If you configure security-related settings in Cisco Unified Communications Manager Administration, the phone configuration file will contain sensitive information. To ensure the privacy of a configuration file, you must configure it for encryption. For detailed information, refer to Configuring Encrypted Phone Configuration Files in Cisco Unified Communications Manager Security Guide.

Table 1-3 shows where you can find additional information about security in this and other documents.

Table 1-3 Cisco Unified IP Phone Security Topics 

Topic: Detailed explanation of security, including set up, configuration, and troubleshooting information for Cisco Unified Communications Manager and Cisco Unified IP Phones
Reference: Refer to the Troubleshooting Guide for Cisco Unified Communications Manager.

Topic: Security features supported on the Cisco Unified IP Phone
Reference: See Overview of Supported Security Features.

Topic: Restrictions regarding security features
Reference: See Security Restrictions.

Topic: Identifying phone calls for which security is implemented
Reference: See Identifying Authenticated, Encrypted and Protected Phone Calls.

Topic: Transport Layer Security (TLS) connection
Reference: See What Networking Protocols are Used?. See Understanding Phone Configuration Files.

Topic: 802.1X authentication for Cisco Unified IP Phones
Reference: See these sections: Supporting 802.1X Authentication on Cisco Unified IP Phones; Security Configuration Menu; 802.1X Authentication and Status; Troubleshooting Cisco Unified IP Phone Security.

Topic: Security and the phone startup process
Reference: See Understanding the Phone Startup Process.

Topic: Security and phone configuration files
Reference: See Understanding Phone Configuration Files.

Topic: Changing the TFTP Server 1 or TFTP Server 2 option on the phone when security is implemented
Reference: See Network Configuration Menu.

Topic: Understanding security icons in the Communications Manager 1 through Communications Manager 5 options in the Device Configuration Menu on the phone
Reference: See Unified CM Configuration Menu.

Topic: Items on the Security Configuration menu that you access from the Device Configuration menu on the phone
Reference: See Security Configuration Menu.

Topic: Items on the Security Configuration menu that you access from the Settings menu on the phone
Reference: See Security Configuration Menu.

Topic: Unlocking the Certificate Trust List (CTL) and Identity Trust List (ITL) files
Reference: See Unlocking the CTL and ITL files.

Topic: Disabling access to a phone's web pages
Reference: See Disabling and Enabling Web Page Access.

Topic: Deleting the CTL and ITL files from the phone
Reference: See Resetting or Restoring the Cisco Unified IP Phone.

Topic: Resetting or restoring the phone
Reference: See Resetting or Restoring the Cisco Unified IP Phone.

Topic: Extension Mobility HTTPS Support
Reference: See What Networking Protocols are Used?.

Topic: 802.1X Authentication for Cisco Unified IP Phones
Reference: See these sections: Supporting 802.1X Authentication on Cisco Unified IP Phones; 802.1X Authentication and Status; Troubleshooting Cisco Unified IP Phone Security; Trust List Menu.


Overview of Supported Security Features

This section provides an overview of the security features that the phone supports. For more information about these features and about Cisco Unified Communications Manager and Cisco Unified IP Phone security, refer to Cisco Unified Communications Manager Security Guide.

For information about current security settings on a phone, look at the Security Configuration menus (press the Applications Menu button and choose Settings > Security Configuration or Settings > Device Configuration > Security Configuration). For more information, see Configuring Settings on the Cisco Unified IP Phone.


Note: Most security features are available only if a CTL or ITL file or both are installed on the phone. For more information about the CTL and ITL files, refer to Cisco Unified Communications Manager Security Guide.


Table 1-4 Overview of Security Features 

Feature: Image authentication
Description: Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image.

Feature: 802.1X Authentication
Description: The Cisco Unified IP Phone can use 802.1X authentication to request and gain access to the network. See Supporting 802.1X Authentication on Cisco Unified IP Phones for more information.

Feature: Customer-site certificate installation
Description: Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified Communications Manager Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a Locally Significant Certificate (LSC) from the Security Configuration menu on the phone. See Configuring Security on the Cisco Unified IP Phone for more information.

Feature: Device authentication
Description: Occurs between the Cisco Unified Communications Manager server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified Communications Manager should occur, and, if necessary, creates a secure signaling path between the entities by using transport layer security (TLS) protocol. Cisco Unified Communications Manager does not register phones configured in authenticated or encrypted mode unless they can be authenticated by the Cisco Unified Communications Manager.

Feature: File authentication
Description: Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing.

Feature: Signaling Authentication
Description: Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

Feature: Manufacturing installed certificate
Description: Each Cisco Unified IP Phone 7906G and 7911G contains a unique MIC, which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified Communications Manager to authenticate the phone.

Feature: Secure SRST reference
Description: After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified Communications Manager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router.

Feature: Media encryption
Description: Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Feature: Signaling Encryption
Description: Ensures that all SCCP and SIP signaling messages that are sent between the device and the Cisco Unified Communications Manager server are encrypted.

Feature: CAPF (Certificate Authority Proxy Function)
Description: Implements parts of the certificate generation procedure that are too processing-intensive for the phone, and interacts with the phone for key generation and certificate installation. The CAPF can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally.

Feature: Optional disabling of the web server functionality for a phone
Description: You can prevent access to a phone's web page, which displays a variety of operational statistics for the phone.

Feature: Phone hardening
Description: Additional security options, which you control from Cisco Unified Communications Manager Administration:

Disabling PC port (applies to 7911G only)

Disabling Gratuitous Address Resolution Protocol (GARP)

Disabling PC Voice VLAN access (applies to 7911G only)

Disabling access to the Settings menus, or providing restricted access that allows access to the User Preferences menu and saving volume changes only

Disabling access to web pages for a phone

Note: You can view current settings for the PC Port Disabled, GARP Enabled, and Voice VLAN enabled options by looking at the phone's Security Configuration menu. For more information, see Device Configuration Menu.
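
The phone hardening options in Table 1-4, together with the configuration file encryption requirement, the CTL/ITL note, and the 802.1X recommendation to disable the PC port, can be checked across a phone inventory. The following Python sketch is an added example, not part of the Cisco guide and not a Cisco Unified Communications Manager export format: the field names, device names, and the policy baseline (every hardening option applied) are assumptions, and the inventory is constructed sample data.

```python
PC_PORT_MODELS = {"7911G"}                     # per the page, PC port options apply to the 7911G only
SECURE_MODES = {"authenticated", "encrypted"}  # security profile values other than "nonsecure"
LOCKED_SETTINGS = {"disabled", "restricted"}   # assumed baseline for Settings menu access


def audit_phone(phone):
    """Return the list of deviations from the assumed hardening baseline for one phone."""
    findings = []
    if phone["security_mode"] in SECURE_MODES:
        # Security-related settings put sensitive data in the configuration file.
        if not phone["config_encrypted"]:
            findings.append("configuration file is not encrypted")
        # Most security features need a CTL or ITL file on the phone.
        if not phone["trust_list_installed"]:
            findings.append("no CTL or ITL file is installed")
    if phone["garp_enabled"]:
        findings.append("GARP is enabled")
    if phone["web_access_enabled"]:
        findings.append("web page access is enabled")
    if phone["settings_access"] not in LOCKED_SETTINGS:
        findings.append("Settings menus are unrestricted")
    if phone["model"] in PC_PORT_MODELS:
        if phone["voice_vlan_enabled"]:
            findings.append("PC Voice VLAN access is enabled")
        if not phone["pc_port_disabled"]:
            if phone["dot1x_enabled"]:
                findings.append("802.1X is enabled but the PC port is not disabled")
            elif not phone["pc_expected"]:
                findings.append("PC port is enabled with no PC attached")
    return findings


def audit_inventory(phones):
    """Map each phone name to its findings, omitting phones that meet the baseline."""
    report = {}
    for phone in phones:
        findings = audit_phone(phone)
        if findings:
            report[phone["name"]] = findings
    return report


# Hypothetical fully hardened record; each sample phone overrides what differs.
BASELINE = {
    "security_mode": "encrypted", "config_encrypted": True, "trust_list_installed": True,
    "dot1x_enabled": False, "garp_enabled": False, "web_access_enabled": False,
    "settings_access": "restricted", "pc_port_disabled": True,
    "voice_vlan_enabled": False, "pc_expected": False,
}

# Constructed inventory (device names are made up).
INVENTORY = [
    {**BASELINE, "name": "SEP-LOBBY-01", "model": "7906G", "security_mode": "nonsecure",
     "config_encrypted": False, "trust_list_installed": False},
    {**BASELINE, "name": "SEP-WAREHOUSE-07", "model": "7911G", "config_encrypted": False,
     "dot1x_enabled": True, "garp_enabled": True, "web_access_enabled": True,
     "settings_access": "enabled", "pc_port_disabled": False,
     "voice_vlan_enabled": True, "pc_expected": True},
    {**BASELINE, "name": "SEP-CLASSROOM-03", "model": "7911G", "security_mode": "authenticated",
     "trust_list_installed": False, "pc_port_disabled": False},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```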


Related Topics

Identifying Authenticated, Encrypted and Protected Phone Calls

Supporting 802.1X Authentication on Cisco Unified IP Phones

Security Restrictions

Device Configuration Menu

Understanding Security Profiles

All Cisco Unified IP Phones that support Cisco Unified Communications Manager 5.0 and later use a security profile, which defines whether the phone is nonsecure, authenticated, or encrypted. For information about configuring the security profile and applying the profile to the phone, refer to the Cisco Unified Communications Manager Security Guide.

To view the security mode that is set for the phone, look at the Security Mode setting in the Security Configuration menu. For more information, see Security Configuration Menu.

Related Topics

Identifying Authenticated, Encrypted and Protected Phone Calls

Security Restrictions

Identifying Authenticated, Encrypted and Protected Phone Calls

When security is implemented for a phone, you can identify authenticated or encrypted phone calls by icons on the LCD screen on the phone. You can also determine if the connected phone is secure and protected if a security tone plays at the beginning of the call.

In an authenticated call, all devices participating in the establishment of the call are trusted devices, and authenticated by Cisco Unified Communications Manager. When a call in progress is authenticated end-to-end, the call progress icon to the right of the call duration timer in the phone LCD screen changes to the following icon:

In an encrypted call, all devices participating in the establishment of the call are trusted devices, and authenticated by the Cisco Unified Communications Manager. In addition, call signaling and media streams are encrypted. An encrypted call offers a high level of security, providing integrity and privacy to the call. When a call in progress is being encrypted, the call progress icon to the right of the call duration timer in the phone LCD screen changes to the following icon:


Note If the call is routed through a non-IP call leg, for example, PSTN, the call will be nonsecure even though it is encrypted within the IP network and has a lock icon associated with it.


In a protected call, a security tone plays at the beginning of a call to indicate that the other connected phone is also receiving and transmitting encrypted audio and video (if video is involved). If your call is connected to a non-protected phone, the security tone does not play.


Note Protected calling is supported for connections between two phones only. Some features, such as conference calling, shared lines, Extension Mobility, and Join Across Lines are not available when protected calling is configured. Protected calls are not authenticated.


Related Topics

Understanding Security Features for Cisco Unified IP Phones

Supporting 802.1X Authentication on Cisco Unified IP Phones

Security Restrictions

Establishing and Identifying Secure Conference Calls

You can initiate a secure conference call and monitor the security level of participants. A secure conference call is established using this process:

1. A user initiates the conference from a secure phone (encrypted or authenticated security mode).

2. Cisco Unified Communications Manager assigns a secure conference bridge to the call.

3. As participants are added, Cisco Unified Communications Manager verifies the security mode of each phone (encrypted or authenticated) and maintains the secure level for the conference.

4. The phone displays the security level of the conference call. A secure conference displays the (encrypted) or (authenticated) icon to the right of "Conference" on the phone screen. If icon displays, the conference is not secure.


Note There are interactions, restrictions, and limitations that affect the security level of the conference call depending on the security mode of the participant's phones and the availability of secure conference bridges. See Table 1-5 and Table 1-6 for information about these interactions.


Establishing and Identifying Protected Calls

A protected call is established when your phone and the phone on the other end are both configured for protected calling. The other phone can be in the same Cisco IP network, or on a network outside the IP network. Protected calls can only be made between two phones. Conference calls and other multiple-line calls are not supported.

A protected call is established using this process:

1. A user initiates the call from a protected phone (protected security mode).

2. The phone displays the icon (encrypted) on the phone screen. This icon indicates that the phone is configured for secure (encrypted) calls, but this does not mean that the other connected phone is also protected.

3. A security tone plays if the call is connected to another protected phone, indicating that both ends of the conversation are encrypted and protected. If the call is connected to a non-protected phone, then the secure tone is not played.


Note Protected calling is supported for conversations between two phones. Some features, such as conference calling, shared lines, Cisco Extension Mobility, and Join Across Lines are not available when protected calling is configured.


Call Security Interactions and Restrictions

Cisco Unified Communications Manager checks the phone security status when conferences are established, and either changes the security indication for the conference or blocks the completion of the call to maintain integrity and security in the system. Table 1-5 provides information about changes to call security levels when using Barge.

Table 1-5 Call Security Interactions When Using Barge

| Initiator's Phone Security Level | Feature Used | Call Security Level | Results of Action |
|---|---|---|---|
| Non-secure | Barge | Encrypted call | Call barged and identified as non-secure call |
| Secure (encrypted) | Barge | Authenticated call | Call barged and identified as authenticated call |
| Secure (authenticated) | Barge | Encrypted call | Call barged and identified as authenticated call |
| Non-secure | Barge | Authenticated call | Call barged and identified as non-secure call |

Table 1-6 provides information about changes to conference security levels depending on the initiator's phone security level, the security levels of participants, and the availability of secure conference bridges.

Table 1-6 Security Restrictions with Conference Calls

| Initiator's Phone Security Level | Feature Used | Security Level of Participants | Results of Action |
|---|---|---|---|
| Non-secure | Conference | Encrypted or authenticated | Non-secure conference bridge. Non-secure conference. |
| Secure (encrypted or authenticated) | Conference | At least one member is non-secure | Secure conference bridge. Non-secure conference. |
| Secure (encrypted) | Conference | All participants are encrypted | Secure conference bridge. Secure encrypted level conference. |
| Secure (authenticated) | Conference | All participants are encrypted or authenticated | Secure conference bridge. Secure authenticated level conference. |
| Non-secure | Conference | Encrypted or authenticated | Only secure conference bridge is available and used. Non-secure conference. |
| Secure (encrypted or authenticated) | Conference | Encrypted or authenticated | Only non-secure conference bridge is available and used. Non-secure conference. |
| Secure (encrypted or authenticated) | Conference | Secure or encrypted | Conference remains secure. When one participant tries to Hold the call with MOH, the MOH does not play. |
| Secure (encrypted) | Join | Encrypted or authenticated | Secure conference bridge. Conference remains secure (encrypted or authenticated). |
| Non-secure | cBarge | All participants are encrypted | Secure conference bridge. Conference changes to non-secure. |
| Non-secure | MeetMe | Minimum security level is encrypted | Initiator receives message "Does not meet Security Level", call rejected. |
| Secure (encrypted) | MeetMe | Minimum security level is authenticated | Secure conference bridge. Conference accepts encrypted and authenticated calls. |
| Secure (encrypted) | MeetMe | Minimum security level is non-secure | Only secure conference bridge available and used. Conference accepts all calls. |
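The rows of Table 1-5 and Table 1-6 follow a weakest-link pattern: the indicated level is the lowest level among the bridge and the participating phones. The following added example (not Cisco code, and not a description of how Cisco Unified Communications Manager is implemented) models that pattern so an administrator can predict the indication for a planned call; the names Level, Conference, Rejected and barge_result are hypothetical.

```python
from enum import IntEnum


class Level(IntEnum):
    """Phone security modes, ordered from weakest to strongest."""
    NON_SECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2


class Rejected(Exception):
    """Raised when a caller is below a MeetMe minimum security level."""


def barge_result(initiator, call):
    """Table 1-5: a barged call is identified at the lower of the two levels."""
    return min(initiator, call)


class Conference:
    """Model of Table 1-6: indication = weakest of bridge and participants."""

    def __init__(self, initiator, secure_bridge, meetme_minimum=None):
        self.secure_bridge = secure_bridge   # False: non-secure bridge in use
        self.minimum = meetme_minimum        # None: not a MeetMe conference
        self.members = []
        self.add(initiator)

    def add(self, level):
        """Add a participant and return the resulting conference level."""
        if self.minimum is not None and level < self.minimum:
            raise Rejected("Does not meet Security Level")
        self.members.append(level)
        return self.level

    @property
    def level(self):
        if not self.secure_bridge:
            return Level.NON_SECURE          # a non-secure bridge caps the call
        return min(self.members)


if __name__ == "__main__":
    conf = Conference(Level.ENCRYPTED, secure_bridge=True)
    for joiner in (Level.ENCRYPTED, Level.AUTHENTICATED, Level.NON_SECURE):
        print(f"{joiner.name} joins -> conference is {conf.add(joiner).name}")
```
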


Supporting 802.1X Authentication on Cisco Unified IP Phones

These sections provide information about 802.1X support on the Cisco Unified IP Phones:

Overview

Required Network Components

Best Practices—Requirements and Recommendations

Overview

Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery Protocol (CDP) to identify each other and to determine parameters such as VLAN allocation and inline power requirements. However, CDP is not used to identify any locally attached PCs; therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC locally attached to the IP phone may pass through EAPOL messages to the 802.1X authenticator in the LAN switch. This capability prevents the IP phone from having to act as the authenticator, yet allows the LAN switch to authenticate a data end point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a proxy EAPOL-Logoff mechanism. If the locally attached PC is disconnected from the IP phone, the LAN switch would not see the physical link fail, because the link between the LAN switch and the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN switch to clear the authentication entry for the downstream PC.

The Cisco Unified IP phones contain an 802.1X supplicant in addition to the EAPOL pass-through mechanism. This supplicant allows network administrators to control the connectivity of IP phones to the LAN switch ports. The current release of the phone 802.1X supplicant uses the EAP-FAST, EAP-TLS, and EAP-MD5 options for network authentication.
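The effect of the proxy EAPOL-Logoff described above can be seen in the switch's per-device session state. The following added example (not from the Cisco guide) parses EAPOL frames and models an authenticator port's session table for a phone with a PC attached. The MAC addresses, the abbreviated login exchange, and the use of the PC's MAC address as the source of the proxy Logoff are assumptions made for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 43: "EAP-FAST"}
# Constructed, locally administered MAC addresses (not from the guide).
SWITCH, PHONE, PC = (bytes.fromhex("0200000000" + n) for n in ("01", "10", "20"))


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame):
    """Parse an untagged Ethernet frame; return a dict, or None if not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]          # drops Ethernet padding after the body
    if len(body) < body_len:
        raise ValueError("truncated EAPOL body")
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:                          # EAP-Packet: decode the EAP header
        if body_len < 4:
            raise ValueError("EAP header too short")
        info["eap_code"] = EAP_CODES.get(body[0], f"unknown({body[0]})")
        if body[0] in (1, 2) and body_len >= 5:   # Request/Response have a type
            info["eap_method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
    return info


class PortSessions:
    """Toy per-MAC session table for one multi-domain authenticator port."""

    def __init__(self):
        self.authorized = set()

    def feed(self, frame):
        info = parse_eapol(frame)
        if info is None:
            return None
        if info.get("eap_code") == "Success":
            self.authorized.add(info["dst"])        # switch -> supplicant
        elif info["type"] == "EAPOL-Logoff":
            self.authorized.discard(info["src"])    # clears that MAC's entry
        return info


def eapol(dst, src, ptype, body=b""):
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body))
    return dst + src + header + body


def eap(code, ident, method=None, data=b""):
    payload = (bytes([method]) if method is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def login(src):
    """Constructed, abbreviated exchange; the EAP method rounds are omitted."""
    return [eapol(PAE_GROUP, src, 1),                       # EAPOL-Start
            eapol(src, SWITCH, 0, eap(1, 1, 1)),            # Request/Identity
            eapol(PAE_GROUP, src, 0, eap(2, 1, 1, b"id")),  # Response/Identity
            eapol(src, SWITCH, 0, eap(3, 2))]               # Success


def run(proxy_logoff):
    """Phone and PC authenticate, then the PC is unplugged from the phone."""
    port = PortSessions()
    frames = login(PHONE) + login(PC)
    if proxy_logoff:
        # Assumption: the phone's proxy Logoff carries the PC's MAC as source.
        frames.append(eapol(PAE_GROUP, PC, 2))
    for frame in frames:
        port.feed(frame)
    return sorted(port.authorized)


if __name__ == "__main__":
    print("with proxy Logoff:", run(True), "without:", run(False))
```

Without the Logoff frame, the PC's entry remains authorized on the port after the PC is gone, which is the stale state the proxy mechanism is there to clear.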

Required Network Components

Support for 802.1X authentication on Cisco Unified IP Phones requires several components, including:

Cisco Unified IP Phone—The phone acts as the 802.1X supplicant, which initiates the request to access the network.

Cisco Secure Access Control Server (ACS) (or other third-party authentication server)—The authentication server and the phone must both be configured with a shared secret that is used to authenticate the phone.

Cisco Catalyst Switch (or other third-party switch)—The switch must support 802.1X so it can act as the authenticator and pass the messages between the phone and the authentication server. When the exchange is completed, the switch grants or denies the phone access to the network.

Best Practices—Requirements and Recommendations

Enable 802.1X Authentication—If you want to use the 802.1X standard to authenticate Cisco Unified IP Phones, make sure that you have properly configured the other components before enabling it on the phone. See 802.1X Authentication and Status for more information.

Configure PC Port—The 802.1X standard does not take into account the use of VLANs and thus recommends that only a single device be authenticated to a specific switch port. However, some switches (including Cisco Catalyst switches) support multi-domain authentication. The switch configuration determines whether you can connect a PC to the phone PC port.

Enabled—If you are using a switch that supports multi-domain authentication, you can enable the PC port and connect a PC to it. In this case, Cisco Unified IP Phones support proxy EAPOL-Logoff to monitor the authentication exchanges between the switch and the attached PC. For more information about IEEE 802.1X support on the Cisco Catalyst switches, refer to the Cisco Catalyst switch configuration guides at:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Disabled—If the switch does not support multiple 802.1X-compliant devices on the same port, you should disable the PC Port when 802.1X authentication is enabled. See Security Configuration Menu for more information. If you do not disable this port and subsequently attempt to attach a PC to it, the switch will deny network access to both the phone and the PC.

Configure Voice VLAN—Because the 802.1X standard does not account for VLANs, you should configure this setting based on the switch support.

Enabled—If you are using a switch that supports multi-domain authentication, you can continue to use the voice VLAN.

Disabled—If the switch does not support multi-domain authentication, disable the Voice VLAN and consider assigning the port to the native VLAN. See Security Configuration Menu for more information.

Enter MD5 Shared Secret—If you disable 802.1X authentication or perform a factory reset on the phone, the previously configured MD5 shared secret is deleted. See 802.1X Authentication and Status for more information.

Security Restrictions

A user cannot barge into an encrypted call if the phone that is used to barge is not configured for encryption. When barge fails in this case, a reorder tone (fast busy tone) plays on the barge initiator's phone.

If the initiator phone is configured for encryption, the barge initiator can barge into an authenticated or nonsecure call from the encrypted phone. After the barge occurs, Cisco Unified Communications Manager classifies the call as nonsecure.

If the initiator phone is configured for encryption, the barge initiator can barge into an encrypted call, and the phone indicates that the call is encrypted.

A user can barge into an authenticated call, even if the phone that is used to barge is nonsecure. The authentication icon continues to appear on the authenticated devices in the call, even if the initiator phone does not support security.

Overview of Configuring and Installing Cisco Unified IP Phones

When deploying a new Unified Communications system, system administrators and network administrators must complete several initial configuration tasks to prepare the network for Unified Communications service. For information and a checklist for setting up and configuring a complete Cisco Unified Communications network, refer to System Configuration Overview in the Cisco Unified Communications Manager System Guide.

After you have set up the Unified Communications system and configured system-wide features in Cisco Unified Communications Manager, you can add IP phones to the system.

The following topics provide an overview of procedures for adding Cisco Unified IP Phones to your network:

Configuring Cisco Unified IP Phones in Cisco Unified Communications Manager

Installing Cisco Unified IP Phones

Configuring Cisco Unified IP Phones in Cisco Unified Communications Manager

To add phones to the Cisco Unified Communications Manager database, you can use:

Auto-registration

Cisco Unified Communications Manager Administration

Bulk Administration Tool (BAT)

BAT and the Tool for Auto-Registered Phones Support (TAPS)

For more information about these choices, see Adding Phones to the Cisco Unified Communications Manager Database.

For general information about configuring phones in Cisco Unified Communications Manager, refer to the following documentation:

Cisco Unified IP Phone, Cisco Unified Communications Manager System Guide

Configuring Cisco Unified IP Phone Configuration, Cisco Unified Communications Manager Administration Guide

Autoregistration, Cisco Unified Communications Manager Administration Guide

Cisco Unified Communications Manager Bulk Administration Guide

Checklist for Configuring the Cisco Unified IP Phones 7906G and 7911G in Cisco Unified Communications Manager

Table 1-7 provides an overview and checklist of configuration tasks for the Cisco Unified IP Phones 7906G and 7911G in Cisco Unified Communications Manager. The list presents tasks in a suggested order to guide you through the phone configuration process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, refer to the sources in the list.

Table 1-7 Checklist for Configuring the Cisco Unified IP Phones 7906G and 7911G in Cisco Unified Communications Manager 

Task
Purpose
For More Information

1.

Gather the following information about the phone:

Phone Model

MAC address

Physical location of the phone

Name or user ID of phone user

Device pool

Calling search space and location information (if used)

Number of lines, associated directory numbers (DNs), and partitions to assign to the phone

Cisco Unified Communications Manager user to associate with the phone

Phone usage information that affects phone button template, softkey template, phone features, IP Phone services, or phone applications

Provides list of configuration requirements for setting up phones.

Identifies preliminary configuration that you need to perform before configuring individual phones, such as phone button templates or softkey templates.

Refer to the Cisco Unified Communications Manager System Guide, Cisco Unified IP Phone.

See Telephony Features Available for the Cisco Unified IP Phone.

2.

Customize phone button templates (if required).

Adds Privacy feature to meet user needs.

Refer to the Cisco Unified Communications Manager Administration Guide, Phone Button Template Configuration.

See Modifying Phone Button Templates.

3.

Add and configure the phone by completing these required fields in the Phone Configuration window:

Phone type

MAC address

Device pool

Button template

Product Specific Configuration

Softkey template (if customized)

Adds the device with its default settings to the Cisco Unified Communications Manager database.

Refer to the Cisco Unified Communications Manager Administration Guide, Cisco Unified IP Phone Configuration chapter.

For information about Product Specific Configuration fields, refer to ? Button Help in the Phone Configuration window.

Note If you want to add both the phone and user to the Cisco Unified Communications Manager database at the same time, refer to Cisco Unified Communications Manager Administration Guide, User/Phone Configurations.

4.

Add and configure the directory number on the phone by completing these required fields in the Directory Number Configuration window.

Directory number

Multiple Calls and Call Waiting

Call Forwarding and Pickup (if used)

Voice Messaging (if used)

Adds primary and secondary directory numbers and features associated with directory numbers to the phone.

Refer to the Cisco Unified Communications Manager Administration Guide:

Directory Number Configuration

See Telephony Features Available for the Cisco Unified IP Phone.

5.

Customize softkey templates (optional).

Adds, deletes, or changes order of softkey features that display on the user's phone to meet feature usage needs.

Refer to the Cisco Unified Communications Manager Administration Guide, Softkey Template Configuration.

See Configuring Softkey Templates.

6.

Configure speed-dial buttons and assign speed-dial numbers (optional).

Adds speed-dial numbers.

Note Users can change speed-dial settings on their phones with Cisco Unified CM User Options.

Refer to the Cisco Unified Communications Manager Administration Guide, Cisco Unified IP Phone Configuration chapter, Configuring Speed-Dial Buttons section.

7.

Configure Cisco Unified IP Phone services and assign services (optional).

Provides IP Phone services.

Note Users can add or change services on their phones by using the Cisco Unified CM User Options.

Refer to the Cisco Unified Communications Manager Administration Guide, Cisco Unified IP Phone Services Configuration chapter.

See Setting Up Services.

8.

Assign services to phone buttons (optional).

Provides single button access to an IP phone service or URL.

Refer to Cisco Unified Communications Manager Administration Guide, Cisco Unified IP Phone Configuration, Adding a Cisco Unified IP Phone Service to a Phone Button.

9.

Add user information by configuring required fields (optional).

Name (last)

User ID

Password (for User Options web pages)

PIN (for use with Extension Mobility)

Adds user information to the global directory for Cisco Unified Communications Manager.

Note To search for a user in the Corporate Directory, you must add users to Cisco Unified Communications Manager.

Refer to the Cisco Unified Communications Manager Administration Guide, End User Configuration.

See Adding Users to Cisco Unified Communications Manager.

Note If your company uses a Lightweight Directory Access Protocol (LDAP) directory to store information on users, you can install and configure Cisco Unified Communications to use your existing LDAP directory. Refer to Configuring Corporate and Personal Directories.

Note If you want to add both the phone and user to the Cisco Unified Communications Manager database at the same time, refer to Cisco Unified Communications Manager Administration Guide, User/Phone Configurations.

10.

Add a user to a user group.

Assigns users a common list of roles and permissions that apply to all users in a user group. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users. For example, you must add users to the standard Cisco CCM End Users group so users can access Cisco Unified CM User Options.

Refer to the Cisco Unified Communications Manager Administration Guide, User Group Configuration, Adding Users to a User Group.

11.

Associate a user with a phone (optional).

Provides users with control over their phone such as forwarding calls or adding speed-dial numbers or services.

Note Some phones, such as those in conference rooms, do not have an associated user.

Refer to the Cisco Unified Communications Manager Administration Guide, End User Configuration, Associating Devices to a User.


Installing Cisco Unified IP Phones

After you have added the phones to the Cisco Unified Communications Manager database, you can complete the phone installation. You (or the phone users) can install the phone at the user's location. The Cisco Unified IP Phone Installation Guide, which is available on Cisco.com, provides directions for connecting the phone footstand, handset, cables, and other accessories.


Note Before you install a phone, even if it is new, upgrade the phone to the current firmware image. For information about upgrading your phone, see the Readme file for your phone model located at:

http://www.cisco.com/cgi-bin/tablebuild.pl/ip-7900ser


After the phone is connected to the network, the phone startup process begins, and the phone registers with Cisco Unified Communications Manager. To finish installing the phone, configure the network settings on the phone depending on whether you enable or disable DHCP service.

If you used auto-registration, you need to update the specific configuration information for the phone such as associating the phone with a user, changing the button table, or directory number.

Checklist for Installing the Cisco Unified IP Phones 7906G and 7911G

Table 1-8 provides an overview and checklist of installation tasks for the Cisco Unified IP Phone 7906G and 7911G. The list presents tasks in a suggested order to guide you through the phone installation process. Some tasks are optional, depending on your system and user needs. For detailed procedures and information, refer to the sources in the list.

Table 1-8 Checklist for Installing the Cisco Unified IP Phones 7906G and 7911G 

Task
Purpose
For More Information

1.

Choose the power source for the phone:

Power over Ethernet (PoE)

External power supply

Determines how the phone receives power.

See Providing Power to the Cisco Unified IP Phone 7906G and 7911G.

2.

Assemble the phone, adjust phone placement, and connect the network cable.

Locates and installs the phone in the network.

See Installing the Cisco Unified IP Phone.

3.

Monitor the phone startup process.

Verifies that phone is configured properly.

See Verifying the Phone Startup Process.

4.

If you are configuring the network settings on the phone, you can set up an IP address for the phone by using one of the following methods:

Using DHCP—To enable DHCP and allow the DHCP server to automatically assign an IP address to the Cisco Unified IP Phone and direct the phone to a TFTP server, choose Settings > Network Configuration > IPv4 Configuration and:

To enable DHCP, set DHCP Enabled to Yes. DHCP is enabled by default.

To use an alternate TFTP server, set Alternate TFTP Server to Yes, and enter the IP address for the TFTP Server.

Note Consult with the network administrator if you need to assign an alternative TFTP server instead of using the TFTP server assigned by DHCP.

Without DHCP—You must configure the IP address, subnet mask, TFTP server, and default router locally on the phone. Choose Settings > Network Configuration > IPv4 Configuration:

To disable DHCP and manually set an IP address:

a. To disable DHCP, set DHCP Enabled to No.

b. Enter the static IP address for the phone.

c. Enter the subnet mask.

d. Enter the default router IP addresses.

e. Set Alternate TFTP Server to Yes, and enter the IP address for TFTP Server 1.

Note Choose Settings > Network Configuration and enter the domain name where the phone resides.

See Configuring Startup Network Settings.

See Network Configuration Menu.

5.

Set up security on the phone.

Provides protection against data tampering threats and identity theft of phones.

See Configuring Security on the Cisco Unified IP Phone.

6.

Make calls with the Cisco Unified IP Phone.

Verifies that the phone and features work correctly.

Refer to the Cisco Unified IP Phones 7906G and 7911G Guide.

7.

Provide information to end users about how to use their phones and how to configure their phone options.

Ensures that users have adequate information to successfully use their Cisco Unified IP Phones.

See "Providing Information to Users."