Media and Signaling Authentication and Encryption Feature on Cisco IOS MGCP Gateways

Table Of Contents

Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Contents

Prerequisites for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Restrictions for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Information About Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Benefits of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Feature Design of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

MGCP Gateway Behavior and Voice Security Features

Voice Security Features Interoperability with Endpoints

How to Configure Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Installing Cisco CallManager

Configuring IPSec on Cisco CallManager

Configuring Voice Security Features on Cisco IOS MGCP Gateways

Prerequisites

Configuring Secure IP Telephony Calls

Certificate Trust Lists

Prerequisites

Verifying Voice Security Features on Cisco IOS MGCP Gateways

Configuration Examples for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Voice Security Features Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

codec complexity

mgcp package-capability

mgcp validate call-agent source-ipaddr

show mgcp

show mgcp srtp

show mgcp statistics

show voice dsp

Glossary

Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

The Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature provides support for Cisco Secure Survivable Remote Site Telephony (SRST) and voice security features that include authentication, integrity, and encryption of voice media and related call control signaling.

Feature History for the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways Feature

Release

Modification

12.3(11)T2

This feature was introduced.

12.3(14)T

This feature was integrated into Cisco IOS Release 12.3(14)T and support was added for the Cisco Secure SRST feature and the NM-HDV network module.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Prerequisites for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Restrictions for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Information About Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•How to Configure Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Configuration Examples for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Additional References

•Command Reference

•Glossary

Prerequisites for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Make sure that the following tasks have been completed before configuring the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature:

•Cisco IOS Media Gateway Control Protocol (MGCP) is configured.

•Cisco CallManager 4.1(2) or a later release is running.

•Cisco Secure SRST is configured on the router. For more information on configuring secure SRST on the router, refer to the document Setting up Secure SRST.

•Cisco IOS gateways have the prerequisite Cisco IOS images installed. Voice security features are delivered on Advanced IP Services or Advanced Enterprise Services images.

It is recommended that IP security (IPSec) be configured on the Cisco IOS gateway. Both software and hardware-based IPSec connections are supported.

For more information on configuring Cisco IOS-based (software) IPSec, refer to the following:

•Cisco IOS Security Configuration Guide, Release 12.3

•Cisco IOS Security Command Reference, Release 12.3

For more information on configuring hardware-based IPSec on the gateway, refer to the following:

•Cisco 2621 Modular Access Router with AIM-VPN/BP Security Policy

•Cisco 2651 Modular Access Router with AIM-VPN/BP Security Policy

•Cisco 3640 Modular Access Router with AIM-VPN/BP Security Policy

•Cisco 3660 Modular Access Router with AIM-VPN/BP Security Policy

It is recommended that IPSec be configured on the Cisco CallManager. For more information, refer to the Microsoft Knowledge Base article "Configuring IPSec Between a Microsoft Windows 2000 Server and a Cisco Device."

If you want to interoperate with Cisco IP phones, make sure that the following tasks have been completed before configuring the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature:

•Cisco CallManager is set up for secure mode operation, and certificate trust list (CTL) client is installed. For more information on CTL client setup, refer to Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1), "Authentication, Integrity and Encryption" chapter.

•The phones are configured to support secure calls if the gateways will interoperate with Cisco IP phones. For more information on Cisco IP phone configuration, refer to the following:

–Cisco IP Phone Model 7960G and 7940G Administration Guide for Cisco CallManager Release 4.1, "Security Configuration Menu" section.

–Cisco IP Phone 7970 Administration Guide for Cisco CallManager, Release 4.x and later, "Understanding Security Features for Cisco IP Phones" section.

Restrictions for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

The Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature is supported on the Cisco IOS MGCP 0.1 only.

Cisco IOS MGCP gateways support voice security features on the following endpoints only: T1, E1, FXS, and FXO.

When a Cisco IOS MGCP voice gateway is used in conjunction with the Cisco CallManager, the automatic download feature that allows you to complete the gateway configuration on the Cisco CallManager server by downloading the configuration to that gateway through a TFTP server is not supported with voice security features.

Voice security during conferencing, transcoding, and music-on-hold is not supported.

Note If one component in the voice gateway path is not secure, the entire call falls back to non-secure mode.

Table 1 provides a list of supported IP phones, gateways and network modules for voice security features.

Table 1 Supported IP Phones, Gateways and Network Modules for Voice Security Features

Supported Cisco IP Phones

Supported Gateways

Supported Network Modules

•Cisco IP Phone 7940

•Cisco IP Phone 7960

•Cisco IP Phone 7970

•Cisco 2600XM

•Cisco 2691

•Cisco 2811

•Cisco 2821

•Cisco 2851

•Cisco 3640A

•Cisco 3660

•Cisco 3700

•Cisco 3825

•Cisco 3845

•Cisco VG224

•EVM-HD

•NM-HDV2

•NM-HDV2-1T1/E1

•NM-HDV2-2T1/E1

•NM-HD-1V

•NM-HD-2V

•NM-HD-2VE

•PVDM2

Voice security features impact quality of service (QoS) as follows:

•The Secure Real-Time Transport Protocol Control Protocol (SRTCP) packet size increases by an 80-bit authentication tag, a 31-bit index field, and a 1-bit encryption flag.

•The bandwidth of Real-Time Transport Protocol (RTP) streams increases slightly with the introduction of the 32-bit authentication tag on every Secure RTP (SRTP) packet sent. Additional bandwidth is required for supported SRTP codecs as shown in Table 2.

Table 2 SRTP Codec Bandwidth Requirements

Codec

Packetization Period (milliseconds)

RTP Bandwidth (kbps)

SRTP Bandwidth (kbps)

G.711 mu-law, G.711 A-law

10—20

96—80

99.2—81.6

G.729, G.729A

10—220

40—9.454

43.2—9.6

Only G.711 and G.729 codecs support voice security features.

Voice security features support channel density on the TI-5510 digital signal processor (DSP) as shown in Table 3.

Table 3 TI -5510 DSP Channel Density

Codec

Number of Nonsecure Calls

Number of Secure Calls

G.711

16

10

G.729

6

6

G.729A

8

8

Use the codec complexity command in voice-card configuration mode to specify secure codec complexity and call density per DSP.

Information About Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

To configure the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature, you should understand the following concepts:

•Benefits of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Feature Design of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Benefits of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

•Provides privacy and confidentiality for voice calls

•Protects against voice security violations

Feature Design of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

The Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature implements voice security features that include signaling authentication along with media and signaling encryption on MGCP gateways. The feature provides secure VoIP calls by addressing security requirements for privacy, integrity, and confidentiality of voice conversations. The Cisco IP telephony network establishes and maintains authenticated communications using authentication and encryption technology. Signaling authentication validates that no tampering has occurred to signaling packets during transmission. Encryption, the process of converting clear-text data into enciphered data, provides data integrity and authentication. IPSec, a standards-based set of security protocols and algorithms, ensures that signaling information, that is, DTMF digits, passwords, personal identification numbers (PINs), encryption keys, and so forth., that is sent between the gateway and Cisco CallManager is encrypted. Media encryption using standards-based SRTP ensures that media streams between supported devices are secure.

Voice security features support the following capabilities between gateways and from gateways to IP phones that support the encryption feature:

•Gateway to Cisco CallManager call control authentication and encryption using IPSec

•Media encryption and authentication of voice RTP streams using SRTP

•Exchange of RTP Control Protocol (RTCP) information using SRTCP

•SRTP to RTP fallback for calls between secure and nonsecure endpoints

•Secure to clear-text fallback for new calls during SRST operation

Figure 1 shows a typical topology where voice security features are deployed.

Figure 1 Voice Security Features in the Telephony Network

MGCP Gateway Behavior and Voice Security Features

To implement voice security features in Cisco CallManager networks, the MGCP gateway communicates with Cisco CallManager over a secure IPSec connection that provides encryption of IP packets. To ensure that your signaling information is secure, an IPSec connection must be established between the CallManager and the gateways, as described in the section "Prerequisites for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways." You can verify that the IPSec tunnel is secure using the commands listed in the "Verifying Voice Security Features on Cisco IOS MGCP Gateways" section.

Note While you may enable media authentication and encryption without signaling encryption, this practice is discouraged. If the gateway to Cisco CallManager connection is not secure, media keys will be sent in clear-text and your voice call will not be considered secure.

After the IPSec tunnel is established, all call control and signaling of MGCP packets between the gateway and Cisco CallManager go through the secured IPSec tunnel, with the Cisco CallManager directing the MGCP gateway to set up and tear down SRTP streams. SRTP media keys are distributed by Cisco CallManager through the secured IPSec tunnel.

Cisco implements voice security features on MGCP gateways by supporting the SRTP package and SRTP Session Description Protocol (SDP) extensions, as defined in the Internet Engineering Task Force (IETF) specification, draft-ietf-mmusic-sdescriptions-02.txt, Security Descriptions for Media Streams. SRTP package capability is disabled by default. Use the Cisco IOS command line interface (CLI) to enable the feature. For more information, see the section "Configuring Voice Security Features on Cisco IOS MGCP Gateways."

Cisco uses the Internet Key Exchange (IKE) standard to implement IPSec. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and IPSec security associations (SAs). An IPSec SA describes how two or more entities will use security services to communicate securely. For example, an IPSec SA defines the encryption algorithm, the authentication algorithm, and the shared session key to be used during the IPSec connection. Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user configuration. IKE has two phases of key negotiation: phase 1 and phase 2. Phase 1 negotiates a security association (a key) between two IKE peers. The key negotiated in phase 1 enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE establishes keys (security associations) for other applications, such as IPSec.

The Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature also implements an extended codec selection algorithm that combines selection of a codec with selection of a cryptographic suite to be used to encrypt the RTP stream. Cisco IOS Release 12.3(11)T supports the AES_CM_128_HMAC_SHA1_32 cryptographic suite, which includes the AES-128-countermode encryption algorithm and the Hashed Message Authentication Codes (HMAC) Secure Hash Algorithm1 (SHA1) authentication algorithm.

Voice Security Features Interoperability with Endpoints

Cisco IOS MGCP gateways support voice security features on T1, E1, FXS, and FXO endpoints supported by network modules listed in Table 1, thereby enabling secure calls from analog phone to analog phone, or fax machine to fax machine. Similarly, secure calls are enabled from time- division multiplexing (TDM) endpoints or analog phones to Cisco IP phones. For a Cisco IP Phone to make and receive secure calls, all endpoints, that is, phones of all call participants, must support voice security features. If a call is nonsecure, no special icon displays on the phone. If a call is secure, the phone displays either the authenticated or encrypted call icons. For more information on secure call icons, refer to Cisco IP Phone 7970 Administration Guide for Cisco CallManager, Release 4.x or later, "Identifying Encrypted and Authenticated Phone Calls" section.

How to Configure Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

This section contains the following procedures:

•Installing Cisco CallManager,(required)

•Configuring IPSec on Cisco CallManager, (required)

•Configuring Voice Security Features on Cisco IOS MGCP Gateways, (required)

•Configuring Secure IP Telephony Calls, (required)

•Verifying Voice Security Features on Cisco IOS MGCP Gateways, (optional)

Installing Cisco CallManager

This task installs Cisco CallManager and configures it to work with IPSec and the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature.

Step 1 Install Cisco CallManager on the server.

•Insert Cisco CallManager HW Detection CD version 2000.2.6, Disk1.

•When prompted, insert Cisco CallManager Base OS CD , Disk3 or 4.

Step 2 Determine the Windows OS version by going to C:\utils and double-clicking MCSVer.exe program. If you have Windows 2000.2.6sr3, no additional Windows upgrade is required. Go to Step 5. If you have Windows 2000.2.5 or a prior version, you must upgrade to Windows 2000.2.6. Go to Step 3. If you have Windows 2000.2.6, you must upgrade to Windows 2000.2.6sr3. Go to Step 4.

Step 3 Upgrade from Windows 2000.2.5 or a prior version.

•Go to http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des, to download the following files:

–win-OS-Upgrade-K9.2000-2-6.exe.

–win-OS-Upgrade-K9.2000-2-6-Readme.htm

Follow the steps listed in the ReadMe file.

Step 4 Upgrade from Windows 2000.2.6 to Windows 2000.2.6.sr3.

•Go to http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des, to download the following files:

–win-OS-Upgrade-K9.2000-2-6sr3.exe

–win-OS-Upgrade-K9.2000-2-6sr3-Readme.htm.

Follow the steps listed in the ReadMe file.

Step 5 Upgrade Cisco CallManager to version 4.1.

•Go to http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml.

•Copy CiscoCallManagerUpgrade.exe to the local system.

•Run the upgrade.

Step 6 Use the ping command on both the gateway and Cisco CallManager to test the connection between gateway and Cisco CallManager. Go to the "Configuring IPSec on Cisco CallManager" section.

Configuring IPSec on Cisco CallManager

This task configures the IPSec connection between the MGCP gateway and the Cisco CallManager.

Step 1 Create an IPSec policy on the Windows 2000 server.

•Use the Microsoft Management Console (MMC) to work on the IP Security Policy Management snap-in. Click Start, click Run, and then enter secpol.msc.

•Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy.

•Click Next, and then type a name for your policy.

•Click the Activate the default response rule check box to clear, and then click Next.

•Click Finish, while keeping the Edit check box chosen.

Step 2 Build a filter from the Cisco CallManager to the gateway.

•In the properties for the new policy created in Step 1, click the Use Add Wizard check box to clear, and then click Add to create a new rule.

•On the IP Filter List tab, click Add.

•Enter an appropriate name for the filter list, click the Use Add Wizard check box to clear, and then click Add.

•In the Source address area, choose the option My IP Address from the drop-down arrow. Enter the Cisco CallManager IP address.

•In the Destination address area, click A specific IP Subnet from the drop-down arrow. Enter the IP address of the router interface in the same subnet as the Cisco CallManager.

•Click the Mirrored check box to clear.

•On the Protocol tab, make sure the protocol type is set to Any. (IPSec tunnels do not support protocol-specific or port-specific filters).

•(Optional) If you want to enter a description for your filter, click the Description tab. It is recommended that you give the filter the same name you used for the filter list. The filter name is displayed in the IPSec monitor when the tunnel is active.

•Click OK, and then click Close.

Step 3 Build a filter from the gateway to the Cisco CallManager.

•On the IP Filter List tab, click Add.

•Type an appropriate name for the filter list, click the Use Add Wizard check box to clear, and then click Add.

•In the Source address area, click A specific IP Subnet from the drop-down arrow. Enter in the IP address of the router interface in the same subnet as the Cisco CallManager.

•In the Destination address area, choose the option My IP Address from the drop- down arrow.

•Click to clear the Mirrored check box.

•(Optional) If you want to enter a description for your filter, click the Description tab.

•Click OK, and then click Close.

Step 4 Configure a rule to negotiate tunnel security.

•On the IP Filter List tab, click the filter list you created in Step 2.

•On the Tunnel Setting tab, choose the optionTunnel Setting - encryption peers. For Cisco-Microsoft and for Microsoft-Cisco, configure the setting according to: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

•On the Connection Type tab, click All network connections.

•On the Filter Action tab, click the Use Add Wizard check box to clear , and then click Add to create a new filter action.

Note You must create a new filter; otherwise the default filter action allows incoming traffic in the clear.

•Keep the Negotiate security option enabled, and click the Accept unsecured communication, but always respond using IPSec check box to clear.

Note You must perform this step to ensure secure operation.

•Choose the Custom option to add a security method. Click the Data integrity and encryption box for Encapsulating Security Payload (ESP). Click MD5 for the Integrity algorithm. Click DES for the Encryption algorithm. Check the Generate a new Key every 3600 seconds box.

•Click OK. On the General tab, enter a name for the new filter action and then click OK.

•Choose the filter action you created in Step 2.

•On the Authentication Methods tab, perform the steps to configure a preshared key.

Note The preshared key must match the key configured on the router.

•Click Close.

Step 5 Set key exchange security methods.

•Right- click the IP Security Policy created in Step 1 and choose Properties.

•Click the General tab.

•Click the Advanced button.

•Click the Methods button.

•Ensure that the security Method with the following settings is at the top of the preference order: Type- IKE, Encryption -DES, Integrity - SHA1, Diffie-Hellman - Low(1)

•Save the configuration.

Step 6 Assign the new IPSec policy to the Windows 2000 gateway.

•In the IP Security Policies on Local Machine MMC snap-in, right-click the new policy, and then click Assign. A green arrow appears in the folder icon next to the new policy.

Step 7 Use the ping command on both the gateway and Cisco CallManager to test the connection between gateway and Cisco CallManager.

Step 8 Run ipsecmon.exe on the Cisco CallManager to verify the configuration.

Step 9 Use the show crypto isakmp sa command on the gateway to verify the IPSec configuration.

Configuring Voice Security Features on Cisco IOS MGCP Gateways

This task configures voice security features on the gateway.

Prerequisites

We strongly recommend that you first establish an IPSec connection between the Cisco CallManager and the MGCP gateway before you use the MGCP SRTP package. Otherwise, media keys will be sent in clear text and your voice call will not be considered secure. For more information, see the sections "Installing Cisco CallManager" and "Configuring IPSec on Cisco CallManager."

SUMMARY STEPS

1. enable

2. configure terminal

3. mgcp package-capability srtp-package

4. mgcp validate call-agent source-ipaddr

5. voice-card slot

6. codec complexity secure

7. exit

DETAILED STEPS

Command or Action

Purpose

Step 1

enable
Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal
Example:

Router# configure terminal

Enters global configuration mode.

Step 3

mgcp package-capability srtp-package
Example:

Router(config)# mgcp package-capability srtp-package

Enables the MGCP gateway capability to process SRTP packages.

Step 4

mgcp validate call-agent source-ipaddr
Example:

Router(config)# mgcp validate call-agent source-ipaddr

(Optional) Enables MGCP application validation that packets received are sent by a configured call agent.

Step 5

voice-card slot
Example:

Router(config)# voice-card 1

Enters voice-card configuration mode and configures thevoice card in the specified network module slot.

Step 6

codec complexity secure
Example:

Router(config-voice-card)# codec complexity secure

Restricts the number of channels per NM-HDV network module from 4 to 2, enabling SRTP support on the TI-549 DSP.

Note You do not need to specify secure codec complexity for TI-5510 DSPs, which support SRTP capability in all complexity modes.

Step 7

exit
Example:

Router(config-voice-card)# exit

Exits the current configuration mode.

Configuring Secure IP Telephony Calls

This task enables secure IP telephony calls from gateway to IP phone.

Certificate Trust Lists

Voice security features use digital certificates contained in eTokens for device authentication. This process validates the identity of a device and ensures that the entity is who it claims to be. Device authentication occurs between the Cisco CallManager server and supported IP phones when each entity accepts the certificate of the other entity. Cisco implements device authentication using the CTL feature on the Cisco CallManager. The CTL Client creates a certificate on each server in the cluster and generates a CTL file in the TFTP Path of the server for the phones to download. This file provides the IP phone with a list of certified hosts that it can trust. For more information, refer to Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1), "Signaling Authentication" chapter.

Prerequisites

•CTL Provider service must be running on the Cisco CallManager server.

•Smart Card service must be running on the Cisco CallManager server.

•Two USB eTokens are required.

Step 1 Install CiscoCTLClient.exe from c:\CiscoPlugins\Client\.

Step 2 Launch Cisco CTL Client from the desktop shortcut.

Step 3 Enter the Cisco CallManager IP address and password, then click Next.

Step 4 Choose Set CallManager Cluster to Secure Mode, then click Next.

Step 5 Click Add for Security Token Information.

Step 6 Click Add Tokens for CTL Entries.

Step 7 When prompted, insert the first USB eToken, then click OK.

Step 8 Repeat Step 5 and Step 6 for the second eToken.

Step 9 Click Finish for CTL Entries, then enter your eToken Password when prompted and click OK.

Step 10 Verify that voice security features are enabled.

•Open Cisco CallManager Administration, choose Access System, then Enterprise Parameters. Scroll down to Security Parameters, and verify that Cluster Security is set to 1.

•Set the Cisco CallManager Enterprise Parameter to Encrypted to force all devices in the cluster to run encrypted mode. You can also set each IP phone individually to Encrypted mode by choosing Device, then Phone, then Find, then Security Mode = Encrypted. Reboot the IP phones and verify that the Security Mode displays Encrypted under Security Settings.

Verifying Voice Security Features on Cisco IOS MGCP Gateways

This task verifies voice security feature configuration and MGCP gateway to Cisco CallManager IPSec connections.

SUMMARY STEPS

1. show mgcp

2. show mgcp connection

3. show mgcp srtp {summary | detail [endpoint]}

4. show mgcp statistics

5. show call active voice

6. show voice call port

7. show voice call status

8. show voice call status call-id

9. show voice dsp

10. show rtpspi call

11. show rtpspi statistics

12. show ccm-manager

13. show crypto engine accelerator statistic

14. show crypto ipsec sa

15. show crypto isakmp sa

16. show crypto session

17. show crypto session detail

DETAILED STEPS

Step 1 Use the show mgcp command to display the state of the mgcp package-capability srtp-package and mgcp validate call-agent source-ipaddr commands.
Router# show mgcp
MGCP Admin State ACTIVE, Oper State ACTIVE - Cause Code NONE
MGCP call-agent: 10.7.0.200 Initial protocol service is MGCP 0.1
The following line shows that call-agent validation is enabled:
MGCP validate call-agent source-ipaddr ENABLED
MGCP block-newcalls DISABLED
MGCP send SGCP RSIP: forced/restart/graceful/disconnected DISABLED 
MGCP quarantine mode discard/step
MGCP quarantine of persistent events is ENABLED
MGCP dtmf-relay for VoIP disabled for all codec types
MGCP dtmf-relay for VoAAL2 disabled for all codec types
MGCP voip modem passthrough disabled
MGCP voaal2 modem passthrough disabled
MGCP voip modem relay: Disabled.
MGCP TSE payload: 100
MGCP T.38 Named Signalling Event (NSE) response timer: 200
MGCP Network (IP/AAL2) Continuity Test timer: 200
MGCP 'RTP stream loss' timer disabled
MGCP request timeout 500
MGCP maximum exponential request timeout 4000
MGCP gateway port: 2427, MGCP maximum waiting delay 3000
MGCP restart delay 0, MGCP vad DISABLED
MGCP rtrcac DISABLED
MGCP system resource check DISABLED
MGCP xpc-codec: DISABLED, MGCP persistent hookflash: DISABLED
MGCP persistent offhook: ENABLED, MGCP persistent onhook: ENABLED
MGCP piggyback msg DISABLED, MGCP endpoint offset DISABLED
MGCP simple-sdp ENABLED
MGCP undotted-notation DISABLED
MGCP codec type g711ulaw, MGCP packetization period 20
MGCP JB threshold lwm 30, MGCP JB threshold hwm 150
MGCP LAT threshold lwm 150, MGCP LAT threshold hwm 300
MGCP PL threshold lwm 1000, MGCP PL threshold hwm 10000
MGCP CL threshold lwm 1000, MGCP CL threshold hwm 10000
MGCP playout mode is adaptive 60, 4, 200 in msec
MGCP Fax Playout Buffer is 300 in msec
MGCP media (RTP) dscp: ef, MGCP signaling dscp: af31
MGCP default package: line-package
The following lines show that the srtp-package command is enabled:
MGCP supported packages: gm-package dtmf-package mf-package trunk-package 
         line-package ms-package dt-package mo-package mt-package 
         sst-package fxr-package srtp-package 
MGCP Digit Map matching order: shortest match
SGCP Digit Map matching order: always left-to-right
MGCP VoAAL2 ignore-lco-codec DISABLED
MGCP T.38 Fax is ENABLED
MGCP T.38 Fax ECM is ENABLED
MGCP T.38 Fax NSF Override is DISABLED
MGCP T.38 Fax Low Speed Redundancy: 0MGCP T.38 Fax High Speed Redundancy: 0
MGCP control bound to interface FastEthernet0/0
MGCP media bind :DISABLED
MGCP Upspeed payload type for G711ulaw: 0,  G711alaw: 8
MGCP Dynamic payload type for G.726-16K codec
MGCP Dynamic payload type for G.726-24K codec
MGCP Dynamic payload type for G.Clear codec
Step 2 Use the show mgcp connection command to display information on active connections, including the encryption suite.
Router# show mgcp connection
Endpoint        Call_ID(C) Conn_ID(I) (P)ort (M)ode (S)tate (CO)dec (E)vent[SIFL] 
(R)esult[EA] Encryption(K)
The following line shows that encryption status is enabled, K=1.
1. S1/DS1-0/1   C=2,1,2  I=0x2  P=18204,0  M=2  S=4,4 CO=1 E=0,0,0,0  R=0,0 K=1
Step 3 Use the show mgcp srtp {summary | detail [endpoint]} command to display SRTP connections and validate master keys and salts for endpoints.
Router# show mgcp srtp summary
MGCP SRTP Connection Summary
Endpoint             Conn Id    Crypto Suite                  
aaln/S3/SU0/0        8          AES_CM_128_HMAC_SHA1_32       
aaln/S3/SU0/1        9          AES_CM_128_HMAC_SHA1_32       
S3/DS1-0/1           6          AES_CM_128_HMAC_SHA1_32       
S3/DS1-0/2           7          AES_CM_128_HMAC_SHA1_32       
4 SRTP connections active
Router# show mgcp srtp detail
MGCP SRTP Connection Detail for Endpoint *
Definitions: CS=Crypto Suite, KS=HASHED Master Key/Salt, SSRC=Syncronization Source, 
ROC=Rollover Counter, KDR=Key Derivation Rate, SEQ=Sequence Number, FEC=FEC Order, 
MLT=Master Key Lifetime, MKI=Master Key Index:MKI Size
Endpoint aaln/S3/SU0/0 Call ID 2 Conn ID 8
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint aaln/S3/SU0/1 Call ID 101 Conn ID 9
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
Endpoint S3/DS1-0/1 Call ID 1 Conn ID 6
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint S3/DS1-0/2 Call ID 100 Conn ID 7
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
4 SRTP connections displayed
Router# show mgcp srtp detail S3/DS1-0/*
MGCP SRTP Connection Detail for Endpoint S3/DS1-0/*
Definitions: CS=Crypto Suite, KS=HASHED Master Key/Salt, SSRC=Syncronization Source, 
ROC=Rollover Counter, KDR=Key Derivation Rate, SEQ=Sequence Number, FEC=FEC Order, 
MLT=Master Key Lifetime, MKI=Master Key Index:MKI Size
The following lines allow you to compare and validate a hashed version of the master key and salt, as indicated by the KS field, without the display revealing the actual master key and salt.
Endpoint S3/DS1-0/1 Call ID 1 Conn ID 6
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint S3/DS1-0/2 Call ID 100 Conn ID 7
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
2 SRTP connections displayed
Step 4 Use the show mgcp statistics command to display statistics, including dropped packets from unconfigured call agents.
Router# show mgcp statistics
 UDP pkts rx 0, tx 0
 Unrecognized rx pkts 0, MGCP message parsing errors 0
 Duplicate MGCP ack tx 0, Invalid versions count 0
The following line shows the number of dropped packets from unconfigured call agents.
 rx pkts from unknown Call Agent 0
 CreateConn rx 0, successful 0, failed 0
 DeleteConn rx 0, successful 0, failed 0
 ModifyConn rx 0, successful 0, failed 0
 DeleteConn tx 0, successful 0, failed 0
 NotifyRequest rx 0, successful 0, failed 0
 AuditConnection rx 0, successful 0, failed 0
 AuditEndpoint rx 0, successful 0, failed 0
 RestartInProgress tx 0, successful 0, failed 0
 Notify tx 0, successful 0, failed 0
 ACK tx 0, NACK tx 0
 ACK rx 0, NACK rx 0
 IP address based Call Agents statistics:
 No Call Agent message.
 System resource check is DISABLED. No available statistic
Step 5 Use the show call active voice command to display encryption statistics.
Router# show call active voice
GENERIC: SetupTime=21072 Index=0 PeerAddress= PeerSubAddress= PeerId=0 
PeerIfIndex=0 LogicalIfIndex=0 ConnectTime=0 CallState=3 CallSecurity = On CallOrigin=2 
ChargedUnits=0 
InfoType=0 TransmitPackets=375413 TransmitBytes=7508260 ReceivePackets=377734 
ReceiveBytes=7554680
VOIP: ConnectionId[0x19BDF910 0xAF500007 0x0 0x58ED0] RemoteIPAddress=17635075 
RemoteUDPPort=16394 RoundTripDelay=0 SelectedQoS=0 SessionProtocol=1 
SessionTarget= OnTimeRvPlayout=0 GapFillWithSilence=0 GapFillWithPrediction=600
GapFillWithInterpolation=0 GapFillWithRedundancy=0 HiWaterPlayoutDelay=110
LoWaterPlayoutDelay=64 ReceiveDelay=94 VADEnable=0 CoderTypeRate=0
GENERIC: SetupTime=21072 Index=1 PeerAddress=+14085271001 PeerSubAddress= 
PeerId=0 PeerIfIndex=0 LogicalIfIndex=5 ConnectTime=21115 CallState=4 CallOrigin=1 
ChargedUnits=0 InfoType=1 TransmitPackets=377915 TransmitBytes=7558300 
ReceivePackets=375594 ReceiveBytes=7511880 TotalPacketsEncrypted=375594 
The following lines show statistics for encrypted and decrypted packets.
TotalPacketsDecrypted=375594 DecryptionFailurePacketCount=0 
TotalPacketsAuthenticated=375594 AuthenticationFailurePacketCount=0 
DuplicateReplayPacketCount=0 OutsideWindowReplayPacketCount=0
TELE: ConnectionId=[0x19BDF910 0xAF500007 0x0 0x58ED0] TxDuration=16640 
VoiceTxDuration=16640 FaxTxDuration=0 CoderTypeRate=0 NoiseLevel=0 ACOMLevel=4 
OutSignalLevel=-440 InSignalLevel=-440 InfoActivity=2 ERLLevel=227 
SessionTarget=
Step 6 Use the show voice call port command to display SRTP statistics.
Router# show voice call 1/0/0
1/0/0
      vtsp level 0 state = S_CONNECTvpm level 1 state = FXSLS_CONNECT
vpm level 0 state = S_UP
calling number , calling name unavailable, calling time 01/08 03:44
c3745_13#       ***DSP VOICE TX STATISTICS***
Tx Vox/Fax Pkts: 108616, Tx Sig Pkts: 0, Tx Comfort Pkts: 0
Tx Dur(ms): 2172320, Tx Vox Dur(ms): 2172320, Tx Fax Dur(ms): 0
        ***DSP VOICE RX STATISTICS***
Rx Vox/Fax Pkts: 108602, Rx Signal Pkts: 0, Rx Comfort Pkts: 0
Rx Dur(ms): 2172320, Rx Vox Dur(ms): 2171990, Rx Fax Dur(ms): 0
Rx Non-seq Pkts: 3, Rx Bad Hdr Pkts: 0
Rx Early Pkts: 0, Rx Late Pkts: 0
        ***DSP VOICE VP_DELAY STATISTICS***
Clk Offset(ms): -2819596, Rx Delay Est(ms): 65
Rx Delay Lo Water Mark(ms): 65, Rx Delay Hi Water Mark(ms): 65
        ***DSP VOICE VP_ERROR STATISTICS***
Predict Conceal(ms): 250, Interpolate Conceal(ms): 0
Silence Conceal(ms): 0, Retroact Mem Update(ms): 0
Buf Overflow Discard(ms): 0, Talkspurt Endpoint Detect Err: 0
        ***DSP LEVELS***
TDM Bus Levels(dBm0): Rx -37.7 from PBX/Phone, Tx -35.5 to PBX/Phone
TDM ACOM Levels(dBm0): +5.0, TDM ERL Level(dBm0): +5.0
TDM Bgd Levels(dBm0): -35.9, with activity being silence
        ***DSP VOICE ERROR STATISTICS***
Rx Pkt Drops(Invalid Header): 0, Tx Pkt Drops(HPI SAM Overflow): 0
        ***DSP VOICE SRTP STATISTICS***
The following lines show voice SRTP statistics.
*Jan  8 2004 04:21:01.743 PAT: TotalPacketsEncrypted: 108616  TotalPacketsDecrypted: 
108602
DecryptionFailurePacketCount: 0  TotalPacketsAuthenticated: 108602
AuthenticationFailurePacketCount: 0 DuplicateReplayPacketCount: 0
OutsideWindowReplayPacketCount: 0  packetsBadReceivedSSRC: 0
Note When a T.38 fax call (nonsecure) is attempted and the fax call goes through, then switches back to secure voice (SRTP) mode, output for the show voice call port command displays an authentication failure packet count of 20. This is a normal occurrence and should not affect voice quality. The authentication failure packet count occurs because the gateways do not switch back to secure voice at the same time, that is, one side of the call is in SRTP voice mode for a short period of time while the other side is in T.38 fax mode.
Step 7 Use the show voice call status command to display status of all voice ports.
Router# show voice call status
CallID     CID  ccVdb      Port      DSP/Ch  Called #   Codec    Dial-peers
0x5        11DE 0x660B24D0 1/0/0     1/1                g711ulaw 999100/0
0x7        11E1 0x665031A8 1/0:23.-1 1/2    *           g729ar8  0/999
0x11       11E4 0x6652B3B4 1/1:1.1   1/3     232222     g729ar8  999/0
3 active calls found
Step 8 Use the show voice call status call-id command to display status of a specific call.
Router# show voice call status 5
Gathering information (10 seconds)...
CallID     Port      DSP/Ch  Codec    Rx/Tx     En/De     ERL/Reflctr Jitter
0x5        1/0/0     1/1     g711ulaw 500/500   500/500   5.0/3       65/0
Router# show voice call status 7
Gathering information (10 seconds)...
CallID     Port      DSP/Ch  Codec    Rx/Tx     En/De     ERL/Reflctr Jitter
0x7        1/0:23.-1 1/2     g729ar8  500/500   500/500   6.0/4       70/0
Router# show voice call status 11
Gathering information (10 seconds)...
CallID     Port      DSP/Ch  Codec    Rx/Tx     En/De     ERL/Reflctr Jitter
0x11       1/1:1.1   1/3     g729ar8  500/500   500/500   7.0/4       70/0
Step 9 Use the show voice dsp commandto display the status of DSP voice channels.
Router# show voice dsp
DSP 	 DSP 	 	 	 	DSPWARE 	CURR 	 BOOT 	 	 	 	 	 	 	 	 	 PAK TX/RX
TYPE NUM CH CODEC 	 		VERSION 	STATE STATE 	 RST AI VOICEPORT TS ABORT PACK COUNT
==== === == ======== ======= ===== ======= === == ======== === ==== ===========
C549 1 	 01 {medium} 4.4.3 	 IDLE 	 idle 	 	 	 0 	 0 	 1/0:0 	 	 	 1 	 	 	 0 	 	 9357/9775
C549 1 	 02 {medium} 4.4.3 	 IDLE 	 idle 	 	 	 	 	 	 0 	 1/0:0 	 	 	 	2 	 	 0 	 	 0/0
C549 2 	 01 {medium} 4.4.3 	 IDLE 	 idle 			 	 	 0 	 0 	 1/0:0 	 	 	 3 	 	 	 0 	 	 0/0
C549 2 	 02 {medium} 4.4.3 	 IDLE 	 idle 	 	 	 	 	 	 0 		 1/0:0 	 	 		4 	 0 	 	 0/0
C549 3 	 01 {medium} 4.4.3 	 IDLE 	 idle 	 	 	 0 	 0 	 1/0:0 	 	 	 5 	 	 	 0 	 	 	 	 0/13
C549 3 	 02 {medium} 4.4.3 	 IDLE 	 idle 	 	 	 	 	 	 0 	 1/0:0 	 	 	 6 	 	 	 0 	 	 0/13
Step 10 Use the show rtpspi call command to display active SRTP call details.
Router# show rtpspi call
RTP Service Provider info:
No. CallId dstCallId Mode      LocalRTP RmtRTP LocalIP    RemoteIP   SRTP
1   6      5         Snd-Rcv   18662    19392  0xA0A0A0D  0xA0A0A0B    1
2   8      7         Snd-Rcv   18940    16994  0xA0A0A0D  0xA0A0A0B    1
3   16     17        Snd-Rcv   19038    17198  0xA0A0A0D  0xA0A0A0B    1
Step 11 Use the show rtpspi statistics command to display RTP statistics.
Router# show rtpspi statistics
RTP Statistics info:
No. CallId     Xmit-pkts Xmit-bytes Rcvd-pkts  Rcvd-bytes Lost pkts  Jitter Late
nc
1   6          0x842C    0x54AC30   0x842A     0x54AAE8   0x0        0x41     0x2
2   8          0x52B8    0x7C140    0x52B5     0x7C0F8    0x0        0x46     0x2
3   16         0x2EB0    0x46080    0x2EAF     0x46068    0x0        0x46     0x2
Step 12 Use the show ccm-manager command to display the status and availability of Cisco CallManager.
Router# show ccm-manager
MGCP Domain Name: router
Priority        Status                   Host
============================================================
Primary         Registered               10.10.10.130
First Backup    Duplicate of Primary     10.10.10.130
Second Backup   None
Current active Call Manager:    10.10.10.130
Backhaul/Redundant link port:   2428
Failover Interval:              30 seconds
Keepalive Interval:             15 seconds
Last keepalive sent:            04:06:40 PAT Jan 8 2004 (elapsed time: 00:00:04)
Last MGCP traffic time:         04:06:40 PAT Jan 8 2004 (elapsed time: 00:00:04)
Last failover time:             None
Last switchback time:           None
Switchback mode:                Graceful
MGCP Fallback mode:             Enabled/OFF
Last MGCP Fallback start time:  03:42:25 PAT Jan 8 2004
Last MGCP Fallback end time:    03:42:44 PAT Jan 8 2004
MGCP Download Tones:            Disabled
Backhaul Link info:
    Link Protocol:      TCP
    Remote Port Number: 2428
    Remote IP Address:  10.10.10.130
    Current Link State: OPEN
    Statistics:
        Packets recvd:   7
        Recv failures:   0
        Packets xmitted: 13
        Xmit failures:   0
    PRI Ports being backhauled:
        Slot 1, port 0
Configuration Error History:
FAX mode: cisco
Step 13 Use the show crypto engine accelerator statistic command to display statistics and error counters for the onboard hardware accelerator of the router for IPSec encryption.
Router# show crypto engine accelerator statistic
Virtual Private Network (VPN) Module in slot : 0
        Statistics for Hardware VPN Module since the last clear
         of counters 1814 seconds ago
                    638 packets in                         638 packets out
                  88640 bytes in                         87601 bytes out
                      0 paks/sec in                          0 paks/sec out
                      0 Kbits/sec in                         0 Kbits/sec out
                    315 packets decrypted                  323 packets encrypted
                  37680 bytes before decrypt             49921 bytes encrypted
                  21104 bytes decrypted                  67536 bytes after encrypt
                      0 packets decompressed                 0 packets compressed
                      0 bytes before decomp                  0 bytes before comp
                      0 bytes after decomp                   0 bytes after comp
                      0 packets bypass decompr               0 packets bypass compres
                      0 bytes bypass decompres               0 bytes bypass compressi
                      0 packets not decompress               0 packets not compressed
                      0 bytes not decompressed               0 bytes not compressed
                  1.0:1 compression ratio                1.0:1 overall
                     33 commands out                        33 commands acknowledged
                Last 5 minutes:
                     60 packets in                          60 packets out
                      0 paks/sec in                          0 paks/sec out
                    121 bits/sec in                        120 bits/sec out
                   1720 bytes decrypted                   1140 bytes encrypted
                     46 Kbits/sec decrypted                 30 Kbits/sec encrypted
                  1.0:1 compression ratio                1.0:1 overall
        Errors:
           ppq full errors         :        0   ppq rx errors           : 0
           cmdq full errors        :        0   cmdq rx errors          : 0
           no buffer               :        0   replay errors           : 0
           dest overflow           :        0   authentication errors   : 0
           Other error             :        0   RNG self test fail      : 0
           DF Bit set              :        0   Hash Miscompare         : 0
           Unwrappable object      :        0   Missing attribute       : 0
           Invalid attrribute value:        0   Bad Attribute           : 0
           Verification Fail       :        0   Decrypt Failure         : 0
           Invalid Packet          :        0   Invalid Key             : 0
           Input Overrun           :        0   Input Underrun          : 0
           Output buffer overrun   :        0   Bad handle value        : 0
           Invalid parameter       :        0   Bad function code       : 0
           Out of handles          :        0   Access denied           : 0
Warnings:
           sessions_expired        :        0   packets_fragmented      : 0
           general:                :        0
        HSP details:
           hsp_operations          :        0   hsp_sessions            : 0
Step 14 Use the show crypto ipsec sa command to display the settings used by current SAs.
router# show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: Gateway, local addr. 10.10.10.13
   protected vrf:
   local  ident (addr/mask/port/port): (10.10.10.13/255.255.255.255/0/0)
   remote ident (addr/mask/port/port): (10.10.10.130/255.255.255.255/0/0)
   current_peer: 10.10.10.130:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 324, #pkts encrypt: 324, #pkts digest: 324
    #pkts decaps: 316, #pkts decrypt: 316, #pkts verify: 316
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 71, #recv errors 0
     local crypto endpt.: 10.10.10.13, remote crypto endpt.: 10.10.10.130
     path mtu 1500, media mtu 1500
     current outbound spi: 9073D35
     inbound esp sas:
      spi: 0x9FCB508(167556360)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5121, flow_id: 1, crypto map: gateway
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4446388/1913)
        ike_cookies: 6A391EE1 E57F3670 D4D78758 2F5C8E7C
        IV size: 8 bytes
        replay detection support: Y
      spi: 0xD132AE54(3509759572)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5123, flow_id: 3, crypto map: gateway
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4402107/1913)
        ike_cookies: 6A391EE1 E57F3670 D4D78758 2F5C8E7C
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x7D078A45(2097646149)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5122, flow_id: 2, crypto map: gateway
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4446388/1911)
        ike_cookies: 6A391EE1 E57F3670 D4D78758 2F5C8E7C
        IV size: 8 bytes
        replay detection support: Y
      spi: 0x9073D35(151469365)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5124, flow_id: 4, crypto map: gateway
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4402077/1911)
        ike_cookies: 6A391EE1 E57F3670 D4D78758 2F5C8E7C
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.13/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.131/255.255.255.255/0/0)
   current_peer: 10.10.10.131:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.10.10.13, remote crypto endpt.: 10.10.10.131
     path mtu 1500, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Step 15 Use the show crypto isakmp sa command to display current IKE SAs at a peer.
Router# show crypto isakmp sa
dst             src             state          conn-id slot
10.10.10.130    10.10.10.13     QM_IDLE              1    0
Step 16 Use the show crypto session command to display the status of the current crypto session.
Router# show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.10.10.130/500
  IKE SA: local 10.10.10.13/500 remote 10.10.10.130/500 Active
  IPSEC FLOW: permit ip host 10.10.10.13 host 10.10.10.130
        Active SAs: 4, origin: crypto map
Step 17 Use the show crypto session detail command to display IPSec details and statistics of the current crypto session.
Router# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.10.10.130/500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.10.10.130
      Desc: (none)
  IKE SA: local 10.10.10.13/500 remote 10.10.10.130/500 Active
          Capabilities:(none) connid:1 lifetime:07:30:00
  IPSEC FLOW: permit ip host 10.10.10.13 host 10.10.10.130
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 335 drop 0 life (KB/Sec) 4402106/1800
        Outbound: #pkts enc'ed 327 drop 71 life (KB/Sec) 4402076/1800
Configuration Examples for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

This section provides the following configuration example:

•Voice Security Features Example

Voice Security Features Example

The following example shows voice security features enabled:
Router# show running-config
Building configuration...
Current configuration : 2304 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
voice-card 1
 no dspfarm
!         
voice-card 2
 no dspfarm
!         
The following lines show secure codec complexity enabled:
voice-card 4
 codec complexity secure
 dspfarm  
! 
!
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
!
ip domain name cisco.com
The IP domain name should match the domain name configured on Cisco CallManager.
!
Cisco CallManager-manager mgcp
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 10.1.1.12
The crypto key should match the key configured on Cisco CallManager. This method and encapsulation mode should also match the method and encapsulation mode configured on Cisco CallManager. Other methods of key exchange are also supported. For more information refer to Cisco IOS Security Configuration Guide, Release 12.3.
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode transport
The crypto IPSec configuration should match the Cisco CallManager configuration.
!
crypto map rtp 1 ipsec-isakmp
 set peer 10.1.1.12
 set transform-set rtpset
 match address 115
!
interface FastEthernet0/1
 ip address 10.1.1.212 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
 crypto map rtp
!
The following line shows the IPSec access list.
access-list 115 permit ip host 10.1.1.212 host 10.1.1.12
!
voice-port 1/0/0
!
voice-port 2/0/0
!
mgcp
mgcp call-agent 10.1.1.12 service-type mgcp version 0.1
The mgcp package-capability command enables the MGCP application ability to manage SRTP calls and advertise SRTP capability in SDP sent to remote gateways.
mgcp package-capability srtp-package
!
mgcp profile default
!
dial-peer voice 100 pots
 application mgcpapp
 port 1/0/0
!
dial-peer voice 200 pots
 application mgcpapp
 port 2/0/0
!
dial-peer voice 201 pots
 application mgcpapp
 port 2/0/1
!
dial-peer voice 202 pots
 application mgcpapp
 port 2/0/2
!
dial-peer voice 203 pots
 application mgcpapp
 port 2/0/3
!
dial-peer voice 101 pots
 application mgcpapp
 port 1/0/1
!
dial-peer voice 110 pots
 application mgcpapp
 port 1/1/0
!
dial-peer voice 111 pots
 application mgcpapp
 port 1/1/1
!
!
alias exec k show mgcp conn | inc K=
alias exec sr sh call active voi | inc SRTP
alias exec rs sh rtpspi call | inc Snd-Rcv
alias exec vc sh voi call
alias exec m sh mgcp conn
alias exec cav sh call active voi
alias exec rsa sh rtpspi call
alias exec cc clear counters
alias exec sta sh int fa0/1 stat
alias exec cef sh ip cef
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
Additional References

The following sections provide references related to the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature.

Related Documents

Related Topic

Document Title

Cisco CallManager configuration

Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)

Cisco CallManager and IPSec configuration

•"How to Configure IPSec Tunneling in Windows 2000," Microsoft Knowledge Base article.

•"Step-by-Step Guide to Internet Protocol Security (IPSec)," "Building A Custom IPSec Policy" section, Microsoft Knowledge Base article.

Cisco IP Phone 7940 and 7960 administration

Cisco IP Phone Model 7960G and 7940G Administration Guide for Cisco CallManager Release 4.1

Cisco IP Phone 7970 administration

Cisco IP Phone 7970 Administration Guide for Cisco CallManager

Cisco 2621 configuration

Cisco 2621 Modular Access Router with AIM-VPN/BP Security Policy

Cisco 2651 configuration

Cisco 2651 Modular Access Router with AIM-VPN/BP Security Policy

Cisco 3640 configuration

Cisco 3640 Modular Access Router with AIM-VPN/BP Security Policy

Cisco 3660 configuration

Cisco 3660 Modular Access Router with AIM-VPN/BP Security Policy

Cisco SRST configuration

Cisco SRST Version 3.0 System Administrator Guide

Cisco SRST command reference

Cisco SRST Version 3.0 Command Reference

Secure SRST router configuration

"Setting Up Secure SRST"

Advanced Encryption Standard (AES) feature

Advanced Encryption Standard

IPSec configuration

Cisco IOS Security Configuration Guide, Release 12.3

IPSec commands

Cisco IOS Security Command Reference, Release 12.3

MGCP configuration

MGCP and Related Protocols Configuration Guide

Cisco IOS voice configuration

Cisco IOS Voice Configuration Library

Cisco IOS voice command reference

Cisco IOS Voice, Video, and Fax Command Reference, Release 12.3T

Standards

Standards

Title

IETF draft draft-ietf-mmusic-sdescriptions-02.txt

Security Descriptions for Media Streams

MIBs

MIBs

MIBs Link

CISCO-VOICE-DIAL-CONTROL-MIB

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFCs

Title

RFC 3711

Secure Real-time Transport Protocol

Technical Assistance

Description

Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents new and modified commands only:

•codec complexity

•mgcp package-capability

•mgcp validate call-agent source-ipaddr

•show mgcp

•show mgcp srtp

•show mgcp statistics

•show voice dsp

codec complexity

To specify call density and codec complexity according to the codec standard that is being used, use the codec complexity command in voice-card configuration mode. To reset the flex complexity default, use the no form of this command.

codec complexity {flex [reservation-fixed {high | medium}] | high | medium | secure}
no codec complexity
Syntax Description

flex

When the flex keyword is used, up to 16 calls can be completed per digital signal processor (DSP). The number of supported calls varies from 6 to 16, depending on the codec used for a call. In this mode, reservation for analog voice interface cards (VICs) may be needed for certain applications such as Central Automatic Message Accounting (CAMA) E-911 calls because oversubscription of DSPs is possible. If this is true, enable the reservation-fixed keyword may be enabled. There is no reservation by default.

reservation-fixed

(Optional) If you have specified the flex keyword, the reservation-fixed keyword ensures that sufficient DSP resources are available to handle a call. If you enter the reservation-fixed keyword, set the complexity for high or medium. (See the guidelines following to understand the effects of the keywords.) This option appears only when there is an analog VIC present.

high

If you specify the high keyword to define the complexity, each DSP supports two voice channels encoded in any of the following formats:

•g711alaw—G.711 A-law 64,000 bps.

•g711ulaw—G.711 u-law 64,000 bps.

•g723ar53—G.723.1 Annex A 5300 bps.

•g723ar63—G.723.1 Annex A 6300 bps.

•g723r53—G.723.1 5300 bps.

•g723r63—G.723.1 6300 bps.

•g723r16—G.726 16,000 bps.

•g726r24—G726 24,000 bps.

•g726r32—G.726 32,000 bps.

•g728—G.728 16,000 bps.

•g729r8—G.729 8000 bps. This is the default.

•g729br8—G.729 Annex B 8000 bps.

•fax relay—2400 bps, 4800 bps, 7200 bps, 9600 bps, 12 kbps, and 14.4 kbps.

Note Codecs G.723.1 and G.728 are not supported on Cisco 1750 and Cisco 1751 modular access routers for Cisco Hoot and Holler over IP applications.

medium

If you specify the medium keyword to define the complexity, each DSP supports four voice channels encoded in any of the following formats:

•g711alaw—G.711 A-law 64,000 bps.

•g711ulaw—G.711 u-law 64,000 bps.

•g726r16—G.726 16,000 bps.

•g726r24—G.726 24,000 bps.

•g726r32—G.726 32,000 bps.

•g729r8—G.729 Annex A 8000 bps.

•g729br8—G.729 Annex B with Annex A 8000 bps.

•fax relay—2400 bps, 4800 bps, 7200 bps, 9600 bps, 12 kbps, and 14.4 kbps. Fax relay is the default.

secure

If you specify the secure keyword to define complexity, each DSP on an NM-HDV network module supports two voice channels encoded in any of the following formats:

•g711alaw—G.711 a-law 64,000 bps.

•g711ulaw—G.711 u-law 64,000 bps.

•g729—G.729 8000 bps.

•g729A—G.729 8000 bps.

Defaults

flex complexity

Command Modes

Voice-card configuration

Command History

Release

Modification

12.0(5)XK

This command was introduced on the Cisco 2600 and Cisco 3600 series.

12.0(7)T

This command was integrated into Cisco IOS Release 12.0(7)T.

12.0(7)XK

This command was implemented on the Cisco MC3810 for use with the high-performance compression module (HCM).

12.1(2)T

This command was integrated into Cisco IOS Release 12.1(2)T.

12.2(8)T

This command was implemented on the Cisco 1750 and Cisco 1751.

12.2(13)T

The ecan-extended keyword was added.

12.2(15)T

This command was integrated into Cisco IOS Release 12.2(15)T with support for the Cisco 2600 series, Cisco 2600XM, Cisco 3660, Cisco 3725, and Cisco 3745 routers. High codec complexity is supported for DSP processing on these platforms.

12.2(15)ZJ

This command was integrated into Cisco IOS Release 12.2(15)ZJ and the flex keyword was added.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T and the reservation-fixed keyword was added.

12.3(14)T

This command was integrated into Cisco IOS Release 12.3(14)T and the secure keyword was added. Secure codec complexity is supported for TI-549 DSP processing on the NM-HDV network module.

Usage Guidelines

Codec complexity refers to the amount of processing required to perform voice compression. Codec complexity affects the call density—the number of calls reconciled on the DSPs. With higher codec complexity, fewer calls can be handled. Select a higher codec complexity if that is required to support a particular codec or combination of codecs. Select a lower codec complexity to support the greatest number of voice channels, provided that the lower complexity is compatible with the particular codecs in use.

For codec complexity to change, all of the DSP voice channels must be in the idle state.

When you have specified the flex keyword, you can connect (or configure in the case of DS0 groups and PRI groups) more voice channels to the module than the DSPs can accommodate. If all voice channels should go active simultaneously, the DSPs become oversubscribed, and calls that are unable to allocate a DSP resource fail to connect. The flex keyword allows the DSP to process up to 16 channels. In addition to continuing support for configuring a fixed number of channels per DSP, the flex keyword enables the DSP to handle a flexible number of channels. The total number of supported channels varies from 6 to 16, depending on which codec is used for a call. Therefore, the channel density varies from 6 per DSP (high-complexity codec) to 16 per DSP (g.711 codec).

The high keyword selects a higher codec complexity if that is required to support a particular codec or combination of codecs. When you use the codec complexity high command to change codec complexity, the system prompts you to remove all existing DS0 or PRI groups using the specified voice card, then all DSPs are reset, loaded with the specified firmware image, and released.

The medium keyword selects a lower codec complexity to support the greatest number of voice channels, provided that the lower complexity is compatible with the particular codecs in use.

The secure keyword restricts the number of TI-549 DSP channels to 2, which is the lower codec complexity required to support Secure Real-Time Transport Protocol (SRTP) package capability on the NM-HDV and enable media authentication and encryption. If the secure command is not configured then the gateway will not advertise secure capability to Cisco CallManager, resulting in nonsecure calls. You do not need to use any command to specify secure codec complexity for TI-5510 DSPs, which support SRTP capability in all modes. Use the mgcp package-capability srtp-package command to enable MGCP gateway capability to process SRTP packages. Use the show voice dsp command to view codec complexity status.

Examples

The following example sets the codec complexity to high on voice card 1 installed on a router, and configures local calls to bypass the DSP:
voice-card 1
 codec complexity high
local-bypass
The following example sets the codec complexity to secure on voice card 1 installed on the NM-HDV, and configures it to support SRTP package processing, media authentication and encryption:
voice-card 1
	codec complexity secure
Related Commands

Command

Description

ds0-group

Defines T1/E1 channels for compressed voice calls and the CAS method by which the router connects to the PBX or PSTN.

mgcp package-capability

Enables MGCP gateway capability to process SRTP packages.

show voice dsp

Displays the current status of all DSP voice channels.

mgcp package-capability

To specify an MGCP package capability type for a media gateway, use the mgcp package-capacity command in global configuration mode. To remove a specific MGCP package capability from the list of capabilities, use the no form of this command.

mgcp package-capability package
no mgcp package-capability package
Syntax Description

package

Specifies one of the following package capabilities (available choices vary according to platform and release version; check CLI help for a list):

•as-package—Announcement server package.

•atm-package—ATM package. MGCP for VoATM using ATM adaptation layer 2 (AAL2) permanent virtual circuit (PVC) and a subset of ATM extensions specified by Cisco is supported. Switched virtual circuit (SVC)-based VoAAL2 is not supported.

•dt-package—DT package. Events and signals for immediate-start and basic dual-tone multifrequency (DTMF) and dial-pulse trunks.

•dtmf-package—DTMF package. Events and signals for DTMF relay.

•fxr-package—FXR package for fax transmissions.

•gm-package—Generic media package. Events and signals for several types of endpoints, such as trunking gateways, access gateways, or residential gateways.

•hs-package—Handset package. An extension of the line package, to be used when the gateway is capable of emulating a handset.

•it-package—PacketCable Trunking Gateway Control Protocol (TGCP) ISDN User Part (ISUP) trunk package.

•lcs-package—MGCP Line Control Signaling (LCS) package.

•line-package—Line package. Events and signals for residential lines. This is the default for residential gateways.

•mf-package—MF package. Events and signals for multifrequency tones (MF) relay.

•mo-package—MO (Multifrequency Operations) package. Events and signals for Operator Service Signaling protocol for Feature Group D (FGD).

•ms-package—MS package. Events and signals for MF single-stage dialing trunks, including wink-start and immediate-start PBX Direct Inward Dialing (DID) and Direct Outward Dialing (DOD), basic R1, and FGD Terminating Protocol.

•mt-package—MT package. Events and signals for the Operator Service Signaling Protocol.

•nas-package—NAS package. Events and signals for network access server (NAS) data lines.

•pre-package—MLPP package. Events and signals for multilevel precedence and preemption (MLPP).

•res-package—RES package. Events and signals for Resource Reservation Protocol (RSVP)-based bandwidth reservation.

•rtp-package—RTP package. Events and signals for the Real-Time Transport Protocol (RTP) stream.

•script-package—Script package. Events and signals for script loading.

•srtp-package—Secure RTP (SRTP) package. Enables MGCP gateway capability to process SRTP packages. The default is disabled.

•trunk-package—Trunk package. Events and signals for trunk lines. This is the default for trunking gateways.

Defaults

For residential gateways: line-package
For trunk gateways: trunk-package

Command Modes

Global configuration

Command History

Release

Modification

12.0(7)XR2

This command was introduced on the Cisco AS5300.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1(1)T.

12.1(3)T

This command was implemented on the following platforms: Cisco uBR924, Cisco 2600 series, and Cisco 3660. The line-package, rtp-package, and script-package keywords were added and a distinction was made between residential and trunking gateways.

12.1(5)XM

This command was implemented on the Cisco 3600 series and Cisco MC3810. The atm-package, hs-package, ms-package, dt-package, and mo-package keywords were added.

12.2(2)T

This command was integrated into Cisco IOS Release 12.2(2)T and implemented on the Cisco 7200 series.

12.2(2)XB

The res-package keyword was added.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(11)T

This command was implemented on the following platforms: Cisco AS5300, Cisco AS5350, Cisco AS5400, and Cisco AS5850.

12.3(1)

The fxr-package keyword was added.

12.3(8)T

The lcs-package keyword was added.

12.3(8)XY

The pre-package keyword was added.

12.3(11)T

This command was integrated into Cisco IOS Release 12.3(11)T. The srtp-package keyword was added.

Usage Guidelines

Events specified in the MGCP messages from the call agent must belong to one of the supported packages. Otherwise, connection requests are refused by the gateway.

By default, certain packages are configured as supported on each platform type. Using this command, you can configure additional package capability only for packages that are supported by your call agent. You can also disable support for a package with the no form of this command. Enter each package you want to add as a separate command.

Use the show mgcp command to see the packages that are supported on the gateway.

Use this command before specifying a default package with the mgcp default-package command. Specify at least one default package.

Packages that are available to be configured with this command vary by platform and type of gateway. Use CLI help to ascertain the packages available on your gateway. This example shows the CLI help output for a Cisco 3660:
Router# mgcp package-capability ?
as-package     Select the Announcement Server Package
atm-package    Select the ATM Package
dtmf-package   Select the DTMF Package
gm-package     Select the Generic Media Package
hs-package	    Select the Handset Package
line-package   Select the Line Package
mf-package     Select the MF Package
res-package    Select the RES Package
rtp-package    Select the RTP Package
trunk-package  Select the Trunk Package
Note The CAS packages configured using the dt-package, mo-package, and ms-package keywords are available only as default packages. They do not appear as keywords in the mgcp package-capability command. The reason is that all the other packages are configured on a per-gateway basis, whereas the CAS packages are defined on a per-trunk basis. The per-trunk specification is made when the trunk is configured using the ds0-group command.

When the lcs-package keyword is used on the Cisco IAD, the named telephony events (NTEs) associated with the line control signalling (LCS) package are enabled automatically. NTEs are used by a media gateway to transport telephony tones and trunk events across a packet network. Refer to RFC-2833.

Note Using NTE in the LCS package requires a successful MGCP/Session Definition Protocol (SDP) negotiation during call setup. The Call Agent must use the Line Connection Option's fmtp parameter keyword, telephone-event, to indicate which LCS NTEs will be used. If the IAD has been configured to use the LCS package, the IAD will answer with a SDP containing the requested LCS NTE events.

Examples

The following example enables the trunk package, DTMF package, and script package on the gateway, and then names the trunk package as the default package for the gateway:
Router(config)# mgcp package-capability trunk-package
Router(config)# mgcp package-capability dtmf-package
Router(config)# mgcp package-capability script-package
Router(config)# mgcp default-package trunk-package
Related Commands

Command

Description

ds0-group

Specifies the DS0 time slots that make up a logical voice port

mgcp

Starts the MGCP daemon.

mgcp default-package

Configures the default package capability type for the media gateway.

show mgcp

Displays the supported MGCP packages.

mgcp validate call-agent source-ipaddr

To enable the Media Gateway Control Protocol (MGCP) application to validate that packets are received from a configured call agent, use the mgcp validate call-agent source-ipaddr command in global configuration mode. To disable the validation feature, use the no form of this command.

mgcp validate call-agent source-ipaddr
no mgcp validate call-agent source-ipaddr
Syntax Description

This command has no arguments or keywords.

Defaults

No validation occurs.

Command Modes

Global configuration

Command History

Release

Modification

12.3(11)T

This command was introduced.

Usage Guidelines

This command verifies that incoming packets are received from MGCP or Cisco CallManager configured call agents only. When the command is enabled, all MGCP messages received from call agents that are not configured in MGCP or Cisco CallManager are dropped. Use the mgcp validate call-agent source-ipaddr command in place of access lists to filter out packets from unconfigured call agents. Use the mgcp bind control source-interface interface command to restrict the MGCP application from responding to unconfigured call agent requests on nonsecure interfaces. Use the ccm-manager config server server address command to configure the Cisco CallManager address to be used when verifying incoming packets.

Examples

The following example shows that MGCP call-agent validation is enabled:
Router(config)# mgcp validate call-agent source-ipaddr
Related Commands

Command

Description

ccm-manager config server

Configures the Cisco CallManager address used in verifying incoming packets.

mgcp bind control source-interface

Restricts the MGCP application from responding to unconfigured call agent requests on nonsecure interfaces.

mgcp call-agent

Configures the IP address for the primary or default Cisco CallManager server and designates the optional destination UDP port number for the specified Cisco CallManager server.

show mgcp srtp

Displays active MGCP SRTP calls.

show mgcp

To display values for Media Gateway Control Protocol (MGCP) parameters, use the show mgcp command in privileged EXEC mode.

show mgcp [connection | endpoint | nas | profile | statistics]
Syntax Description

connection

(Optional) Displays the active MGCP-controlled connections.

endpoint

(Optional) Displays the MGCP-controlled endpoints.

nas

(Optional) Displays the MGCP data-channel information.

profile

(Optional) Displays the MGCP profile.

statistics

(Optional) Displays MGCP statistics regarding received and transmitted network messages.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.1(1)T

This command was introduced on the Cisco AS5300.

12.1(3)T

This command output was updated to display additional gateway and platform information.

12.1(5)XM

Output was updated to display additional gateway and platform information.

12.2(2)T

This command was implemented on the Cisco 7200 series.

12.2(2)XA

The profile keyword was added to the show mgcp command.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.

12.2(2)XB

Output for the show mgcp command was enhanced to display the status of MGCP system resource check (SRC) call admission control (CAC) and Service Assurance Agent (SA Agent) CAC. (Refer to the Cisco IOS Release 12.2(2)XB online document MGCP VoIP Call Admission Control.)

In addition, the nas dump slot port channel and nas info keywords and arguments were added to the show mgcp command. Because the number of keywords increased, the command-reference page for the show mgcp command was separated into the following command-reference pages:

•show mgcp

•show mgcp connection

•show mgcp endpoint

•show mgcp nas

•show mgcp profile

•show mgcp statistics

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(2)XN

Support for enhanced MGCP voice gateway interoperability was added to Cisco CallManager Version 3.1 for the Cisco 2600 series, Cisco 3600 series, and Cisco VG200.

12.2(11)T

This command was integrated into Cisco IOS Release 12.2(11)T and Cisco CallManager Version 2.0. It was implemented on the Cisco AS5350, Cisco AS5400, Cisco AS5850, and Cisco IAD2420 series. The MGCP SGCP RSIP field was enhanced to show the status of the mgcp sgcp disconnected notify command.

12.2(13)T

This command was supported with MGCP in Cisco IOS Release 12.2(13)T.

12.2(15)T

This command was implemented on the Cisco 1751 and Cisco 1760.

12.2(15)ZJ

This command was integrated into Cisco IOS Release 12.2(15)ZJ on the Cisco 26xxXM, Cisco 2691, Cisco 3640, Cisco 3640A, Cisco 3660, and Cisco 37xx.

12.3(2)T

This command was implemented on the Cisco 26xxXM, Cisco 2691, Cisco 3640, Cisco 3640A, Cisco 3660, and Cisco 37xx.

12.3(11)T

Command output was enhanced to display the enabled Secure Real-Time Transport Protocol (SRTP) package and enabled MGCP call-agent validation.

Usage Guidelines

This command provides high-level administrative information about the values configured for MGCP parameters on the router. For more specific types of information, use one of the optional keywords.

Use the show mgcp endpoint command to show a list of MGCP endpoint responses when using the Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature.

The BRI endpoints are displayed in a similar manner to the way analog (POTS) endpoints are displayed. The existing functions used for the analog endpoints are invoked. This display is independent of the platforms and hence the changes are required in the common code only.

This command checks for all "htsp_info_t" structures allocated. These structures store information corresponding to all the endpoints. These structures are allocated during system start up time only. The structures are allocated for all the interfaces present, but the "vtsp_sdb_t" structure is allocated only for the first channel of the BRI port.

Because endpoints using the MGCPAPP as the application layer have to be displayed, the endpoints are also displayed if the application being used by the endpoint is MGCPAPP only. Because the MGCPAPP is shared across both of the BRI channels and is port specific, both ports are displayed.

Examples

The following is sample output from this command:
Router# show mgcp
MGCP Admin State ACTIVE, Oper State ACTIVE - Cause Code NONE
MGCP call-agent: 172.18.195.147 2300 Initial protocol service is SGCP 1.5
MGCP block-newcalls DISABLED
MGCP send SGCP RSIP:forced/restart/graceful DISABLED, disconnected ENABLED
MGCP quarantine mode discard/step
MGCP quarantine of persistent events is ENABLED
MGCP dtmf-relay for VoIP disabled for all codec types
MGCP dtmf-relay voaal2 codec all
MGCP voip modem passthrough mode: NSE, codec: g711ulaw, redundancy: DISABLED,
MGCP voaal2 modem passthrough mode: NSE, codec: g711ulaw
MGCP TSE payload: 100
MGCP T.38 Named Signalling Event (NSE) response timer: 200
MGCP Network (IP/AAL2) Continuity Test timer: 3000
MGCP 'RTP stream loss' timer: 2
MGCP request timeout 500
MGCP maximum exponential request timeout 4000
MGCP gateway port: 2427, MGCP maximum waiting delay 3000
MGCP restart delay 0, MGCP vad DISABLED
MGCP rtrcac DISABLED
MGCP system resource check DISABLED
MGCP xpc-codec: DISABLED, MGCP persistent hookflash: DISABLED
MGCP persistent offhook: ENABLED, MGCP persistent onhook: DISABLED
MGCP piggyback msg DISABLED, MGCP endpoint offset DISABLED
MGCP simple-sdp DISABLED
MGCP undotted-notation DISABLED
MGCP codec type g711ulaw, MGCP packetization period 20
MGCP JB threshold lwm 30, MGCP JB threshold hwm 150
MGCP LAT threshold lmw 150, MGCP LAT threshold hwm 300
MGCP PL threshold lwm 1000, MGCP PL threshold hwm 10000
MGCP CL threshold lwm 1000, MGCP CL threshold hwm 10000
MGCP playout mode is adaptive 60, 4, 200 in msec
MGCP IP ToS low delay disabled, MGCP IP ToS high throughput disabled
MGCP IP ToS high reliability disabled, MGCP IP ToS low cost disabled
MGCP IP RTP precedence 5, MGCP signaling precedence: 3
MGCP default package: line-package
MGCP supported packages: gm-package dtmf-package trunk-package line-package
                         hs-package atm-package ms-package dt-package res-package
                         mt-package srtp-package fxr-package lcs-package	
Table 4 describes significant fields shown in this output.

Table 4 show mgcp Field Descriptions

Field

Description

MGCP Admin State...Oper State

Administrative and operational state of the MGCP daemon. The administrative state controls starting and stopping the application using the mgcp and mgcp block-newcalls commands. The operational state controls normal MGCP operations.

MGCP call-agent

Address of the call agent specified in the mgcp call-agent or call-agent command and protocol initiated for this session.

MGCP block-newcalls

State of the mgcp block-newcalls command.

MGCP send SGCP RSIP, disconnected

Setting for the mgcp sgcp restart notify and the mgcp sgcp disconnected notify commands (enabled or disabled).

MGCP quarantine mode

How the quarantine buffer is to handle Simple Gateway Control Protocol (SGCP) events.

MGCP quarantine of persistent events is

Whether SGCP persistent events are handled by the quarantine buffer.

MGCP dtmf-relay

Setting for the mgcp dtmf-relay command.

MGCP voip modem passthrough

Settings for mode, codec, and redundancy from the mgcp modem passthrough mode, mgcp modem passthrough codec, and mgcp modem passthrough voip redundancy commands.

MGCP voaal2 modem passthrough

Settings for mode, codec, and redundancy from the mgcp modem passthrough mode and mgcp modem passthrough codec commands.

MGCP TSE payload

Setting for the mgcp tse payload command.

MGCP Network (IP/AAL2) Continuity Test timer

Setting for the net-cont-test keyword in the mgcp timer command.

MGCP `RTP stream loss' timer

Setting for the receive-rtcp keyword in the mgcp timer command.

MGCP request timeout

Setting for the mgcp request timeout command.

MGCP maximum exponential request timeout

Setting for the mgcp request timeout max command.

MGCP gateway port

User Datagram Protocol (UDP) port specification for the gateway.

MGCP maximum waiting delay

Setting for the mgcp max-waiting-delay command.

MGCP restart delay

Setting for the mgcp restart-delay command.

MGCP vad

Setting for the mgcp vad command.

MGCP rtrcac

Whether MGCP SA Agent CAC has been enabled with the mgcp rtrcac command.

MGCP system resource check

Whether MGCP SRC CAC has been enabled with the mgcp src-cac command.

MGCP xpc-codec

Whether the mgcp sdp xpc-codec command has been configured to generate the X-pc codec field for Session Description Protocol (SDP) codec negotiation in Network-based Call Signaling (NCS) and Trunking Gateway Control Protocol (TGCP).

MGCP persistent hookflash

Whether the mgcp persistent hookflash command has been configured to send persistent hookflash events to the call agent.

MGCP persistent offhook

Whether the mgcp persistent offhook command has been configured to send persistent offhook events to the call agent.

MGCP persistent onhook

Whether the mgcp persistent onhook command has been configured to send persistent onhook events to the call agent.

MGCP piggyback msg

Whether the mgcp piggyback message command has been configured to enable piggyback messaging.

MGCP endpoint offset

Whether the mgcp endpoint offset command has been configured to enable incrementing of the local portion of an endpoint name for NCS. The local portion contains the analog or digital voice port identifier.

MGCP simple-sdp

Whether the mgcp sdp simple command has been configured to enable simple mode SDP operation.

MGCP undotted notation

Whether the mgcp sdp notation undotted command has been configured to enable undotted SDP notation for the codec string.

MGCP codec type

Setting for the mgcp codec command.

MGCP packetization period

The packetization period parameter setting for the mgcp codec command.

MGCP JB threshold lwm

Jitter-buffer minimum-threshold parameter setting for the mgcp quality-threshold command.

MGCP JB threshold hwm

Jitter-buffer maximum-threshold parameter setting for the mgcp quality-threshold command.

MGCP LAT threshold lwm

Latency minimum-threshold parameter setting for the mgcp quality-threshold command.

MGCP LAT threshold hwm

Latency maximum-threshold parameter setting for the mgcp quality-threshold command.

MGCP PL threshold lwm

Packet-loss minimum-threshold parameter setting for the mgcp quality-threshold command.

MGCP PL threshold hwm

Packet-loss maximum-threshold parameter setting for the mgcp quality-threshold command.

MGCP CL threshold lwm

Cell-loss minimum-threshold parameter setting for the mgcp quality-threshold command.

MGCP CL threshold hwm

Cell-loss maximum-threshold parameter setting for the mgcp quality-threshold command.

MGCP playout mode is

Jitter-buffer packet type and size.

MGCP IP ToS low delay

The low-delay parameter setting for the mgcp ip-tos command.

MGCP IP ToS high throughput

The high-throughput parameter setting for the mgcp ip-tos command.

MGCP IP ToS high reliability

The high-reliability parameter setting for the mgcp ip-tos command.

MGCP IP ToS low cost

The low-cost parameter setting for the mgcp ip-tos command.

MGCP IP RTP precedence

The rtp precedence parameter setting for the mgcp ip-tos command.

MGCP signaling precedence

The signaling precedence parameter setting for the mgcp ip-tos command.

MGCP default package

Package configured as the default package with the mgcp default-package command.

MGCP supported packages

Packages configured with the mgcp package-capability command to be supported on this gateway in this session. The lcr-package display is new in 12.3(8)T.

MGCP T.38 Fax

Settings for the mgcp fax t.38 command. The following values are displayed:

•MGCP T.38 fax: enabled or disabled.

•Error correction mode (ECM): enabled or disabled.

•Non-standard facilities (NSF) override: enabled or disabled. If enabled, the override code is displayed.

•MGCP T.38 fax low-speed redundancy: the factor set on the gateway for redundancy.

•MGCP T.38 fax high-speed redundancy: the factor set on the gateway for redundancy.

Related Commands

Command

Description

ccm-manager config

Supplies the local MGCP voice gateway with the IP address or logical name of the TFTP server from which to download XML configuration files and enable the download of the configuration.

debug ccm-manager

Displays debugging information about the Cisco CallManager.

debug mgcp

Enables debug traces for MGCP errors, events, media, packets, and parser.

isdn bind-l3 (interface BRI)

Configures the BRI interface to support MGCP and to bind ISDN Layer 3 with Cisco CallManager backhaul.

mgcp

Allocates resources for the MGCP and starts the daemon.

security password-group

Defines the passwords used by gatekeeper zones and associates them with an ID for gatekeeper-to-gatekeeper authentication.

show ccm-manager

Displays a list of Cisco CallManager servers, their current status, and their availability.

show ccm-manager fallback-mgcp

Displays the status of the MGCP gateway fallback feature.

show mgcp connection

Displays information for active MGCP-controlled connections.

show mgcp endpoint

Displays information for MGCP-controlled endpoints.

show mgcp nas

Displays MGCP NAS information for data ports.

show mgcp profile

Displays values for MGCP profile-related parameters.

show mgcp statistics

Displays MGCP statistics regarding received and transmitted network messages.

show mgcp srtp

To display information for active Secure Real-Time Transport Protocol (SRTP) connections that are controlled by Media Gateway Control Protocol (MGCP), use the show mgcp srtp command in privileged EXEC mode.

show mgcp srtp {summary | detail [endpoint]}
Syntax Description

summary

Displays MGCP SRTP connections summary.

detail endpoint

Displays MGCP SRTP connections details.

•The endpoint argument allows you to limit the display to endpoints for a specific connection. The endpoint argument can take the following values:

–Port numbers.

–The asterisk wildcard character *.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.3(11)T

This command was introduced.

Usage Guidelines

This command provides information about secure calls created by the MGCP application. To specify connection endpoints for display, use the show mgcp srtp detail endpoint command. To display valid values for the endpoint argument, that is, the endpoint port numbers, use the show mgcp connection command. Use the show mgcp srtp detail command to display a hashed version of the master key and salts (encryption mechanisms) used on each connection. This display allows you to validate keys and salts for each endpoint of a call without revealing the actual master key and salt.

Examples

The following is sample output from this command for encrypted connections:
Router# show mgcp srtp summary
MGCP SRTP Connection Summary
Endpoint             Conn Id    Crypto Suite                  
aaln/S3/SU0/0        8          AES_CM_128_HMAC_SHA1_32       
aaln/S3/SU0/1        9          AES_CM_128_HMAC_SHA1_32       
S3/DS1-0/1           6          AES_CM_128_HMAC_SHA1_32       
S3/DS1-0/2           7          AES_CM_128_HMAC_SHA1_32       
4 SRTP connections active
Router# show mgcp srtp detail
MGCP SRTP Connection Detail for Endpoint *
Definitions: CS=Crypto Suite, KS=HASHED Master Key/Salt, SSRC=Syncronization Source, 
ROC=Rollover Counter, KDR=Key Derivation Rate, SEQ=Sequence Number, FEC=FEC Order, 
MLT=Master Key Lifetime, MKI=Master Key Index:MKI Size
Endpoint aaln/S3/SU0/0 Call ID 2 Conn ID 8
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint aaln/S3/SU0/1 Call ID 101 Conn ID 9
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
Endpoint S3/DS1-0/1 Call ID 1 Conn ID 6
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint S3/DS1-0/2 Call ID 100 Conn ID 7
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
4 SRTP connections displayed
Router# show mgcp srtp detail S3/DS1-0/*
MGCP SRTP Connection Detail for Endpoint S3/DS1-0/*
Definitions: CS=Crypto Suite, KS=HASHED Master Key/Salt, SSRC=Syncronization Source, 
ROC=Rollover Counter, KDR=Key Derivation Rate, SEQ=Sequence Number, FEC=FEC Order, 
MLT=Master Key Lifetime, MKI=Master Key Index:MKI Size
Endpoint S3/DS1-0/1 Call ID 1 Conn ID 6
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=3NaOYXS9dLoYDaBHpzRejREfhf0= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
Endpoint S3/DS1-0/2 Call ID 100 Conn ID 7
  Tx:CS=AES_CM_128_HMAC_SHA1_32 KS=llYCQoqxtxtdf7ECe+x+DK+G9v4= SSRC=Random ROC=0 KDR=1 
SEQ=Random FEC=FEC->SRTP MLT=0x80000000 MKI=0:0
  Rx:Not Configured
2 SRTP connections displayed
Table 5 describes the significant fields shown in the display.

Table 5 show mgcp srtp Field Descriptions

Field

Description

Endpoint

Endpoint for each call, shown in the digital endpoint naming convention of slot number (S0) and digital line (DS1-0) number (1).

Call ID

MGCP call ID sent by the call agent.

Conn ID

Connection ID generated by the gateway and sent in the ACK message.

Crypto Suite

Identifies the cryptographic suite used on the connection.

Related Commands

Command

Description

debug mgcp

Enables debug traces for MGCP errors, events, media, packets, and parser.

mgcp

Allocates resources for the MGCP and starts the daemon.

security password-group

Defines the passwords used by gatekeeper zones and associates them with an ID for gatekeeper-to-gatekeeper authentication.

show mgcp

Displays values for MGCP parameters.

show mgcp connection

Displays information for active MGCP-controlled connections.

show mgcp endpoint

Displays information for MGCP-controlled endpoints.

show mgcp nas

Displays MGCP NAS information for data ports.

show mgcp profile

Displays values for MGCP profile-related parameters.

show mgcp statistics

To display Media Gateway Control Protocol (MGCP) statistics regarding received and transmitted network messages, use the show mgcp statistics command in privileged EXEC mode.

show mgcp statistics
Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.1(1)T

The show mgcp command was introduced on the Cisco AS5300.

12.1(3)T

The show mgcp command output was updated to display additional gateway and platform information.

12.1(5)XM

The show mgcp command output was updated to display additional gateway and platform information.

12.2(2)T

The show mgcp command was implemented on the Cisco 7200 series and this command was integrated into Cisco IOS Release 12.2(2)T.

12.2(2)XA

The profile keyword was added to the show mgcp command.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.

12.2(2)XB

Output for the show mgcp command was enhanced to display the status of MGCP system resource check (SRC) call admission control (CAC) and Service assurance agent (SA Agent) CAC. (Refer to the Cisco IOS Release 12.2(2)XB online document MGCP VoIP Call Admission Control.)

The nas dump slot port channel and nas info keywords and arguments were added to the show mgcp command. To simplify the command reference, the command page for the show mgcp command was separated into the following command pages:

•show mgcp

•show mgcp connection

•show mgcp endpoint

•show mgcp nas

•show mgcp profile

•show mgcp statistics

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T. Support for the Cisco AS5300, Cisco AS5350, Cisco AS5400, and Cisco AS5850 is not included in this release.

12.2(11)T

This command is supported on the Cisco AS5300, Cisco AS5350, Cisco AS5400, Cisco AS5800, and Cisco AS5850 in this release.

12.3(11)T

Output was enhanced to display dropped packets from unconfigured call agents if call-agent validation is enabled.

Examples

The following is sample output from this command for VoIP and VoAAL2 statistics:
Router# show mgcp statistics
UDP pkts rx 8, tx 9
Unrecognized rx pkts 0, MGCP message parsing errors 0
Duplicate MGCP ack tx 0, Invalid versions count 0
Rx packets from unknown Call Agent 0
CreateConn rx 4, successful 0, failed 0
DeleteConn rx 2, successful 2, failed 0
ModifyConn rx 4, successful 4, failed 0
DeleteConn tx 0, successful 0, failed 0
NotifyRequest rx 0, successful 4, failed 0
AuditConnection rx 0, successful 0, failed 0
AuditEndpoint rx 0, successful 0, failed 0
RestartInProgress tx 1, successful 1, failed 0
Notify tx 0, successful 0, failed 0
ACK tx 8, NACK tx 0
ACK rx 0, NACK rx 0
IP address based Call Agents statistics:
IP address 10.24.167.3, Total msg rx 8, successful 8, failed 0
The following is an example of the MGCP VoIP SRC CAC portion of this command output for a gateway configured with MGCP VoIP SRC CAC:
Router# show mgcp statistics
MGCP System Resource Check Statistics:
-------------------------------------
Total CreateConn checked by SRC :0
CreateConn accepted by SRC:0
CreateConn rejected by SRC:0
Total ModifyConn checked by SRC :0
ModifyConn accepted by SRC:0
ModifyConn rejected by SRC:0
Reason          Num. of requests rejected
------          -------------------------
cpu-5sec:       0
cpu-avg:        0
total-mem:      0
io-mem:         0
proc-mem:       0
total-calls:    0
Table 6 describes significant fields shown in this output.

Table 6 show mgcp statistics Field Descriptions

Field

Description

UDP pkts rx, tx

Number of User Datagram Protocol (UDP) packets transmitted and received from the call agent by the gateway MGCP application.

Unrecognized rx pkts

Number of unrecognized UDP packets received by the MGCP application.

MGCP message parsing errors

Number of MGCP messages received with parsing errors.

Duplicate MGCP ack tx

Number of duplicate MGCP acknowledgment messages transmitted to the call agents.

Invalid versions count

Number of MGCP messages received with invalid MGCP protocol versions.

Rx packets from unknown Call Agent

Number of dropped packets from unconfigured call agents.

CreateConn rx

Number of Create Connection (CRCX) messages received by the gateway, the number that were successful, and the number that failed.

DeleteConn rx

Number of Delete Connection (DLCX) messages received by the gateway, the number that were successful, and the number that failed.

DeleteConn tx

Number of DLCX messages sent from the gateway to the call agent (CA).

ModifyConn rx

Number of Modify Connection (MDCX) messages received by the gateway, the number that were successful, and the number that failed.

NotifyRequest rx

Number of Notify Request (RQNT) messages received by the gateway, the number that were successful, and the number that failed.

AuditConnection rx

Number of Audit Connection (AUCX) messages received by the gateway, the number that were successful, and the number that failed.

AuditEndpoint rx

Number of Audit Endpoint (AUEP) messages received by the gateway, the number that were successful, and the number that failed.

RestartInProgress tx

Number of Restart in Progress (RSIP) messages sent by the gateway, the number that were successful, and the number that failed.

Notify tx

Number of Notify (NTFY) messages sent by the gateway, the number that were successful, and the number that failed.

ACK tx, NACK tx

Number of Acknowledgment and Negative Acknowledgment messages sent by the gateway.

ACK rx, NACK rx

Number of Acknowledgment and Negative Acknowledgment messages received by the gateway.

IP address based Call Agents statistics: IP address, Total msg rx

IP address of the call agent, the total number of MGCP messages received from that call agent, the number of messages that were successful, and the number of messages that failed.

Total CreateConn checked by SRC

Total number of Create Connection (CRCX) messages that have been checked against the SRC component.

CreateConn accepted by SRC

Number of CRCX messages that have been accepted after being checked by the SRC component.

CreateConn rejected by SRC

Number of CRCX messages that have been rejected by SRC because of resource constraints.

Total ModifyConn checked by SRC

Total number of Modify Connection (MDCX) messages that have been checked against the SRC component.

ModifyConn accepted by SRC

Number of MDCX messages that have been accepted after being checked by the SRC component.

ModifyConn rejected by SRC

Number of MDCX messages that have been rejected by SRC because of resource constraints.

Reason

Specific threshold that was exceeded to cause the rejection.

Num. of requests rejected

Number of requests that have been rejected.

cpu-5sec

CPU utilization for previous 5 seconds threshold was exceeded.

cpu-avg

Average CPU utilization threshold was exceeded.

total-mem

Total memory utilization threshold was exceeded.

io-mem

I/O memory utilization threshold was exceeded.

proc-mem

Processor memory utilization threshold was exceeded.

total-calls

Total number of calls threshold was exceeded.

Related Commands

Command

Description

debug mgcp

Enables debug traces for MGCP errors, events, media, packets, and parser.

mgcp

Allocates resources for the MGCP and starts the daemon.

security password-group

Defines the passwords used by gatekeeper zones and associates them with an ID for gatekeeper-to-gatekeeper authentication.

show mgcp

Displays information for MGCP parameters.

show mgcp connection

Displays information for active MGCP-controlled connections.

show mgcp endpoint

Displays information for MGCP-controlled endpoints.

show mgcp nas

Displays MGCP NAS information for data ports.

show mgcp profile

Displays values for MGCP profile-related parameters.

show voice dsp

To show the current status of all digital signal processor (DSP) voice channels, use the show voice dsp command in privileged EXEC mode.

show voice dsp
Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release

Modification

11.3(1)MA

This command was introduced on the Cisco MC3810.

12.0(7)XK

This command was implemented on the Cisco 2600 series and Cisco 3600 series, and the display format was modified.

12.1(2)T

This command was integrated into Cisco IOS Release 12.1(2)T.

12.3(14)T

Command output was enhanced to display status information for NM-HDV network module TI-549 DSPs.

12.4(4)T

Command output was enhanced to display codec setting for modem relay operation.

12.4(9)T

This command was integrated into Cisco IOS Release 12.4(9)T.

Usage Guidelines

Use this command when abnormal behavior occurs in the DSP voice channels.

Examples

The following sample output shows the current status of the codec, set for modem relay, on channel 1.
Router# show voice dsp
----------------------------FLEX VOICE CARD 1 ------------------------------
                           *DSP VOICE CHANNELS*
DSP   DSP             DSPWARE CURR  BOOT                         PAK   TX/RX
TYPE  NUM CH CODEC    VERSION STATE STATE   RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 001 01 modem-re 4.5.909 busy  idle      0  0 1/1/0     05    0      298/353
                           *DSP SIGNALING CHANNELS*
DSP   DSP             DSPWARE CURR  BOOT                         PAK   TX/RX
TYPE  NUM CH CODEC    VERSION STATE STATE   RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 001 05 {flex}   4.5.909 alloc idle      0  0 1/1/3     02    0         15/0
C5510 001 06 {flex}   4.5.909 alloc idle      0  0 1/1/2     02    0         17/0
C5510 001 07 {flex}   4.5.909 alloc idle      0  0 1/1/1     06    0         31/0
C5510 001 08 {flex}   4.5.909 alloc idle      0  0 1/1/0     06    0        321/0
------------------------END OF FLEX VOICE CARD 1 ----------------------------
The following sample output shows the current status of all DSP voice channels:
Router# show voice dsp
DSP# 0, channel# 0 G729A BUSY
DSP# 0, channel# 1 G729A BUSY
DSP# 1, channel# 2 FAX IDLE
DSP# 1, channel# 3 FAX IDLE
DSP# 2, channel# 4 NONE BAD
DSP# 2, channel# 5 NONE BAD
DSP# 3, channel# 6 NONE BAD
DSP# 3, channel# 7 NONE BAD
DSP# 4, channel# 8 NONE BAD
DSP# 4, channel# 9 NONE BAD
DSP# 5, channel# 10 NONE BAD
DSP# 5, channel# 11 NONE BAD
The following is sample output from this command on a Cisco 1750 router:
Router# show voice dsp
DSP#0: state IN SERVICE, 2 channels allocated
channel#0: voice port 1/0, codec G711 ulaw, state UP
channel#1: voice port 1/1, codec G711 ulaw, state UP
DSP#1: state IN SERVICE, 2 channels allocated
channel#0: voice port 2/0, codec G711 ulaw, state UP
channel#1: voice port 2/1, codec G711 ulaw, state UP
DSP#2: state RESET, 0 channels allocated
The following is sample output from this command on a secure Survivable Remote Site Telephony (SRST) router with the NM-HDV network module and the TI-549 (C549) DSP installed:
Router# show voice dsp
DSP  DSP    DSPWARE  CURR     BOOT                              PAK   TX/RX
TYPE NUM CH CODEC    VERSION  STATE STATE  RST AI VOICEPORT TS ABORT PACK COUNT
==== === == ======== ======= ===== ======= === == ======== === ==== ===========
C549  1  01 {medium} 4.4.3    IDLE  idle     0  0   1/0:0   1   0    9357/9775
C549  1  02 {medium} 4.4.3    IDLE  idle     0      1/0:0   2   0    0/0
C549  2  01 {medium} 4.4.3    IDLE  idle     0  0   1/0:0   3   0    0/0
C549  2  02 {medium} 4.4.3    IDLE  idle     0      1/0:0   4   0    0/0
C549  3  01 {medium} 4.4.3    IDLE  idle     0  0   1/0:0   5   0    0/13
C549  3  02 {medium} 4.4.3    IDLE  idle     0      1/0:0   6   0    0/13
Table 7 describes the significant fields shown in the displays.

Table 7 show voice dsp Field Descriptions

Field

Description

DSP

Number of the DSP.

channel

Number of the channel and its status.

DSP TYPE

TI-549 (C549) DSP.

DSP NUM

Number of the DSP.

CH

Channel number.

CODEC

Complexity setting.

DSPWARE VERSION

Version of DSPware.

CURR STATE

Current status of the channel, either IDLE or BUSY.

BOOT STATE

DSP readiness, either idle or in service.

RST

Number of times the DSP has been reset or restarted.

AI

Alarm indication count on the channel.

VOICEPORT

Voice card number and slot.

TS

Time slot.

PAK ABORT

Number of dropped packets.

TX/RX PACKCOUNT

Number of transmitted and received packets

Related Commands

Command

Description

clear counters

Clears all the current interface counters from the interface.

show dial-peer voice

Displays configuration information for dial peers.

show voice call

Displays the call status for all voice ports.

show voice port

Displays configuration information about a specific voice port.

Glossary

CCM—Cisco Call Manager. For the purposes of this document this is the MGCP Call Agent.

CLI—Ccommand-line interface.

CTL—Certificate Trust List.

DTMF—Dual-tone multifrequency

HMAC—Hashed Message Authentication Codes.

IETF— Internet Engineering Task Force. Standards body for Internet Standards.

IKE—Internet Key Exchange.

IPSec—IP security.

MGCP— Multimedia Gateway Control Protocol.

PIN—Personal identification number.

RTCP—Real-Time Transport Protocol Control Protocol.

RTP—Real-Time Transport Protocol

SDP— Session Description Protocol.

SHA1—Secure Hash Algorithm1.

SRST—Survivable Remote Site Telephony.

SRTP—Secure RTP.

SRTCP— Secure RTCP.

VoIP— Voice over IP.

Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.

CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R)

Copyright © 2004, 2005 Cisco Systems, Inc. All rights reserved.

Hierarchical Navigation

Cisco IOS Software Releases 12.3 T

Media and Signaling Authentication and Encryption Feature on Cisco IOS MGCP Gateways

Downloads

Table Of Contents

Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Contents

Prerequisites for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Restrictions for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Information About Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Benefits of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Feature Design of Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

MGCP Gateway Behavior and Voice Security Features

Voice Security Features Interoperability with Endpoints

How to Configure Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Installing Cisco CallManager

Configuring IPSec on Cisco CallManager

Configuring Voice Security Features on Cisco IOS MGCP Gateways

Prerequisites

SUMMARY STEPS

DETAILED STEPS

Configuring Secure IP Telephony Calls

Certificate Trust Lists

Prerequisites

Verifying Voice Security Features on Cisco IOS MGCP Gateways

SUMMARY STEPS

DETAILED STEPS

Configuration Examples for Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways

Voice Security Features Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

codec complexity

Syntax Description

Defaults

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

mgcp package-capability

Syntax Description

Defaults

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

mgcp validate call-agent source-ipaddr

Syntax Description

Defaults

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show mgcp

Syntax Description

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show mgcp srtp

Syntax Description

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show mgcp statistics

Syntax Description

Command Modes

Command History

Examples

Related Commands