How to Configure Secure Signaling and Media Encryption for the Cisco VG224
Media Encryption (SRTP) on Cisco Unified CME provides secure voice call capabilities including secure Cisco VG224 Analog Phone Gateway endpoints.
Note: For information about this feature in Cisco Unified CME, see the “Configuring Security” module in the Cisco Unified CME System Administration Guide.
To add a Cisco VG224 Analog Phone Gateway to a secure Cisco Unified CME system, perform the following tasks:
Configuring an External CA Server
To configure an external certificate authority (CA) server, perform the following steps:
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki server cs-label
4. database level {minimal | names | complete }
5. grant auto
6. database url root-url
7. no shutdown
8. exit
9. crypto pki trustpoint label
10. revocation-check method1 [ method2 [ method3 ]]
11. rsakeypair key-label [ key-size [ encryption-key-size ]]
12. exit
13. ip http server
14. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Enables privileged EXEC mode.
- Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3: crypto pki server cs-label
Example: Router(config)# crypto pki server cserver1
Defines a label for the certificate server and enters certificate server configuration mode.
- cs-label — Name for CA certificate server.
Step 4: database level { minimal | names | complete }
Example: Router(cs-server)# database level complete
(Optional) Controls the type of data stored in the certificate enrollment database.
- minimal — Only enough information is stored to continue issuing new certificates without conflict. This is the default functionality.
- names — The serial number and subject name of each certificate are stored in the database, providing enough information for the administrator to find and revoke a particular certificate, if necessary.
- complete — In addition to the information given in the minimal and names levels, each issued certificate is written to the database.
Note: The complete keyword produces a large amount of information, so specify an external TFTP server in which to store the data by using the database url command.
Step 5: grant auto
Example: Router(cs-server)# grant auto
(Optional) Allows an automatic certificate to be issued to any requester. Manual enrollment is the recommended method and the default if this command is not used.
Tip: Use this command only during enrollment when testing and building simple networks. A security best practice is to disable this functionality using the no grant auto command after configuration so that certificates cannot be continually granted.
Step 6: database url root-url
Example: Router(cs-server)# database url nvram:
(Optional) Specifies the location where all database entries for the certificate server are to be written out. If this command is not specified, all database entries are written to NVRAM.
- root-url — Location where database entries will be written out. The URL can be any URL that is supported by the Cisco IOS file system.
- If the CA is going to issue a large number of certificates, select an appropriate storage location, such as flash or another storage device, to store the certificates.
Note: When the storage location chosen is flash and the file system type on this device is Class B (LEFS), make sure to check free space on the device periodically and use the squeeze command to free the space used up by deleted files. This process may take several minutes and should be done during scheduled maintenance periods or off-peak hours.
Step 7: no shutdown
Example: Router(cs-server)# no shutdown
(Optional) Enables the CA.
- You should use this command only after you have completely configured the CA.
- Enter your password when prompted.
Step 8: exit
Example: Router(cs-server)# exit
Exits certificate server configuration mode.
Step 9: crypto pki trustpoint label
Example: Router(config)# crypto pki trustpoint cserver1
(Optional) Declares a trustpoint and enters CA-trustpoint configuration mode.
- Use this command and the enrollment url command if this CA is local to the Cisco Unified CME router. These commands are not needed for a CA running on an external router.
- label — Name for the trustpoint. The label in this step should be the same as the cs-label in Step 3.
Step 10: revocation-check method1 [ method2 [ method3 ]]
Example: Router(ca-trustpoint)# revocation-check crl
(Optional) Checks the revocation status of a certificate and specifies one or more methods to check the status. If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down. Valid values for the method argument are as follows:
- crl — Certificate checking is performed by a certificate revocation list (CRL). This is the default behavior.
- none — Certificate checking is not required.
- ocsp — Certificate checking is performed by an Online Certificate Status Protocol (OCSP) server.
Step 11: rsakeypair key-label [ key-size [ encryption-key-size ]]
Example: Router(ca-trustpoint)# rsakeypair exampleCAkeys 1024 1024
(Optional) Specifies an RSA key pair to use with a certificate.
- key-label — Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is used.
- key-size — (Optional) Size of the desired RSA key. If not specified, the existing key size is used.
- encryption-key-size — (Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates.
Note: Multiple trustpoints can share the same key.
Step 12: exit
Example: Router(ca-trustpoint)# exit
Exits CA-trustpoint configuration mode.
Step 13: ip http server
Example: Router(config)# ip http server
Enables the Cisco web-browser user interface on the local Cisco Unified CME router.
Step 14: exit
Example: Router(config)# exit
Exits global configuration mode.
Creating a Trustpoint on the VG224
To create a trustpoint on the Cisco VG224, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key generate rsa general-keys label key-label
4. crypto pki trustpoint label
5. enrollment url ca-url
6. serial-number none
7. fqdn none
8. ip-address none
9. subject-name [ x.500-name ]
10. revocation-check none
11. rsakeypair key-label [ key-size [ encryption-key-size ]]
12. exit
13. crypto pki authenticate trustpoint-label
14. crypto pki enroll trustpoint-label
15. exit
DETAILED STEPS
Step 1: enable
Example: Router> enable
Enables privileged EXEC mode.
- Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3: crypto key generate rsa general-keys label key-label
Example: Router(config)# crypto key generate rsa general-keys label VG224
(Optional) Generates Rivest, Shamir, and Adleman (RSA) key pairs.
- general-keys — Specifies that the general-purpose key pair should be generated.
- label key-label — (Optional) Name that is used for an RSA key pair when they are being exported.
Step 4: crypto pki trustpoint label
Example: Router(config)# crypto pki trustpoint VG224
Declares the trustpoint that your RA mode certificate server should use and enters CA-trustpoint configuration mode.
- label — Name for the trustpoint and RA.
Step 5: enrollment url ca-url
Example: Router(ca-trustpoint)# enrollment url http://10.3.105.40:80
Specifies the enrollment URL of the issuing CA certificate server (root certificate server).
- ca-url — URL of the router on which the root CA has been installed.
Step 6: serial-number none
Example: Router(ca-trustpoint)# serial-number none
Specifies whether the router serial number should be included in the certificate request.
- none — Specifies that a serial number will not be included in the certificate request.
Step 7: fqdn none
Example: Router(ca-trustpoint)# fqdn none
Specifies a fully qualified domain name (FQDN) that will be included as “unstructuredName” in the certificate request.
- none — Router FQDN will not be included in the certificate request.
Step 8: ip-address none
Example: Router(ca-trustpoint)# ip-address none
Specifies a dotted IP address or an interface that will be included as “unstructuredAddress” in the certificate request.
- none — Specifies that an IP address is not to be included in the certificate request.
Step 9: subject-name [ x.500-name ]
Example: Router(ca-trustpoint)# subject-name cn=VG224, ou=ABU, o=Cisco Systems Inc.
Specifies the subject name in the certificate request.
Note: The example shows how to format the certificate subject name to be similar to that of an IP phone’s.
Step 10: revocation-check none
Example: Router(ca-trustpoint)# revocation-check none
(Optional) Checks the revocation status of a certificate and specifies one or more methods to check the status. If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down.
- none — Certificate checking is not required.
Step 11: rsakeypair key-label [ key-size [ encryption-key-size ]]
Example: Router(ca-trustpoint)# rsakeypair VG224
(Optional) Specifies an RSA key pair to use with a certificate.
- key-label — Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is used.
- key-size — (Optional) Size of the desired RSA key. If not specified, the existing key size is used.
- encryption-key-size — (Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates.
Note: Multiple trustpoints can share the same key.
Step 12: exit
Example: Router(ca-trustpoint)# exit
Exits CA-trustpoint configuration mode.
Step 13: crypto pki authenticate trustpoint-label
Example: Router(config)# crypto pki authenticate VG224
Retrieves the CA certificate and authenticates it. Checks the certificate fingerprint if prompted.
- trustpoint-label — Trustpoint label.
Note: This command is optional if the CA certificate is already loaded into the configuration.
Step 14: crypto pki enroll trustpoint-label
Example: Router(config)# crypto pki enroll VG224
Enrolls with the CA and obtains the certificate for this trustpoint.
- trustpoint-label — Trustpoint label.
Step 15: exit
Example: Router(config)# exit
Exits global configuration mode.
Configuring STCAPP, Trustpoint, and Security
To configure STCAPP, trustpoint, and security mode, perform the following steps on the Cisco VG224.
SUMMARY STEPS
1. enable
2. configure terminal
3. stcapp ccm-group group-id
4. stcapp security trustpoint line
5. stcapp security mode [authenticated | encrypted | none]
6. stcapp
7. dial-peer voice tag pots
8. security mode [ authenticated | encrypted | none ]
9. end
DETAILED STEPS
Step 1: enable
Example: Router> enable
Enables privileged EXEC mode.
- Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3: stcapp ccm-group group-id
Example: Router(config)# stcapp ccm-group 1
Configures an STC application group.
Step 4: stcapp security trustpoint line
Example: Router(config)# stcapp security trustpoint VG224
Specifies the trustpoint to be used for setting up the TLS connection for STCAPP endpoints.
- This command must be configured for the STCAPP service to start.
Step 5: stcapp security mode [authenticated | encrypted | none]
Example: Router(config)# stcapp security mode encrypted
Enables security for STCAPP endpoints.
- This command and the stcapp security trustpoint command in the previous step must be configured for security to be enabled for the STCAPP endpoint.
Step 6: stcapp
Example: Router(config)# stcapp
Enables the STCAPP at the global level.
Step 7: dial-peer voice tag pots
Example: Router(config)# dial-peer voice 1 pots
(Optional) Enters dial peer voice configuration mode.
Step 8: security mode [authenticated | encrypted | none]
Example: Router(config-dialpeer)# security mode encrypted
(Optional) Enables dialpeer level STCAPP endpoint security and overrides global configuration.
- authenticated — Enables STCAPP endpoints using signaling authentication.
- encrypted — Enables STCAPP endpoints using data encryption.
- none — Disables dialpeer level STCAPP endpoint security configuration and defaults to global level configuration.
Step 9: end
Example: Router(config-dialpeer)# end
Exits dial-peer configuration mode and returns to privileged EXEC mode.
Verifying and Troubleshooting Secure Signaling and Media Encryption on the Cisco VG224
To verify and troubleshoot secure signaling and media encryption on the VG224, perform the following steps:
SUMMARY STEPS
1. show sccp
2. show dial-peer voice
3. debug sccp tls
4. debug sccp message
5. debug voip application stcapp all
6. show stcapp device voice-port port
7. show call active voice brief
DETAILED STEPS
Step 1: show sccp
Example: Router> show sccp
Displays SCCP information such as administrative and operational status.
Step 2: show dial-peer voice
Example: Router> show dial-peer voice
Displays dial peer information, including security mode.
Step 3: debug sccp tls
Example: Router# debug sccp tls
Displays debugging information for SCCP and its related applications (transcoding and conferencing).
Step 4: debug sccp message
Example: Router# debug sccp message
Displays debugging information for SCCP and its related applications (transcoding and conferencing).
Step 5: debug voip application stcapp all
Example: Router# debug voip application stcapp all
Displays debugging information for the components of the STCAPP.
Step 6: show stcapp device voice-port port
Example: Router# show stcapp device voice-port 1/0/0
Displays configuration information about a specified STCAPP analog voice port.
Step 7: show call active voice brief
Example: Router# show call active voice brief
Displays a truncated version of call information for voice calls in progress.
Examples
The following examples show sample output for commands used to verify and troubleshoot STCAPP and security mode configuration:
show dial-peer voice: Example
Show dial-peer voice 5001
VoiceEncapPeer5001
peer type = voice, system default peer = FALSE, information type = voice,
description = `',
tag = 5001, destination-pattern = `',
voice reg type = 0, corresponding tag = 0,
………………….
………………….
digit_strip = enabled,
register E.164 number with H323 GK and/or SIP Registrar = TRUE
fax rate = system, payload size = 20 bytes
supported-language = ''
preemption level = `routine'
bandwidth:
maximum = 64 KBits/sec, minimum = 64 KBits/sec
voice class called-number:
inbound = `', outbound = `'
dial tone generation after remote onhook = enabled
The following lines show encryption enabled:
Signaling and Media Security = Encrypted
Time elapsed since last clearing of voice call statistics never
Connect Time = 0, Charged Units = 0,
Successful Calls = 0, Failed Calls = 0, Incomplete Calls = 0
Accepted Calls = 0, Refused Calls = 0,
Last Disconnect Cause is "",
Last Disconnect Text is "",
Last Setup Time = 0.
Last Disconnect Time = 0.
show sccp: Example
Gateway IP Address: 10.4.177.53, Port Number: 2000
User Masked Codec list: None
Call Manager: 10.4.177.51, Port Number: 2000
Priority: N/A, Version: 4.0, Identifier: 1
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2443
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D400
The following lines show secure media and signaling status:
Signaling Security: ENCRYPTED TLS
Supported crypto suites :AES_CM_128_HMAC_SHA1_32
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: RFC 2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D401
The following lines show secure media and signaling status:
Signaling Security: AUTHENTICATED TLS
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: RFC 2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D402
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: RFC 2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
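The per-endpoint security status in the show sccp output above can be checked mechanically. The following Python sketch is an added example, not Cisco code: it splits captured output into one record per endpoint and lists the endpoints that do not report encrypted signaling with an SRTP crypto suite. The function names are hypothetical, and the sample text is constructed from the example above with the codec lines and commentary lines left out.

```python
import re

# Constructed sample: the `show sccp` example from this page, without the
# codec lines and without the page's interleaved commentary lines.
SAMPLE_SHOW_SCCP = """\
Gateway IP Address: 10.4.177.53, Port Number: 2000
Call Manager: 10.4.177.51, Port Number: 2000
Priority: N/A, Version: 4.0, Identifier: 1
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2443
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D400
Signaling Security: ENCRYPTED TLS
Supported crypto suites :AES_CM_128_HMAC_SHA1_32
Reported Max Streams: 1, Reported Max OOS Streams: 0
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D401
Signaling Security: AUTHENTICATED TLS
Reported Max Streams: 1, Reported Max OOS Streams: 0
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 10.4.177.51, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN0C8639A24D402
Reported Max Streams: 1, Reported Max OOS Streams: 0
"""

# One pattern per field we keep for each endpoint record.
FIELDS = {
    "cm_port": re.compile(r"Active Call Manager: \S+ Port Number: (\d+)"),
    "device": re.compile(r"Device Name: (\S+)"),
    "signaling": re.compile(r"Signaling Security: (\w+)"),
    "suites": re.compile(r"Supported crypto suites\s*:\s*(\S+)"),
}


def parse_show_sccp(text):
    """Return one dict per endpoint; a record starts at 'Alg_Phone Oper State'."""
    devices, cur = [], None
    for line in text.splitlines():
        if line.strip().startswith("Alg_Phone Oper State:"):
            cur = {key: None for key in FIELDS}
            devices.append(cur)
        elif cur is not None:  # lines before the first record are gateway-level
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1)
    return devices


def unprotected_endpoints(devices):
    """List (device, reason) for endpoints lacking encrypted signaling or an SRTP suite."""
    findings = []
    for d in devices:
        if d["signaling"] is None:
            findings.append((d["device"], "no Signaling Security line reported"))
        elif d["signaling"] != "ENCRYPTED":
            findings.append((d["device"], f"signaling is {d['signaling']}, not ENCRYPTED"))
        elif d["suites"] is None:
            findings.append((d["device"], "no SRTP crypto suite reported"))
    return findings


if __name__ == "__main__":
    for dev, reason in unprotected_endpoints(parse_show_sccp(SAMPLE_SHOW_SCCP)):
        print(f"{dev}: {reason}")
```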
show stcapp device voice-port: Example
Show stcapp device voice-port 2/0
Device Name: AN0C8639A24D400
The following line shows device security status:
Device Security Mode : Encrypted
Dialtone after remote onhook feature: activated
Last Event: STCAPP_CC_EV_CALL_DISCONNECT_DONE
Configuration Examples for Secure Signaling and Media Encryption for the Cisco VG224
The following examples show STCAPP security enabled at the system level and the security mode configured on the dial peer:
Router# show running-config
Building configuration...
Current configuration : 8906 bytes
!
! Last configuration change at 15:41:09 PDT Mon Oct 23 2006
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname akash
!
boot-start-marker
boot-end-marker
!
logging buffered 400000 debugging
no logging console
enable password lab
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
no ip domain lookup
!
The following lines show STCAPP security enabled at the system level:
stcapp ccm-group 1
stcapp security trustpoint analog
stcapp security mode encrypted
stcapp
!
voice-card 0
dsp services dspfarm
!
crypto pki trustpoint analog
enrollment url http://10.4.177.51:80
serial-number
revocation-check none
certificate ca 01
quit
crypto pki certificate chain analog
certificate 0A
quit
certificate ca 01
quit
!
!
voice service voip
!
!
interface FastEthernet0/0
ip address 10.4.177.53 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 1.4.0.1
!
ip http server
no ip http secure-server
!
no cdp advertise-v2
!
!
control-plane
!
!
voice-port 2/0
!
voice-port 2/1
!
voice-port 2/2
!
voice-port 2/3
!
voice-port 2/4
!
.
.
.
!
voice-port 2/23
!
!
!
sccp local FastEthernet0/0
sccp ccm 10.4.177.51 identifier 1 version 4.0
sccp
!
sccp ccm group 1
associate ccm 1 priority 1
!
dial-peer voice 5001 pots
service stcapp
port 2/0
!
dial-peer voice 5002 pots
service stcapp
The following line shows the security mode configured on the dial peer:
security mode authenticated
port 2/1
!
dial-peer voice 5003 pots
service stcapp
security mode none
port 2/2
!
dial-peer voice 2000 voip
destination-pattern 7...
session target ipv4:10.4.177.100
incoming called-number 7000
codec g711ulaw
!
dial-peer voice 1 pots
!
dial-peer voice 5004 pots
service stcapp
shutdown
port 2/3
!
dial-peer voice 5005 pots
shutdown
destination-pattern 3001
port 2/4
!
.
.
.
!
dial-peer voice 5018 pots
service stcapp
shutdown
port 2/17
!
dial-peer voice 2001 pots
destination-pattern 2001
port 2/18
!
dial-peer voice 1000 voip
destination-pattern 1...
session target ipv4:10.3.105.5
!
dial-peer voice 5900 voip
destination-pattern 59..
session target ipv4:10.3.105.5
!
dial-peer voice 500 voip
destination-pattern 5...
session target ipv4:10.4.177.51
!
dial-peer voice 5019 pots
service stcapp
shutdown
port 2/18
!
dial-peer voice 5020 pots
service stcapp
shutdown
port 2/19
!
.
.
.
!
dial-peer voice 5024 pots
service stcapp
shutdown
port 2/23
!
!
!
!
line con 0
transport output all
line aux 0
transport output all
line vty 0 4
password lab
login
transport input all
transport output all
!
ntp clock-period 17179541
ntp server 10.4.177.51
end
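The settings this configuration relies on (the global STCAPP security mode, the trustpoint it references, and the per-dial-peer security mode overrides) can be audited from a saved running-config. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, the sample is constructed from the STCAPP-related lines of the configuration above, and it assumes each section ends with a "!" line.

```python
import re

# Constructed sample: the STCAPP-related lines of the running-config shown above.
SAMPLE_CONFIG = """\
stcapp ccm-group 1
stcapp security trustpoint analog
stcapp security mode encrypted
stcapp
!
crypto pki trustpoint analog
 enrollment url http://10.4.177.51:80
 serial-number
 revocation-check none
!
dial-peer voice 5001 pots
 service stcapp
 port 2/0
!
dial-peer voice 5002 pots
 service stcapp
 security mode authenticated
 port 2/1
!
dial-peer voice 5003 pots
 service stcapp
 security mode none
 port 2/2
!
dial-peer voice 2001 pots
 destination-pattern 2001
 port 2/18
!
"""

SECTION = re.compile(r"(dial-peer voice|crypto pki trustpoint) ")


def parse_sections(config):
    """Return (global lines, {section header: body lines}); '!' ends a section."""
    glob, sections, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            cur = None
        elif SECTION.match(line):
            cur = sections.setdefault(line, [])
        elif cur is not None:
            cur.append(line)
        else:
            glob.append(line)
    return glob, sections


def last_word(lines, prefix):
    """Last word of the first line that starts with prefix, or None."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)


def audit_stcapp(config):
    """Return (location, finding) pairs for STCAPP security settings to review."""
    glob, sections = parse_sections(config)
    findings = []
    mode = last_word(glob, "stcapp security mode ")
    tp = last_word(glob, "stcapp security trustpoint ")
    if mode != "encrypted":
        findings.append(("global", f"stcapp security mode is {mode or 'not set'}"))
    if tp is None:
        findings.append(("global", "stcapp security trustpoint is not set"))
    elif f"crypto pki trustpoint {tp}" not in sections:
        findings.append(("global", f"trustpoint {tp} is not declared"))
    elif "revocation-check none" in sections[f"crypto pki trustpoint {tp}"]:
        findings.append((f"trustpoint {tp}", "revocation status is not checked"))
    # Dial-peer level security mode overrides the global setting (Step 8 above).
    for header, body in sections.items():
        m = re.match(r"dial-peer voice (\d+) pots$", header)
        if not m or "service stcapp" not in body:
            continue
        override = last_word(body, "security mode ")
        if override in ("authenticated", "none"):
            findings.append((f"dial-peer {m.group(1)}", f"security mode {override} set on the dial peer"))
    return findings


if __name__ == "__main__":
    for where, what in audit_stcapp(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

For any dial peer the audit flags, confirm the effective mode on the gateway with show stcapp device voice-port.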