Thursday, October 30, 2008

Understanding ShoreTel Phones Boot up Process

So I was answering a friend who had inquired about how the boot up process works on a ShoreTel phone when I thought....hummmm...this would make a great blog entry because I'll forget it in a few months. :)
So assuming we have the network configured as I showed in the last blog entry (VOIP vlan 19, user vlan 14), we plug a brand spanking new phone into the switch on port A1.  Assuming you have your DHCP server set up correctly (which we will cover in just a minute), the phone will come up in the untagged vlan 14 and request a DHCP address.  It gets one, but it also gets DHCP Option 156.  This option is used by the ShoreTel phone to determine where its vmail server is as well as where it should live in the network.  It sees that it should live in vlan 19 and reboots.  Now it uses tagged traffic on vlan 19 to request a new DHCP address.  This time it gets one in the 10.3.9.x range and goes about its business.  One thing I failed to mention here is that the first time this happens it's reboot city for the phone.  New phones, even out of the box, seem to need an upgrade when they connect to the ShoreTel server.  On my gig network this first boot and config of the phone takes like 10 minutes.
Ok, on the DHCP server we have to set up option 156.  First, right-click on the DHCP server in the DHCP Server Manager tool and select "Set pre-defined options".  Here you need to add option 156 so it appears as an option at the vlan scope level.  Set the data type to string.  Once the item is created, go to the vlan 14 scope (which is where the phone first boots looking for the info) and add scope option 156.  The string format should be something like:
ftpservers=10.3.19.99, country=1, language=1, layer2tagging=1, vlanid=19
10.3.19.99 is the address of the ShoreTel server, country is set to USA, language is set to English, layer2tagging is set to 1 (yes) and vlanid is the vlan id of the vlan for voip.
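As an added example that is not part of the original post, here is a small Python script that builds the option 156 string in the form shown above, parses one back into its fields, and checks it before it goes into the scope: every key present, each ftpservers entry a valid IPv4 address, vlanid in 1-4094, layer2tagging 0 or 1, and optionally that ftpservers includes the server you expect the phones to fetch their config from. The key names and the values come from the post; the checks themselves and the function names are this example's assumptions, not a ShoreTel specification.

```python
"""Build, parse and sanity-check the ShoreTel DHCP option 156 string."""
import ipaddress

# Keys shown in the option 156 string in the post above.  The checks below are
# this example's assumptions about sensible values, not a ShoreTel specification.
REQUIRED_KEYS = ("ftpservers", "country", "language", "layer2tagging", "vlanid")


def build_option156(ftpservers, vlanid, country=1, language=1, layer2tagging=1):
    """Return the "key=value, key=value" string in the form the post shows."""
    servers = ",".join(str(ipaddress.IPv4Address(s)) for s in ftpservers)
    return (f"ftpservers={servers}, country={country}, language={language}, "
            f"layer2tagging={layer2tagging}, vlanid={vlanid}")


def parse_option156(text):
    """Split the string into a dict of lower-cased keys; values stay as strings.
    A comma-separated token without '=' directly after ftpservers is treated as
    a second FTP server, so "ftpservers=a,b, country=1" keeps both addresses."""
    fields, last = {}, None
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, _, value = token.partition("=")
            last = key.strip().lower()
            fields[last] = value.strip()
        elif last == "ftpservers":
            fields[last] += "," + token
        else:
            raise ValueError(f"stray token {token!r} in option 156 string")
    return fields


def validate_option156(text, expected_server=None):
    """Return a list of problems; an empty list means the string looks usable.
    Checks every key is present, each ftpservers entry is an IPv4 address,
    vlanid is 1-4094, layer2tagging is 0 or 1 and, if expected_server is given,
    that it is one of the ftpservers (the phone fetches its config from there)."""
    try:
        fields = parse_option156(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in fields]
    servers = [s for s in fields.get("ftpservers", "").split(",") if s]
    if not servers:
        problems.append("ftpservers is empty")
    for server in servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"ftpservers entry {server!r} is not an IPv4 address")
    if expected_server and expected_server not in servers:
        problems.append(f"ftpservers does not include expected server {expected_server}")
    vlanid = fields.get("vlanid", "")
    if not (vlanid.isdigit() and 1 <= int(vlanid) <= 4094):
        problems.append(f"vlanid {vlanid!r} is not a VLAN id in 1-4094")
    if fields.get("layer2tagging") not in ("0", "1"):
        problems.append("layer2tagging must be 0 or 1")
    return problems


if __name__ == "__main__":
    option = build_option156(["10.3.19.99"], vlanid=19)   # values from the post
    print(option)
    print("problems:", validate_option156(option, expected_server="10.3.19.99"))
    print("problems:", validate_option156("ftpservers=10.3.19.99, vlanid=5000"))
```

The validator is handy when you copy the string out of the DHCP console after a change: a typo in vlanid or the server address sends every phone on the scope into the reboot loop described above, and this catches it before the phones do.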
Cool stuff.

Friday, October 24, 2008

ProCurve 5412zl and ShoreTel

So we've got the ProCurve set up for the ShoreTel system and phones now.  Here is the code snippet from the ProCurve:

interface A1
   name "Phone and PC Office 100"
   power-over-ethernet high
exit
interface A2
   name "Phone and PC Office 101"
   power-over-ethernet high
exit
interface D7 
   name "ShoreTel Voicemail Server"
   no power-over-ethernet
exit
interface D14
   name "ShoreTel 50"
   no power-over-ethernet
exit
interface D15
   name "ShoreTel T1"
   no power-over-ethernet
exit

vlan 14
   name "USER_VLAN14"
   untagged A1-A2
   ip address 10.3.14.1 255.255.255.0
   exit
vlan 19
   name "VOIP_Phone_VLAN"
   untagged D7, D14-D15 
   qos priority 7
   ip address 10.3.19.1 255.255.255.0
   tagged A1-A2 
   exit


qos udp-port 4102 priority 6
qos udp-port 1718 priority 6
qos udp-port 1719 priority 6
qos udp-port 1720 priority 6
qos udp-port 25 priority 6
qos udp-port 37 priority 6
qos udp-port 69 priority 6
qos udp-port 162 priority 6
qos udp-port 520 priority 6
qos udp-port 8089 priority 6
qos udp-port 8888 priority 6

You also need to configure your DHCP server so that when the phone boots up, it can determine the VOIP VLAN that you want to use.  To do this you need to set up the following DHCP options on your DHCP server in the untagged VLAN that the phones will first see when booting (VLAN 14 above):

042 = NTP Servers = NTP.Server.IP.Address1,  NTP.Server.IP.Address2
066 = Boot Server Host Name = ShoreTel Server IP address
067 = Bootfile Name = ShoreTel Server IP address

So far this ShoreTel stuff is pretty kick ass. I'm not regretting my decision at all.

Thursday, October 23, 2008

HP ProCurve 5412zl and Equallogic PS5000E

So we finally got everything configured on the ProCurve 5412zl for the Equallogic today.  According to the documentation you need to configure the following:

  • a separate iSCSI VLAN
  • turn on flow control
  • enable jumbo frames on the VLAN
  • turn off spanning-tree on the iSCSI ports
  • disable unicast storm control

Here is the snippet of the switch config for the Equallogic and the server connected to it:

interface C19
   name "ESX Server connection to iScsi VLAN"
   flow-control
   no power-over-ethernet
exit
interface D9  
   name "Equallogic NIC1"
   flow-control
   no power-over-ethernet
exit
interface D10 
   name "Equallogic NIC2"
   flow-control
   no power-over-ethernet
exit

vlan 25
   name "iScsi_VLAN"
   untagged C19, D9-D10
   ip address 10.3.25.1 255.255.255.0
   jumbo
   exit

spanning-tree
spanning-tree C19 bpdu-filter
spanning-tree D9 bpdu-filter
spanning-tree D10 bpdu-filter

spanning-tree C19 admin-edge-port
spanning-tree D9 admin-edge-port
spanning-tree D10 admin-edge-port
spanning-tree config-name "Calamazo"
spanning-tree force-version RSTP-operation

On the ProCurve, I couldn't find a setting for unicast storm control.  If you know how to do this hit me up in the comments.
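Because the ShoreTel post above and this one each boil down to a checklist of per-port and per-VLAN settings, here is an added Python example (not from the original posts, and not an HP tool) that parses a ProCurve-style config dump like the ones shown and reports which of those settings are missing: phone ports with PoE high, untagged in the user VLAN and tagged in the voice VLAN; a qos priority on the voice VLAN; and iSCSI ports with flow-control, untagged in a jumbo-enabled iSCSI VLAN, with bpdu-filter and admin-edge-port set. The sample config is constructed from the snippets on this page with two settings deliberately left out so the audit has something to find; the parser only understands the stanza shapes shown here, and all function names are this example's own.

```python
"""Audit a ProCurve running config for the ShoreTel and EqualLogic port settings."""
import re

# Constructed sample config, assembled from the snippets in the posts above with
# two settings deliberately left out (A2 lacks PoE high, D9 lacks flow-control
# and admin-edge-port) so the audit has something to report.
SAMPLE_CONFIG = """\
interface A1
   power-over-ethernet high
exit
interface A2
   name "Phone and PC Office 101"
exit
interface C19
   flow-control
exit
interface D9
   name "Equallogic NIC1"
exit
vlan 14
   untagged A1-A2
   exit
vlan 19
   qos priority 7
   tagged A1-A2
   exit
vlan 25
   untagged C19, D9
   jumbo
   exit
spanning-tree C19 bpdu-filter
spanning-tree D9 bpdu-filter
spanning-tree C19 admin-edge-port
"""

PORT = re.compile(r"([A-Za-z]+)(\d+)")  # ProCurve port names: module letter + number


def expand_ports(spec):
    """Expand a ProCurve port list such as "A1-A2, D9-D10" into a set of port names."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        if not hi:
            ports.add(lo)
            continue
        (prefix, start), (_, end) = PORT.fullmatch(lo).groups(), PORT.fullmatch(hi).groups()
        ports.update(f"{prefix}{n}" for n in range(int(start), int(end) + 1))
    return ports


def parse_config(text):
    """Split the config into interface stanzas, vlan stanzas and global lines."""
    interfaces, vlans, global_lines = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"(interface|vlan)\s+(\S+)", line)
        if head:
            table = interfaces if head.group(1) == "interface" else vlans
            current = table.setdefault(head.group(2), [])
        elif line == "exit":
            current = None
        elif line and current is not None:
            current.append(line)
        elif line:
            global_lines.append(line)
    return interfaces, vlans, global_lines


def vlan_ports(vlans, vlan_id, mode):
    """Ports listed as `mode` ("tagged" or "untagged") in a VLAN stanza."""
    for line in vlans.get(vlan_id, []):
        if line.startswith(mode + " "):
            return expand_ports(line[len(mode):])
    return set()


def audit(text, phone_ports, user_vlan, voice_vlan, iscsi_ports, iscsi_vlan):
    """Return the list of settings the posts call for that are missing from `text`."""
    interfaces, vlans, global_lines = parse_config(text)
    problems = []
    for p in phone_ports:  # phone ports: PoE high, untagged user VLAN, tagged voice VLAN
        if "power-over-ethernet high" not in interfaces.get(p, []):
            problems.append(f"{p}: PoE not set high")
        if p not in vlan_ports(vlans, user_vlan, "untagged"):
            problems.append(f"{p}: not untagged in vlan {user_vlan}")
        if p not in vlan_ports(vlans, voice_vlan, "tagged"):
            problems.append(f"{p}: not tagged in vlan {voice_vlan}")
    if not any(l.startswith("qos priority") for l in vlans.get(voice_vlan, [])):
        problems.append(f"vlan {voice_vlan}: no qos priority")
    if "jumbo" not in vlans.get(iscsi_vlan, []):  # EqualLogic: jumbo frames on the iSCSI VLAN
        problems.append(f"vlan {iscsi_vlan}: jumbo frames not enabled")
    for p in iscsi_ports:  # iSCSI ports: flow control, untagged iSCSI VLAN, STP edge + BPDU filter
        if "flow-control" not in interfaces.get(p, []):
            problems.append(f"{p}: flow-control off")
        if p not in vlan_ports(vlans, iscsi_vlan, "untagged"):
            problems.append(f"{p}: not untagged in vlan {iscsi_vlan}")
        for feature in ("bpdu-filter", "admin-edge-port"):
            if f"spanning-tree {p} {feature}" not in global_lines:
                problems.append(f"{p}: spanning-tree {feature} missing")
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG, ["A1", "A2"], "14", "19", ["C19", "D9"], "25"):
        print(problem)
```

To use it on a live switch, save the output of show running-config to a file and pass its contents in place of SAMPLE_CONFIG; every line it prints is a setting one of the two posts says should be there. Running it after each change is a cheap way to notice when a port gets re-provisioned for a different use and silently loses its tagging or its BPDU filter.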

Tuesday, October 21, 2008

Internet Access in Amerituckey

So from time to time I get requests for Internet access out of some backwoods, countrified hotel.  As anyone who has ever traveled anywhere in the U.S. knows...hotel Internet access is like a box of shitty chocolates.  You know it's gonna be horrible, but you're just not sure how horrible it's gonna be.  So I ran into this cellphone-based router called Proxicast.

You can use any basic cell card you want. I chose the Alltel Huawei EC360 because...well....the Proxicast guy said it was the best!  Alltel, unlike other carriers, has not yet limited their unlimited Internet access (gotta love telco providers).

The card needs to be activated by a PC first, but once that's done it plugs in and comes up pretty quickly in the Proxicast router.

Performance has been pretty decent..about what you would expect. If you've got occasional users and only a few (1-2) people driving it hard you'll be ok.

We offer remote access through an SSL VPN box and we were able to get about 2-3 people running through the router successfully without constant complaining.  The big thing I noticed was that latency was pretty high.  I experienced latency in the range of 207ms all the way up and over a second. This is probably just the Alltel 3G network, but that's still pretty horrible. I wouldn't try and run Skype over this connection and expect not to have to shout out "OVER" each time I finished a sentence.  In case you're curious, here are my speedtest.net results:

[image: speedtest.net results]

The nice thing about the Proxicast is you can plug it into the wall at the hotel and use the cell line as a backup.   If the hotel Internet goes down then you can swap over to cell access.  The fact that it's got a wireless access point baked in (a,b/g) makes it a nice piece of gear for a litigation lunchbox.

Friday, October 17, 2008

Data Forensics

It looks like Helix, a data forensics tool baked into a Live CD, has been updated.  This is a cool tool that I've used in the past to analyze some images at work that we were given.  Rather than spending thousands of dollars on EnCase and other tools, I've used this tool to scour and search hard drive images.  As I'm not a forensic investigator, we generally pay for a licensed investigator to obtain the image and then we use our own tools to find the data.  There's also a forensics wiki full of open source goodness.

Friday, October 03, 2008

VOIP

So we are moving to VOIP in our Denver office.  This will be a new area for us as we are a long-time Siemens PBX customer.  After much consideration we've decided to go with ShoreTel.

The decision was based on price, performance and ease of use.  Once again Cisco lost out on two of those issues...price and ease of use.  The performance metric was difficult to get a handle on (I'm not sure I ever did) because you'd almost have to do a bake-off to tell the difference.  In the end, ease of use was the real motivation to go with ShoreTel.  We don't have a full-time telecom person, so I need my network admins to be able to configure and support the gear.  Cisco once again is just too complicated to deal with.  I'll let you know how it goes, but so far I'm really excited.

Note to my open source homies: I did think about SwitchVox and given more time I may have decided to go with them.  However, in the interest of time (we go live 01/01/2009) and given the fact that there will be no IT support people in our Denver office, I wanted a known, tested system.  So basically I wimped out.  Sometimes you gotta pick your battles.

Wednesday, October 01, 2008

Done Paying Ransom

We are opening a new office in Denver in January.  After doing some soul searching and research I've decided that I'm done paying Cisco ransom.  I'll be implementing HP ProCurve switches in the new office.  This is huge for me.  For many years I was a Cisco bigot.  I even sat in on the CCIE lab back in 2000. (Yep..I missed it by a few points but it was a cool experience.)  Now that I'm actually responsible for paying for the gear as well as configuring it, I can't justify Cisco anymore.  Here are the points on my reasoning:

  • These days, layer 2 & 3 switching is commodity.  There are few gains found between different vendors gear.
  • HP ProCurve gear has a lifetime warranty and free software updates.  Smartnet has always been painful to deal with because it's true extortion.  You are paying for them to fix things that were broken when you purchased the product.  Beyond that you are paying for insurance on the best-made gear in the world.   Seems to me if it's the best gear it shouldn't need insurance...or at least cheaper insurance.
  • The long life of a Cisco box is stifled by its Smartnet price rising at every renewal and the fact that in 6 months the box that will work for years becomes End of Sale...then End of Life.  What's the use of buying high end gear and then swapping it out every 3 years just so Cisco has a better bottom line?
  • Cisco gear is a chain saw. It's really powerful to those who use it every day, but for those of us that want to set it and forget it....that's exactly what happens.  You spend hours researching a topic...figure out how to implement it..and then you forget about it.  When something breaks or needs adjusting, the CLI forces you to "relearn" everything to get back to where you were.  They need to dumb some of this stuff down.
  • eBay.  So you buy a used box and you have to "re-certify" it just to pay the ransom of Smartnet?!?!?!   You'd think they'd be happy just to get the support contract as expensive as it is.

So that's it.  As far as switches are concerned I'm done with Cisco.  Once I find a replacement router I feel good about, I'll jump ship there too.  As for firewalls...I just received a SonicWall NSA5500 that's waiting for me to play with.

So long Cisco....you were good to me once....but you've priced yourself out of the market.
