Cisco Configuration Professional Installation Notes

To install the Cisco Configuration Professional (CCP) software for the Catalyst 2960X/XR platform from a .tar file, you’ll need to extract and set it up on the switch’s flash memory. Here’s a step-by-step guide to install the .tar file on your Cisco 2960X switch:

What You’ll Need

  • The .tar file (e.g., ccp-c2960x.tar)
  • TFTP server (or FTP/USB depending on your method)
  • Console or SSH access to the switch

Step 1: Transfer the .tar File to the Switch

Use a TFTP server (like tftpd32 or SolarWinds TFTP) to upload the .tar file to the switch’s flash.

From the switch CLI:

copy tftp: flash:

You’ll be prompted:

Address or name of remote host []? 192.168.1.100  <-- your TFTP server
Source filename []? ccp-c2960x.tar
Destination filename [ccp-c2960x.tar]? <Enter>

Step 2: Extract the .tar File

Once the file is on the switch, extract it with:

archive tar /xtract flash:ccp-c2960x.tar flash:

This will unpack the files into a directory (e.g., ccp-web) inside flash.

Step 3: Enable the Web Interface

To use Configuration Professional, you need:

  • HTTP/HTTPS server enabled
  • A working VLAN interface with an IP address
  • Authentication (username/password)

Commands:

conf t
ip http server
ip http secure-server
! Have the web server check logins against the local username database
ip http authentication local
username admin privilege 15 secret YourSecurePassword
interface vlan1
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
! Adjust the gateway as needed
ip default-gateway 192.168.1.254
end
write memory

Step 4: Access the Web Interface

Open a browser and go to:

http://192.168.1.1

or

https://192.168.1.1

You should see the Configuration Professional (CP Express) interface.

(Optional) Clean Up and Set as Default Web UI

If you want this web interface to load automatically on boot:

conf t
ip http path flash:ccp-web
end
write memory

And if you’re done, you can remove the .tar file to save space:

delete flash:ccp-c2960x.tar

16 million failed SIP registrations in 24 hours from 1 host

I recently stood up a Bicom PBXware virtual machine to do some testing. I noticed that there were a few thousand SIP registration failures a couple hours later as the box sat idle.

Today, I hopped on the box to begin some configuration for my testing environment and noticed the failed SIP registrations now sat at 16 million, or about 185/sec.

Investigating only from the dashboard, I noticed that they were all from the same IP address 167.x.x.255, which is a DigitalOcean IP. If I disable the PBXware Proxy service, it brings the failed SIP registrations to a screeching halt.

Tomorrow I’ll investigate this more. For now, I’ve disabled the PBXware Service from the web administration.

Detecting if SIP ALG is enabled on network

In trying to determine on a network that I don’t manage whether the network is “SIP Aware” (SIP ALG), I used the following method to quickly test.

Client Network

LAN          192.168.1.1/24
WAN          11.22.33.44
SIP Phone    192.168.1.60

Remote Network

SIP Server   4.49.115.30

I configured my phone to point to my Linux server at 4.49.115.30 as the SIP server and started up a capture using tcpdump.

tcpdump -i ens192 -w sip_alg.pcap

I ran it for a few seconds to capture traffic from my phone.

Packet Showing Network With ALG

If the network is SIP aware and using ALG, the Contact: header of the SIP message will show the public IP of the client’s network.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727
From: "200" <sip:200@4.49.115.30:5060>;tag=738463962
To: "200" <sip:200@4.49.115.30:5060>
Call-ID: 0_738583021@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@11.22.33.44:22501>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0

Packet Showing Network Without ALG

If the network is not SIP aware (no ALG in the path), the Contact: header of the SIP message will show the RFC 1918 IP address on the client’s network.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753
From: "200" <sip:702200@4.49.115.30:5060>;tag=735174715
To: "200" <sip:702200@4.49.115.30:5060>
Call-ID: 0_735247007@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@192.168.1.60:5060>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0
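
The comparison above can be scripted. This is an added example, not code from the original post: it reads a REGISTER request as received at the SIP server and reports whether Via and Contact were rewritten. The function names are hypothetical, the sample messages are trimmed copies of the two captures above, and it assumes the phone has no STUN or similar NAT-traversal setting that would make it write a public address itself.

```python
import ipaddress
import re

# Constructed inputs: trimmed copies of the two REGISTER requests shown above.
WITH_ALG = """REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727
Call-ID: 0_738583021@192.168.1.60
Contact: <sip:200@11.22.33.44:22501>
"""
WITHOUT_ALG = """REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753
Call-ID: 0_735247007@192.168.1.60
Contact: <sip:200@192.168.1.60:5060>
"""

def headers(message):
    """Return the first value of each SIP header, keyed by lower-cased name."""
    out = {}
    for line in message.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), value.strip())
    return out

def is_private(host):
    """True/False for an IP literal, None for a hostname or empty string."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return None

def check_sip_alg(message):
    """Classify a REGISTER by whether Via and Contact still hold private addresses."""
    h = headers(message)
    via = re.search(r"SIP/2\.0/\w+\s+([^;:\s]+)", h.get("via", ""))
    contact = re.search(r"sips?:(?:[^@>\s]+@)?([^;:>\s]+)", h.get("contact", ""))
    flags = [is_private(m.group(1)) if m else None for m in (via, contact)]
    if None in flags:
        return "unknown"
    if all(flags):
        return "not rewritten"        # payload untouched: plain NAT, no ALG
    if any(flags):
        return "partially rewritten"  # only one of Via/Contact was changed
    # Both public: a private address left in Call-ID shows the phone is behind NAT.
    call_id_host = h.get("call-id", "").rpartition("@")[2]
    return "rewritten" if is_private(call_id_host) else "public endpoint"
```

The Call-ID check relies on what the first capture shows: the ALG changed Via and Contact but left the phone's private address in Call-ID.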

Disable SIP ALG

Here are some ways to disable SIP ALG on various devices I’ve had experience with.

Cisco ASA

ciscoasa> enable
Password:
ciscoasa# config terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip

Unable to negotiate with port 22: no matching key exchange method found.

Working with an older Cisco ASA, I was not able to directly SSH to the host using SSH on Windows unless I specified the diffie-hellman-group1-sha1 algorithm.

PuTTY gives the following warning:

For Windows, I can use the following command to SSH (as well as SCP).

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@host

Could not establish trust relationship for the SSL/TLS secure channel.

Working with some older Cisco ASA devices, I’m trying to access the ASDM interface. The browser isn’t giving me luck, so I turned to PowerShell to help me, but I get the following error when trying an Invoke-WebRequest to grab the asdm.jnlp file I need.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Eh, ok. My first thought was to somehow avoid a certificate check but I did not see a native way of doing this with Invoke-WebRequest (at least from an old Server 2008 box with PowerShell v4.0).

StackOverflow to the rescue. Here’s the solution that worked for me.

if (-not("dummy" -as [type])) {
    add-type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class Dummy {
    public static bool ReturnTrue(object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }

    public static RemoteCertificateValidationCallback GetDelegate() {
        return new RemoteCertificateValidationCallback(Dummy.ReturnTrue);
    }
}
"@
}

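# From here on, every server certificate is accepted for all requests made in this PowerShell session
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [dummy]::GetDelegate()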

Now I can add on my Invoke-WebRequest and everything works.