Provisioning Guide for Cisco SPA112, SPA122, SPA232D


PROVISIONING GUIDE
Cisco SPA112, SPA122, SPA232D Analog Telephone Adapters

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Copyright 2005-2013 Cisco Systems, Inc. All rights reserved.
78-21581-01

Contents

Chapter 1: Deployment and Provisioning
- Deployment
- Provisioning Overview

Chapter 2: Creating XML Provisioning Scripts
- File Structure
- Compression and Encryption
- Applying a Profile to the ATA
- Using Provisioning Parameters
- Data Types

Chapter 3: In-House Preprovisioning and Provisioning Servers
- Server Preparation and Software Tools
- In-House Device Preprovisioning
- Provisioning Server Setup

Chapter 4: Provisioning Examples
- Basic Resync
- Secure HTTPS Resync
- Profile Management

Chapter 5: Provisioning Parameters
- Configuration Profile Parameters
- Firmware Upgrade Parameters
- General Purpose Parameters
- Macro Expansion Variables
- Internal Error Codes

Chapter 6: Voice Parameters

Chapter 7: Router Configuration Parameters

Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters

- Nested Structure
- WAN Interface
- WAN Interface Parameters
- PHY Port Setting Parameters
- MAC Address Clone Parameters
- Internet Option Parameters
- DHCP Server Pool Parameters
- WAN VLAN Setting Parameters
- CLDP Setting Parameters
- SNMP Parameters
- Time Setup Parameters
- QoS Bandwidth Control Parameters
- Software DMZ Parameters
- Bonjour Enable
- Reset Button Enable
- Router Mode
- VPN Passthrough
- Web Management
- TR 069 Parameters
- Log Configuration Parameters
- Web Login Admin Name
- Web Login Admin Password
- Web Login Guest Name
- Web Login Guest Password
- Additional Information in the router-configuration section

Appendix A: Acronyms
Appendix B: Time Zone Settings
Appendix C: Where to Go From Here

Chapter 1: Deployment and Provisioning

Cisco SPA100 and SPA200 Series ATAs are intended for high-volume deployments by VoIP service providers to residential and small business customers. In business or enterprise environments, these ATAs can serve as terminal nodes. These devices are widely distributed across the Internet, connected through routers and firewalls at the customer premises.

The IP Telephony device can be used as a remote extension of the service provider back-end equipment. Remote management and configuration ensures the proper operation of the IP Telephony device at the customer premises.

This customized, ongoing configuration is supported by the following features:
- Reliable remote control of the endpoint
- Encryption of the communication controlling the endpoint
- Streamlined endpoint account binding

This chapter describes the features and functionality available when provisioning these ATAs and explains the setup required:
- Deployment
- Provisioning Overview

Deployment

These ATAs provide convenient mechanisms for provisioning, based on two deployment models:
- Bulk distribution—The service provider acquires these ATAs in bulk quantity and either preprovisions them in-house or purchases RC units from Cisco. The devices are then issued to the customers as part of a VoIP service contract.
- Retail distribution—The customer purchases the ATA from a retail outlet and requests VoIP service from the service provider. The service provider must then support the secure remote configuration of the device.

Bulk Distribution

In this model, the service provider issues these ATAs to its customers as part of a VoIP service contract. The devices are either RC units or preprovisioned in-house. RC units are preprovisioned by Cisco to resynchronize with a Cisco server that downloads the device profile and firmware updates.

A service provider can preprovision these ATAs with the desired parameters, including the parameters that control resynchronization, through various methods: in-house by using DHCP and TFTP; remotely by using TFTP, HTTP, or HTTPS; or a combination of in-house and remote provisioning.

RC Unit Deployment

RC units eliminate in-house preprovisioning and reduce the need for the service provider to physically handle the devices prior to shipping them to end customers. This approach also discourages the use of these ATAs with an inappropriate service provider.

An RC unit is preprovisioned by Cisco with the connection information for the provisioning servers. These servers are maintained by Cisco Systems, Inc. for the service provider that purchased the units. The MAC address of each RC unit is associated with a customizable profile on the Cisco provisioning servers. When the RC unit is connected to the broadband link, it contacts the Cisco provisioning server and downloads its customized profile.

The service provider works with a Cisco sales engineer to develop a simple provisioning profile. The profile contains minimal information that redirects the device to the service provider provisioning server. This profile is placed on the Cisco RC server by the Cisco Voice Team.

RC Unit Status

The status of an RC unit can be determined by viewing the Info > Product Information page, Customization section, on the administration web server. An RC unit that has not been provisioned displays Pending. An RC unit that has been provisioned displays the name of the company that owns the unit. If the unit is not an RC unit, the page displays Open.

Below is a sample template for an RC unit to be preprovisioned by Cisco with the connection information:

    Restricted_Access_Domains "domain.com, domain1.com, domain2.com";
    Primary_DNS * "x.y.w.z";
    Secondary_DNS * "a.b.c.d";
    Provision_Enable * "Yes";
    Resync_Periodic * "30";
    Resync_Error_Retry_Delay * "30";
    Profile_Rule * "http://prov.domain.com/sipura/profile?id=$MA";

The Restricted_Access_Domains parameter is configured with the actual domain names of up to a maximum of five domains. The Primary_DNS and Secondary_DNS parameters are configured with the IP addresses of the DNS servers available to the RC unit.

Retail Distribution

In a retail distribution model, a customer purchases a Cisco ATA and subscribes to a particular service. The Internet Telephony Service Provider (ITSP) sets up and maintains a provisioning server, and preprovisions the phone to resynchronize with the service provider server. See In-House Device Preprovisioning, page 37 for more information.

The customer signs on to the service and establishes a VoIP account, possibly through an online portal, and binds the device to the assigned service account. When the device is powered up or a specified time elapses, the IP Telephony device resynchronizes, downloading the latest parameters. These parameters can address goals such as setting up a hunt group, setting speed dial numbers, and limiting the features that a user can modify.

Resynchronization Process

The firmware for each ATA includes an administration web server that accepts new configuration parameter values. The ATA is instructed to resync with a specified provisioning server through a resync URL command. For prov.supervoip.com/cisco-init/spa.cfg

In this example, a device at the DHCP-assigned IP address 192.168.1.102 is instructed to provision itself to the SuperVoIP service at prov.supervoip.com. The remote provisioning server is configured to associate the ATA that is performing the resync request with the new account, based on the config file spa.cfg.

Through this initial resync operation, the ATA is configured in a single step, and is automatically directed to resync thereafter to a permanent URL on the server.

For both initial and permanent access, the provisioning server relies on the client certificate for authentication and supplies configuration parameter values based on the associated service account.

Provisioning Overview

An IP Telephony device can be configured to resynchronize its internal configuration state to match a remote profile periodically and on power up by contacting a normal provisioning server (NPS) or an access control server (ACS).

By default, a profile resync is only attempted when the IP Telephony device is idle, because the upgrade might trigger a software reboot interrupting a call. If intermediate upgrades are required to reach a current upgrade state from an older release, the upgrade logic is capable of automating multi-stage upgrades.

NPS

The NPS can be a TFTP, HTTP, or HTTPS server. A remote firmware upgrade is achieved by using TFTP or HTTP, but not by using HTTPS because the firmware does not contain sensitive information.

Communication with the NPS does not require the use of a secure protocol because the updated profile can be encrypted by a shared secret key. Secure first-time provisioning is provided through a mechanism that uses SSL functionality. An unprovisioned ATA can receive a 256-bit symmetric key encrypted profile specifically targeted for that device.

TR-069

The digital subscriber line (DSL) Forum TR-069, CPE WAN Management Protocol (CWMP), is used for communications between a customer premise equipment (CPE) device and an auto-configuration server (ACS). The TR-069 Agent manages a collection of CPE devices, with the primary capability for auto-configuration and dynamic service provisioning, software image management, status and performance monitoring, and diagnostics.

It supports multiple scenarios, including:
- Device administration: Authenticates administrators, authorizes commands, and provides an audit trail
- Remote Access: Works with VPN and other remote network access devices to enforce access policies
- Network admission control: Communicates with posture and audit servers to enforce admission control policies

The TR-069 Agent CPE devices must be set up and enabled for TR-069. An ACS used to communicate with the CPE must be TR-069 compliant in order to enable the TR-069 Agent.

Provisioning States

The provisioning process involves these provisioning states:

The device returns to a fully unprovisioned state; all configurable parameters regain their default values.

Manufacturing reset can be performed through the IVR sequence ****RESET#1#.

On phones that do not support IVR, press the reset button or LCD factory reset entry to reset it to the default values.

Allowing the end user to perform a manufacturing reset guarantees that the device can always be returned to an accessible state.

State: SP-CUST (Service Provider Customization)

Description: The Profile_Rule parameter points to a device-specific configuration profile by using a provisioning server that is specific to the service provider. The methods for initiating resynchronization are:
- Auto-configuration by using a local DHCP server. A TFTP server name or IPv4 address is specified by DHCP. The TFTP server includes the Profile_Rule parameter in the configuration file.
- Entering a resync URL. The URL starts a web browser and requests a resync to a specific TFTP server by entering the URL syntax: cfg, where: x.x.x.x is the IP address of the IP Telephony device, prvserv is the target TFTP server, and device.cfg is the name of the configuration file on the server.
- Editing the Profile_Rule parameter by opening the provisioning pane on the web interface and entering the TFTP URL in the Profile_Rule parameter. For example, tftp://prserv/spa112.cfg.
- Modifying the configuration file Profile_Rule to contact a specific TFTP server and request a configuration file identified by the MAC address. For example, this entry contacts a provisioning server, requesting a profile unique to the device with a MAC address identified by the $MA parameter:

    Profile_Rule tftp.callme.com/profile/$MA/spa112.cfg;

State: SEC-PRV-1 (Provisioning—Initial Configuration)

Description: An initial, device-unique CFG file is targeted to an IP Telephony device by compiling the CFG file with the SPC -target option. This provides an encryption that does not require the exchange of keys.

The initial, device-unique CFG file reconfigures the device profile to enable stronger encryption by programming a 256-bit encryption key and pointing to a randomly generated TFTP directory. For example, the CFG file might contain:

    Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa112.cfg;
    GPP_A 8e4ca259 ; # 256 bit key
    GPP_B Gp3sqLn ; # random CFG file path

State: SEC-PRV-2

Description: Profile resync operations subsequent to the initial SEC-PRV-1 provisioning retrieve the 256-bit encrypted CFG files that maintain the IP Telephony device in a state synchronized to the provisioning server.

The profile parameters are reconfigured and maintained through this strongly encrypted profile. The encryption key and random directory location in the SEC-PRV-2 configuration can be changed periodically for extra security.

Configuration Access Control

The IP Telephony device firmware provides mechanisms for restricting end-user access to some parameters. The firmware provides specific privileges for login to an Admin account or a User account. Each can be independently password protected:
- Admin Account—Allows the service provider full access to all interactive voice response (IVR) functions and to all administration web server parameters.
- User Account—Allows the user to access basic IVR functions and to configure a subset of the administration web server parameters.

The service provider can restrict the user account in the provisioning profile in the following ways:
- Indicate which configuration parameters are available to the User account when creating the configuration. (Described in “Element Tags” on page 15.)
- Disable user access to the administration web server.
- Disable user access for LCD GUI. (Described in Access control for LCD GUI, page 17.)
- Disable the factory reset control by using the IVR.
- Restrict the Internet domains accessed by the device for resync, upgrades, or SIP registration for Line 1.

Communication Encryption

The configuration parameters communicated to the device can contain authorization codes or other information that protect the system from unauthorized access. It is in the service provider’s interest to prevent unauthorized activity by the customer, and it is in the customer’s interest to prevent the unauthorized use of the account. The service provider can encrypt the configuration profile communication between the provisioning server and the device, in addition to restricting access to the administration web server.

Chapter 2: Creating XML Provisioning Scripts

The configuration profile defines the parameter values for the ATA.

Standard XML authoring tools are used to compile the parameters and values. To protect confidential information in the configuration profile, this type of file is typically delivered from the provisioning server to the ATA over a secure channel provided by HTTPS. See Compression and Encryption, page 19.

NOTE: Only UTF-8 charset is supported. If you modify the profile in an editor, do not change the encoding format; otherwise, the ATA cannot recognize the file.

File Structure

The profile is a text file with XML-like syntax in a hierarchy of elements, with element attributes and values. This format lets you use standard tools to create the configuration file. A configuration file in this format can be sent from the provisioning server to the ATA during a resync operation without compiling the file as a binary object.

You can obtain the profile for your ATA by logging on to your ATA and then entering the path to the file:

    http://<LAN IP address>/admin/config.xml

For example, using the default IP address of the ATA, you would enter:

    http://192.168.15.1/admin/config.xml

To protect confidential information contained in the configuration profile, this file is generally delivered from the provisioning server to the ATA over a secure channel provided by HTTPS. Optionally, the file can be compressed by using the gzip deflate algorithm (RFC1951). In addition, the file can be encrypted by using 256-bit AES symmetric key encryption.

Example: Open Profile Format

    <flat-profile>
    <Resync_On_Reset> Yes </Resync_On_Reset>
    <Resync_Periodic> 7200 </Resync_Periodic>
    <Profile_Rule> tftp://prov.telco.com:6900/cisco/config/spa504.cfg </Profile_Rule>
    </flat-profile>

The <flat-profile> element tag encloses all parameter elements to be recognized by the ATA.

Element Tags, Attributes, Parameters, and Formatting

A file can include element tags, attributes, parameters, and formatting features.

Element Tags

The properties of element tags are:
- The ATA recognizes elements with proper parameter names, when encapsulated in the special <flat-profile> element.
- The <flat-profile> element can be encapsulated within other arbitrary elements.
- Element names are enclosed in angle brackets.
- Most of the element names are similar to the field names in the administration web pages for the device, with the following modifications:
  - Element names may not include spaces or special characters. To derive the element name from the administration web field name, substitute an underscore for every space or the special characters [, ], (, ), or /. For example, the Resync On Reset field is represented by the element <Resync_On_Reset>.
  - Each element name must be unique. In the administration web pages, the same fields might appear on multiple web pages, such as the Line, User, and Extension pages. Append [n] to the element name to indicate the number that is shown in the page tab. For example, the Dial Plan for Line 1 is represented by the element <Dial_Plan_1_>.

- Each opening element tag must be matched by a corresponding closing element tag. For example:

    <flat-profile>
    <Resync_On_Reset> Yes </Resync_On_Reset>
    <Resync_Periodic> 7200 </Resync_Periodic>
    <Profile_Rule> tftp://prov.telco.com:6900/cisco/config/spa.cfg </Profile_Rule>
    </flat-profile>

- Element tags are case sensitive.
- Empty element tags are allowed. Enter the opening element tag without a corresponding closing element tag, and insert a space and a forward slash before the greater-than symbol. In this example, Profile Rule B is empty:

    <Profile_Rule_B />

- Unrecognized element names are ignored.
- An empty element tag can be used to prevent the overwriting of any user supplied values during a resync operation. In the following example, the user speed dial settings are unchanged:

    <Speed_Dial_2_2_ ua="rw"/>
    <Speed_Dial_3_2_ ua="rw"/>
    <Speed_Dial_4_2_ ua="rw"/>
    <Speed_Dial_5_2_ ua="rw"/>
    <Speed_Dial_6_2_ ua="rw"/>
    <Speed_Dial_7_2
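Added example, not from the Cisco guide: a Python check that reads a profile in the open format described above and reports, for each Profile_Rule, whether the resync it configures uses HTTPS, a cleartext transport carrying a --key encrypted profile, or a cleartext transport with no encryption at all, which is the distinction the Communication Encryption and Compression and Encryption passages draw. The sample profile, host names and key are constructed, and the Profile_Rule_C and Profile_Rule_D names and the single-URL rule form handled here are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (hosts and key are placeholders): a flat-profile nested in
# an arbitrary wrapper element, which the guide says the ATA accepts.
SAMPLE = """<device-config>
  <flat-profile>
    <Resync_Periodic>7200</Resync_Periodic>
    <Profile_Rule>tftp://prov.example.test:6900/cisco/config/spa.cfg</Profile_Rule>
    <Profile_Rule_B>[--key 0123abcd] prov.example.test/profile/spa.cfg</Profile_Rule_B>
    <Profile_Rule_C>https://prov.example.test/spa.cfg</Profile_Rule_C>
    <Profile_Rule_D />
  </flat-profile>
</device-config>"""

RULE_TAG = re.compile(r"^Profile_Rule(_[B-D])?$")
# Optional [options] block, then an optional scheme://, then the rest of the rule.
RULE_TEXT = re.compile(
    r"^\s*(?:\[(?P<opts>[^\]]*)\])?\s*(?:(?P<scheme>[A-Za-z]+)://)?\S")


def field_to_element(field_name):
    """Derive an element name from a web field name: underscore for each
    space or [, ], (, ), / character, as the guide describes."""
    return re.sub(r"[ \[\]()/]", "_", field_name)


def audit_profile(xml_text):
    """Return (element, scheme, verdict) for every non-empty Profile_Rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in root.iter("flat-profile"):
        for elem in profile:
            value = (elem.text or "").strip()
            if not RULE_TAG.match(elem.tag) or not value:
                continue  # other parameters, and empty tags that change nothing
            m = RULE_TEXT.match(value)
            # Assumption: a rule with no scheme is fetched over TFTP, as in the
            # guide's tftp.callme.com examples.
            scheme = (m.group("scheme") or "tftp").lower()
            has_key = "--key" in (m.group("opts") or "").split()
            if scheme == "https":
                verdict = "tls"
            elif has_key:
                verdict = "encrypted-profile"  # cleartext transport, encrypted file
            else:
                verdict = "cleartext"          # profile readable on the wire
            findings.append((elem.tag, scheme, verdict))
    return findings


if __name__ == "__main__":
    for tag, scheme, verdict in audit_profile(SAMPLE):
        print(f"{tag:16} {scheme:6} {verdict}")
```

A "cleartext" verdict means any authorization codes in the fetched profile are exposed in transit; an "encrypted-profile" verdict still leaves the key sitting in the rule text, so the profile that delivers that rule needs its own protection.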
