Ramblings from The Montopolis Group

Building better businesses… with Technology

Archive for the ‘Cisco’ Category

Unfortunately, the Cisco SDM Application Policy defaults don’t actually contain all of the right AIM server hosts.

In your policy map, you need to deny server requests to aimhttp.oscar.aol.com and kdc.uas.aol.com. This is in addition to the default SDM hosts; it appears the older server hosts are still alive.

aimhttp.oscar.aol.com is the HTTP proxy AOL has set up to bypass blocked hosts.

kdc.uas.aol.com is a new host that has appeared with the latest version of AIM.

You can fully test your policy by downloading AIM and running the auto-config wizard. If AIM is still able to find a connection to AOL servers, you don’t have something set up right.
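The following is an added example, not configuration from the original post or from SDM itself, showing how the two hosts named above are added to a Zone-Based Firewall IM inspection policy in IOS CLI. The parameter-map, class-map and policy-map names (aim-servers, aim-any, im-policy, aim-l4, inside-to-outside) and the name-server address are assumptions chosen for this example; the default hosts SDM generates are left in place and only the two from the post are shown.

```cisco
! Added example (not from the original post or from SDM): block AIM,
! including the two hosts the post says the SDM defaults miss.
! All object names below are assumptions for this example.

! The protocol-info map holds FQDNs, so the router must resolve names.
ip domain lookup
ip name-server 192.0.2.53          ! constructed placeholder resolver

! Server list the AIM engine matches against. Keep the entries SDM
! generated by default and add the two hosts named in the post.
parameter-map type protocol-info aim-servers
 server name aimhttp.oscar.aol.com  ! AOL HTTP proxy used to bypass blocks
 server name kdc.uas.aol.com        ! newer host seen with the latest client

! Layer 7 class: every AIM service (login, text chat, file transfer)
class-map type inspect aol match-any aim-any
 match service any

! Layer 7 policy: reset matching AIM sessions and log them
policy-map type inspect im im-policy
 class type inspect aol aim-any
  reset
  log

! Layer 4 class that hands AIM flows to the IM engine
class-map type inspect match-any aim-l4
 match protocol aol aim-servers

! Layer 4 policy referenced from the inside-to-outside zone-pair;
! the IM policy is nested under the inspect action.
policy-map type inspect inside-to-outside
 class type inspect aim-l4
  inspect
  service-policy im im-policy
 class class-default
  drop
```

Once applied, `show policy-map type inspect zone-pair sessions` lists any AIM sessions the router has seen, which is a quicker check than the auto-config wizard while you are tuning the server list; if an AIM connection still succeeds, confirm the router resolves the FQDNs and that the policy-map is the one actually bound to the zone-pair.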


New to Cisco Zone Based (Policy) Firewall?

Cisco IOS routers have a new firewall configuration method. OK, so it’s not so new (Feb 2006), but I tend to let drastic new technologies like this “cook” for a while before I’ll partake. Plus I finally got a handle on the Inspect/CBAC way of doing things! BTW, the “old” method is now called the IOS Classic Firewall ;)

The new method is called Zone Based Firewall, or Zone Based Policy Firewall if you want, and definitely improves the simplicity of configuring a firewall policy.

If you’re used to working with the PIX/ASA firewalls, the learning curve is not as high because they also work off the concept of zones.

This document shows a very simple example of what the new ZBF configuration looks like. They also provide some performance numbers, but what is absent is a comparison of performance with the previous Inspect/CBAC method.

That all being said, SDM 2.5 builds ZBF configurations by default. If you have an existing Inspect/CBAC configuration, however, SDM will continue to support it (at least for now).

I’ll be honest, when I first saw SDM build a ZBF firewall configuration I immediately pulled it out, put in my own Inspect/CBAC configuration, and then went on happily.

But times are changing, and if you need to firewall more than two interfaces, with varying degrees of lock-down, the ZBF truly looks like the way to go. Managing multiple ACLs and Inspect/CBAC configurations gets really tedious after a while, which makes it easy to screw something up inadvertently.
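To show what the three-interface case looks like, here is an added example of a minimal ZBF configuration; it is not from the post or from any of the Cisco documents linked below. The zone, class-map, policy-map and interface names and the DMZ server address are assumptions for this example. The point it demonstrates is that each inter-zone direction gets its own zone-pair and policy, and anything without a zone-pair is dropped by default, which is what replaces the per-interface ACL plus inspect rule juggling of the classic method.

```cisco
! Added example (not from the original post): inside, DMZ and outside
! zones with different lock-down per direction. Names are assumptions.

! 1. Define the security zones
zone security inside
zone security dmz
zone security outside

! 2. ACL identifying the one published DMZ server (constructed address)
ip access-list extended DMZ-WEB-SERVER
 permit ip any host 192.0.2.10

! 3. Layer 4 class-maps describing what each policy applies to
class-map type inspect match-any inside-protocols
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-all to-dmz-web
 match access-group name DMZ-WEB-SERVER
 match protocol http

! 4. Policies: inspect = stateful permit with return traffic allowed,
!    class-default catches everything else
policy-map type inspect inside-to-outside
 class type inspect inside-protocols
  inspect
 class class-default
  drop log

policy-map type inspect any-to-dmz
 class type inspect to-dmz-web
  inspect
 class class-default
  drop log

! 5. Zone-pairs are unidirectional; a direction with no zone-pair
!    (here dmz->inside and outside->inside) is dropped
zone-pair security in-out source inside destination outside
 service-policy type inspect inside-to-outside
zone-pair security in-dmz source inside destination dmz
 service-policy type inspect any-to-dmz
zone-pair security out-dmz source outside destination dmz
 service-policy type inspect any-to-dmz

! 6. Bind interfaces to zones; an interface in no zone cannot exchange
!    traffic with an interface that is in one
interface FastEthernet0/0
 description Inside LAN
 zone-member security inside
interface FastEthernet0/1
 description DMZ
 zone-member security dmz
interface Serial0/0/0
 description Internet
 zone-member security outside
```

Two things to check before trusting a configuration like this: traffic to and from the router itself belongs to the built-in self zone and is not covered by these zone-pairs, so management access needs its own policy or the default self-zone behaviour reviewed; and `show zone-pair security` plus `show policy-map type inspect zone-pair` confirm that each policy is bound where you think it is.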

Here are a few other overview links to get you started:

Cisco IOS Firewall Performance Guidelines for Cisco Integrated Services Routers

Zone-Based Policy Firewall Design and Application Guide

Cisco IOS Firewall Zone-Based Policy Firewall Release 12.4(6)T Technical Discussion February 2006

Zone-Based Policy Firewall

Ivan Pepelnjak’s Deploying Zone-Based Firewalls book

IOS Zone Based Firewall Configuration

Great Cisco IP telephony tools

A great set of tools for working with Cisco IP phones is here.

Here is a summary of what is available:

Phone Remote

Phone Remote allows you to take control of a Cisco IP phone (7940, 7941, 7960, 7961, 7970 and 7971 models) from anywhere with network connectivity.

Background Deployment

Background Deployment allows an administrator to remotely push a background image to Java-based phones (7941, 7961, 7970 and 7971 phones).

Ringtone Deployment Tool

Ring Tone Deployment is a utility which allows an administrator to remotely deploy a default ring type to 7940, 7941, 7960, 7961, 7970 and 7971 model IP phones.
