
Multisite UC540 and DMVPN

This is a bit involved, but any guidance would be greatly appreciated.

Also, allow me to state I'm a CCNA, CCNA-Voice, and CCNP, so I'm not ignorant as to intelligent network design... I've just never deployed any other site-to-site VPN topology besides star. I.e., never worked w/ GET or DMVPN, and I just recently discovered this technology and I'm intrigued. I've also only used ASA 5500s; never a router. However, since DMVPNs are ONLY supported on IOS routers, I need to investigate this.

Here is the scenario for a client I'm looking at:

1 central site w/ a UC560

The central site will have 50 users, w/ an Active Directory server, running Exchange, and another file server which will house dept. shares and home directories

10 branch sites, each w/ a UC540.

Each branch site will have 20 users

So here's what occurs to me.

- the DATA VLAN ~can~ function in the typical Hub-Spoke VPN since the server w/ all the user data is at HQ; it's rare clients will need direct communication w/ each other

- HOWEVER, the VOICE VLAN on the other hand will probably have quite a bit of site-to-site communication

My design questions

1. Would there be any benefit to setting up a DMVPN for -just- the voice VLAN? It uses SCCP, not SIP for the phones, so I know the UC500 functions as a gateway. HOWEVER, since this is a distributed topology, w/ a UC500 at each site, would this be beneficial?

2. Instead of UC500, would it be beneficial to use 2800 w/ NM-CUE? This way the phones can actually utilize SIP. So...would using SIP instead of SCCP make a DMVPN an advantageous deployment?

3. And what if I went w/ the UC Business Edition w/ all the Unity [VM & AA] features also now housed ONLY at HQ. How would that affect this VPN architecture?

4. Practically speaking, in the big scheme of things, does it really matter? Having a DMVPN for the VOICE VLAN? Why or why not?

Please discuss. I've read several white papers from Cisco's site, but they seem to be focused more on "how" rather than "why or why not" to deploy a certain way.


I'm also interested in the answers to your questions. We are working with a customer right now that has about 10 sites total and would like to deploy DMVPN. The branch locations are UC540 routers and the hub may end up being a 2921 with a UC540 for voice. I was worried about performance issues at the hub site with 10 branch routers and several remote access user VPN tunnels on a UC560.


One thing I would like to bring to your attention is the fact that the Cisco SBCS (UC500) can connect up to a maximum of 5 sites only.

Sent from Cisco Technical Support iPad App


I've implemented a few roughly 10-site networks with UC500, but I've used a 2811 at the hub sites to do VPN. I only have 2 dynamic endpoints, and my preference is always to avoid dynamic endpoints unless absolutely unavoidable, purely for troubleshooting.

It's very easy to add a simple GRE tunnel (or IPSec if encryption is required) for the voice paths between spokes if you have static IP on all the spokes.

Just remember that, as with any mix of SB and trad Cisco kit, TAC support will be flaky unless raised on the trad kit, e.g. 2811.

Sent from Cisco Technical Support iPhone App

The UC500 is perfectly capable of DMVPN. Obviously command line config only.

I nearly always use DMVPN now instead of policy-based methods. Just keep in mind the processor overhead of terminating too many VPNs. If in doubt, use a router in front.

Sent from Cisco Technical Support iPhone App
