10-07-2020 03:08 PM - edited 10-07-2020 05:32 PM
Hello,
I am looking to confirm that the design below is a supported DNS design, along with any other recommendations from the Cisco UC engineers/experts here.
Objectives
CUCM Nodes
cucmpub.organization.local | 10.7.1.2 |
cucmsub1.organization.local | 10.7.1.3 |
cucmsub2.organization.local | 10.7.1.4 |
impub1.organization.local | 10.7.1.5 |
imsub1.organization.local | 10.7.1.6 |
Unity nodes
unitypub1.organization.local | 10.7.1.7 |
unitysub1.organization.local | 10.7.1.8 |
DNS Design
By utilizing the same single DNS domain 'example.com' internally and externally.
Internal
External
INTERNAL DNS A-Records
Expressway-C
expc.example.com | cluster in round robin | 10.10.10.1 10.10.10.2 10.10.10.3 |
expc1.example.com | node#1 | 10.10.10.1 |
expc2.example.com | node#2 | 10.10.10.2 |
expc3.example.com | node#3 | 10.10.10.3 |
Expressway-E
expe.example.com | cluster in round robin | 10.10.1.11 10.10.1.12 10.10.1.13 |
expe1.example.com | node#1 | NIC#1 10.10.1.11 NIC#2 10.10.2.11 | NIC#2 is NATed on the firewall |
expe2.example.com | node#2 | NIC#1 10.10.1.12 NIC#2 10.10.2.12 | NIC#2 is NATed on the firewall |
expe3.example.com | node#3 | NIC#1 10.10.1.13 NIC#2 10.10.2.13 | NIC#2 is NATed on the firewall |
Internal DNS SRV Records
| Domain | Service | Protocol | Priority | Weight | Port | Target host |
| --- | --- | --- | --- | --- | --- | --- |
| example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub1.organization.local |
| example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub2.organization.local |
| example.com | cuplogin | tcp | 10 | 10 | 8443 | impub1.organization.local |
| example.com | cuplogin | tcp | 10 | 10 | 8443 | imsub1.organization.local |
EXTERNAL DNS A-Records (round robin using public DNS provider)
| Domain | IP Address | Target host |
| --- | --- | --- |
| example.com | 11.0.0.1 | expe1.example.com |
| example.com | 11.0.0.2 | expe2.example.com |
| example.com | 11.0.0.3 | expe3.example.com |
External DNS SRV Records
| Domain | Service | Protocol | Priority | Weight | Port | Target host |
| --- | --- | --- | --- | --- | --- | --- |
| example.com | collab-edge | tls | 10 | 10 | 8443 | expe1.example.com |
| example.com | collab-edge | tls | 10 | 10 | 8443 | expe2.example.com |
| example.com | collab-edge | tls | 10 | 10 | 8443 | expe3.example.com |
| example.com | sips | tcp | 10 | 10 | 5061 | expe1.example.com |
| example.com | sips | tcp | 10 | 10 | 5061 | expe2.example.com |
| example.com | sips | tcp | 10 | 10 | 5061 | expe3.example.com |
According to Expressway 12.5.x documentation,
1- Please verify that the above design looks good.
2- The recommendation is to utilize single domain ‘Example.com’ with split DNS structure. Correct?
Single Domain with Split DNS - Recommended
A single domain means that you have a common domain (example.com) with separate internal and external DNS servers. This allows DNS names to be resolved differently by clients on different networks depending on DNS configuration, and aligns with basic Jabber service discovery requirements.
3- No concerns as Expressway systems (C and E) do NOT share the same domain with CUCM nodes per same documentation link. Correct?
Unified CM nodes and Expressway peers can be located in different domains. For example, your Unified CM nodes may be in the enterprise.com domain and your Expressway system may be in the edge.com domain.
In this case, Unified CM nodes must use IP addresses or FQDNs for the Server host name / IP address to ensure that Expressway can route traffic to the relevant Unified CM nodes.
Unified CM servers and IM and Presence Service servers must share the same domain.
The first character of the DNS host name defined for the Unified CM must be a letter (do not start with a digit or special character).
4- Review the Expressway certificate requirements; an example would be helpful.
Certificates
I appreciate your assistance in advance.
Thanks.
10-08-2020 10:02 AM
single domain:-
multi domain:-
Single domain is pretty easy, as all your applications will be in xyz.com.
With multi domain you need to play with DNS.
In both cases the user will log in with an email address.
10-07-2020 10:57 PM
Looks good to me. One note, you don’t need to have the cuplogin SRV records. It is only used by very old versions of Jabber and is described in the service discovery process that it’s no longer necessary.
10-08-2020 06:45 AM
Noted. Indeed, the documentation doesn't state that 'cuplogin' is required.
Thanks for the feedback.
10-08-2020 08:58 AM
Roger,
Could you please take a second look at the external DNS A-records? Do we need a specific one for the Expressway-E cluster itself? See the table below.
EXTERNAL DNS A-Records (round robin using public DNS provider)
| Domain | IP Address | Target host |
| --- | --- | --- |
| example.com | 11.0.0.1 11.0.0.2 11.0.0.3 | expe.example.com |
| example.com | 11.0.0.1 | expe1.example.com |
| example.com | 11.0.0.2 | expe2.example.com |
| example.com | 11.0.0.3 | expe3.example.com |
Thanks.
10-09-2020 10:32 AM - edited 10-09-2020 10:33 AM
Roger - it appears there's no requirement for an MRA cluster DNS A-record for the Exp-C cluster or the Exp-E cluster. This is only needed for other Expressway deployments. Thanks anyway!
10-08-2020 03:23 AM
Single domain is when all your applications, both internal and external, are in example.com.
But in your case, internal and external are different.
I use the DNS entries below if the internal and external domains are different.
Expressway-C can be on .organization.local like your UC applications; these are internal servers.
You need to have two zones in internal DNS: one for organization.local and a second for example.com, where you create a DNS A record for expresswaye.example.com pointing to the internal IP of Expressway-E.
And internal DNS SRV records as mentioned below.
| Domain | Service | Protocol | Priority | Weight | Port | Target host |
| --- | --- | --- | --- | --- | --- | --- |
| organization.local | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub1.organization.local |
| organization.local | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub2.organization.local |
When generating the CSR for Expressway-E, make sure that you add the public domain in the DNS field.
10-08-2020 07:01 AM - edited 10-08-2020 08:14 AM
Nithin - Good catch. I thought the single domain split DNS is at the enterprise level, so it can support Exp-C and Exp-E using the same domain. Hence, I was proposing to use 'Example.com' additionally, as noted in point #3 'Unified CM and Expressway in Different Domains Deployment', so they can be in different domains.
Here's my case:
1- Example.com is the domain associated with the users' email/Exchange, so it's the preferred path.
2- Currently, IM users are using 'Example.com' domain from the inside based on SRV records
Internal DNS SRV Records
| Domain | Service | Protocol | Priority | Weight | Port | Target host |
| --- | --- | --- | --- | --- | --- | --- |
| example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub1.organization.local |
| example.com | cisco-uds | tcp | 10 | 10 | 8443 | cucmsub2.organization.local |
| example.com | cuplogin | tcp | 10 | 10 | 8443 | impub1.organization.local |
| example.com | cuplogin | tcp | 10 | 10 | 8443 | imsub1.organization.local |
3- Potentially, by next summer we are planning to upgrade CUCM and move the nodes into the 'Example.com' domain (same IPs).
Considering this, would you see any issues with the original design, and do we need to add the two domains 'Example.com' and 'organization.local' into the Expressway 'Configuration - Domains' menu for both Exp-C and Exp-E?
Thank you!
10-09-2020 10:30 AM
Thank you for clarifying this. I truly appreciate it. After running this with TAC - it looks like below is a supported DNS design as well.
Mixed domain
client email address is @xyz.com.
UC application domain is xyz.local
expressway C domain is xyz.com //local dns enterprise
expressway E domain is xyz.com //global dns provider
Review DNS
Single Domain with Split DNS - Recommended
Dual Domain without Split DNS
Single Domain without Split DNS
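A small audit of the DNS design discussed in this thread, as an added example that is not from the original posts or from Cisco: it parses constructed internal and external DNS views modelled on the record tables in the first post and applies the checks raised above (every SRV target must have an A record in the same view, Unified CM host names must start with a letter, cuplogin SRV records are no longer needed, and a split-DNS external view must not publish internal addresses). The simplified "A"/"SRV" line format and the two mistakes planted in the external view are assumptions made for the example.

```python
import ipaddress

# Constructed zone data modelled on the record tables in the first post (not real
# zone files). Two mistakes are planted in the external view: expc leaked into
# public DNS, and expe3 is an SRV target with no A record in that view.
INTERNAL_VIEW = """
A cucmsub1.organization.local 10.7.1.3
A cucmsub2.organization.local 10.7.1.4
A impub1.organization.local 10.7.1.5
A expc.example.com 10.10.10.1 10.10.10.2 10.10.10.3
SRV _cisco-uds._tcp.example.com 10 10 8443 cucmsub1.organization.local
SRV _cisco-uds._tcp.example.com 10 10 8443 cucmsub2.organization.local
SRV _cuplogin._tcp.example.com 10 10 8443 impub1.organization.local
"""
EXTERNAL_VIEW = """
A expe1.example.com 11.0.0.1
A expe2.example.com 11.0.0.2
A expc.example.com 10.10.10.1
SRV _collab-edge._tls.example.com 10 10 8443 expe1.example.com
SRV _collab-edge._tls.example.com 10 10 8443 expe3.example.com
SRV _sips._tcp.example.com 10 10 5061 expe2.example.com
"""

def parse_view(text):
    """Parse 'A name ip...' and 'SRV name prio weight port target' lines."""
    a_records, srv_records = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "A":
            a_records.setdefault(fields[1].lower(), set()).update(fields[2:])
        elif fields and fields[0] == "SRV":
            srv_records.setdefault(fields[1].lower(), []).append(
                (int(fields[4]), fields[5].lower()))
    return a_records, srv_records

def audit_view(text, external):
    """Return findings for one DNS view; external=True adds public-view rules."""
    a_records, srv_records = parse_view(text)
    findings = []
    for name, ips in a_records.items():
        if not name[0].isalpha():  # host-name rule quoted from the Cisco docs above
            findings.append(f"{name}: host name must start with a letter")
        if external and any(ipaddress.ip_address(ip).is_private for ip in ips):
            findings.append(f"{name}: private address published in external DNS")
    for service, entries in srv_records.items():
        if service.startswith("_cuplogin."):
            findings.append(f"{service}: cuplogin SRV is not needed by current Jabber")
        for _port, target in entries:
            if target not in a_records:
                findings.append(f"{service}: target {target} has no A record in this view")
    return findings
```

Run `audit_view` once per view: the internal view should only flag the cuplogin records, and the external view should flag the leaked Expressway-C address and the dangling expe3 target.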