Cisco WebEx Meetings Server-Internal IRP vs Split Horizon

k.ms (Level 1)

Hi,

We are planning to install CWMS 1.1 but are not able to decide between the two topologies below:

a. Internal Internet Reverse Proxy, with all virtual machines including the IRP in the same internal network (i.e. no IRP in the DMZ).

b. Split Horizon, with the IRP in the DMZ network.

I would prefer option a (all VMs in the internal network) as it needs fewer changes on the firewall (allow ports 80 & 443 from external to internal), but I am not sure how risky it is, as we will be allowing all external internet traffic directly to the internal IRP on ports 80 & 443. Will we be compromising on security if we go with this option?

Please suggest which option is recommended. I have gone through the pros & cons mentioned in the CWMS planning guide 1.1.

Thanks

KMS


7 Replies

Srdjan Ciric (Cisco Employee), accepted solution

Hello KMS,

I would like to help you over here.

What I have seen in production is both scenarios, but more users are going with split horizon (IRP in DMZ), I would say, as they have more freedom on how traffic is handled from the VMs, and also most customers like to have an additional firewall between the IRP and the system inside. On the other hand, for that deployment you need 2 HW boxes.

Hope this helps

Thanks,

Srdjan

Thanks for the reply Srdjan. We are planning to install 250 user system with Split Horizon topology.

Regards

KMS

Srdjan, KMS,

Apologies to jump in, but I am also doing a 50 port installation. I am leaning towards the internal topology as well, as it appears to be less complex and best performing.

Srdjan,

+5 for the info. Can you please confirm if the below applies to 50 port systems as well? Do we need to have a minimum of two boxes to install the split-horizon topology?

"On the other hand, for that deployment you need 2 HW boxes."

I was under the impression we can patch the physical CWMS server onto a DMZ switch and can do the split-horizon topology with only one hardware box. Can you please confirm if that's possible at all?

I tried to raise a request with PDI and was rejected that PDI at the moment is not supporting this product.

I have same queries - let me know I can open a separate thread if you want.

1) How much of a security risk does an Internal IRP involve?

2) Is there any additional Cisco device we can recommend to the customer to add extra layer of security to the solution?

3) We have only one hardware box - what would be the best design in that scenario? (50 port installation)

Terry

Hi Terry,

You can use two boxes if you like to:

One for Admin (Internal network) and other for IRP (DMZ network)

but "The IRP VMs can be co-located with the Internal VMs on the same blades. This is supported only with the Micro deployment",

so in your case you can install the IRP on the same box, provided the UCS has enough resources to handle both Admin and IRP.

Yes, you can do the same. As the UCS has multiple physical NICs, you can connect one to the internal network and the other to the external (DMZ) network. And within your ESXi host you can have multiple vSwitches mapped accordingly to these uplinks, and you can assign them accordingly to your VMs.

Not much; it remains the same from a security point of view, as you are just letting port 80 and 443 traffic in, only to the public VIP IP.

Having some kind of firewall to allow only the needed traffic always helps.

Feel free to post if any more question/s?

HTH

Arun
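The security point Arun makes above is that, in either topology, the only path the Internet should have into the CWMS segment is TCP 80/443 to the public VIP, with a firewall allowing nothing else. The following is an added example (not from this thread, Cisco documentation or the CWMS product) of how a practitioner could audit an exported firewall policy for exactly that property. The five-column rule format, the hypothetical internal subnet 10.10.10.0/24 and the VIP 10.10.10.50 are constructed for the example; it flags any allow rule from outside the internal network that reaches more than TCP 80/443 on the VIP.

```python
"""Audit a simple firewall rule list for an Internal-IRP style deployment.

Added example, not code from the forum thread or from Cisco. The rule
format (action proto src dst dport) and all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; '#' starts a comment, 'any' means any port."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action.lower(), proto.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port.lower() == "any" else int(port)))
    return rules


def find_violations(rules: List[Rule], internal_net: str, public_vip: str,
                    allowed_ports=(80, 443)) -> List[Rule]:
    """Return allow rules that expose more than TCP 80/443 to the public VIP.

    A rule is 'inbound from outside' when its source is not inside the
    internal network and its destination overlaps the internal network.
    """
    internal = ipaddress.ip_network(internal_net)
    vip = ipaddress.ip_network(public_vip)
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src.subnet_of(internal) or not r.dst.overlaps(internal):
            continue  # internal-origin or not aimed at the internal segment
        too_wide_dst = not r.dst.subnet_of(vip)     # must hit the VIP only
        wrong_port = r.dport not in allowed_ports   # None (any port) is wrong too
        wrong_proto = r.proto != "tcp"
        if too_wide_dst or wrong_port or wrong_proto:
            bad.append(r)
    return bad


# Constructed sample policy: two correct rules, two over-permissive ones.
SAMPLE_RULES = """
# action proto src             dst               dport
allow    tcp   0.0.0.0/0       10.10.10.50/32    443   # public VIP, HTTPS
allow    tcp   0.0.0.0/0       10.10.10.50/32    80    # public VIP, HTTP redirect
allow    tcp   0.0.0.0/0       10.10.10.0/24     443   # too broad: whole VM subnet
allow    any   203.0.113.0/24  10.10.10.50/32    any   # any proto/port from a partner range
deny     any   0.0.0.0/0       10.10.10.0/24     any
"""


def audit(text: str = SAMPLE_RULES, internal_net: str = "10.10.10.0/24",
          public_vip: str = "10.10.10.50/32") -> List[Rule]:
    return find_violations(parse_rules(text), internal_net, public_vip)


if __name__ == "__main__":
    for r in audit():
        print(f"over-permissive inbound rule: {r}")
```

Run it against a policy exported in the same shape and every printed rule is one that lets external traffic reach something other than TCP 80/443 on the VIP; with a split-horizon design the same check can be run twice, once for the Internet-to-DMZ firewall (VIP only) and once for the DMZ-to-internal firewall (IRP-to-internal-VM traffic only).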

Arun +5 for the quick response.

Sorry just edited my post to include:

"Not much, remains same from security point of view, you are just letting port 80 and 443 traffic only on public VIP IP."

1) Do you mean there is not much of a difference between both topologies from a security point of view?

2) Is there any feedback from field deployments on which design would be the recommended approach for a micro deployment: Internal IRP or Split-horizon? Sorry if this is a bit of a repeat of the question, but according to the planning guide it gets very complex with the split-horizon design and it also impacts performance. What would be the recommendation there?

3) For the Video conferencing do we have any sort of QoS policies to control/police number of calls etc. on the CWMS?

Thanks Again for your help.

Terry,

It really depends on company policies; as you know, some companies' policies don't allow putting any external-facing server in the internal network, only in the DMZ. We've seen both types of deployments, but with a majority of Split-horizon compared to Internal.

Performance wise no issues with any type.

Yes, there are options on the admin page to control QoS for both voice and video, RTP & signalling too. Just an FYI: standard video endpoints like EX-series or CTS endpoints are not supported with the current release, only audio.

For policing there is no option on CWMS, but you can control that via your regular QoS policies if you are coming over a remote WAN.

Thanks, Arun

Thanks Arun.