06-11-2017 08:35 PM - edited 03-18-2019 12:17 PM
Hello Support Community,
I hope this is in the right group. (Edit 6-13-2017 - I had this in Network Infrastructure - Other, but I'm not getting any replies, perhaps I'm impatient? So I moved it to Collab>IP Telephony)
We are currently looking at new options for Internet, WAN, and our SIP provider. The new plan includes dropping MPLS for Multipoint Metro Ethernet and removing an ISP-provided SIP trunk in favor of something like Broadvoice (to save money).
Our current design is as follows:
Our service provider currently provides internet and MPLS on the same physical link. The SIP trunk rides over that MPLS circuit. We run BGP with our service provider over this MPLS circuit as well.
We have two voice 2911s and an ASA5512-X.
The first router is where the service provider connection terminates. This is split off via 802.1q tags and sub-interfaces: Internet and MPLS. The Internet link has an ACL that filters out bad IPs and denies all traffic to itself, but permits everything else. Another interface is configured with a public IP that resides in our public LAN block and is in an isolated VLAN (Internet VLAN). The router has an interface on the LAN (Voice), too. The MPLS and the LAN access interfaces are in the global default vrf. The Internet sub-interface and that second interface are in a separate vrf (we call it internet). It is configured as a CUBE.
The second router is where a PRI terminates and also acts as our VPN (site-to-site) gateway. This router has two interfaces configured. One in the LAN (Voice) and one in the "Internet VLAN", with a public IP. The public interface has an ACL that is only open from our other sites. Router 2 uses Router 1 to get out to the internet.
The ASA has its interfaces configured similarly to router 2. Its inside interface is of course in the LAN (Data) and its outside interface in the "Internet VLAN". The ASA is where we do NAT and uses Router 1 as its default gateway.
We run EIGRP internally between our two routers and our switch. The ASA is purely static routing.
We use CUCM 10.5.2.
Attached you'll find a diagram of the set up. I can provide sanitized configs if need be.
With broadvoice or a similar SIP provider, we would have to have an internet facing interface to register the SIP trunk. This would be difficult in our case as we have Router 1's internet facing interfaces split off in that internet vrf with no easy or safe way of getting it to our voice vlan.
How would you go about designing this? I'm racking my brain trying to figure it out. I can't figure out how to configure this to be secure, yet easy to troubleshoot the voice side of things. An option that I keep thinking about is maybe doing some sort of IOS firewall on Router 1 and dropping the vrf, as we wouldn't need separate routing instances anymore. I have read that a firewall between CUCM/Phones and the SIP Trunk complicates things. The other option is to use the new service provider for our voice needs, as they would have a dedicated link for SIP traffic, and I'm very tempted to just go this route for ease and a better sense of security.
I apologize if this doesn't make sense, as I seem to be rambling, and will attempt to clear anything up.
Any help is greatly appreciated!
06-13-2017 05:47 PM
Cisco Expressway-E on DMZ and Expressway-C inside
06-13-2017 06:00 PM
OK, let me kick the discussion off. I would try to stick the CUBE in the DMZ rather than in front of your firewall. Keep one router in front of your ASA and just add a static default route from your ASA to your router.
If you stick your CUBE in a DMZ you would only need to allow your provider to talk to your CUBE on port 5060/5061 to your DMZ and your CUBE to CUCM on port 5060/5061 (plus RTP ports).
Put your VCSe in the same DMZ as CUBE
Please rate if useful
06-14-2017 01:37 PM
Dennis,
Thank you for your reply!
I did think about that, but was conflicted on how that would work. The CUBE is the default gateway for the ASA, so not sure we could do that. We would have to NAT outgoing and incoming, correct?
If that's what we would need to do, then maybe we would need to create a new routing instance on the CUBE router, put an interface in the DMZ and set up NAT. We might be able to do that. One of Broadvoice's engineers said that they go strictly off of IP, so I'm assuming we won't have to register or do any out-bound proxy.
Sounds rough for troubleshooting.
We don't have any telepresence servers, yet so we wouldn't have to worry about that.
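The DMZ placement Dennis suggests, together with the NAT question raised in the reply above, as an added ASA configuration example that is not from either poster. All interface names, object names, addresses and the RTP port range are assumed for illustration: inside voice LAN 10.10.10.0/24 with CUCM at 10.10.10.5, a new DMZ 192.168.50.0/24 with the CUBE at 192.168.50.20, public block 203.0.113.0/24, and a provider SIP address of 198.51.100.10.

```text
! Added example, not the original poster's configuration. Addresses, names
! and the RTP range (16384-32767) are assumptions for illustration.
!
! New DMZ interface on the ASA for the CUBE.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! One-to-one static NAT: the provider always sees the CUBE as 203.0.113.20,
! and inbound INVITEs to that address are translated back to the DMZ host.
object network CUBE_DMZ
 host 192.168.50.20
 nat (dmz,outside) static 203.0.113.20
!
object network SIP_PROVIDER
 host 198.51.100.10
object network CUCM
 host 10.10.10.5
object network VOICE_LAN
 subnet 10.10.10.0 255.255.255.0
!
! Outside -> DMZ: only the provider, only SIP signaling and the CUBE's RTP range.
! ASA 8.3+ ACLs reference the real (pre-NAT) address, hence object CUBE_DMZ.
access-list OUTSIDE_IN extended permit udp object SIP_PROVIDER object CUBE_DMZ eq 5060
access-list OUTSIDE_IN extended permit udp object SIP_PROVIDER object CUBE_DMZ range 16384 32767
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> inside and DMZ -> outside: the CUBE may talk SIP to CUCM and to the
! provider, and RTP to the phones (media flows through the CUBE, not CUCM).
access-list DMZ_IN extended permit tcp object CUBE_DMZ object CUCM eq 5060
access-list DMZ_IN extended permit udp object CUBE_DMZ object CUCM eq 5060
access-list DMZ_IN extended permit udp object CUBE_DMZ object VOICE_LAN range 16384 32767
access-list DMZ_IN extended permit udp object CUBE_DMZ object SIP_PROVIDER eq 5060
access-list DMZ_IN extended permit udp object CUBE_DMZ object SIP_PROVIDER range 16384 32767
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Two things to check before relying on this. First, the ASA's default global policy applies `inspect sip`, which rewrites SIP headers and opens RTP pinholes on its own; with a CUBE behind the firewall that inspection can fight the CUBE's own handling, so decide deliberately whether to keep it or remove it from `class inspection_default` and rely on the explicit RTP permits above. Second, the RTP range must match whatever the CUBE is actually configured to use, otherwise one-way audio is the usual symptom.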
02-26-2018 01:17 PM
I know it has been a while since this post had any activity, but I wanted to report my findings if someone else has the same problem.
You can bind media and control to individual interfaces at the dial-peer level. You set the CUCM-facing dial-peer to an interface on the global (or inside) vrf and all inbound to outbound/outbound to inbound dial-peers to an interface on the outside vrf. You then point CUCM to connect to the global/inside interface.
As long as you are on a supported IOS, the calls should flip from VRFs.
You need "IOS 15.6(2)T and above or IOS-XE16.3.1" for it to function.
See: https://supportforums.cisco.com/t5/ip-telephony/sip-trunk-in-vrf/td-p/3187309
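The per-dial-peer binding described in the post above, as an added IOS configuration example that is not the poster's own config. VRF name, interface names, addresses, dial patterns and the RTP range are assumed for illustration (outside vrf `internet` on Gi0/0.100 at 203.0.113.20, inside/global voice LAN on Gi0/1 at 10.10.10.20, CUCM at 10.10.10.5, provider at 198.51.100.10); the release requirement is the one the poster states, 15.6(2)T or IOS-XE 16.3.1 and above.

```text
! Added example, not from the original thread. Names, addresses and
! patterns are assumptions for illustration.
!
vrf definition internet
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0.100
 description Internet-facing sub-interface toward SIP provider (outside vrf)
 encapsulation dot1Q 100
 vrf forwarding internet
 ip address 203.0.113.20 255.255.255.0
 ip access-group SIP-PROVIDER-IN in
!
interface GigabitEthernet0/1
 description Voice LAN toward CUCM (global vrf)
 ip address 10.10.10.20 255.255.255.0
!
! Only the provider may reach the outside interface, and only on SIP + RTP.
ip access-list extended SIP-PROVIDER-IN
 permit udp host 198.51.100.10 host 203.0.113.20 eq 5060
 permit udp host 198.51.100.10 host 203.0.113.20 range 16384 32767
 deny ip any any log
!
! CUBE toll-fraud protection: only listed sources may place calls through the box.
voice service voip
 ip address trusted list
  ipv4 198.51.100.10 255.255.255.255
  ipv4 10.10.10.5 255.255.255.255
 allow-connections sip to sip
!
voice class codec 1
 codec preference 1 g711ulaw
!
! Match the inbound leg by the Via host so provider and CUCM calls hit
! the right dial-peer regardless of called number.
voice class uri PROVIDER sip
 host ipv4:198.51.100.10
voice class uri CUCM sip
 host ipv4:10.10.10.5
!
! Provider-facing dial-peers bind signaling and media to the outside-vrf interface.
dial-peer voice 100 voip
 description Inbound from provider (outside vrf)
 session protocol sipv2
 incoming uri via PROVIDER
 voice-class sip bind control source-interface GigabitEthernet0/0.100
 voice-class sip bind media source-interface GigabitEthernet0/0.100
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 200 voip
 description Outbound to provider (outside vrf)
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:198.51.100.10
 voice-class sip bind control source-interface GigabitEthernet0/0.100
 voice-class sip bind media source-interface GigabitEthernet0/0.100
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
! CUCM-facing dial-peers bind to the global-vrf voice LAN interface.
dial-peer voice 300 voip
 description Inbound from CUCM (global vrf)
 session protocol sipv2
 incoming uri via CUCM
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 400 voip
 description Outbound to CUCM (global vrf), provider DIDs
 destination-pattern 5551234...
 session protocol sipv2
 session target ipv4:10.10.10.5
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
```

The dial-peer level `voice-class sip bind` commands override any global `bind` under `voice service voip` / `sip`, so leave the global bind unset or pointed at the inside interface. With this layout CUCM's SIP trunk is configured against 10.10.10.20 and never needs a route into the `internet` vrf, and `show call active voice brief` together with `debug ccsip messages` is enough to see which interface each leg used when troubleshooting.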