Site to site VPN and Voip

jclj
Level 1

Hi, I'm fairly new to Cisco networking and don't know much about VPN and even less about VoIP. I have still been assigned the task of building a site-to-site VPN tunnel to our remote site (this will be with two ASA 5505s), which I think I can do. My question is: how can I distribute our VoIP VLAN to assign IPs to the phones on the remote switch if the router won't pass this info? Or at least get our phones to register from the remote site through our tunnel?

Our current VoIP is a hosted vendor, but we have it pushing to vlan200. Any phone connected to this VLAN will get an auto-assigned IP and the phone will sync. If I set up DHCP on the remote firewall then I will see duplicate IPs being assigned to the phones.

Again, still new to this (within the last 8 months)

Thanks for any help.

9 Replies

paulstone80
Level 3

Hi,

I see two options based on the information you've provided.

1. Configure a second subnet and DHCP scope for the VoIP network at the remote site, and DHCP will be passed through the VPN to the clients.

2. If you want to extend the vlan to the remote site you can run a GRE tunnel inside the IPSec tunnel. This can't be configured on the ASA so you will need to build the tunnel between 2 routers.

HTH

Paul

HTH Paul ****Please rate useful posts****

For the DHCP scope I build, will I need to adjust the DHCP scope at the main site to exclude the scope on the remote site? Since we have a hosted VoIP setup, the DHCP scope is on the vendor's hardware.

Thanks

paulstone80
Level 3

Ideally you would create an entirely new subnet; otherwise you will have to modify the scope on the vendor's hardware so that there is no overlap.

Do you have access to the current DHCP server on the vendor's hardware?

HTH Paul ****Please rate useful posts****

No, I don't. I would need to open up a NOC ticket with them and see if they will add the new subnet into the scope.

moncy_cisco
Level 1

Hi,
Can you explain the setup between the NOC where your VoIP server is located and HQ?

paulstone80
Level 3

OK, for consistency and ease of management it would be best if all the dhcp scopes for VoIP are served from the same device.

If you try to split the scope without modifying dhcp settings you will run into problems.

For example, let's say your current VoIP scope has the following settings:
Network: 10.10.100.0/24
Gateway: 10.10.100.1
Range: 10.10.100.50 - 200

If you were to split this so you have 2 x /25 networks of 10.10.100.0 and 10.10.100.128 but you don't modify the scope, the default gateway of both subnets will be 10.10.100.1.

The clients in the 10.10.100.128 network will be trying to use 10.10.100.1 as their gateway, which isn't a valid IP address for that network so they won't be able to route traffic outside of their network.

Does that make sense?

HTH

Paul

HTH Paul ****Please rate useful posts****
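
The /24-to-/25 split described in the post above, worked through as an added example that is not part of the original thread: it checks, for each resulting subnet, whether the unchanged gateway is still on-link and which addresses from the unchanged pool remain usable. The function names are hypothetical; the network, gateway and range values are the ones given in the post.

```python
import ipaddress

def check_split(network, gateway, range_start, range_end, new_prefix):
    """Split `network` to `new_prefix` while leaving the DHCP scope untouched.
    For each new subnet, report whether the old gateway is inside it and how
    many addresses of the old pool are still usable host addresses there."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    first = ipaddress.ip_address(range_start)
    last = ipaddress.ip_address(range_end)
    report = []
    for sub in net.subnets(new_prefix=new_prefix):
        # Usable hosts exclude the subnet's network and broadcast addresses.
        lo = max(first, sub.network_address + 1)
        hi = min(last, sub.broadcast_address - 1)
        pool = int(hi) - int(lo) + 1 if lo <= hi else 0
        report.append({
            "subnet": str(sub),
            "gateway_on_link": gw in sub,
            "pool_addresses": pool,
            "pool_range": (str(lo), str(hi)) if pool else None,
        })
    return report

def unusable_leases(network, range_start, range_end, new_prefix):
    """Pool addresses that become a network or broadcast address after the
    split, so the unchanged scope would still hand them out to phones."""
    net = ipaddress.ip_network(network)
    first = ipaddress.ip_address(range_start)
    last = ipaddress.ip_address(range_end)
    bad = []
    for sub in net.subnets(new_prefix=new_prefix):
        for addr in (sub.network_address, sub.broadcast_address):
            if first <= addr <= last:
                bad.append(str(addr))
    return bad

if __name__ == "__main__":
    # Values from the post: 10.10.100.0/24, gateway .1, range .50 - .200
    scope = ("10.10.100.0/24", "10.10.100.1", "10.10.100.50", "10.10.100.200")
    for row in check_split(*scope, new_prefix=25):
        print(row)
    print("unusable leases:",
          unusable_leases(scope[0], scope[2], scope[3], new_prefix=25))
```
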

Right, and since the vendor sends out all the DHCP for our phones, they will need to make that split and DHCP change on their end. Was hoping not to do that.

Can you explain how GRE tunnels work?

Moncy, the VoIP vendor we use also hosts our MPLS connection for a completely different site (DR). So, we have the link for data and then our phones pass through this link to the vendor's site with QoS. If our company wants to add phones to our network we have to open a ticket with them to do this. We will be bringing this in house sometime, but not this year.

paulstone80
Level 3

Hi Chris,

GRE tunnels act like a point-to-point link from a layer 3 perspective and support the forwarding of broadcasts and multicasts. You configure the tunnel between two peers and run it inside the IPSec tunnel.

Please note that although you may get this to work for your needs, it is not supported by Cisco.

I do feel it would be best if you created a new address space for the VoIP subnet at the remote site as this will reduce the complexity of the configuration.

If you want to avoid involving the vendor for DHCP, you can create the VoIP DHCP scope on an internal DHCP server and have the leases for the remote site served from there. You will probably need a DHCP setting on the scope to identify the VoIP system; you may need to get the details of this from the vendor. As the VoIP system is hosted remotely, the vendor will need to know how to route to the remote site, so they will need to add a route at their end.

I would try to avoid splitting the existing VoIP scope if possible and focus on creating a new address space.

Either way it does sound like you will have to engage with the vendor for some of the configuration of this new site.

I think you need to decide whether the solution needs to be based around future plans for the VoIP system being hosted internally and if it's feasible to start that transition with this project.

HTH

Paul

HTH Paul ****Please rate useful posts****