Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1001
Views
25
Helpful
4
Replies

Endpoints-CUBE-CUCM different vlans

Go to solution
gachilleas
Level 1
Level 1

‎05-05-2020 12:24 AM

Dear Community,

 

Are there any actual benefits if we implement different VLANs between endpoints and Unified Servers (CUCM, Unity, etc)?

If yes shall we put CUBE in servers' vlan or in the same as endpoints ?

In my opinion we gain a bit of security segregating the vlans but i want to know if there is documented somewhere in Cisco.

 

regards

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Roger Kallberg
VIP
VIP

‎05-05-2020 08:15 AM

There is one important factor that speaks for not having the UC servers and clients in the same VLAN and that's because there is a limitation to the number of MAC addresses the UC systems can hold in their ARP cache table.

++ SRND of the CUCM has the following note:

"Note The recommendation to limit the number of devices in a single Unified Communications VLAN to approximately 512 is not solely due to the need to control the amount of VLAN broadcast traffic. For Linux-based Unified CM server platforms, the ARP cache has a hard limit of 1024 devices. Installing Unified CM in a VLAN with an IP subnet containing more than 1024 devices can cause the Unified CM server ARP cache to fill up quickly, which can seriously affect communications between the Unified CM server and other Unified Communications endpoints. Even though the ARP cache size on Windows-based Unified CM server platforms expands dynamically, Cisco strongly recommends a limit of 512 devices in any VLAN regardless of the operating system used by the Unified CM server platform."



Response Signature


View solution in original post

4 Replies 4

Go to solution
Roger Kallberg
VIP
VIP

‎05-05-2020 08:15 AM

There is one important factor that speaks for not having the UC servers and clients in the same VLAN and that's because there is a limitation to the number of MAC addresses the UC systems can hold in their ARP cache table.

++ SRND of the CUCM has the following note:

"Note The recommendation to limit the number of devices in a single Unified Communications VLAN to approximately 512 is not solely due to the need to control the amount of VLAN broadcast traffic. For Linux-based Unified CM server platforms, the ARP cache has a hard limit of 1024 devices. Installing Unified CM in a VLAN with an IP subnet containing more than 1024 devices can cause the Unified CM server ARP cache to fill up quickly, which can seriously affect communications between the Unified CM server and other Unified Communications endpoints. Even though the ARP cache size on Windows-based Unified CM server platforms expands dynamically, Cisco strongly recommends a limit of 512 devices in any VLAN regardless of the operating system used by the Unified CM server platform."



Response Signature


Go to solution
gachilleas
Level 1
Level 1
In response to Roger Kallberg

‎05-05-2020 09:19 AM

Dear Roger,

 

thank you for your fast response which helped me a lot.

What you wrote is absolutely clear for me and as you mention it appears in the SRND.

 

The second part of my question is if there is a similar need for CUBE, SRST reference router and SCCP resources router ?

Do you suggest configuring them in different vlan than IP Phones?

 

Regards

 

 

0 Helpful

Go to solution
Roger Kallberg
VIP
VIP
In response to gachilleas

‎05-05-2020 09:50 AM

That’s a bit harder to give a definitive answer as it would depend on what type of site it would be. For a remote site of a reasonable size I would recommend to keep the phones and voice gateway on the same VLAN. However for a central site, for example a DC, it might not be feasible to keep these in the same VLAN. This could also hold true for a larger remote site where geography might limit the ability to keep these in the same VLAN based on collision domains. From a technical standpoint there is no problem to keep these separated in different VLANs.



Response Signature


Go to solution
Wilson Samuel
Level 7
Level 7

‎05-05-2020 01:28 PM

Yes, I always deploy the End User devices (Phones, DXs, Jabber Clients etc) in a separate VLANs than in servers, because of the following (my own) reasons:

1. Its much easier to manage DHCP Scope for the End User devices
2. Less congestion in the VLAN as Roger Kallberg points out.
3. If there is any security incident its much easier to filter out traffic (if you ever wanted).

Coming to the second question about CUBE:
I usually put them in a separate network of their own, usually because CUBE is physical router and has dedicated connectivity to ITSP and making them in separate /30 subnets give one more layer of segregation when it comes to troubleshooting (easier IP Addressing etc)

Regards
HTH
Wilson Samuel
Customers Also Viewed These Support Documents