Pub + Subs in different VLAN+++

Hello all,

Actually on site in Egypt to deploy full VoIP infrastructure (main site: 4 VM (CUCM-Pub + CUCM-Sub1-CM + CUCM-Sub2-TFTP + VoiceMail Unity) + Backup site: 3 VM: CUCM-Sub3-CM-Backup + CUCM-Sub4-TFTP-Backup + Unity-Backup), I have 2 big issues I wanna talk to you about.

In fact, I prepared all the VM in my Lab @ work. Then I uploaded them all in the current ESX here on site (let's talk about main site only).


1°) But it seems only SIP phones that have already been registered in my lab are registering OK. Phones I've never connected (despite being present in Subscriber-DB + Pub-DB) don't want to register. Whereas everything, IP, SIP, ... is OK. While tracing the SIP phones, these ones are sending their Register correctly but Sub1_CallManager responds/sends back to the phones "Not found, not present in DB"... whereas I can see them perfectly when logged on the Web I/F of Subscriber1_CallManager => Any idea?


2°) Due to some VLAN segregation, we recently changed Sub1_CM IP@ to put it in a separate VLAN than the 3 others (Pub+Sub2+Unity) here on main site. But I was not aware that ONLY Pub has full R+W rights. So, I tried to make changes from the Sub1_CM, but it tells me "NO permission". That's why I understand I need to repair my Pub, because all management should be done from this machine, right?

But, at the moment, I had my 4 VM assigned to the same ESX Eth port: is there a way to say "OK, Pub is on VLAN1, and the 3 others on VLAN2"? Or do I have to move my 3 other VM to a different Eth port of the ESX?

And by the way, what are the best practices about VLAN vs VM (Pub+Sub...) that Cisco advises? All in same VLAN? Or can we put Sub1_CM in 1 VLAN (because all VoIP traffic is here) + Unity eventually, and Pub + Sub2 in some other VLAN because no Voice traffic on these 2?


Thank you very much for support


13 Replies

Gregory Brunn

Can you go onto your command line and issue a utils dbreplication runtime state? Is your database in order?


Please post a sanitized version of your output.


There are no problems with subs and pubs being on different VLANs.

All best practices for this stuff are called out in the SRND. I suggest you read and reference that document.

Hi Gregory

And thx for reply
I have some issue with my Pub, so I am thinking about reinstalling it from subscriber1_CM DB, I found a TC about it.
Anyway, my backup site is not connected yet, so the dbreplication state should not be that good...
And all that mess has happened since I changed IP@ of Sub1_CM... Pub is not well seen since then

About 2nd question, what is SRND? Can you gimme the link, pls?



Not sure what you mean by this “Or can we put Sub1_CM in 1 VLAN (because all VoIP traffic is here) + Unity eventually, and Pub + Sub2 in some other VLAN because no Voice traffic on these 2?”

Do you mean that sub1 and phones are in the same VLAN? If so that would not be recommended. Ideally phones would be in their own VLAN and the servers would be in one. Although the servers could very well be in different VLANs. But as you run them in VMware what would the reason be to put them into different VLANs?

Hi Roger,


Let me be clear:


phones + Sub1_CM+Unity in Voice VLAN => because all RTP flow is here

Pub + Sub2_TFTP => no Voice traffic, so I wanna put it in another VLAN


+ Also for a matter of NAT/SRST/IP Lookup, I had to remove Sub1_CM from the Voice VLAN


Did I make it clear enough?


Thanks, that’s sort of what I thought. Minus the mention of NAT. What would be the reason for NAT being used for an internal sourced service?

About the RTP traffic, there is barely any traffic of this kind to any CM node. For sure it would be for CUC, but still the recommendation would be to put the phones and servers on different VLANs. All this is very well described in the SRND, Solution Reference Network Design document. If you're not familiar with this I recommend you to read up on the parts that you have questions about.

We are using NAT for SRST and roll-over issues.
Anyway, u right, is it direct RTP between internal phones, but also vs external via SIP trunk, right?
But I also have to setup a private connection via E1 from my network to a pre-existing network, that's why I wanna put Sub1_CM and SIP phones or Patton GW whatever, in same Voice VLAN
Anyway, I need to read SRND, I was not aware of this doc


As far as I know and from experience there is no reason for why NAT would be needed for SRST.

Yes there would be RTP between phones and the voice gateway(s) that interface with external services, like an ITSP or TDM service provider. That traffic wouldn’t however go via a CM, other than signaling.

We use SRST.... For SIP third-party, no Cisco IP-phones
So, as it is not validated by Cisco, we had to do it our way! And also for network design issues
And obviously, u right: only SIG between SIP-phones and CM, and RTP is direct for the rest

And because my third-party SIP phones accept only 1 SIP registrar IP@ in their setup!
That's why I configured this Loopback NAT for SRST

Hi Roger,


I am afraid I forgot

This is a military project, so here it is briefly =>


IP from central => satellite up/RF=> satellite down/RF => IP to remote stations



That's why it is really particular, this is not full IP, for a private company, bank
There is no direct RTP in this condition (how could it be?), all flows, sig+RTP, are going thru CM, so it is not an easy-to-deploy infrastructure...


Does anyone have any kind of experience on that kind of military + IP + RF environment?


Thx for advice



Hi Julien,


From reading your previous post I was wondering if you were DoD. I manage multiple clusters worldwide. I would let your satcom engineers handle the RF and transport, let the network engineers handle all the routing and KGs. As long as you have full IP connectivity you should be fine assuming you have enough bandwidth. Let me know if you have any further questions.

Thank you for reply, DP215.


1st, I don't know what is a DoD.
But if you manage multiple Clusters worldwide, you can be my man (despite being beginner, lol)


I think I need to tell you the whole story of my worries:


In fact, I have jumped on this project like 3, 4 months ago.
Design was already done: All Pub + Subs in same Voice VLAN as phones: I know it can look strange but again, my predecessor was pretty weak. Of course, I'd never do that. And again it is not a full IP network. Signalling + RTP are going thru Sub_CM, it can not be different on this military IP<>RF(satellite blabla)<>IP network


The thing is I do not have Cisco IP Phones, I have third party rugged SIP phones, which allow only 1 SIP server IP@ in it.

I know SRST is not validated for other than Cisco IP phones, but I managed to make it work with a loopback IP@, therefore declared in the SIP rugged phones. I had no other choice because customer really wanted this feature. And it works pretty OK.


But, during lab testing, I+my colleagues discovered some "hole" in our customized config.

So we decided to put CM_Sub1 in a dedicated "CUCM" VLAN, leaving others (Pub+Sub2+Unity) in their old VoIP VLAN.

But as you can imagine, all PUB + Sub were on BE7K/ESX port#2(1to4)

So obviously now, I do not have access anymore to Publisher.

And as Publisher is the only R+W DB server, I can not do any more setup (creation, modification, whatever... not allowed from CM_Sub1).

I have to tell you that PUB is correctly licensed.

So what would you advise for me to recover access to PUB? Obviously Pub and CM_Sub1 need to see each other, as when you do some setup from Pub, it downloads with R rights only to CM_Sub1...

Put PUB on ESX port #3? Put it in which VLAN? A dedicated one?

Because I have so much more setup to do: SIP trunk, FXO/FXS Gateway/trunk, modification... And currently, from CM_Sub1, not possible obviously


I hope I've been clear enough


Thank you so much for advice


