Endpoints-CUBE-CUCM different vlans

Dear Community,

Are there any actual benefits if we implement different VLANs between endpoints and Unified Servers (CUCM, Unity, etc.)?

If yes, shall we put CUBE in the servers' VLAN or in the same one as the endpoints?

In my opinion we gain a bit of security by segregating the VLANs, but I want to know if it is documented somewhere by Cisco.

Regards

Accepted Solutions
VIP Advisor

There is one important factor that speaks for not having the UC servers and clients in the same VLAN and that's because there is a limitation to the number of MAC addresses the UC systems can hold in their ARP cache table.

++ SRND of the CUCM has the following note:

"Note The recommendation to limit the number of devices in a single Unified Communications VLAN to approximately 512 is not solely due to the need to control the amount of VLAN broadcast traffic. For Linux-based Unified CM server platforms, the ARP cache has a hard limit of 1024 devices. Installing Unified CM in a VLAN with an IP subnet containing more than 1024 devices can cause the Unified CM server ARP cache to fill up quickly, which can seriously affect communications between the Unified CM server and other Unified Communications endpoints. Even though the ARP cache size on Windows-based Unified CM server platforms expands dynamically, Cisco strongly recommends a limit of 512 devices in any VLAN regardless of the operating system used by the Unified CM server platform."

Please rate all useful posts


Dear Roger,

Thank you for your fast response, which helped me a lot.

What you wrote is absolutely clear to me and, as you mention, it appears in the SRND.

The second part of my question is whether there is a similar need for CUBE, the SRST reference router and the SCCP resources router.

Do you suggest configuring them in a different VLAN than the IP Phones?

Regards

That’s a bit harder to give a definitive answer as it would depend on what type of site it would be. For a remote site of a reasonable size I would recommend to keep the phones and voice gateway on the same VLAN. However for a central site, for example a DC, it might not be feasible to keep these in the same VLAN. This could also hold true for a larger remote site where geography might limit the ability to keep these in the same VLAN based on collision domains. From a technical standpoint there is no problem to keep these separated in different VLANs.

Please rate all useful posts
Rising star

Yes, I always deploy the End User devices (Phones, DXs, Jabber Clients, etc.) in separate VLANs from the servers, for the following (my own) reasons:

1. It's much easier to manage the DHCP scope for the End User devices.
2. Less congestion in the VLAN, as Roger Kallberg points out.
3. If there is any security incident, it's much easier to filter out traffic (if you ever wanted to).

Coming to the second question about CUBE:
I usually put them in a separate network of their own, usually because CUBE is a physical router and has dedicated connectivity to the ITSP, and putting them in separate /30 subnets gives one more layer of segregation when it comes to troubleshooting (easier IP addressing, etc.).

Regards
HTH
Wilson Samuel