07-26-2011 04:12 AM - edited 03-21-2019 04:23 AM
Our company has 2 sites (central and branch). We use 2 UC540W-BRI-K9 as a communications system, one at each site with several SPA phones. Both UCs have the latest software packs (8.1) and are connected with ISDN lines. We configured them with CCA 3.0(1) and everything is working OK. We have 2 RV042 routers (Firmware Version: 1.3.12.19-tm) that provide the internet connection for each site's LAN and a site-to-site IPSEC VPN between both sites. We would like to be able to use our VPN tunnels for both data and voice communication. Both sites have static public IP addresses.
Our ultimate goal is to use the VPN for site-to-site dialing, call attendant, extension mobility, data sharing, etc., but we will keep using the PSTN telephone lines for domestic and international calls.
The questions we have are:
07-26-2011 05:53 AM
Hi Yannis,
One of the benefits of multisite (supported in your version of UC500 and CCA) is site to site dialing, which is actually using dial peers with SIP/H323 communications directly (peer to peer). The RV would then have to support SIP ALG if it was the head end router at each site, and according to the Cisco Datasheet, it does not.
I once configured the SA500 (part of the SBCS suite) to connect to a SIP trunk service provider for a SINGLE UC500, and it worked pretty well, but must admit, there were a bunch of partners who complained that its ALG was buggy, so I would ask your Cisco reps to comment on the latest maintenance release software package for it. But that, unfortunately, is NOT supported in multisite deployments. The SA500 or the RVxxx are not recognized as head end routers for UC500 in CCA. Check the CCA Multisite Manager and you will see the help should explain this.
So unless you are doing something that requires the RV042 to stay there, I would take it out and make the UC500 the internet router for those sites, and then you can configure multisite between the two. UC500 has an IOS firewall and in CCA you can lock down things using the security audit, and I did a port scan against it once, and only my port forwarding rules showed up as vulnerabilities actually (which you wouldn't need if using VPN perhaps).
You didn't mention how large the branch office is? If it's around 5 phones, I would personally put a SR520-FE teleworker router in it, with a POE switch (a small SG300 with the new FW that will be supported in CCA 3.1) and create a teleworker association instead. I personally prefer the centralized call control, shared directory and don't want to dial an access code and an index digit to dial site to site. Remote Teleworkers appear as though they are on the central (main) site so they, for all intents and purposes, behave as if they were. I think you could save some telecom cost too, but maybe need to add some bandwidth to the central site since it will push calls to your ISDN provider from there for both sites.
Heck, maybe this is a good time to just ditch the Telco ISDN and go to SIP? :-)
Steve
07-27-2011 12:14 AM
Hi Steve,
Thank you very much for helping us out, we have a much clearer picture now.
The conclusion is that we must give up trying to configure the RV042s. We don't want to use the UC540s as head end routers, mostly for maintenance reasons (we don't want internet, VPN and telephony to be dependent on only one device). To answer some of your questions, each site uses 6 phones for the time being. Also, ditching the telco ISDN or the teleworker solution are not an option for the moment.
We have a few more questions whose answers would point us in the right direction.
1) We have already purchased 2 SR520-ADSL-K9 routers (IOS version 12.4(20)T6-ADV-IP-SERV-CRYPTO) that we intended to use as replacements for the RV042s. We realized (the hard way) that they cannot be configured for L2L IPSEC VPN using exclusively CCA. This can be done only by CLI. Since our knowledge of CLI is entry level, we are looking for a configuration example so that we can set up both SR520-ADSL-K9 routers with the above requirements. The most difficult part is the QoS, but a step by step guide (if it exists) would be ideal.
2) I understand that a new version of CCA (3.1) and software pack (8.2) will be released by the end of the month. Is there any chance that this or a future release would include L2L IPSEC VPN for the SR520 or we must start digging with the CLI?
Thank you very much!
07-27-2011 08:02 AM
I think you may find that the only router CCA supported in front of the UC5xx, when used in a multisite deployment, is the SR520-T1. So while those routers you purchased (SR520-ADSL) will work great for Teleworkers (and I think 6 phones would be fine within a single teleworker location; 5 is a recommendation that I have seen bypassed by a couple phones), they aren't supported for UC5xx multisite in CCA.
So there is a policy in SBSC (SB TAC) that if you have advanced UC specialization or higher, you can get CLI help.
Regarding the new CCA release, I leave that to the CCA Product management team to respond.
08-01-2011 03:41 AM
Hello Steve,
We knew about the SR520-T1, but unfortunately in Greece (where our company is located) T1 lines are not provided.
Thank you very much for your comments, you have been very helpful.