cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2001
Views
0
Helpful
5
Replies

UC500 Dynamic Routing With DMVPN

jcarr
Level 1
Level 1

I'm in the process of deploying several DMVPN remote UC500 sites with a 2921 router head end. I ran this design past the SMB support folks, and they agreed it would be a good solution. The reason for using DMVPN is its capability to build dynamic spoke to spoke tunnels for VoIP calls, but when I started configuring my first UC540 I noticed it did not support any dynamic routing protocols. I believe this is a requirement for building the spoke to spoke tunnels. I’m very disappointed that we cannot even configure EIGRP stub on these boxes. Will Cisco ever support dynamic routing on the UC500 platform? My options at this point are not good, spoke to spoke calls will have to flow through the Hub site, or full mesh VPN will have to be deployed.

5 Replies 5

John Platts
Level 4
Level 4

The UC500 does not support dynamic routing. However, you can put a UC500 in front of an ISR, set up static routes from the ISR to the UC500, and have the ISR publish routes to the UC500 subnets through dynamic routing protocols. In addition, traffic can be routed from a UC500 to an ISR, and then dynamically routed over the VPN tunnels by the ISR.

To install a UC500 in front of an ISR, you have to do the following:

  • Disable firewall and NAT on the UC500 (this can be done in CCA)
  • Plug the WAN port on the UC500 to one of the interfaces on the ISR
  • Configure the WAN port on the UC500 with a private IP address in a subnet separate from its Data VLAN, Voice VLAN, or CUE subnets. The ISR must also have the Ethernet interface or VLAN that the UC500 is connected to with another private IP address in the same subnet.
  • Configure NAT and firewall on the ISR. Be sure that NAT is enabled for traffic coming from the UC500 to the Internet.
  • Set up static routes from the ISR to the UC500

The instructions for integrating the UC500 with an external firewall (such as a ISR, SR520, SA520, ASA, or other device) is described in the following document:

https://supportforums.cisco.com/docs/DOC-9476

You can actually set up IPsec Static Virtual Tunnel Interfaces to set up site-to-site VPNs between UC500 units. This requires all of the site-to-site VPNs to be terminated on IOS-based devices, but no dynamic routing protocol is needed and static routes can be used to route traffic over IPsec Static Virtual Tunnel Interface. However, you will need to use CLI in order to set up IPsec Static Virtual Tunnel Interfaces as this feature is not currently supported in CCA.

CCA 2.1 and later can set up site-to-site VPNs between UC500 units through the CCA multisite manager, but it configures the VPNs using a crypto map and can currently only connect the Data VLAN subnets of the UC500s.

John Platts
Level 4
Level 4

You can actually use an 881, 891, 1921, or 1941 ISR to do DMVPN and dynamic routing, as long as you have installed the required licenses.

jcarr
Level 1
Level 1

If I have to tell the customer they need to order additional hardware it will not go over very well. I think we may just have to configure a hub and spoke DMVPN solution for data use (most data is located at the head site) and separate full mesh tunnels for voice traffic. This is not an ideal solution because of all the extra configuration nessacery when adding new locations. Also, I did read somewhere that a UC540 will only handle 5 VPN tunnels, so this solution will not scale well.    Does Cisco have any plans to add dynamic routing to the UC500 platform? It's available on the 1861 so the only reason to remove it from the UC500 is to sell more hardware (my opinion).

Even though the UC500 is marketed as a voice appliance, the UC500 series is still considered a router because it has routing, network address translation, and VPN capabilities.

Marcos Hernandez recommends that the UC500 be positioned as a voice appliance, as described in the post located at the following URL: https://supportforums.cisco.com/message/3147372#3147372

Here is a post that describes differences between the UC500 and ISRs:

https://supportforums.cisco.com/message/3084426#3084426

You are partly correct in your memory of  the UC540 licensed features.

The UC540 supports a total of 5 sites for the multisite voice feature but supports a total of 10 VPN tunnels (IPSec and/or SSL).

Multisite voice provides the ability to dial the remote offices using a site access code and the extension number of the target phone.

This is the limitation that likely matters most in your scenario.

For anyone that does not need a full UC540 at each site, a singe UC540 can support 10 remote teleworker locations with up to 5 phones at each location.

Here's a link to the UC500 product page, http://www.cisco.com/cisco/web/solutions/small_business/products/voice_conferencing/uc_500_series/index.html

Click the Resource tab and you'll find the following two documents are invaluable in keeping you out of trouble at the design stage:

Unified Communications 540 Platform Reference Guide

Cisco Smart Business Communications System Feature Reference Guide

Overall design guidance (SBCS Smart Designs) is here:

http://www.cisco.com/web/partners/sell/smb/tools_and_resources/smart_business_comm_system.html


Raymond