Embedding UC540 in SBS network

Unanswered Question
Jan 29th, 2010

Given: a very straightforward small network with one SBS2003 server connected to a single subnet. The SBS server handles DHCP and DNS for this network. A Cisco 800 router is also connected to that subnet and handles VPN, NAT and Firewall. Now, we would like to embed a UC540 and ESW520 switch in this network. The ESW520 replaces an older switch and the UC540 will only be used for telephony/voice purposes. So we have configured the UC540 using the wizards and we have disabled several services like firewall, DHCP (for data), NAT, WAN interface (gateway). Also we have changed the IP subnet for the data VLAN from 192.168.10.x into 192.168.11.x because subnet 11 is the current running subnet in our network.

Now we encounter problems with all SPA504G phones. They continuously are downloading configs (in loops). It does not matter if a phone is connected directly to the UC540 or to the ESW520 switch. We also have two 7931 phones, they do not have that problem.

My questions:

1) Is there a manual, blueprint or sample config which we can learn from on how to implement a UC540 in an SBS environment?

2) Any idea why the SPA phones encounter connection problems and the 7931 phones don't?

Hope to find some leads or answers here. Thanks in advance for taking the time to look at this!

Cheers,

Ozz

Bob Bagheri Fri, 01/29/2010 - 05:47

It sounds to me like you have already integrated the UC540 into your network and the issue is with the SPA phone. My guess is there is a firmware issue with the phone and I recommend you call the new SMB support center, not TAC.

Frankly I think each customer has specific requirements that ultimately should drive your design. In this situation, I feel you are not taking full advantage of the UC540. It is a great box for consolidating a small business network in order to make things more simplified and consolidate services to drive costs down. Why keep the 800 router and any other legacy hardware where the UC540 can do everything you need, including a solid firewall and now, phone proxy, where you can send a phone home and it just connects back over the Internet?

Good luck, I think the UC540 is a great product and can really help your business.

Re,
Bob

John Platts Fri, 01/29/2010 - 06:03

If I was deploying the UC540 in the SBS network, I would do the following:

  • Connect all LAN switches, servers, PCs, and IP phones on the LAN side of the UC540
  • Connect the UC540 to an ADSL modem, cable modem, FTTP ONT, or router that does not perform network address translation
  • Use the UC540 DHCP server and tell the data devices to use the SBS server for DNS instead of the ISP DNS servers

Remember that Cisco Unified IP Phones and Cisco Small Business Pro SPA500 phones require CDP to work properly with the UC520, UC540, and UC560. The UC520, UC540, UC560, Catalyst Express 500, Catalyst Express 520, ESW 520, and ESW 540 all have the following features which enable them to be used with the phones:

  • Support 802.1q VLAN trunking
  • Support Cisco Discovery Protocol
  • Configurable through Cisco Configuration Assistant
  • Support both voice and data VLANs

The Catalyst Express and ESW switches need to be connected to the UC500 unit on the LAN side with 802.1q VLAN trunking enabled. The Switch smartport role turns on 802.1q VLAN trunking, and needs to be set on switchports that are connected to other switches.

sethschmautz Fri, 01/29/2010 - 16:00

Hi Ozz,

I have a similar network here at our office with a single SBS2003 server, a UC520, 2x CE520 Gigabit switches, and 1x CE520 PoE switch for approximately 25 users. Our network topology is as follows:

Internet---DSL modem---UC520---switches and wireless APs---SBS2003 server, client phones and client computers

WAN:

Currently, we are using the UC520 to interface with our DSL modem and for firewall, VPN, and NAT services.

LAN Data:

SBS2003 is DHCP server.

UC520 is DHCP only for VPN clients (may change this as I think I have an intermittent bug with VPN connections)

LAN Voice:

UC520 is DHCP server

Future:

SA520 to interface with 2 DSL modems/connections to provide load balancing and auto failover. Will probably route SIP trunk traffic over one WAN port.

I agree with the other user here who recommended using the UC500 as your router in this network. The UC500 is a great hardware piece and there are a lot of features that would be more difficult if you have to program routes in the Cisco 800 router to forward traffic to the UC500 for remote voice applications.

As for the problem with your 504G phones, it sounds like a firmware issue to me too. Make sure that you have the latest software pack on the UC500 with the proper phone loads.

Good luck!

Seth

GeniozzBV Sat, 01/30/2010 - 08:11

Thanks guys for your replies, it's appreciated!

It is clear to me that I have to change the role of the UC540 in my network. I will do so. Still I have some questions.

1) My current network uses subnet 192.168.11.x. The UC540 by default creates a data VLAN 192.168.10.x. Does the UC540 use that subnet for VPN clients as well, or does the UC540 create a separate VLAN for VPN clients? In other words, do I need to change the default VLAN from 192.168.10.x into 192.168.11.x to match my current network or do I need to create another VLAN to connect to my current network?

2) By default, the UC540 creates two VLANs, 1 for data and 1 for voice. The UC540 will be DHCP for voice and the SBS server will handle DHCP for data so I need to disable the UC540's DHCP for data ... is that correct? But then, how will the UC540 handle DHCP for VPN clients?

Thanks again!

Cheers,

Ozz

sethschmautz Sat, 01/30/2010 - 15:59

Hi Ozz,

I took another look at our server, because of my previous post and because I was looking up a little information for you. As I had mentioned before, I have had a few interesting things occur when tunneling in from the outside which I will elaborate on below.

1. In our scenario, our corporate LAN uses a 10.0.96.x subnet for data. Our UC520 has an IP address in that range, and that subnet is assigned to Vlan 1. However, it does not hand out any DHCP addresses on the LAN. In your case, I would change Vlan 1 to 192.168.11.x and give the UC540 an address in that range. Our SBS server is configured using the single adapter configuration in ISA. Its default gateway is our UC520 and its DNS servers were given to us by our ISP. All client machines see the UC520 as the default gateway and the SBS server as the DHCP, DNS, and WINS servers.

2. This is where things get a little tricky (I suspect) with multiple DHCP servers. When you set up VPN on the UC540, you are allowed to set up the starting IP address range, ending IP address range, primary DNS, and secondary DNS. I have the following setup on our UC520:

(SBS DHCP range: 10.0.96.156-236)

VPN Remote IP Range (in CCA on UC520): 10.0.96.242-252

VPN DNS 1: SBS Server

VPN DNS 2: DNS server from ISP (but this is probably unnecessary)

In our scenario, I have also configured the UC520 for split tunneling. When VPNed in from the outside, my VPN clients access these subnets:

1. 10.0.96.0 for data Vlan

2. 10.1.1.0 for CME

3. 10.1.10.0 for CUE

Everything else uses whatever Internet connection they are currently connected to and doesn't weigh down my network with extra traffic.

The problem that I see (from time to time) is that DNS doesn't resolve all the time when accessing our SBS server from the outside. We all have mapped drives on our laptops and when I try to access these mapped drives from the outside I get an intermittent problem where it does not connect. I can ping the server's IP address, but I cannot ping its FQDN. Strangely, this is oftentimes resolved in 5-10 minutes of just being active on the network, and when that doesn't solve it, disconnecting and reconnecting my VPN connection usually does the trick. Every once in a while I have to use the server's IP address rather than the FQDN, but this is uncommon. This is why I am unsure about whether this is a good configuration or not. When I have extra time, I'll probably play around with some different scenarios. But in the meantime, that should get you started. Let me know if you have any questions.

Seth
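
An added example, not part of the post above and not Cisco tooling: a Python check of the address plan Seth describes, confirming that the SBS DHCP scope and the VPN pool cannot hand out the same address and showing which destinations a split-tunnel client sends through the VPN. The /24 prefix lengths and the function names are assumptions; the ranges and subnets are the ones quoted in the post.

```python
import ipaddress

# Values quoted in the post above; the /24 prefix lengths are assumptions.
SBS_DHCP = ("10.0.96.156", "10.0.96.236")
VPN_POOL = ("10.0.96.242", "10.0.96.252")
SPLIT_TUNNEL = ["10.0.96.0/24", "10.1.1.0/24", "10.1.10.0/24"]


def expand(first, last):
    """Return the set of addresses in an inclusive first-last range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}


def pool_conflicts(dhcp, vpn):
    """Addresses that both the LAN DHCP server and the VPN pool could assign."""
    return sorted(expand(*dhcp) & expand(*vpn))


def pool_outside_subnet(pool, subnet):
    """Pool addresses that are not usable host addresses of the subnet."""
    usable = set(ipaddress.ip_network(subnet).hosts())
    return sorted(a for a in expand(*pool) if a not in usable)


def via_tunnel(destination, tunnelled=SPLIT_TUNNEL):
    """True if a split-tunnel client sends this destination through the VPN."""
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(n) for n in tunnelled)


if __name__ == "__main__":
    print("DHCP/VPN overlap:", pool_conflicts(SBS_DHCP, VPN_POOL))
    print("VPN pool outside data subnet:",
          pool_outside_subnet(VPN_POOL, SPLIT_TUNNEL[0]))
    # Constructed sample destinations; 192.0.2.53 is a documentation address.
    for dst in ("10.0.96.10", "10.1.10.1", "192.0.2.53"):
        print(dst, "-> tunnel" if via_tunnel(dst) else "-> local Internet")
```

Any destination outside the three listed subnets, including a DNS server reached at a public address, leaves through the client's local connection rather than the tunnel.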

GeniozzBV Sun, 02/07/2010 - 15:34

Hey guys,

I have finally managed it! It took me some time and don't ask me how I did it. I have tried the initial wizard several times to set up my UC540 and ESW520 and every time this ended in phones that did not connect, but kept on giving the status 'Downloading xxx.cfg.xml'.

So what I did at last is to configure my UC540 manually using the options under "Configuration" ... and voila!!

I realize this is just a workaround, but I am oh so glad everything is running just fine now. I must admit that I do not fully trust the UC540 wizards anymore and therefore I will create extra backups before I make any adjustments to the configs. Better safe than sorry.

Thanks again for your support, it helped me a lot!

Ozz