Cisco Support Community
Community Member

VPN with uc540 and uc560

Hi,

I am trying to prepare a solution using uc540 and uc560. The client has multiple locations and each of these locations will have uc540 or uc560 depending on the number of users. Each location will have its own internet access and no direct WAN connection to the HQ. IP Telephony services will be independent but they still need VPN to the HQ site. They will have a VPN box to terminate the tunnels at HQ (not a UC5x0, probably an ASA box).

I have gone through the documentation and the discussions here and in all of them UC5x0 is the headend / vpn server.

The question is, is it possible to use the UC5x0 to be the remote vpn client to connect to the HQ without the need of an extra box like sr520? I can see that technically there shouldn't be any restrictions for this but I do not have access to one of these boxes at the moment and I couldn't find any real life scenarios which were deployed in this manner.

As it seems to be possible using CLI but not CCA, what is the impact of using this configuration by means of support ? In other words, even if it is technically possible, is it a supported deployment by Cisco to give support ?

Thanks

Accepted Solutions

VPN with uc540 and uc560

So a Multisite can connect UC5xx to UC5xx without the need for additional routers (up to 5 last time I looked).

There was also a request on the table for CCA to separate the Data from the Voice VPN in the GUI, so you could configure either or both. Before CCA, we used to configure it separately.

https://supportforums.cisco.com/docs/DOC-9488

Community Member

VPN with uc540 and uc560

Hi Bora,

Just to expand a little further on what Steven has already provided you, I hope the answer assists you.

The question is, is it possible to use the UC5x0 to be the remote vpn client to connect to the HQ without the need of an extra box like sr520? I can see that technically there shouldn't be any restrictions for this but I do not have access to one of these boxes at the moment and I couldn't find any real life scenarios which were deployed in this manner.

If I have understood this question right, then YES you could in theory... However! The caveat: unless the WAN connection is being delivered to the UC as Ethernet, you will still need an edge device. If it is an ADSL connection, then the Cisco-887 in bridge mode is perfect (Cisco still do not have Hard-WIC cards for the UC's, boggles the mind really), or if it is delivered as Ethernet but to say something like an ME-3400 (as fibre and then Ethernet to the UC). You will need to set the WAN port up on the UC for that Internet connection for either delivery method, but it must be an Ethernet service directly into the UC's WAN port.

The reason for this is that CCA won't do VPN connections unless the WAN is configured, and is configured with a static IP... You can do it via CLI with no issues, but then you put the system in an unsupported state, unless you are UC-EXP certified. Even though you may be certified, you then put the box out of CCA scope and you will then have to manage it full time via CLI (a real pain to be honest).

As it seems to be possible using CLI but not CCA, what is the impact of using this configuration by means of support? In other words, even if it is technically possible, is it a supported deployment by Cisco to give support?

For me there is no easy way to answer this question, maybe for Cisco it is black and white, but I can tell you that it won't be a support scenario unless the company that you work for, and you, are UC-EXP certified...

And yes it is technically possible, actually your deployment scenario is not unique and has been done many times. Over the last 4 years I have done about 3 like the one you described, but at the time they were all done via CLI, we could bastardize the config as much as we wanted to get things to work the way we wanted them to... But alas the complaints about managing these sites are much higher than anywhere else.

On a final note, so long as HQ has the ASA configured properly and the voice can pass through unimpeded then you shouldn't have any problems. Make sure whoever is configuring the ASA understands how the UC's work, and they understand that in order for it to work (in its current fashion) you will want to make all the subnets of the UC routable on the ASA (Inter-Vlan-Routing). Trust me, you want it this way to prevent major headaches.

Please talk to your Cisco AM, they can either organise an Internal Cisco REP at that office to go over the deployment of this with you, or get the Distributor to put up one of their experts to assist, worst case scenario you contact support and work with them over the phone (But I would only recommend this as a last resort, you really want someone face-to-face on this).

Good luck

Cheers,

David.

Cheers, David Trad. When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :)
4 REPLIES

Community Member

Re: VPN with uc540 and uc560

Hi Guys,

Thanks for the answers. I checked it and yes we are certified. So it seems like we will have to do it all on CLI. We will caveat the internet connection to come with ethernet connection. Thanks for the heads up about the possible problems. When we finish the actual deployment I will hopefully update the discussion with further information.

Thanks again

Cheers

Bora

Re: VPN with uc540 and uc560

Good luck sir!

Steve DiStefano

Sent from my iPhone. Excuse brevity and typographical errors.
