Small businesses that have multiple locations have a need to allow for data and voice networking
between sites. The UC520 supports such deployments and can securely network multiple sites
together for both data and voice traffic. The multi site deployment involves IPSEC VPN tunnels
between sites along with inter site dialing using VOIP. The UC520 at each site can go from 8 to 64
users depending on user count at each site.
The information in this document applies to CCA Version 1.8 and Cisco UC500 software pack
version 4.2.9.
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 16
Application Note
UC520 Multi Site Deployment Guide for Data and Voice
If the number of users per site exceeds 5, the recommendation is to deploy a UC520 at that site.
Each site in a multi site deployment can still support remote teleworkers per above assuming the
UC520 site has enough bandwidth to support remote teleworker and inter site traffic and the total
number of VPN tunnels on the UC520 is 10 or less (remote teleworker + intersite).
The maximum number of UC520 sites that can be networked together is 5. If the customer
requirement is to network more than 5 sites, then the recommendation would be to look at Cisco
Integrated Services Routers (ISRs) which require Express Unified Communications Specialization.
WAN Connectivity:
Each site should have its own broadband WAN connection to the internet. This WAN connection
can be any broadband medium such as DSL, PPPoE, Cable, T1, Ethernet etc. The guidelines for
the WAN connection are:
WAN IP Address – the WAN IP address for each site MUST be a publicly routable IP
address over the internet so that the VPN tunnels can be setup.
Dynamic versus Static IP Address – the WAN IP address can be either dynamic using
DHCP or static IP address. Static IP addresses allow for simpler configuration of the VPN
tunnels. However DHCP or dynamic IP addresses would work as well – there is a
requirement to use DDNS (Dynamic DNS) to map a site DNS name to each WAN IP
address.
Bandwidth requirements – The broadband connection must have enough bandwidth per
site to handle any of the below traffic per customer requirement. If there is insufficient
bandwidth, this may lead to poor voice quality for inter site calls as well as slow data
connectivity.
o Internet traffic in / out from that site
[Figure: UC520 connected to the Internet through a dynamic / static WAN CPE with a public WAN IP]
Recommended Approach – all sites with Static IP addresses & sufficient bandwidth to cover
the data & voice requirements per site
IPSEC VPN Options for Multi Site connections:
Inter site connections over the internet are secured by using IPSEC VPN between sites. The
recommendation is to use IPSEC VPNs for connecting multiple UC520 sites using direct
encapsulation method. Using this method allows for:
QOS classification for voice over data traffic
Support for VPN Tunnels regardless if WAN IP address is dynamic or static
[Figure: Full Mesh and Hub and Spoke topologies (Site 1 as Hub)]
 | Pros | Cons
Full Mesh | Redundancy/Alternate Paths | Less VPN sessions for Remote Access (EZVPN); More complex configuration and routing
Hub & Spoke | More VPN sessions available for Remote Users; Simpler configuration | Bandwidth requirements at the Hub site; Single point of failure; Call Admission Control (CAC) issues; QoS issues for spoke to spoke calls
For more information on IPSEC VPN using direct encapsulation, please refer to:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080739e7c.pdf
Recommended Approach – Full Mesh IPSEC VPN using direct encapsulation
Data Connectivity
To ensure data is transferred between sites, there is a mandatory requirement to have unique
data subnets at each site. When planning the deployment design, it is good practice to give each
site a unique IP subnet (changed from the default subnet of 192.168.10.0 / 24). For example,
the site1 data VLAN would be 192.168.10.x / 24, site2 would be 192.168.20.x / 24 and so on. With CCA
1.8, it is possible to change the data VLAN IP address in the CCA Device Setup Wizard assuming
the UC520 is at factory default configuration. If a UC520 has already been configured, it is
recommended to use the CLI to change the relevant attributes (IP address on data VLAN interface,
DHCP scope information, access-lists for firewall and NAT) – Appendix A has step by step
guidelines for this.
PSTN Trunks:
The PSTN Trunks can be either analog lines (into FXO ports), ISDN BRI, analog DID lines, T1 / E1
PRI, T1 / E1 CAS or SIP or a mix of trunks types at various sites depending on each site’s needs.
Incoming PSTN Call Handling | Inbound calls handled locally for the most part, with option to route calls to other sites using inter site VOIP | Inbound calls will need to be routed to different spoke sites using inter site VOIP
Outgoing Call Handling | Outbound calls handled locally with option to send tail end hop off (route specific area codes via intersite VOIP to local PSTN trunk at other sites) which can provide cost savings. This option also allows calls to the outside be sent via other sites if PSTN trunks at a particular site are oversubscribed | Outbound calls always go out the Hub site PSTN Trunks
Emergency Number Considerations | Emergency calling will be locally handled at each site | All emergency calls will go out the Hub site which may not provide accurate location information for spoke sites
Site to site calling can be done using VOIP instead of traditional PSTN interconnects thereby
leading to significant cost savings and the ability to use less than 7 - 10 digits to dial between sites.
Dialplan Options – It is very important to design the dialplan for inter site calls appropriately to allow
for future expansion and also overlapping extension ranges at each site (note extensions here
cover not just phones but also hunt group pilot extensions, voicemail pilot extensions, call park
extensions, intercom extensions etc). There are 3 options:
a) If the extensions at each site are unique (for example Site1 is 1xx, Site2 is 2xx and so on),
then the users could just dial the extensions at each site directly.
b) If the extensions at each site are unique (for example Site1 is 1xx, Site2 is 2xx and so on),
then the recommendation is to add an access code to signify intersite calls – for example
8 + 1xx to call Site1, 8 + 2xx to call Site2 and so on. This approach also allows to support
least cost PSTN routing where calls local to Site2 area can be routed via VOIP to Site2
instead of going out via the Site1 PSTN trunks.
c) If the extensions at each site are overlapping (for example all sites use extensions in the
2xx range), then the recommendation is to add an access code to signify intersite calls
plus a site prefix – for example 8 + 1 + 2xx to call Site1, 8 + 2 + 2xx to call Site2 and so
on. The site prefix makes the extensions unique across sites.
Using the third approach allows for simplicity as it can be applied to any install and allows for:
H.450.2 & H.450.3 based call transfer and forwarding | VoIP calls are not hairpinned across multiple sites | Unique extensions for voicemail & AA pilot extensions at each site; Additional config to route calls to voicemail & AA pilot extensions at each site
Recommended Approach: Use prefix based dialing to call between sites with H.323 as the
VOIP protocol, disable H.450.2 & H.450.3 for hairpinning calls
Quality of Service (QoS):
For multi site deployments that involve inter site VOIP calling, QOS becomes a mandatory
requirement as the intersite data and VOIP traverse the same WAN link. The key requirements to
ensure appropriate QOS for the inter site calls are:
QoS guarantees: The Internet Service Provider (ISP) needs to guarantee bandwidth for VoIP
calls to ensure voice quality between sites. If the ISP does not support QoS and cannot guarantee
bandwidth for VoIP calls, then VPN alone will not guarantee voice quality. To support VoIP calls
between sites, the recommendation is to keep the round trip time (RTT) for VoIP traffic between
sites under 150 msec – anything higher than that will likely cause delay and voice quality issues. As
a way to estimate the RTT between two sites, you can initiate a ping from one UC520 to the remote
UC520 and look at the average response time. The smaller the RTT, the lower the chances of
having poor voice quality. Since inter site voice and data go over the same internet access circuit,
there is a chance that voice quality may suffer during peak data usage times if no QoS
guarantees are available from the ISP.
Call Admission Control (CAC) – This method implies restricting the number of inter site VOIP
calls so that the WAN links are not oversubscribed leading to poor voice quality. It is strongly
recommended to work with the end user and come up with the max number of inter site calls per
location so that the appropriate bandwidth can be provisioned for such calls. If the PSTN Trunks
being used are SIP Trunks, then CAC must take those calls into consideration as well (These calls
will take less bandwidth as compared to calls going over the IPSEC VPN as the VPN overhead is
not there).
Bandwidth & Codec selection – The WAN bandwidth at every site MUST be sufficient to handle
all types of traffic discussed in the WAN Connectivity requirements. If the WAN link has already
been provisioned, make sure the CAC method is used to limit the number of calls to fit into the
bandwidth available. Codec selection for inter site VOIP calls is as below
4
Auto Attendant Partial
Note 2 Call park retrieval is still possible only locally within each site, user can however transfer
calls from site 1 to site 2’s park slot.
Note 3 Please check the Advanced Features section for more information on VPIM
Note 4 Please check the Advanced Features section for more information on doing this with the
UCC Server
Note 5 With the UC500 7.0.2 EA SW Pack, it is possible to use blast or parallel hunt groups and
add users across sites
PSTN Trunks Analog lines, BRI, PRI, SIP etc Using 4 analog lines at each site
[Figure: UC520 sites, including Seattle, connected over the Internet]
Perform the procedures in this section to configure multi site for the UC520. CCA configuration can
be done locally by the installer on site or remotely using a VPN connection.
the CCA session, allow the PC to get the new IP address from the UC520 using DHCP
and then reconnect using the new data VLAN IP address – 192.168.xx.1 where xx goes
from 10 to 30.
4. Save Configuration
Save the configuration on the UC520s after this has been done by going to Configure >
Save Configuration in CCA.
6. Setup site to site VPN using direct encapsulation IPSEC between the sites
Follow the below CLI steps (the bold text signifies the unique config per site)
San Jose
! Define the site to site traffic for VPN using the data subnets
access-list 192 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 193 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
! Define unique HOSTNAME
hostname SANJOSE-UC520
! Configure crypto settings
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
!
crypto ipsec transform-set multisite esp-3des esp-sha-hmac
! Configure crypto-map for each site
crypto map multisite 2 ipsec-isakmp
 set peer IRVINE-UC520.dyndns.org dynamic
 set transform-set multisite
 qos pre-classify
 match address 192
Irvine
Configuration for the Seattle site will be on similar lines and is omitted for brevity. The IPsec Direct
Encapsulation VPN Design Guide can provide additional information for reference.
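A check for the weak settings in the step 6 configuration and in the DDNS update method of step 7, as an added example that is not part of the original Cisco document: 3DES, MD5 and DH group 2 are legacy algorithms, the 0.0.0.0 0.0.0.0 address on the pre-shared key means the key is accepted from any peer, and the DDNS update URL carries the account password over plain HTTP. The audit function and the finding names are assumptions of this example; the sample input is taken from this page.

```python
import re

# Treated as weak here: DES/3DES, MD5 and Diffie-Hellman groups 1, 2 and 5 are
# legacy algorithms that current IKE/IPsec guidance says to avoid.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_SUBCOMMANDS = {"encr", "encryption", "hash", "group", "authentication", "lifetime"}

# Sample input: lines taken from the step 6 and step 7 configuration on this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
crypto ipsec transform-set multisite esp-3des esp-sha-hmac
ip ddns update method method1
 http
  add http://uc520multi:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
"""


def audit(config):
    """Return (finding_id, detail) pairs; works with or without indentation."""
    findings = []
    policy = None  # number of the ISAKMP policy whose sub-commands are being read
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        line = " ".join(words)
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue
        if policy and words[0] in POLICY_SUBCOMMANDS and len(words) > 1:
            weak = {"encr": WEAK_ENCR, "encryption": WEAK_ENCR,
                    "hash": WEAK_HASH, "group": WEAK_DH_GROUPS}.get(words[0], set())
            if words[1] in weak:
                findings.append((f"weak-ike-{words[0]}", f"policy {policy}: {line}"))
            continue
        policy = None  # any other command ends the policy block
        if re.fullmatch(r"crypto isakmp key .+ address 0\.0\.0\.0( 0\.0\.0\.0)?", line):
            findings.append(("wildcard-psk", "key is accepted from any peer address"))
        m = re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m and WEAK_TRANSFORMS & set(m.group(2).split()):
            weak = sorted(WEAK_TRANSFORMS & set(m.group(2).split()))
            findings.append(("weak-transform", f"{m.group(1)}: {' '.join(weak)}"))
        m = re.match(r"add http://[^/@\s]+:[^/@\s]+@([^/\s]+)", line)
        if m:  # the detail names the host only, never the credentials
            findings.append(("ddns-cleartext-credentials",
                             f"account and password sent over HTTP to {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_CONFIG):
        print(f"{finding_id:28} {detail}")
```

The findings deliberately omit the key and password values so that the report can be shared without repeating the secrets.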
7. Configure Dynamic DNS and WAN interface settings
This configuration assumes DSL as the WAN connection with FastEthernet 0/0 being the WAN
interface on each UC520. The NAT access list identified in the existing CLI configuration is the
one shown below, and it is changed to prevent site to site traffic from being translated.
Irvine
ip domain lookup source-interface FastEthernet0/0
ip domain name dyndns.org
!
ip ddns update method method1
 http
  add http://uc520multi:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 2 0 0 0
 interval minimum 1 0 0 0
! Configure WAN interface for DDNS and VPN
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip dhcp client update dns
 ip ddns update hostname IRVINE-UC520.dyndns.org
 ip ddns update method1
 ip address dhcp
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map multisite
! Define the NAT settings to prevent site to site traffic from being NATTED
! The access-list 105 is used in this case based on configuration done previously
ip access-list extended 105
 1 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 2 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
Similar configuration would apply to Seattle.
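The three conditions this guide relies on for inter site data (unique data subnets, a crypto access list entry per remote site, and a NAT exemption per remote site) can be checked together before the tunnels are brought up. This is an added example, not part of the original Cisco document; the function names are hypothetical, and the Irvine crypto access lists in the sample are constructed to mirror the San Jose ones in step 6.

```python
import ipaddress
import re
from itertools import combinations

# Data subnets per site as used on this page (Seattle's is inferred from access-list 193).
SITES = {"SANJOSE": "192.168.10.0/24", "IRVINE": "192.168.20.0/24",
         "SEATTLE": "192.168.30.0/24"}

# Constructed Irvine config: crypto ACLs 192/193 mirror the San Jose ones from
# step 6, and the NAT exemption for Seattle is left out on purpose.
IRVINE_BROKEN = """\
access-list 192 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 193 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
ip access-list extended 105
 1 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 10 permit ip 192.168.20.0 0.0.0.255 any
"""

ENTRY = re.compile(r"(?:access-list (\S+) |\d+ )?(permit|deny) ip "
                   r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")

def net(addr, wildcard):
    """Turn an IOS address and wildcard mask (0.0.0.255) into an ip_network."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network((addr, 32 - bits.bit_length()), strict=False)

def parse_acls(config):
    """Return {acl: [(action, src_net, dst_net)]}; 'any'/'host' entries are skipped."""
    acls, named = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        header = re.fullmatch(r"ip access-list extended (\S+)", line)
        if header:
            named = header.group(1)
            continue
        m = ENTRY.match(line)
        name = (m.group(1) or named) if m else None
        if name:
            action, src, swild, dst, dwild = m.groups()[1:]
            acls.setdefault(name, []).append((action, net(src, swild), net(dst, dwild)))
    return acls

def check_site(local, sites, config, crypto_acls, nat_acl):
    """List planning gaps for one site; ACL entry order is not evaluated."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    findings = [f"{a} and {b} data subnets overlap"
                for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]
    acls = parse_acls(config)
    crypto = {(s, d) for n in crypto_acls for a, s, d in acls.get(n, []) if a == "permit"}
    exempt = [(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"]
    mine = nets[local]
    for peer, theirs in nets.items():
        if peer == local:
            continue
        if (mine, theirs) not in crypto:
            findings.append(f"{peer}: no crypto ACL entry {mine} -> {theirs}")
        if not any(mine.subnet_of(s) and theirs.subnet_of(d) for s, d in exempt):
            findings.append(f"{peer}: {mine} -> {theirs} is not exempt from NAT")
    return findings

if __name__ == "__main__":
    print(check_site("IRVINE", SITES, IRVINE_BROKEN, ("192", "193"), "105"))
```

A flow that is permitted by the crypto access list but not exempted from NAT is translated before the crypto map sees it, so it no longer matches the tunnel's traffic selector.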
This covers the QOS that is applied at each UC520. It does not guarantee against voice quality
issues for inter site calls but does provide all required QoS at the UC520. There does need to be
sufficient bandwidth on the WAN link provisioned for all traffic types at each site and if possible
push the Service Provider to give priority to VOIP traffic. The below configuration can be applied to
all sites as is – no site specific config is required. The recommendation for bandwidth allocation is
50% for VOIP media traffic and 5% for VOIP signaling traffic of the total WAN bandwidth.
! Classify IP traffic
class-map match-any media
 match ip dscp ef
!
class-map match-any signaling
 match ip dscp cs3
 match ip dscp af31
! Define queuing
policy-map queue
 class media
  priority percent 50
 class signaling
  bandwidth percent 5
 class class-default
  fair-queue
! Define shaping to max WAN bandwidth – 2Mbps in this case
policy-map shape
 class class-default
  shape average 2000000
  service-policy queue
! Apply QOS policy on the WAN interface
interface FastEthernet 0/0
 service-policy output shape
! Apply Call Admission control for max of 4 inter site VOIP calls at each site
call threshold interface FastEthernet 0/0 int-calls low 4 high 4
9. Configure site to site dialplan using H.323 as the VOIP protocol:
This goes over the CLI required to setup inter site VOIP calls at each site with previously
mentioned dialplan.
SAN JOSE
! Global VOIP settings
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
IRVINE
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
!
voice translation-rule 82200
 rule 1 /^82\(...\)/ /\1/
!
voice translation-profile intersite
 translate called 82200
!
interface VLAN1
 h323-gateway voip bind srcaddr 192.168.20.1
!
dial-peer voice 82200 voip
 description INCOMING INTERSITE CALLS
requirements are taken care of at each site to support these additional calls over the
VOIP trunks. A sample configuration based on the example above where all calls to local
area code for San Jose (408) are routed to SANJOSE-UC520 using VOIP trunks from the
Irvine UC520
http://www.myciscocommunity.com/community/smallbizsupport?view=overview
2. Get into config mode on the UC520 by typing “config terminal” in enable mode
3. Change the DHCP settings for the Data subnet – in this example the data subnet is being
changed from 192.168.10.x (default) to 192.168.20.x:
no ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool data
 no network 192.168.10.0 255.255.255.0
 no default-router 192.168.10.1
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
4. Change the interface IP address for the Data subnet – in case of UC520 Wireless SKUs
the interface is BVI1 while for all other SKUs the interface is VLAN1
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
5. At this point, the PC will lose IP connectivity to the UC520. You need to request a new IP
address on your PC for the new subnet. This can be done by going to Start > Run on your
PC and typing in cmd. Then type in “ipconfig /renew” and you should see the new subnet
IP address show up on the PC.
6. Launch a new telnet session as shown in Step A-1 & A-2 with the only difference being
the IP address of the UC520 will be 192.168.20.1 (or whatever was configured in step 4).
Once connected, go into config mode and add the below:
interface Loopback0
 no ip access-group 101 in
!
interface Vlan100
 no ip access-group 103 in
!
no access-list 1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
!
no access-list 101
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.20.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
no access-list 103
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny ip 10.1.10.0 0.0.0.3 any
access-list 103 deny ip 192.168.20.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
!
interface Loopback0
 ip access-group 101 in
!
interface Vlan100
 ip access-group 103 in