[asterisk-users] Inexpensive Layer 3 Switch?

David Gomillion david.gomillion at gmail.com
Tue Jun 26 13:12:04 CDT 2007


On 6/26/07, Marty Mastera <marty at m3resources.com> wrote:
>
>   The only reason to route the voice VLAN is if you need the phones to
> access the Internet and/or vice-versa. If you only need to worry about the
> computers on the data VLAN accessing Trixbox's web interface, I would
> suggest using the Ethernet VLAN capabilities of Linux. You can create
> eth0.vlan1 for data on Trixbox, and have the "default" vlan for the port
> on the switch be voice. Then, the voice VLAN goes nowhere but to your PBX
> and the phones.
>
> The other option is to put in another NIC, one for the voice VLAN, the
> other for the data VLAN.
>
> I've been pretty happy with the Linksys 24-port layer 2 switches
> (SRW224P). They're running around $400 right now. If you really need layer3
> support, I would steer clear of the Netgear. I've had a lot of problems with
> them, and the support was disappointing. But then again, I got a bunch that
> don't work that I could sell you ;)
>
>
> Ahh, interesting idea…if I understood correctly, you're basically using a
> layer 2 switch and trunking the voice and data VLAN to the asterisk box and
> doing the routing and ACL work there?  Advantage is lower cost because you
> don't need a layer 3 switch anymore and don't have to learn a new CLI or
> other config method?
>
> Here's a bit more information…the client is a building owner who occupies
> the first floor and is renting out the rest of the building.  In addition to
> his own voice/data network (which would be on separate VLANs) they want to
> offer the building tenants the ability to use their PBX and internet
> connection.  Due to a quirk in the service provider's SIP ALG all IP phones
> in the building must be on the same network (VLAN) which I don't see a
> problem with, but each tenant's data will be in a separate VLAN.  I'm
> thinking I could trunk the voice VLAN and all of the individual tenant data
> VLANs to the Trixbox to allow them access to the web interface?
>
> Any other ideas out there based on this scenario?
>

We do something somewhat similar. Each switch has 2 data VLANs, and also is
part of the Voice VLAN. Each VLAN for data is routed, but the voice VLAN
only carries voice traffic. Our Asterisk server does not route packets
between the networks. So, aside from some nasty attacks that sniff and
replicate VLAN headers, our voice network is pretty secure.

So our network has 20 different data VLANs (again, 2 per edge switch), 1
server VLAN, 1 voice VLAN, 1 wireless VLAN, and one DMZ VLAN. The data and
server VLANs are all routed, and everything else is not. They have to go
through some type of bridge between the networks. For wireless, that's our
wireless switch. For the DMZ, it's our firewall. The voice VLAN can only
reach our Asterisk box.

If you use a SIP provider, you may have to either take another approach, or
realize that all SIP traffic will have to remain on the host (i.e. reinvites
are bad when you don't have a network path from A to B). But we're strictly
IAX between offices, and PSTN thru PRI.
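
The isolation described above holds only while a host attached to more than one VLAN has kernel packet forwarding switched off. As an added example (not part of the original post), this shell function audits the Linux forwarding sysctls on such a host; the interface names `eth0` and `eth0.10` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a PBX host with interfaces in several VLANs
# will not forward packets between them.
#
# audit_forwarding [SYSCTL_ROOT]
#   SYSCTL_ROOT defaults to /proc/sys; it is a parameter so the check can be
#   run against a copied or constructed tree. Prints every forwarding flag
#   that is not 0 and returns 1 if any was found, 0 otherwise.
audit_forwarding() {
    root=${1:-/proc/sys}
    bad=0
    # The global IPv4 switch plus the per-interface IPv4 and IPv6 flags.
    # A non-zero per-interface flag lets packets arriving on that interface
    # be routed onward, so any single one is a finding.
    for f in "$root"/net/ipv4/ip_forward \
             "$root"/net/ipv4/conf/*/forwarding \
             "$root"/net/ipv6/conf/*/forwarding; do
        [ -r "$f" ] || continue      # unmatched glob or absent IPv6 tree
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "FORWARDING ENABLED: ${f#"$root"/} = $val"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input: a minimal sysctl tree for a host with an untagged
# voice interface (eth0) and a tagged data sub-interface (eth0.10).
# $1 = directory to populate, $2 = forwarding value to set on eth0.10
make_sample_tree() {
    for i in all default eth0 eth0.10; do
        mkdir -p "$1/net/ipv4/conf/$i"
        echo 0 > "$1/net/ipv4/conf/$i/forwarding"
    done
    echo 0 > "$1/net/ipv4/ip_forward"
    echo "$2" > "$1/net/ipv4/conf/eth0.10/forwarding"
}

# Demo on the constructed tree: forwarding left on for the data sub-interface.
demo=$(mktemp -d)
make_sample_tree "$demo" 1
audit_forwarding "$demo" || echo "RESULT: host can route between VLANs"
rm -rf "$demo"
```

On a live system, call `audit_forwarding` with no argument to read `/proc/sys` directly.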