[asterisk-users] OT: NAT in SPA922

James Lamanna jlamanna at gmail.com
Fri May 7 07:03:20 CDT 2010


On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <vbhoj74 at gmail.com> wrote:
> Alternatively, if using normal vlans, this can also be achieved by enabling
> an access list on the switch and restricting traffic flows. Generally this is
> done on a layer 3 switch; I don't think your switch model will support it.

That is correct. In order to do this on a 2950, you will need a router
behind this to be the gateway for each vlan. On Cisco equipment you'd
need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx,
where xxx is your vlan number).
Then you can set each port up to be a trunk port on the 2950, but
specify the native vlan on the port as the PC vlan # and allow the
Vlan # for the phone vlan.

So something like:

switchport mode trunk
switchport trunk native vlan [pc vlan #]
switchport trunk allowed vlan [pc vlan #],[phone vlan #]

Then you will have to create access-lists on the router to block
intra-VLAN traffic.

This can also be all done on a Layer 3 switch (like the Cisco 3550),
by defining each VLAN as an interface:

interface VLAN 100
 description Phone VLAN
 ip address 192.168.100.1 255.255.255.0
!
interface VLAN 101
 description Customer 1 VLAN
 ip address 192.168.101.1 255.255.255.0
!
etc.

then your ports will look like:

interface FastEthernet 0/2
 description customer 1 port
 ! set the encapsulation first; the 3550 rejects "mode trunk" while it is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
!

Then you'll need access lists to prevent the intra-vlan traffic.

-- James




>
>
> Rgds,
> Vineet Bhojnagarwala RCDD, NTS, OSP
> Spear Networks Pvt Ltd
> Integration & Consultancy
> +91-9831436607
> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala <vbhoj74 at gmail.com> wrote:
>
> I think this is a motel kind of situation and a PVLAN serves the situation
> right. Put all the IP phones in the voice vlan as suggested, make a separate
> isolated vlan for the PCs, this will restrict traffic between the clients.
>
>
> Rgds,
> Vineet Bhojnagarwala RCDD, NTS, OSP
> Spear Networks Pvt Ltd
> Integration & Consultancy
> +91-9831436607
> On May 6, 2010, at 11:30 PM, "David White" <David.White at watchguard.com>
> wrote:
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com on behalf of Noah Miller
> Sent: Thu 5/6/2010 10:41 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] OT: NAT in SPA922
>
>>>> It is a building, with 24 separated rooms, each room will have a PC and
>>>> a IP
>>>> Phone. Every room connected to a switch Cisco 2950.
>>>> I want keeping all PCs isolated behind a NAT (no access to neighbour's
>>>> PC),
>>>> and still keep communication in same LAN between all IP Phones.
>>>>
>>>> Should I take another approach on that?
>>>>
>>> Put each PC in its own VLAN.  Keep all the phones in one VLAN.
>>>
>>> Although having a $30 router in each room hanging off the phone would
>>> accomplish what you want also.
>>
>> Take j's suggestion to use VLANs.  This is not a good situation for
>> NAT.  Cisco 2950's can do VLANs.
>>
>
> to be clear, the only way this will work with the PCs is if each PC vlan is
> *also* a unique ip subnet (else how do all the vlans access a common default
> gw?)
>
> place the phones in a voice vlan, and the phone problem is solved.
> as for the PC isolation, you might get better feedback on a cisco or other
> networking forum.
>
> -david
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
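
Added example, not part of James's message or the thread: a Python sketch that builds the per-customer access list the reply calls for on the Layer 3 switch and checks it with first-match evaluation, so the isolation between customer VLANs can be verified before it is pasted in. It assumes every room continues the post's scheme (VLAN 101 upward, subnet 192.168.<vlan>.0/24); the ACL name and the function names are made up for the example.

```python
import ipaddress

FIRST_CUSTOMER_VLAN = 101  # from the post; later rooms are assumed to count up
ANY = ipaddress.ip_network("0.0.0.0/0")

def subnet(vlan):
    # Scheme shown in the post: VLAN n uses 192.168.n.0/24
    return ipaddress.ip_network(f"192.168.{vlan}.0/24")

def acl_rules(vlan, rooms):
    """Ordered (action, src, dst) rules for traffic entering one customer SVI."""
    me = subnet(vlan)
    last = FIRST_CUSTOMER_VLAN + rooms
    rules = [("deny", me, subnet(v))
             for v in range(FIRST_CUSTOMER_VLAN, last) if v != vlan]
    # Everything else from this room (phone VLAN, upstream) stays reachable.
    rules.append(("permit", me, ANY))
    return rules

def render(vlan, rooms):
    """IOS text for the ACL and its binding (ACL name is a made-up example)."""
    name = f"CUST{vlan}-IN"
    out = [f"ip access-list extended {name}"]
    for action, src, dst in acl_rules(vlan, rooms):
        target = "any" if dst == ANY else f"{dst.network_address} {dst.hostmask}"
        out.append(f" {action} ip {src.network_address} {src.hostmask} {target}")
    out += ["!", f"interface VLAN {vlan}", f" ip access-group {name} in", "!"]
    return "\n".join(out)

def verdict(rules, src, dst):
    """First matching rule wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    print(render(101, 24))
```

Because the final permit names the room's own subnet as the source, a packet arriving on the customer VLAN with a source address outside that subnet falls through to the implicit deny.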


