[asterisk-users] OT: NAT in SPA922

Sebastian Milioto smilioto at gmail.com
Sat May 8 07:25:52 CDT 2010


OK, here is how I solved it.
PC+IPPhone----------Cisco2950----Router.

Each PC in one private subnet NATed on the router. All phones in same
network (different from PCs).

Sebastian


On Fri, May 7, 2010 at 9:08 AM, James Lamanna <jlamanna at gmail.com> wrote:

> On May 7, 2010, at 8:03, James Lamanna <jlamanna at gmail.com> wrote:
>
> > On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <vbhoj74 at gmail.com> wrote:
> >> Alternatively, if using normal vlans, this can also be achieved by enabling
> >> access list on the switch and restrict traffic flows. Generally this is done
> >> on a layer 3 switch, don't think it will support on your switch model.
> >
> > That is correct. In order to do this on a 2950, you will need a router
> > behind this to be the gateway for each vlan. (On Cisco equipment you'd
> > need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx)
> > where xxx is your vlan number.)
> > Then you can set each port up to be a trunk port on the 2950, but
> > specify the native vlan on the port as the PC vlan # and allow the
> > Vlan # for the phone vlan.
> >
> > So something like:
> >
> > switchport mode trunk
> > switchport trunk native vlan [pc vlan #]
> > switchport trunk allowed vlan [pc vlan #],[phone vlan #]
> >
> > Then you will have to create access-lists on the router to block
> > intra-VLAN traffic.
> >
> > This can also be all done on a Layer 3 switch (like the Cisco 3550),
> > by defining each VLAN as an interface:
> >
> > interface VLAN 100
> > description Phone VLAN
> > ip address 192.168.100.1 255.255.255.0
> > !
> > interface VLAN 101
> > description Customer 1 VLAN
> > ip address 192.168.101.1 255.255.255.0
> > !
> > etc..
> >
> > then your ports will look like:
> >
> > interface FastEthernet 0/2
> > description customer 1 port
> > switchport trunk encapsulation dot1q
> > switchport mode trunk
> > switchport trunk native vlan 101
> > switchport trunk allowed vlan 100,101
> > !
> >
> > Then you'll need access lists to prevent the intra-vlan traffic..
>
>
> I lied. You don't need access-lists in this case with the "allowed
> vlan" statement.
>
> >
> > -- James
> >
> >
> >
> >
> >>
> >>
> >> Rgds,
> >> Vineet Bhojnagarwala RCDD, NTS, OSP
> >> Spear Networks Pvt Ltd
> >> Integration & Consultancy
> >> +91-9831436607
> >> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala <vbhoj74 at gmail.com> wrote:
> >>
> >> I think this is a motel kind of situation and a PVLAN serves the situation
> >> right. Put all the ipphones in the voice vlan as suggested, make a separate
> >> isolated vlan for the PCs, this will restrict traffic between the clients.
> >>
> >>
> >> Rgds,
> >> Vineet Bhojnagarwala RCDD, NTS, OSP
> >> Spear Networks Pvt Ltd
> >> Integration & Consultancy
> >> +91-9831436607
> >> On May 6, 2010, at 11:30 PM, "David White" <David.White at watchguard.com> wrote:
> >>
> >> -----Original Message-----
> >> From: asterisk-users-bounces at lists.digium.com on behalf of Noah Miller
> >> Sent: Thu 5/6/2010 10:41 AM
> >> To: Asterisk Users Mailing List - Non-Commercial Discussion
> >> Subject: Re: [asterisk-users] OT: NAT in SPA922
> >>
> >>>>> It is a building, with 24 separated rooms, each room will have a PC and
> >>>>> an IP Phone. Every room connected to a switch Cisco 2950.
> >>>>> I want to keep all PCs isolated behind a NAT (no access to neighbour's PC),
> >>>>> and still keep communication in same LAN between all IP Phones.
> >>>>>
> >>>>> Should I take another approach on that?
> >>>>>
> >>>> Put each PC in its own VLAN.  Keep all the phones in one VLAN.
> >>>>
> >>>> Although having a $30 router in each room hanging off the phone would
> >>>> accomplish what you want also.
> >>>
> >>> Take j's suggestion to use VLANs.  This is not a good situation for
> >>> NAT.  Cisco 2950's can do VLANs.
> >>>
> >>
> >> to be clear, the only way this will work with the PCs is if each PC vlan is
> >> *also* a unique ip subnet (else how do all the vlans access a common default
> >> gw?)
> >>
> >> place the phones in a voice vlan, and the phone problem is solved.
> >> as for the PC isolation, you might get better feedback on a cisco or other
> >> networking forum.
> >>
> >> -david
> >>
> >> --
> >> _____________________________________________________________________
> >> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >> New to Asterisk? Join us for a live introductory webinar every Thurs:
> >>               http://www.asterisk.org/hello
> >>
> >> asterisk-users mailing list
> >> To UNSUBSCRIBE or update options visit:
> >>   http://lists.digium.com/mailman/listinfo/asterisk-users
> >>
>
>
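
An added example, not part of the original thread or of any poster's message: a Python check over switch port settings laid out as the thread describes (one trunk per room, native VLAN equal to that room's PC VLAN, phone VLAN 100 also allowed) that flags ports breaking layer-2 PC isolation. The sample configuration, function names and finding texts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: port 0/2 follows the thread's layout; 0/3 and 0/4 are wrong.
SAMPLE_CONFIG = """\
interface FastEthernet 0/2
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
interface FastEthernet 0/3
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100-103
interface FastEthernet 0/4
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100,102-104' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, phone_vlan=100):
    """Return sorted (port, finding) pairs for ports that break per-room PC isolation."""
    ports, port = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(.+)", line):
            port = m.group(1).strip()
            ports[port] = {}
        elif port and (m := re.match(r"\s+switchport trunk (native|allowed) vlan ([\d,-]+)", line)):
            ports[port][m.group(1)] = expand_vlans(m.group(2))
    findings, owners = [], defaultdict(list)
    for port, cfg in ports.items():
        if "native" not in cfg:
            continue  # not a room-facing trunk (e.g. an SVI); nothing to check here
        pc_vlan = min(cfg["native"])
        owners[pc_vlan].append(port)
        if "allowed" not in cfg:
            findings.append((port, "no allowed-VLAN list: trunk carries every VLAN"))
        elif extra := cfg["allowed"] - {phone_vlan, pc_vlan}:
            findings.append((port, f"extra VLANs allowed: {sorted(extra)}"))
    for vlan, members in owners.items():
        if len(members) > 1:  # two rooms in one PC VLAN can reach each other at layer 2
            findings += [(p, f"PC VLAN {vlan} shared with other ports") for p in members]
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` reports the shared PC VLAN on ports 0/2 and 0/4 and the over-broad allowed list on 0/3; it inspects layer-2 port settings only and says nothing about routing between VLANs.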