Ok.. here is how I solved it.<br>PC+IPPhone----------Cisco2950----Router.<br><br>Each PC in one private subnet NATed on the router. All phones in same network (different from PCs).<br><br>Sebastian<br><br><br><div class="gmail_quote">
On Fri, May 7, 2010 at 9:08 AM, James Lamanna <span dir="ltr"><<a href="mailto:jlamanna@gmail.com">jlamanna@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On May 7, 2010, at 8:03, James Lamanna <<a href="mailto:jlamanna@gmail.com">jlamanna@gmail.com</a>> wrote:<br>
<br>
> On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <<a href="mailto:vbhoj74@gmail.com">vbhoj74@gmail.com</a><br>
> > wrote:<br>
>> Alternatively, if using normal vlans, this can also be achieved by<br>
>> enabling<br>
>> access list on the switch and restrict traffic flows. Generally<br>
>> this is done<br>
>> on a layer 3 switch, don't think it will support on your switch<br>
>> model.<br>
><br>
> That is correct. In order to do this on a 2950, you will need a router<br>
> behind this to be the gateway for each vlan. (On Cisco equipment you'd<br>
> need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx)<br>
> where xxx is your vlan number).<br>
> Then you can set each port up to be a trunk port on the 2950, but<br>
> specify the native vlan on the port as the PC vlan # and allow the<br>
> Vlan # for the phone vlan.<br>
><br>
> So something like:<br>
><br>
> switchport mode trunk<br>
> switchport trunk native vlan [pc vlan #]<br>
> switchport trunk allowed vlan [pc vlan #],[phone vlan #]<br>
><br>
> Then you will have to create access-lists on the router to block<br>
> intra-VLAN traffic.<br>
><br>
> This can also be all done on a Layer 3 switch (like the Cisco 3550),<br>
> by defining each VLAN as an interface:<br>
><br>
> interface VLAN 100<br>
> description Phone VLAN<br>
> ip address 192.168.100.1 255.255.255.0<br>
> !<br>
> interface VLAN 101<br>
> description Customer 1 VLAN<br>
> ip address 192.168.101.1 255.255.255.0<br>
> !<br>
> etc..<br>
><br>
> then your ports will look like:<br>
><br>
> interface FastEthernet 0/2<br>
> description customer 1 port<br>
> switchport mode trunk<br>
> switchport trunk encapsulation dot1q<br>
> switchport trunk native vlan 101<br>
> switchport trunk allowed vlan 100,101<br>
> !<br>
><br>
> Then you'll need access lists to prevent the intra-vlan traffic..<br>
<br>
<br>
</div></div>I lied. You don't need access-lists in this case with the "allowed<br>
vlan" statement.<br>
<div><div></div><div class="h5"><br>
><br>
> -- James<br>
><br>
><br>
><br>
><br>
>><br>
>><br>
>> Rgds,<br>
>> Vineet Bhojnagarwala RCDD, NTS, OSP<br>
>> Spear Networks Pvt Ltd<br>
>> Integration & Consultancy<br>
>> +91-9831436607<br>
>> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala<br>
>> <<a href="mailto:vbhoj74@gmail.com">vbhoj74@gmail.com</a>> wrote:<br>
>><br>
>> I think this is a motel kind of situation and a PVLAN serves the<br>
>> situation<br>
>> right. Put all the ipphones in the voice vlan as suggested, make a<br>
>> separate<br>
>> isolated vlan for the PCs, this will restrict traffic between the<br>
>> clients.<br>
>><br>
>><br>
>> Rgds,<br>
>> Vineet Bhojnagarwala RCDD, NTS, OSP<br>
>> Spear Networks Pvt Ltd<br>
>> Integration & Consultancy<br>
>> +91-9831436607<br>
>> On May 6, 2010, at 11:30 PM, "David White" <<a href="mailto:David.White@watchguard.com">David.White@watchguard.com</a><br>
>> ><br>
>> wrote:<br>
>><br>
>> -----Original Message-----<br>
>> From: <a href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a> on behalf of Noah<br>
>> Miller<br>
>> Sent: Thu 5/6/2010 10:41 AM<br>
>> To: Asterisk Users Mailing List - Non-Commercial Discussion<br>
>> Subject: Re: [asterisk-users] OT: NAT in SPA922<br>
>><br>
>>>>> It is a building, with 24 separated rooms, each room will have a<br>
>>>>> PC and<br>
>>>>> a IP<br>
>>>>> Phone. Every room connected to a switch Cisco 2950.<br>
>>>>> I want keeping all PCs isolated behind a NAT (no access to<br>
>>>>> neighbour's<br>
>>>>> PC),<br>
>>>>> and still keep communication in same LAN between all IP Phones.<br>
>>>>><br>
>>>>> Should I take another approach on that?<br>
>>>>><br>
>>>> Put each PC in its own VLAN. Keep all the phones in one VLAN.<br>
>>>><br>
>>>> Although having a $30 router in each room hanging off the phone<br>
>>>> would<br>
>>>> accomplish what you want also.<br>
>>><br>
>>> Take j's suggestion to use VLANs. This is not a good situation for<br>
>>> NAT. Cisco 2950's can do VLANs.<br>
>>><br>
>><br>
>> to be clear, the only way this will work with the PCs is if each PC<br>
>> vlan is<br>
>> *also* a unique ip subnet (else how do all the vlans access a<br>
>> common default<br>
>> gw?)<br>
>><br>
>> place the phones in a voice vlan, and the phone problem is solved.<br>
>> as for the PC isolation, you might get better feedback on a cisco<br>
>> or other<br>
>> networking forum.<br>
>><br>
>> -david<br>
>><br>
>> --<br>
>> _____________________________________________________________________<br>
>> -- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
>> New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
>> <a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
>><br>
>> asterisk-users mailing list<br>
>> To UNSUBSCRIBE or update options visit:<br>
>> <a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
>><br>
</div></div></blockquote></div><br>
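The per-room layout discussed in this thread (one PC VLAN per port as native, plus the shared phone VLAN on the allowed list) can be checked mechanically against a saved switch configuration. The following is an added example, not part of the original thread: the function names and the sample configuration are constructed, and voice VLAN 100 is taken from the "Phone VLAN" interface quoted above.

```python
import re
from collections import Counter

# Constructed sample (not from the thread), in the style of the quoted port config.
SAMPLE = """\
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100-103
interface FastEthernet 0/4
 switchport mode trunk
 switchport trunk native vlan 102
"""

def expand(spec):  # '100,104-105' -> {100, 104, 105}
    parts = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(config):
    """Return {port: {'native': .., 'allowed': ..}} for ports in trunk mode."""
    ports, cur = {}, {}  # cur starts as a throwaway dict for lines before any interface
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            cur = ports[line[10:].strip()] = {"trunk": False, "native": None, "allowed": None}
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            cur["allowed"] = expand(m.group(1))
    return {n: p for n, p in ports.items() if p["trunk"]}

def audit(config, voice_vlan):
    """Return (port, problem) pairs that break one-PC-VLAN-per-room isolation."""
    trunks = parse_trunks(config)
    uses = Counter(p["native"] for p in trunks.values())
    findings = []
    for name, p in trunks.items():
        # Each room needs its own native VLAN, distinct from the voice VLAN.
        if p["native"] in (None, voice_vlan) or uses[p["native"]] > 1:
            findings.append((name, "PC VLAN missing or shared"))
        # Without an allowed list, an IOS trunk carries every VLAN by default.
        if p["allowed"] is None:
            findings.append((name, "no allowed list: trunk carries all VLANs"))
        elif p["allowed"] != {p["native"], voice_vlan}:
            findings.append((name, "allowed list is not PC VLAN + voice VLAN only"))
    return findings
```

Calling `audit(SAMPLE, 100)` reports ports 0/3 and 0/4 (shared PC VLAN 102, an over-broad allowed range, and a trunk with no allowed list) and leaves port 0/2 clean.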