[asterisk-users] OT: NAT in SPA922
James Lamanna
jlamanna at gmail.com
Fri May 7 07:08:58 CDT 2010
On May 7, 2010, at 8:03, James Lamanna <jlamanna at gmail.com> wrote:
> On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <vbhoj74 at gmail.com> wrote:
>> Alternatively, if using normal vlans, this can also be achieved by enabling
>> access list on the switch and restrict traffic flows. Generally this is done
>> on a layer 3 switch, don't think it will support on your switch model.
>
> That is correct. In order to do this on a 2950, you will need a router
> behind this to be the gateway for each vlan. (On Cisco equipment you'd
> need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx)
> where xxx is your vlan number.)
> Then you can set each port up to be a trunk port on the 2950, but
> specify the native vlan on the port as the PC vlan # and allow the
> Vlan # for the phone vlan.
>
> So something like:
>
> switchport mode trunk
> switchport trunk native vlan [pc vlan #]
> switchport trunk allowed vlan [pc vlan #],[phone vlan #]
>
> Then you will have to create access-lists on the router to block
> intra-VLAN traffic.
>
> This can also be all done on a Layer 3 switch (like the Cisco 3550),
> by defining each VLAN as an interface:
>
> interface VLAN 100
> description Phone VLAN
> ip address 192.168.100.1 255.255.255.0
> !
> interface VLAN 101
> description Customer 1 VLAN
> ip address 192.168.101.1 255.255.255.0
> !
> etc..
>
> then your ports will look like:
>
> interface FastEthernet 0/2
> description customer 1 port
> switchport mode trunk
> switchport trunk encapsulation dot1q
> switchport trunk native vlan 101
> switchport trunk allowed vlan 100,101
> !
>
> Then you'll need access lists to prevent the intra-vlan traffic..
I lied. You don't need access-lists in this case with the "allowed
vlan" statement.
>
> -- James
>
>
>
>
>>
>>
>> Rgds,
>> Vineet Bhojnagarwala RCDD, NTS, OSP
>> Spear Networks Pvt Ltd
>> Integration & Consultancy
>> +91-9831436607
>> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala
>> <vbhoj74 at gmail.com> wrote:
>>
>> I think this is a motel kind of situation and a PVLAN serves the situation
>> right. Put all the ipphones in the voice vlan as suggested, make a separate
>> isolated vlan for the PCs, this will restrict traffic between the clients.
>>
>>
>> Rgds,
>> Vineet Bhojnagarwala RCDD, NTS, OSP
>> Spear Networks Pvt Ltd
>> Integration & Consultancy
>> +91-9831436607
>> On May 6, 2010, at 11:30 PM, "David White" <David.White at watchguard.com> wrote:
>>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com on behalf of Noah Miller
>> Sent: Thu 5/6/2010 10:41 AM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: Re: [asterisk-users] OT: NAT in SPA922
>>
>>>>> It is a building, with 24 separated rooms, each room will have a PC and
>>>>> an IP Phone. Every room connected to a switch Cisco 2950.
>>>>> I want to keep all PCs isolated behind a NAT (no access to neighbour's PC),
>>>>> and still keep communication in same LAN between all IP Phones.
>>>>>
>>>>> Should I take another approach on that?
>>>>>
>>>> Put each PC in its own VLAN. Keep all the phones in one VLAN.
>>>>
>>>> Although having a $30 router in each room hanging off the phone would
>>>> accomplish what you want also.
>>>
>>> Take j's suggestion to use VLANs. This is not a good situation for
>>> NAT. Cisco 2950's can do VLANs.
>>>
>>
>> to be clear, the only way this will work with the PCs is if each PC vlan is
>> *also* a unique ip subnet (else how do all the vlans access a common default
>> gw?)
>>
>> place the phones in a voice vlan, and the phone problem is solved.
>> as for the PC isolation, you might get better feedback on a cisco or other
>> networking forum.
>>
>> -david
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>> http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
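
The per-room port layout described in this thread (trunk port, native VLAN set to that room's PC VLAN, allowed list limited to the phone VLAN plus that PC VLAN) can be checked mechanically over a switch configuration. The Python below is an added example, not part of the original messages; `audit`, `expand`, the sample stanzas and the phone VLAN default of 100 are assumptions chosen to match the thread's numbering.

```python
import re

# Constructed sample in the style of the port stanzas quoted in the thread.
SAMPLE = """\
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
!
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100-102
!
interface FastEthernet 0/4
 switchport mode trunk
 switchport trunk native vlan 101
"""

def expand(spec):
    """Expand an IOS VLAN list such as '100,105-107' into a set of ints."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, phone_vlan=100):
    """Return {port: [issues]} for trunk ports that break the per-room layout."""
    findings, owner = {}, {}
    for block in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (.+)", block)
        if not name or "switchport mode trunk" not in block:
            continue  # SVIs and non-trunk ports are out of scope here
        port, issues = name.group(1).strip(), []
        native = re.search(r"trunk native vlan (\d+)", block)
        allowed = re.search(r"trunk allowed vlan ([\d,-]+)", block)
        pc = int(native.group(1)) if native else 1  # IOS default native VLAN is 1
        if owner.setdefault(pc, port) != port:
            issues.append(f"PC VLAN {pc} already native on {owner[pc]}")
        if not allowed:
            issues.append("no allowed list: trunk carries every VLAN")
        else:
            extra = sorted(expand(allowed.group(1)) - {phone_vlan, pc})
            if extra:
                issues.append(f"carries other VLANs: {extra}")
        if issues:
            findings[port] = issues
    return findings
```

Running `audit(SAMPLE)` flags the port whose allowed range reaches into a neighbour's PC VLAN and the port that reuses a PC VLAN without any allowed list.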