On 6/26/07, Marty Mastera <[EMAIL PROTECTED]> wrote:

  The only reason to route the voice VLAN is if you need the phones to
access the Internet and/or vice-versa. If you only need to worry about the
computers on the data VLAN accessing Trixbox's web interface, I would
suggest using the Ethernet VLAN capabilities of Linux. You can create
eth0.vlan1 for data on Trixbox, and have the "default" vlan for the port
on the switch be voice. Then, the voice VLAN goes nowhere but to your PBX
and the phones.

The other option is to put in another NIC, one for the voice VLAN, the
other for the data VLAN.

I've been pretty happy with the Linksys 24-port layer 2 switches
(SRW224P). They're running around $400 right now. If you really need layer3
support, I would steer clear of the Netgear. I've had a lot of problems with
them, and the support was disappointing. But then again, I got a bunch that
don't work that I could sell you ;)





Ahh, interesting idea…if I understood correctly, you're basically using a
layer 2 switch and trunking the voice and data VLAN to the Asterisk box and
doing the routing and ACL work there?  Advantage is lower cost because you
don't need a layer 3 switch anymore and don't have to learn a new CLI or
other config method?

Here's a bit more information…the client is a building owner who occupies
the first floor and is renting out the rest of the building.  In addition to
his own voice/data network (which would be on separate VLANs) they want to
offer the building tenants the ability to use their PBX and internet
connection.  Due to a quirk in the service provider's SIP ALG, all IP phones
in the building must be on the same network (VLAN) which I don't see a
problem with, but each tenant's data will be in a separate VLAN.  I'm
thinking I could trunk the voice VLAN and all of the individual tenant data
VLANs to the Trixbox to allow them access to the web interface?

Any other ideas out there based on this scenario?


We do something somewhat similar. Each switch has 2 data VLANs, and also is
part of the Voice VLAN. Each VLAN for data is routed, but the voice VLAN
only carries voice traffic. Our Asterisk server does not route packets
between the networks. So, aside from some nasty attacks that sniff and
replicate VLAN headers, our voice network is pretty secure.

So our network has 20 different data VLANs (again, 2 per edge switch), 1
server VLAN, 1 voice VLAN, 1 wireless VLAN, and one DMZ VLAN. The data and
server VLANs are all routed, and everything else is not. They have to go
through some type of bridge between the networks. For wireless, that's our
wireless switch. For the DMZ, it's our firewall. The voice VLAN can only
reach our Asterisk box.

If you use a SIP provider, you may have to either take another approach, or
realize that all SIP traffic will have to remain on the host (i.e. reinvites
are bad when you don't have a network path from A to B). But we're strictly
IAX between offices, and PSTN thru PRI.
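
Added example, not part of the original thread: a sketch of the PBX-side setup discussed above, where one voice VLAN and several tenant data VLANs are trunked to the Linux host and the host terminates each VLAN without forwarding between them. The trunk NIC name (eth0), the VLAN IDs, and the ports (web UI on tcp/80, SIP on udp/5060, RTP on udp/10000-20000) are assumptions; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints (does not execute) the commands for a PBX on an 802.1Q trunk.
# Assumptions: trunk NIC eth0; web UI tcp/80; SIP udp/5060; RTP udp/10000-20000.
TRUNK_IF="${TRUNK_IF:-eth0}"

valid_vid() {  # usable 802.1Q VLAN IDs are 1..4094
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Usage: pbx_vlan_plan VOICE_VID DATA_VID [DATA_VID...]
pbx_vlan_plan() {
    voice="$1"; shift
    valid_vid "$voice" || { echo "bad voice VLAN id: $voice" >&2; return 1; }
    for vid in "$@"; do
        valid_vid "$vid" || { echo "bad data VLAN id: $vid" >&2; return 1; }
        # A VLAN listed as both voice and data would merge the two policies.
        [ "$vid" != "$voice" ] || { echo "VLAN $vid is both voice and data" >&2; return 1; }
    done

    # The host has an address on every VLAN but never routes between them.
    echo "sysctl -w net.ipv4.ip_forward=0"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # One tagged sub-interface per VLAN carried on the trunk.
    for vid in "$voice" "$@"; do
        echo "ip link add link $TRUNK_IF name $TRUNK_IF.$vid type vlan id $vid"
        echo "ip link set $TRUNK_IF.$vid up"
    done

    # Voice VLAN: signalling and media only, no web interface.
    echo "iptables -A INPUT -i $TRUNK_IF.$voice -p udp --dport 5060 -j ACCEPT"
    echo "iptables -A INPUT -i $TRUNK_IF.$voice -p udp --dport 10000:20000 -j ACCEPT"
    echo "iptables -A INPUT -i $TRUNK_IF.$voice -j DROP"

    # Tenant data VLANs: web interface only, no SIP or RTP.
    for vid in "$@"; do
        echo "iptables -A INPUT -i $TRUNK_IF.$vid -p tcp --dport 80 -j ACCEPT"
        echo "iptables -A INPUT -i $TRUNK_IF.$vid -j DROP"
    done
}
```

Calling `pbx_vlan_plan 100 10 20` prints the plan for voice VLAN 100 and tenant data VLANs 10 and 20. IP addressing on each sub-interface and any DHCP or IAX rules are left out and would need to be added for a real deployment.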