Ok.. here is how I solved it.

PC+IPPhone----------Cisco2950----Router

Each PC in one private subnet NATed on the router. All phones in same network (different from PCs).
Sebastian

On Fri, May 7, 2010 at 9:08 AM, James Lamanna <jlama...@gmail.com> wrote:
> On May 7, 2010, at 8:03, James Lamanna <jlama...@gmail.com> wrote:
>
> > On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <vbho...@gmail.com> wrote:
> >> Alternatively, if using normal vlans, this can also be achieved by enabling
> >> access list on the switch and restrict traffic flows. Generally this is done
> >> on a layer 3 switch, don't think it will support on your switch model.
> >
> > That is correct. In order to do this on a 2950, you will need a router
> > behind this to be the gateway for each vlan. (On Cisco equipment you'd
> > need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx)
> > where xxx is your vlan number.
> > Then you can set each port up to be a trunk port on the 2950, but
> > specify the native vlan on the port as the PC vlan # and allow the
> > Vlan # for the phone vlan.
> >
> > So something like:
> >
> > switchport mode trunk
> > switchport trunk native vlan [pc vlan #]
> > switchport trunk allowed vlan [pc vlan #],[phone vlan #]
> >
> > Then you will have to create access-lists on the router to block
> > intra-VLAN traffic.
> >
> > This can also be all done on a Layer 3 switch (like the Cisco 3550),
> > by defining each VLAN as an interface:
> >
> > interface VLAN 100
> >  description Phone VLAN
> >  ip address 192.168.100.1 255.255.255.0
> > !
> > interface VLAN 101
> >  description Customer 1 VLAN
> >  ip address 192.168.101.1 255.255.255.0
> > !
> > etc..
> >
> > then your ports will look like:
> >
> > interface FastEthernet 0/2
> >  description customer 1 port
> >  switchport trunk encapsulation dot1q
> >  switchport mode trunk
> >  switchport trunk native vlan 101
> >  switchport trunk allowed vlan 100,101
> > !
> >
> > Then you'll need access lists to prevent the intra-vlan traffic..
>
> I lied. You don't need access-lists in this case with the "allowed
> vlan" statement.
>
> >
> > -- James
> >
> >>
> >> Rgds,
> >> Vineet Bhojnagarwala RCDD, NTS, OSP
> >> Spear Networks Pvt Ltd
> >> Integration & Consultancy
> >> +91-9831436607
> >> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala <vbho...@gmail.com> wrote:
> >>
> >> I think this is a motel kind of situation and a PVLAN serves the situation
> >> right. Put all the ipphones in the voice vlan as suggested, make a separate
> >> isolated vlan for the PCs, this will restrict traffic between the clients.
> >>
> >>
> >> Rgds,
> >> Vineet Bhojnagarwala RCDD, NTS, OSP
> >> Spear Networks Pvt Ltd
> >> Integration & Consultancy
> >> +91-9831436607
> >> On May 6, 2010, at 11:30 PM, "David White" <david.wh...@watchguard.com> wrote:
> >>
> >> -----Original Message-----
> >> From: asterisk-users-boun...@lists.digium.com on behalf of Noah Miller
> >> Sent: Thu 5/6/2010 10:41 AM
> >> To: Asterisk Users Mailing List - Non-Commercial Discussion
> >> Subject: Re: [asterisk-users] OT: NAT in SPA922
> >>
> >>>>> It is a building, with 24 separated rooms, each room will have a PC and
> >>>>> a IP Phone. Every room connected to a switch Cisco 2950.
> >>>>> I want keeping all PCs isolated behind a NAT (no access to neighbour's
> >>>>> PC), and still keep communication in same LAN between all IP Phones.
> >>>>>
> >>>>> Should I take another approach on that?
> >>>>>
> >>>> Put each PC in its own VLAN. Keep all the phones in one VLAN.
> >>>>
> >>>> Although having a $30 router in each room hanging off the phone would
> >>>> accomplish what you want also.
> >>>
> >>> Take j's suggestion to use VLANs. This is not a good situation for
> >>> NAT. Cisco 2950's can do VLANs.
> >>>
> >>
> >> to be clear, the only way this will work with the PCs is if each PC vlan is
> >> *also* a unique ip subnet (else how do all the vlans access a common default
> >> gw?)
> >>
> >> place the phones in a voice vlan, and the phone problem is solved.
> >> as for the PC isolation, you might get better feedback on a cisco or other
> >> networking forum.
> >>
> >> -david
> >>
> >> --
> >> _____________________________________________________________________
> >> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >> New to Asterisk? Join us for a live introductory webinar every Thurs:
> >> http://www.asterisk.org/hello
> >>
> >> asterisk-users mailing list
> >> To UNSUBSCRIBE or update options visit:
> >> http://lists.digium.com/mailman/listinfo/asterisk-users
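
Added example (not part of the original thread or the posters' own code): a small Python check that the per-room trunk ports quoted above carry only the phone VLAN plus one PC VLAN that no other port uses. The sample config, port names, VLAN 102 and the function names are constructed for illustration; VLAN 100 as the phone VLAN follows the thread.

```python
import re

# Constructed sample: VLAN 100 = phones, 101+ = one PC VLAN per room.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100-102
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 102
!
"""

def expand(spec):
    """Expand an IOS VLAN list such as '100,102-104' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, phone_vlan=100):
    """Return {port: [findings]} for trunk ports that break PC isolation."""
    ports = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", stanza, re.M)
        if name and "switchport mode trunk" in stanza:
            native = re.search(r"trunk native vlan (\d+)", stanza)
            allowed = re.search(r"trunk allowed vlan ([\d,-]+)", stanza)
            ports[name.group(1)] = (int(native.group(1)) if native else 1,
                                    expand(allowed.group(1)) if allowed else None)
    natives = [native for native, _ in ports.values()]
    findings = {}
    for port, (native, allowed) in ports.items():
        issues = findings[port] = []
        if allowed is None:  # IOS default: every VLAN is allowed on the trunk
            issues.append("no allowed-vlan list: trunk carries every VLAN")
        elif allowed != {phone_vlan, native}:
            issues.append(f"unexpected VLAN set {sorted(allowed)}")
        if natives.count(native) > 1:
            issues.append(f"PC VLAN {native} is native on more than one port")
    return {port: issues for port, issues in findings.items() if issues}
```

Calling `audit(SAMPLE)` reports FastEthernet0/2 and FastEthernet0/3 and leaves FastEthernet0/1 clean.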