On May 7, 2010, at 8:03, James Lamanna <jlama...@gmail.com> wrote:

> On Thu, May 6, 2010 at 8:14 PM, Vineet Bhojnagarwala <vbho...@gmail.com> wrote:
>> Alternatively, if using normal vlans, this can also be achieved by enabling
>> access list on the switch and restrict traffic flows. Generally this is done
>> on a layer 3 switch, don't think it will support on your switch model.
>
> That is correct. In order to do this on a 2950, you will need a router
> behind this to be the gateway for each vlan. (On Cisco equipment you'd
> need to create a subinterface for each vlan (i.e. FastEthernet 0.xxx)
> where xxx is your vlan number.
> Then you can set each port up to be a trunk port on the 2950, but
> specify the native vlan on the port as the PC vlan # and allow the
> Vlan # for the phone vlan.
>
> So something like:
>
> switchport mode trunk
> switchport trunk native vlan [pc vlan #]
> switchport trunk allowed vlan [pc vlan #],[phone vlan #]
>
> Then you will have to create access-lists on the router to block
> intra-VLAN traffic.
>
> This can also be all done on a Layer 3 switch (like the Cisco 3550),
> by defining each VLAN as an interface:
>
> interface VLAN 100
>  description Phone VLAN
>  ip address 192.168.100.1 255.255.255.0
> !
> interface VLAN 101
>  description Customer 1 VLAN
>  ip address 192.168.101.1 255.255.255.0
> !
> etc..
>
> then your ports will look like:
>
> interface FastEthernet 0/2
>  description customer 1 port
>  switchport mode trunk
>  switchport trunk encapsulation dot1q
>  switchport trunk native vlan 101
>  switchport trunk allowed vlan 100,101
> !
>
> Then you'll need access lists to prevent the intra-vlan traffic..

I lied. You don't need access-lists in this case with the "allowed vlan" statement.

> -- James
>
>> Rgds,
>> Vineet Bhojnagarwala RCDD, NTS, OSP
>> Spear Networks Pvt Ltd
>> Integration & Consultancy
>> +91-9831436607
>> On May 7, 2010, at 8:39 AM, Vineet Bhojnagarwala <vbho...@gmail.com> wrote:
>>
>> I think this is a motel kind of situation and a PVLAN serves the situation
>> right. Put all the ipphones in the voice vlan as suggested, make a separate
>> isolated vlan for the PCs, this will restrict traffic between the clients.
>>
>> Rgds,
>> Vineet Bhojnagarwala RCDD, NTS, OSP
>> Spear Networks Pvt Ltd
>> Integration & Consultancy
>> +91-9831436607
>> On May 6, 2010, at 11:30 PM, "David White" <david.wh...@watchguard.com> wrote:
>>
>> -----Original Message-----
>> From: asterisk-users-boun...@lists.digium.com on behalf of Noah Miller
>> Sent: Thu 5/6/2010 10:41 AM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: Re: [asterisk-users] OT: NAT in SPA922
>>
>>>>> It is a building, with 24 separated rooms, each room will have a PC and an IP
>>>>> Phone. Every room connected to a switch Cisco 2950.
>>>>> I want to keep all PCs isolated behind a NAT (no access to neighbour's PC),
>>>>> and still keep communication in same LAN between all IP Phones.
>>>>>
>>>>> Should I take another approach on that?
>>>>>
>>>> Put each PC in its own VLAN. Keep all the phones in one VLAN.
>>>>
>>>> Although having a $30 router in each room hanging off the phone would
>>>> accomplish what you want also.
>>>
>>> Take j's suggestion to use VLANs. This is not a good situation for
>>> NAT. Cisco 2950's can do VLANs.
>>>
>>
>> to be clear, the only way this will work with the PCs is if each PC vlan is
>> *also* a unique ip subnet (else how do all the vlans access a common default
>> gw?)
>>
>> place the phones in a voice vlan, and the phone problem is solved.
>> as for the PC isolation, you might get better feedback on a cisco or other
>> networking forum.
>>
>> -david
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>> http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
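
An added example, not part of the original thread: a Python check over IOS-style interface stanzas that verifies the Layer 2 trunk layout discussed above, where each room's port carries only its own PC VLAN as native plus the shared phone VLAN. The sample config, the ports other than FastEthernet 0/2, and the helper names `expand` and `audit` are constructed for illustration.

```python
import re

PHONE_VLAN = 100  # shared phone VLAN in the thread's sample config
# Constructed sample: 0/2 follows the thread's layout, 0/3 and 0/4 deviate.
SAMPLE_CONFIG = """\
interface FastEthernet 0/2
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100,101
!
interface FastEthernet 0/3
 switchport mode trunk
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100-102
!
interface FastEthernet 0/4
 switchport mode trunk
 switchport trunk native vlan 101
"""

def expand(spec):
    """Expand an IOS VLAN list such as '100,102-104' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, phone_vlan=PHONE_VLAN):
    """Return {port: [findings]} for trunk ports that break per-room PC isolation."""
    findings, owner = {}, {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface\s+(.+?)\s*$", block, re.M)
        if not name or "switchport mode trunk" not in block:
            continue
        port, issues = name.group(1), []
        native = re.search(r"trunk native vlan (\d+)", block)
        allowed = re.search(r"trunk allowed vlan ([\d,-]+)", block)
        pc_vlan = int(native.group(1)) if native else 1  # 1 is the IOS default native VLAN
        extra = expand(allowed.group(1)) - {pc_vlan, phone_vlan} if allowed else None
        if extra is None:
            issues.append("no allowed-vlan list, trunk carries every VLAN")
        elif extra:
            issues.append(f"extra VLANs allowed: {sorted(extra)}")
        if pc_vlan in owner or pc_vlan == phone_vlan:
            issues.append(f"PC VLAN {pc_vlan} is shared, not unique to this port")
        owner.setdefault(pc_vlan, port)
        if issues:
            findings[port] = issues
    return findings
```

The check covers only the switchport trunk settings; it says nothing about what a router or Layer 3 interface forwards between VLANs.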