OSPF, Rip, VPN, IPSec, and AVAYA VoIP with DHCP. How can I get the IP phones working on the second site?

Hello,

I have an issue with my current project. I am configuring a second site to use our current Avaya VoIP system in our head office and I am having trouble sending the DHCP and CallManager (H.323) information over the VPN.

Our phone system is managed by Avaya Controller IPOffice (DHCP Server) and it isn't connected to our data network. 

The sites are connected via IPsec VPN with OSPF areas and RIP v2. Redirected.

I have tried different options, but I am looking for the best option to use that is stable and manageable.

If anyone has any ideas, please let me know. 

Thanks.

Sam 

5 Replies

Sam, what are the two devices running the VPN? Can you post the configs?

They are 2911 running the VPN.

Hello,

Where are your voice clients? On interface GigabitEthernet0/2.113 (description Vlan113 b)?

The access list that allows both DHCP and H.323 traffic would look like this:

(config)#ip access-list extended ALLOW_DHCP_H323
(config-ext-nacl)#permit udp any any eq 67
(config-ext-nacl)#permit udp any any eq 68
(config-ext-nacl)#permit tcp any any eq 1720
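
Added example, not part of the reply above or of anything the posters supplied: a small Python evaluator for the extended ACL entries quoted in this thread, showing IOS first-match behaviour and the implicit deny that catches every flow the permit lines do not name. It handles only the syntax that appears on this page ("any", address plus wildcard, "eq" port); the function names are my own.

```python
import ipaddress

# Named ports used by the ACLs on this page.
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

# ACL lines copied from the thread (prompts stripped).
ALLOW_DHCP_H323 = [
    "permit udp any any eq 67",
    "permit udp any any eq 68",
    "permit tcp any any eq 1720",
]
WLAN_GUEST_IN = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 160.16.0.0 0.0.7.255",
    "deny ip any any",
]

def _addr(tok):
    """Consume 'any' or '<address> <wildcard>'; None means any address."""
    if tok[0] == "any":
        return None, tok[1:]
    return tuple(int(ipaddress.ip_address(t)) for t in tok[:2]), tok[2:]

def _port(tok):
    """Consume an optional 'eq <port>'; None means any port."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def _match(spec, ip):
    # Wildcard bits set to 1 are "don't care" bits.
    return spec is None or (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, p, *tok = line.split()
        s, tok = _addr(tok)
        sp, tok = _port(tok)
        d, tok = _addr(tok)
        dp, tok = _port(tok)
        if (p in ("ip", proto) and _match(s, src) and _match(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "implicit deny"
```

Calling evaluate(ALLOW_DHCP_H323, "udp", "160.16.70.150", 49300, "192.0.2.10", 1719), a constructed H.225 RAS packet to a placeholder address, returns the implicit deny, as does any other flow the three permits do not name. Against WLAN-Guest-In from the Site 1 config, a TCP 443 packet to 160.16.16.11 matches "permit tcp any any eq 443" before any deny line is reached.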

Hi Georg,

The IPsec doesn't support multicast. I need to use GRE Tunnel over PPTP Site-To-Site VPN with Bridge protocol.

I have no idea how to configure it all.

Any suggestions?

Also, I would like to start with two new 2911 routers with no configuration.

Thanks

My site 1 location has the Avaya IPoffice and is the only one in the company.

This is my Site 1 config.


!
version 15.0

!
!
ip dhcp excluded-address 160.16.16.1 160.16.16.149
ip dhcp excluded-address 160.16.16.200 160.16.16.254
ip dhcp excluded-address 160.16.18.1 160.16.18.10
ip dhcp excluded-address 160.16.17.1 160.16.17.10
ip dhcp excluded-address 160.16.20.1 160.16.20.10
!
ip dhcp pool xyz
import all
network 160.16.16.0 255.255.255.0
dns-server 67.69.184.199 67.69.184.7 160.16.16.11 160.16.16.12
default-router 160.16.16.1
domain-name bfg.ca
!
ip dhcp pool VLAN111-Corp-Wifi
import all
network 160.16.18.0 255.255.255.0
dns-server 67.69.184.199 67.69.184.7 160.16.16.11 160.16.16.12
default-router 160.16.18.1
domain-name xxxx
!
ip dhcp pool VLAN113-Guest
import all
network 160.16.20.0 255.255.255.0
dns-server 67.69.184.199 67.69.184.7
default-router 160.16.20.1
domain-name xxxxx
!
ip dhcp pool VLAN110-Office
import all
network 160.16.17.0 255.255.255.0
dns-server 160.16.16.1 67.69.184.199 67.69.184.7 160.16.16.11 160.16.16.12
default-router 160.16.17.1
domain-name xxxx
!
!
ip name-server 67.69.184.199
ip name-server 67.69.184.7
ip name-server 8.8.8.8
ip name-server 160.16.16.1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1928327714
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1928327714
revocation-check none
rsakeypair TP-self-signed-1928327714
!
!
!
!
redundancy
!
!
!
policy-map VPO
class class-default
shape average 200000000
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key yyyyy address 10.10.10.12 255.255.255.224
crypto isakmp key yyyyy address 10.10.10.13 255.255.255.224
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set Router-IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set Router-IPSEC
!
!
!
!
!
!
interface Loopback0
ip address 11.1.1.1 255.255.255.0
!
!
interface Tunnel0
ip address 200.200.200.1 255.255.255.0
tunnel source 10.10.10.10
tunnel mode ipsec ipv4
tunnel destination 10.10.10.12
tunnel protection ipsec profile VTI
!
service-policy output VPO
!
interface Tunnel1
ip address 200.200.100.1 255.255.255.0
tunnel source 10.10.10.10
tunnel mode ipsec ipv4
tunnel destination 10.10.10.13
tunnel protection ipsec profile VTI
!
service-policy output VPO
!
interface GigabitEthernet0/0
ip address 10.10.10.10 255.255.255.224
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
!
!
interface GigabitEthernet0/1
no ip address
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
no ip address
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2.1
encapsulation dot1Q 1 native
ip address 160.16.16.1 255.255.255.0
ip access-group LAN-VLAN1-IN in
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2.110
description Vlan110 b
encapsulation dot1Q 110
ip address 160.16.17.1 255.255.255.0
ip access-group LAN-OFFICE-IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2.111
description Vlan111 b
encapsulation dot1Q 111
ip address 160.16.18.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2.113
description Vlan113 b
encapsulation dot1Q 113
ip address 160.16.20.1 255.255.255.0
ip access-group WLAN-Guest-In in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2.500
encapsulation dot1Q 500
ip address 160.16.50.1 255.255.255.0
no ip redirects
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Async0/0/0
no ip address
encapsulation slip
!
!
router ospf 1
log-adjacency-changes
redistribute rip metric 50 subnets
network 160.16.16.0 0.0.0.255 area 0
network 192.168.0.0 0.0.255.255 area 1
network 200.200.100.0 0.0.0.255 area 0
network 200.200.200.0 0.0.0.255 area 1
!
router rip
version 2
network 192.168.1.0
!
ip forward-protocol nd
!
no ip http server
ip http port 8125
ip http secure-server
ip http secure-port 44554
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload

ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip access-list extended NAT_ACL
permit ip 160.16.16.0 0.0.0.255 any
permit ip 160.16.17.0 0.0.0.255 any
permit ip 160.16.18.0 0.0.0.255 any
permit ip 160.16.20.0 0.0.0.255 any
permit ip 160.16.50.0 0.0.0.255 any
deny ip any any
ip access-list extended WLAN-Guest-In
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
deny ip any 10.0.0.0 0.255.255.255
deny ip any 160.16.0.0 0.0.7.255
deny ip any any
!
!
!
!
!
route-map nonat permit 10
match ip address 110
!

This config is for the second location that needs the VoIP phones.


!
version 15.0

!
!
ip dhcp excluded-address 160.16.70.1 160.16.70.149
ip dhcp excluded-address 192.168.1.1 192.168.1.169
!
ip dhcp pool xyz
import all
network 160.16.70.0 255.255.255.0
dns-server 67.69.184.199 67.69.184.7
default-router 160.16.70.1
domain-name xxxx


!
!


ip name-server 67.69.184.199
ip name-server 67.69.184.7
!
multilink bundle-name authenticated
!
!

!
!

!
!
redundancy
!
!
!
policy-map VPO
class class-default
shape average 200000000
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key yyyyy address 10.10.10.10 255.255.255.224
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set Router-IPSEC esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set Router-IPSEC
!
!
!
!
!
!
interface Loopback0
ip address 11.1.2.1 255.255.255.0
!
!
interface Tunnel0
ip address 200.200.200.2 255.255.255.0
tunnel source 10.10.10.13
tunnel mode ipsec ipv4
tunnel destination 10.10.10.10
tunnel protection ipsec profile VTI
!
service-policy output VPO
!
interface GigabitEthernet0/0
ip address 10.10.10.13 255.255.255.224
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
ip ospf cost 7
duplex auto
speed 100
!
!
interface GigabitEthernet0/1
ip address 192.168.1.3 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
no ip address
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2.1
encapsulation dot1Q 1 native
ip address 160.16.70.1 255.255.255.0
ip access-group LAN-VLAN1-IN in
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface Async0/0/0
no ip address
encapsulation slip
!
!
router ospf 2
log-adjacency-changes
redistribute rip metric 50 subnets
network 160.16.70.0 0.0.0.255 area 1
network 192.168.0.0 0.0.255.255 area 1
network 200.200.200.0 0.0.0.255 area 1
!
router rip
version 2
network 192.168.1.0
!
ip forward-protocol nd
!
no ip http server
ip http port 8125
no ip http secure-server
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip access-list extended NAT_ACL
permit ip 160.16.70.0 0.0.0.255 any
!
!
!
!
!
route-map nonat permit 10

There are some additional routes and IP addresses assigned to the physical ports. You can suggest removing them if needed.

This is my lab network information.

Thanks 

Sam.