IP phones on a separate interface to bypass firewall

waelsherif
Level 1

I have a small network (150 users, 75 phones) with a 3945 router, as in the drawing below. We need to make separate connections: one for only Call Manager Express on one interface (to bypass the firewall) and the other for internet access and the internet. What is the best way to do it? I assume with VLANs, but I need some guidance.

Terry Cheema
VIP Alumni

Why are you not connecting the router and firewall to the core switch?

Not sure how you are planning to set it up, but:

1) You can create a voice VLAN on access switches and assign it to phone ports.

2) Create the voice VLAN and configure the port connecting to the router in the voice VLAN. Since you will only be passing voice traffic over this link, you can configure it as an access port and send untagged frames.

3) Create SVIs for the voice VLAN on core/L3 switches, optionally run DHCP on core (can also run HSRP optionally).

4) On the router interface, configure the IP address and use this IP address as the source for your CME config, SIP or SCCP.

5) Bind all signalling to this interface.

Let us know if you need any further help.

-Terry

Please rate all helpful posts

No, it's an access switch but with Layer 3 features (3650), and I don't think we need VLAN routing (it may require an additional license), so please explain it in more detail with commands if you can. Thanks.

1) On all your switches, create the voice VLAN:

conf t
vlan 100
name VOIP

2) On phone ports:

conf t
int G1/0/1
switchport access vlan X
switchport voice vlan 100
no sh

3) On all trunk links, add the voice VLAN to the allowed list if you are filtering VLANs.

4) On router:

int g0/0
ip address 10.1.1.1 255.255.255.0

5) Switch port connection to router:

switchport access vlan 100

For the switch config guide, ref: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-2/configuration_guide/b_162_consolidated_3650_cg.html

6) CME configuration:

Refer to the URLs below, depending on whether you have SIP or SCCP.

SCCP: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmesystm.html#pgfId-1023245

SIP: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmesystm.html#pgfId-1053668

7) Configure a DHCP pool. Below is a basic config for a voice pool:

ip dhcp pool VOIP
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1

I hope the above should be enough to get you started. Please excuse any syntax errors, just typing here, not copied from any CLI.

-Terry

Please rate all helpful posts
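
A check for steps 2, 3 and 5 of the answer above, added here as an example and not part of the original thread: it parses an IOS-style switch config and flags phone ports without the voice VLAN, trunks whose allowed list drops it, and access ports other than the router link that sit untagged in the voice VLAN (the segment that bypasses the firewall). The sample config, port names, data VLAN 10 and the function names are constructed assumptions.

```python
import re

# Constructed switch config for illustration; port numbers and VLAN 10 are assumptions.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 100
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface GigabitEthernet1/0/3
 switchport access vlan 100
interface GigabitEthernet1/0/24
 switchport access vlan 100
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30
"""

def parse_interfaces(cfg):
    """Map each interface name to the list of its sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # back at global config level
    return ifaces

def expand(vlans):
    """Expand '10,20-30' into the set of VLAN ids it covers."""
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(cfg, phone_ports, router_port, voice=100):
    """Return (interface, finding) pairs for steps 2, 3 and 5 of the post."""
    findings = []
    for name, cmds in parse_interfaces(cfg).items():
        m = re.search(r"^switchport trunk allowed vlan ([\d,-]+)$", "\n".join(cmds), re.M)
        if m and voice not in expand(m.group(1)):
            findings.append((name, "trunk filters out voice VLAN"))
        if name in phone_ports and f"switchport voice vlan {voice}" not in cmds:
            findings.append((name, "phone port has no voice VLAN"))
        if name != router_port and f"switchport access vlan {voice}" in cmds:
            findings.append((name, "unexpected untagged port in voice VLAN"))
    return findings
```

Call `audit(SAMPLE, phone_ports, router_port)` with the set of interfaces that carry phones and the name of the port facing the router; only plain allowed-VLAN lists are parsed, not the `add`/`remove` forms.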

That's more than helpful, but I was wondering what VLAN X is. Is it the default VLAN for data? I guess from that design we need to make DHCP work on all VLANs, voice and data, and please note that phones will be on the same cable as PCs.

If you have another suggestion for a new design, it will be appreciated. All we need is redundant core switches; in our case we did choose 2 (4500X) as a VSS, and one uplink to each access switch. Of course the firewall chosen is an ASA 5508-X with Firepower, and the router will be provided by the ISP (3945). Total nodes: 220 (including 140 PCs, 75 phones, 20 printers, 30 IP cams).