Separate Voice and Data Subnets on Single LAN

Posted on 2011-09-14
Last Modified: 2012-06-22
I have a client with a Trixbox (free) PBX running all their phones on the same LAN as their data. They have a Sonicwall NSA 240 at the gateway. The PBX is connected to the outside world via PCI card connected to a PRI; voice traffic, therefore, traverse the LAN (for our purposes, and goes out the PRI without ever really running through the Sonicwall (other than for routing purposes). Their current switching configuration is Layer 2 but their switches are capable of Layer 3 (VLAN, etc....) switching (to be clear, I'm no expert on VLAN configuration).

The client wants to set up a subnet ( such that the voice traffic is on this subnet and the data continues to ride on Their proposal was to set up an interface on the Sonicwall to be configured with the gateway address of this subnet (e.g., X0>, X3> and set static routes in the Sonicwall such that the phones would communicate with the PBX ( but not with any of the data devices, including getting their DHCP IP address and config from the PBX.

My intial reaction is that this can't be done, but again, I'm not an expert on advanced networking concepts and am unsure if there is something that can be done to make this happen. That said, having a gateway interface on the Sonicwall (or any router/firewall) doesn't seem to make sense to me as the Sonicwall is not actually acting as the gateway (voice traffic goes out the PBX via PRI). I think it would be possible to static each phone and point it to the PBX manually and have it communicate with the PBX in this way but that's a bunch of work and really accomplishes very little of value.

I think the best option is to configure a VLAN on their switches and have all voice traffic on this VLAN. I need to have more information, however, in order to go back to the client and convince them that what they are trying to do is not feasible. Any insight anyone here can provide would be greatly appreciated!
Question by:wjb313
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

bitsmakebytzesrun earned 167 total points
ID: 36537266
you will want to setup two separate VLANs, one for the data and one for the voice networks (assuming workstations are not connected to the VoIP phones).  One port on each VLAN could then be connected to the sonicwall and addressed/rules/NATing setup.  The sonicwall will only need a default route out to their ISP, all locally connected networks should be routable.  this way they VoIP net can get outside data access if need (updates,etc) but are seperate from the workstations.  Soudns like all calls should go out the PRI interface of the PBX.  If the phones/PBX don't need data access, just put them on a separate VLAN and don't even connect the sonicwall to this vlan.

Assisted Solution

shbasm earned 167 total points
ID: 36537293
ok  set two vlans one for voice one for data in switches
if you dont use telephony service provider (dont forward calls to internet ) and you dont like
route between voice vlan and data vlan then you dont need to connect to Sonicwall
for more details post your switches and ip phones types

Assisted Solution

pridemarketing earned 166 total points
ID: 36537308
what they are asking to do can be done i do the same thing with a Cisco ASA. Just make sure the post on the Sonic is a gig port or this will be your bottle neck.

but i would have to agree a VLAN is the best option let your switch send the traffic and also make sure you have QOS setup for the phones.

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question