Go Premium for a chance to win a PS4. Enter to Win


VLAN With 3COM 2426-PWR Switch & Juniper SSG5-Serial Router

Posted on 2013-01-14
Medium Priority
Last Modified: 2013-01-14
I am working a VOIP provider install a replacement VOIP system.  I am not familiar with both Juniper Networks routers and 3COM switches as well VLANs.  The existing VOIP setup does not use separate VLANs, but has certain ports tagged for VOIP VLAN access.  I believe the existing VOIP System, IP phones, and host servers & PCs reside on the subnet.  The IP phones use static IPs -  

We will be installing a new VOIP system, but this time we will implement separate VLANs (Vlan=1, Vlan=2).  VLAN 2 is for all VOIP services.  We'll want to still take advantage of the extra port on the IP phones to connect PCs as well.  The VOIP installer wants to implement a separate VLAN using, but still be able to forward data to VLAN-1 ( and Internet access.  The reason why VLAN-2 needs to acces VLAN-1 is because the VOIP system will need to access an Exchange Server and implement unified messaging.  

3Com switch port-24 is connected to the Juniper router.  I believe this port is currently setup as Port State: Enabled, PVID: 1, Flow Control: Disabled, Speed: Auto(100), Duplex: Auto(Full).  This switch has VLAN-10 established with ports: 2,5-8,19,22-23 as tagged members.  IP phones are connected to ports 2,5,6,7,8,19,22,23.  I do not know what IP(s) are reserved for the existing VOIP Server.  

The Juniper router has bgroup0.1 with Tag-2, Trust, Layer3.  

How do I update both the switch port 24 as a trunk to the router, and setup the router with the correct vlan for VOIP to our mail server  PCs connected to the IP phones shouls also be granted access to the network.  The VOIP Vlan-2 also needs Internet access so the VOIP installer can access it remotely.

The confusion is the switch appears to have a VLAN-10 setup, and the router has VLAN-2, but I do not think this is all working.  I am not sure, that's why I am asking for advice.

I assume both the switch and the router should refer to the same VLAN ID: 2 or 10, and a trunk should be defined on port-24 on the router to allow traffic between the VLANs, etc.  There is confusion as to how the router and switch are currently configured.
Question by:cmp119
  • 2
  • 2
LVL 18

Accepted Solution

Sanga Collins earned 2000 total points
ID: 38775690
I do not have experience with the 3com equipment, but the following should help.

Since the Switch is already setup with VLAN10 on ports 2,5-8,19,22-23 and these are the ports the phone are connected to, I would change the VLAN tag in the Juniper to match the VLAN tag in the switch.

- Create a custom zone in the trust-vr named "VOIP"
- Create subinterface of bgroup0 with vlan tag = 10 and zone = VOIP
In the SSG, If you want to re-use brgoup0.1 I believe you have to delete it and recreate it again since the VLAN tag can not be changed after the sub interface is configured.
- Create policy from VOIP to trust: allow all, and another policy from trust to VOIP: allow all, and finally from VOIP to untrust: allow all (for internet)

The above steps will allow traffic from the VOIP network on VLAN10 to reach the servers in the trust zone (No VLAN tag), as well as reach the internet. You can test by plugging computer into one of the tagged ports and if you give it a valid IP you should be able to get to the internet.

There are a couple of issues. If you use the secondary port on the IP phones, the computers connected will be on the VLAN2 network (since the switch is tagging the traffic) this may cause issues if you have a windows domain environment.

Author Comment

ID: 38776101
Can you elaborate on the issues within a Windows domain environment?
LVL 18

Expert Comment

by:Sanga Collins
ID: 38776293
When you have computers on a different subnet that are joined to a domain you have to be very careful with DNS resolution and IP schemes. Newer versions of windows server are much better at handling this, but if you have server 2003 or earlier you must be extra vigilant

Author Closing Comment

ID: 38776451
Sangamc provided all the answers I need.  Thank you.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question