Solved

VLAN With 3COM 2426-PWR Switch & Juniper SSG5-Serial Router

Posted on 2013-01-14
4
957 Views
Last Modified: 2013-01-14
I am working a VOIP provider install a replacement VOIP system.  I am not familiar with both Juniper Networks routers and 3COM switches as well VLANs.  The existing VOIP setup does not use separate VLANs, but has certain ports tagged for VOIP VLAN access.  I believe the existing VOIP System, IP phones, and host servers & PCs reside on the 10.1.0.0 subnet.  The IP phones use static IPs 10.1.0.200 - 10.1.0.207.  

We will be installing a new VOIP system, but this time we will implement separate VLANs (Vlan=1, Vlan=2).  VLAN 2 is for all VOIP services.  We'll want to still take advantage of the extra port on the IP phones to connect PCs as well.  The VOIP installer wants to implement a separate VLAN using 10.2.0.0, but still be able to forward data to VLAN-1 (10.1.0.0) and Internet access.  The reason why VLAN-2 needs to acces VLAN-1 is because the VOIP system will need to access an Exchange Server and implement unified messaging.  

3Com switch port-24 is connected to the Juniper router.  I believe this port is currently setup as Port State: Enabled, PVID: 1, Flow Control: Disabled, Speed: Auto(100), Duplex: Auto(Full).  This switch has VLAN-10 established with ports: 2,5-8,19,22-23 as tagged members.  IP phones are connected to ports 2,5,6,7,8,19,22,23.  I do not know what IP(s) are reserved for the existing VOIP Server.  

The Juniper router has bgroup0.1 with Tag-2 10.2.0.1/24, Trust, Layer3.  

How do I update both the switch port 24 as a trunk to the router, and setup the router with the correct vlan for VOIP to our mail server 10.1.0.2.  PCs connected to the IP phones shouls also be granted access to the 10.1.0.0 network.  The VOIP Vlan-2 also needs Internet access so the VOIP installer can access it remotely.

The confusion is the switch appears to have a VLAN-10 setup, and the router has VLAN-2, but I do not think this is all working.  I am not sure, that's why I am asking for advice.

I assume both the switch and the router should refer to the same VLAN ID: 2 or 10, and a trunk should be defined on port-24 on the router to allow traffic between the VLANs, etc.  There is confusion as to how the router and switch are currently configured.
0
Comment
Question by:cmp119
  • 2
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 38775690
I do not have experience with the 3com equipment, but the following should help.

Since the Switch is already setup with VLAN10 on ports 2,5-8,19,22-23 and these are the ports the phone are connected to, I would change the VLAN tag in the Juniper to match the VLAN tag in the switch.

- Create a custom zone in the trust-vr named "VOIP"
- Create subinterface of bgroup0 with vlan tag = 10 and zone = VOIP
In the SSG, If you want to re-use brgoup0.1 I believe you have to delete it and recreate it again since the VLAN tag can not be changed after the sub interface is configured.
- Create policy from VOIP to trust: allow all, and another policy from trust to VOIP: allow all, and finally from VOIP to untrust: allow all (for internet)

The above steps will allow traffic from the VOIP network on VLAN10 to reach the servers in the trust zone (No VLAN tag), as well as reach the internet. You can test by plugging computer into one of the tagged ports and if you give it a valid IP you should be able to get to the internet.


There are a couple of issues. If you use the secondary port on the IP phones, the computers connected will be on the VLAN2 network (since the switch is tagging the traffic) this may cause issues if you have a windows domain environment.
0
 

Author Comment

by:cmp119
ID: 38776101
Can you elaborate on the issues within a Windows domain environment?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 38776293
When you have computers on a different subnet that are joined to a domain you have to be very careful with DNS resolution and IP schemes. Newer versions of windows server are much better at handling this, but if you have server 2003 or earlier you must be extra vigilant
0
 

Author Closing Comment

by:cmp119
ID: 38776451
Sangamc provided all the answers I need.  Thank you.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now