Shark Attack
asked on
pbx question
I believe I asked this before but never came to a solution. I have included an image of a scenario for better understanding. Our PBX phone system is hosted by an outside phone company. We do not have any internal resource that enabled our IP phones. The only thing on the switches I have is a voice VLAN.
The ONLY way I can get the proper user config (extension, configs, etc.) is if I connect the phone to my backup ISP (Comcast), which is not part of my network. Once on that network, the phone gets manually configured with a TFTP server of the phone company; once that's complete, the phone can reach the TFTP server and get the config. Once that's done, I can plug the phone into my primary network, and everything works. The problem is, every time I need to reset the phone to factory settings for whatever reason, I need to first plug it into the external network and then back into my primary.
The reason why I have to do this is that I have an ASA on my primary network and it seems like it's having an effect on the connection to that TFTP server. I performed packet tracer and I get all permits on the output.
What might be wrong? I have nothing permitting from the outside in; everything on my infrastructure is IPsec tunnels. I don't need access to the inside for anything. I know I should be permitting port 69, I guess? But I remember talking to Cisco once and they said it won't be enough, it will be a lot of work. I didn't understand completely what his idea was on making this work.
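An added illustration, not part of the original question: TFTP (RFC 1350) sends the read request to UDP port 69, but the server answers from a newly chosen port, so a stateful firewall that tracks exact endpoint pairs drops the reply unless something TFTP-aware opens a pinhole for it (on a Cisco ASA, `inspect tftp`). The model below is simplified and is not the ASA's implementation; the server address and all ports are constructed.

```python
from dataclasses import dataclass

PHONE = ("10.100.0.22", 50000)   # phone IP from the thread; source port constructed
TFTP_SERVER = "203.0.113.10"     # constructed placeholder for the provider's server

@dataclass(frozen=True)
class Packet:
    src: tuple        # (ip, udp port)
    dst: tuple
    outbound: bool    # True = inside -> outside

class StatefulFirewall:
    """Simplified model: outbound is allowed, inbound must match existing state."""
    def __init__(self, tftp_inspection):
        self.tftp_inspection = tftp_inspection
        self.conns = set()      # exact (inside endpoint, outside endpoint) pairs
        self.pinholes = set()   # (inside endpoint, outside ip), any outside port

    def permits(self, pkt):
        if pkt.outbound:
            self.conns.add((pkt.src, pkt.dst))
            if self.tftp_inspection and pkt.dst[1] == 69:
                # The server answers from a newly chosen port (its transfer
                # ID, RFC 1350), so inspection opens a one-time pinhole.
                self.pinholes.add((pkt.src, pkt.dst[0]))
            return True
        if (pkt.dst, pkt.src) in self.conns:
            return True
        if (pkt.dst, pkt.src[0]) in self.pinholes:
            self.pinholes.discard((pkt.dst, pkt.src[0]))
            self.conns.add((pkt.dst, pkt.src))
            return True
        return False

def tftp_read(fw):
    """Replay the start of a TFTP read; return verdicts up to the first drop."""
    server_tid = (TFTP_SERVER, 40123)   # constructed port picked by the server
    packets = [
        Packet(PHONE, (TFTP_SERVER, 69), True),   # RRQ to the well-known port
        Packet(server_tid, PHONE, False),         # DATA block 1 from the new port
        Packet(PHONE, server_tid, True),          # ACK block 1
    ]
    verdicts = []
    for pkt in packets:
        verdicts.append(fw.permits(pkt))
        if not verdicts[-1]:
            break
    return verdicts
```

In this model the request to port 69 is permitted in both cases; only the handling of the server's reply differs.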
ASKER
Thanks. My VLAN config and port config on the switch are as follows:
interface Vlan2
 description voip network
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.153.0.10

interface GigabitEthernet0/38
 description
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 2
 speed 1000
 duplex full
 spanning-tree portfast

10.153.0.10 is the domain controller.
When I plugged it into a PC I was getting a 192.168.10.0 address, not a 10.100.0.0/24 address.
I plugged it back into the phone and I got a 10.100.0.22 address.
ASKER
I don't even know where that 192.168.10 is coming from. When that's assigned to the PC via some DHCP, I'm unable to ping out with that 192.168.10, but when I plug the phone into it, not sure why, I get a 10.100.0/24 voice VLAN IP.
If your PBX is a Cisco device, the device in combination with a switch auto-assigns VLANs based on MAC addresses: phone vendor MAC addresses are automatically set to the voice VLAN and will get the 10.100.x.x IP; anything that falls outside of the phone voice VLAN will be in the data VLAN and will get the default 192.168.10.x IP allocated to it.
ipconfig /all | find /i "DHCP"
will show you the IP of the DHCP server that assigned the IP.
If you have a DHCP agent/ip helper it will forward the requests and will get the IP based on the scope from another DHCP server.
ASKER
OK, so what does that mean? Can I still make this work somehow without plugging into my outside network?
ASKER
Thanks for your help!
Your switch has an auto VLAN assignment based on MAC address.
Configure a laptop to mimic a phone and connect it; see if the laptop has internet access.
It sounds like the phones have an initial configuration dealing with where they need to connect to, so all they need is to get an IP allocated, unless you have configured a DHCP server on the backup link that includes option 67 and 68 as the TFTP server and the config/file it needs to retrieve. I suspect that your voice-vlan config assigns IPs but only allows SIP/VoIP/H.323 through/in/out.
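An added example, not from the thread: a small parser for the DHCP options field that reports which server issued a lease and whether it carries TFTP provisioning information, using the standard option codes 54 (server identifier), 66 (TFTP server name), 67 (bootfile name) and 150 (TFTP server addresses). Both sample leases are constructed; only 10.153.0.10 appears in the thread, and its role as DHCP server for the voice scope is an assumption.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # starts the DHCP options field (RFC 2131)

def parse_options(field):
    """Parse a DHCP options field (cookie + TLVs) into {code: value bytes}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code} truncated")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate
        i += 2 + length
    return opts

def ipv4_list(raw):
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def provisioning_report(field):
    """Summarise what a lease tells a phone about where to fetch its config."""
    opts = parse_options(field)
    text = lambda c: opts[c].decode("ascii", "replace") if c in opts else None
    return {
        "dhcp_server": (ipv4_list(opts.get(54, b"")) or [None])[0],  # Server Identifier
        "tftp_name": text(66),                       # TFTP server name (RFC 2132)
        "bootfile": text(67),                        # Bootfile name (RFC 2132)
        "tftp_addrs": ipv4_list(opts.get(150, b"")), # TFTP server addresses (RFC 5859)
    }

def opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed sample leases (a voice-VLAN ACK and a data-VLAN ACK).
VOICE_LEASE = (MAGIC_COOKIE + opt(53, b"\x05") + opt(54, bytes([10, 153, 0, 10]))
               + opt(66, b"tftp.provider.example") + opt(150, bytes([203, 0, 113, 10]))
               + b"\xff")
DATA_LEASE = MAGIC_COOKIE + opt(53, b"\x05") + opt(54, bytes([192, 168, 10, 1])) + b"\xff"
```

Feeding it the options field from a packet capture of the phone's DHCP exchange on each network shows whether the lease on the primary network is missing the TFTP information the phone gets elsewhere.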