VoIP VLAN across router-router link?

Can anyone point me to a howto, or other tutorial that might provide some insight in solving this problem....

Two buildings "A" and "B", each with its own LAN made up of C3750 switches. A 2800 router is at each building and a fiber optic WAN point-to-point line connects between the two routers. Each building has its own separate IP address network, and very limited traffic is allowed to pass across the routers between the two networks. In fact, all traffic is shut off by ACLs in the routers except for a limited number of workstations in building "A" are permitted to access some applications on a very specific limited enumerated set of host addresses and tcp ports in building "B" and vice-versa. Opening up broad ranges of hosts and/or ports in either routers' ACL lists is strictly forbidden. The dilemma is that there is a desire to install one Cisco VoIP phone system across the two buildings' LANs as if they were one single network and one single organization when they are in fact two separate organizations on the data network side of things... the data networks must remain strictly separated except for the limited amount of individual host-to-host traffic. Is it at all possible to create a separate voice VLAN that spans both buildings so that the phones will work seamlessly, while preserving the relative isolation of the two separate data networks? The Cisco PC apps such as Attendant Console, video conferencing, etc, would have to work seamlessly from PCs on the data networks in either building too. It would have to be so secure also, that there would be no possible way at all for an unauthorized workstation in either building to then be able to circumvent the routers' ACLs and gain access to any unpermitted host in the other building. Security of the data networks is of such paramount importance that even an accidental breach could bring about severe punishment to the poor schmuck who's in charge of securing the networks.

Reply to
One's Too Many

Sounds like you need a PIX in between to enforce the security.

Scott

Reply to
Thrill5

In your environment I would use the 3750s instead of the 2800 anyway. You can move the fiber connections to the 3750, have the networks separated by a VLAN. This would still be a layer-3 hop, you could install ACLs to secure your network. Plus you could have Voice VLANs at each site.
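As an added illustration of the design Thrill5 describes (constructed for this thread, not a configuration from any poster or from Cisco): a 3750 holds a data VLAN per building plus one voice VLAN, the fiber between buildings becomes a trunk, and the SVI ACLs permit only enumerated host/port pairs between the two data networks. VLAN numbers, addresses and the port number are assumptions.

```cisco
! Constructed example; VLAN ids, subnets and the permitted port are assumptions
vlan 10
 name DATA_BUILDING_A
vlan 20
 name DATA_BUILDING_B
vlan 100
 name VOICE
!
! Inter-VLAN routing happens on the 3750, so the SVI ACLs are the choke point.
! Only the enumerated workstation -> server -> port flows cross the data networks;
! everything else between the two data subnets is dropped and logged.
ip access-list extended DATA_A_TO_B
 permit tcp host 10.1.10.50 host 10.1.20.10 eq 1433
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended DATA_B_TO_A
 permit tcp host 10.1.20.10 eq 1433 host 10.1.10.50 established
 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group DATA_A_TO_B in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group DATA_B_TO_A in
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
!
! Access port: the PC sits in the building's data VLAN, the phone is tagged
! into the voice VLAN on the same cable.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
!
! Fiber link between the buildings as an 802.1Q trunk limited to these VLANs
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
```

The trailing `permit ip any any` leaves the voice VLAN reachable from both data VLANs, so the call-control and PC-app flows the original poster wants would be constrained with their own entries in the same ACLs.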

Reply to
billyc5022

Removing the pair of 2800's is not an option. I am mandated to force all traffic between the two sites' data networks to only be permitted to flow between the two routers. Bridging the two buildings' 3750 stacks together physically at the hardware level is strictly forbidden by the policy I must work under. We've pretty much decided that we must build a separate voice-only network in building "B" and bridge that one to the combined voice+data network in building "A". We'll simply do without having the Cisco VoIP-related PC apps being able to work seamlessly on the data network PCs in building "B" unless we can simply open up a most minimal set of host-to-host address/port ACLs in the routers to let that traffic through for a select few workstations. Getting a single phone network working across the 2 buildings is more important than getting the VoIP-related PC apps to work also at building "B"... while preserving the critical security of the data network in building "B". Having a combined voice+data network in building "A" is not a problem, but keeping B's data network isolated, with the single egress/ingress point of the router, is about the only way to get past the security auditing entity which governs my operation, and they have all but declared VLAN separation to be artificial, make-believe, software-emulated separation that flunks their security mandates.

snipped-for-privacy@gmail.com wrote:

Reply to
One's Too Many

How would they feel about MPLS? Supported to various degrees on both the Cisco 2800 series routers and the Cisco Cat 3750 "Metro" series.

Reply to
Walter Roberson

The security folks had never heard of MPLS, but after showing them some info on what it was all about, were surprisingly warm to the idea. Unfortunately our VoIP integrator/vendor had also never heard of it and refuses to consider it due to perceived worries about QoS and voice performance issues and not wanting to be a pioneer with any technology on this contract. Looks like we're going the separate physical network way for voice in the security-sensitive building. It really won't add all that much to the total project cost, just a couple percent in the big picture, and certainly will provide the best voice network there, plus keep the data network physically isolated. Sometimes it's just not worth banging your head against a wall too much to try to save a few bucks on a big project, eh?

Reply to
One's Too Many

Agree! :-) But did you consider the costs of having to maintain the two networks? Need a new IP phone, then you need to patch a new socket to the voice network. Moving the furniture around? Patch and unpatch again... This can quickly become an issue...

Probably you will not manage to convince your security/auditors that VLANs are nice, but if you do, you may want to check FreeNAC: it allows dynamic VLAN management. You configure all your switches the same way, and based on the MAC address, you end up in one VLAN or in another. And you get a free live inventory of all your systems on your LAN. ;-) (Auditors like this!)

Ok, MAC authentication is not bulletproof (but hey, still better than nothing), and FreeNAC is currently testing 802.1x integration (with fallback on MAC auth for non-802.1x-enabled devices). Did I hear IP phones somewhere?

Best regards, and good luck with your security staff!

Steph

Reply to
freeNAC
