1

We have a few small sites that each have a Draytek Vigor (various models) which are configured to create a company VPN. It's set up as follows:

Branch 1 (192.168.1.0/255.255.255.0) Accepts Incoming
Branch 2 (192.168.2.0/255.255.255.0) Dials Out
Branch 3 (192.168.3.0/255.255.255.0) Dials Out
Branch 4 (192.168.4.0/255.255.255.0) Dials Out

There is an IP phone system (BCM 50/Avaya) running in Branch 1 on 192.168.1.210. I would like to be able to put an IP phone in one of the other branches that will use the VPN tunnel to connect to Branch 1. I believe, from the engineer that installed it originally, that this is a common thing to do. However, all the documents I have read state that the Branches must be on different subnets.

So, how do I make the IP phone work if it's on a separate subnet? Would it work correctly if I manually set the IP of the phone to 192.168.1.XX from a Branch other than Branch 1?

dannymcc

2 Answers

4

Sounds like you need a basic primer on how IP routing works.

Yes, each branch should be on its own subnet. Without that, you'd have L2 broadcast domains spanning your WAN which could get, well, interesting.

Do the IP phones all connect back to a central softswitch at Branch 1? If so, as long as your routing is set up correctly (either static or dynamic routes at all locations for all necessary subnets), then there's nothing preventing this from working just fine. Along with making sure routing is configured correctly, you'll need to make sure that your firewall ACLs allow the necessary traffic in both directions.

The one thing that can typically make things difficult for VoIP on a segmented network is if NAT is happening. SIP (and several other VoIP protocols) do not typically play nice with NAT and usually require some tweaking of the IP phone config to get it working right. From your description, though, I doubt that NAT would come into play here.

EEAA
  • Currently the IP phones are all in Branch 1, I am about to try putting one in Branch 3. All phones connect to the BCM 50 system. So I should have different subnets in each branch - but set the IP phones in the branches to the same subnet as branch 1 (where the phone system is)? – dannymcc Sep 12 '11 at 18:42
  • No, in this environment, you do not want to try and get a subnet to appear in multiple locations. That's just asking for a world of hurt. There are some rare instances where it can happen correctly, but this is not one of them. Each branch should have a unique subnet or set of subnets for its devices. – EEAA Sep 12 '11 at 18:44
  • So the routing for the IP phone IP to the Branch 1 subnet should be configured using the VPN routers? – dannymcc Sep 12 '11 at 18:50
  • The VPN devices on both ends of the tunnel will likely need to be involved, but possibly your site routers as well. It's impossible for any of us to say, as there's a myriad of ways your routing could be set up. – EEAA Sep 12 '11 at 18:53
  • Fair comment. At least I understand that they need to be on different subnets now. I'll look into the routing of the phones next. Thanks! – dannymcc Sep 12 '11 at 18:55
  • Before you start mucking around with your routing and VPN infrastructure, I'd make sure you spend a non-trivial amount of time researching and learning about IP routing. No offense, but you're still very new at this and there are a thousand ways you could really mess things up. – EEAA Sep 12 '11 at 18:58
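The following is an added example, not part of the original posts: it models the forwarding decisions for a phone at Branch 3 talking to the BCM 50 at 192.168.1.210, first with an address from Branch 3's own LAN and then with a Branch 1 address. The router tables, next-hop labels and the phone addresses 192.168.3.100 and 192.168.1.50 are assumptions made for illustration.

```python
import ipaddress

net = ipaddress.ip_network
# Branch LANs and PBX address as given in the question.
BRANCHES = {n: net(f"192.168.{n}.0/24") for n in range(1, 5)}
PBX = ipaddress.ip_interface("192.168.1.210/24")

# Assumed router tables (next-hop labels are hypothetical, not Draytek output).
ROUTES = {
    1: [(BRANCHES[1], "lan"), (BRANCHES[3], "vpn-to-branch3"), (net("0.0.0.0/0"), "internet")],
    3: [(BRANCHES[3], "lan"), (BRANCHES[1], "vpn-to-branch1"), (net("0.0.0.0/0"), "internet")],
}


def overlapping(branches):
    """Pairs of branch ids whose LANs overlap; must be empty for routing to work."""
    ids = sorted(branches)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if branches[a].overlaps(branches[b])]


def route_lookup(routes, dest):
    """Longest-prefix match; returns the next-hop label or None."""
    hits = [(n, hop) for n, hop in routes if dest in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def first_hop(src, site, dest):
    """Where a host at branch `site` with interface `src` sends a packet for `dest`."""
    if dest in src.network:
        # Host treats dest as a neighbour and ARPs on its own wire; the router
        # and tunnel never see the packet (assumes no proxy ARP or L2 bridging).
        return "local-arp"
    if src.ip not in BRANCHES[site]:
        return "gateway-unreachable"  # site's router is outside the host's subnet
    return route_lookup(ROUTES[site], dest)


def round_trip(phone_cidr, phone_site=3):
    """(phone -> PBX, PBX -> phone) forwarding decisions."""
    phone = ipaddress.ip_interface(phone_cidr)
    return (first_hop(phone, phone_site, PBX.ip), first_hop(PBX, 1, phone.ip))


if __name__ == "__main__":
    print(overlapping(BRANCHES))           # branch LANs must not overlap
    print(round_trip("192.168.3.100/24"))  # phone addressed from Branch 3's LAN
    print(round_trip("192.168.1.50/24"))   # Branch 1 address used at Branch 3
```

With the Branch 1 address, both ends look for each other on their local segment, so no packet is ever handed to a router that could send it into the tunnel.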
1

From your branch configuration they are all in separate /24 subnets, so that's not an issue.

Depending on your VPN configuration, it should simply be a matter of giving the IP phone an IP within the subnet of the branch in which it is connected and telling it to connect to the IP of the VoIP system in Branch 1. Your VPN should automatically send out routes that will force this to pass over the VPN.

The easiest way to check is to confirm you can ping an IP (or the VoIP system) from the desired branch. If this is working, then your VPN routing should be correctly configured.

E.g., the phone in Branch 3 should have IP 192.168.3.100 and be told to connect to 192.168.1.10, assuming those are the relevant IPs of the hardware.

anthonysomerset