dlazure
New Contributor III

Peer to Peer voip on 2 different subnet issue - no audio


Hi

I have 17 IP phones connected to a 3448. The 3448 is connected via VPN to another 3448 which connects the VoIP system. Of the 17 IP phones, 4 are connected on a different subnet because the office did not have 2 data cables. The voice network is 172.17.0.0 255.255.0.0 and the data network is 10.10.201.0 255.255.255.0

If an IP phone from the data network calls a phone from the voice network internally, there is no audio; RTP packets can't get through.

Here is a copy of the config

!

!

! ADTRAN, Inc. OS version R10.11.0.E

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3448, part number 1200821E1

! Serial number LBADTN1311AF102

!

!

hostname "Payette_St-Lambert"

enable password

!

clock timezone -5-Eastern-Time

!

ip subnet-zero

ip classless

ip default-gateway xx.xx.xxx.xx

ip routing

ipv6 unicast-routing

!

!

domain-name "payette.xx.xx"

domain-proxy

name-server 8.8.8.8 4.2.2.1

!

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

!

!

banner motd #

                ****** Important Banner Message ******

Enable and Telnet passwords are configured to "password".

HTTP and HTTPS default username is "admin" and password is "password".

Please change them immediately.

The switchport interfaces are enabled with an address of 10.10.10.1

Telnet, HTTP, and HTTPS access are also enabled.

To remove this message, while in configuration mode type "no banner motd".

                ****** Important Banner Message ******

#

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

!

!

!

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

!

!

ip dhcp database local

!

ip dhcp pool "lan"

  network 10.10.201.0 255.255.255.0

  dns-server 207.164.234.129 207.164.234.193

  default-router 10.10.201.1

!

!

!

!

!

!

!

ip crypto

!

crypto ike policy 100

  initiate main

  respond anymode

  local-id address xx.xxx.xxx.x

  peer xx.xx.xx.xx

  attribute 1

    encryption 3des

    hash md5

    authentication pre-share

!

crypto ike remote-id address xx.xx.xx.xx preshared-key xxxxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

!

ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

ip crypto map VPN 10 ipsec-ike

  description VPN TO LONGEUIL

  match address ip VPN-10-vpn-selectors1

  set peer xx.xx.xx.xx

  set transform-set esp-3des-esp-md5-hmac

  set pfs group1

  ike-policy 100

!

qos map VOIP 1

  match precedence 7

  priority percent 40

!

!

!

!

vlan 1

  name "Default"

!

vlan 2

  name "Voice"

!

!

!

no ethernet cfm

!

interface eth 0/1

  description Internet connection

  no ip address

  traffic-shape rate 26214000

  qos-policy out VOIP

  no shutdown

!

!

interface eth 0/2

  no ip address

  shutdown

!

!

!

interface switchport 0/1

  no shutdown

!

interface switchport 0/2

  no shutdown

  switchport access vlan 2

!

interface switchport 0/3

  no shutdown

!

interface switchport 0/4

  no shutdown

!

interface switchport 0/5

  no shutdown

!

interface switchport 0/6

  no shutdown

!

interface switchport 0/7

  no shutdown

!

interface switchport 0/8

  no shutdown

!

!

!

interface vlan 1

  ip address  10.10.201.1  255.255.255.0

  ip access-policy Private

  media-gateway ip primary

  qos-policy out VOIP

  no shutdown

!

interface vlan 2

  description Voice

  ip address  172.17.0.1  255.255.0.0

  ip mtu 1500

  ip access-policy Voice

  no rtp quality-monitoring

  media-gateway ip primary

  qos-policy out VOIP

  no awcp

  no shutdown

!

interface ppp 1

  description Internet connection

  ip address negotiated no-default

  ip mtu 1500

  ip access-policy Public

  ip crypto map VPN

  media-gateway ip primary

  no fair-queue

  ppp pap sent-username

  no shutdown

  cross-connect 1 eth 0/1 ppp 1

!

!

!

!

!

!

!

ip access-list extended VPN-10-vpn-selectors1

  permit ip 10.10.201.0 0.0.0.255  10.10.200.0 0.0.0.255 

  permit ip 172.17.0.0 0.0.255.255  10.10.200.0 0.0.0.255 

  permit ip 172.17.0.0 0.0.255.255  172.16.0.0 0.0.255.255 

  permit ip 10.10.201.0 0.0.0.255  172.16.0.0 0.0.255.255 

!

ip access-list extended web-acl-1

  remark Traffic to netVanta

  permit ip any  any     log

!

ip access-list extended web-acl-10

  remark port 21

  permit tcp any  any eq ftp   log

!

ip access-list extended web-acl-11

  remark Admin access

  permit tcp any  any eq https   log

  permit tcp any  any eq ssh   log

  permit icmp any  any  echo   log

!

ip access-list extended web-acl-12

  remark port 3283

  permit tcp any  any eq 3283   log

  permit tcp any  any eq 5900   log

  permit tcp any  any eq www   log

!

ip access-list extended web-acl-2

  remark NAT

  permit ip any  any     log

!

ip access-list extended web-acl-3

  remark NAT

  permit ip any  any     log

!

ip access-list extended web-acl-4

  remark Traffic to netVanta

  permit ip any  any     log

!

ip access-list extended web-acl-5

  remark InterVlan

  permit ip 172.17.0.0 0.0.255.255  10.10.201.0 0.0.0.255 

!

ip access-list extended web-acl-6

  remark InterVlan

  permit ip 10.10.201.0 0.0.0.255  172.17.0.0 0.0.255.255 

!

ip access-list extended web-acl-9

  remark FTP

  permit tcp any  any eq 548   log

!

!

!

!

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list web-acl-1 self stateless

  allow list web-acl-5 stateless

  nat source list web-acl-2 interface ppp 1 overload

!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors1 stateless

  allow list web-acl-11 self

  nat destination list web-acl-9 address 10.10.201.30

  nat destination list web-acl-10 address 10.10.201.30

  nat destination list web-acl-12 address 10.10.201.30

!

ip policy-class Voice

  allow list VPN-10-vpn-selectors1 stateless

  allow list web-acl-4 self stateless

  allow list web-acl-6 stateless

  nat source list web-acl-3 interface ppp 1 overload

!

!

!

ip route 0.0.0.0 0.0.0.0 ppp 1

ip route 10.10.200.0 255.255.255.0 ppp 1

ip route 70.28.46.198 255.255.255.255 64.230.199.1

ip route 172.16.0.0 255.255.0.0 ppp 1

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

!

sip udp 5060

sip tcp 5060

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

line con 0

  login

!

line telnet 0 4

  login

  password password

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

!

!

!

!

!

!

end

Accepted Solutions
jayh
Honored Contributor

Re: Peer to Peer voip on 2 different subnet issue - no audio


It looks like your allow policy ACLs are backwards.

Try moving

allow list web-acl-5 stateless

to the

ip policy-class Voice


and

allow list web-acl-6 stateless

to the

ip policy-class Private


I'd put these at the top of the policy.

Also, now that you've posted here you might want to...


service password-encryption

no user admin


change the enable password

change the password for user Adm1n

change the telnet password or shut down telnet completely.


Just sayin...
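
The check the accepted answer makes by eye, as an added example that is not part of the original thread: it reads the interface, access-list and policy-class sections and flags any allow list whose source networks never overlap the subnet of the interface the policy class is bound to. It assumes a policy class is matched against traffic arriving on that interface; the function names are hypothetical and the config is an excerpt constructed from the one posted above.

```python
import ipaddress

# Constructed excerpt: only the lines of the posted configuration that matter here.
CONFIG = """\
interface vlan 1
  ip address  10.10.201.1  255.255.255.0
  ip access-policy Private
interface vlan 2
  ip address  172.17.0.1  255.255.0.0
  ip access-policy Voice
ip access-list extended web-acl-5
  permit ip 172.17.0.0 0.0.255.255  10.10.201.0 0.0.0.255
ip access-list extended web-acl-6
  permit ip 10.10.201.0 0.0.0.255  172.17.0.0 0.0.255.255
ip policy-class Private
  allow list web-acl-5 stateless
ip policy-class Voice
  allow list web-acl-6 stateless
"""

def parse(config):
    """Return (policy -> interface subnet, ACL -> source networks, policy -> ACL names)."""
    subnets, sources, allows = {}, {}, {}
    section, addr = [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():                      # unindented line opens a new section
            section, addr = w, None
        elif section[:1] == ["interface"] and w[:2] == ["ip", "address"] and w[2][0].isdigit():
            addr = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif section[:1] == ["interface"] and w[:2] == ["ip", "access-policy"]:
            subnets[w[2]] = addr                       # None if the address is negotiated
        elif section[:3] == ["ip", "access-list", "extended"] and w[:2] == ["permit", "ip"] and w[2][0].isdigit():
            # ip_network() accepts the wildcard (host) mask form used in ACL entries
            sources.setdefault(section[3], []).append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
        elif section[:2] == ["ip", "policy-class"] and w[:2] == ["allow", "list"]:
            allows.setdefault(section[2], []).append(w[2])
    return subnets, sources, allows

def misplaced_allow_lists(config):
    """Flag allow lists with no source network overlapping the policy's interface subnet."""
    subnets, sources, allows = parse(config)
    return [(policy, acl) for policy, acls in allows.items() for acl in acls
            if subnets.get(policy) and sources.get(acl)
            and not any(s.overlaps(subnets[policy]) for s in sources[acl])]

if __name__ == "__main__":
    for policy, acl in misplaced_allow_lists(CONFIG):
        print(f"policy-class {policy}: {acl} never matches traffic arriving on its interface")
```

Lists with `any` as the source, and policies on interfaces without a static address, are skipped rather than flagged.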

jayh
Honored Contributor

Re: Peer to Peer voip on 2 different subnet issue - no audio


Another consideration which will be cleaner and avoid the issue completely:

Most IP phones have the capability of trunking two VLANs where one is used for the internal VoIP usage of the phone itself and a second passes through data to the PC port on the back of the phone.  On your switchports for those, configure: 

interface switchport 0/[whatever]

  no shutdown

  switchport mode trunk

  switchport trunk allowed vlan 1-2

  switchport trunk native vlan 1  ! < This is default, change if data not on vlan 1

  switchport voice vlan 2

The phone should learn its voice VLAN via LLDP, if not you can manually configure it on the phone.  The data VLAN 1 will appear untagged on the pass-through port on the phone to the desk PC.