My 924e has some connectivity issues when reaching it from another VLAN on the LAN.
I have ETH 0/1 set up as the public IP from the ISP.
I have ETH 0/2 set up as the private LAN IP.
But, there's only one place to put in a default gateway. I am using the default gateway of the ETH 0/1 WAN ISP for now, but that seems to break connectivity from ETH 0/2. Is there any way we can tweak its config to route traffic accordingly depending on what connection it is using? The simple fix would be to have a separate default gateway for each interface, but I'm not sure how to do that.
If I change the default gateway to be proper for the LAN IP on ETH 0/2 pointed to our router, that works but it breaks ETH 0/1 public IP connectivity.
Thanks for any insight you may have.
First, make sure you have IP routing enabled: "ip routing" in global configuration mode.
Next, don't use the "ip default-gateway" command; that's primarily for hosts and layer 2 devices without IP routing enabled. Instead, configure a static default route along the lines of "ip route 0.0.0.0 0.0.0.0 w.x.y.z" where w.x.y.z is your ISP's router on the WAN link connected to eth 0/1.
For your hosts on the LAN, I'm assuming you're using private IP space such as 192.168.y.z, 10.x.y.z, or something between 172.16.y.z and 172.31.y.z. This network is directly connected to the 924e, so it doesn't need or want a default gateway configured on the 924e itself. The hosts connected to the LAN should have their default gateway set to the IP address you have configured on eth 0/2 of the 924e. This can either be configured manually or via DHCP.
For the LAN hosts to reach the Internet via the WAN, you'll need to implement NAT on the 924e. Write back if you need help with this.
Awesome. I plan to work on this gateway issue on a spare device in a test environment here.
I do have a question, though. Some of our LAN users are coming in from a different VLAN. The device will have the IP of 192.168.0.194 on ETH 0/2 but the VLAN we need it to work with is 192.168.50.0. Would I need to add a static route for these users?
I am not sure if LAN hosts will need to access the internet. This device is used for a SIP gateway only. We are definitely not going to use it for LAN users to browse the internet with. We have a separate router appliance for this purpose (192.168.0.1). I could also be misunderstanding you completely.
Thank you for the help!
answerphone wrote:
I do have a question, though. Some of our LAN users are coming in from a different VLAN. The device will have the IP of 192.168.0.194 on ETH 0/2 but the VLAN we need it to work with is 192.168.50.0. Would I need to add a static route for these users?
I'm not sure if you mean a different VLAN or a different subnet. If there's an internal router that is connected both to 192.168.0.X/24 and 192.168.50.X/24 then on your TA924e you would add a static route to the 192.168.0.x interface of that router, like ip route 192.168.50.0 255.255.255.0 192.168.0.X where X is the last octet of the internal router.
If you have both subnets connected to the TA924e, you could configure a subinterface on eth 0/2 in the 192.168.50.x range on a separate VLAN.
In any case you'll need to be sure that the SIP devices behind the TA924e have their gateway pointed to the inside IP of the TA924e and not the default gateway of the Internet router.
answerphone wrote:
I am not sure if LAN hosts will need to access the internet. This device is used for a SIP gateway only. We are definitely not going to use it for LAN users to browse the internet with. We have a separate router appliance for this purpose (192.168.0.1). I could also be misunderstanding you completely.
This complicates things. I'd suggest that you consider using the TA924e both as the gateway for your SIP devices and the LAN hosts to access the Internet. This only requires one public IP now, not one for the TA924e and one for your other router. It also allows you to configure QoS for the SIP devices so that LAN traffic doesn't affect voice quality. The TA924e has a very robust firewall, VPN, and NAT capability.
If you must keep your other device, I'd recommend segmenting the network with VLANs so that all of your SIP devices are on a different subnet and VLAN from your data LAN. Actually, I'd do that in any case. Their policies are likely to be very different.
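Added example, not part of any post in this thread: a longest-prefix-match sketch in Python of where the 924e sends its replies under the three setups discussed above (default via the WAN only, default via the LAN router, and WAN default plus the static route for 192.168.50.0/24). The 203.0.113.x and 198.51.100.x addresses are constructed, and 192.168.0.1 is assumed to be the internal router that reaches 192.168.50.0/24.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])

# Constructed addressing: 203.0.113.0/24 stands in for the ISP subnet.
CONNECTED = [
    ("203.0.113.0/24", "eth 0/1", None),  # WAN, directly connected
    ("192.168.0.0/24", "eth 0/2", None),  # LAN, directly connected
]
ISP_GW = "203.0.113.1"       # assumption: the ISP router (w.x.y.z in the thread)
INTERNAL_GW = "192.168.0.1"  # assumption: this router also serves 192.168.50.0/24

# The three routing setups discussed in the thread.
DEFAULT_VIA_WAN = CONNECTED + [("0.0.0.0/0", "eth 0/1", ISP_GW)]
DEFAULT_VIA_LAN = CONNECTED + [("0.0.0.0/0", "eth 0/2", INTERNAL_GW)]
WAN_PLUS_STATIC = DEFAULT_VIA_WAN + [("192.168.50.0/24", "eth 0/2", INTERNAL_GW)]

# Constructed client addresses, one per kind of peer the 924e must answer.
CLIENTS = {
    "same-subnet LAN host": "192.168.0.50",
    "VLAN 192.168.50.0 host": "192.168.50.20",
    "Internet SIP peer": "198.51.100.7",
}

def reply_paths(routes):
    """Map each client kind to the (interface, next_hop) its replies take."""
    return {name: lookup(routes, ip) for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    setups = [
        ("default via WAN only", DEFAULT_VIA_WAN),
        ("default via LAN router", DEFAULT_VIA_LAN),
        ("WAN default + static route", WAN_PLUS_STATIC),
    ]
    for label, table in setups:
        print(label)
        for name, path in reply_paths(table).items():
            print(f"  {name:24} -> {path}")
```

With only the WAN default, replies to 192.168.50.x hosts are handed to the ISP router instead of staying inside, which matches the broken connectivity from the other VLAN; the static route restores the inside path without moving the Internet default.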