I have a Total Access 900e router bringing in a Verizon fiber connection for our VoIP system. I want to use one of the other ports on the router to connect it to my LAN and monitor the router with SolarWinds. I just want to allow ping traffic on that interface from my local area network. I have looked at the ACLs and tinkered, but I'm afraid to do anything drastic for fear of taking our phones down. Any advice would be helpful.
If the management LAN isn't supposed to interact with the Verizon fiber or VoIP system and is strictly for monitoring, you might want to put it in a separate VRF. Otherwise an ACL for the monitoring system restricting its access or policy routing would be good choices.
There are a number of ways to restrict traffic between interfaces, each with advantages and disadvantages. The choice and exact configuration depend on your network topology, what you are trying to accomplish, your business security policy, etc.
What have you tried, and what worked as expected or didn't work? If the phone traffic is business critical you may need to do your reconfiguration during a maintenance window or experiment on a lab system to determine the best approach before deploying it in production, or both.
Here's what I've done:
1. Turned on the giga-eth 0/1 port.
2. Connected it to one of our data switches.
3. Set it to DHCP.
4. It is getting an IP from DHCP.
5. I can’t ping that IP.
It seems like that interface will not accept ping traffic.
If you have a default route configured on the box out a different interface (such as your Verizon fiber) and there is an internal router between the source of your pings and the Gi 0/1 port, then the return traffic from your pings will be sent out the configured default and die.
Add a static route to the subnet containing your monitoring server to the configuration, using the gateway assigned by DHCP.
DHCP subnet 192.168.20.0/24 with gateway of 192.168.20.1
Monitoring server on 192.168.100.7 with /24 mask.
Add the following:
ip route 192.168.100.0 255.255.255.0 192.168.20.1
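To make the asymmetric-routing problem concrete, here is an added illustration (not from the original thread or from ADTRAN) that models the router's forwarding decision as a longest-prefix-match lookup over a constructed routing table using the addresses above; the interface and gateway names "wan" and "verizon-gw" are assumed placeholders.

```python
import ipaddress

# Constructed routing table modelled on the thread: a default route out the
# Verizon fiber interface and the connected DHCP subnet on gi 0/1.
# Interface/gateway names are assumptions, not taken from the unit's config.
BASE_TABLE = [
    ("0.0.0.0/0", "wan", "verizon-gw"),         # default route toward Verizon
    ("192.168.20.0/24", "gi0/1", "connected"),  # DHCP-assigned subnet on gi 0/1
]

# The static route suggested in the reply above.
STATIC_ROUTE = ("192.168.100.0/24", "gi0/1", "192.168.20.1")

MONITOR_IP = "192.168.100.7"  # monitoring server from the thread


def lookup(table, dst):
    """Longest-prefix match: return (prefix, interface, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, iface, next_hop), net.prefixlen
    return best


def reply_interface(table, monitor_ip):
    """Interface the router would use to send the ICMP echo reply back."""
    route = lookup(table, monitor_ip)
    return route[1] if route else None


def routes_symmetric(table, monitor_ip, ingress_iface):
    """True when the reply to a ping that arrived on ingress_iface leaves that same interface."""
    return reply_interface(table, monitor_ip) == ingress_iface


if __name__ == "__main__":
    # Without the static route the reply follows the default route out the WAN side.
    print("before:", reply_interface(BASE_TABLE, MONITOR_IP))
    # With it, the reply goes back out gi 0/1 via the DHCP gateway.
    print("after: ", lookup(BASE_TABLE + [STATIC_ROUTE], MONITOR_IP))
```

Run it to see the reply interface change from the WAN side to gi 0/1 once the /24 route for the monitoring subnet is present.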
I just wanted to check back with you on this to see if your problem was resolved. If Verizon owns and/or manages the unit, you will likely need to work with them to make sure your configuration changes have no negative effects on essential services. However, feel free to reply on this thread with your unit's current configuration, minus any confidential information such as your public IP addresses, phone numbers, or login credentials, and we would be glad to point out any apparent problems.