7925G? HELP? Need a real pro for this one?

Unanswered Question
Mar 26th, 2009
User Badges:

Our wireless system is completely off our internal network. Its on its own cable broadband connection. The only thing that can touch our lightweight AP's is our wireless server that has 2 NIC cards. One NIC has an ip just to manage the AP's on there seperate c2960 switch and the other NIC has an internal IP so we can remotely manage. How can I hook up these phones so it can reach our internal voice LAN without compromising the network. I have attached a diagram of our wireless setup. I was told i have to use one of the gigabit ports on the switch the AP's connect through and connect it to my ASA box. Please advise. Thank You.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Leo Laohoo Thu, 03/26/2009 - 16:05
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Have you read the Cisco Unified Wireless IP Phone 7925G Deployment Guide?


JON O'NAN Sat, 03/28/2009 - 14:22
User Badges:

I have used GRE tunnels with Policy Based Routing in the past. This would require a L3 switch at the Access Points.

Georgios Nikitas Mon, 03/30/2009 - 04:04
User Badges:

I would suggest you create a different SSID at your APs only for the telephones.

Set different security for this SSID, for best results use WPA2 with AES encryption.

Make sure this SSID is hooked up to a different VLAN, for example VLAN 99.

Make sure your Access Points have a trunk connection with the switch.

Create the vlan99 at the switch.

Statically set one of your switch ports to VLAN99 and connect that port with one of the ports of your ASA Firewall. Make the correct firewall settings so that you restrict access of that port only to the necessary IPs of your voice VLAN.

** Make sure you use a different IP subnet for your VLAN99!

gamccall Tue, 04/14/2009 - 10:02
User Badges:
  • Silver, 250 points or more

"I have set up my network so that my wireless clients have no access to my internal network. How can I get some of my wireless clients access to my internal network?"

As things stand, you can't.

In order to make this work, you have to make a connection between your TOCWirelessSwitch and your internal LAN.

Now, there are obviously ways to make this as secure as possible- using an ASA and/or ACLs would be the obvious choices- but you will no longer have the complete physical isolation that you do now.

Of course, you would put your wireless phones on a separate SSID and VLAN from your data traffic, and make sure that the only traffic allowed to cross the new connection is restricted to the phone addresses and the specific ports your voice traffic uses.


This Discussion