VOIP and VLANs, general n00b Qs
-
Why VLANs in the first place?
I am not aware of IP telephones which are VLAN-capable. Perhaps some are, but if your telephones don't support VLANs directly, you'll need VLAN switches (which then perform VLAN stripping/tagging for the phnoes). or one VLAN-capable switch and two sets of cables (data backbone and a physically separate VoIP backbone).
VLANs are typically deployed for two reason:
1. security.
2. to really piss off the network admin ;-)Do you really fear that someone might unplug your VoIP phone and use the network connection to break into your data network? Not totally unreasonable, if one of your phones is accessible from outside your house.
-
2. to really piss off the network admin ;-)
hmm, the only one that should be able to implement vlan's are the network admins.
most network admins don't like to piss off themselfs. -
Usually, the IT people try to get their hands on magazines nefore the management does, to check if they contain any articles which might cause management to get "funny ideas".
Unfortunately, management sometimes manages to get around these security measures. And then it might happen that management reads an article like "Deplay VLANs for Security". Note that used the word "read", not "understand".
Management will, of course, now doggely pursue the idea of VLANs. Yup, one migh tthink of simple setups like a "guest VLAN" and an "employee/work VLAN". But management knows that they have paid for expensive switches capable of handling 4096 VLANs. Some why implement just two and waste the other 4094 they have already paid for?
Right. Each device connected to teh networks gets it's own VLAN. Firewall rules to permit traffic between VLANs have to requested from the managemtn, in writing, with a plausible (well, plausible for the management, which is something different) explanation of the need. I know - that's an extreme example, since when have you last seen a manager who could count to 4096? ;)
The Wikipedia VLAN article (http://en.wikipedia.org/wiki/Vlan#Implementation) describes a few of the exciting scenarios which the network guy might encounter. However, it doesn't mention that eavery switch manufacturer chooses different wordings for the same settings. What one switch might call "VLAN tagging" might be "VLAN stripping" on the other.
Whatever. VLANs configuration in quite comfortable and straightforward in pfSense (IMHO). On the other hand, pfSense is compatible with a lot of hardware, so another option is to plug in a few four-port network cards.
Of course, one motivation for "playing around with VLANs" is to gain knowledge which could be advatagenous in discussions or when applying for a job. I'm just wary of unnecessary complexity in production use.
-
I think Netgear calls the access ports (where you would connect VLAN-unanware devices, like PCs, printers, VoIP phones) "untagged".
pfSense has to be connect to a trunk port, that would be a "tagged" port for Netgear.
-
I am not aware of IP telephones which are VLAN-capable.
We currently use Polycom Soundpoint IP 331 at our office in a VLAN and you can manually tag the VLAN withing the phone.
I found this white paper on VLAN and Polycom phones (http://docs.polycom.com/global/documents/whitepapers/vlans_and_polycom_soundpoint_ip_desktop_ip_telephones.pdf), if you ignore the polycom side of thing, you should be able to get a hint or two on VLAN for phones no matter what phone you use.
-
I am not aware of IP telephones which are VLAN-capable.
Actually most "business-class" IP phones are VLAN-capable, since many years (notice that the Polycom pdf linked by gfoxfarmer is almost 10 years old).
In fact some of the better ones, can be configured use a dedicated Voice VLAN that is separate from an untagged PC VLAN completely automatically, using DHCP options.
-
Yes, I have to agree with this ^
Almost all VoIP phones I've had anything to do with were using VLANs (or at least VLAN capable).1. should I split out my LAN into 2 VLANs? one for data and one for voice, or just keep using the LAN as it is now (for date) and split out a voice VLAN?
You should use two VLANs. This is because you should not use a single NIC to handle tagged and untagged traffic. Some combinations of hardware/driver will fail to do this correctly, discarding one or the other. I've never seen that happen personally but it might so best practice is to avoid that situation.
Steve
-
Interesting. I just checked, it appears that I've managed to have experienced only the rare VoIP products which do not support VLANs.
Having the phones handle the VLAN natively (on trunk ports) defeats security. It only makes sense if you base traffic shaping on VLAN tags (layer 2). Of course, VoIP traffic shaping can be done without VLANs as well, using, for example, TOS (layer 3). Which is, of course, the only option for me, since I have to deal with the apparently only non-VLAN capable VoIP hardware ;)
However, if you use VLAN-capable phones on trunk ports, you don't need a "VLAN switch". You can run the non-VoIP devices on an untagged LAN and configure a VoIP-VLAN on pfSense (and setup the phones accordingly). No need to muck around with VLAN configurations on the switch.
-
Exactly, this isn't really about security. It makes it much easier to prioritise VoIP traffic if all your devices are on a separate VLAN. Many VoIP phones have what amounts to a VLAN switch internally. They provide a LAN port that can tag/untag to a different VLAN. Thus you can provide connectivity to both a phone and a PC at a desk via a single ethernet cable on separate subnets.
Steve
-
Ok, so I've decided I want to try playing with VOIP and VLANs.
… I've purchased a VLAN capable 5 port Netgear switch to test.
Hope this is still helpful… I noticed you mention Netgear, so the attached show my VLAN / Netgear setup. It's working fine.
![wan vlan.jpg](/public/imported_attachments/1/wan vlan.jpg)
![wan vlan.jpg_thumb](/public/imported_attachments/1/wan vlan.jpg_thumb)