implementing VLAN for VOIP - what do I do with current flat LAN
-
We are in the middle of a VOIP installation at my work (3 sites) and as part of that I need to implement VLANs for the voice traffic. All 3 sites are currently basic flat networks consisting of PCs, printers and a couple of servers at our main office. This is the first time I've set up VLANs, but I have read and watched quite a bit and have a good handle on configuring pfsense (an SG-2100 and 2 SG-1100s), my managed switches (Netgear JGS524Ev2 and GS308E), tagging/untagging, etc., but I have a few unanswered questions. I should note that our PCs will be daisy chained with the IP phones, with the exception of our servers (no phone) and ATA ports for fax lines (no PC).
My main question, which I haven't seen specifically addressed in my research, is "what do I do with the current LAN set-up (data network), leave it as is or replace it with a data VLAN?" If I leave it as is, it is not clear to me how that would work with VLAN tagging on the switches. Is the LAN the same as the native VLAN/VLAN 1 when 802.1Q tagging is in place? If I've understood my reading correctly, using VLAN 1 is not recommended, so creating a new data VLAN would be the right course if that's the case, I believe.
My thinking is that I should create a separate data VLAN in addition to the voice VLAN. I would like to keep the current LAN IP address range (192.168.0.1/24) for the data VLAN, mainly so I don't have to reconfigure a bunch of devices with static IPs, and change the IP range of the LAN. Does that raise any issues?
Finally, it's not clear if I need to do anything special to access the management interfaces of my switches once VLANs are implemented. Currently I access the switches on the LAN via static IPs. With VLANs enabled would that still be the case? Is that as clear as mud? Any help is appreciated. Let me know if more details are needed. Thanks
-
It is common to have VoIP on a VLAN. Just leave the LAN as is for everything else and add the VLAN. You'll have to configure the phones to connect to the VLAN. This is done in the phone's config, though sometimes it can be done with the appropriate DHCP options. However, I haven't used that method.
-
@jknott
Thanks. It makes sense to me that I can leave the current LAN as is, but that still leaves me with the question of how to deal with that on my managed switches, since the phones will be daisy chained with PCs, essentially requiring trunk ports connecting to the phone/PC combo. I see 2 main options:
- Using 802.1Q port tagging. Upon further reading since I posted last night, my understanding is that the current LAN is the same as the default VLAN (VLAN 1 on my Netgear switches). I would tag each trunk with the Voice VLAN, and leave VLAN 1 untagged (VLAN 1 should never be tagged anyway, I believe). This would allow me to use DHCP on both VLANs, plus static IPs where needed.
- Use port based VLANs on the switches. Assign VLAN 1 and the Voice VLAN to each trunk. Since there is no tagging, and the PCs are not VLAN aware, I don't believe DHCP would work and I would need to set static IPs for every device. Am I correct in that assumption?
I think option 1 is the preferred choice, not least of all because option 2 is a configuration headache. That leaves the issue of using VLAN 1. From what I can see, the default VLAN cannot be changed from VLAN 1 on the Netgear switches. Sounds like best practice from a security standpoint would be to create a new data VLAN, set up appropriate tagging on the switch and pfsense, and leave at least 1 port open on each switch, assigned to VLAN 1 for access to the management console. Or, ignore best practice and leave the switch IPs in the data VLAN, so I can access them from my desk and not have to go to the equipment closet, and remove VLAN 1 from all switch ports.
Questions? Comments? Snide remarks?
Seriously though, any help is appreciated, as always.
-
Yes, you'd use tagged VLANs. Just think of the VLAN as being a different network that just happens to run over the same cables.
The details vary with switch make, but the ports have to be configured to pass both the native LAN and the VLAN. Just make sure you use the same VLAN ID everywhere.
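To make concrete what "option 1" in the thread (data LAN left as the untagged native VLAN, voice VLAN tagged on the same ports) and the last reply's point about ports passing both networks actually do to frames, here is an added Python model. It is not code from the thread, from Netgear or from pfSense: it encodes and decodes the 802.1Q tag and simulates a switch port's PVID plus tagged/untagged membership, which is all a smart switch's VLAN page is really configuring. The VLAN IDs (1 for data, 20 for voice), the MAC addresses and the frame payloads are constructed for the example, since the thread names none.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Added example, not from the thread. VLAN IDs are assumed: the thread gives
# no numbers, so data/native = 1 and voice = 20 are used for illustration.
DATA_VLAN = 1
VOICE_VLAN = 20
ETHERTYPE_8021Q = 0x8100      # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the sample frames (locally administered range).
BCAST = bytes.fromhex("ffffffffffff")
PC_MAC = bytes.fromhex("0200000000a1")
PHONE_MAC = bytes.fromhex("0200000000b2")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]       # None means no 802.1Q tag on the wire
    ethertype: int
    payload: bytes


def encode(f: Frame) -> bytes:
    """Serialise a frame, inserting TPID 0x8100 + TCI when f.vlan is set."""
    raw = f.dst + f.src
    if f.vlan is not None:
        tci = f.vlan & 0x0FFF                  # PCP = 0, DEI = 0, 12-bit VID
        raw += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return raw + struct.pack("!H", f.ethertype) + f.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame; EtherType 0x8100 means the next two bytes are the TCI."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        (ethertype,) = struct.unpack("!H", raw[16:18])
        return Frame(dst, src, tci & 0x0FFF, ethertype, raw[18:])
    return Frame(dst, src, None, ethertype, raw[14:])


@dataclass
class Port:
    """Switch port: PVID for untagged ingress, plus tagged/untagged membership."""
    name: str
    pvid: int
    tagged: Set[int]
    untagged: Set[int]

    def ingress(self, raw: bytes) -> Optional[Tuple[int, Frame]]:
        """Classify an arriving frame into a VLAN; None means the port drops it."""
        f = decode(raw)
        vid = self.pvid if f.vlan is None else f.vlan
        if vid not in self.tagged and vid not in self.untagged:
            return None                        # ingress filtering: not a member
        return vid, f

    def egress(self, vid: int, f: Frame) -> Optional[bytes]:
        """Send a VLAN's frame out this port: tagged, untagged, or not at all."""
        if vid in self.tagged:
            return encode(Frame(f.dst, f.src, vid, f.ethertype, f.payload))
        if vid in self.untagged:
            return encode(Frame(f.dst, f.src, None, f.ethertype, f.payload))
        return None


def desk_port_scenario() -> dict:
    """Option 1: data VLAN untagged and voice VLAN tagged on the phone/PC ports."""
    desk = Port("desk", pvid=DATA_VLAN, tagged={VOICE_VLAN}, untagged={DATA_VLAN})
    uplink = Port("uplink", pvid=DATA_VLAN, tagged={VOICE_VLAN}, untagged={DATA_VLAN})
    server = Port("server", pvid=DATA_VLAN, tagged=set(), untagged={DATA_VLAN})

    # The PC is not VLAN aware and sends untagged; the phone tags its own traffic.
    pc_raw = encode(Frame(BCAST, PC_MAC, None, ETHERTYPE_IPV4, b"dhcp-discover-pc"))
    phone_raw = encode(Frame(BCAST, PHONE_MAC, VOICE_VLAN, ETHERTYPE_IPV4, b"dhcp-discover-phone"))

    pc_vid, pc_frame = desk.ingress(pc_raw)
    phone_vid, phone_frame = desk.ingress(phone_raw)
    pc_on_uplink = decode(uplink.egress(pc_vid, pc_frame))
    phone_on_uplink = decode(uplink.egress(phone_vid, phone_frame))

    return {
        "pc_classified_vlan": pc_vid,               # PVID puts the PC in the data VLAN
        "phone_classified_vlan": phone_vid,         # the phone's own tag is honoured
        "pc_tag_on_uplink": pc_on_uplink.vlan,      # None: native VLAN leaves untagged
        "phone_tag_on_uplink": phone_on_uplink.vlan,
        # the server port is not a voice VLAN member, so voice frames never reach it
        "voice_reaches_server": server.egress(phone_vid, phone_frame) is not None,
        # and a tagged voice frame arriving on the server port is dropped at ingress
        "server_accepts_tagged_voice": server.ingress(phone_raw) is not None,
    }


if __name__ == "__main__":
    for key, value in desk_port_scenario().items():
        print(f"{key}: {value}")
```

Running it shows why DHCP works for both devices on one cable: the PC's untagged frames are classified by the port's PVID, the phone's frames by the tag it already carries, and the uplink re-emits each in the same form, so pfSense sees the data network on the untagged parent interface and voice on the tagged VLAN. The same membership rule answers the management question in the thread: the switch's own management IP is reachable only through ports that are members of whichever VLAN that IP is bound to, so the choice is really which VLAN the management interface lives in, not whether tagging breaks access.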