VoIP Vlan setup

February 19, 2009 at 19:00:07
Specs: Windows XP
Greetings:
My company will be deploying a VoIP system in the near months. This will be a hosted IP Centrix system. I have two sites with a metro ethernet Fiber backbone. Each site will have about 30 phones installed. The Lans at both sites need to be upgraded as they are using unmanaged switches before VoIP implementation. I need your help designing the Voice Vlans and choosing the best switches for both QoS and PoE. The two switches that I am leaning towards are the HP Procurve 2610 series and Dell 3500 series. Here is a little about my general network topology. Each site has a Cisco 1841 router and a Cisco 3750 switch, both of which are owned by our ISP. The ISP will be responsible for QoS policies at the gateways. Site 1 is on a 172.16.1.1/24 subnet and Site 2 is 172.16.2.1/24 subnet. Each site has basic networking resources, i.e. DHCP, DC, DNS. Each site has 3 to 4 unmanaged switches. As I said above, I plan to upgrade said switches to managed ones. My phones will be Polycom models with built in switches that will connect to the user's workstation. OK, all that said, I need help setting up the voice VLANs. Here are my questions:
1. What are the best practices?
2. Do I need a layer 3 device between the main switch and the gateway at each site or should I have a gateway just for voice?
3. Do I need a separate DHCP server on the voice vlans?
4. What security risks should I consider?

Sorry for the long post and perhaps stupid questions but I am green to VoIP and Vlans.

Kind Regards,
Phillip




#1
February 20, 2009 at 05:54:27
Check out the Nortel Baystack 5520. It's a PoE/QoS capable L3 switch.

From your description, everything is in place and already working as far as the MAN goes so all you'll need is the inclusion of managed switches and of course, to deploy your VLAN's. You will want to QoS internally as well since your Video conferencing (if you have it, if you don't, plan on having it in the future) should be your highest priority traffic followed by the VoIP and then everything else with web browsing and email traffic having the lowest priority.

I'm not familiar with the phones you mentioned but we use Nortel (no surprise there, we're almost finished replacing all our cisco for Nortel products) and if you're sharing a single network port, with our phones, you plug the phone into the wall outlet and the PC/Laptop into the phone. So make sure you double check on how yours connect. Doing it backwards will be a problem.

1) You will want VLAN 1 to be your management VLAN. Which is to say, all network devices (switches, routers etc) should be on this network. Think of it as your backbone network. Nothing else will reside on this subnet but network devices. Then you will need to create a VoIP VLAN as well as a data VLAN. Depending on your needs, you may find you need more but start simple (KISS - always!)

2) You shouldn't need anything you don't already have. At least, not as far as data traffic goes. Where's your VoIP controller? You will have to plan the route to the VoIP controller. This will mean working up a plan with the VoIP provider and possibly your ISP.

3) Probably if you're going to go with DHCP. Since this is going to be a separate subnet I would think you'll need a separate DHCP server for it. Or at the very least, a separate DHCP scope/subnet.

4) The usual security issues apply here.

Do some reading/research on VLAN's before implementing and before you deploy your new PoE/QoS L3 switches, do extensive labbing. Ironing out bugs and issues before deployment will make the deployment itself go smoothly.

I'm not a huge fan of either HP or Dell. Most certainly not for network devices. HP started making printers and that's their forte. Dell, well, I won't support any manufacturer who moves their company to Mexico in order to make the big brass more $$$ by taking jobs from US/Canadian citizens. The Nortel's might cost more but in this case, you get what you pay for and on the plus side, you don't have to deal with either HP or Dell's support people if something does go wrong. It's worth noting in 4+ years of working with Nortel 5510/5520 switches, we've only had one have any hardware issues. It burnt up its main power supply. Fortunately, I believe in redundancy so it had a backup PSU in it and never even hiccupped or dropped a single packet when it switched over.

If you scroll down, below my reply you should see links to a couple other VLAN conversations. It's worth giving them a quick read.




#2
February 20, 2009 at 07:27:28
Thank you Curt R for your prompt response. Due to budget restraints, I can't put in L3 switches. I was hoping to use L2 switches to separate my data and voice traffic on the LAN side and route them to the gateways either by using the ISP's Cisco equipment or by installing a L3 device before the gateway. Does this sound like a viable solution? BTW, the management Vlan tip sounds like a very good practice. Would these be the ports where I trunk the switches together as well?

P



#3
February 20, 2009 at 08:04:42
"My phones will be Polycom models with built in switches that will connect to the user's workstation."

We had a post here not too long ago who was also using this setup.

A VLAN WILL DO YOU NO GOOD

The problem with this design is the combined phone and workstation on one wire. Proper design is a workstation vlan and a phone vlan. That is two different connections to the switch.

You can NOT accomplish this with the Polycoms!!!

You will end up just like the original poster, having to cable correctly to do proper vlans to address the congestion issues this Polycom configuration results in.



#4
February 20, 2009 at 08:31:26
Thank you Curt R for your prompt response. Due to budget restraints, I can't put in L3 switches. I was hoping to use L2 switches to separate my data and voice traffic on the LAN side and route them to the gateways either by using the ISP's Cisco equipment or by installing a L3 device before the gateway. Does this sound like a viable solution?

Bummer! It would have been nice to go to L3 switches for many and various reasons.

I suspect you could enlist the help of your ISP to do your routing so I would talk to them, explain your situation, find out what they can do for you and what it would cost. Then compare that to doing it yourself.

If you know UNIX, OpenBSD can be made into a router/firewall quite easily and it's basically free. Where I work, we used teamed (for redundancy) OpenBSD boxes as our routers/firewalls and they work quite well.

BTW, the management Vlan tip sounds like a very good practice. Would these be the ports where I trunk the switches together as well?

Just FYI, a management VLAN is a must in a larger environment. You will want to go this route if feasible with an eye toward expansion and ease of management.

Your switches will be assigned IP's in your management VLAN (for sake of example we'll say: VLAN 1 = 192.168.1.0/24). With all trunk ports assigned to VLAN 1 (base VLAN), and all other VLAN's passed on this trunk port (as 'allowed VLAN's'), it follows that all traffic (ie: all VLAN's) is then carried on the trunk ports and broken out on the individual ports.

Now let's say you have:
VLAN 2 = 192.168.2.0/24 = Data
VLAN 3 = 192.168.3.0/24 = VoIP

If your VoIP phone is being connected directly to the switch with nothing plugged into it, the port would be tagged with VLAN 3. If it were a data port, VLAN 2. If a combination, like with my Nortel phone and my PC plugged into it, its base VLAN would be VLAN 3 and VLAN 2 would be an 'allowed VLAN' also tagged to the port.

The reverse would be true for your setup with the phone plugging into the PC.

The following is pretty much the documentation format we use for our switch configs:

Switch - port - Base VLAN - Allowed VLAN's - Description

192.168.1.100 - 48 - 1 - 1, 2, 3 - Trunk (uplink to ???)

192.168.1.100 - 1 - 1 - 1 - management port

192.168.1.100 - 2 - 2 - 2, 3 - Data/VoIP

192.168.1.100 - 3 - 2 - 2, 3 - Data/VoIP

192.168.1.100 - 4 - 2 - 2 - Data

192.168.1.100 - 5 - 3 - 3 - VoIP

Port 1 is designated as a 'management port' so if you need to, you can take a laptop, plug into port 1, give your laptop an IP in the management subnet and then make changes to the switch or whatever you need to do. This is in case your main connection to the switch stops working for whatever reason and you can no longer remote into it.

Port 2 is going to be assigned to a PC that has a VoIP phone plugged into it so it has to carry both VLAN's with the base VLAN being that of whatever device is actually plugged into the port.

I did ports 4 and 5 as one each Data/VoIP so you could see the difference.

You will also need to have input from whomever is going to be taking care of your VoIP controller so I suspect you'll need to meet/talk with both your ISP and the VoIP people (Centrix) in order to deploy your VLAN's and VoIP correctly.



#5
February 20, 2009 at 13:08:25
Thank you so much Curt for your very detailed response. This setup should work perfectly for my LANs. How are you passing Vlan IDs and addresses to your phones?

P



#6
February 21, 2009 at 05:52:10
The phones are on DHCP and when we set them up, we have to add the VLAN tag then to its configuration as part of the setup. The data VLAN tags are added by the switch.


#7
February 21, 2009 at 12:13:57
How are you going to put different vlan tags on a phone and a workstation when they use the same port/wire?


#8
February 22, 2009 at 08:10:58
wanderer:
Thanks for your interest. Here is the voice Vlan method that I have been told to implement. I will assign the voice vlan id to the phone and tag all traffic from the phone. Untagged traffic (packets from PC) will be passed to the data Vlan.

P



#9
February 22, 2009 at 08:20:11
Curt:
FYI...My ISP and Centrix provider is the same company. Are you using a server on each of your subnets for DHCP? Do you think a separate gateway and internet pipe for voice traffic would be much better than routing data and voice through the same gateway? I am planning on upgrading my current internet pipe from 3 megs to 6 megs.

P



#10
February 22, 2009 at 12:43:41
Unless your Polycom phones' built in hub/switch can also do vlan tagging, your plan will not work.

Which is the point I have been making.

Vlan tagging is done at the switch port level. You can not have two devices on that port and have them get different vlan tagging.

The whole point of having a phone vlan and a data vlan is to separate the traffic between the two.

The best I get out of the Polycom site and their ip phones is "dual-port 10/100 ethernet switch"

This is not a managed or vlan capable switch.



#11
February 22, 2009 at 17:00:38
Wanderer:

Here is a link to a Polycom white paper about Vlans on the IP phones that I will be deploying. Perhaps this will clarify things. Please let me know what you think.

http://www.polycom.com/global/docum...

P



#12
February 23, 2009 at 07:37:17
Curt:

Are you using a server on each of your subnets for DHCP?

Our network is rather large and has many, many VLAN's. In order to keep things properly secured, our security specialist uses routers/firewalls made from teamed OpenBSD servers (for redundancy). These servers can also be configured as DHCP servers if necessary. So whenever DHCP is required on the other side of a boundary (firewall) then that firewall gets DHCP added to it.

For example, let's say you have a client subnet attached to Router/Firewall #2 on interface em4. Router/Firewall #2 has multiple interfaces that each connect to different subnets. You would simply enable DHCP on the appropriate interface (em4) to provide DHCP to the subnet.

Do you think a separate gateway and internet pipe for voice traffic would be much better than routing data and voice through the same gateway? I am planning on upgrading my current internet pipe from 3 megs to 6 megs.

It shouldn't be necessary. You need to employ QoS in your internal network though and it should also be available on the hard link between the two sites. If it's not, then you could have issues and may want to look at separate connections...so make sure you discuss QoS on the dedicated link between sites with your provider.

wanderer:

For a while I ran my PC through my VoIP phone here in my office. As I described above, I set the base VLAN (PVID) on the Nortel Baystack 5520 port as being that of my VoIP VLAN and added the data VLAN as an 'allowed' VLAN. The VoIP VLAN was configured on the phone during initial setup. If memory serves (I might be mistaken on this) I had to set the port as a 'trunk' port because when configured like this, it behaved as a trunk. Which is to say, it carried the traffic of two, or more, VLAN's. I don't have the time to redo this setup to verify if I had to make that port a trunk port or not but I do know it worked....lol.

It's the equipment we're using that makes this possible (ie: switches and VoIP phones).



#13
February 23, 2009 at 08:18:13
wanderer

I had forgotten we'd also played around with my coworker's VoIP phone so I checked the port he's plugged into. It is set as a trunk with the base VLAN (PVID) being the VoIP VLAN (72) tag. His is also set to carry our data VLAN (7) and our DHCP VLAN as well (11) and I remember testing to make sure both worked with our department laptop.

Set the laptop to DHCP and plug it into his VoIP set and it gets a proper DHCP IP and connects and can browse the web (our DHCP is external access only).

Change it to a Net 4 IP (VLAN 7) and it starts working on Net 4 and has full internal access as well as external.

So as I said, it's the equipment involved.

Unlike Cisco switches, our Nortel switches have to have any/all VLAN's added manually to the trunk ports. Cisco's put every VLAN on a trunk port by default. At least, all the Cisco switches I've worked with do. It might interest you to know that I had my port set to:
PVID: 72
Allowed VLAN's: 72, 11 (DHCP)

Whereas my coworker's is set to:
PVID: 72
Allowed: 72, 11, 7

The main trunk port to our core switches is:
PVID: 1 (management VLAN)
Allowed: 1 (Net 33), 7 (Net 4), 11 (DHCP), 18 (Net 14), 41 (Video Conference VLAN), 72 (VoIP)

Anybody else reading this might ask, "Net 4 is VLAN 7 why not make them the same?"

The answer is, legacy. This is what was in place when I began working here and it would be way more work than I care to even think about to coordinate VLAN tags to be the same as the subnet. I've made it policy that any new subnets we bring into use are to have a matching VLAN tag.

This is why I always advise people who are starting to VLAN tag to do that from the outset. It's sooooooo much easier to remember that VLAN 7 is Net 7 and VLAN 4 is Net 4 etc etc.....lol


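As an added example (not code from any poster in this thread): the port documentation format from reply #4, parsed into a small model that applies the standard 802.1Q ingress rules the thread relies on in replies #8 and #13, namely untagged frames take the port's base VLAN (PVID) and tagged frames are accepted only when that VLAN is in the port's allowed list, otherwise they are dropped. The sample table is a constructed copy of reply #4's, and the two consistency checks (PVID must be in the allowed list; management VLAN 1 only on trunk and management ports) are my own assumptions about what a reviewer would want flagged, not rules stated in the thread.

```python
from dataclasses import dataclass

# Constructed copy of the port documentation table from reply #4:
# Switch - port - Base VLAN - Allowed VLAN's - Description
PORT_DOC = """\
192.168.1.100 - 48 - 1 - 1, 2, 3 - Trunk (uplink to ???)
192.168.1.100 - 1 - 1 - 1 - management port
192.168.1.100 - 2 - 2 - 2, 3 - Data/VoIP
192.168.1.100 - 3 - 2 - 2, 3 - Data/VoIP
192.168.1.100 - 4 - 2 - 2 - Data
192.168.1.100 - 5 - 3 - 3 - VoIP
"""
MGMT_VLAN = 1  # VLAN 1 is the management VLAN in this thread's design


@dataclass(frozen=True)
class Port:
    switch: str
    number: int
    pvid: int            # base VLAN: untagged ingress frames land here
    allowed: frozenset   # VLAN IDs the port accepts/carries tagged
    description: str


def parse_port_doc(text):
    """Parse 'switch - port - pvid - allowed - description' lines, keyed by (switch, port)."""
    ports = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        switch, num, pvid, allowed, desc = (f.strip() for f in line.split(" - ", 4))
        port = Port(switch, int(num), int(pvid),
                    frozenset(int(v) for v in allowed.split(",")), desc)
        ports[(switch, port.number)] = port
    return ports


def classify_ingress(port, tag):
    """802.1Q ingress: untagged -> PVID; tagged -> that VLAN if allowed, else dropped (None)."""
    if tag is None:
        return port.pvid
    return tag if tag in port.allowed else None


def check_port(port):
    """Sanity checks (assumed, not from the thread): PVID allowed; mgmt VLAN only on infra ports."""
    problems = []
    if port.pvid not in port.allowed:
        problems.append("PVID %d is not in the allowed list" % port.pvid)
    is_infra = port.description.lower().startswith(("trunk", "management"))
    if MGMT_VLAN in port.allowed and not is_infra:
        problems.append("management VLAN %d reachable from a user port" % MGMT_VLAN)
    return problems
```

On port 2 this gives the behaviour reply #8 describes for the Polycom setup: the PC's untagged frames land in data VLAN 2, the phone's frames tagged 3 go to the voice VLAN, and anything tagged for VLAN 1 is dropped because the port does not allow it.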

#14
February 23, 2009 at 11:04:40
Curt:
It turns out that I may be able to put a L3 switch in the topology at each site if I reduce the number of ports. I was originally planning on installing 48 ports but stacking two switches with one being L3 capable may be the best solution. I will need at least 20 ports of PoE per site. Do you recommend a budget friendly switch that will do the required routing to my gateways? My ISP doesn't seem like they are willing to help without charging me for the service. Thanks again for all your help.

P



#15
February 23, 2009 at 13:56:32
Hey gfan.

No matter what, shop around. Make sure the switch has all the features you need (ie: PoE/QoS capable - L3 etc) and look at the price and compare with other comparable switches. Definitely take a look at a Nortel 5520 in the 24 port model. They may fit your budget but I know the 48 port ones are worth around $5,000.00 (CDN). You will want to go with whichever switch provides all the features you need and has the best price. Don't forget to look at warranty and support while pricing out your equipment.

If you haven't signed any contracts you may want to hold off. If it were me, the contract would state that the provider not only provides equipment and the connection, but also has to help get things setup and working.........and that would include routing.

When we included VoIP in our network, we bought our own controller which connects to our PBX (phone) switch (as I said, we have a large environment here). A part of the VoIP provider's package was to help us get the controller configured and working properly. We would NOT have gone with this provider if they were just going to sell us equipment and not help us make it work and/or provide training on it. This is something that you must always include in your contract.

