VLAN necessary or not?

I set up FreePBX without using VLANs, so it resides on my data network. We have 75 SIP devices and about 16 analog faxes and phones connected via Vega gateways.
The data network has about 125 devices. Do I need to set up a voice VLAN since we have less than 300 total network devices?
We have HP switches with 10 gig fiber uplinks between them.

How would VLANs come into play here? Do you have a flat network? Are you using multiple subnets that are passed between devices through an uplink connection? Are you using VLANs now to pass traffic this way?

Deciding whether or not to have separate networks between your voice and data is an internal decision based on your needs, requirements and setup. The amount of devices on the network may or may not be a factor, but it’s not an overly deciding factor.

However, do not conflate having a segregated network with the need to have VLANs or that VLANs will do the segregation. VLANs are just there to tag that traffic on your routers/switches/etc that have those multiple subnets passing traffic over a single port. As I said above, the uplink ports between your router and the switch where some ports on the switch need to be for subnet A and others need to be for subnet B or a case where the PCs piggy back the phone so both subnets need to be on that port. The VLANs are there for the routing of the traffic and that’s it.

The answer is no. Period.

Anyone telling you otherwise is trying to sell you something.

VLANs exist solely for virtual segregation of physical networks into multiple subnets using a single physical medium.

There is nothing about security or QoS involved.

Those things can be added. But they are add ons.

You need to learn how networking even works.

Since you are asking, you obviously have no clue, which means you have a basic /24 network. Gods, probably still on 192.168.1.0/24

You have 254 usable IP addresses in a /24. One will be your router.

You have ~200 used IP addresses. 125 + 75 + 1 (or 2 Vegas) = 201

You should probably think hard about changing your network to a /23.

But otherwise, you need do nothing.

Actually, I reasonably understand networking. I inherited this network configuration. It was a /16 network and is now set as a /19 network in the 10.X.X.X range. 8192 devices on one subnet, which is still way overkill given the quantity of devices. It has not been changed any smaller, as a lot of my infrastructure is machines with static IP addressing that are all over this range; some of these machines are old enough to have tubes in them and would take significant bugger eating to figure out how to change.
My questions are more for FreePBX. Given my small number of devices on a reasonably robust infrastructure, is there a necessary or major benefit to implementing a VLAN for voice and turning on QoS on my switches? I am partially live (2 buildings out of 5) with the system and have no reported issues as of yet. My phones, Sangoma and Polycom, are all connected via PJ_SIP.

You shouldn’t have any issues with your configuration at all. In your case, separating the networking segments would probably be more from a management point of view than a capacity separation concern. Different IP segments for different locations to help you determine phone registration locations, maybe? VoIP traffic on a LAN is relatively light; it shouldn’t be any type of struggle at all. I’ll keep phone traffic on a separate VLAN from computers on larger deployments, not from a capacity point of view, but more for traffic segregation protection in case a network gets flooded by a virus or something, which is rare in itself nowadays.

QoS for voice traffic has nothing to do with a VLAN.

Just like I pointed out, VLANs also aren’t needed to segregate the network either. I have quite a few setups where the Voice, Data and Guests (hotels) have three subnets off my router/firewall and not a single VLAN because they have their own dedicated ports on the router that switches plug into.

Same result, no VLANs.

Voice VLANs have some security value in two situations:

  1. Where you have to deal with untrusted devices on your network and you expect attacks from them.
  2. You’re dealing with information that requires such extreme paranoia that you require device-level authentication for everything attaching to your network.

These are both pretty serious edge cases - something you might see in a hardcore R&D or national security-sensitive installation. In the overwhelming majority of cases, they’re not worth the hassle.

From a generic QoS and basic functionality standpoint they’re unnecessary in reasonably modern corporate networks. In the few remaining corner cases, money for expensive consultants to set it up isn’t an issue. At that point you’re also getting into 802.1x authentication (because otherwise why bother?), possibly passthrough 802.1x for the devices daisy-chaining off the phones (twice the fun!), etc. Lots of hassle all over the place. Never mind all of the weird phone quirks to deal with - I doubt this stuff is battle-tested outside of vendors like Cisco.

I don’t know why this has to be explained over and over again.

VLANS DO NOT HAVE ANYTHING TO DO WITH SECURITY OR SEGREGATION OF THE NETWORK!

Everything people keep describing are things I already do WITHOUT VLANS at a small number of locations that I manage. I have my routers; they have three DHCP servers, each with their own subnet. I have the routes set to not allow the three subnets to talk to each other. I have each DHCP server/subnet assigned to specific interfaces (like ether3, ether4, ether5 for example) and then each of those networks plugs their switches into their respective ports. Done. Now all three networks exist, they are secured/segregated from each other and never shall they cross paths. No VLANs required or needed for this setup.

I need to use VLANs when I have the exact same setup on the router but everything is going over ether4 and ether5 to switches that can have devices on any of those three networks, so at this point I need VLANs to be able to tag the traffic I want on each of those subnets. This is what VLANs are used for: to route multiple subnets over the same “trunk” and shared equipment that devices will use.

They DO NOT MAGICALLY keep your network segregated or secured.

Tom,

With all due respect, there’s really no need to yell at each other here because of different opinions on VLANs; not everyone finds having 3 DHCP servers and 3 different switches the best solution as you do.

I’ll give you a little example: if you have an office, especially in these brick buildings, where you can’t or don’t want to run new dedicated cables for the new VoIP phones, what you do is use the Ethernet cable for the phone and jump the PC through the phone.
VLANs here are the only option.

We usually stack a few Catalyst switches together, setup a few VLANs (Data, Voice, Cams, Mgmt, etc) one DHCP server, and of course proper firewall rules between the VLANs.

With all due respect, this isn’t about a difference in “opinions”; it’s a difference of people saying things that are incorrect as being “right”. That is wrong. Not to mention that this has already been mentioned a few times in this very thread. VLANs are not there for security or segregation of the network.

The whole point of that was to show the times when VLANs are needed and when they are not. You understand that the point of the VLANs is to tag traffic so it can route through the network properly. When you have two subnets (voice and data, for example) that need to be on the same switch that is plugged into your network, you need VLANs because that’s how you’re going to send the traffic over the uplink between the router and the switch. Then you need to program the switch to have the VLANs on the ports that should have those VLANs. Some ports may have one VLAN, some may have the other and some may need to pass both through.

My point with those setups that I gave was to show that you can have a segregated and secured network between those subnets without the use of VLANs because in those deployment situations they wouldn’t be needed. I also pointed out that there are numerous setups in which I have to use VLANs because all the devices on the different networks are on the same switches and equipment. THAT is when you need VLANs.

Sorry but after correcting people multiple times in the same thread (multiple people making those corrections too) it becomes frustrating when new posters say the exact things that we just corrected others on saying. Either they aren’t reading the previous posts completely or they are just posting without thinking.
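The tag described above is an 802.1Q header: a 16-bit TPID of 0x8100 followed by a TCI carrying a 3-bit PCP (the 802.1p priority bits), a 1-bit DEI and a 12-bit VID. As an added example (not code from this thread or from FreePBX), the Python below builds and parses tagged and untagged frames and models the phone/PC port from the thread, where the phone tags its frames and the PC behind it sends untagged; MAC addresses and VLAN numbers are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID 0 and 4095 are reserved; use 1..4094")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        tci = (pcp << 13) | (dei << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Return addresses, tag fields (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vid = pcp = dei = None
    (etype,) = struct.unpack_from("!H", frame, offset)
    if etype == TPID_8021Q:  # tagged: TCI then the real EtherType follow
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset += 4
    offset += 2
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": etype, "payload": frame[offset:]}

def classify_on_port(frame: bytes, native_vid: int, tagged_vids: set) -> Optional[int]:
    """Model the phone/PC port: untagged frames (the PC) land in the native VLAN,
    tagged frames (the phone) are accepted only for allowed VIDs. Returns the
    VLAN the frame is switched into, or None if the switch drops it."""
    p = parse_frame(frame)
    if p["vid"] is None:
        return native_vid
    return p["vid"] if p["vid"] in tagged_vids else None

if __name__ == "__main__":  # constructed sample: phone on VLAN 100, PC untagged
    phone = build_frame(bytes(6), bytes(6), 0x0800, b"\x00" * 20, vid=100, pcp=5)
    pc = build_frame(bytes(6), bytes(6), 0x0800, b"\x00" * 20)
    print(parse_frame(phone)["vid"], classify_on_port(pc, 1, {100}))
```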

Sorry I stirred up a hornet’s nest. I just wanted to verify that not using VLANs with a flat network was not going to be an issue now or in the future. And do I really need QoS enabled anywhere? From the answers given so far, I should be fine not using VLANs or QoS with my small number of devices and an enterprise class network.

OK, I’m not sure where all these misconceptions are coming from. 1) The amount of devices on your network does not dictate if you need VLANs or QoS on the network. How you have your network infrastructure will determine that. 2) A flat network is a network with one subnet, which is basically every network in someone’s house or if they just use the default stuff on the router. 3) You cannot really have an “enterprise class network” with a flat network because that would mean your grandma with her D-Link router in her house would have an “enterprise class network”, because she would have the same setup as you: a single flat network with one subnet.

So far nothing here sounds like anything really needs to be done. It’s just a simple, flat network. No VLANs, no additional subnets and as for QoS well that is more on the amount of traffic, bandwidth and how you want to prioritize said traffic.

I meant enterprise class equipment with enterprise class performance. I do have VLANs in use already. My lighting control network has 16 access points and a server in its own VLAN. Maybe a flat network for data and phones is not considered enterprise class in your eyes, but my point is my network loads are low considering there are only 350 total devices including phones on a network with a 10 gig backbone, a 1 gig backup backbone and a 100 Mb fiber connection to the Internet. If I had bandwidth limitations between the switches then I could get network congestion, which would invoke QoS. If I have 100 users who all decide to download files at the same time, this could overwhelm my bandwidth (likely only the Internet connection), which is where QoS would come into play. I will enable QoS on the firewall router to the Internet if I have any remote user issues. If I had 1000 users then network congestion could be a lot more likely. So I believe the number of devices has to be considered. On my internal network neither is needed, as 100 total users are not going to overwhelm my switches. In reality I have 5 or 6 users that download or upload large files regularly. The largest Internet usage is streaming radio and video, and that usually is well under 5-10% of the pipe. I am using a PRI connected to a Vega 200 to provide PSTN connectivity, so external SIP traffic would only be remote users.

Why would you ever implement a VLAN for this? There is zero reason to do so. The phones work just fine on the data network.

A flat network isn’t enterprise in any way. Doesn’t matter if you have a $5,000 Cisco/Juniper or whatever as the router/switch. Having a rack mounted router that costs a lot of money doesn’t make it enterprise when all it’s doing is a /24 that anyone does at home. I’ve got $60 MikroTiks doing a more “enterprisey” network than people that spent hundreds to thousands on a name that still misses features that I have with my “SOHO priced” router.

I’ve got 10 user offices with more complex setups than 50 user offices due to the requirements of their needs on the network. The amount of users and devices is just one of the numerous factors in all this.

The only time I do this is when I don’t control the data network but they only have one drop per phone/PC to a switch. In most cases I have to take over the management of the switch because this is too complicated for most office network admins. So I set my network up with a VLAN tag and let theirs be untagged/VLAN1 so they don’t have to do stuff, and then set my phones to use the VLAN for voice but leave the data port untagged. Oh, and when there is a need for prioritized voice traffic, even when I do both networks, I do this so I can set my priority queues in the router based on the VLAN/subnet.

I’m not disagreeing with you, I’m just pointing out valid reasons.

VLANS DO NOT HAVE ANYTHING TO DO WITH SECURITY OR SEGREGATION OF THE NETWORK!

Ummm… that’s literally, exactly what they’re there for: segregating layer 2 broadcast/switching domains (and the associated higher-level protocols), most commonly for security purposes in modern networks that vanishingly rarely have to worry about broadcasts/multicasts overwhelming a segment. Being angry about it doesn’t change anything. Now, if someone decides for whatever reason that they want to have unrestricted routing between VLANs (assuming they’re even on the same routing table/VRF, which is not always the case), then that’s most certainly a possibility. But that’s fairly rare with high speed switching, and so usually they’re providing isolation for security purposes.

Reference:
http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=4

I am not saying you should always do that. But in a scenario like the one mentioned, where you want to segregate, your only option is VLANs.

There is, if you don’t want users to access devices on the voice network, or you want different DHCP options on both networks, or even web access, etc.