Vlan or Subnet for Voip.....softphones?

Forgive newb network question:

I’m setting up a new system where my Fpbx 14 is on a separate vlan/subnet with the hardphones, while the rest of the office would be on a “data” vlan or subnet.

But, I have softphones on surfing workstations living on the data vlan/subnet, what to do with those machines? I’d like to just allow the softphones to reach the pbx, nothing else, without performance loss if possible.

Which is better for segregation, vlan or subnet? In sip settings, localnet can see multiple subnets, but does this not defeat security by segregation? Tunneling would make some overhead, no?

What’s the best way to allow just the softphone to get to my pbx on the adjacent vlan/subnet?

All suggestions or thoughts are welcome, I can research. Router is a Mikrotik 3011; I am learning it now. Two Unifi POE switches, 24 and 48, which can vlan tag.

Thank You!

While my experience with VLANs is not extensive (expletive riddled and immensely frustrating, but not extensive) I would steer away from using VLANs for your phones. The advantage of using VLANs is that it’s easier to establish smaller broadcast domains, but the trouble you can run into getting it to work has always been more than I want to deal with.

If you’re going to be using the same physical network, you can use different IP address ranges on the same network infrastructure and not mess with the VLAN tagging and the performance should be almost identical. Note that you can even go so far as setting up separate networks (192.168.0.x and 192.168.100.x) and have them not share broadcast domains using the same switch. I like to think of it as an “RLAN” (Real vice Virtual) that has all of the advantages of a VLAN while maintaining the level of simplicity my simple mind can comprehend.

Thank You Dave,

Rlan sounds interesting :)

Appreciate the input.

"…setting up separate networks (192.168.0.x and 192.168.100.x) and have them not share broadcast domains using the same switch."

Two different animals.

For Layer 2 (ethernet) broadcasting, a VLAN can most decidedly ensure QoS. Tagging voice to have priority over data packets is most certainly worth the trouble, if you are running a business. You are not going to get that with Layer 3 subnetting.


Chassv, I am a network guy and I have struggled with this same issue at my clients. Sorry to say there are no good answers here.
One option is to create a vlan sub-interface on your workstations for the “softphone vlan”. All modern Windows flavors can do this. Then, you can assign an IP to the workstation in that range as well. But, as you might imagine, this is a pain and I am not necessarily recommending it.

As I said, I am not aware of a good answer for this.

No, by putting QoS on a VLAN, you absolutely do not prioritize voice. You are instead prioritizing the entire VLAN. Broadcasts, DHCP, DNS, SIP, and yes, RTP (the actual voice).

A VLAN is 100% never for voice QoS.

As you can see from the debate, not extensive, but expletive filled. :)

"a VLAN can most decidedly ensure QoS"

"No, by putting QoS on a VLAN, you absolutely do not prioritize voice. You are instead prioritizing the entire VLAN. Broadcasts, DHCP, DNS, SIP, and yes, RTP (the actual voice).

A VLAN is 100% never for voice QoS."

Your point that VLAN will not discriminate is noted, but the switch will treat a tagged L2 frame with higher priority than non-VLAN or a lower priority VLAN. As you noted, if a VLAN carries everything, data as well as broadcasts, then within that data will be RTP, etc. So, there you go, a higher QoS is obtained.

But not for the voice traffic. Within the VLAN, the voice traffic has no priority.

"But not for the voice traffic. Within the VLAN, the voice traffic has no priority."

Don’t put anything else in that VLAN. That way, that VLAN, with voice traffic & broadcast traffic is given priority over any other lower ranked VLAN and/or other traffic that is not tagged with a VLAN.

Raising the priority of the voice vlan certainly provides some (and in some cases, enough) QoS for the voice traffic but if, for some reason, your voice vlan has so much DNS, DHCP and/or other broadcast traffic that it’s a problem one can certainly apply QoS rules within the vlan.

@OP
The only reason this is a complicated or “debated” answer is because of the complexity and [general lack of] knowledge/resources for dealing with VLANs. Take the required expertise out of the equation and VLANs are a clearer winner.

Now this, of course, assumes you have something to gain from a vlan that you can’t gain from simple address space segregation (e.g. L2 broadcast domain isolation).

KISS always prevails, but as Albert Einstein told us: “make things as simple as possible, but no simpler.”
E.g. use subnets if and as long as it suffices, but as soon as it doesn’t, well, you already know the answer…
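
Added example, not part of any post in this thread: one way to express the original question ("allow just the softphone to get to my pbx") as forward-chain filter rules on the Mikrotik router. The subnets reuse the 192.168.0.x / 192.168.100.x ranges mentioned above; the PBX address 192.168.100.10 and the SIP/RTP port numbers are assumptions that must be matched to the PBX's own SIP settings.

```routeros
# Constructed addressing (assumptions, not taken from anyone's real config):
#   data subnet  192.168.0.0/24   (workstations running softphones)
#   voice subnet 192.168.100.0/24 (PBX and hardphones), PBX at 192.168.100.10
#   SIP signalling on UDP 5060, RTP media on UDP 10000-20000
# Media is assumed to flow through the PBX, not directly phone to phone.
/ip firewall filter

# 1. Replies to flows that were already allowed (connection tracking).
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for allowed flows"

# 2. Softphones may reach the PBX for SIP signalling only.
add chain=forward action=accept protocol=udp \
    src-address=192.168.0.0/24 dst-address=192.168.100.10 dst-port=5060 \
    comment="data -> PBX SIP"

# 3. Softphones may send RTP media to the PBX only.
add chain=forward action=accept protocol=udp \
    src-address=192.168.0.0/24 dst-address=192.168.100.10 dst-port=10000-20000 \
    comment="data -> PBX RTP"

# 4. Everything else from data to voice (PBX web GUI, SSH, hardphones) is
#    dropped and logged so blocked attempts are visible.
add chain=forward action=drop log=yes log-prefix="data-to-voice" \
    src-address=192.168.0.0/24 dst-address=192.168.100.0/24 \
    comment="data -> voice default deny"
```

Rule order matters: the accepts must sit above the drop. These rules only see traffic that is routed through the router, so two subnets sharing one untagged L2 segment are not isolated by them; a workstation that adds an address in the voice range reaches the PBX directly.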
