Vlans for voice ip phones

(Ralph) #1

Has anyone setup a working vlan for voice. I am looking for guidance in how to setup freepbx server without being shut out by new ip address.

Many thanks in anticipation.


Do you mean losing access to the FPBX server when you change it’s IP address to be on the voice VLAN? If so, that all depends on your console access. If you have no console access then you need to be quite careful!
If no console access, I would suggest disabling the firewall so at least that will not block you, or at least whitelist the new network block in advance. However that won’t save you if a mistake is made in configuring the new address.
If you have console access, you are in a much better position.


I agree 100% that if you don’t have console access things can get really ugly quickly and you can get yourself into a really bad situation.

All my tagging is at the switch ports I am not using the built in firewall (I have POTS to the world)

When I switched mine to a vlan, I use the DHCP client on FreePBX and reserved the new IP on my DHCP server (otherwise DHCP and FreePBX server is a bad idea). I set the DHCP lease time low in case of an opps, and remotely rebooted FreePBX. I also was logged into its switch, as soon as I rebooted the FreePBX, ie right after pressing the reboot button, I switched the vlan on that switch port, so when the server was done rebooting it would request an IP but since it was now tagged, it would get a new IP from the new vlan block. I also created a firewall policy to give my laptop access to the server on the new vlan.

Be sure to write down the MAC address of the server so if something weird happens you can use AngryIP or your firewall DHCP logs to find the server. If things got stange, I can have console access so I was OK with my reboot and switch vlans at same time approach. If you do this, remember to set the lease time back or switch back to static.

I also used a similar technique to change the vlan on my phones, btw. Most worked OK but I had one Polycom phone that I couldn’t get to work. My other 10 or so 335 phones were just fine but this one phone was causing me to pull my hair out. I switched it to the vlan fine, could log into it but couldn’t get it to provision correctly. I ended up factory resetting everything , reloading firmware on the phone and then it worked fine with the new provisioning server address etc. My warning is that weird things can happen when you start tying to get things separated to different vlans, things that should work fine don’t.

(Ralph) #4

I have console access via the GUI ans SSH but my fear is that will not work if I setup vlan on pbx server using a new network address. Also my phones and the pbx have fixed ip addresses as issued by my router. Do these become redundant when I use a vlan?
Sorry if this seems a silly question but I am trying to understand how things tie together.
Thanks for help.


why not just add a tagged vlan to the FreePBX interface, that way the phones can use the vlan, you can manage on the untagged address.

When you are sure that you can manage on the vlan, then . . ,

(Ralph) #6

If I add a tagged vlan on Network interface on the GUI it issues a new network address. Does that risk losing connection on the original address?


it is always best practice to assign servers’ address(es) statically , never rely on dhcp.

(Jared Busch) #8

It may be your practice. But it is not a best practice.
In all networks I design and maintain, aside from the Router, Hypervisor, DHCP server, DNS Server, and Domain Controller (if Windows network), nothing is assigned statically unless the application forces it.
DHCP reservations handle anything that should never “move”

(Jared Busch) #9

Don’t use a VLAN then.

There are pretty much zero real reasons to use a VLAN for a voice network.


Even your router?

Forgive my cynicism but relying on windows for anything is not what I would do, what happens when your PBX reboots on a bad Tuesday morning?

(Jared Busch) #11

Who said anything about relying on Windows?

Reread what i posted.


By “console access via the GUI ans SSH”, sounds like you don’t have access to the actual console of the system? i.e. if a VM, access to the console via something like the Vsphere console app; if is a physical box, the console is either a serial port or a standard monitor/keyboard or if an actual server platform, access to the serial console via ssh or maybe via http depending on the hardware.

(Itzik) #13

I’ll disagree with that.
One of the main reasons we put voice on a VLAN is because of security. You never know, I mean, YOU know what access the phone vendor has to that network, so having these devices on a different VLAN with no access to the data or any other network is a good idea…

(Jared Busch) #14

I’ll give you that if the PBX itself is on prem. Otherwise meh.

And this is otherwise. The OP is doing it himself. There is no other vendor.

(Ralph) #15

Following all the above let me make clear the pbx server is in my property and I usually run headless via a browser on another machine, however if need be I can plug a monitor and keyboard into the pbx server for access directly.
My rationale for a vlan is 1 security, 2 voice priority to reduce any delay. I experience this mostly with a couple of Grandstream DECT phones running off a single unit. From what I have read using a vlan will improve this.
Experts so far seem to differ about value of vlan but taken that I have reached that decision can someone confirm that using System admin, Network, create interface, choose vlan is the correct way to do this and what risk do I run for being shut out.

Thanks to all

(Tom Ray) #16

OK well let’s understand something basic about VLANs, they aren’t some magical solution. VLANs are for when the network subnets are not physically separated on the network. I.e. two or more subnets need to route over the same interfaces, etc…

Not sure what security you think it provides. At best it means that the subnets can’t route/talk to each other. That’s just basic Layer2 with or without VLANs, different L2 domains (subnets) don’t talk to each other without routing in place.

Voice priority doesn’t require a VLAN, it can be based on numerous factors like a single IP, multiple IPs, etc. but that will also depend on your router abilities.

Now this whole thing with the GS DECTs, you’re getting delay, lag, audio issues? Putting this on a VLAN isn’t going to solve the bandwidth consumption. But since at most you’re looking at 80Kbps per call how many handsets are on this DECT set? Because you would need at least 11-12 handsets going at once to even have a 1Mbps pipe happening on a switch/network that is at least 100Mbps but most likely 1Gbps.

I’m not saying that using VLANs isn’t needed or that it shouldn’t be done. I usually have 2-3 VLANs on a deployment depending on how big it is and what is involved. But I’ve seen too many people come in on forums/IRC and what to do VLANs for all the wrong reasons and not have a basic understanding of what they are for. The general thought process is “I read on the Internet VLANs do magic…” and that generally isn’t the case. I’ve lost count of how many people have a single subnet but want help setting up multiple VLANs for “security”. Just not how it works.

(Ralph) #17

Thanks Tom Ray for your response. The pbx is on my home network with all the system using common cables around the house. There are only 2 DECT phones. I followed the Crosstalk Solutions video on vlans using a Ubiquti managed switch which suggested a voice vlan. They setup the vlan on the switch and did not mention vlans on the phone settings or the pbx. I have read a guide to vlans which helped somewhat but I am not clear if I need to tag voice data from the phone to the pbx via the switch for the switch to recognise tagged data or just tag data at the switch ports.
I realise that these questions show a high degree of ignorance but I am grateful for your help.
If you want to direct me to a book, webpage or video to learn for my self I would be grateful for that too.

(Tom Ray) #18

You don’t need VLANs or multiple subnets from the sound of it. The video in question I’m sure was directed more to business networks.


I agree, I don’t think you need vlans. They are just a way to virtually separate networks for security.

There were some posts on DHCP that I think should be clarified. With DHCP, the DHCP server assigns the IP address, the IP address can change. However this is different from a DHCP server with reservations. In that case the DHCP is still issuing the IP address and related info (gateways, etc) but the IP address is static, from the reservation table.

(system) closed #20

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.