Review these settings please, VLAN/VOIP roll-out on existing network, advice?
We had Layer-2 switches, with some VOIP phones on the same 172.16.50.x subnet. The switches are all changed out to Layer-3, each has a static interface IP for management on the 172.16.50.x subnet, and currently the switch where the gateway router is located has a static interface IP for management on its VLAN2 172.31.17.x subnet.

 

We want to put the VOIP server, and all of the IP phones on the 172.31.17.x subnet. I have a couple of questions, I am also attaching a drawing to better show the setup.

 

1: Any reason to add a static interface IP to each switch under the VLAN2 subnet? I can get to them just fine on the VLAN1 172.16.50.x subnet.

 

2: When I set the VOIP server IP settings up, I was greeted with a "The default gateway is not on the same network segment" in Windows, however I am able to communicate to VOIP server and the gateway/internet from the VOIP server.

 

3: I thought I would need to "trunk" the SFP fiber modules for VLAN1/VLAN2 on each of the other switches down the line from the first switch 172.16.50.126/172.31.17.1 in order to communicate with it. However I have a workstation on the 172.16.50.127 switch, with an IP of 172.16.50.210 and I can ping/RDP the VOIP server on IP 172.31.17.50 just fine.

 

I'm concerned I have something setup incorrectly in the way the traffic is routing, any suggestions or thoughts would be great, and I will answer any questions to help clarify ASAP.

 

[attachment: network-setup2.jpg]

1.  No reason to have them on vlan2

2.  All voip should be on its own subnet.  Gateway should be on the same subnet, not exactly sure how you would route to a different subnet when it isn't on that subnet to be routed to.  Your gateway is what directs traffic, how is it that you are able to connect to an ip outside of the subnet?  Do you have another ip on that voip server?  I see vlan1 and vlan2 trunked to the voip server, but I think there is some information missing there. 

3.  If you have your routing setup and you have not created any acls to deny traffic, then it would be able to connect and see that network. 


9 hours ago, sc302 said:

1.  No reason to have them on vlan2

2.  All voip should be on its own subnet.  Gateway should be on the same subnet, not exactly sure how you would route to a different subnet when it isn't on that subnet to be routed to.  Your gateway is what directs traffic, how is it that you are able to connect to an ip outside of the subnet?  Do you have another ip on that voip server?  I see vlan1 and vlan2 trunked to the voip server, but I think there is some information missing there. 

3.  If you have your routing setup and you have not created any acls to deny traffic, then it would be able to connect and see that network. 

1: Ok good. One less thing to configure

2: That's what I thought. I think I am going to have to set up one of the TZ-600 ports to be a separate IP going into the first Adtran switch, with an IP on 172.31.17.x, to act as the router instead of just a static route between subnets doing it, make that IP the gateway for devices on VLAN2, and then set up ACLs between 172.16.50.x and 172.31.17.x.

3: Makes sense.


How does this look.

1: Removed VLAN2 interface IP of 172.31.17.1 from Adtran

2: Added X4 LAN interface on Sonicwall with 172.31.17.1/255.255.255.0

3: Hooked X4 LAN into Adtran port 1, set it to Trunk between VLAN1 and VLAN2

4: Hooked VOIP Server into Adtran port 2, set it to Trunk between VLAN1 and VLAN2

5: Changed Gateway on VOIP server to 172.31.17.1

 

Haven't set up any ACLs yet; by default LAN>LAN is Allow, so I'll do that later.

 

[attachment: network-setup3.jpg]

"The switches are all changed out to Layer-3"

 

Why?  Are you actually going to do downstream routing?  Or did you just get a newer model that can do layer 3 and you're still going to just use layer 2?

 

You have all of those switches daisy-chained like that??  That is not a good setup.. They should all home run back to your core switch..  Those users on the last switch trying to get to the internet, say, are going to have to share that same 1 gig pipe on every uplink with all the other users on that switch as well, etc..

Well if you are with me...unedit my edit

 

Your phone should be on one port on your sonicwall and your data should be on another port, with your phone being on a lower (less secure) security level and your data being on a higher (more secure) security level.  This way your data network can connect to the phone and your phone network cannot connect to your data.  By doing this you can also set the qos on the firewall, allowing the phone network higher priority to take the bandwidth it needs to be able to have clarity and maintain the phone calls.  It would be a great idea to keep it separate as much as possible for ease of understanding, drawing it out, and securing the networks, if you have the cabling to do so between closets/switches.

 

edit:  yep looks ok in the second drawing. 


I'm with sc302 for phone and data, it's a good idea to keep those on different ports.  Shoot, even different switches; there are many companies that have their data switches and then their voice switches.

 

If you're going to just do vlans, this is when dynamic vlans come in handy ;)  So you can assign a port in a location to either voice or data depending on what gets plugged in.

 

Fixing up the vlans is the easy part; what is concerning to me is the physical layer 1 connectivity..  Daisy chaining like that is not a very good idea.. Are these switches on different floors in a highrise and that is why you have them daisy chained vs home run all the way to the floor where fiber connections happen? etc..

6 hours ago, BudMan said:

"The switches are all changed out to Layer-3"

 

Why?  Are you actually going to do downstream routing?  Or just got newer model that can do layer 3 and your still going to just use layer 2?

 

You have all of those switches daisy-chained like that??  That is not a good setup.. They should all home run back to your core switch..  Those users on the last switch trying to get to the internet, say, are going to have to share that same 1 gig pipe on every uplink with all the other users on that switch as well, etc..

Yeah, the problem is each one of those switches is in a separate building, each one farther than the next, so the fiber is aerial and run between buildings, the farthest one being about 1400 meters away.

 

We don't do much high bandwidth application data, and we limit streaming via App Control in the Sonicwall, for say Netflix, Youtube etc.

 

This is a small server environment of only a few servers and 80 workstations.


Well whatever I have setup, the VLAN's don't seem to matter right now.

 

Sonicwall has:

X0 LAN 172.16.50.254 - physical cable to Adtran switch

X4 LAN 172.31.17.1 - physical cable to Adtran switch

 

VOIP Server 172.31.17.50 - physical cable to Adtran switch

 

In the Adtran, I have VLAN1 and VLAN2 set up; the ports with those 3 physical cables above are set to "Trunk". However, any other port that is just set to VLAN1 can still talk to IPs on VLAN2, and if I take an IP phone out and set it with a static IP like 172.31.17.100, it can talk to 172.31.17.50 with no VLAN settings added.

 

If I disable the "Trunk" setting on those ports above, I can still pass traffic both ways between 172.31.17.x and 172.16.50.x, which shouldn't happen.

First time here really setting up VLANs.

You are going to be able to pass traffic between vlans. Layer 3 enables routing so unless you specify vlan 2 to stop talking to vlan 1 it is going to keep talking. 

 

Vlan 1 and 2 are in the same house.  How do you stop people from talking in the same house? You make rules... If they don't follow the rules, you put them in their own rooms... They switch rooms, you kick them out.   But it all starts with you doing something other than just inviting them over to stay. 


1 minute ago, sc302 said:

You are going to be able to pass traffic between vlans. Layer 3 enables routing so unless you specify vlan 2 to stop talking to vlan 1 it is going to keep talking. 

Ok, so how is the IP phone connecting from its IP 172.31.17.100 to 172.31.17.50 with no VLAN setting added to the phone? Because of the L3 routing?

And if so, where would I typically control this traffic from to stop the talking between the VLANs, at the Sonicwall with ACL rules between X0 and X4, or at the Adtran switches?

 

BTW thank you for the information.


Just now, sc302 said:

Look at the subnet

 

172.31.17 is the same network, .1 will be able to talk to .254 and every address in between. 

I get that, but 172.16.50.X (data) is able to talk to 172.31.17.X (VOIP) is what I mean.

 

I'm not even sure if I have the VLANs setup correctly, I only have VLAN1 and VLAN2 setup in the Adtran switches, nothing in the Sonicwall.


Because layer 3 routes by default. The master switch or firewall is saying it knows both networks and I will pass over to the other network. 


Let's take the sonicwall and all other switches out for a minute.

Let's work with your first drawing, where the first switch has the following vlan ip info:

 

VLAN1= 172.16.50.126

VLAN2= 172.31.17.1

 

Without you doing anything, this device knows about and will route traffic to 172.16.50 and 172.31.17 from the opposite networks.  You don't have to do anything and it will automatically allow traffic through.  If you put a default gateway on that switch to go to the sonicwall, any traffic that isn't going to 172.16.50 or 172.31.17 will be forwarded onto the sonicwall.

 

So if you want vlan1 to not talk to vlan2, you will have to make a rule on the adtran that has an ip address on both vlans (this would be the gateway address for the vlans).
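A small reachability model, added here as an example and not something from the original posts, the Adtran or the SonicWall. It is meant to make concrete both sc302's point above (a device holding an IP on both VLANs routes between them until a rule says otherwise) and the earlier observation that a phone given a static 172.31.17.100 on an untagged VLAN1 port could still reach 172.31.17.50. Everything in it is an assumption built from the thread: VLAN 1 carries 172.16.50.0/24, VLAN 2 carries 172.31.17.0/24, the L3 hop is the first Adtran's interface IPs from the first drawing (172.16.50.126 and 172.31.17.1), and the ACL is stateless like a switch ACL. A SonicWall X0/X4 pair would be modelled the same way.

```python
"""Reachability model for a two-VLAN, two-subnet LAN (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed subnets, taken from the thread.
DATA = ipaddress.ip_network("172.16.50.0/24")
VOICE = ipaddress.ip_network("172.31.17.0/24")


@dataclass
class Host:
    name: str
    iface: ipaddress.IPv4Interface          # address with mask, e.g. 172.16.50.210/24
    vlan: int                               # broadcast domain the host's frames land in
    gateway: "ipaddress.IPv4Address | None" = None


@dataclass
class L3Device:
    """A routing hop with one IP per VLAN (switch SVIs, or firewall X0/X4)."""
    name: str
    interfaces: dict                        # vlan -> IPv4Interface
    acl: list = field(default_factory=list) # (src_net, dst_net, permit); first match wins

    def permits(self, src_ip, dst_ip):
        for src_net, dst_net, permit in self.acl:
            if src_ip in src_net and dst_ip in dst_net:
                return permit
        return True                         # no ACL: everything connected gets routed

    def interface_for(self, ip):
        """Return (vlan, interface) of the directly connected subnet holding ip."""
        for vlan, iface in self.interfaces.items():
            if ip in iface.network:
                return vlan, iface
        return None


def one_way(src, dst, routers):
    """True if a packet from src is delivered to dst (one direction only)."""
    # Same subnet: src ARPs for dst directly, which only works inside one VLAN.
    # VLAN membership comes from the port, not from the IP the host was given.
    if dst.iface.ip in src.iface.network:
        return src.vlan == dst.vlan
    # Other subnet: hand to the default gateway, which must answer ARP on the
    # host's own VLAN and sit inside the host's own subnet.
    if src.gateway is None:
        return False
    for r in routers:
        hit = r.interface_for(src.gateway)
        if hit is None:
            continue
        gw_vlan, gw_iface = hit
        if gw_iface.ip != src.gateway or gw_vlan != src.vlan:
            continue
        # The hop forwards to any connected subnet unless an ACL denies it,
        # and the destination must really be on the VLAN that subnet lives on.
        out = r.interface_for(dst.iface.ip)
        if out is None:
            return False
        out_vlan, _ = out
        return r.permits(src.iface.ip, dst.iface.ip) and out_vlan == dst.vlan
    return False


def can_ping(a, b, routers):
    """A ping needs both directions to work."""
    return one_way(a, b, routers) and one_way(b, a, routers)


def scenario(acl=(), server_vlan=2):
    """Three hosts from the thread; returns which pairs can ping."""
    core = L3Device("adtran1", {
        1: ipaddress.ip_interface("172.16.50.126/24"),   # assumed VLAN1 SVI
        2: ipaddress.ip_interface("172.31.17.1/24"),     # assumed VLAN2 SVI
    }, list(acl))
    pc = Host("workstation", ipaddress.ip_interface("172.16.50.210/24"), 1,
              ipaddress.ip_address("172.16.50.126"))
    voip = Host("voip-server", ipaddress.ip_interface("172.31.17.50/24"),
                server_vlan, ipaddress.ip_address("172.31.17.1"))
    # Phone given a static 172.31.17.100 but plugged into an untagged VLAN1 port.
    phone = Host("phone", ipaddress.ip_interface("172.31.17.100/24"), 1)
    return {
        "pc->voip": can_ping(pc, voip, [core]),
        "phone->voip": can_ping(phone, voip, [core]),
    }


if __name__ == "__main__":
    print("no ACL, server on VLAN 2:", scenario())
    print("deny data->voice on the L3 hop:", scenario(acl=[(DATA, VOICE, False)]))
    print("server untagged on VLAN 1:", scenario(server_vlan=1))
```

Three runs tell the story. With no ACL the workstation reaches the VOIP server because the L3 hop has an IP on both VLANs and simply forwards. A single deny entry for 172.16.50.0/24 to 172.31.17.0/24 on that hop is enough to stop it. And if the server's frames are actually landing untagged in VLAN 1, the stray phone on a VLAN 1 port talks to it at layer 2 with no routing involved at all, while the workstation's routed path fails, which is the kind of "VLANs don't seem to matter" symptom seen earlier in the thread.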

Just now, sc302 said:

Because layer 3 routes by default. The master switch or firewall is saying it knows both networks and I will pass over to the other network. 

Ok, tomorrow should I try taking one of the phones and manually turning off LLDP-MED and placing it on VLAN2 to test traffic flow or is LLDP-MED doing this automatically?


1 minute ago, sc302 said:

lldp-med has zero to do with this, as in nothing.

Got it, on the VOIP phones however, the VLAN setting is greyed out until I disable LLDP-MED on the phone.


vlan really doesn't matter on the phones, unless you are connecting a pc to the pc port on the phone.  That is when you are trunking to the phone, which will require the phone to be on a tagged (pc lan) and untagged (default vlan) port.

 

For now, that feature is unnecessary....if you have a separate wall jack for the pc's.

 

 

edit: what voip phones do you have again?  would like to do some reading on them.

3 minutes ago, sc302 said:

vlan really doesn't matter on the phones, unless you are connecting a pc to the pc port on the phone.  That is when you are trunking to the phone which will require the phone to be on a tagged (pc lan) and untagged (default vlan) port. 

 

For now that feature is unnecessary, if you have a separate wall jack for the pc's.

Yeah we don't, we are passing the PC through the phones, which BTW is working fine on the couple of test phones. The PCs are 172.16.50.x and the IP phone is 172.31.17.x.

 

I think my only concern with this really is setting up the VLAN and enabling QoS settings for VLAN2 over VLAN1 for traffic priority. There will only be a total of 70 phones, all over gigabit. What are your thoughts on that? At max we have about 10 concurrent calls going at a time.

 

If none of this is really necessary, I am fine with leaving the VLAN stuff alone and just keeping the two subnets on separate interfaces on the Sonicwall and not touching the QoS stuff.

Just now, sc302 said:

qos should be handled on the sonicwall side. 

 

Ok so since the X0 LAN and X4 LAN interfaces are handling the traffic between the two, I should look at the QoS settings in the Sonicwall.

 

In the case of the VLAN 1 and 2 settings on the Adtran switches, should I even leave the VLAN2 setting in all of them if I am not using it?


yes on the qos on sonicwall

 

 

To clarify,

x0 physical

x4 physical

are both plugged into the first switch?

 

If that is the case, then all subsequent switches should be trunking.  None should have an ip on those vlans.

 

The switches can have their own management vlan with ip associated to it, but the sonicwall should handle the routing to that vlan and one of the switches will need to have an ip address on either vlan where the sonicwall knows what to contact to get to that subnet.  I hope that makes sense. 


4 minutes ago, sc302 said:

yes on the qos on sonicwall

 

 

To clarify,

x0 physical

x4 physical

are both plugged into the first switch?

 

If that is the case, then all subsequent switches should be trunking.  None should have an ip on those vlans.

 

The switches can have their own management vlan with ip associated to it, but the sonicwall should handle the routing to that vlan. 

Correct, x0 and x4 are plugged into the first adtran switch. The ports that x0 and x4 are plugged into on that switch are set to "trunked". Nothing changes however traffic wise if I turn "trunked" to "Default vlan1" and I have 0 settings in the Sonicwall for VLANs setup.

 

EDIT: Also I have no other switching ports set to "trunked" either down the line


that is fine. 

 

in the sonicwall, you can make the firewall rules so they do not talk to each other....if that is how you want it.