Vlan to separate VOIP from PC's


20 replies to this topic

#1 +djdanster

djdanster

    Neowin elite

  • Tech Issues Solved: 2
  • Joined: 28-October 08
  • Location: England, Great Britain
  • OS: Windows 8.1
  • Phone: Samsung Galaxy S4 White Frost

Posted 05 February 2014 - 09:43

I've just started a new job and I've immediately been tasked with setting up a vlan within the network and unfortunately this is not my field of best expertise (networking as a whole - I'm ###### at it).

 

The final objective would be to separate off the voip phones from the client PC's. Future will be to separate off cctv into their own vlan (but that's a different post for a different time).

 

192.168.1.1 --> 192.168.1.49 - reserved for networking devices and servers.

192.168.1.50 --> 192.168.1.99 - reserved for VOIP telephony.

192.168.1.100 --> 192.168.1.200 - reserved for DHCP, over ethernet and wireless via 2 access points.

192.168.1.201 --> 192.168.1.253 - reserved for printers and CCTV.

192.168.1.254 - reserved for main router.

 

Switches connecting the phones and computers are Netgear GS108T - fully managed (so capable of vlan?)

 

If you need any more info, I'll gladly list off the other devices.

 

What method would you recommend? tagging or port? Is one method outdated?




#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 February 2014 - 14:32

You do understand you're breaking up your network at non subnet borders.. There is no mask that breaks up a network at those numbers.  Seems more like address management inside 1 /24 vs actual vlans or network segments / subnets.  Which sure you can use what specific address in a segment for specific things but that is not vlans.

 

A /27 would give you 30 useable addresses, and /26 would give you 62.. There is no real easy simple way to break up your network into those numbers.  But why are you limiting yourself to 1 /24?  That is rfc1918 space why not just use multiple /24's to make it simple to easily see the borders.  Keep in mind for every subnet/segment/vlan you break out you're going to lose the wire and the broadcast in that segment.  You need to keep that in mind when subnetting say a /24 into smaller segments.  I really suggest you KISS

 

192.168.1.0/24 - network equipment and routers (infrastructure)

192.168.2.0/24 - VOIP

192.168.3.0/24 - Printers

192.168.4.0/24 - CCTV

192.168.5.0/24 - Wired clients

192.168.6.0/24 - Wireless

 

Just quick off the top, you could combine those if you wanted like wireless and wired on same segment via AP, etc.

 

As to tagging or ports - that would depend on what network equipment are you working with..  You could do it completely physical where you use dumb switches for each network segment, and just your core switch/router has to have interfaces on the different network segments.  Or you could just vlan with tags if your switches support it.

 

What network hardware do you have, router, switches make and models?

 

BTW here is a great cheatsheet for subnets you might want to print out and post on your office/cube wall, etc.

 

http://media.packetl..._Subnetting.pdf

 

ipv4subnet.png



#3 OP +djdanster


Posted 05 February 2014 - 17:45

Under Construction - Geez I'm such a retard.



#4 +BudMan


Posted 05 February 2014 - 17:50

So per your pm you want me to dumb it down more..  But not sure where you're confused..  Do you not know what a subnet is?  Or what a mask is?

 

What equipment are we working with? 

 

So if I give you an address like 192.168.1.0/24 - do you not know what that means, what about say 192.168.1.128/25

 

What is say 192.168.0.127/25 ?

 

I am more than happy to go over basic network with you or anyone - but how basic do we have to take it?



#5 OP +djdanster


Posted 05 February 2014 - 17:57

So per your pm you want me to dumb it down more..  But not sure where you're confused..  Do you not know what a subnet is?  Or what a mask is?

 

What equipment are we working with?

 

Ok, scrap what I was going to post above.

 

I understand what a subnet is, but not a mask.

 

The equipment in the cabinet and various other places is:

 

1. Patch panel

2. Avaya 1152A1 PDU - for Cisco phones & POE AP's

3. Netgear Prosafe SRX5308 Firewall

4. Thomson Speedtouch Gateways - x4

5. Bonded internet gateway

6. Netgear Prosafe 24 Port Smart Switch GS724T

 

Under each desk, there is a Netgear GS108T managed switch... And 2 POE AP's across the building.

 


So if I give you an address like 192.168.1.0/24 - do you not know what that means, what about say 192.168.1.128/25
 
What is say 192.168.0.127/25 ?
 
I am more than happy to go over basic network with you or anyone - but how basic do we have to take it?

 

 

That is what it draws a blank. I did this in CCNA1 however I really fully understood it.

Edited by djdanster, 05 February 2014 - 18:00.


#6 TPreston

TPreston

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 05 February 2014 - 17:59

K.I.S.S! ditch 192.168.whatever and go for 10.0.x.x/24 simpler to type and remember!

10.0.0.0/24 - network equipment and routers (infrastructure)
10.0.1.0/24 - VOIP
10.0.2.0/24 - Printers
10.0.3.0/24 - CCTV
10.0.4.0/24 - Wired clients
10.0.5.0/24 - Wireless

Think of these subnets as separate networks/switches that need to be plugged into a router or secure gateway.



#7 OP +djdanster


Posted 05 February 2014 - 18:09

You do understand you're breaking up your network at non subnet borders.. There is no mask that breaks up a network at those numbers.  Seems more like address management inside 1 /24 vs actual vlans or network segments / subnets.  Which sure you can use what specific address in a segment for specific things but that is not vlans.

 

A /27 would give you 30 useable addresses, and /26 would give you 62.. There is no real easy simple way to break up your network into those numbers.  But why are you limiting yourself to 1 /24?  That is rfc1918 space why not just use multiple /24's to make it simple to easily see the borders.  Keep in mind for every subnet/segment/vlan you break out you're going to lose the wire and the broadcast in that segment.  You need to keep that in mind when subnetting say a /24 into smaller segments.  I really suggest you KISS

 

I don't quite understand this.

 

192.168.1.0/24 - network equipment and routers (infrastructure)

192.168.2.0/24 - VOIP

192.168.3.0/24 - Printers

192.168.4.0/24 - CCTV

192.168.5.0/24 - Wired clients

192.168.6.0/24 - Wireless

 

Just quick off the top, you could combine those if you wanted like wireless and wired on same segment via AP, etc.

 

Sorry, yes what is in the OP is what it's currently like, not what I want the final project to end up with. What you have listed is ideal. I'd probably still keep the wireless and wired together on one segment.

 

As to tagging or ports - that would depend on what network equipment are you working with..  You could do it completely physical where you use dumb switches for each network segment, and just your core switch/router has to have interfaces on the different network segments.  Or you could just vlan with tags if your switches support it.

 

I'd prefer if I could keep the current equipment, so whatever's compatible with the hardware.

 

What network hardware do you have, router, switches make and models?

 

Equipment is listed in the post above.

 

BTW here is a great cheatsheet for subnets you might want to print out and post on your office/cube wall, etc.

 

http://media.packetl..._Subnetting.pdf

 

ipv4subnet.png

 

Cheers, I've printed this off!


K.I.S.S! ditch 192.168.whatever and go for 10.0.x.x/24 simpler to type and remember!

10.0.0.0/24 - network equipment and routers (infrastructure)
10.0.1.0/24 - VOIP
10.0.2.0/24 - Printers
10.0.3.0/24 - CCTV
10.0.4.0/24 - Wired clients
10.0.5.0/24 - Wireless

Think of these subnets as separate networks/switches that need to be plugged into a router or secure gateway.

 

I've seen this before and it looks a lot cleaner than what we currently have 192.168.1.x...



#8 +Bryan R.

Bryan R.

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 04-September 07
  • Location: Palm Beach, FL

Posted 05 February 2014 - 18:12

I just want to add that you should use something other than 192.168.1.0 simply to avoid any IP conflicts with devices that anyone in the company could plug in.



#9 OP +djdanster


Posted 05 February 2014 - 18:33

I just want to add that you should use something other than 192.168.1.0 simply to avoid any IP conflicts with devices that anyone in the company could plug in.


Would the DHCP not stop this from conflicts?

#10 +BudMan


Posted 05 February 2014 - 18:36

Ok 10.0 is easier to type I will give you that ;) heheh

 

"Under each desk, there is a Netgear GS108T managed switch"

 

What??  Why?

 

As to you know what a subnet is - but you don't know what a network mask is?  So 255.255.255.0 confuses you?  That is the same as /24

 

4. Thomson Speedtouch Gateways - x4

5. Bonded internet gateway

 

So you have 4 internet connections -- that you load balance with?  So what's your current network landscape -- just the 1 192.168.1.0/24?



#11 +Bryan R.


Posted 05 February 2014 - 18:37

If someone went out and got a Linksys AP or whatever and it had a default IP of 192.168.1.1 and say your firewall was .1.1, there would certainly be a conflict and DHCP would not be involved at all. Further, depending on what device is hosting DHCP, if they did the same with a router, your DHCP server could see that router is also a DHCP server and turn itself off to avoid conflict. Just food for thought.



#12 +BudMan


Posted 05 February 2014 - 18:59

And someone plugging in network gear to your network is a problem on its own let alone conflict with your IP space.

In my example the 192.168.1.0/24 is for infrastructure, not ports on the floor - so even if users plugged the lan port of their linksys router into the port at their desk.  It would not be on a 192.168.1.0/24 network - so no conflict.  Are you saying users are getting into the computer room/DC and plugging their home hardware into switches there that are on the 192.168.1.0/24 network?? ;)

Your point is valid if you're on a flat network that is only the 192.168.1.0/24 for everything and the ports the users have access to would be on that network - and then you're not running any sort of NAC or NAP or even port security..  What sort of company would allow users to plug in equipment to a port?  At min there should be port security setup so if the user unplugs their PC/Laptop they can not plug in something -- that would prevent your scenario where someone plugs in something that conflicts with your router's IP ;)

Let's say you're small, etc.. and user plugs in something that takes down your network..  Wouldn't that user be let go, or at least shamed on the common area wall for all other users to see and prevent that from happening again ;)



#13 +Bryan R.


Posted 05 February 2014 - 19:20

And someone plugging in network gear to your network is a problem on its own let alone conflict with your IP space.

In my example the 192.168.1.0/24 is for infrastructure, not ports on the floor - so even if users plugged the lan port of their linksys router into the port at their desk.  It would not be on a 192.168.1.0/24 network - so no conflict.  Are you saying users are getting into the computer room/DC and plugging their home hardware into switches there that are on the 192.168.1.0/24 network?? ;)

Your point is valid if you're on a flat network that is only the 192.168.1.0/24 for everything and the ports the users have access to would be on that network - and then you're not running any sort of NAC or NAP or even port security..  What sort of company would allow users to plug in equipment to a port?  At min there should be port security setup so if the user unplugs their PC/Laptop they can not plug in something -- that would prevent your scenario where someone plugs in something that conflicts with your router's IP ;)

Let's say you're small, etc.. and user plugs in something that takes down your network..  Wouldn't that user be let go, or at least shamed on the common area wall for all other users to see and prevent that from happening again ;)

Hey, in a company where proper policies are in place backed up with HR, certainly you would be spot on. And very good point about plugging in on the floor and being on a different VLAN and thus a non-issue - if VLANs are in place.



#14 OP +djdanster


Posted 05 February 2014 - 20:07

Ok 10.0 is easier to type I will give you that ;) heheh

 

"Under each desk, there is a Netgear GS108T managed switch"

 

What??  Why?

 

As to you know what a subnet is - but you don't know what a network mask is?  So 255.255.255.0 confuses you?  That is the same as /24

 

4. Thomson Speedtouch Gateways - x4

5. Bonded internet gateway

 

So you have 4 internet connections -- that you load balance with?  So what's your current network landscape -- just the 1 192.168.1.0/24?

 

I have no idea why the other guy put them in. Wouldn't a basic unmanaged switch have done the job?

 

So the /24 defines that I can have a max of 256 addresses (ref that pdf)? How is that possible? I thought the max it could do was 255? Does it spill into the next 192.168.2.x? This is exactly what I didn't understand when I did my CCNA1.

 

Correct. I have 4 internet connections that are load balanced. Currently, just 1 192.168.1.xxx network. It's only a small office/warehouse.



#15 +Bryan R.


Posted 05 February 2014 - 20:16

I have no idea why the other guy put them in. Wouldn't a basic unmanaged switch have done the job?

 

So the /24 defines that I can have a max of 256 addresses (ref that pdf)? How is that possible? I thought the max it could do was 255? Does it spill into the next 192.168.2.x? This is exactly what I didn't understand when I did my CCNA1.

 

Correct. I have 4 internet connections that are load balanced. Currently, just 1 192.168.1.xxx network. It's only a small office/warehouse.

256 addresses including .0 and .255. 255 is broadcast. Not a valid IP to use. 254 usable.
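
The subnet arithmetic discussed in this thread (why the opening post's address ranges sit on no subnet border, how a /24 has 256 addresses but 254 usable, and what 192.168.0.127/25 is), worked through as an added example that is not part of any poster's reply. It uses only Python's standard ipaddress module; the function names are chosen here for illustration.

```python
import ipaddress

# Address ranges from the opening post, all inside the one 192.168.1.0/24.
OP_RANGES = {
    "network devices and servers": ("192.168.1.1", "192.168.1.49"),
    "VOIP telephony": ("192.168.1.50", "192.168.1.99"),
    "DHCP clients": ("192.168.1.100", "192.168.1.200"),
    "printers and CCTV": ("192.168.1.201", "192.168.1.253"),
}

def cidr_blocks(first, last):
    """Smallest list of CIDR blocks covering exactly first..last.
    A range that is a real subnet comes back as a single block."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]

def describe(cidr):
    """Mask, network ("wire") address, broadcast and host counts of a subnet."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return {
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        # Network and broadcast addresses are not assignable to hosts
        # (true for the prefix lengths used in this thread, /24 to /27).
        "usable": net.num_addresses - 2,
    }

def role_of(addr_with_prefix):
    """Say whether an address is the network, the broadcast or a host address."""
    iface = ipaddress.IPv4Interface(addr_with_prefix)
    if iface.ip == iface.network.network_address:
        return "network"
    if iface.ip == iface.network.broadcast_address:
        return "broadcast"
    return "host"

if __name__ == "__main__":
    for name, (first, last) in OP_RANGES.items():
        blocks = cidr_blocks(first, last)
        print(f"{name}: {first}-{last} needs {len(blocks)} blocks: {blocks}")
    for cidr in ("192.168.1.0/24", "192.168.1.0/26", "192.168.1.0/27"):
        print(cidr, describe(cidr))
    for addr in ("192.168.1.0/24", "192.168.1.128/25", "192.168.0.127/25"):
        print(addr, "is a", role_of(addr), "address")
```
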