Getting computers and phones on the correct VLAN regardless of switch port?
-
I'm not super experienced with VLANs yet, so I'm trying to wrap my head around this.
I have switches with only the data network running on the default VLAN ID 0, un-tagged. I want to add a new VLAN ID 5 for voice traffic. I want to have it so that no matter what switch port I plug in a computer or phone to, they end up on the correct VLAN.
To clarify even more: If I plug in a computer on switch port Gi0/0/3, it would only talk on the data VLAN. If I plug in a phone set to switch port Gi0/0/3, it would only talk on the voice VLAN. In this case, I am assuming I would set all switch ports to trunk mode and then I would have to configure each one of the phone sets to have their Ethernet traffic tagged right away for VLAN 5.
This is the only way I can see it working. Otherwise, I would have to plug computers into data VLAN switch ports and phones into voice VLAN switch ports.
Do I have this right?
-
Why are you segregating voice and data traffic?
-
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN despite the switch port.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
-
You might be able to use a NAS (network access service) to do this for you based on MAC or something.
You’re description says you’re doing this manually on the switch or manually on the computer.
-
But I agree with Coliver, why are you splitting the traffic?
There is a persistent belief that voice traffic needs to be separated from data traffic for QOS reasons. But what is often completely over looked is the QOS only kicks in when a switch/port is at 100% saturation. If you are there you likely have other issues to fix first.
-
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
I know Cisco has VMPS, which requires a separate server and database. I believe that for the Dell PowerConnects you would most likely need to setup an individual RADIUS server to do 802.1x authentication.
-
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN despite the switch port.
If this is for VoIP, the answer is "you don't". VLANs undermine VoIP traffic. It adds bottlenecks and makes QoS harder.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any secure. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
-
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
-
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
It can be, VLANs can aid in security under the right conditions. In this example, if he moved from tagged to assigned port VLANs, and then added port security to make sure unassigned devices could not be added to the ports, then it could provide some separation security.
All based around LAN security, though, which is inherently insecure, so better to secure the traffic than to use VLANs. But short of going LANless, there are cases where you can make VLANs add a little security.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any secure. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
VLANs CAN be used for that. The most common reason is "error", at least in these examples.
VLANs when used for things like guest networks, that's security for sure, and very effective. Easy to enforce, clear separation of traffic.
When it comes to VoIP, VLANs aren't for security or management, not really. They don't affect security in any meaningful way, and they make management way harder.
-
If you want the phones and computers to get the correct VLAN, you need to then tag every single port on the switches involved and then configure either by DHCP option or manually on each device to get the VLAN assigned to the device. That means a lot of manual work besides using the DHCP option on your DHCP server for the phones at least.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any secure. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of which is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any secure. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of which is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5 thus forcing any devices plugged into those ports to be on that VLAN?
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separating out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any secure. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of which is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5 thus forcing any devices plugged into those ports to be on that VLAN?
Right. Ports 1-10 on VLAN 5, 11-24 on VLAN 0. As long as you control what gets plugged into them, the VLANs are essentially air tight.
-
This port ID system is great, too, if you want to be able to move equipment around quickly. Make white wall ports for PCs, yellow for phones. Yeah, it takes twice as many wall ports, but it is SO easy to set up.
