VoIP and Data on different Vlans

Unanswered Question
Dec 14th, 2006

Hi guys,

Actually we have both services on the same native vlan (1). A Cisco IP phone connected to a floor switch acts as a switch too for the PC directly connected.

We have implemented QoS, but we like to migrate the Voice into a new different Vlan.

My question is:

If data stay on native vlan and Voice into a new one... no problem.

If we want to remove the native vlan and create two new vlans, each for a different service, is it a problem for the IP phone to manage 2 tagged traffic? One for itself and one for the PC (and for sure remove the tag).

Any suggestion?

Thank you and

Best Regards,

G.

Rob Huffman Thu, 12/14/2006 - 05:56

Hi Graziano,

Here are some good Cisco Voice SRND recommendations that support splitting Voice and Data onto separate VLANs:

When you deploy voice, Cisco recommends that you enable two VLANs at the access layer: a native VLAN for data traffic and a voice VLAN under Cisco IOS or Auxiliary VLAN under CatOS for voice traffic.

Separate voice and data VLANs are recommended for the following reasons:

Address space conservation and voice device protection from external networks

Private addressing of phones on the voice or auxiliary VLAN ensures address conservation and ensures that phones are not accessible directly via public networks. PCs and servers are typically addressed with publicly routed subnet addresses; however, voice endpoints should be addressed using RFC 1918 private subnet addresses.

QoS trust boundary extension to voice devices

QoS trust boundaries can be extended to voice devices without extending these trust boundaries and, in turn, QoS features to PCs and other data devices.

Protection from malicious network attacks

VLAN access control, 802.1Q, and 802.1p tagging can provide protection for voice devices from malicious internal and external network attacks such as worms, denial of service (DoS) attacks, and attempts by data devices to gain access to priority queues via packet tagging.

Ease of management and configuration

Separate VLANs for voice and data devices at the access layer provide ease of management and simplified QoS configuration.

From this SRND doc:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c42.html

The Cisco Unified IP Phone has an internal Ethernet switch, enabling it to switch incoming traffic to the phone, to the access port, or to the network port.

If a computer is connected to the access port, the computer and the phone share the same physical link to the switch and share the same port on the switch. This shared physical link has the following implications for the VLAN configuration on the network:

Data traffic present on the VLAN supporting phones may reduce the quality of Voice-over-IP traffic.

You can resolve these issues by isolating the voice traffic onto a separate VLAN on each of the ports connected to a phone. The switch port configured for connecting a phone would have separate VLANs configured for carrying:

Voice traffic to and from the IP phone (auxiliary VLAN)

Data traffic to and from the PC connected to the switch through the access port of the IP phone (native VLAN)

Isolating the phones on a separate, auxiliary VLAN increases the quality of the voice traffic and allows a large number of phones to be added to an existing network where there are not enough IP addresses.

From this good doc:

http://www.cisco.com/en/US/products/hw/phones/ps379/products_administration_guide_chapter09186a008066c7ce.html#wp1055525

Virtual LAN

Cisco VLAN technology, built into Cisco routers, Cisco Catalyst switches, and Cisco Aironet wireless access points, separates the physical network into multiple logical networks - for example, one each for a company's HR, sales, marketing, engineering, and finance organizations. A basic technique for voice security is to create a separate VLAN for voice. One advantage is that traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs, and data traffic cannot cross over to the voice VLAN. Another advantage is that IT can assign a unique class of service for the voice VLAN to ensure that voice traffic receives priority over data traffic.

From this Security doc:

http://www.cisco.com/en/US/netsol/ns641/networking_solutions_white_paper0900aecd80460724.shtml

Hope this helps!

Rob

Please remember to rate helpful posts.....

foster@softbank... Thu, 12/14/2006 - 20:43

I think the setting on the switch is like this.

When you are done with that trunk set on the port connected with the IP phone.

interface Vlan10
 description Data VLAN 10
 ip address 64.100.10.11 255.255.255.0

interface Vlan110
 description Voice VLAN 110
 ip address 10.100.10.11 255.255.255.0
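
An added example, not part of either reply above: a sketch of the phone-facing port on a Catalyst access switch running Cisco IOS, showing the shared VLAN 1 setup from the question beside a port with separate data and voice VLANs. VLAN IDs 10 and 110 are taken from the post above; the interface name, the VLAN names and the QoS lines (whose syntax varies by platform) are assumptions.

```cisco
! --- Before (as described in the question) ---
! Phone and PC both sit in the default VLAN 1; nothing separates
! voice from data on this port.
interface FastEthernet0/1
 switchport mode access
!
! --- After: separate data and voice VLANs, VLAN 1 unused on the port ---
vlan 10
 name DATA
vlan 110
 name VOICE
!
interface FastEthernet0/1
 description IP phone with PC on its access port (hypothetical port)
 switchport mode access
 ! PC frames arrive untagged and are placed in the data VLAN
 switchport access vlan 10
 ! The phone learns this VLAN via CDP and tags its own frames with 802.1Q
 switchport voice vlan 110
 ! Phone rewrites CoS on frames from the PC to 0, so the PC cannot
 ! mark its way into the priority queue
 switchport priority extend cos 0
 ! Trust CoS only while a Cisco phone is detected on the port
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
```

With this configuration the phone tags only its own voice frames (VLAN 110); the PC's frames cross the phone untagged and the switch places them in VLAN 10, so VLAN 1 carries neither service on this port.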

Posted December 14, 2006 at 4:04 AM