Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Local Vlan Questions

I am trying to see if I understand how vlan's work and have a few vlan quesiton. We have multiple remote sites that connect to our Main office. Each remote site has a router with the following configuration:

int gi0/0.5

  desc Voice Vlan

  encap dot1q 5

  ip address

At each remote site, the switches have been configured with vlan5.

Vlan5 is used to connect the phones at the remote sites to CallManager which is located at our Main office.

The Main Office has a 3750 metro with the following configuration

int vlan5

  ip address

My questions are:

1. Is it true that the network exist only at the remote site and other remote sites will not see it (network stops at the remote sites router)?

2. Is it true that voice traffic from the remote site is routed from the remote site's router to the District office?

3. Is there any kind of security risk with the above configuration?

Everyone's tags (3)
Hall of Fame Super Silver

Re: Local Vlan Questions

Hello Dtom,

I guess that second byte in District Office is different than that used at Remote Office.

For your questions

1)  each remote office has a Voice Vlan for IP phones with associated an IP subnet that is confined in the remote office. IP communication between these IP subnets is required to be able to place and receive phone calls (the bearer voice stream is directly between IP phones, call manager is consulted only for call setup).

2) yes, routing allows the IP phones to register with Call manager at central site.

3) there might be or not there isn't enough information to comment on this.

Generally speaking, some security improvement can be provided by the adoption of VRF lite or MPLS VPN so that the VOIP IP subnets are kept separated. In alternative IP ACLs can be used so that the Call Manager can be reached only by IP phones subnets and from VOIP gateways. In some setup there is a FW or FW pair protecting the Call Manager cluster.

Hope to help