So the good people I work for are expanding the office by adding another floor. I thought this would be a good time to segment. Our current network is flat, VOIP phones and all servers/PCs on the same 192.168.1.0 network. Currently, there are non-Cisco switches in place. While they are "managed" switches, no VLANs are configured.
We have purchased (4) Cisco SG300 switches that I must deploy in the next week. We will have the following VLANS:
Vlan10 192.168.2.x = Vlan on the new first floor. It will consist of VOIP phones (non Cisco) and laptops/PCs plugged into phones. This VLAN will need access to everything in VLAN 20 because that is where the Domain Controller, Windows DHCP, Exchange, VOIP Server, etc., is located. They will also need Internet access, which is provided via the firewall at 192.168.1.1.
Vlan20 192.168.1.x = This VLAN must be able to reach all other VLANS and will host all servers, along with a dozen VOIP phones with PC's connected.
Vlan30 192.168.3.x = I would like to be able to separate out the guest wireless on the new first floor office if possible. Only needs internet access and
Vlan40 172.16.4.x = DMZ subnet which VLAN 10 and VLAN 20 must be able to reach. This DMZ is configured in the firewall (SonicWall) via designated port.
Vlan50 = Phones... I have no idea.
See attached file for what I envision.
My questions are:
1) Do I need to make the switch at 192.168.1.20 a Layer 3 switch and have it route the inter-VLAN traffic? If so, can a Layer 3 switch also have access ports? There are several servers that need to be plugged into that switch and I am not sure whether, when it is converted to Layer 3, it will still do access ports.
2) Phones: not sure how to get them into a voice VLAN and then have the PC connected to the phone be in a different VLAN.
I have a week to work through all of this. Any help is appreciated.
Looks like you have some work ahead!
1) Something on your network will have to do the inter-VLAN routing and provide the interfaces for routing. It can be your router, or a layer 3 switch. A layer 3 switch can indeed have access ports which allow only one vlan. One thing to note: when changing one of these switches to layer 3, the configuration will be wiped and you will have to start over, so make this decision first.
2) The great news is that the SG300s provide a great voice vlan feature. Please make sure all switches are on the latest firmware available as this will help. If your phones support CDP then they will be automatically detected and added to the voice vlan. This will allow you to have phones and PCs on the same port. Make sure to create all the vlans you will need and then specify which vlan will be your voice vlan.
Here is a link to the admin guide. Just search through it and if you get stumped on something feel free to post again.
Stumped on the voice vlan. Because every desk has a non-Cisco IP phone (it says it will support CDP though) and laptop behind the phone, do I set the port to be a trunk or an access port on the switch?
do I set the port to be a trunk or an access port on the switch?
This will depend on the manufacturer of the VoIP phone. Some phones will play "nice" with Cisco/Linksys but others will be a handful.
Another thing to consider when you are deploying PoE switches and VoIP phones: TDR.
Make sure you have a full-blown TDR tester that is capable of testing ALL FOUR PAIRS.
You will want to set the port to trunk mode. As long as the switch is on the latest firmware and the phone does support CDP, it should be discovered. As leolaohoo mentioned, sometimes 3rd party products have an issue, but if they have CDP it should work.
For the auto-voice vlan to work, you would want to set two things. First, make sure the voice vlan itself has been created and specified under the voice vlan tab. Second, make sure that you are using CDP to discover the phones and not the telephony-OUI option.
If you are having trouble getting it to work, then feel free to call the support center.
So in my example, I could set the port to trunk with VLAN 50 tagged and VLAN 10 untagged and the phone would get one IP range (let's call it 192.168.50.x) and the laptop would get a 192.168.2.x (keeping in mind I need those ranges set up in my DHCP server)?
I could set the port to trunk with VLAN 50 tagged and VLAN 10 untagged
Yes and no. This depends on what kind of switch you have. If you have the Catalyst range of switches, you can create two kinds of VLANs: VLAN 10 (data) and 50 (voice). In your Catalyst switch you can enable voice and data on the same switchport:
switchport access vlan 10
switchport voice vlan 50
I have the SG300 series, which I do not believe supports the vlan config the same as the Catalyst, with the access port having the switchport voice command.