RESET Forums (homeservershow.com)
Poppapete

VLAN on 24 port switch.


Poppapete

Since going fibre my ISP has given me a "free" VoIP #. It seems a good idea to set up a separate VLAN for this. So I set up 2 new VLANs, leaving the default with nothing. But when I transfer all the ports I will lose contact with the management interface. Thought about leaving one port on the default VLAN for access via a laptop, switching the management interface over, then accessing it from the desktop and disabling that port. Will that work?

 

Don't want to set everything up, lose access and have to factory reset the switch to get in!

 

:(

Jason

I never quite understood the purpose or benefits of VLANs. Would you mind sharing?

jem101

Yes, your idea will work - or at least it should, but there really is no need to set up two VLANs if all you want to do is to segregate off your SIP traffic. Leave your PC/laptop etc. on the default management VLAN (probably 1) and create a new VLAN for your VoIP traffic. Don't forget the frame tagging on the trunk port out to your router.

 

 

Technically a VLAN is used to segregate broadcast domains, i.e. if a device attached to a switch port in VLAN 3 sends out broadcast frames, then these are only received by devices also attached to ports in VLAN 3 and aren't forwarded to the other ports, which would normally be the case with a switch. You could think of it as a way of minimising unnecessary traffic being received by devices which don't need to see it.

Poppapete

I never quite understood the purpose or benefits of VLANs. Would you mind sharing?

 

Security and for QoS, fewer "crashes" on the LAN.

 

Yes, your idea will work - or at least it should, but there really is no need to set up two VLANs if all you want to do is to segregate off your SIP traffic. Leave your PC/laptop etc. on the default management VLAN (probably 1) and create a new VLAN for your VoIP traffic. Don't forget the frame tagging on the trunk port out to your router.

 

I will see if my TPG will allow changes to the default VLAN; if so then problem solved. I was going to set up 4 VLANs:

Network - for all

DATA - for all except VoIP

VoIP - for VoIP

Cameras - for my security Cameras

 

I even thought of one for my wireless AP for added security, but best to try one extra for the VoIP to start.

 

I was also going to set all ports as General and Untagged. Should I set the port connected to my Sophos differently?

 

EDIT: VLAN 1, the default VLAN, cannot be edited or deleted - so on factory reset you can get into it.

jem101

You probably will need to get your hands dirty with the weird and wacky world of frame tagging, but how much so depends on exactly what it is you are trying to do and what your equipment is capable of.

 

So imagine this situation: I want to have my data traffic and my VoIP traffic kept as separate as possible, so I decide to connect everything up to a managed switch and use VLANs to effectively create two separate networks but all using the same switch. I decide to create two separate networks, one for data with IP addresses of 192.168.100.0/24 (where the /24 is the CIDR notation for a subnet mask of 255.255.255.0, so in this instance the valid addresses on this network are 192.168.100.1 - 192.168.100.254) and a separate network for VoIP traffic on 192.160.200.0/24. And I create two VLANs with IDs of 100 and 200 to do this - we'll leave VLAN 1 (the default management VLAN) alone.

 

Let's imagine I have a router with an IP address of 192.168.100.1, two PCs with addresses of 192.168.100.10 and .11, and two VoIP devices whose IPs are going to be 192.168.200.10 and 200.11. So you can see I'll have two separate IP networks and devices on each of them won't be aware of what's on the other one. I plug my router into port 1 and the two PCs into ports 2 and 3 - on the switch I 'untag' ports 1-3 to be on VLAN 100.

 

Yes, I know the terminology is a bit 'backwards' - why do I untag a port to assign it to a VLAN? Well, the logic is: if switch ports 1-3 see an ethernet frame coming along which doesn't have any VLAN tag information already, then assign it to VLAN 100 and send it on its way.

 

And this will all work fine - the two PCs can see each other (assuming that they have the right IP addresses in the right range), they can see the router and get out to the internet.

 

So the next step is to untag ports 4 and 5 on VLAN 200 and connect my two VoIP devices to them. The two devices will see each other (again assuming they have the right addresses) and they won't see the two PCs - which is what we want - except they won't see the router either and won't get out to the internet, which isn't what we want.

 

There are two big problems here. Firstly, the VoIP devices are on a different network with a different IP range to the router. Now the way to fix this is to have a switch which is capable of routing between the two networks - a so-called layer-3 switch. In this scenario we would also need to configure the switch to have an IP address on each of the two networks. This is called the VLAN interface address (in fact technically a switch doesn't have an IP address itself; what it has is one or more VLAN interface addresses). We define a VLAN interface address on the right subnet for VLAN 100 and VLAN 200 and the switch can then, itself, properly route traffic between them.

 

Now if you don't have a layer-3 switch then there are other things you could do: you could let the VoIP devices be on the same subnet as the PCs etc. That will take away some of the advantages of VLANs (in particular they will be able to ping each other and will all receive broadcast traffic) but it's still better than nothing. Alternatively you may be able to configure your router to route traffic between the VLANs externally - an arrangement which goes by the wonderful name of 'router-on-a-stick'.

 

The second issue is that the port which the router is connected to is on VLAN 100, so it will drop any traffic from the VoIP devices because they have all been 'tagged' as being VLAN 200 (see above). So what we need to do is tag port 1 to be on VLANs 100 and 200. That way the port will pass traffic on either VLAN and hence your VoIP devices will be able to see the internet.

 

Lastly, if you do have two completely separate subnets then you will also have an issue of IP address assignments: DHCP requests don't traverse VLANs without the use of what's called a DHCP helper address setting in the switch and all the inter-VLAN routing being set up.

 

This is how it is done properly, but it does get very complex, very quickly. What I'd be tempted to do is to set up your VLANs but keep everything on the same subnet, at least for now, which means you won't need to worry about the interface addresses or VLAN routing and you'll still get some of the benefits of keeping the traffic separate. You will absolutely have to tag the port to which your router is attached to pass traffic on all the defined VLANs.

 

Hope this helps a bit

 

John
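To make the untagged/tagged port behaviour in John's walkthrough concrete, here is a small model of 802.1Q ingress and egress handling on a switch with his port layout (router on port 1, PCs on 2-3 in VLAN 100, VoIP on 4-5 in VLAN 200). This is example code added to the thread, not the forum's, TP-Link's or Sophos's code; the port numbers and VLAN IDs are taken from the post and the forwarding rules are a simplified textbook model, not any particular switch's firmware.

```python
"""Toy 802.1Q forwarding model for the thread's scenario (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                      # VLAN assigned to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)  # VLANs this port carries with an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    src_port: int
    vlan: Optional[int] = None                     # None = frame arrived without a VLAN tag


def forward(ports: Dict[int, Port], frame: Frame) -> Dict[int, Optional[int]]:
    """Flood a broadcast frame and return {egress_port: tag_on_the_wire_or_None}.

    Ingress: an untagged frame takes the port's PVID ("untag the port onto VLAN 100");
    a tagged frame is accepted only if the ingress port is a tagged member of that VLAN,
    otherwise it is dropped (ingress filtering, which stops a host from injecting tags).
    Egress: the frame goes to every other member port; the tag is stripped where the
    VLAN is the port's PVID and kept where the port is a tagged member (trunk).
    """
    ingress = ports[frame.src_port]
    if frame.vlan is None:
        vlan = ingress.pvid
    elif frame.vlan in ingress.tagged:
        vlan = frame.vlan
    else:
        return {}                                  # not a member of that VLAN: drop
    out: Dict[int, Optional[int]] = {}
    for pid, port in ports.items():
        if pid == frame.src_port:
            continue
        if port.pvid == vlan:
            out[pid] = None                        # leaves untagged (access port)
        elif vlan in port.tagged:
            out[pid] = vlan                        # leaves tagged (trunk to router)
    return out


def build_ports(router_trunk: bool) -> Dict[int, Port]:
    """Ports 1-3 untagged on VLAN 100, ports 4-5 untagged on VLAN 200.
    With router_trunk=True, port 1 is additionally tagged for VLAN 200 (John's fix)."""
    ports = {1: Port(100), 2: Port(100), 3: Port(100), 4: Port(200), 5: Port(200)}
    if router_trunk:
        ports[1].tagged.add(200)
    return ports
```

Before tagging port 1, a broadcast from a VoIP device on port 4 reaches only port 5; after tagging, it also leaves port 1 carrying tag 200, which is exactly the symptom and the fix described in the post.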

Poppapete

Hope this helps a bit

 

Jem101

 

Beautifully explained and I appreciate the time it took. I spent the weekend looking into it and I think I understand. My research uncovered 2 things.

 

1. My switch (Managed Layer 3), a TP-Link TL-SG3424, has the ability to automatically detect VoIP traffic and can change the port setting to in fact set up a VoIP "Voice VLAN".

 

2. Then I came upon this and would like opinions!

 

"

WILL VLAN HELP ME

 

No, unfortunately you've read some myths about VLANs. VLANs are for security and management of massive scale networks. They do absolutely nothing for performance and, in fact, cripple performance on your network by forcing communications to fall to routing even internally. VLANs are never for performance reasons. That is a function of real LANs... those with their own dedicated switching fabric. VLANs are one of those things in IT that are so misunderstood that the amount of myth around them is insane. There is no reason for a VLAN in your home unless you are doing it purely for lab reasons or, possibly, because you want a guest wireless network that has no way to access your home network.

If you are talking to someone who is using VLANs instead of QoS you are talking to someone very, very confused.

Also, I've never heard of a home network big enough to use QoS. Can you? Sure. Will it hurt? No. The question is, is it worth the effort. QoS only matters if your switch is saturated. If QoS is needed, VLANs are useless and hurting you. If you need QoS at home, consider upgrading your switch instead.

 

From <http://community.spiceworks.com/topic/314211-vlans-basic-concepts-for-segmenting-a-home-network>

Jason

I use Sophos UTM's QoS to prioritize my VoIP traffic. No VLANs. Works great.

jem101

Hope this helps a bit

 

Jem101

 

Beautifully explained and I appreciate the time it took. I spent the weekend looking into it and I think I understand. My research uncovered 2 things.

 

1. My switch (Managed Layer 3), a TP-Link TL-SG3424, has the ability to automatically detect VoIP traffic and can change the port setting to in fact set up a VoIP "Voice VLAN".

 

2. Then I came upon this and would like opinions!

 

"

WILL VLAN HELP ME

 

No, unfortunately you've read some myths about VLANs. VLANs are for security and management of massive scale networks. They do absolutely nothing for performance and, in fact, cripple performance on your network by forcing communications to fall to routing even internally. VLANs are never for performance reasons. That is a function of real LANs... those with their own dedicated switching fabric. VLANs are one of those things in IT that are so misunderstood that the amount of myth around them is insane. There is no reason for a VLAN in your home unless you are doing it purely for lab reasons or, possibly, because you want a guest wireless network that has no way to access your home network.

If you are talking to someone who is using VLANs instead of QoS you are talking to someone very, very confused.

Also, I've never heard of a home network big enough to use QoS. Can you? Sure. Will it hurt? No. The question is, is it worth the effort. QoS only matters if your switch is saturated. If QoS is needed, VLANs are useless and hurting you. If you need QoS at home, consider upgrading your switch instead.

 

From <http://community.spiceworks.com/topic/314211-vlans-basic-concepts-for-segmenting-a-home-network>

 

 

Well, this is correct, although I'd maintain that there are a few cases in which putting in a VLAN might improve performance, but that's going to be if you have some equipment which is very broadcast-happy and there is only a need for them to rarely talk to other devices - put them on a separate network and let them get on with it. Yes, two devices on different VLANs will communicate much slower (relatively speaking) than two devices on the same VLAN, because in the latter case the frames are moved at 'wire speed' whereas in the former the packets need to be routed between networks with all the overheads that implies. But that's the whole point of VLANs: you separate devices into groups which rarely do need to communicate - most of their traffic is kept local.

 

Security is the big reason for VLANing traffic. As an example, I'm currently at one of my client sites which is a managed office complex; they have 30 or so tenants and two 100 meg symmetric fibre connections. There are about ten fully-managed switches scattered throughout the complex which all the tenants plug their PCs etc. into. Each tenant is on a separate VLAN, and gets a different set of IP addresses from a single DHCP server. All of their individual networks are separate, they can't see each other, even though they are all connected to the same set of switches and share a common internet gateway - a set of ACLs on the core routing switch makes sure that outbound traffic only goes where it should and doesn't allow any other inter-VLAN routing. So that's the main use of VLAN technology, as the article said.

 

I have another client with about 70 IP cameras in their offices and production facility - a bit overkill I think, but whatever! These cameras are a bit chatty, so I did move them all and the NVR recording devices to a separate VLAN, which does seem to have improved things a bit for the other users, but it's very hard to quantify.

 

Now if you really want traffic isolation then VLANs are the way to go, but if you are just concerned about making sure that your VoIP traffic doesn't suffer from contention with other less time-critical traffic then that's a QoS function, and this should ideally be applied at the switch level as well as at the router. Of course, once the traffic leaves your network and goes out into the big, bad world then it's anyone's guess what happens - you just need to hope that your ISP and others know to prioritise VoIP traffic properly.

 

Having said that, if you fancy setting up a VLAN system just for your own practice then it sounds like your switch can support it all and it won't do much harm. You can always factory reset the switch and start again if it all goes wrong.

 

John

Poppapete

So I might just go down the QoS path, starting with the switch and then maybe the Sophos router. Thanks for all the input; I have, as usual, learnt much from this forum.
