Separating data traffic from VOIP traffic

I had a question on separating data traffic from VOIP traffic.

Besides security, what would be the benefit in a small Enterprise branch office to separate the traffic by creating multiple VLANs, which would make us have to use additional subnets as well?

I bring this up because it was asked of me what it will help. I had already implemented an LLDP-MED policy for untagged traffic for the QoS of the voice traffic so it had a higher priority, so I could not really answer except for the security portion, but they did not care about the security part.

I always heard as an example that data was like football players and VOIP like flowers, and the flowers always get trampled. But now that I know more I don’t understand it, because by being trampled I would think they meant congestion on the network and the data sucking up all the bandwidth that the VOIP might need. However, with QoS implemented that would seem to fix that.

So I really don’t know why you would need to separate data from VOIP if you were not worried about security, your subnets were not too large, and you had QoS implemented.

Can someone help to answer this question or confirm what I have said is correct so far, so I will know for sure moving forward?


There are two possible reasons for separate VLANs. One might be for purposes of traffic identification. This might be considered the lazy (or paranoid) man’s approach to identifying VOIP traffic so it can be acted upon properly. Lazy because it is easy to know that traffic is VOIP related because of its source or destination address. Paranoid because maybe you don’t trust the devices on the edge of your network that mark the traffic as it enters your network.

The second reason might be strictly non-technical. For a long time (and it still might be), it was considered best practice to separate your data this way. If you start to run into problems and you want support from your VOIP vendor, they might give you fits if you still don’t conform to this old model.

That’s all I can think of …

Thanks Andrew. When you’re new to things, getting help to understand boundaries helps out a ton. This saves me tons of research looking for things that do not exist. So it’s very helpful.

I worked on a Brocade switch today and I asked the Brocade guy, does the Brocade switch come with a default password out of the box? I was setting up a new switch in Norway.

Later he said, “I didn’t really do anything to help,” but I told him that was not true, as he gave me some information that helped with my boundaries. I could have been searching half a day to find out if there was a default password, but instead I marked that off and went to the next thing.

Boundaries are huge, and what I am saying is thank you, as it means a lot when I see another little piece of the world I am working in =)

To me you guys are giants. Where I work the guys think I am a guru because I always come up with ways to fix things, but then I see network guys like you who just blow my mind.

I am just determined to find my answer and work hard, but I am truly impressed with the knowledge out there from people like yourself and Renee and others.

I am the only networking guy in my company, and I forced my way into it because the network manager left and they never hired another, and I started getting certs and giving them answers to things and was able to wiggle my way into a huge position. However, I don’t have many people to ask questions of or to mentor me, and no matter how hard you work it takes time to build real world experience, so thanks, as you guys are mentors to me even if you don’t know it, and the little things really matter.

Hey Brian,
If you are interested in continuing your Cisco/Networking education, you might want to check out INE’s specials for the 12 days of Christmas. I notice that on December 18th, they are going to have a promo (probably 50% off) on their CCNP R&S bundle. INE videos are a great source of education (especially when you combine them with a Cisco VIRL license or GNS3).

Thanks, I will probably buy it. I had dropped my CBT Nuggets monthly subscription and not picked it up again, and have just been briefly reading over my books, of which I have some good ones, and this site as well. I have been more playing non stop with live production equipment (in a safe, controlled way, I promise lol).

I really have a big question on a network setup we run in Dordrecht, Netherlands, for 5 switches, all layer 2. Would you mind if I asked you a question on that setup?

My manager for some reason does not want to use a different subnet for the voice and the data traffic. He is not worried about the security aspect and says there should be no reason we would need routing between the data and the voice data. Instead he said just mark the ports from the media/cic servers with VLAN-VOICE and VLAN-DATA both; that way the voice VLAN can communicate with the media servers, and since all phones are on the same VLAN for this branch office, all the phones will connect and work together.

Also there is a router, but it is not managed by us; some ISP company manages the router, and all of our traffic is sent over an IPsec VPN, so for the routed traffic we are not concerned about QoS.

Now on the voice VLAN we have applied an LLDP policy which tags the VLAN ID inside of the 802.1Q header with the VLAN we choose; see below. We are testing on one phone right now, so it is only applied to one port.

lldp tagged-packets process
lldp med network-policy application voice tagged vlan 100 priority 5 dscp 46 ports ethe 1/1/9
lldp run

On the data VLAN we used the command dual-mode, so basically on a Brocade this is similar to a Cisco, where we make that port able to send and receive tagged and untagged traffic. After that we were able to tag the port to the voice VLAN we had created.

Once we did that, and I set up the test voice VLAN on all 5 switches and made sure all the trunk ports allowed the traffic, I checked the MAC address of the port:

Total active entries from port 1/1/9 = 2
MAC-Address Port Type Index VLAN
0004.xxxx.32e5 1/1/9 Dynamic 2104 50
0004.xxxx.32e5 1/1/9 Dynamic 14100 100

So the LLDP policy was tagging the frame and sending it over the voice VLAN, and it also sends it over the untagged port.

Just to note when we remove the LLDP the frame is no longer tagged and we will no longer see the mac of the phone on the voice vlan.

So recap for voice vlan 100 and data vlan 50 (changed some information for posting but you get the point)

When I read about using the same subnet for voice as you use for data, the only forum posts I could find on some other generic forums from a Google search stated you do not do that, and they said it could not be done. The reason they gave was that when you set up the routing interface on, say, a layer 3 switch, you could not set up the same default gateway for both of the routing interfaces, or, if you used a router, the sub-interfaces.

That made sense, but when my manager pushed back at me with this unorthodox method, he kept asking where would we need routing at? As long as the voice traffic could reach the media/cic server and reach the phones and it could get its DHCP information, then it did not need to be routed or speak to the other VLANs. His whole thing was you could add the ports that were needed to the voice VLAN, so he had me add all the server ports to both the voice VLAN and data VLAN.

It’s just not what I read about in the academia environment and the books, as they list out best practices. I guess my question is this: do you see any concerns besides security, or something about this that means it won’t work?

I know this post is long and the thoughts are probably not laid out well. Please push back with specific questions to help draw out the information if you are interested in trying to help me figure this out in my head and make sure it works and that he is not having me do something that can cause big issues.
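
As an added illustration (not part of the original posts, and not Brocade code): the `lldp med network-policy` line quoted above makes the switch advertise an LLDP-MED Network Policy TLV, and this Python sketch encodes and decodes that TLV with the ANSI/TIA-1057 field layout so the advertised VLAN, priority and DSCP can be checked against a capture. The function names and the sample bytes are constructed for the example.

```python
import struct

TIA_OUI = b"\x00\x12\xbb"       # TIA OUI carried by LLDP-MED TLVs (ANSI/TIA-1057)
NETWORK_POLICY_SUBTYPE = 2
APP_TYPES = {1: "voice", 2: "voice-signaling", 3: "guest-voice"}  # subset only


def build_network_policy(app_type, vlan, priority, dscp, tagged=True):
    """Encode an LLDP-MED Network Policy TLV (2-byte header + 8-byte value)."""
    if not (0 <= vlan <= 4095 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    # 24 bits: U(1) T(1) X(1) VLAN(12) L2-priority(3) DSCP(6)
    policy = (int(tagged) << 22) | (vlan << 9) | (priority << 6) | dscp
    value = (TIA_OUI + bytes([NETWORK_POLICY_SUBTYPE, app_type])
             + policy.to_bytes(3, "big"))
    header = (127 << 9) | len(value)  # TLV type 127 = organizationally specific
    return struct.pack("!H", header) + value


def parse_network_policy(tlv):
    """Decode one Network Policy TLV; raise ValueError for anything else."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if tlv_type != 127 or length != 8 or len(value) != 8:
        raise ValueError("not a complete org-specific TLV of length 8")
    if value[:3] != TIA_OUI or value[3] != NETWORK_POLICY_SUBTYPE:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(value[5:8], "big")
    return {
        "application": APP_TYPES.get(value[4], f"type-{value[4]}"),
        "unknown_policy": bool(policy >> 23 & 1),
        "tagged": bool(policy >> 22 & 1),
        "vlan": policy >> 9 & 0xFFF,
        "priority": policy >> 6 & 0x7,
        "dscp": policy & 0x3F,
    }


# Constructed sample using the values from the config line in the post above:
# application voice, tagged, VLAN 100, priority 5, DSCP 46.
SAMPLE = build_network_policy(app_type=1, vlan=100, priority=5, dscp=46)

if __name__ == "__main__":
    print(SAMPLE.hex(), parse_network_policy(SAMPLE))
```

The decoded fields are what any LLDP-MED endpoint on port 1/1/9 receives, which is why the phone's MAC appears tagged in VLAN 100 only while the policy is applied.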

I like to do this just to keep traffic orderly. Typically I’ll choose something like 172.19.x.x for my voice subnets, with the third octet designating the location. That way if I’m ever looking at an address in a capture or something like that I know right away that I’m looking at voice traffic from whatever my “10” location is. And if I ever want to write an ACL to reference all voice traffic I can do it with one line. (Permit ip