
Voice VLAN concerns.

/usr Member Posts: 1,768
Okay...bear with me. I need to type this out for my own sanity about as much as I need input on the matter.


I'm using a 3Com NBX V3001 phone system at a customer site. They have two sites, separated by two T1 links.

I will refer to the Voice VLAN as VLAN 2.

This particular phone system has the ability, natively, to use a voice VLAN, which I assume only means the unit itself is smart enough to tag its frames accordingly without actually having to place the switch port in VLAN 2.

The switches support an "auto" voice VLAN feature. Basically, when the switchport sees a source MAC from a phone, it creates a mini trunk and allows that switchport to forward data frames in the native VLAN, as well as the tagged frames for VLAN 2, to support the PCs that are hooked to the phones.

This all works fine on the local network. However, across a T1 link it fails since the layer 2 and corresponding VLAN information get stripped when the frame hits the router, then encapsulated with PPP to be passed over the T1 link.

Talking to 3Com and doing a bit of research led me in the direction of GRE tunnels, but from what I understand, GRE tunnels are a layer 3 protocol and will not "save" the layer 2 frame with the VLAN tag intact, unless other methods are used in conjunction.

My actual question is this - why is this "Voice VLAN" even necessary? These phones are not the only devices hanging off the switchports. Each phone has a PC connected to it and the switchports are going to forward frames in VLAN 1 and VLAN 2 out to the phone, thus still forcing the phone to look at and "ignore" the native VLAN (data) traffic, right?

If this is the case, couldn't I just turn off the voice VLAN, then use QoS on the switches and routers to give the voice traffic priority?

If these phones were the only devices on the switchports and I could hard code the ports as only being in the Voice VLAN, then I could see the benefit, as the phones would not even see the data traffic, but that's not the case here.

Getting these phones working over this T1 link while keeping the VLAN tagging that I'm not even sure is helping, is driving me insane. And this very scenario I'm posting here is apparently over the head of the 3Com engineers as well, if you can believe that.

Thoughts?

Move this thread if you want. I thought about posting it in the CCNA forums since it relates closely to what's on the exam.

Comments

  • darkerosxx Banned Posts: 1,343
    I'm no voice engineer, but what I've read is that the voice VLAN is mainly used for QoS and voice security (so people can't snoop into your phone calls). I'm sure someone else could give you greater concerns.
  • wastedtime Member Posts: 586
    I don't feel experienced enough to give you a definitive answer on this but here it goes. The vlan tagging out the trunk ports shouldn't matter as it will get left up to the routing tables on the routers. This is when the GRE tunnel should be coming in to send it to the other site. When it arrives at the other site the router should be configured to put it into the correct vlans. Separating your data and voice is good practice both for security and for QoS. Also your VLAN 2 traffic should have priority over the data traffic going out the router.

    If someone could confirm this or expand on it, that would be helpful.
  • networker050184 Mod Posts: 11,962
    wastedtime wrote: »
    I don't feel experienced enough to give you a definitive answer on this but here it goes. The vlan tagging out the trunk ports shouldn't matter as it will get left up to the routing tables on the routers. This is when the GRE tunnel should be coming in to send it to the other site. When it arrives at the other site the router should be configured to put it into the correct vlans. Separating your data and voice is good practice both for security and for QoS. Also your VLAN 2 traffic should have priority over the data traffic going out the router.

    If someone could confirm this or expand on it, that would be helpful.

    Pretty much what I was thinking as well. The router at the other site should be able to **** it into the correct VLAN based on destination address.
    An expert is a man who has made all the mistakes which can be made.
  • /usr Member Posts: 1,768
    I am not experienced in setting up QoS, I only know what I've read.

    Assuming I don't use the voice VLAN (in this case, the only purpose it seems to serve is ease of QoS and security, as the VLANs aren't truly "separated" in the traditional sense) and leave the voice in the native VLAN, can I still prioritize the voice traffic on the switches and routers? Both support QoS.
  • wastedtime Member Posts: 586
    I guess it can be done, but it isn't a very scalable design and you would probably find it difficult to get it to work right. I don't know 3Com equipment, but I know Cisco had an auto QoS command that could get you some basic functionality.
  • pitviper Member Posts: 1,376
    /usr wrote: »
    I am not experienced in setting up QoS, I only know what I've read.

    Assuming I don't use the voice VLAN (in this case, the only purpose it seems to serve is ease of QoS and security, as the VLANs aren't truly "separated" in the traditional sense) and leave the voice in the native VLAN, can I still prioritize the voice traffic on the switches and routers? Both support QoS.

    Security is huge. There are a few readily available utilities (VOMIT is one) that will reassemble and play back VoIP calls from any PC when the PCs are in the same broadcast domain. It's much easier to separate the traffic than it is to configure SRTP, not to mention the added overhead of SRTP.
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • networker050184 Mod Posts: 11,962
    QoS wouldn't be that big of a deal to do with it all in the same VLAN. Just make sure it's marked correctly and then use the markings.
    An expert is a man who has made all the mistakes which can be made.
  • wastedtime Member Posts: 586
    Wouldn't it be possible for some computers to give their traffic high priority tags? Also, wouldn't it be difficult to manage, at least on the switches? I don't really have much experience with this but am just wondering.
  • /usr Member Posts: 1,768
    Okay, so my next question is this - how do I use the VLANs as I originally described, across the T1 links?

    If you're saying the router at each end can tag packets based on destination IP, I don't see how that would work.

    Despite the fact that these are "Voice VLANs", they are not VLANs in the traditional sense. The phones, even though they tag their frames in VLAN 2, are not in a separate subnet. They are in the same subnet as the PCs on each end, so how could the router tag frames based on destination IP, unless I gave it a subset of addresses, for example 10.0.0.50 through 10.0.0.75?

    Just curious.

    If you know the "right" way to do this, please point me towards relevant reading material.
  • wastedtime Member Posts: 586
    You had me all the way till you said the VLANs use the same subnet. I am curious what the answer is to both that and QoS.
  • networker050184 Mod Posts: 11,962
    The router will send it out of its corresponding interface into the VLAN based on where the traffic is destined. For instance if you are using say router on a stick you would have something like this -

    interface FastEthernet0/0.2
    encapsulation dot1q 2
    ip address 10.0.0.1 255.255.255.0
    !
    interface FastEthernet0/0.3
    encapsulation dot1q 3
    ip address 10.1.0.1 255.255.255.0

    So when the router receives the packet destined towards 10.0.0.3 it sends it out interface f0/0.2 putting it in the correct VLAN. Same thing applies for a L3 switch with SVIs or a plain routed port connected to a switch access port.

    If you have them sharing the same subnet on both VLANs and at both sites, it's going to get a bit complicated. Might have to start looking into VRF-lite.

    As far as QoS, yes it would be possible for an end host to mark their traffic. That is one of the benefits of using separate VLANs so you can do VLAN based QoS. The switch QoS would still classify based on CoS so it wouldn't really be much of a different config.
    An expert is a man who has made all the mistakes which can be made.
  • /usr Member Posts: 1,768
    I mean, giving the phones an IP address on another subnet since they are tagged accordingly is not an issue and can be accomplished through software. They don't have to be in the same subnet as the phones, I suppose; it's just how they were set up.

    So...pardon me if this sounds like an ignorant question, but the ability of the router to tag traffic based on destination IP, subnet, etc...what exactly is that called?

    I'm looking for reading material and I need a general idea of where to start looking, so I can start looking into the commands on how to set it up on the specific routers I'm working with.

    Or are you saying that I could create a sub-interface, route that traffic to the corresponding subinterface on the other side, then tag ALL traffic (which would only be the voice traffic) coming out of that sub-interface? Is that possible? If that last part is way off, I apologize.

    Edit: I'm an idiot. By nature, I suppose sub-interfaces using router on a stick / dot1q encapsulation, accomplish that exact thing.
  • networker050184 Mod Posts: 11,962
    /usr wrote: »
    I mean, giving the phones an IP address on another subnet since they are tagged accordingly is not an issue and can be accomplished through software. They don't have to be in the same subnet as the phones, I suppose; it's just how they were set up.

    So...pardon me if this sounds like an ignorant question, but the ability of the router to tag traffic based on destination IP, subnet, etc...what exactly is that called?

    I'm looking for reading material and I need a general idea of where to start looking, so I can start looking into the commands on how to set it up on the specific routers I'm working with.

    Or are you saying that I could create a sub-interface, route that traffic to the corresponding subinterface on the other side, then tag ALL traffic (which would only be the voice traffic) coming out of that sub-interface? Is that possible? If that last part is way off, I apologize.

    Edit: I'm an idiot. By nature, I suppose sub-interfaces using router on a stick / dot1q encapsulation, accomplish that exact thing.

    It doesn't have to be a dot1q subinterface. It can be a regular routed port connected to an access port on a switch, or an SVI; it will all accomplish the same thing.

    Once the traffic enters that access port it becomes a member of that VLAN and will have that tag on it when it goes across the trunk to the telephony server. I'm guessing you have a dot1q trunk to the server since you said it's capable of doing a voice VLAN. If not, then I don't see what the point of the tag is, since it will be stripped prior to it being sent out to the server.
    An expert is a man who has made all the mistakes which can be made.
  • /usr Member Posts: 1,768
    By server, do you mean the telephone system?

    Any switchport on these switches that receives a source MAC which has OUI that equals that of a 3Com telephone product, gets placed into the voice VLAN but can also still send frames in the native VLAN.

    So essentially, yes. A mini type of trunk gets created on the access ports, passing both the VLAN tagged frames to the phone and native VLAN frames to the PC connected to the phone.

    The only place I am having any difficulty whatsoever is on the routers.

    I have two T1's and two serial interfaces connecting these routers.

    Let's call site A the main site. It houses the NBX telephone system. Site B will be the remote site. Site A is using a subnet of 10.0.0.0 /24, Site B is using 10.0.1.0 /24.

    If I created subinterfaces on the Ethernet ports of each router, like this:

    Site A
    Ethernet 0/0.2
    encapsulation dot1q 2
    ip address 10.0.2.251 /24

    Site B
    Ethernet 0/0.2
    encapsulation dot1q 2
    ip address 10.0.3.251 /24
    Thus, the phones at site A would be in subnet 10.0.2.0 /24 and the phones at site B would be in subnet 10.0.3.0 /24.

    I could then setup static routes for these subnets, just like I did the data subnets. By default, since the traffic destined for these subnets has to come out the sub-interfaces, the frames are going to be tagged accordingly and placed into VLAN 2 when leaving the router's Ethernet interface, correct?

    I mean...correct me if I'm wrong, but would this work? This way, my phones stay in VLAN 2, the PCs can be connected to the phones and all devices can still communicate on the network, QoS becomes easier, etc.

    If I'm overlooking something here, please don't hesitate to point it out.

    Also, would GRE Tunnels be necessary to accomplish this?
  • networker050184 Mod Posts: 11,962
    Yes, by server I meant the phone system. If it's not a trunk port to the server, then the VLAN tag won't get passed there and there is no reason to worry about what VLAN the voice is in.

    That set up looks good to me. There is no specific need for GRE unless you need it for something else.
    An expert is a man who has made all the mistakes which can be made.
  • /usr Member Posts: 1,768
    I don't know if there is a "need" for GRE, because I'm not familiar enough with it to say where you need it and where you don't.

    As it was explained to me, I would need a GRE tunnel to support the multicasting the NBX does to achieve conference calls, paging, etc.
  • phoeneous Member Posts: 2,333
    /usr wrote: »
    So...pardon me if this sounds like an ignorant question, but the ability of the router to tag traffic based on destination IP, subnet, etc...what exactly is that called?

    Encapsulation?
  • /usr Member Posts: 1,768
    I don't think that's right.
  • the_Grinch Member Posts: 4,165
    I'll tell you how we have it set up at my company (we have a hosted VoIP solution). Originally, we had it set up so that the phone plugged into the wall and then gave internet to the computer. VLAN 2 was for voice and VLAN 1 for data. Now, as it currently stands, only a couple of the phones are plugged into the wall and then the computer. We give the phones a 192.168.3.x and the computers a 192.4(I didn't set this up).x.x. It is my understanding that the VLANs help with the QoS, and believe me, no QoS/CoS causes a ton of issues with the VoIP. We also give priority to VLAN 2 so that those packets go out first. Also, we have all the ports on the switches set up in trunk mode. Hope that helps!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • /usr Member Posts: 1,768
    It confirms what I kind of just realized today, for whatever reason. My phones need to actually be in a different subnet in order for this to work properly end to end.
  • unclerico Member Posts: 237
    /usr wrote: »
    Getting these phones working over this T1 link while keeping the VLAN tagging that I'm not even sure is helping, is driving me insane. And this very scenario I'm posting here is apparently over the head of the 3Com engineers as well, if you can believe that.
    Chances are that the phones either mark the voice traffic with CoS 5, which is a L2 marking, or they don't mark anything at all. When a frame gets forwarded to a router, the router strips off the L2 header and creates a new one, so if the phones are marking at L2, all CoS markings are stripped off and the packets will be forwarded best-effort. You need to make sure things are being marked at L3 (ToS) with IP Precedence/DSCP values so that the markings are preserved across L3 boundaries. You need to make sure the proper queueing mechanisms are in place and that you have a priority queue for voice bearer traffic. Last, but most definitely not least, you need to make sure that the service provider will provide you with class of service. No GRE tunnels needed.
    Preparing for CCIE Written
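Two points in this thread are easy to verify with a few lines of code rather than by hand: networker050184's explanation that a router picks the egress VLAN purely from the destination address of the packet (the subinterface table), and unclerico's point that an 802.1p CoS marking lives in the Ethernet header, which the router discards and rebuilds, while a DSCP marking lives in the IP header and therefore survives the hop. The toy router below is an added example written for this page, not code from the thread, 3Com or Cisco. It mirrors the two subinterfaces in networker050184's config (10.0.0.0/24 on VLAN 2, 10.1.0.0/24 on VLAN 3); the MAC addresses are made up, checksums are not computed, and the frames it processes are constructed inline.

```python
"""Toy router between two VLANs (added example). Shows that the egress VLAN
is chosen by destination IP and that 802.1p CoS is lost when the router
rebuilds the Ethernet header, while DSCP in the IP header survives."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DSCP_EF = 46  # Expedited Forwarding, the usual marking for voice bearer traffic

# Hypothetical MAC addresses, not taken from any real device
ROUTER_MAC = bytes.fromhex("020000000001")
PHONE_MAC = bytes.fromhex("020000000002")
NEXT_HOP_MAC = bytes.fromhex("020000000003")  # stands in for an ARP result

# Subinterface table: name -> (connected network, VLAN tag written on egress)
SUBINTERFACES = {
    "FastEthernet0/0.2": (ipaddress.ip_network("10.0.0.0/24"), 2),
    "FastEthernet0/0.3": (ipaddress.ip_network("10.1.0.0/24"), 3),
}


def build_ipv4(src, dst, dscp, ttl=64, proto=17):
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    tos = dscp << 2  # DSCP is the top six bits of the TOS byte
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    return {
        "dscp": pkt[1] >> 2,
        "ttl": pkt[8],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def build_frame(dst_mac, src_mac, vlan, cos, payload):
    """Ethernet frame with an 802.1Q tag: TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    tci = (cos << 13) | (vlan & 0x0FFF)
    return (dst_mac + src_mac
            + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4)
            + payload)


def parse_frame(frame):
    """Return the VLAN id, CoS (PCP) and payload; untagged frames give None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"vlan": tci & 0x0FFF, "cos": tci >> 13, "payload": frame[18:]}
    return {"vlan": None, "cos": None, "payload": frame[14:]}


def route(frame, remark_cos_from_dscp=False):
    """Strip the L2 header, choose the egress subinterface by longest prefix
    match on the destination, and build a fresh tagged frame for that VLAN.
    Returns (subinterface name, new frame), or None when nothing matches."""
    eth = parse_frame(frame)
    ip = parse_ipv4(eth["payload"])
    dst = ipaddress.IPv4Address(ip["dst"])
    matches = [(name, net, vlan) for name, (net, vlan) in SUBINTERFACES.items()
               if dst in net]
    if not matches:
        return None
    name, _, vlan = max(matches, key=lambda m: m[1].prefixlen)
    pkt = bytearray(eth["payload"])
    pkt[8] -= 1  # TTL decrement; the TOS/DSCP byte is untouched and survives
    # The router writes a brand-new tag. With no QoS policy the CoS comes out
    # as 0 whatever the phone sent; a policy deriving CoS from the top three
    # DSCP bits (EF 46 -> CoS 5) restores it on the next segment.
    cos = (ip["dscp"] >> 3) if remark_cos_from_dscp else 0
    return name, build_frame(NEXT_HOP_MAC, ROUTER_MAC, vlan, cos, bytes(pkt))


if __name__ == "__main__":
    # Constructed input: a phone in VLAN 2 sending EF-marked voice to the other subnet
    phone_pkt = build_ipv4("10.0.0.50", "10.1.0.20", DSCP_EF)
    inbound = build_frame(ROUTER_MAC, PHONE_MAC, vlan=2, cos=5, payload=phone_pkt)
    for remark in (False, True):
        egress, out = route(inbound, remark_cos_from_dscp=remark)
        tag = parse_frame(out)
        print(egress, "vlan", tag["vlan"], "cos", tag["cos"],
              "dscp", parse_ipv4(tag["payload"])["dscp"], "remark", remark)
```

Running it shows the frame leaving on FastEthernet0/0.3 tagged VLAN 3 with CoS 0 and DSCP still 46; only with the remark flag (the equivalent of a DSCP-to-CoS policy on the router) does CoS 5 reappear. The same table-driven lookup generalizes to any number of subinterfaces, which is why the two-site design with the phones in their own subnets works without any GRE: each site's router simply owns the route to the other site's voice subnet and tags on egress.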
  • /usr Member Posts: 1,768
    The setup I posted earlier worked, I tried it out today.

    And apparently these 3Com switches automatically apply DSCP QoS to all packets considered to be voice.
  • hypnotoad Banned Posts: 915
    I might be off base here, but a VLAN is an ethernet concept - this is something a T1 knows nothing of, so why try to mess with VLANs across the T1 links?
  • /usr Member Posts: 1,768
    Because the NBX telephone system is set to communicate in VLAN 2. If I don't have a way to force the traffic coming from the remote end to be placed into VLAN 2 upon arrival, then the NBX doesn't see the phone traffic.

    I understand that VLANs are a layer 2 concept and that information gets stripped when it hits the router to be encapsulated properly in order to be sent across the T1 links. That was always the question I had - "how am I supposed to work around that while maintaining my VLAN information?" For some reason, I completely overlooked the big picture until people started discussing it here, then it just kind of clicked.

    Like I said, the solution I posted here works. Whether or not it's the optimal setup for a VoIP deployment, I'm not quite sure, but it's acceptable in this case and achieves what we were going for. The phones are in their own VLAN and QoS is being applied.