Solved

How do I configure tagging for VLANs with IP phones?

Posted on 2013-05-23
Last Modified: 2013-06-05
Hi all,

I am trying to implement VLANs in my network. Currently everything is on a flat 192.168.0.0 /24 network, and I am nearly out of IPs. It is definitely time to redesign the network to allow for future growth, and I think the best way to do that is to use VLANs.

I have Cisco Small Business series switches with PoE, a SonicWall NSA 2400 firewall and Mitel IP phones with integrated switches (1 port for network, 1 port for PC). All sites are connected via TLS.

I need help in understanding how to configure the VLAN tagging in order to accomplish this. The goal is to have each site's data and voice traffic on its own VLAN, yet be able to communicate with servers on the management LAN - to have the IP phones get their IP from DHCP on one VLAN, and the connected PC get its IP from DHCP in another scope. DHCP is from a Windows Server with the new scopes already created and activated.


Again, everything is currently on the 192.168.0.0 /24 network
Here's how I would like it to be:
VLAN 1 -   MGMT             10.0.1.0 /24
VLAN 10 - Site 1 Data      10.0.10.0 /24
VLAN 11 - Site 1 Voice     10.0.11.0 /24
VLAN 20 - Site 2 Data      10.0.20.0 /24
VLAN 21 - Site 2 Voice     10.0.21.0 /24
VLAN 30 - Site 3 Data      10.0.30.0 /24
VLAN 31 - Site 3 Voice     10.0.31.0 /24
And so on, for a total of 8 Sites

I wish I could give more than 500 points; looking forward to your advice!
Question by:CoSmismgr
 
LVL 5

Author Comment

by:CoSmismgr
Here are some details on the existing setup
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
I am not quite familiar with this type of Cisco switch, but basically if you have a layer 3 switch you can enable routing on it.

If you want to use your PCs through the IP phones, you would need to make the phone VLAN tagged and the PC VLAN untagged on the switchport.
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 250 total points
So each VLAN has a subnet like you wrote. To cross VLANs you have to go through a layer three device. In your network that's the SonicWall. Since the traffic goes in and out the same LAN x0 port, and so does all your WAN traffic, you may have performance issues. To help with this, use multiple ports from the switch to the SonicWall. Allow one or more VLANs on the switch out each port (careful not to multipath).

Usually IP phones only have a 100mbps port so running the PC through it isn't the best idea, but here is how you do it: set the PVID of the switch port as data. Allow untagged data and tagged voice (maybe you need to tag data for your gear but not usually). Set the IP phone as voice VLAN.

Careful not to make things too separate as you force all cross-VLAN traffic through your router. That's why people use a layer 3 switch, so the traffic can be routed to another VLAN without going back up to the router.
 
LVL 5

Author Comment

by:CoSmismgr
I want to use my Layer 3 switch for the intervlan routing. It is the middle one in the diagram and it is in L3 mode, so routing is enabled.
 
LVL 38

Expert Comment

by:Aaron Tomosky
That's fine. Any questions on the other stuff?
 
LVL 5

Author Comment

by:CoSmismgr
What about communicating with DHCP server and PBX controller on different VLANs? How should the tagging be configured for that? The port mode options on the Cisco SBS switches are General, Access, Trunk or Customer. I can only tag one VLAN on access mode, and only one untagged VLAN in Trunk mode. In General mode I can tag/untag whatever I need.
 
LVL 38

Expert Comment

by:Aaron Tomosky
For DHCP you can add a NIC for each VLAN to the VM or do the VLANs inside the VM, as the vmxnet3 knows tagging.

For the switch I prefer to manually allow, but I don't have as many as you do.
 
LVL 5

Author Comment

by:CoSmismgr
What should the PVID be on the ports where I want to connect an IP phone on VLAN 11 and a PC through the phone on VLAN 10?
How should I configure the trunk ports (PVID, tagged, untagged)?

So I will need a NIC on the DHCP server for every VLAN I want to use DHCP with?
 
LVL 18

Expert Comment

by:fgasimzade
It should be 10.

Trunk port should be tagged; PVID on the tagged port should be your management VLAN, usually it is VLAN 1.
 
LVL 5

Author Comment

by:CoSmismgr
Okay I need to first work on the NICs for DHCP server... then I'll test this out.
 
LVL 5

Author Comment

by:CoSmismgr
Okay, definitely not an option to add a NIC for each VLAN - I think I should be able to use IP helper or DHCP Relay to accomplish this, just trying to learn how.
 
LVL 5

Author Comment

by:CoSmismgr
I have DHCP Relay enabled on all switches, scopes built on server, but DHCP is not working on a host connected to an IP phone which is plugged into port 13 on the bottom L2 switch. The port is set to trunk, PVID 10, 11 tagged.
 
LVL 38

Expert Comment

by:Aaron Tomosky
If you give the PC a static in the VLAN 10 range, does it work?
 
LVL 5

Author Comment

by:CoSmismgr
Yes but need DHCP working.

Here's what I did:

I set the port host 2 is on to General mode with 10UP, 11U
I set the port DHCP server is on to General mode with 1UP, 10U, 11U
LAGs between switches are set to Trunk mode with 1UP, 10T, 11T
Port 26 on L3 switch (to firewall) set to trunk mode with 1UP, 10T, 11T

I added routing statements in the firewall for the VLAN networks, with L3 switch VLAN interfaces as default gateway.

Host in VLAN 10 now gets an IP from DHCP correctly and interVLAN routing is working!!

I added the IP phone into the mix and the phone and PC both get an IP from VLAN 10... however I want the voice traffic to be on VLAN 11. I just need to get DHCP working properly for the IP phones now.
0
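The port shorthand used in the post above (for example `10UP, 11U`), worked through as an added example that is not part of the original thread: it models generic 802.1Q ingress and egress handling and DHCP-relay scope selection by giaddr, to show which scope a DHCPDISCOVER lands in depending on whether the frame arrives tagged. The subnets come from the question; the gateway addresses 10.0.10.1 and 10.0.11.1 and all function names are assumptions made for illustration.

```python
import ipaddress

# Scopes from the thread's addressing plan. The VLAN interface (gateway)
# addresses on the L3 switch are assumed for illustration.
SCOPES = {10: ipaddress.ip_network("10.0.10.0/24"),
          11: ipaddress.ip_network("10.0.11.0/24")}
VLAN_GATEWAY = {10: ipaddress.ip_address("10.0.10.1"),
                11: ipaddress.ip_address("10.0.11.1")}

def parse_port(spec):
    """Parse the thread's shorthand, e.g. '10UP, 11T' -> (pvid, {vlan: 'U'|'T'})."""
    pvid, members = None, {}
    for item in spec.replace(" ", "").split(","):
        vid = int(item.rstrip("UTP"))
        flags = item[len(str(vid)):]
        members[vid] = "T" if "T" in flags else "U"
        if "P" in flags:
            pvid = vid
    return pvid, members

def ingress_vlan(spec, tag=None):
    """VLAN a frame is classified into on ingress, or None if it is dropped."""
    pvid, members = parse_port(spec)
    vid = pvid if tag is None else tag   # untagged frames take the PVID
    return vid if vid in members else None

def egress_form(spec, vid):
    """How a frame in VLAN vid leaves the port: 'tagged', 'untagged' or None."""
    _, members = parse_port(spec)
    return {"T": "tagged", "U": "untagged"}.get(members.get(vid))

def scope_for_discover(spec, tag=None):
    """Scope a relayed DHCPDISCOVER lands in: the relay sets giaddr to the
    ingress VLAN's interface address and the server matches giaddr to a scope."""
    vid = ingress_vlan(spec, tag)
    if vid is None or vid not in VLAN_GATEWAY:
        return None
    giaddr = VLAN_GATEWAY[vid]
    return next((str(n) for n in SCOPES.values() if giaddr in n), None)

if __name__ == "__main__":
    port = "10UP, 11U"   # host port as configured in the post
    print("PC, untagged       ->", scope_for_discover(port))
    print("phone, untagged    ->", scope_for_discover(port))
    print("phone, tagged 11   ->", scope_for_discover(port, tag=11))
    print("VLAN 11 egress     ->", egress_form(port, 11))
    print("with '10UP, 11T'   ->", egress_form("10UP, 11T", 11))
```

In this model an untagged request from either device on a `10UP, 11U` port falls into the VLAN 10 scope, and VLAN 11 traffic leaves that port untagged unless the membership is changed to `11T`.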
 
LVL 38

Expert Comment

by:Aaron Tomosky
So the problem is that the DHCP server doesn't know if the DHCP request is coming from VLAN 10 or 11, so it always hands out 10. The only way I know how to handle this is to tag 10 and 11 to the DHCP server, but that means you need a NIC that understands tags or two NICs, one per VLAN. If it's all in VMware (this is how I have mine set up) you just add a second virtual NIC, one to a vswitch on VLAN 10 and one to a vswitch on VLAN 11, with only one cable from the switch to the ESXi hosts.
 
LVL 5

Author Comment

by:CoSmismgr
I don't have VMware so I can't add vnics on the DHCP server. If I change the PVID of the port to 11, both the PC and phone get an IP from VLAN 11, but I then need the PC in VLAN 10. Still trying to figure out why the phones aren't being redirected to VLAN 11 after obtaining an IP from the default VLAN when it's set to 10.

Here's what my IP phones do:

Power up
Run 'Boot' code
Request IP address (untagged) through DHCP
Receive IP address from default VLAN (data VLAN) and specific phone and system options
Check VLAN information - This isn't happening... or if it is, it is not getting the correct information - the phone shows 'VLAN none Priority none' although Option 125 in DHCP is supposed to tell it to use VLAN 11, priority 6
Relinquish IP address (untagged)
Request IP address on voice VLAN (tagged)
Receive IP address from voice VLAN and specific phone and system options again
Check VLAN information matches, if not repeat until it is.
Locate TFTP server
Get running code
Register with call control

I believe this is a Mitel issue, I'm trying to contact their support.
 
LVL 38

Expert Comment

by:Aaron Tomosky
I think it's because the port going to the DHCP server is untagged for 10 and untagged for 11. So even if the phones and everything do it correctly, the tags are being stripped off leaving the port for the DHCP server. You have two choices:
1. Have a NIC in the DHCP server that understands VLAN tags, and tag both 10 and 11 on that switch port.
2. Add a NIC for each VLAN.

There may be another way, like using a different DHCP server, but I'm not familiar with that route.
 
LVL 5

Author Comment

by:CoSmismgr
I changed settings on the switchport the DHCP server is connected to from 1UP, 10U, 11U to 1UP, 10T, 11T. The switchport that the test host connects to is configured with 10UP, 11U

Same results as before... phone and PC get IP from VLAN 10 and can communicate with VLAN 1.
 
LVL 38

Expert Comment

by:Aaron Tomosky
 
LVL 5

Author Comment

by:CoSmismgr
The IP Helper is ok I think, as requests are being forwarded properly to my DHCP server on VLAN 1. But the phone for some reason simply will not assign the appropriate VLAN information that it is supposed to get from DHCP Option 125 (possibly a firmware issue), where it should be VLAN 11 instead of the PVID of 10. I guess my workaround is to provide a separate network connection for the PC and the phone; they will get proper VLAN from DHCP according to PVID of the switch port... and also offer 1Gbps speed as opposed to 100Mbps through the phone switchport.

Closing this question as it has gone from a tagging issue to a Mitel IP phone DHCP issue. Splitting points between fgasimzade and aarontomosky.