VLAN and WAN split or just Routing?

I am about to be switching up my overall networks a good bit. I migrated from all local servers to the cloud. Now my MPLS network does me no good pointing traffic back to my main HUB site since nothing is here.
That being said, I need more bandwidth for web browsing like cable, but still need something reliable like my T1's for my VoIP phones. I currently have the T1's in place that can handle the VoIP traffic if that is all it had to do. I will be adding cable, DSL, etc. to use for internet and RDP traffic. Can I use VLANs to separate my IP phones and PCs to route traffic like that?

Basically, all devices connected to same network switch and same LAN port on Router/Firewall. I want to assign the phones an IP address (ex. 192.168.20.1-100) and the PCs something different (ex. 192.168.1.1-100). Can I do this and use a VLAN setup on the Router/Firewall and then route all 192.168.20.x traffic to the WAN1 T1 and all 192.168.1.x traffic to WAN2 DSL? Will that work or do I need VLANs on the network switch based on port connected or something? Never worked with VLANs before. My main problem there will be that there is only one network drop at some locations that connects to the phones, and then passes through to the computers... I am thinking I could static the phones to 192.168.20.x though and keep the computer on 192.168.1.x even though it passes through. I have not tested that yet either. I would need to do the same thing for all 10 of my subnets at different locations.

If I can do that, I can then do some QoS on the 192.168.20.x subnet hopefully.

If the above scenario is not an option, I guess I would be pushed into doing some routing based on port/protocol/service being used instead of IP address. This means that anything using a specific range of UDP ports gets routed to WAN1, or anything going out to a specific IP address would use WAN1.

Thanks for any input. Which of these options would be best? Is either option feasible?
SE-Pneumatic asked:
 
Aaron Tomosky (SD-WAN Simplified) commented:
If you have two physically separate switches and wires to the phones/computers, you can do the vlan just in the sonicwall. If you want to have a switch where some ports are vlan 10 and some are vlan 20, you at least need a smart switch like the netgear gs724t.

If you have enough wires, don't use the passthrough ports on phones.

Sonicwalls can very easily do ip ranges, ports, services, whatever in a rule that pushes traffic out a specific wan. The easiest is to set the t1 as wan1, and add cable as wan2 and just push 80/443 traffic out that. It's set as a route in the sonicwall and will automatically disable if the wan2 interface goes down and failover to wan1.
 
giltjr commented:
I'll re-read your question just to make sure I did not miss anything, but you can put your voice traffic on one VLAN and "data" traffic on another VLAN.  This is how it is normally done so you can use QOS.  

You would want a managed switch and the typical configuration is to tag the voice traffic and leave the data traffic untagged.  This is done because most VOIP phones have two Ethernet ports built into them.  One to connect to the LAN and one to connect to the computer.  The phone needs to be set up so that it knows which VLAN id the voice traffic is on and it will pass the untagged traffic on to the computer.  The only down side to this is that most VOIP phones only support 100 MbE, so if you really needed 1 GbE you would need to look at other solutions.

Normally routing is done based on the destination IP address.  However, you can also do routing based on source IP address.  So, if your router supports source based routing, then you can also route voice outbound over one link and "data" outbound over another link.
 
SE-Pneumatic (Author) commented:
So the VLAN setup needs to be done with a managed switch and not in my Sonicwall Firewall?

My phones do have a passthrough port and an option for VLAN (not sure how to configure this though). The 100Mb connection is fine for my use.

All of my phones do connect back to a specific group of IPs. Instead of the VLAN, would I be better off just forcing any traffic outbound with the particular IP of my phone system over WAN1 and all other traffic over WAN2?
 
SE-Pneumatic (Author) commented:
I don't have separate network ports or switches. There is only one drop at most locations so the phone plugs in and then the PC into the phone. That all runs back to one network switch which then goes to my Sonicwall.

I'm starting to think the VLAN isn't going to work for this setup and I would be better off just sending all 80/443 or specific outbound IP ranges to go over WAN1 and all other traffic over WAN2.
 
Aaron Tomosky (SD-WAN Simplified) commented:
Vlans can work and are a good idea for qos, but for stage 1 you can do one rule in the sonicwall and be off.
 
giltjr commented:
I guess you could use the Sonicwall, but typically it is better to have something other than your firewall manage VLAN's and QOS and leave your firewall doing "firewall work."

Using VLAN's is better in my opinion, as it gives you more flexibility.  It also would allow source routing by a whole subnet instead of individual IP addresses or a range of addresses.
 
SE-Pneumatic (Author) commented:
But since I don't have individual ports for the phones and computers, how can I do the VLANs?
 
Aaron Tomosky (SD-WAN Simplified) commented:
All the ip phones with passthrough ports I've used (cisco, nortel, avaya, polycom) can be set to tag packets from the phone and leave computer packets untagged.

So let's assume your computers are on vlan 10 and your phones are on vlan 20.
In the switch:
set the port pvid to 10 (what it will assign an untagged packet)
set vlan 10 untagged out that port
set vlan 20 tagged out the port

Then in the phone, set it to vlan 20.
 
SE-Pneumatic (Author) commented:
I am using Yealink phones currently. On the phone, when going into settings for Network, it has
WAN Port
PC Port
VLAN
etc.

When selecting the WAN Port, it prompts for DHCP or Static.

When selecting the PC Port, it prompts for Bridge or Router.

When selecting VLAN, it then prompts for WAN or PC Port.
     When going to either of those, it then prompts for enable or disable...
 
giltjr commented:
Which model phone?  I would like, if possible, to read the doc.
 
giltjr commented:
I looked at a manual for one of the phones.

You want the PC port in bridge mode.  This makes the phone act like a switch.

From there it looks like you might have a couple of options.  It looks like you can have both the VoIP VLAN (WAN) and Data (LAN) VLAN tagged and the phone allows you to tag the frames for QOS.  If you tag both VLANs, then the SonicWall would need to tag both VLAN's.  I am also assuming that you have the SonicWall doing DHCP for both VLAN's, but you don't have to.  Just whatever is doing DHCP has to be set up on both VLAN's and have all traffic tagged also.  However this requires your computer to be configured to be VLAN aware.

Another option would be just to tag one VLAN (VoIP/WAN) and not the other.  The advantage of this is you don't have to configure your computer to understand VLAN's.
 
Aaron Tomosky (SD-WAN Simplified) commented:
Most workstation nics are not vlan aware. Definitely recommend just tagging the phone packets.
 
SE-Pneumatic (Author) commented:
I would rather not have to configure the PCs for anything. I will have to look in the morning for the exact model number on the phones.
 
giltjr commented:
Then your best bet would be to have VoIP on one VLAN that is tagged and computers on another VLAN, un-tagged.
 
SE-Pneumatic (Author) commented:
The model of the phones is Yealink SIP-T20P.
 
giltjr commented:
O.K., the manual I looked at was the T19P's and they seem to be the "lowest" model.  So the T20P's should support VLAN's also.

So if it were me I would set up a VLAN for voice and a VLAN for data.  Have the voice VLAN as tagged and the data VLAN as untagged.  That way the PCs don't have to be configured to support VLAN's.
 
SE-Pneumatic (Author) commented:
All of that is done on the phones?
 
giltjr commented:
No.  Other things will need to be configured.  I think you said that your switches are non-managed, which basically means no QOS, and that you were going to have your firewall handle the VLANs.

So on the firewall you will need to create the two VLAN's and set up the voice to be tagged and the data to be untagged on the same interface.

Now for DHCP, whatever is doing the DHCP will need to be set up to support doing DHCP for the new VLAN (voice).  You should be able to leave the DHCP server that the computers use today as is, and that would be for the "data" VLAN.
 
SE-Pneumatic (Author) commented:
The firewall will be doing DHCP.
 
giltjr commented:
Then for testing you should be able to add a VLAN on the firewall and set it up to do DHCP for the IP subnet that VLAN will use.

If you currently don't have a VLAN for the existing "data" subnet, you will need to create a VLAN for that and assign that subnet to that VLAN.

Then assign the "old" VLAN/Subnet as untagged on the interface that connects to your inside switch and assign the "new" VLAN as tagged on the same interface.

Then configure the phone as needed.  "Bridged" mode, WAN tagged with new VLAN and PC untagged.

Of course back up everything on the firewall beforehand and do this during an outage window.
 
SE-Pneumatic (Author) commented:
How would the firewall know which device to assign which IP to?
Ex. PCs on 192.168.1.x
    Phones on 192.168.20.x

Would I need to keep the DHCP setup for 192.168.1.x and the computer pull an IP while I static the phones to 192.168.20.x so they go on that VLAN?
 
Aaron Tomosky (SD-WAN Simplified) commented:
When you add a dhcp range to the sonicwall, you assign it an interface. Since the tagged vlan is a subinterface, you can assign the dhcp range to it separate from the normal range.

When you use a separate dhcp server (e.g. windows), you add an ip helper from the vlan to the dhcp server. This is done in whatever is doing your routing for the vlan, in your case the sonicwall. What IP helper does (or dhcp helper in some switches) is forward the dhcp request to the dhcp server and it also includes the subnet it came from so that the correct ip range dhcp can be handed out.
 
SE-Pneumatic (Author) commented:
I don't think I'm familiar enough with this to implement in a live environment currently. I will go with routing based on destination IP and ports for now and revisit this later as a possible solution to accomplish my goal.
 
Aaron Tomosky (SD-WAN Simplified) commented:
If you tell me what is providing your dhcp (sonicwall or something else) I can give better directions.
 
SE-Pneumatic (Author) commented:
The Sonicwall is providing DHCP. I have internet coming in on the assigned WAN port, then the LAN port goes out to a basic unmanaged switch, then the lines go out to the phones (Yealink SIP T20P), then to the PCs. Phones and PCs are currently getting a DHCP address through this setup. If I could get it to do DHCP for the PCs on their current subnet (i.e. 192.168.1.x) and get the phones on a separate subnet (i.e. 192.168.20.x), then I would assume in my Sonicwall, I would route all 192.168.20.x subnet over my MPLS WAN connection toward my phone system PBX, and all other 192.168.1.x subnet over the other WAN port that goes out for general web access, etc.

Would this be any different or better than just keeping them all on the current 192.168.1.x subnet and trying to route all traffic going to the PBX IP and the UDP ports I know it uses over the MPLS WAN port and all other traffic over the Internet WAN port?
 
Aaron Tomosky (SD-WAN Simplified) commented:
So once you add the sub-interface for the vlan (say x0:v10), go to network->dhcpserver and add a range, and attach it to the x0:v10 interface, easy peasy.

Pushing traffic out an interface is easy too, network->routing. Just define the service group and/or destination hosts group and set the wan to go out.
 
SE-Pneumatic (Author) commented:
How do I make sure the phones pull from the vlan DHCP and the computers pull from the regular LAN?
 
Aaron Tomosky (SD-WAN Simplified) commented:
We already addressed setting the vlan and passthrough ports on the phones and switches above.

You also (in the switch) have to tag the voice vlan out the port to the sonicwall, and add the interface as a subinterface of x0 to the sonicwall.
 
SE-Pneumatic (Author) commented:
So do I need a new switch too instead of the basic unmanaged switch I have now?
 
Aaron Tomosky (SD-WAN Simplified) commented:
You cannot do vlans with an unmanaged switch. You at least need a smart switch like the netgear gs724t or the cisco 200/300 smb line.
 
giltjr commented:
It's true that you can't do VLAN's on unmanaged switches, but if the Sonicwall is tagging the frames for the voice VLAN and the phones are configured to tag the frames of the voice VLAN, and both are leaving the data traffic untagged it should work.

The only gotcha would be if the unmanaged switch gets upset because the frames for the tagged VLAN are bigger than 1500 bytes.
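To make Aaron's switch-port steps (PVID 10, VLAN 10 untagged, VLAN 20 tagged, phone tagging VLAN 20) and giltjr's frame-size gotcha concrete, here is an added Python model of 802.1Q ingress and egress on one port. It is example code written for this page, not from the thread, SonicWall or Yealink; the MAC addresses, payloads and the voice priority value 5 are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
MAX_LEGACY_FRAME = 1518    # 14-byte header + 1500-byte payload + 4-byte FCS

def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag when vlan_id is set."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)      # 3 priority bits + 12-bit VLAN id
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tag(frame):
    """Return (vlan_id, pcp) from the 802.1Q tag, or (None, 0) if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None, 0
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13

def ingress_vlan(frame, pvid):
    """Port ingress: a tagged frame keeps its VLAN, an untagged one is assigned the PVID."""
    vid, _ = parse_tag(frame)
    return pvid if vid is None else vid

def egress_frame(frame, vlan, untagged_vlans, tagged_vlans):
    """Port egress: strip the tag for untagged members, add/keep it for tagged
    members, and drop (return None) if the port is not a member of that VLAN."""
    vid, _ = parse_tag(frame)
    if vlan in untagged_vlans:
        return frame if vid is None else frame[:12] + frame[16:]
    if vlan in tagged_vlans:
        if vid is not None:
            return frame
        return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]
    return None

def oversize_for_vlan_unaware(frame):
    """True if the frame plus its 4-byte FCS exceeds 1518 bytes, the limit a
    VLAN-unaware switch may enforce (a full-size tagged frame is 1522 bytes)."""
    return len(frame) + 4 > MAX_LEGACY_FRAME

# Constructed sample traffic: the PC sends untagged, the phone tags VLAN 20 with
# priority 5 (a common voice class); MACs and payloads are made-up values.
PC_FRAME = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\x01", b"d" * 1500)
PHONE_FRAME = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\x02",
                          b"v" * 1500, vlan_id=20, pcp=5)
```

Running `ingress_vlan(PC_FRAME, 10)` gives 10 and `ingress_vlan(PHONE_FRAME, 10)` gives 20, while only the tagged phone frame trips `oversize_for_vlan_unaware`, which is the 1522-byte case behind the unmanaged-switch gotcha.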
 
Aaron Tomosky (SD-WAN Simplified) commented:
With the price of netgear smart switches as they are, I would never buy an unmanaged switch.
 
giltjr commented:
I would not either, heck Netgear is now making "unmanaged" smart switches that support QOS and VLAN.  They have a line they call "Unmanaged Plus Switch Series"

I have an 8-port model that has 4 POE ports and 4 standard ports.  They even have a 5-port model that can be powered using POE.

http://www.netgear.com/business/products/switches/unmanaged-plus/gigabit-plus-switch.aspx#tab-models
 
SE-Pneumatic (Author) commented:
The switches currently in place have been here for 5+ years (before I started with the company).
 
Aaron Tomosky (SD-WAN Simplified) commented:
Great basic vlan voip information given.