different vlans for servers/PCs/VoIP phones

Dan used Ask the Experts™
We are moving into a new building, and we will have all newer Cisco switches, 2960-X and 3850s for the cores.
I'm planning to have different VLANs for the servers, PCs and VoIP phones, but I was thinking, since all of the different equipment needs to communicate with the servers,
I will need to allow and route all the different VLANs to access the server VLAN. If that's the case, is it then better to just create one flat network, everyone in one VLAN, a /22 instead?
I guess I need to find some good articles online to dig deeper into VLANs, but on the surface, besides having a smaller broadcast domain, it just adds more complexity.

Any thoughts?

noci, Software Engineer
Distinguished Expert 2018
It is better to have several VLANs and to set the voice VLAN as having higher priority. (That will give you a lot better quality conversations, even if there are some heavy file copies running on the network.)
Steven Carnahan, Assistant Vice President / Network Manager
It is better to use multiple VLANs. This helps cut down on broadcast traffic and also isolates some traffic. How are you going to connect all this together? How many switches? You will want to have one switch connected directly to the router and all other switches directly connected to that switch to cut down on hops.

I then suggest that you place all servers on a single switch in their own VLAN.  All other devices can be put on any of the other switches and separated by VLAN as well.  

An example using our configuration:  We have Cisco IP phones.  We have them in VLAN 100.  We have workstations in a data VLAN 2.  Our servers are in a server VLAN 300.  On the trunk ports we allow traffic for VLAN 100, VLAN 2 and the management VLAN 99 (also defined).  

By assigning the different ports to the different VLANs you cut down on the chatter (broadcast) between ports. We also use PoE phones and our workstations plug into the phone, so we have both VLAN 100 and VLAN 2 on ports that have both a phone and a computer.
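To make the port layout Steven describes concrete, here is a constructed Catalyst 2960-X access-switch configuration. It is an added example, not taken from the thread or from any poster's switches. The VLAN IDs (2 data, 99 management, 100 voice, 300 servers) are the ones in his post; the interface numbers, VLAN names, the management address and the unused native VLAN 999 are assumptions.

```cisco
! Constructed example for a Catalyst 2960-X access switch (not from the thread).
! VLAN IDs follow Steven's post; interface numbers, names and addresses are assumed.
mls qos
!
vlan 2
 name DATA
vlan 99
 name MGMT
vlan 100
 name VOICE
vlan 999
 name UNUSED-NATIVE
!
! One cable per desk: the PC plugs into the phone, the phone into the switch.
! The phone learns VLAN 100 over CDP and tags its own frames; the PC's
! untagged frames land in VLAN 2. Port security caps the MACs per port
! (phone, its voice MAC, and the PC) so a hub or rogue switch trips the port.
interface range GigabitEthernet1/0/1 - 44
 description Phone + PC
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 100
 switchport port-security maximum 3
 switchport port-security
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the 3850 core: carry only the VLANs this closet needs.
! The server VLAN 300 is deliberately absent, as in Steven's setup the
! servers sit on their own switch. The native VLAN is an unused ID and is
! not in the allowed list, so untagged frames on the trunk go nowhere.
interface GigabitEthernet1/0/48
 description Uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,99,100
 switchport nonegotiate
!
! Management only on VLAN 99; the gateway is the core's VLAN 99 address (assumed).
interface Vlan99
 ip address 10.99.0.11 255.255.255.0
ip default-gateway 10.99.0.1
```

`mls qos trust device cisco-phone` is the 2960-X syntax; on the 3850 the equivalent is `trust device cisco-phone` under the interface, with the MQC-style QoS that platform uses. `show interfaces GigabitEthernet1/0/1 switchport` confirms the access and voice VLAN assignment, and `show interfaces trunk` shows which VLANs the uplink actually carries.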
Definitely worth having voice on a separate VLAN if viable, separating PCs & servers is also a good idea for security/access reasons mostly.

If you have a VLAN-capable router/firewall, it's best to make that the default gateway for each VLAN and control traffic between the VLANs there.
If not, you may be able to use a Layer 3 switch to allow traffic between the VLANs (as it would act as the default gateway instead of the router/firewall), but this may limit your control over what can and cannot flow between VLANs.
atlas_shuddered, Sr. Network Engineer

Pretty sure this question is the same as this one?

Dan, Network Engineer

Atlas - yes, totally forgot I had opened that, it's very close, I'm just getting close to making a decision, forgot about it.
Sr. Network Engineer
Separating VLANs (macro segmentation) is generally done for three primary reasons:

1.  Security/Access Control
2.  Administrative Control and Customization/Specifics
3.  Traffic Management

All of these have already been hinted at above. I think everyone has pretty well pinged on the major one in your scenario - the phones - at least as far as you are relating relevant information. Because of the specifics of your deployment and questions as to trust/liability, the security question is probably going to be the big one behind Traffic Management.

The one thing that I will add to the conversation that has not really been stated yet is this - I would go ahead and segment into subnets/VLANs if for no other reason than it sets a pattern that may not be absolutely critical to function today but could become one at some future point. It is a lot easier to build it in today than it will ever be in the future. How you choose to leverage that segmentation in the immediate term is your call, but it will be there, and you will save yourself the biggest potential headache in the scenario - segmentation in an established / "we're used to this" network.
Dan, Network Engineer


thanks for the input guys
Olgierd Ungehojer, Senior Network Administrator

I would keep servers and PCs on one VLAN and VoIP on a second. If you separate servers and PCs by VLANs you will have to do much more configuration on the router, firewall etc. Practically every new piece of software will have to go through a firewall, router or some bridge to communicate with the servers. The next question is how many DHCP servers are you going to set up? You will need to separate DHCP broadcast packets and make sure that you have a plan for how to manage the VLANs. Broadcast packets are kind of nasty to deal with, and they can propagate between VLANs if a switch is booting up or you make changes on a trunk port.

Most switches have QoS and you do not need VLANs to give priority to VoIP packets. A VLAN is only an extra layer of security, but if you want to have VoIP tightly integrated with your computers for Unified Messaging or O365, you will have to build extra configuration for it to work through VLANs.
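Two points raised above are left abstract: what "control over what can and cannot flow between VLANs" looks like when the Layer 3 switch, rather than the firewall, is the default gateway, and how DHCP broadcasts from the PC and phone VLANs reach a DHCP server that lives in the server VLAN. Below is a constructed Catalyst 3850 core configuration, added as an example and not taken from the thread, that shows SVIs as the gateways, DHCP relay with `ip helper-address`, and an inbound ACL per VLAN that permits only named services toward the servers. The addressing (10.2.0.0/24 data, 10.100.0.0/24 voice, 10.30.0.0/24 servers), the DHCP/DNS server at 10.30.0.10, the firewall at 10.1.0.254 and the assumption that the call manager sits in the server VLAN are all mine.

```cisco
! Constructed example for a Catalyst 3850 core (not from the thread).
! Subnets, server addresses and the firewall address are assumptions.
ip routing
!
vlan 2
 name DATA
vlan 100
 name VOICE
vlan 300
 name SERVERS
!
! Default gateway for the PCs. The ACL is applied "in", i.e. on traffic the
! PCs send, so it is evaluated before the switch routes anything.
interface Vlan2
 description DATA gateway
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.30.0.10
 ip access-group PC-OUT in
!
interface Vlan100
 description VOICE gateway
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.30.0.10
 ip access-group VOICE-OUT in
!
interface Vlan300
 description SERVERS gateway
 ip address 10.30.0.1 255.255.255.0
!
! Anything not on a local VLAN goes to the firewall (assumed address).
ip route 0.0.0.0 0.0.0.0 10.1.0.254
!
ip access-list extended PC-OUT
 remark DHCP DISCOVER arrives as a broadcast from 0.0.0.0; it must pass the ACL
 remark before ip helper-address can relay it, or clients never get a lease
 permit udp any eq bootpc any eq bootps
 remark services the PCs may reach on the server VLAN (DNS, SMB, HTTPS)
 permit udp 10.2.0.0 0.0.0.255 host 10.30.0.10 eq domain
 permit tcp 10.2.0.0 0.0.0.255 host 10.30.0.10 eq domain
 permit tcp 10.2.0.0 0.0.0.255 10.30.0.0 0.0.0.255 eq 445
 permit tcp 10.2.0.0 0.0.0.255 10.30.0.0 0.0.0.255 eq 443
 remark everything else toward servers or phones is dropped and logged
 deny   ip 10.2.0.0 0.0.0.255 10.30.0.0 0.0.0.255 log
 deny   ip 10.2.0.0 0.0.0.255 10.100.0.0 0.0.0.255 log
 remark the remainder follows the default route, so the firewall decides
 permit ip 10.2.0.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended VOICE-OUT
 permit udp any eq bootpc any eq bootps
 remark phones need the call manager (assumed in the server VLAN) and nothing on the PC VLAN
 permit ip 10.100.0.0 0.0.0.255 10.30.0.0 0.0.0.255
 deny   ip any any log
```

Phone-to-phone media inside VLAN 100 is switched at Layer 2 and never touches the SVI, so it needs no entry; only traffic that crosses a VLAN boundary is subject to these lists. Each new server application that PCs must reach is one more `permit` line in PC-OUT, which is the extra configuration Olgierd refers to; `show ip access-lists PC-OUT` shows per-line hit counters, and the logged denies tell you which service was missed. If the firewall is made the gateway instead, as suggested earlier, the same policy moves to the firewall's VLAN sub-interfaces and the 3850 stays a Layer 2 device.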
