different vlans for servers/PCs/VoIP phones

We are moving into a new building, and we will have all newer Cisco switches, 2960X, and 3850s for the core.
I'm planning to have different VLANs for the servers, PCs and VoIP phones, but I was thinking: since all of the different equipment needs to communicate with the servers,
I will need to allow and route all the different VLANs to access the server VLAN. If that's the case, is it then better to just create one flat network, everyone in one VLAN, a /22 instead?
I guess I need to find some good articles online to dig deeper into VLANs, but on the surface, besides having a smaller broadcast domain, it just adds more complexity.

Any thoughts?
Dan (Network Engineer) asked:
noci (Software Engineer) commented:
It is better to have several VLANs and to set the voice VLAN as having higher priority. (That will give you a lot better quality conversations, even if there are some heavy file copies running on the network.)
Steven Carnahan (Network Manager) commented:
It is better to use multiple VLANs. This helps cut down on broadcast traffic and also isolates some traffic. How are you going to connect all this together? How many switches? You will want to have one switch connected directly to the router and all other switches directly connected to that switch to cut down on hops.

I then suggest that you place all servers on a single switch in their own VLAN. All other devices can be put on any of the other switches and separated by VLAN as well.

An example using our configuration: We have Cisco IP phones. We have them in VLAN 100. We have workstations in a data VLAN 2. Our servers are in a server VLAN 300. On the trunk ports we allow traffic for VLAN 100, VLAN 2 and the management VLAN 99 (also defined).

By assigning the different ports to the different VLANs you cut down on the chatter (broadcast) between ports. We also use PoE phones and our workstations plug into the phone, so we have both VLAN 100 and VLAN 2 on ports that have both a phone and a computer.
Steve commented:
Definitely worth having voice on a separate VLAN if viable; separating PCs and servers is also a good idea, for security/access reasons mostly.

If you have a VLAN-capable router/firewall, it's best to make that the default gateway for each VLAN and control traffic between the VLANs there.
If not, you may be able to use a layer 3 switch to allow traffic between the VLANs (as it would act as the default gateway instead of the router/firewall), but this may limit your control over what can and cannot flow between VLANs.
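The design Steven and Steve describe above (a phone and a PC on one access port in separate VLANs, a trunk that carries only the VLANs the access switch needs, SVIs on the 3850 acting as each VLAN's default gateway, an ACL between VLANs, and a DHCP relay so one DHCP server can serve every VLAN), written out as an added example. This configuration is constructed for this page; it is not posted by any participant and is not taken from Cisco documentation. The VLAN numbers follow Steven's comment (2 data, 100 voice, 300 servers, 99 management); the 10.0.x.0/24 subnets, interface numbers, native VLAN 999 and the DHCP server address 10.0.30.10 are assumptions.

```cisco
! Constructed example, not from the original thread. VLAN IDs follow Steven's
! comment; subnets, interface numbers, VLAN 999 and 10.0.30.10 are assumptions.

! ===== 2960X access switch (Layer 2 only) =====
vlan 2,99,100
!
! PoE phone with a workstation on its PC port. The PC is untagged in VLAN 2;
! the phone learns VLAN 100 via CDP/LLDP and tags its own traffic into it.
! auto qos trusts the phone's markings so voice is prioritised on this port.
interface GigabitEthernet1/0/1
 description phone + workstation
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 100
 spanning-tree portfast
 auto qos voip cisco-phone
!
! Uplink to the core. Allow only the VLANs this switch needs (no server VLAN,
! so server broadcasts never reach the access layer) and put the native VLAN
! on an unused ID so nothing rides the trunk untagged.
interface GigabitEthernet1/0/48
 description uplink to 3850 core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,99,100
 switchport nonegotiate
!
interface Vlan99
 description management
 ip address 10.0.99.11 255.255.255.0
!
ip default-gateway 10.0.99.1

! ===== 3850 core (Layer 3: one SVI per VLAN is that VLAN's default gateway) =====
ip routing
vlan 2,99,100,300
!
interface GigabitEthernet1/0/1
 description downlink to 2960X
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,99,100
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description server
 switchport mode access
 switchport access vlan 300
!
! Workstations: the helper address relays their DHCP broadcasts to the server
! VLAN, and the ACL limits what PCs can reach inside the building.
interface Vlan2
 description DATA gateway
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.0.30.10
 ip access-group DATA-IN in
!
interface Vlan100
 description VOICE gateway
 ip address 10.0.100.1 255.255.255.0
 ip helper-address 10.0.30.10
!
interface Vlan300
 description SERVER gateway
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan99
 description management
 ip address 10.0.99.1 255.255.255.0
!
! Inter-VLAN policy on the switch. A stateless ACL has no connection tracking,
! so if the server VLAN is ever filtered too, return traffic must be permitted
! explicitly. That is the coarser control Steve mentions versus a firewall.
ip access-list extended DATA-IN
 remark PCs reach servers and the outside, not the voice or management VLANs
 permit ip 10.0.2.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip 10.0.2.0 0.0.0.255 10.0.100.0 0.0.0.255
 deny   ip 10.0.2.0 0.0.0.255 10.0.99.0 0.0.0.255
 permit ip any any
```

DATA-IN is evaluated on packets entering the Vlan2 SVI, i.e. traffic sourced by the PCs; traffic from servers back to PCs enters through Vlan300, which carries no ACL, so it is not filtered. If a VLAN-capable firewall is to be the gateway instead, the SVIs and helper addresses move to the firewall's sub-interfaces and the 3850 carries the VLANs at Layer 2 only, which gives stateful control between VLANs at the cost of pushing every inter-VLAN flow through the firewall.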
atlas_shuddered (Sr. Network Engineer) commented:
Pretty sure this question is the same as this one?

https://www.experts-exchange.com/questions/29127828/Network-Design.html
Dan (Network Engineer, author) commented:
Atlas, yes, I totally forgot I had opened that. It's very close; I'm just getting close to making a decision and forgot about it.
atlas_shuddered (Sr. Network Engineer) commented:
Separating VLANs, or macro segmentation, is generally done for three primary reasons:

1.  Security/Access Control
2.  Administrative Control and Customization/Specifics
3.  Traffic Management

All of these have already been hinted at above. I think everyone has pretty well pinged on the major one in your scenario, the phones, at least as far as you are relating relevant information. Because of the specifics of your deployment and questions as to trust/liability, the security question is probably going to be the big one behind traffic management.

The one thing that I will add to the conversation that has not really been stated yet is this: I would go ahead and segment into subnets/VLANs if for no other reason than it sets a pattern that may not be absolutely critical to function today but could become so at some future point. It is a lot easier to build it in today than it will ever be in the future. How you choose to leverage that segmentation in the immediate term is your call, but it will be there, and you will save yourself the biggest potential headache in the scenario: segmentation in an established "we're used to this" network.

Dan (Network Engineer, author) commented:
Thanks for the input, guys.
Olgierd Ungehojer (Senior Network Administrator) commented:
I would keep servers and PCs on one VLAN and VoIP on a second. If you separate servers and PCs by VLANs you will have to do much more configuration on the router, firewall, etc. Practically every new piece of software will have to go through a firewall or router or some bridge to communicate with the servers. The next question is how many DHCP servers are you going to set up? You will need separate DHCP broadcast packets, and make sure that you have a plan for how to manage the VLANs. Broadcast packets are kind of nasty to deal with, and they can propagate between VLANs if a switch is booting up or you make some changes on a trunk port.

Most switches have QoS, and you do not need VLANs to give priority to VoIP packets. A VLAN is only an extra layer of security, but if you want to have VoIP tied in with your computers for Unified Messaging or O365, you will have to build extra configuration for it that will work through VLANs.