Networking,Vlans confused

I just started a thread today and will be posting everyday this week walking through this subject.
Your LAN configuration
I have been spending hours and hours and weeks and weeks with CISCO engineers to get an in depth understanding on this subject.
I have also reviewed many VoIP books that fall short on this subject.
If you are going to have a rock solid VoIP system with good QOS and MOS you should have your LAN LOCKED down correctly.
VLANS and your Router to Switch setups are everything.
I want to sleep at night knowing I've set this up right.

Follow this thread below and I will post detailed information.
http://telephonation.com/index.php?option=com_kunena&Itemid=67&fu...

Thanks,
Jay, FtOCC, SCVPC, LVSC, LOC, DREC, SBSC, MCSE, A+, MCT
Fonality trixbox Open Communication Certification
Speakeasy Certified Voice Partner Certification
Linksys Voice System Certification
LinksysOne Certification
Data Recovery Expert Certification
Small Business Specialist Certified
Microsoft Certified System Engineer
CompTIA A+ Certification
Microsoft Certified Trainer

ComputerHMO
Pasadena, CA
USA

jaycweiss - If you are talking to Cisco engineers to obtain in depth information then this is unlikely to be of significant benefit to kingtux as he is deploying Juniper/Netgear switches. Cisco hardware supports a number of useful proprietary features (e.g. Portfast, VTP) and QoS configuration is always vendor/hardware/software specific.

Considering the long list of VoIP related certifications you list in your signature, I would have have thought that you would have already built up a good understanding of VoIP LAN design fundamentals. If you have read lots of books on the subject and feel that they fall short then maybe you have been reading the wrong books.

All the general LAN design principles for things like security and QoS are applicable to VoIP, which from a network perceptive is just another application, albeit it with stringent packet delay/jitter/loss requirements. Assuming the LAN is already secure, has sufficient capacity to support the appropriate amount of VoIP traffic, and has an existing well designed QoS policy implemented, then from a design perspective in most cases working out how much bandwidth needs to be allocated for VoIP media and signalling traffic is all that needs to be determined.

I would say that the most challenging part of configuring a LAN to support VoIP is understanding the capabilities of the network devices, rather than understanding the general design principles, particularly in multi-vendor environments. This is because as mentioned above, QOS configuration is always vendor/hardware/software specific. Different network devices support different types of scheduling algorithms, CoS/DSCP classification capabilities, numbers of queues, default QoS markings, etc. Often it is the QoS capabilities of the LAN infrastructure deployed that will dictate the QoS implementation for VoIP and the other applications deployed.

The problem I am seeing with that picture is you have a voip vlan on 10.33.0.0 and a dmz 10.35.0.0 running in vlan 100, but you look like you are also extending that dmz subnet to your phones. If you are using one nic card you can do one of the following:
1. You will need to keep the trixbox and the phones in the same subnet and setup a 1:1 nat port forward (or dmz) to your trixbox ip. But it is not a good idea to keep the whole subnet as a dmz.
2. Enable 802.1q on your trixbox so you can have your internet coming in on one subnet and the phones connected to another subnet.
3. You could set up routing between the subnets (which probably happens by default on that juniper once it shows as a connected interface, never used one though), in which case, You need to configure a vlan on the switch that you are using to plug in all your phones as the voip vlan #, not vlan 100, the data vlan can stay.
4. You can use two nic cards instead of trunking to the trixbox, one for the phones and one for the dmz connection to the internet.

I went overboard and used three in my last install. One for the data vlan (accessing the trixbox web interface from office, but I am not pulling internet from that port), One for a direct connection to a cable modem, and one to put in the voice vlan with all the phones. I could have used 802.1q on the trixbox, but I read a few about a few issues with 802.1q trunking in cent os (maybe on false grounds, it has been running fine at home for me), so I didn't want to make that client a guinea pig, that is my job.

If the voip vlan is 100, your diagram is wrong. It shows the trixbox in vlan 100 and you carrying that dmz vlan to the ports the phone will plug into. Setting up routing between vlans is ok (see side note). But you will need 3 vlans, the data, the dmz, and the voice. The voice and the data will need to be setup on each port on the bottom switch in that picture that will be plugging into a phone. The voice vlan will have to be routed to the dmz vlan on the juniper so it can talk to the trixbox server. Yes, you will need to tell the phones what vlan number for the phone to use, and what vlan number for the computer to use. Think of the phone as a mini switch with three ports. One being the port going into the phone (the trunk port), One port being inside the phone (the phone vlan), and the port that plugs into the computer (the data vlan).

Side note: Why route between voice and dmz vlan on a small network? I'd just throw a second nic into the trixbox server and put that in a vlan with the phones. It'll make life a whole lot easier for tftping stuff to the phones via dhcp addressing. If you use the built in dhcp server on trixbox, you won't have to be setting dhcp options on the juniper for tftp. OR if you don't want to use a dhcp server, you could manually specify the ip address and tftp server ip on every phone.

Both the trunk to the switch, and the trunks to the phones need to have tagged vlans. Remember, the phone is a mini switch. You can tag both 1 and 100 between the switches and the phones(you will need a new native vlan), or you can leave vlan 1 as the native vlan (untagged) and tag vlan 100. Whichever way you decide, you will need to configure the phone that way. If you somehow managed to get a switch port to belong to both vlan 1 and vlan 100 untagged, they would appear to everyone else as the same vlan and you would have issues everywhere.

Thanks for your responses...Guess Logically I'm getting confused and need to physically test while I'm setting these up to grasp it alittle better. I will be setting this up over this weekend so If i have question I will come back here :)

In regards to the switches netgear allows you to set vlan port as tagged, untagged, and auto detect, what is this auto detect?

Have any of you worked on the netgear switches before? They are confusing the heck out of me....Don't know why this is troubling me :(

In switch GUI via web I go to VLAN config, there already is a "VLAN 1" with all ports selected and all ports on that vlan as untagged.

Jon you say to change the "untagged" to "tagged" on all those ports in the default "VLAN 1" correct?

Then I should create another VLAN "VLAN 100" select all ports (the same ports in vlan 1) and set those up as tagged?

By default all the ports VLAN ID are set to 1 which is default vlan 1?

Or do i need to take a step back :(

Jon,

Ok thanks that cleared things up mostly :)... So for the TRUNK link between switches will I also set that port as "untagged in vlan1" and "tagged vlan 100"? or will that port be set to "tagged vlan1" and "tagged vlan 100"

Thanks again I really appreciate the time you guys are taking to help me understand this stuff.

Thanks again I will report back when I dive into the job