Just looking for a bit of advice - as usual! :wink:

I do some work for a charity, they are moving offices in the near future, they are staying at the same physical location but they are having new offices built as the old ones are about to fall down!

The location is in the middle of nowhere, and they get around 5Mbps down, so not the greatest speed; fibre is not available either!

There are currently 3 buildings and one switch in each building mainly for Data and CCTV.

When the office is moved we will be getting a new VoIP phone system on a separate broadband line - to keep voice and data traffic separate and give us a more reliable line for VoIP traffic so our line is not saturated from data.

Here is where my issue comes…

When the new offices are in place and the phone system in, the phones will actually be split between all three buildings.

There are 12 IP cameras, they are basic and don’t use much bandwidth at all! Probably about 10MB/s in total with them all recording back to a CCTV server - they only record on movement but they are always monitoring.

So with the new system I will be getting all new switches in each building. The phones are PoE, so I was thinking one PoE switch per building and one normal gigabit managed switch per building.
6 switches in total, 3 for VoIP and 3 for data/CCTV. Each building will have 2x cables going back to the next building, so this is how it would look:

[image attachment: setup.PNG]

Could anyone let me know if this is an efficient/effective way to do it. The VoIP solution is all being provided by one company, including the router; they are configuring it in a way that is best for the VoIP solution and it will have DHCP enabled. I don’t want to ask them to turn this off, I will just put everything connected to their router on the VoIP network.

I know I need to keep this separate to stop DHCP leaking over to the main network and to ensure there is nothing interfering on the main network.

So is the above an acceptable solution?

I have been looking at VLANs also, but it is something I have never really had an opportunity to “tinker” with, so I don’t want to try that solution and find myself unable to do it.

Advice is appreciated on recommended switches / a VLAN setup if that is recommended over my current plan!

Also, we are going to be getting WiFi APs that are VLAN aware from Ubiquiti. I am hoping to have two SSIDs on these, one for corporate access to internal servers etc. and one that can JUST get to the internet. Is this something I can set up with the diagram listed above? I assume port tagging will be involved for this, but I could do with a bit of help. As I said, I have never really done VLANs before so I could do with some advice :slight_smile: For example: APs will be spread across all three buildings, so I am not sure if I can tag ports to allow the guest wifi network to only get access back to the internet.

If you are suggesting products, please remember I am in UK :slight_smile:

Thanks very much!

4 Spice ups

VLANs are the way to go. For example, my wifi/VoIP/cams/desktops all sit on the same switches, but they are all on separate VLANs with different subnets.

If you’re going this way however, you need to understand how VLANs work and how you are going to route traffic between them (if you are at all). You can define a DHCP scope for each VLAN on a single DHCP server and it will serve all of the subnets. The details of how you do this will vary depending on which switch vendor you are going with, and also sometimes by the model of the switch (Smart/Web managed vs. fully managed with a CLI).

I don’t see a reason to have separate switches for what you describe. You need PoE for your WiFi APs, as well as your VoIP phones (unless you’re going to do PoE injectors everywhere, which is a bad way to go about it).

You don’t mention the VoIP provider, or if the phones have an ethernet passthrough (many do but only 100MB; you’d want to make sure it’s gigabit passthrough). If they are gigabit, then you can run them all over the same switches. In that case just make sure you have enough ports and go PoE for all of them.

It would help greatly to know what switches you are using. To route data between VLANs, you would need one of them to be a layer 3 switch; otherwise you have to do it on your firewall, which is not ideal.

2 Spice ups

At the moment all of the switches are unmanaged, this is why they will be replaced during the office move.

I am open to suggestions, I would prefer to go with HP Switches to be honest.

We are talking small scale here too: the office will have 10 PCs and about 15 phones scattered throughout the buildings, to put it into perspective.

As far as my limited knowledge goes, layer 3 switches are expensive, right? I don’t think I would get the funding for one of those. Could you explain why a layer 3 switch would be required (I am curious)? Like I said, I am open to switch suggestions though.

Thanks very much!

I’m a big fan of HP; all of my core and distro switches are HP. Layer 3 switches are more expensive, but you only need one to do the routing between the VLANs. The rest can be layer 2.

Did your voip vendor make switch suggestions?

You mention your VoIP provider is providing the router? What kind of router are they providing? Do you have another router and firewall for your internet connection? It’s best to run one router that acts as the gateway for all your VLAN interfaces, especially with the VoIP phones, as usually you run your computers as pass-through, so the VoIP router will need to do VLAN tagging and have an interface back to your data VLAN. The way to do this will vary based on your design and the specific equipment involved.

The Ubiquiti UniFi APs can do VLANs easily. I would suggest making your guest VLAN the tagged VLAN in your controller. Also, use an Ubuntu system for the UniFi controller. Don’t use a Windows one or you will see issues. Ubuntu runs flawlessly with it.

1 Spice up

VoIP provider is providing a basic Cisco model router, but we cannot access or configure it, they are under full control of it.

For the data network a Draytek 2830 is currently in use; it is capable of VLANs if that helps! :slight_smile:

Here’s where you will need their input. If you are doing layer 3 routing on your switch, they will need to add some static routes in their router for the additional VLANs.
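To make the advice in this thread concrete (one set of switches carrying separate VLANs, one DHCP scope per VLAN, a single layer 3 switch routing between them, phones with PC pass-through, a guest SSID that can only reach the internet, and the provider's VoIP router needing routes back), here is an added example configuration that is not from any post in the thread and not a vendor document. It is written in HP ProCurve / ArubaOS-Switch CLI style for the one layer 3 "core" switch; the hostname, VLAN IDs, subnets, port numbers, the DHCP server and firewall addresses and the ACL name are all assumptions chosen for illustration and would need to match the real site. The other two buildings' switches would carry the same VLANs as plain layer 2 switches with the same tagged uplink ports and no `ip routing` or `ip address` lines.

```text
; Added example, not from the thread. HP ProCurve / ArubaOS-Switch style CLI for
; the layer 3 core switch. Assumed port roles:
;   1-20  desks: PC plugs into the VoIP phone, phone plugs into the switch
;   21-24 IP cameras
;   25-26 Ubiquiti APs (corporate SSID on DATA, guest SSID on GUEST)
;   45    data router/firewall (the Draytek), untagged on DATA
;   46    VoIP provider's router, untagged on VOICE (it keeps its own DHCP)
;   47-48 uplinks to the other two buildings (carry every VLAN, tagged)
hostname "CORE-SW1"
ip routing                                  ; this switch routes between VLANs

vlan 10
   name "DATA"
   untagged 1-20,45                         ; PC frames arrive untagged -> DATA
   tagged 25-26,47-48                       ; APs and uplinks carry several VLANs
   ip address 192.168.10.1 255.255.255.0    ; assumed gateway for the data subnet
   exit

vlan 20
   name "VOICE"
   untagged 46                              ; provider's router sits here
   tagged 1-20,47-48                        ; phones tag their own frames with VLAN 20
   voice                                    ; advertised to phones via LLDP-MED
   ip address 192.168.20.1 255.255.255.0
   exit

vlan 30
   name "CCTV"
   untagged 21-24
   tagged 47-48
   ip address 192.168.30.1 255.255.255.0
   exit

vlan 40
   name "GUEST"
   tagged 25-26,47-48                       ; only ever tagged, never on a desk port
   ip address 192.168.40.1 255.255.255.0
   ip access-group "GUEST-INTERNET-ONLY" in ; filter what guest traffic may be routed to
   exit

; One DHCP server on the data VLAN (assumed at 192.168.10.5) holds a scope per
; subnet; the switch relays requests from CCTV and GUEST to it. VOICE is left
; alone because the provider's router serves DHCP there, as described in the thread.
vlan 30 ip helper-address 192.168.10.5
vlan 40 ip helper-address 192.168.10.5

; Guest clients may talk to their own gateway for DHCP/DNS (assumes the switch or
; the firewall forwards DNS), are denied every RFC 1918 range, and may reach
; anything else, i.e. the internet. Deny-by-range keeps CCTV, VOICE and DATA
; unreachable even if more internal subnets are added later.
ip access-list extended "GUEST-INTERNET-ONLY"
   permit udp any any eq 67
   permit udp any host 192.168.40.1 eq 53
   deny ip any 10.0.0.0 0.255.255.255
   deny ip any 172.16.0.0 0.15.255.255
   deny ip any 192.168.0.0 0.0.255.255
   permit ip any any
   exit

; Everything not local leaves via the data firewall (assumed Draytek at
; 192.168.10.254). The VoIP provider's router, in turn, needs static routes for
; 192.168.10.0/24, 192.168.30.0/24 and 192.168.40.0/24 via 192.168.20.1 if it
; ever has to reach those subnets; that is the request for the provider.
ip route 0.0.0.0 0.0.0.0 192.168.10.254
```

The security-relevant point is in the access-list: with a layer 3 switch, inter-VLAN traffic is forwarded in silicon and never sees the firewall, so "guest can only reach the internet" has to be enforced on the switch itself. Whether the firewall also sees guest traffic depends on the default route; here all non-local traffic goes to the Draytek, so its own rules still apply on the way out.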

Hmmm… I dislike a VoIP provider putting in a router, and if there’s any way you could go with your own hardware, you’re probably better off. I just can’t manage to wrap my head around that; usually these “routers” are more trouble than they are worth, and having all traffic hit a FW first is the way to go.