Where Do You Get Good IT Advice
-
Advice might be good, or IT advice... but advice by itself will be easier to find.
-
To go beyond the general case, here is a specific example (but we mean to talk generally here).... where do you go to get information about the applicability of VLANs to VoIP? It seems that everything out there says that you need VLANs.
I guess since Cisco has been the one always recommending using a voice vlan for increased security and better qos most people have been following their recommendations without really thinking.
From their documentation
VLAN Concepts and Configuration
After the IP phone has received power, it must determine its VLAN assignment. Because of security risks associated with having data and voice devices on the same network, Cisco recommends isolating IP phones in VLANs dedicated to voice devices. To understand how to implement this recommendation, let's first review a few key VLAN concepts.
VLAN ReviewWhen VLANs were introduced a number of years ago, the concept was so radical and beneficial that it was immediately adopted into the industry. Nowadays, it is rare to find any reasonably sized network that is not using VLANs in some way.
VLANs allow you to break up switched environments into multiple broadcast domains. Here is the basic summary of a VLAN:
A VLAN = A Broadcast Domain = An IP Subnet
There are many benefits to using VLANs in an organization, some of which include the following:
Increased performance: By reducing the size of the broadcast domain, network devices run more efficiently.
Improved manageability: The division of the network into logical groups of users, applications, or servers allows you to understand and manage the network better.
Physical topology independence: VLANs allow you to group users regardless of their physical location in the campus network. If departments grow or relocate to a new area of the network, you can simply change the VLAN on their new ports without making any physical network changes.
Increased security: A VLAN boundary marks the end of a logical subnet. To reach other subnets (VLANs), you must pass through a routed (Layer 3) device. Any time you send traffic through a router, you have the opportunity to add filtering options (such as access lists) and other security measures.
Understanding Voice VLANs
It is a common and recommended practice to separate voice and data traffic by using VLANs. There are already easy-to-use applications available, such as Wireshark and Voice Over Misconfigured Internet Telephones (VOMIT), that allow intruders to capture voice conversations on the network and convert them into WAV data files. Separating voice and data traffic using VLANs provides a solid security boundary, preventing data applications from reaching the voice traffic. It also gives you a simpler method to deploy QoS, prioritizing the voice traffic over the data.
One initial difficulty you can encounter when separating voice and data traffic is the fact that PCs are often connected to the network using the Ethernet port on the back of a Cisco IP Phone. Because you can assign a switchport to only a single VLAN, it initially seems impossible to separate voice and data traffic. That is, until you see that Cisco IP Phones support 802.1Q tagging.
The switch built into Cisco IP Phones has much of the same hardware that exists inside of a full Cisco switch. The incoming switchport is able to receive and send 802.1Q tagged packets. This gives you the capability to establish a type of trunk connection between the Cisco switch and IP phone, as shown in Figure 3-6.
-
@Romo said in Where Do You Get Good IT Advice:
To go beyond the general case, here is a specific example (but we mean to talk generally here).... where do you go to get information about the applicability of VLANs to VoIP? It seems that everything out there says that you need VLANs.
I guess since Cisco has been the one always recommending using a voice vlan for increased security and better qos most people have been following their recommendations without really thinking.
Right, a vendor. And not just a vendor, a vendor that makes a product focused on a market size where the scale guarantees a need for VLANs already for other purposes. And a vendor that uses different protocols from the rest of the market. So reasons that that is bad would be:
- It's a vendor and not a valid source of this guidance from the VoIP perspective.
- It's a vendor and a semi-valid source of this guidance from the network perspective, but only semi and only sometimes and not for many of the reasons below.
- A vendor with gear to sell.
- Equipment only meant for companies of large size.
- A vendor with a track record of reckless guidance (their engineers once told a SpiceCorps in Houston that you need 14Tb/s to the desktop to watch YouTube, Cisco doesn't even make gear that fast today and this was five years ago.)
- A vendor whitepaper - so automatically invalid for this kind of guidance, they have not taken the business needs or network design into account which means that giving the advice in a vacuum is reckless.
- Not an IT vendor.
HOWEVER.....
Even with all of that, Cisco does NOT recommend VLANs for QoS, but for security. A different issue. One that should worry us, why is Cisco depending on LAN based security in this modern age? That's a problem with Cisco phones that they are trying to address with their switches. This is good advice, in context. But the context is everything.
-
@Romo said in Where Do You Get Good IT Advice:
VLAN Concepts and Configuration
After the IP phone has received power, it must determine its VLAN assignment. Because of security risks associated with having data and voice devices on the same network, Cisco recommends isolating IP phones in VLANs dedicated to voice devices. To understand how to implement this recommendation, let's first review a few key VLAN concepts.
Cisco has security concerns about their phones, so they recommend VLANs as an additional cost to fix them. That's the base context here. This isn't a VoIP recommendation in any way, this is a Cisco phone issue. No one should have taken this advice and applied it to QoS, non-Cisco equipment, etc.
-
@Romo said in Where Do You Get Good IT Advice:
VLANs allow you to break up switched environments into multiple broadcast domains. Here is the basic summary of a VLAN:
A VLAN = A Broadcast Domain = An IP Subnet
This information about a VLAN is wrong. You can subnet without VLANs, you can VLAN without subnets. Unrelated concepts.
-
@scottalanmiller said in Where Do You Get Good IT Advice:
@Romo said in Where Do You Get Good IT Advice:
VLANs allow you to break up switched environments into multiple broadcast domains. Here is the basic summary of a VLAN:
A VLAN = A Broadcast Domain = An IP Subnet
This information about a VLAN is wrong. You can subnet without VLANs, you can VLAN without subnets. Unrelated concepts.
It could be good practice in most cases, but like @scottalanmiller said: Unrelated.
-
@Romo said in Where Do You Get Good IT Advice:
Increased performance: By reducing the size of the broadcast domain, network devices run more efficiently.
This is one that gets mentioned a lot and it is a benefit of reducing broadcast domain size, but really only on 10Mb/s unswitched networks from the 1990s. In the 2000s once we had switching and stopped having broadcast issues, companies moved to bigger networks rather than smaller. Their statement is technically correct, but contextually misleading. The issue is not so simple as to make this useful. This is used by shops with networking problems to bandaid broadcast problems rather than addressing them.
This also ignores the overhead of the VLANs themselves AND the bottlenecks between VLANs. So introducing problems to fix problems that people should not have.
-
@Romo said in Where Do You Get Good IT Advice:
Improved manageability: The division of the network into logical groups of users, applications, or servers allows you to understand and manage the network better.
It's increased overhead. For 99% of SMBs, it destroys manageability and is used specifically and famously by Cisco VARs to create a management nightmare requiring external, high cost networking specialists to keep the network working. In a giant environment where broadcast domain splitting is required regardless of VLANs, VLANs can be and normally are beneficial from a management perspective. But doing so in an environment too small to benefit from them does the opposite. This shows that Cisco either disregards this market (making their advice wrong without a stated context, especially as this is the majority of the market), doesn't understand networking (likely as reflected repeatedly by their incorrect information) or is actively looking to mislead people to make a sale. This statement on VLANs is just totally untrue as written and the exact opposite of why we recommend against it for most VoIP deployments.
-
@Romo said in Where Do You Get Good IT Advice:
Physical topology independence: VLANs allow you to group users regardless of their physical location in the campus network. If departments grow or relocate to a new area of the network, you can simply change the VLAN on their new ports without making any physical network changes.
This can be see as general info, or in the context of being listed in why to use VLANs it is marketing. This is a standard marketing ploy: tell what a thing CAN do stated in such a way that the reader assumes that they WANT to do that, even when it makes no sense. In a normal network you would never want to group departments or users, that's only for special cases and enormous environments. The average network does not what this beyond physical groupings by physical device topology. In this context, this is just old fashioned marketing.
-
@Romo said in Where Do You Get Good IT Advice:
Increased security: A VLAN boundary marks the end of a logical subnet. To reach other subnets (VLANs), you must pass through a routed (Layer 3) device. Any time you send traffic through a router, you have the opportunity to add filtering options (such as access lists) and other security measures.
Again, true and good to know, but not applicable to the majority case. LAN level security for voice traffic? LAN level security that having a VLAN alone will fix? For the majority of businesses using phones this isn't just unnecessary, it's utterly ridiculous. Cisco doesn't state in this section that this is necessary or recommended, but it sounds beneficial when, in reality, in most cases it is a negative of unnecessary complexity and fragility rather than a benefit of security.
-
@Romo said in Where Do You Get Good IT Advice:
It is a common and recommended practice to separate voice and data traffic by using VLANs. There are already easy-to-use applications available, such as Wireshark and Voice Over Misconfigured Internet Telephones (VOMIT), that allow intruders to capture voice conversations on the network and convert them into WAV data files. Separating voice and data traffic using VLANs provides a solid security boundary, preventing data applications from reaching the voice traffic. It also gives you a simpler method to deploy QoS, prioritizing the voice traffic over the data.
More "this is true" but out of context. Sure, VLANs protect against that, but so does good LAN security. VLANing here is a dangerous bandaid. And if your LAN is so insecure that you cannot control it in this way, your Voice VLAN will have the same risks. It's like telling someone that "if you can't lock your front door, you could lock your bathroom door." But the bottom line is, no one that struggles with one door lock is not going to struggle with the next one, especially when they both use the same locking mechanism. This is a desperate attempt at finding a positive in a generally negative bit of advice. VLANs don't break security, but the security claims about them are heavily just an illusion based on unlikely, illogical sets of circumstance rather than good design or real world practicality. In an ideal world, VLANs offer no security benefit. In a real world, they very rarely do.
Their QoS information is also incorrect and is contextually only about LAN traffic as this is for a LAN deployed, on premises Cisco PBX context. This assumes that there is no WAN to prioritize, which is 99.99% of what prioritization is for. It's a nominally true statement (it's easy and you can apply QoS rules to it, but it doesn't work well and causes you to miss proper QoS, so in practical terms it is anti-QoS.) It prioritizes voice network over other networks, not data over data.
This information is just not up to par for even entry level networking professionals.
-
@Romo said in Where Do You Get Good IT Advice:
One initial difficulty you can encounter when separating voice and data traffic is the fact that PCs are often connected to the network using the Ethernet port on the back of a Cisco IP Phone. Because you can assign a switchport to only a single VLAN, it initially seems impossible to separate voice and data traffic. That is, until you see that Cisco IP Phones support 802.1Q tagging.
The switch built into Cisco IP Phones has much of the same hardware that exists inside of a full Cisco switch. The incoming switchport is able to receive and send 802.1Q tagged packets. This gives you the capability to establish a type of trunk connection between the Cisco switch and IP phone, as shown in Figure 3-6.
And look, we wrap up with "by buying lots of expensive gear, you can overcome the unnecessary problems we just introduced for the sole purpose of selling you all this extra gear."
-
This is really a perfect example of what we are talking about. Cisco (and this is an example of what we see from pretty much every vendor) has a sale to make here and they make both the PBX and the networking gear. They lead with assumptions that are not stated (that you are a Fortune 500, that your LAN is insecure, that you have all Cisco gear, that you spend tons on networking but can't figure out network basics, that your equipment is on premises, that the one piece that is more important will be ignored or handled by someone else, etc.) and by pushing those as if they are just true, they use their vendor position to give marketing spiel disguised as network advice. Cisco is a vendor, not a network engineering firm - they sell network hardware, not IT services. Not once did they propose the most critical thing that IT does - consideration of the business needs and context. This alone should tell any IT person as well as any business person that this is not advice but marketing from the beginning. Unless that context exists, no advice has purpose in IT.
But this really shows how easily we can find white papers, which is an industry code word for marketing, are dangerous. The vendor has no interest in giving good advice nor is it in a position to do so.
We picked an excellent product category to use as an example.
-
@scottalanmiller Yup, this is why you use Vendors for one thing, and one thing only: purchasing things. That's it. The furthest you should go is asking what features the product has, and how it works. Their goal isn't to make as little money as possible from you because they are taking the interests of your business first. You won't get the best solution if you leave it up to the vendor and let them do your job for you.
-
Excellent post. It's not often one really thinks about things like this, and it's true.
-
@scottalanmiller said in Where Do You Get Good IT Advice:
Doctors... would they get their medical guidance from pill makers?
I know I'm late to this thread, but from what I've known actually knowing an OBGYN, this is exactly what happens way to often.
-
@travisdh1 said in Where Do You Get Good IT Advice:
@scottalanmiller said in Where Do You Get Good IT Advice:
Doctors... would they get their medical guidance from pill makers?
I know I'm late to this thread, but from what I've known actually knowing an OBGYN, this is exactly what happens way to often.
That's incredibly scary.
-
@scottalanmiller said in Where Do You Get Good IT Advice:
@travisdh1 said in Where Do You Get Good IT Advice:
@scottalanmiller said in Where Do You Get Good IT Advice:
Doctors... would they get their medical guidance from pill makers?
I know I'm late to this thread, but from what I've known actually knowing an OBGYN, this is exactly what happens way to often.
That's incredibly scary.
When was the last time you were to a Doctors office in the U.S. and didn't come out with a script for something?
That's not how it's supposed to be, it's just what most people end up actually doing. The big conglomerates actually get their sales pitches certified as continued training time for the docs.
-
@travisdh1 said in Where Do You Get Good IT Advice:
@scottalanmiller said in Where Do You Get Good IT Advice:
@travisdh1 said in Where Do You Get Good IT Advice:
@scottalanmiller said in Where Do You Get Good IT Advice:
Doctors... would they get their medical guidance from pill makers?
I know I'm late to this thread, but from what I've known actually knowing an OBGYN, this is exactly what happens way to often.
That's incredibly scary.
When was the last time you were to a Doctors office in the U.S. and didn't come out with a script for something?
That's not how it's supposed to be, it's just what most people end up actually doing. The big conglomerates actually get their sales pitches certified as continued training time for the docs.
It's true, but even I thought that doctors thought of themselves as something more than drug pushers. Maybe not a lot more, but something more.
-
Leaders of the field will publish their work. That is what furthers the field. That is the entire purpose of a dissertation is to further your field even by a fraction of a millimeter. Then their peers will critique it in order to either solidify or debunk it.
This is essentially what we do here