Getting computers and phones on the correct VLAN regardless of switch port?
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN despite the switch port.
If this is for VoIP, the answer is "you don't". VLANs undermine VoIP traffic; they add bottlenecks and make QoS harder.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
-
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
-
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
It can be, VLANs can aid in security under the right conditions. In this example, if he moved from tagged to assigned port VLANs, and then added port security to make sure unassigned devices could not be added to the ports, then it could provide some separation security.
All based around LAN security, though, which is inherently insecure, so better to secure the traffic than to use VLANs. But short of going LANless, there are cases where you can make VLANs add a little security.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
VLANs CAN be used for that. The most common reason is "error", at least in these examples.
VLANs when used for things like guest networks, that's security for sure, and very effective. Easy to enforce, clear separation of traffic.
When it comes to VoIP, VLANs aren't for security or management, not really. They don't affect security in any meaningful way, and they make management way harder.
-
If you want the phones and computers to get the correct VLAN, you need to then tag every single port on the switches involved and then configure, either by DHCP option or manually on each device, to get the VLAN assigned to the device. That means a lot of manual work, besides using the DHCP option on your DHCP server for the phones at least.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of these is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of these is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5, thus forcing any devices plugged into those ports to be on that VLAN?
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of these is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5, thus forcing any devices plugged into those ports to be on that VLAN?
Right. Ports 1-10 on VLAN 5, 11-24 on VLAN 0. As long as you control what gets plugged into them, the VLANs are essentially air tight.
-
This port ID system is great, too, if you want to be able to move equipment around quickly. Make white wall ports for PCs, yellow for phones. Yeah, it takes twice as many wall ports, but it is SO easy to set up.
-
Also, port enforced VLANs mimic physical LANs better which allows you to transparently move back and forth between VLAN and LAN where it makes sense.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of these is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5, thus forcing any devices plugged into those ports to be on that VLAN?
Right. Ports 1-10 on VLAN 5, 11-24 on VLAN 0. As long as you control what gets plugged into them, the VLANs are essentially air tight.
Well what about a situation where you have computers that plug into phone sets, and then those phone sets connect to the network port on the wall? You'd need those phones to be tagged and the network traffic from the pc to be untagged, at least in my situation.
-
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
VLANs CAN be used for that. The most common reason is "error", at least in these examples.
VLANs when used for things like guest networks, that's security for sure, and very effective. Easy to enforce, clear separation of traffic.
When it comes to VoIP, VLANs aren't for security or management, not really. They don't affect security in any meaningful way, and they make management way harder.
Well, wouldn't one security measure count, such as preventing someone on the data network from sniffing voice traffic? I know it's not the primary solution but it's one additional measure.
-
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
But, if we go a bit further. What kind of switches do you have?
Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500
No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.
I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.
VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of these is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.
But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.
So you mean like, put ports 1 - 10 on VLAN 5, thus forcing any devices plugged into those ports to be on that VLAN?
Right. Ports 1-10 on VLAN 5, 11-24 on VLAN 0. As long as you control what gets plugged into them, the VLANs are essentially air tight.
Well what about a situation where you have computers that plug into phone sets, and then those phone sets connect to the network port on the wall? You'd need those phones to be tagged and the network traffic from the pc to be untagged, at least in my situation.
Correct, and that's what was being pointed out above: it means that your devices (the phone and the PC) can bypass the VLAN security to get to whatever they want, as they control the tags. Tagging means that management, but not security, will continue to work, because if the computer is hacked, for example, the hacker would just tell it to grab the other VLANs' traffic as well, if that is what they wanted.
-
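An added illustration of the tagged-versus-port-based distinction argued in the posts above (editor-supplied example code, not anything posted in the thread). The 802.1Q header layout is the real one; the switch is a small model of how a port in access (port-based) mode versus general (tagged, shared phone/PC) mode classifies frames on the way in and which VLANs it hands the host on the way out. Port modes, MAC addresses and VLAN numbers 10 and 20 are constructed for the example.

```python
"""Added example, not from the thread: model the ingress/egress VLAN handling of a
switch port so the difference between a tagged ("general"/trunk) port and a
port-based (access) assignment is concrete. The 802.1Q header layout is real;
the switch behaviour is a simplified model, not the PowerConnect firmware."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; insert a 4-byte 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID is 12 bits, PCP is 3 bits")
        tci = (pcp << 13) | vid           # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(raw: bytes) -> Optional[int]:
    """Return the VID of a tagged frame, or None when the frame is untagged."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", raw[14:16])
    return tci & 0x0FFF


@dataclass(frozen=True)
class Port:
    """mode 'access': port-based VLAN, everything the host sends lands in pvid.
    mode 'general': untagged frames land in pvid, tagged frames keep the VID
    the host wrote as long as the switch allows that VID on this port."""
    mode: str
    pvid: int
    tagged_allowed: FrozenSet[int] = frozenset()


def ingress_vlan(port: Port, raw: bytes) -> Optional[int]:
    """VLAN the switch forwards the frame in, or None if it drops the frame."""
    vid = parse_tag(raw)
    if vid in (None, 0):                  # VID 0 is priority-tagged: treat as untagged
        return port.pvid
    if port.mode == "access":
        # Modelled behaviour: the wall jack decides; a host tag for any other
        # VLAN is discarded instead of honoured.
        return port.pvid if vid == port.pvid else None
    if port.mode == "general":
        return vid if vid in port.tagged_allowed else None
    raise ValueError(port.mode)


def egress_visible(port: Port) -> FrozenSet[int]:
    """VLANs whose frames the switch will deliver to the host on this port."""
    if port.mode == "access":
        return frozenset({port.pvid})
    return frozenset({port.pvid}) | port.tagged_allowed


def demo() -> dict:
    data_vid, voice_vid = 10, 20
    pc = bytes.fromhex("020000000001")        # constructed MAC addresses
    pbx = bytes.fromhex("020000000099")
    shared_port = Port("general", pvid=data_vid, tagged_allowed=frozenset({voice_vid}))
    pc_only_port = Port("access", pvid=data_vid)
    # A compromised PC behind the phone writes a voice-VLAN tag itself.
    forged = build_frame(pbx, pc, ETH_IPV4, b"SIP INVITE ...", vid=voice_vid, pcp=5)
    plain = build_frame(pbx, pc, ETH_IPV4, b"HTTP ...")
    return {
        "forged_on_shared_port": ingress_vlan(shared_port, forged),     # 20: honoured
        "forged_on_access_port": ingress_vlan(pc_only_port, forged),    # None: dropped
        "plain_on_access_port": ingress_vlan(pc_only_port, plain),      # 10
        "shared_port_sees": sorted(egress_visible(shared_port)),        # [10, 20]
        "access_port_sees": sorted(egress_visible(pc_only_port)),       # [10]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the forged voice tag is honoured on the shared phone/PC port but discarded on the access port, and `egress_visible` shows why a compromised PC on the shared port only has to listen for VID 20: the switch delivers both VLANs to it. Nothing in the frame format stops the host from choosing its tag; only the port assignment does, which is the point being made in the posts above.
-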
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
@dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:
@coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:
Why are you segregating voice and data traffic?
? The question is about how to get the devices onto their intended VLAN.
Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?
VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.
lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.
VLANs CAN be used for that. The most common reason is "error", at least in these examples.
VLANs when used for things like guest networks, that's security for sure, and very effective. Easy to enforce, clear separation of traffic.
When it comes to VoIP, VLANs aren't for security or management, not really. They don't affect security in any meaningful way, and they make management way harder.
Well, wouldn't one security measure count, such as preventing someone on the data network from sniffing voice traffic? I know it's not the primary solution but it's one additional measure.
Sort of, but your switch already does that by the nature of being a switch. So the VLAN isn't providing an additional feature in this case.
The ability to sniff traffic on the switch would require the same level of access that bypasses the VLAN. So the switch and VLAN segregations would be breached together as a singular attack.
So VLANs in the port enforced sense, yes. But in this example case, no.
-
And before someone forgets and says "well if you didn't have a switch, but had VLANs".... hubs don't support VLANing. A switch is needed for VLANs to exist.
-
Turns out the thing I was looking for was LLDP protocol.
Sometimes, it's all in how you ask the question -_-
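-
The LLDP mentioned in the last post does its voice-VLAN job through the LLDP-MED Network Policy TLV: the switch advertises the voice VLAN ID on the port, and the phone adopts it, which is what makes the VLAN follow the phone rather than the port. As an added example (editor-supplied, not from the thread), here is a minimal LLDPDU carrying that TLV and the parsing a phone performs to pull the VLAN ID back out. TLV and bit layouts follow IEEE 802.1AB and ANSI/TIA-1057; the switch MAC, port name, TTL and VLAN 20 are constructed.

```python
"""Added example, not from the thread: a minimal LLDPDU carrying the LLDP-MED
Network Policy TLV, which is how a switch tells a phone its voice VLAN, and the
parsing a phone does to learn that VLAN regardless of which port it lands on.
TLV and bit layouts follow IEEE 802.1AB and ANSI/TIA-1057; MACs, port name and
VLAN numbers are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
OUI_TIA = bytes.fromhex("0012bb")     # TIA OUI carried by every LLDP-MED TLV
MED_NETWORK_POLICY = 2                # LLDP-MED subtype for Network Policy
APP_VOICE = 1                         # application type 1 = Voice


def tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type and 9-bit length in one big-endian word, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value limited to 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def med_network_policy(app_type: int, vid: int, l2_prio: int, dscp: int,
                       tagged: bool = True, unknown: bool = False) -> bytes:
    """Org-specific TLV: OUI, subtype, then 32 bits laid out as
    app(8) | U(1) | T(1) | X(1, reserved) | VLAN ID(12) | L2 priority(3) | DSCP(6)."""
    if not (0 <= app_type <= 255 and 0 <= vid <= 4095 and 0 <= l2_prio <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    word = ((app_type << 24) | (int(unknown) << 23) | (int(tagged) << 22)
            | (vid << 9) | (l2_prio << 6) | dscp)
    return tlv(TLV_ORG, OUI_TIA + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word))


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int,
                 voice_vid: Optional[int]) -> bytes:
    """Mandatory TLVs plus, optionally, a Voice policy (tagged, PCP 5, DSCP 46 = EF)."""
    pdu = tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)            # subtype 4 = MAC address
    pdu += tlv(TLV_PORT_ID, b"\x05" + port_name.encode())        # subtype 5 = interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    if voice_vid is not None:
        pdu += med_network_policy(APP_VOICE, voice_vid, l2_prio=5, dscp=46)
    return pdu + tlv(TLV_END, b"")


def parse_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, stopping at End of LLDPDU; reject truncated values."""
    out, off = [], 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack("!H", pdu[off:off + 2])
        t, n = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2:off + 2 + n]
        if len(value) != n:
            raise ValueError("truncated TLV")
        out.append((t, value))
        off += 2 + n
        if t == TLV_END:
            break
    return out


def parse_network_policy(value: bytes) -> Dict[str, int]:
    """Decode the 32-bit policy word that follows OUI and subtype."""
    (word,) = struct.unpack("!I", value[4:8])
    return {"app_type": word >> 24, "unknown": (word >> 23) & 1,
            "tagged": (word >> 22) & 1, "vid": (word >> 9) & 0x0FFF,
            "l2_prio": (word >> 6) & 0x7, "dscp": word & 0x3F}


def voice_vlan_from_lldpdu(pdu: bytes) -> Optional[int]:
    """What the phone does: find a usable Voice policy and adopt its VLAN ID."""
    for t, value in parse_tlvs(pdu):
        if t == TLV_ORG and value[:3] == OUI_TIA and value[3] == MED_NETWORK_POLICY:
            pol = parse_network_policy(value)
            if pol["app_type"] == APP_VOICE and pol["tagged"] and not pol["unknown"]:
                return pol["vid"]
    return None


if __name__ == "__main__":
    switch_mac = bytes.fromhex("0200000000ff")                    # constructed
    pdu = build_lldpdu(switch_mac, "Gi1/0/7", ttl=120, voice_vid=20)
    print(pdu.hex())
    print("voice VLAN learned:", voice_vlan_from_lldpdu(pdu))
    print("no policy TLV:", voice_vlan_from_lldpdu(build_lldpdu(switch_mac, "Gi1/0/8", 120, None)))
```

Design note: LLDP frames carry no authentication, so any device on the port that advertises LLDP-MED capability can be told the voice VLAN ID and then tag for it. LLDP-MED solves the provisioning problem this thread opened with (phones finding their VLAN on any port); it does not change the separation argument made in the middle of the thread.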