Advice on network setup / VLANs

After a bit of advice on sorting out our office's network.

Current set-up is very simple:

Standard BT Business ADSL hub/modem connected to a 16-port basic Netgear switch > 1 x 16-port Netgear PoE switch connecting to desktop PCs (around 7) + 4 IP phones.

A few other machines running through the first switch, and a CCTV NVR.

We'll be getting a new connection installed in around 1-2 months and will be looking to upgrade the overall network.

ISP will be providing the Router (Cisco 1921 + EHWIC-4ESG)

Whilst this is managed, there's always a charge for adding port forwards etc. etc., so we're looking to add our own router (Draytek Vigor 2925?) and have a set-up using VLANs as below:

1. VLAN 1 = VOIP : 4-5 x SIP Phones
2. VLAN 2 = General Data : 10-15 PCs
3. VLAN 3 = CCTV : 20+ IP Cameras / NVRs (accessible from VLAN 2)
4. VLAN 4 = WiFi (without access to any of the other VLANs)

The ISP was proposing to pre-configure the router as 2 VLANs (1 port for SIP phones, 1 port for remaining data) which in our case wouldn't work as the switch used for phones would also have some desktops connected.

Basically the question is, would we be better off :

1. 1921 configured with 2 VLANs - 1 for Voice - run additional CAT5 cable to existing 8 port PoE switch for Voice only, and additional switch for Desktops. 2nd VLAN into our Draytek router and the remaining 3 VLANs defined from there.

2. Our Draytek router handling all the VLANs, instead of separate voice/data switch just 1 x 16 port managed switch - 4-5 ports Voice, remaining ones data

I'm leaning towards 1 - especially in case we do have issues with VOIP the provider can't blame our own equipment, and just requires laying one additional cable.

Would appreciate any advice / input, Thanks!
 
Just setup the VLANs on your kit then you have full management and you don't have to keep going back to them. There's nothing to 'blame' really and you just need the 1 port from the 1921 so they can just use the 2nd GigE routed port rather than charging (?) you £200 or whatever for a HWIC. Just get them to set it up in a passthrough setup and present a public range on the LAN of the 1921 to avoid double NATing.
 
The 1921 is very commonly used to hand service off on, just get them to supply it to perform that role. It will pump internet out of GE 0/0 and you can do what you want after that.
 
Thanks for the replies.

The only reason I mentioned "blame" is that if there are any VOIP issues the provider can't blame our set-up/equipment, whereas if they set this up on their side it'll be 100% their config/equipment (other than the CAT5).

So it wouldn't be a problem to just keep the existing CAT5 run we have and just split some ports off for VOIP VLAN, others to data?

In the case of the switch being for VOIP only, running from the VOIP VLAN port on the 1921 would it need to be 802.1Q, or just a standard PoE switch will do the trick?

Sorry if these questions seem stupid, never really had to work with VLANs before and being such a small company we don't have a dedicated IT department :o
 
802.1Q is just the standard for supporting VLANs; if they hand off the VLAN in access mode on one of the switchports on that HWIC then in theory you'll just need a 'dumb' layer 2 switch to give you the ports you need and to provide the power for the phones. That's if you wanted a dedicated switch for the VOIP phones.

Working with telephone companies before, they'll still probably try and blame your switch and phones if they didn't provide them. They like to arm wrestle you into a fully managed service.
 
When you mean a "dumb" layer 2, you mean basically just any standard switch?

That's why I'm thinking of using a dedicated switch for VOIP (provided by ISP) with their own VLAN from the HWIC in case there is any issues on the VOIP side - so they can't push the blame to us if there is an issue. The cost of HWIC is irrelevant as it's part of the installation and as such will be covered by the super connected cities scheme.

We'd then just have a separate switch for desktops and create the remaining VLANs on our own equipment - whilst the VOIP VLAN is set up by them
 
Yeah any standard switch as you say, that will suffice for a small office. You can get them to present a private range on DHCP for all the phones and they look after all that side and give you another port with a public range to go into the WAN interface of the Draytek for the rest of the data stuff for you to manage. It's a setup I've done before and you can get them to rate limit the port for data to make sure there's always enough bandwidth for VOIP calls.
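The handoff described in the two replies above (voice VLAN presented in access mode on an EHWIC port so a plain PoE switch can sit behind it, a public range presented on a routed port for the Draytek's WAN so there is no double NAT, and a rate limit on the data side so voice always has headroom), written out as Cisco IOS configuration for the 1921. This is an added example, not the thread's or the ISP's actual config. It assumes the EHWIC-4ESG sits in slot 0 (ports Gi0/0/0 to Gi0/0/3), Gi0/0 is the ISP-managed WAN, Gi0/1 is the data handoff, and all addresses are placeholders: 10.10.10.0/24 for the phones, 192.0.2.0/29 standing in for the public range, 203.0.113.53 for the provider's resolver, and a 90 Mbps cap on a 100 Mbps circuit.

```cisco
! Added example, not from the thread or the ISP. Placeholder addresses throughout.
!
! Provider resolver (placeholder); the router forwards phone DNS queries to it.
ip name-server 203.0.113.53
ip dns server
!
! --- Voice VLAN: untagged (access mode) handoff to a plain PoE switch ---
vlan 10
 name VOICE
!
! Park the three unused HWIC ports in an unused VLAN and shut them so a cable
! plugged in later does not silently land on the voice segment.
vlan 999
 name PARKING
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp pool VOICE
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.1
!
! Only the phone subnet is NATed out of the WAN; the /29 is routed as-is.
ip access-list standard NAT-VOICE
 permit 10.10.10.0 0.0.0.255
!
! Keep the two handoffs apart on the router itself: phones never need to reach
! the customer's public range, and the rule is enforced here rather than trusted
! to the Draytek.
ip access-list extended VOICE-IN
 deny   ip 10.10.10.0 0.0.0.255 192.0.2.0 0.0.0.7
 permit ip 10.10.10.0 0.0.0.255 any
!
! Cap data at 90 Mbps in both directions so voice always has headroom. Five
! concurrent G.711 calls at 20 ms packetisation are about 87 kbps each per
! direction, i.e. roughly 0.44 Mbps in total.
policy-map DATA-CAP
 class class-default
  police 90000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description WAN - addressing and routing as configured by the provider
 ip nat outside
!
interface GigabitEthernet0/0/0
 description VOICE handoff - dumb PoE switch, phones only
 switchport mode access
 switchport access vlan 10
 no shutdown
!
interface range GigabitEthernet0/0/1 - 3
 description unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface Vlan10
 description VOICE gateway (DHCP server for the phones)
 ip address 10.10.10.1 255.255.255.0
 ip access-group VOICE-IN in
 ip nat inside
!
! --- Data handoff: public /29 on the LAN side, no NAT, Draytek WAN plugs in here ---
interface GigabitEthernet0/1
 description DATA handoff - customer Draytek WAN port
 ip address 192.0.2.1 255.255.255.248
 service-policy input DATA-CAP
 service-policy output DATA-CAP
 no shutdown
!
ip nat inside source list NAT-VOICE interface GigabitEthernet0/0 overload
```

The Draytek takes 192.0.2.2 (or any other usable address in the /29) on its WAN and does its own NAT for the data, CCTV and WiFi VLANs, so the rules that matter for those (WiFi isolated from everything, CCTV reachable only from the data VLAN) are configured on the Draytek, not on the 1921. The 1921 side only has to guarantee that the phone segment and the customer's public range never see each other, which is what VOICE-IN does; a quick check after installation is to plug a laptop into the phone switch and confirm it gets a 10.10.10.x lease but cannot ping 192.0.2.1.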
 
Thanks, that makes sense. There'll be a total of 5 ports, so 1 for VOIP then the rest straight through to our own equipment (just 1 router to start, possible extra in the future), our Draytek will handle all the DHCP etc. for everything other than VOIP.

That brings me to the last question (I hope!): the 2925 shows a spec of max. firewall throughput of 200Mb/s. I guess this is both ways combined, under ideal conditions. Would we likely need something that can handle a little more (the connection is 100Mb)?

Thanks for the advice so far, appreciated
 
Figures like that aren't always useful because they never tell you how they tested the throughput and if that's just with access lists or stateful inspection. Knowing the max session count before the CPU craps out would be more useful. In this case I think that with your amount of users you don't need to go too mad with the router, even if everyone was making calls at the same time that would only use 2-3Mbps depending on the codec.
 
Max sessions according to the comparison graph is 50,000

We're only a few users so I guess it won't be an issue; 2-3 Mbps is only 2-3% of the line, so that's not an issue.

Will update once this is installed (haven't been given a date yet)
 