Educause Security Discussion mailing list archives

Re: Virtual Routing for Voice Traffic


From: John Reilly <reilly.j () GMERCYU EDU>
Date: Mon, 27 Mar 2017 10:47:53 -0400

Hi John,

We're running an Avaya VoIP system and we run voice on its own VLAN. The
phone normally acts as a small switch to the user's PC, so we run a data VLAN
along with the voice on the same switch port. We also trust DSCP along with
global & port QoS. We didn't see the need, along with the cost, to set up a
completely separate network just for VoIP. We have 2 remote sites that are
connected to our main campus using MPLS for voice and admin data.

jdr

John D. Reilly, CISSP
Director Enterprise Systems & IT Security
Gwynedd Mercy University
1325 Sumneytown Pike
Gwynedd Valley, Pa. 19437
E-mail: reilly.j () gmercyu edu
Ph: 215-542-4694

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curtis, Bruce
Sent: Friday, March 24, 2017 2:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtual Routing for Voice Traffic


  For years we have put VoIP phones on the same VLAN as all other devices.

  We configure the switches to trust the DSCP markings from the phones.
QoS will prevent more packet loss than putting phones on a separate VLAN.
QoS will put packets in a different queue on a switch port; VLAN numbers
have no effect on which switch port queue a packet is placed in.

  The VoIP phones now have private IP numbers.  They had public IP numbers
for several years for our initial deployments.
But we don’t have enough public IPv4 numbers and the phones don’t need
access to the Internet.
(But there are now some phone models with a display and a web browser.)

  Our state network has many more VoIP phones deployed in state government
offices throughout the state and they also put VoIP phones on the “data”
VLAN.

  One advantage of putting phones on the same VLAN is that even when using
one port to connect both a phone and PC (PC connects through phone) the
switch port can be an access (non-trunk) port.  Not providing a trunk
port prevents several security and DoS attacks.

  Another plus is that our phones boot faster, but that might not be true for
all phones.  The phones from our vendor boot twice when using a separate
voice VLAN.
The phones boot, learn the number for the voice VLAN via DHCP or LLDP, and
then reboot and then tag packets for the voice VLAN.



On Mar 24, 2017, at 7:39 AM, John Center <john.center () VILLANOVA EDU>
wrote:

Hi,

(I posted this to the NETMAN list, but I thought I'd also ask the
Security people, since this is one of our concerns.)

We're having a debate about how to best route voice traffic over our data
network.  Right now, we have a physically separate data & voice
infrastructure, but want to consolidate for cost savings.  How many
schools are using virtual routing to separate voice & data over a common
network infrastructure?  How many are running both without any routing
separation, except for voice VLANs?  Why?

Inquiring minds want to know...  :-)

Thanks.

   -John

--
John Center
Villanova University

---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
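Added example, not taken from any of the posts above and not the configuration of either school's gear: the two port layouts discussed in this thread (phone and PC sharing one VLAN on a plain access port, versus a separate voice VLAN on the same access port) written side by side as Cisco Catalyst IOS access-layer configuration, with the trunk-port variant the thread warns against shown for contrast. The hostnames, VLAN numbers, interface names and the `mls qos` command family are assumptions; QoS syntax varies by platform and software release, and Avaya or other vendors' LLDP-MED behaviour is not modelled.

```cisco
! Assumed platform: Cisco Catalyst running classic IOS with the "mls qos" feature set.
! VLAN numbers and interface names are made up for illustration.
!
! QoS must be enabled globally; otherwise DSCP/CoS markings are ignored and every
! frame lands in the default egress queue no matter which VLAN it came from.
mls qos
! LLDP is how a phone learns its voice VLAN (the step that triggers the second
! boot mentioned in the thread); CDP is on by default and also carries it.
lldp run

! ---- Layout A: phone and PC on the same VLAN, plain access port.
! Non-trunk port, DTP frames suppressed, and the switch trusts the DSCP the
! phone writes (EF/46 for RTP media, CS3/24 for signalling). Queue selection
! is driven by DSCP, so voice is prioritised even though it shares VLAN 10
! with the PC behind the phone.
interface GigabitEthernet1/0/1
 description Phone + PC, single data VLAN
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- Layout B: separate voice VLAN on the same access port.
! The phone learns VLAN 20 over CDP/LLDP-MED and tags its own frames; the PC's
! untagged frames land in data VLAN 10. On Catalyst the port stays in access
! mode ("switchport voice vlan" does not turn it into a trunk), DTP is still
! suppressed, and DSCP trust works exactly as in Layout A.
interface GigabitEthernet1/0/2
 description Phone + PC, data VLAN 10 / voice VLAN 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- For contrast, what not to do: give the phone/PC port a full 802.1Q trunk
! to carry the voice VLAN. A trunk (worse still, one left at the default
! "dynamic desirable" so DTP will negotiate one) lets a host behind the phone
! inject tagged frames into any allowed VLAN; this is the class of exposure the
! thread means by "security and DoS attacks" on trunk ports.
! interface GigabitEthernet1/0/3
!  switchport mode trunk
!  switchport trunk allowed vlan 10,20
```

To confirm the port did not become a trunk, `show interfaces GigabitEthernet1/0/2 switchport` should report the operational mode as static access with voice VLAN 20, and `show mls qos interface GigabitEthernet1/0/2` should show trust state "trust dscp". If the trust line is missing, the phone's EF marking is rewritten to 0 on ingress and the separate VLAN buys no queueing benefit at all, which is the point Bruce Curtis makes above.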

