VLANs for call center - thoughts?

Hi all,

I'm currently in the planning phase for a VLAN rollout sometime in late Fall or Winter. Our environment is a call center and as such we have many computers and many phones. We also share floorspace with another company, which I will set up on its own VLAN.

My issue comes during the planning: all of our employees' stations only have one ethernet port, meaning that all phones are daisy-chained into the computers. I'd like to have phones on one VLAN and computers on another, but that doesn't seem like an option with that setup.

Can this be done? Since we are strictly a Polycom shop I thought about doing some sort of MAC address filter, since it's easy to pull the manufacturer number, but it sounds like a sticky solution.

Things to note about the environment (Phone/PC count):
  • Other Company: ~25 phones, 25 computers (not daisy-chained; all have separate drops)
  • Management: 14 phones, 14 computers (not daisy-chained; all have separate drops)
  • Consultants: 234+ phones, 234+ PCs (daisy-chained, all on one drop)
  • WAPs: 8 drops (I'll be separating this into an employee VLAN and guest VLAN later on)
  • Administration: I'll be setting up a VLAN for all switches, servers, etc.

Additionally, we're on a /22 subnet for the entire network. I'll be dropping that back as it's too big for what we need, hence the VLAN. There is little inter-office traffic between machines in regards to files being sent back and forth between users. Since being a call center most of the traffic is in and out of the building for VoIP calls and such.

It's a very simple environment since we do not have finance, marketing, or other departments that we could potentially split off into VLANs.

What would be the suggestion for this network with this environment? Shall I attempt to get the big wigs to spend the money on getting additional drops added to each consultant station and would that even help?
 
This is possible, we did this with Shoretel.

All of your ports would need to be Tagged in the Voice VLAN, and Untagged in the DATA VLAN. If the Polycom phones support this at least, then data from the switch port on the phone would be untagged and go to VLAN DATA, and voice would go to the Voice VLAN. It has been over a year and a half since I did this so I might have those backwards, but I don't think I do. I also don't have the configs available as I don't work there anymore.

But I can tell you it is possible.
 
Network card and phone would have to understand VLAN tags to separate them out on consultant phones.

Do the phones have an extra port and understand VLANs, so you could daisy-chain computers off them, or do the computers' NICs understand VLANs so you could daisy-chain phones off them?
 
You set your ports as trunks on the switch as they need to carry multiple VLANs. Then you set your untagged VLANs for your PC and the tagged VLAN is your phone VLAN. The PCs won't understand the VLAN tags but the phones will. There's basically a mini 3 port switch inside the VOIP phone.

If you have separate drops for phones and PCs, just set the switch ports to access ports and set the VLANs as appropriate. The trunk ports are for the phones with the ports that go to the PC as well.

What type of switches do you have?
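The tagged/untagged split described above (PC frames untagged into the data VLAN, phone frames tagged into the voice VLAN, anything else dropped), as an added worked example that is not code from this thread or from any switch or phone vendor. It is a small Python model of how an access port with a data VLAN and a voice VLAN classifies what arrives from the phone's pass-through port. The VLAN numbers 102 and 202 are the ones used in the sample switch config later in the thread; the MAC addresses are constructed. The 0x8100 TPID and the 12-bit VLAN ID / 3-bit priority layout are standard 802.1Q.

```python
import struct

TPID_8021Q = 0x8100

# Port configuration for the example: untagged (access) VLAN 102 for the PC,
# voice VLAN 202 for the phone, as in the sample config later in the thread.
ACCESS_VLAN = 102
VOICE_VLAN = 202

# Constructed, locally administered MACs; not real devices.
PHONE_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")
SWITCH_MAC = bytes.fromhex("020000000003")


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload) for an Ethernet frame.
    Handles a single 802.1Q tag, which is all a phone/PC access port sees."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF          # low 12 bits; the top 3 are the priority (PCP)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, vlan_id, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def classify_ingress(frame: bytes, access_vlan=ACCESS_VLAN, voice_vlan=VOICE_VLAN):
    """Decide which VLAN a frame arriving on the phone/PC port belongs to:
    untagged -> data (access) VLAN; tagged with the voice VLAN -> voice VLAN;
    tagged with any other VLAN -> dropped, since the port does not carry it."""
    _, _, vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        return ("data", access_vlan)
    if vlan_id == voice_vlan:
        return ("voice", voice_vlan)
    return ("drop", vlan_id)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def demo():
    # The phone tags its own traffic into the voice VLAN with priority 5 ...
    voice = build_frame(SWITCH_MAC, PHONE_MAC, 0x0800, b"RTP", vlan_id=VOICE_VLAN, pcp=5)
    # ... and forwards the PC's frames through its second port untagged.
    data = build_frame(SWITCH_MAC, PC_MAC, 0x0800, b"HTTP")
    # A frame tagged with a VLAN the port does not carry is simply dropped.
    other = build_frame(SWITCH_MAC, PC_MAC, 0x0800, b"x", vlan_id=999)
    return [classify_ingress(f) for f in (voice, data, other)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The PC never sees the tag: the switch strips it on the way out and the phone passes the PC's frames through untouched, which is why the PC's NIC does not need to understand VLANs while the phone does.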
 
Most Polycom phones support VLANs; the phones are actually 2-port switches which support VLAN tagging.
If you haven't already, upgrade the phones to at least UC 4.01 which makes managing the phones a whole lot easier.
 
This can be done, with Cisco switches you just add voice VLAN *number* to each port.
 
So tagging the traffic is what it boils down to - noted.

I'm still not clear on the specifics of VLAN planning and execution. So do I need to get a count of hosts, then re-subnet away from my /22 network to accommodate them, then create a VLAN on the switch with that new subnet's IP information? Or are they independent of each other?

Additionally, I have my WS2008 handing out DHCP, I'd create multiple scopes, but how does WS know which VLAN to assign scoped IP addresses to?

As I understand VLANs are for security as subnetting is for speed...

I totally get the theory of VLANs; it's my actual execution that I'm not sure of. I've got a test switch to do my stuff on before applying the VLAN config to all switches, but any help and suggestions would be great!
 
I believe you would need a NIC in each subnet for the DHCP server, or you can leave it where it is and use DHCP IP helper addresses on the switches. That basically lets the switch forward DHCP requests and offers to the server and back to the client.
 
Here is how this would work on Avaya:
The phone would boot up untagged on the data VLAN -- when the phone boots up on the data VLAN, the DHCP server has option 142/276 configured with "L2QVLAN=xx" where xx = voice VLAN
The phone will now switch to the voice VLAN and boot on the voice VLAN getting its real settings and not simply a "switch VLANs message"

I imagine there is something similar in Polycom land
 
Re-subnet your network and map the new subnets to VLANs.

Example:
192.168.0.0 /22

Vlan 1 192.168.0.0 /25
Vlan 2 192.168.0.128 /25
Vlan 3 192.168.1.0 /25
Vlan 4 192.168.1.128 /25
Vlan 5 192.168.2.0 /24
Vlan 6 192.168.3.0 /24

Create the scopes on the DHCP server as you would normally. Your switches should have a feature called IP Helper Address that allows them to forward broadcasts as unicasts to specific addresses. You will configure this with the IP address of the DHCP server.

Here is an example of IP Helper address configuration

Code:
EEUSDS013550#show run int vlan 101
Building configuration...

Current configuration : 188 bytes
!
interface Vlan101
 description Prod_User_Acs_1
 ip address 172.16.0.62 255.255.255.192
 ip helper-address 172.16.0.254
 standby 11 ip 172.16.0.1
 standby 11 timers 1 3
 standby 11 priority 110
 standby 11 preempt
end
Here is a sample configuration for an access port with a voice VLAN and user VLAN:

Code:
EEUSAS012950#show run int f0/11
Building configuration...

Current configuration : 349 bytes
!
interface FastEthernet0/11
 description USER ACCESS
 switchport access vlan 102
 switchport mode access
 switchport voice vlan 202
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 mls qos trust device cisco-phone
 spanning-tree portfast
 ip dhcp snooping limit rate 3
end
If you have any questions please let me know, I have a 5 switch lab sitting right next to me so I can try out almost anything.
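Putting the two answers above together, the re-subnetting of the /22 into one subnet per VLAN and the IP helper that relays DHCP to a server sitting in another VLAN, as an added worked example that is not code from this thread, from Cisco, or from Microsoft. It assumes constructed host counts loosely based on the first post and a made-up DHCP server address (192.168.2.70) in the admin subnet. The relay mechanism it models is the one from RFC 2131: the switch stamps the `giaddr` field with the address of the VLAN interface the broadcast arrived on, forwards the packet as a unicast to the helper address, and the DHCP server chooses the scope whose subnet contains `giaddr`. That field is the answer to the earlier question of how the Windows server knows which VLAN a request came from.

```python
import ipaddress
import struct

# Constructed host counts, loosely following the environment list in the first
# post: consultants get a data VLAN and a voice VLAN, the rest share one subnet each.
HOST_COUNTS = {
    "consultants-data": 240,
    "consultants-voice": 240,
    "other-company": 50,
    "admin": 30,
    "management": 28,
}

# Constructed address for the DHCP server; it sits in the admin subnet.
DHCP_SERVER = ipaddress.ip_address("192.168.2.70")


def plan_subnets(block, host_counts):
    """Carve `block` into one subnet per VLAN. Largest requirement first, so every
    piece lands on an aligned boundary and nothing overlaps. Returns {name: network}."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        need = hosts + 3                          # plus network, broadcast, gateway
        prefix = 32 - (need - 1).bit_length()     # smallest prefix with >= need addresses
        free.sort(key=lambda n: n.num_addresses)  # best fit: smallest chunk that works
        for chunk in free:
            if chunk.prefixlen <= prefix:
                chosen = next(chunk.subnets(new_prefix=prefix))
                free.remove(chunk)
                if chosen != chunk:
                    free.extend(chunk.address_exclude(chosen))
                plan[name] = chosen
                break
        else:
            raise ValueError(f"no room left for {name} ({hosts} hosts)")
    return plan


def build_discover(xid, mac):
    """Minimal DHCPDISCOVER with the RFC 2131 fixed header (op, htype, hlen, hops,
    xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file), then
    the magic cookie and a message-type option. Broadcast flag set, giaddr zero."""
    zero4 = b"\0" * 4
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,
                        zero4, zero4, zero4, zero4, mac, b"", b"")
    return fixed + bytes.fromhex("63825363") + bytes([53, 1, 1, 255])


def relay(packet, svi_address):
    """What `ip helper-address` does with the broadcast: bump the hops count,
    stamp giaddr with the VLAN interface address it arrived on (unless an earlier
    relay already did), and send the result as a unicast to the server."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(svi_address).packed
    relayed = packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]
    return DHCP_SERVER, relayed


def select_scope(packet, plan):
    """Server side: the scope is the one whose subnet contains giaddr. A zero
    giaddr means the client is on the server's own segment."""
    giaddr = ipaddress.ip_address(packet[24:28])
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        return next(name for name, net in plan.items() if DHCP_SERVER in net)
    for name, net in plan.items():
        if giaddr in net:
            return name
    raise LookupError(f"no scope contains relay address {giaddr}")


def demo():
    plan = plan_subnets("192.168.0.0/22", HOST_COUNTS)
    # The VLAN interface (gateway) of each subnet is its first usable address.
    gateways = {name: net.network_address + 1 for name, net in plan.items()}
    discover = build_discover(0x1234, bytes.fromhex("020000000001"))  # constructed MAC
    server, relayed = relay(discover, gateways["consultants-voice"])
    return plan, str(server), select_scope(relayed, plan)


if __name__ == "__main__":
    plan, server, scope = demo()
    for name, net in plan.items():
        print(f"{name:18s} {net}")
    print(f"relayed to {server}; server picked scope {scope}")
```

The subnet and VLAN are independent objects on the switch; what ties them together is the VLAN interface address, which is both the gateway the DHCP scope hands out and the value the relay puts into `giaddr`, so the scope's subnet must match the VLAN interface's subnet exactly.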
 
Re-subnet your network and map the new subnets to VLANs.

Example:
192.168.0.0 /22

Vlan 1 192.168.0.0 /25
Vlan 2 192.168.0.128 /25
Vlan 3 192.168.1.0 /25
Vlan 4 192.168.1.128 /25
Vlan 5 192.168.2.0 /24
Vlan 6 192.168.3.0 /24

Create the scopes on the DHCP server as you would normally. Your switches should have a feature called IP Helper Address that allows them to forward broadcasts as unicasts to specific addresses. You will configure this with the IP address of the DHCP server.

Here is an example of IP Helper address configuration

Code:
EEUSDS013550#show run int vlan 101
Building configuration...

Current configuration : 188 bytes
!
interface Vlan101
 description Prod_User_Acs_1
 ip address 172.16.0.62 255.255.255.192
 ip helper-address 172.16.0.254
 standby 11 ip 172.16.0.1
 standby 11 timers 1 3
 standby 11 priority 110
 standby 11 preempt
end
Here is a sample configuration for an access port with a voice VLAN and user VLAN:

Code:
EEUSAS012950#show run int f0/11
Building configuration...

Current configuration : 349 bytes
!
interface FastEthernet0/11
 description USER ACCESS
 switchport access vlan 102
 switchport mode access
 switchport voice vlan 202
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 mls qos trust device cisco-phone
 no cdp enable
 spanning-tree portfast
 ip dhcp snooping limit rate 3
end
If you have any questions please let me know, I have a 5 switch lab sitting right next to me so I can try out almost anything.

I thought you had to have CDP enabled on the access port as this is how Polycom's phones determine what is voice and what is data?
 
Oops my bad, yeah you will need CDP!

I just had it off on that port since I am not using it for anything, I fixed the output.
 
As soon as you want to make stuff become automagic then you will at the same time open up for misuse and other bad things.

I would highly recommend you verify whether you can disable both VTP and CDP, and at the same time use protected VLANs (or private VLANs if that's available) along with DHCP snooping, option 82 and dynacl.

This way you will have logs for where and when each IP address existed in your client network (even with DHCP), but also, when (and not if) you get malware into your network, it will be slowed down in its possibility of spreading between your clients.

A common problem when using protected/private VLANs with VoIP is that you will need to reconfigure your VoIP to use a B2B flow (instead of client1 sending data directly to client2, client1 sends its data to the B2B device, which then forwards it to client2, since client1 and client2 cannot reach each other directly due to the protected/private VLAN).

To make stuff even more secure you can also use VPN internally (make sure not to allow split tunneling); this way, even if someone plugs in a rogue AP, the data which flows over your network will be protected, especially in your case where you seem to share your physical access equipment with another company.

An (encrypted) VPN in this case can also be used instead of 802.1x.

On the other hand, this company (I suppose) has physical access to your client stations anyway?

A great thing for an environment such as this (depending on the number of clients and availability demands, of course) is if you can afford to set up a lab with the same equipment and, for example, at least 2 clients to simulate how stuff will work when you enable (or disable) various network-based features.
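One concrete piece of the logging that DHCP snooping with option 82 gives you, as an added example that is not code from this thread or from any switch vendor: a Python routine that walks the DHCP options of an acknowledged lease, pulls the relay agent circuit-id and remote-id out of option 82 (RFC 3046 sub-options 1 and 2), and records an IP-to-MAC-to-port binding with a timestamp, which is what lets you answer "where and when did this address exist". The option bytes, the client MAC, the port string and the timestamp are constructed; real switches encode circuit-id in their own binary formats rather than the readable text used here.

```python
from datetime import datetime, timezone

DHCP_MESSAGE_TYPE = 53   # option 53
RELAY_AGENT_INFO = 82    # option 82
DHCPACK = 5              # message type value for an ACK

# Constructed timestamp so the example is reproducible.
SAMPLE_TIME = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_options(opts: bytes) -> dict:
    """Walk DHCP option TLVs (the bytes after the magic cookie). PAD (0) has no
    length byte and is skipped; END (255) stops the walk. Returns {code: raw value}.
    The same walk works for the sub-options inside option 82."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def encode_options(options: dict, terminate: bool = True) -> bytes:
    """Inverse of parse_options; used here to build the constructed sample.
    Sub-option blobs (option 82's value) carry no END marker, hence `terminate`."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return body + (b"\xff" if terminate else b"")


def snooping_binding(yiaddr: bytes, chaddr: bytes, options: bytes, now: datetime):
    """The binding a snooping switch records when it sees a DHCPACK: client IP,
    client MAC, and the circuit-id/remote-id the relay stamped into option 82.
    Any other message type produces no binding."""
    opts = parse_options(options)
    if opts.get(DHCP_MESSAGE_TYPE) != bytes([DHCPACK]):
        return None
    sub = parse_options(opts.get(RELAY_AGENT_INFO, b""))
    return {
        "ip": ".".join(str(b) for b in yiaddr),
        "mac": chaddr.hex(":"),
        "port": sub.get(1, b"").decode("ascii", "replace") or None,
        "switch": sub.get(2, b"").decode("ascii", "replace") or None,
        "seen": now.astimezone(timezone.utc).isoformat(),
    }


def demo():
    # Constructed sample: an ACK for a phone on the voice VLAN, relayed by a switch
    # that stamped a readable circuit-id (port) and remote-id (switch name).
    opt82 = encode_options({1: b"vlan202:Fa0/11", 2: b"EEUSAS012950"}, terminate=False)
    options = encode_options({DHCP_MESSAGE_TYPE: bytes([DHCPACK]), RELAY_AGENT_INFO: opt82})
    return snooping_binding(bytes([192, 168, 1, 23]), bytes.fromhex("020000000001"),
                            options, SAMPLE_TIME)


if __name__ == "__main__":
    print(demo())
```

Kept over time, these records are the audit trail the post refers to: a lease is tied to the physical port it was issued on, not just to a MAC that anyone can set, and the snooping switch uses the same table to drop traffic from addresses that were never leased on that port.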
 