Local Vlan Questions

dtom · ‎07-30-2012

I am trying to see if I understand how vlan's work and have a few vlan quesiton. We have multiple remote sites that connect to our Main office. Each remote site has a router with the following configuration:

int gi0/0.5

desc Voice Vlan

encap dot1q 5

ip address 10.xxx.5.1 255.255.255.0

At each remote site, the switches have been configured with vlan5.

Vlan5 is used to connect the phones at the remote sites to CallManager which is located at our Main office.

The Main Office has a 3750 metro with the following configuration

int vlan5

ip address 10.xxx.5.1 255.255.255.0

My questions are:

1. Is it true that the network 10.xxx.5.0 exist only at the remote site and other remote sites will not see it (network stops at the remote sites router)?

2. Is it true that voice traffic from the remote site is routed from the remote site's router to the District office?

3. Is there any kind of security risk with the above configuration?

Giuseppe Larosa · ‎07-30-2012

Hello Dtom,

I guess that second byte in District Office is different than that used at Remote Office.

For your questions

1) each remote office has a Voice Vlan for IP phones with associated an IP subnet that is confined in the remote office. IP communication between these IP subnets is required to be able to place and receive phone calls (the bearer voice stream is directly between IP phones, call manager is consulted only for call setup).

2) yes, routing allows the IP phones to register with Call manager at central site.

3) there might be or not there isn't enough information to comment on this.

Generally speaking, some security improvement can be provided by the adoption of VRF lite or MPLS VPN so that the VOIP IP subnets are kept separated. In alternative IP ACLs can be used so that the Call Manager can be reached only by IP phones subnets and from VOIP gateways. In some setup there is a FW or FW pair protecting the Call Manager cluster.

Hope to help

Giuseppe