Do we really need a separate voice VLAN?

simmo
Level 1

I have a theory that having a separate VLAN for voice is not really worth it... a simpler approach would be to have 802.1p prioritisation on your switches, and run a single VLAN for all traffic.

The main argument is that softphones have to run on the data VLAN; therefore, if you are running some voice on the data VLAN, why not run them all?

Another argument is that we run all traffic over the WAN, yet separate them when you get to the LAN...when you have the least chance of quality problems.

Does anyone agree?

14 Replies

bigbhai
Level 1

Hi,

I definitely don't agree with this. The main reason is that if you are having a separate VLAN then you will be getting a different VLAN address, which is helpful for troubleshooting problems. At the same time, by having a different VLAN you will be allocating a different set of IPs on your DHCP for voice as well as data, which helps for your administrative purposes.

Regards

Consultant.

mamoss
Level 3

I also don't agree. There's no technical reason why you can't use the same VLAN, but it's a case of good design practice and personal preference. Some reasons:

1) Reduces impact of broadcasts/multicasts on a large data VLAN hitting the voice systems/phones.

2) Allows the voice VLAN to be firewalled off to prevent DoS/Virus attacks. An approach we are taking more and more these days.

3) As already indicated, allows separate DHCP services. Quite often the data DHCP service is administered by separate staff and they may not take voice stability into account when carrying out server work.

4) Separate VLANs/subinterfaces can assist where needed with other QoS/rate limiting mechanisms either in the LAN or WAN.

5) In some instances, we found the use of separate VLANs allows us to restrict routing preferences for backup data WAN connections (i.e. prevent voice using a low bandwidth backup service by stopping subnet advertisement).

I'm sure there are other advantages also.

I have mixed feelings on this subject. I pretty much agree with the last post, some very good points. However, in most cases you are not going to have any problems if you do run voice and data on the same subnet. Just make sure you have your QoS set up on your LAN (and especially your WAN) and you shouldn't experience any problems unless you have a ton of broadcasts or virus activity. We have 2 different IP Phone setups: one we set up with separate VLANs and one with a single VLAN per location for voice and data. No significant differences in quality are experienced between these 2 setups.

I also was recently at a Cisco IP Telephony CallManager course and the official Cisco book shows that you can set up either a single VLAN or 2 separate ones; both are acceptable.

Some good arguments here....thanks for your response.

Another reason for my side of the argument was that most phones are going to be replaced sooner or later - say 3-5 years - by PDA/Phone devices (ie both voice and data), or softphones with a decent bluetooth or USB handset or wireless IP handsets or something new and better, so I think it may come to pass eventually.

Anyway, thanks for your response and for some decent points that you made.

Can I ask what you believe is the location for the Call Manager server, the Unity or other Voice Mail server and the Voice Gateway?

I did an installation recently where the CCIE put all these devices on the data VLAN, leaving only the physical phones on the voice VLAN. Possibly the CCM would be on the data VLAN as this does signalling only, but surely the Voice Gateway should be on the Voice VLAN?

If you have a combined Router/Voice Gateway, would you run the Ethernet as a trunk interface?

Your worries about the voice gateway are valid only if the communication path between the Voice VLAN and the gateway (in the data VLAN) is too congested and poor-bandwidth links are provided to connect them.

But the majority of networks are implemented with a separate voice gateway for each site.

One of the big advantages I see with a Voice VLAN is that QoS is made simpler. I have been using a huge hectic list of ports and protocols to prioritize those voice packets. With a VVLAN it is a single-line command to prioritise everything from that particular voice subnet.

As one of the previous posts mentioned, management is made a lot easier with a Voice VLAN.

Regards

kondela

We are running our CallManagers at our central site on our main data VLAN without any real issues. We have IP Phones at remote offices in some areas connected via T1 lines and a few local offices connected via gigabit fiber connections. As for the Router/Voice Gateway, we have these set up in a couple of spots; we are using one VLAN in these instances, but if you want more than one, you can set up trunking on your router and set the VLANs there. However, if you have multilayer switches behind the router, I would suggest setting up your switches to do the routing to save having to send packets between the VLANs through your router. If VLAN-to-VLAN communication through the router interface would be minimal, that shouldn't cause you any trouble either.

s.ferreira
Level 1

Running voice on the same network as data has a lot of security implications.

This is part of my point though....

If you're saying Voice has a different/higher set of security requirements, and you need to apply different security to each VLAN, then you need to completely separate traffic from the data VLAN - or at least the audio traffic if not the signalling.

And that implies that you cannot have soft phones, or wireless IP handsets, or Voice Mail servers or Voice Gateways on the data VLAN, as they all carry Voice traffic.

And if you do, you've got to apply the same level of security to both networks, and you're back to square one.

So if you want to have different security or virus protection on each VLAN then it makes sense, but I say why not apply the best security and virus protection to a single VLAN, and put what you like on it?

You're totally correct, security should be taken seriously at all levels, and the data VLANs are no exception. But it does no harm to take that a little further and secure the voice network even further. Even though you may secure the data VLAN, it's very difficult to prevent DoS/virus infections coming in by unauthorised CDs, mobile laptops and the *&^% factor introduced by a large PC user population. Because that's extremely unlikely to happen on the voice devices and servers, why not afford your IPT system some additional protection? It doesn't cost anything to implement the additional VLANs if you have all the necessary software version.

No-one is suggesting your approach is not correct for your environment, but you asked for others opinions.

Thanks for your response, hope I didn't come across as rude...I am glad to get your opinion, and your rogue CD/laptop scenario is certainly a good point, as well as others you have made previously.

In fact all my installations to date have been with dual VLANs, but that was because it's "the recommended way", and I was guessing that the original basis for having a separate VLAN was introduced when quality and prioritisation on the LAN was non-existent. I wanted to find decent arguments as to why this is still the recommended standard... this string of conversations has given me a few to ponder.

The other reason I started this was because at a recent installation (quite small, just 60 phones) we have SRST as a redundancy, but the CCM, Unity and Gateway were all on the Data VLAN, and the two were separated by a single Layer 3 switch (3750), which I felt was another single point of failure that could be eliminated if we had a single VLAN.

I'd be interested to know what is regarded as the most appropriate location for those devices, but it's probably better to start another conversation for that.

My guess is that single VLANs will be the norm in a few years, but still there are very valid and compelling arguments today to keep things separate in most cases.

I am pleased to get the responses......having a full set of arguments is always good in front of customers!

Thanks again....MS.

MS,

See this latest bulletin for a very compelling argument to separate VLANs.

http://www.cisco.com/en/US/partner/products/hw/phones/ps379/products_field_notice09186a0080365a93.shtml

jpwhite3
Level 1

The soft phone point is a good one. It is more difficult to separate that traffic.

@jpwhite3 It is not good practice to answer on a 20-year-old post as that will bring it to the top of the list.

Cisco may want to consider closing comments on old threads. Many communities do so. I simply didn't notice the age of this thread. I am only human.