VLANs maximize VoIP investments

Deploying separate networks invites a management migraine

Although there may be no such thing as a dumb question, there is a persistently misguided one involving VoIP deployments: Should VoIP be installed on a dedicated network separate from the data network?

It would seem to make sense, but according to Kevin Kryzda, CIO of Martin County, Fla., a separate deployment negates the primary advantages of VoIP. “The physical considerations of deploying separate networks flies in the face of the whole game, which is convergence,” he says.

When Martin County began to consider adding VoIP, back in 2001, Kryzda’s IT staff explored the idea of separating the voice network and its services from the rest of the county’s IT infrastructure but soon abandoned the idea. Because the county uses 100Mbps fiber-optic cable broadband connections to its VoIP sites and keeps the number of desktop computers to a minimum -- fewer than 10 -- on that segment, bandwidth has not been an issue. In some cases, the IT department used dedicated fiber for voice traffic over its Alcatel-supplied IP PBXes for PBX-to-PBX node connections, which also helps keep voice data moving evenly across the network. “Instead of building a separate network, you build a virtual network, or VLAN,” Kryzda says.

Essentially, you want to place your IP PBXes in different VLANs than your other application servers and put them behind a firewall. This separation doesn’t mean you need two different infrastructures, but it does mean using your switches’ 802.1Q capability. By setting up your VoIP network using VLANs with dedicated QoS resources, IT managers can divvy up traffic into data packets, voice packets, and signaling, each handled according to its own priority. In the case of VoIP, the VLAN boundary sits between the desktop and IP phone on one side and the closest IP-enabled access switch on the other.
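The mechanism described above can be seen in the frame format itself. The following Python script is an added example, not code from the article or from any vendor named in it: it builds constructed 802.1Q-tagged IPv4/UDP frames, reads back the VLAN ID, the 802.1p priority (PCP) and the IP DSCP marking, and applies a simple trust-boundary policy at the access switch. The VLAN IDs (10 for data, 20 for voice), the DSCP values (EF = 46 for voice bearer, CS3 = 24 for signaling) and the signaling port list are assumptions chosen to reflect common practice, not values taken from the page.

```python
import struct

# Assumed policy values for this example (not from the article)
DATA_VLAN = 10
VOICE_VLAN = 20
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DSCP_EF = 46            # voice bearer (RTP)
DSCP_CS3 = 24           # call signaling
SIGNALING_PORTS = {5060, 5061, 2000}   # SIP, SIP/TLS, SCCP


def build_tagged_frame(dst_mac, src_mac, vid, pcp, dscp, src_port, dst_port, payload=b""):
    """Construct a minimal 802.1Q-tagged IPv4/UDP frame (constructed sample data)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)          # PCP(3) | DEI(1)=0 | VID(12)
    eth = dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    tos = (dscp & 0x3F) << 2                            # DSCP occupies the top 6 bits
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x0a\x00\x14\x01", b"\x0a\x00\x14\x02")
    return eth + ip + udp


def parse_frame(frame):
    """Extract VLAN tag, DSCP and UDP ports; untagged frames get vid=None."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    off = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0xFFF
        off = 18
    info = {"vid": vid, "pcp": pcp, "dscp": None, "src_port": None, "dst_port": None}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return info
    ihl = (frame[off] & 0x0F) * 4
    info["dscp"] = frame[off + 1] >> 2
    l4 = off + ihl
    if frame[off + 9] == IPPROTO_UDP and len(frame) >= l4 + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def enforce_trust_boundary(info):
    """Return (traffic_class, dscp_out, pcp_out) the access switch should apply.

    Markings are honoured only on the voice VLAN; anything arriving on the data
    VLAN (or untagged) has its priority reset so a host cannot claim voice
    treatment for itself.
    """
    if info["vid"] == VOICE_VLAN:
        if {info["src_port"], info["dst_port"]} & SIGNALING_PORTS:
            return ("signaling", DSCP_CS3, 3)
        if info["dscp"] == DSCP_EF:
            return ("voice", DSCP_EF, 5)
        return ("voice-vlan-other", 0, 0)
    return ("data", 0, 0)


def demo():
    """Classify three constructed frames; returns the list of decisions."""
    phone = bytes.fromhex("001122334455")   # constructed MAC addresses
    pbx = bytes.fromhex("66778899aabb")
    frames = [
        build_tagged_frame(pbx, phone, VOICE_VLAN, 5, DSCP_EF, 16384, 16384, b"rtp"),
        build_tagged_frame(pbx, phone, VOICE_VLAN, 3, DSCP_CS3, 5060, 5060, b"INVITE"),
        # a desktop on the data VLAN asserting EF/PCP 5 for itself
        build_tagged_frame(pbx, phone, DATA_VLAN, 5, DSCP_EF, 40000, 80, b"GET"),
    ]
    return [enforce_trust_boundary(parse_frame(f)) for f in frames]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of `enforce_trust_boundary` is the one the article makes implicitly: a voice VLAN is only as useful as the trust boundary at its edge. The phone port is trusted to mark its own traffic; the data VLAN is not, so a PC that tags its packets EF still lands in the default queue.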

IT staffers at Erlanger Health System went through a planning process similar to Martin County’s and asked the same question. The answer was still no. The organization’s voice services switches are isolated in its computer room -- otherwise, it has maintained a unified environment. Although the VLANs prevail, Erlanger is holding out until the technology can support port-level segmentation, says John Haltom, network director at Erlanger.

“All our IP Phones have pass-through hubs built into them, [and] we felt it was just too much of an administrative issue to maintain separate VLANs for voice and data. … Just too much to keep up with for too little benefit,” Haltom says.

He adds, however, that Erlanger’s use of Nortel’s IP Media Gateway -- part of the company’s IP multimedia server products -- allows him to “extend analog and digital devices out into the edge closets and choose how best to get the traffic back to the core.”

In the future, Nortel’s Secure Network Access end-point security will help the organization segment voice and data, in effect creating VLANs at the port level, each with its own rules and policies, before an end device such as an IP phone can gain access to network resources. This will allow him to be “a traffic enforcer to interrogate packets and, with threat detection, shut off the port if necessary,” Haltom says.

In the end, nobody seems to savor managing two separate networks for voice and data. “That’s the old line of thinking,” says Hank Lambert, director of product marketing for the voice technology group at Cisco Systems.

William Stofega, VoIP research director at IDC, agrees. “There is no point in deploying VoIP if you do it on a separate network. I have talked to a few folks who considered it, primarily due to security concerns, but the idea was quickly dismissed.”


Copyright © 2006 IDG Communications, Inc.