Polycom VLAN Tag Whitepaper
This whitepaper describes the mechanism for using multiple VLANs with Polycom® SoundPoint® IP telephones and several reasons why they might be used.
Security Benefits of using VLANs
By segregating IP phones into their own VLAN(s), security filters can be implemented in the network to block all unnecessary traffic to or from those devices. This helps prevent disruption due to DoS attacks or attempts to compromise the devices. It also allows locking down access to configuration and signaling servers to only allow access from phones.
Using VLANs also allows placing IP phones on the public Internet while the connected PCs remain on a corporate intranet; this can facilitate using IP Centrex-type services from third parties without the complications of NAT between the phones and the Internet. Since phones have a very limited set of ports required for operation, the additional risk of having them exposed to the Internet can be more easily mitigated.
QoS Benefits of using VLANs
Typically, QoS is used to reduce the packet loss, latency, and jitter (variation in latency) that real-time traffic, such as VoIP, experiences in the network. Packets are marked at the source to indicate that they are real-time traffic, and network devices such as routers and switches can be configured to use that marking (or other factors) to determine which packets need special treatment.
Many network administrators are concerned that devices other than phones will try to abuse QoS policies to achieve better performance. Segregating IP phones into a different VLAN allows the administrator to configure their devices to ignore or un-mark packets coming from non-phone VLANs to defeat these attempts. Some administrators find it easier to base the treatment of packets on the source or destination IP address rather than use packet markings; having phones in particular VLANs makes identifying the IP addresses of phones much easier.
Background on 802.1q/p Tagging
The IEEE has defined an optional tag for 802.x networks which can convey additional Layer 2 information. This four-byte tag is inserted between the MAC addresses and Ethertype fields of the Ethernet frame, and the Maximum Transmission Unit (MTU) of a tag-enabled interface is increased by four so that the use of tags does not cause a decrease in the MTU available to Layer 3 protocols (such as IP).
The first two bytes of the tag are statically defined to the Ethertype for tags, so that tagged frames can be distinguished from untagged frames. Twelve bits optionally encode a VLAN number (0-4095), and three bits encode the QoS value (0-7). Each Ethernet link has a “native VLAN” which is assumed for all frames which do not have a tag or which have a VLAN number of 0 in the tag.
General Operation of VLANs
All Polycom SoundPoint IP models support the optional use of 802.1q/p tags, both for VLAN separation and for QoS.
By default, the phone will tag all traffic coming from the phone with a null 802.1q VLAN ID. If a VLAN ID value is configured or learned as described below, it will be inserted into the tag of all packets generated by the phone. A different QoS value may be configured, but this is not recommended.
If a PC is connected to the phone, all packets generated by the PC will be passed through unmodified, regardless of the presence of an 802.1q/p tag or its contents. Since PCs do not typically tag frames, this means they will be on the native VLAN.
Manual Configuration of VLAN ID
In the Polycom SoundPoint IP’s local Network Settings menu, there is a field called “VLAN ID”; this selects the VLAN that the phone should be a member of. It defaults to null, which means that the phone will be on the native VLAN specified in the Ethernet switch.
Because this setting must be known before the phone can obtain an IP address or retrieve its configuration files from its boot server, there is no way to specify the VLAN ID either in those configuration files or via the web configuration interface.
Automatic Configuration of VLAN ID
In the Network Settings menu, there is another field called “CDP”; this controls whether the phone supports the Cisco Discovery Protocol. Among many other things, CDP allows the Ethernet switch to inform an IP phone what VLAN ID it should use without requiring manual configuration of each phone.
If CDP is enabled and a VLAN ID is also manually configured, any value received via CDP will override the manual configuration. If no VLAN ID is received via CDP, the phone will fall back to the configured value, if present, or to the native VLAN.
By default, the phone sends all audio packets with 802.1p tag and IP Precedence values of 5, which is the highest priority level available for user traffic. This can be adjusted via the qos.ethernet.rtp.user_priority and qos.ip.rtp.precedence values in the configuration files. Marking audio packets with DSCP values is currently not supported.
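The tag layout from the Background section (TPID, three priority bits, twelve VLAN bits, native VLAN for untagged or VID 0 frames), the phone's own behaviour described under General and Automatic Configuration (always tagged, null ID by default, CDP overriding the manual setting, priority 5 on audio) and the switch-side un-marking of priority on frames from non-phone VLANs mentioned under QoS Benefits are pulled together in the following Python example. It is added here and is not Polycom code or configuration; the MAC addresses, VLAN numbers and payload are constructed sample values, and the function names are this example's own.

```python
"""Constructed example of 802.1Q/p tag handling around a SoundPoint-style phone.
Not Polycom code; all names, addresses and VLAN numbers are assumed or constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # Ethertype reserved for the 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Tag:
    pcp: int  # 802.1p user priority, 0-7
    vid: int  # VLAN ID, 0-4095; 0 is the "null" ID (priority-tagged only)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tag: Optional[Tag] = None) -> bytes:
    """Assemble an Ethernet frame; a tag, if given, sits between the MACs and the Ethertype."""
    hdr = dst + src
    if tag is not None:
        if not 0 <= tag.pcp <= 7 or not 0 <= tag.vid <= 4095:
            raise ValueError("PCP must be 0-7 and VID 0-4095")
        tci = (tag.pcp << 13) | tag.vid            # bit 12 (DEI/CFI) left clear
        hdr += struct.pack("!HH", TPID_8021Q, tci)  # the tag adds four bytes
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[Tag], int, bytes]:
    """Return (dst, src, tag or None, ethertype, payload). A tag is present only
    when the field at offset 12 holds the 802.1Q Ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, Tag(pcp=tci >> 13, vid=tci & 0x0FFF), etype, frame[18:]


def effective_vlan(tag: Optional[Tag], native_vlan: int) -> int:
    """The switch places untagged frames and frames with VID 0 on the port's native VLAN."""
    if tag is None or tag.vid == 0:
        return native_vlan
    return tag.vid


def phone_vlan_id(cdp_vid: Optional[int], manual_vid: Optional[int]) -> int:
    """A VLAN ID learned via CDP overrides the manual setting; with neither,
    the phone keeps the null ID and therefore lands on the native VLAN."""
    if cdp_vid is not None:
        return cdp_vid
    if manual_vid is not None:
        return manual_vid
    return 0


def phone_rtp_frame(dst: bytes, src: bytes, payload: bytes, cdp_vid: Optional[int] = None,
                    manual_vid: Optional[int] = None, user_priority: int = 5) -> bytes:
    """Audio frame as the phone would emit it: always tagged, default 802.1p priority 5."""
    tag = Tag(pcp=user_priority, vid=phone_vlan_id(cdp_vid, manual_vid))
    return build_frame(dst, src, ETHERTYPE_IPV4, payload, tag)


def ip_precedence_tos(precedence: int = 5) -> int:
    """IPv4 ToS byte carrying an IP Precedence value in its top three bits (5 -> 0xA0)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    return precedence << 5


def unmark_non_phone_frame(frame: bytes, phone_vlans, native_vlan: int) -> bytes:
    """Switch-side policy: clear the 802.1p priority on any tagged frame that did not
    arrive on a phone VLAN, so only phones can claim real-time treatment."""
    dst, src, tag, etype, payload = parse_frame(frame)
    if tag is None or effective_vlan(tag, native_vlan) in phone_vlans:
        return frame
    return build_frame(dst, src, etype, payload, Tag(pcp=0, vid=tag.vid))


# Constructed sample values (locally administered addresses, not from the whitepaper).
PHONE_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")
GW_MAC = bytes.fromhex("020000000003")
SAMPLE_RTP = b"\x80\x00" + b"\x00" * 10     # placeholder RTP-like payload

if __name__ == "__main__":
    f = phone_rtp_frame(GW_MAC, PHONE_MAC, SAMPLE_RTP, cdp_vid=100, manual_vid=200)
    _, _, tag, etype, _ = parse_frame(f)
    print(f"phone frame: VID {tag.vid}, PCP {tag.pcp}, Ethertype {etype:#06x}")
    pc = build_frame(GW_MAC, PC_MAC, ETHERTYPE_IPV4, b"data", Tag(pcp=5, vid=300))
    print("PC frame after policy:", parse_frame(unmark_non_phone_frame(pc, {100}, 1))[2])
```

Running the module shows the phone frame carrying VID 100 (the CDP value wins over the manually configured 200) with priority 5, while a PC frame that tried to mark itself with priority 5 on VLAN 300 leaves the policy function with priority 0. Untagged PC frames are returned unchanged, since they carry no priority to strip and are already on the native VLAN.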
For additional information on how to configure Polycom SoundPoint IP telephones, please see the User Guide for each model and the SIP Administrator’s Guide, both available from Polycom Resource Center.