Tips for Security and Performance
From Trixbox Pro Help
Many customers have concerns about the performance of their data network or are concerned about the potential security of the phones on the corporate LAN. There are a few approaches that Fonality has observed that successfully address these concerns. These approaches are detailed below. Note that all of these solutions involve the separation of computers and phones, physically or logically. trixbox Pro is designed to share your existing network with your computers, but these approaches are sometimes preferred for performance and security reasons.
Using a separate LAN for phones and computers
| Pro | Con |
|---|---|
| Physically isolates phone data from computers at layer 1. | Requires a router/firewall to connect the phone network to the internet |
| Performance of phones and computers is independent. | Requires two network drops per workstation. One for the computer, and one for the phone. |
| Unmanaged switches can be used. These are inexpensive. | Two sets of Ethernet switches are required to maintain full separation of the networks. |
This approach is to simply use two separate LAN networks in your office: one for phones and another for computers.
Using a separate VLAN for phones and computers
| Pro | Con |
|---|---|
| Logically isolates phone data from computers at layer 2. | Requires a router/firewall to connect the phone network to the internet |
| Performance of phones and computers is independent. | Requires two network drops per workstation. One for the computer, and one for the phone. |
| | Requires managed Ethernet switches with VLAN support. |
This approach involves configuration of two VLANs (virtual LANs) in your switch equipment. Typically this functionality is only available in managed switches with VLAN support. Each port on each switch can be set to belong to one VLAN or the other. This allows for logical separation of your ports. The new VLAN may use its own DHCP server, and its own connection to the internet if desired.
Using a Tagged VLAN (802.1Q) for phones and computers
| Pro | Con |
|---|---|
| Logically isolates phone data from computers at layer 2. | Requires a router/firewall to connect the phone network to the internet |
| Performance of phones and computers is separate, depending on QoS support in the LAN switch. | Can be more complex to configure than other options, and requires skilled network administrators to maintain and troubleshoot. |
| Easy to implement 802.1p QoS once 802.1Q is deployed. | Requires managed Ethernet switches with VLAN support. |
This approach involves configuration of two tagged VLANs (virtual LANs) in your switch equipment. Your IP phones must also support VLAN tagging, and be individually configured to belong to the correct VLAN number. This functionality is only available in managed switches with 802.1Q Tagged VLAN support. This allows for logical separation of your IP phones and computers, while still allowing a computer and an IP phone to share the same physical port. The new VLAN should use its own DHCP server, and may use its own connection to the internet if desired.
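To make concrete what the switch is doing in both the port-based VLAN and the tagged VLAN approaches above, here is an added example (not from the trixbox Pro documentation or any Fonality code) that builds and parses 802.1Q-tagged Ethernet frames and mimics a single switch port shared by a phone and a computer. The VLAN numbers (voice 200, data 100), the MAC addresses and the rule that untagged frames land on the data VLAN are constructed assumptions for the example; the page itself does not prescribe them. It shows where the VLAN ID and the 802.1p priority live in the tag, and why a frame tagged with a VLAN the port does not carry is simply dropped.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed VLAN plan for this example; the page does not name specific IDs.
VOICE_VLAN = 200         # the IP phones tag their frames with this VLAN
DATA_VLAN = 100          # the port's untagged (native) VLAN, used by the computers


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: Optional[int]  # 802.1p PCP (0-7), None when untagged
    ethertype: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    # TCI layout: 3 bits PCP (802.1p priority) | 1 bit DEI | 12 bits VID
    tci = (priority << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, the 802.1Q tag that follows it."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, priority, ethertype, raw[offset:])


def classify_ingress(frame: Frame) -> str:
    """Mimic a switch port whose native VLAN is DATA_VLAN and whose voice VLAN is VOICE_VLAN.

    Untagged frames (the computer) land on the data VLAN; frames tagged with the
    voice VLAN (the phone) are accepted on the voice VLAN; anything else is dropped,
    which is what keeps a misconfigured host off the phone VLAN.
    """
    if frame.vlan_id is None:
        return f"data-vlan-{DATA_VLAN}"
    if frame.vlan_id == VOICE_VLAN:
        return f"voice-vlan-{VOICE_VLAN}"
    return "drop"


if __name__ == "__main__":
    broadcast = bytes.fromhex("ffffffffffff")
    phone_mac = bytes.fromhex("001565aabbcc")   # constructed
    pc_mac = bytes.fromhex("3c970e112233")      # constructed
    phone = build_frame(broadcast, phone_mac, b"SIP/RTP", VOICE_VLAN, priority=5)
    pc = build_frame(broadcast, pc_mac, b"HTTP")
    stray = build_frame(broadcast, pc_mac, b"x", vlan_id=300)   # VLAN the port does not carry
    for raw in (phone, pc, stray):
        f = parse_frame(raw)
        print(f"{f.src}  vlan={f.vlan_id}  prio={f.priority}  -> {classify_ingress(f)}")
```

The phone and the computer share one physical port, yet the two frames are kept apart purely by the presence and value of the tag, which is the "logical separation at layer 2" the table refers to; the priority bits in the same tag are what an 802.1p-capable switch reads to queue voice ahead of data.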
Using a different IP subnet for phones and computers
| Pro | Con |
|---|---|
| Logically isolates phone data from computers at layer 3. | Performance of phones and computers is not separated. |
| Only one network drop per workstation is required. | Firewall must be configured with two rule-sets: one for computers and another for phones |
| Existing unmanaged switches can be used. | |
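The table above notes that the subnet approach pushes the separation into the firewall, which then needs two rule-sets. The following added example (not from the trixbox Pro documentation or any Fonality code) is a small first-match policy evaluator that selects a rule-set by source subnet, the way a router/firewall between the two subnets would. The subnets, the SIP/RTP port numbers and the permitted services are constructed assumptions for illustration; the page does not specify them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed addressing plan; the page does not specify subnets or ports.
PHONE_SUBNET = ipaddress.ip_network("192.168.20.0/24")
PC_SUBNET = ipaddress.ip_network("192.168.10.0/24")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst: ipaddress.IPv4Network       # destination network the rule matches
    proto: str                       # "tcp", "udp" or "any"
    ports: range                     # destination ports the rule matches
    note: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address, proto: str, port: int) -> bool:
        return (dst_ip in self.dst
                and self.proto in ("any", proto)
                and port in self.ports)


# Rule-set 1: the phone subnet. Phones may signal and carry media to the PBX and
# the internet, but never to the workstation subnet. Port numbers are assumed.
PHONE_RULES: Sequence[Rule] = (
    Rule("deny", PC_SUBNET, "any", ANY_PORT, "phones never reach workstations"),
    Rule("allow", ANY_NET, "udp", range(5060, 5061), "SIP signalling (assumed port 5060)"),
    Rule("allow", ANY_NET, "udp", range(10000, 20001), "RTP media (assumed port range)"),
)

# Rule-set 2: the computer subnet. Workstations get web and DNS, and are kept
# off the phone subnet so a compromised PC cannot probe the handsets.
PC_RULES: Sequence[Rule] = (
    Rule("deny", PHONE_SUBNET, "any", ANY_PORT, "workstations never reach phones"),
    Rule("allow", ANY_NET, "tcp", range(80, 81), "HTTP"),
    Rule("allow", ANY_NET, "tcp", range(443, 444), "HTTPS"),
    Rule("allow", ANY_NET, "udp", range(53, 54), "DNS"),
)


def ruleset_for(src_ip: ipaddress.IPv4Address) -> Optional[Sequence[Rule]]:
    """Pick the rule-set from the source subnet: this is the layer-3 separation."""
    if src_ip in PHONE_SUBNET:
        return PHONE_RULES
    if src_ip in PC_SUBNET:
        return PC_RULES
    return None


def decide(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow, first matching rule wins, default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = ruleset_for(src_ip)
    if rules is None:
        return "deny", "source not in a known subnet"
    for rule in rules:
        if rule.matches(dst_ip, proto, port):
            return rule.action, rule.note
    return "deny", "implicit default deny"


if __name__ == "__main__":
    # Constructed sample flows: a phone, a workstation, and an address from neither subnet.
    flows = [
        ("192.168.20.15", "203.0.113.10", "udp", 5060),   # phone -> provider SIP
        ("192.168.20.15", "192.168.10.20", "udp", 5060),  # phone -> workstation
        ("192.168.10.20", "192.168.20.15", "tcp", 80),    # workstation -> phone web UI
        ("192.168.10.20", "203.0.113.10", "tcp", 443),    # workstation -> internet HTTPS
        ("192.168.10.20", "203.0.113.10", "tcp", 25),     # workstation -> SMTP, not listed
        ("172.16.0.1", "203.0.113.10", "tcp", 443),       # unknown source subnet
    ]
    for src, dst, proto, port in flows:
        action, reason = decide(src, dst, proto, port)
        print(f"{src:>14} -> {dst}:{port}/{proto:<3}  {action:<5} ({reason})")
```

Because the phones and computers still share the same switches, this policy governs only traffic that crosses the router; hosts on the same subnet talk to each other directly, which is why the table lists "performance is not separated" as a drawback of this option.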
Once you decide what configuration is best for you, keep in mind that trixbox Pro requires internet access in order to allow configuration of the system from the web, and to allow remote telecommuter configurations. If you want to use a different internet connection for your computers and your phones, please see Configuring two Internet Providers.
