    dave247
    • Topics 89
    • Posts 974

    Posts
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      Yeah, I agree with this. This is all I've really wanted to express. Nobody is maliciously corrupt here, but not everyone is the best at their jobs here either.

      Not an option. Either your CIO is competent and corrupt, or incompetent and would welcome your exposure of the problem.

      So which is it... are you comfortable telling the CIO and CEO about the situation because they honestly want to do what is right, or do you have ANY fear that they will punish you to silence the exposure of what they plan to do?

      You can't have it both ways.

      ok. I could make a big stink about this, claiming that Cisco and the Cisco partner are just taking our money when we could be getting something for a lot cheaper, and it would probably work and I could probably convince them to not go with Cisco at all and instead let me find something that would be cheaper. But then, I would be responsible for finding that product and implementing it myself (I assume), such as FreePBX, which I know nothing about. I don't know anything about phone systems and I don't want to get myself into a mess and have my boss say, "see we should have gone with Cisco and had them set it up the right way" or something.

      Now I'm sure this will devolve into a discussion about how I'm not fit for my job then and all that, etc... fizzles out

      EDIT: side note, we did go down this road with Sh---Tel voip and C------Link ISP where the ISP was responsible for installing the voip but really sucked at it so we pulled out of our contract due to my efforts at showing how they were doing a bad job, etc. So my say does count, but I don't want to make another bad case about Cisco and avoid going with them -- a setup that we know we can get installed correctly and supported well, vs going with some exotic and obscure cheaper voip solution..

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dashrender said in VLAN confusion:

      Because of the lack of knowing their job and these other mentioned things - they don't see themselves as unethical. This is the cornerstone to why I don't see them as corrupt. So to you, they are corrupt because they don't even realize they are corrupt, because they don't understand their role.

      People steal music, pirate movies, use Windows without a license... and don't consider themselves unethical. People make all kinds of excuses for their own behaviour because everyone believes that they are ethical and have a good reason for breaching everyone else's ethical beliefs. Rioters, looters, common thieves almost always feel that "they are good people" with a good reason for what they do.

      Are you an angel or something? LOL. No but seriously, I do get what you are saying and I totally see your points.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @dashrender said in VLAN confusion:

      I guess it boils down to an understanding of one's job and the actual understanding of adulting and buyer's agents vs seller's agents.

      I'm guessing most people, including most IT people (or whomever is making the decisions in general) don't adult.

      Because of the lack of knowing their job and these other mentioned things - they don't see themselves as unethical. This is the cornerstone to why I don't see them as corrupt. So to you, they are corrupt because they don't even realize they are corrupt, because they don't understand their role.

      Yeah, I agree with this. This is all I've really wanted to express. Nobody is maliciously corrupt here, but not everyone is the best at their jobs here either.

      It's a trade off too. We are probably going to get ripped off in some way or another, and we've got to all try to do our best to stay educated and informed so we can ward off the saleswolves.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dave247 Sounds like your company has made a decision already.

      The CIO has failed at one of the most basic life skills...

      "Never take advice from a sales person."

      Yes, I am aware of this sigh but I can only do so much. I don't want to get into the details of my work dynamic with my boss and all that, and long story short, I have to do what he says as I am the only sysadmin/low man on the totem pole.

      In a healthy company, that statement should get you in trouble - because knowing that you have a security / ethics breach and a rogue actor putting the company at risk should be something that the company doesn't just allow you to expose, but requires you to expose. Does the CEO really not want to know that he has a CIO abusing the company for personal reasons?

      It's comments like this that make this hard to accept. It's not that it's not possible - but how do you know his CIO is abusing the company for personal reasons? It's every bit more likely that he's simply failing at his job of researching good solutions - and that no reasons other than laziness are really involved here.

      Yes, this. I 100% believe this is a far more accurate description of what's going on vs corrupt employees "on the take".

      Scott considers the act of not protecting a company from sales personnel to be on the take/corrupt.

      Let's pretend that the CIO is the company's bodyguard. He's paid to protect the company, to watch for danger, to take a bullet if necessary. That's his job.

      Now as a bodyguard an assassin comes along and says "I'll buy you lunch if you leave your guard down. Just come sit at this table instead of actively protecting your target." If he takes that lunch, and still gets paid to be the bodyguard but intentionally looks away, that's corrupt. He's getting "favours" or more, in order to "look the other way".

      Even worse, it sounds like the CIO likely sought out the assassins in this case. Invited them to make him an offer.

      If you put it into a non-technical context - once someone is getting personal benefits (pay, less work, kick backs, free lunches, personal security, recommendations for the next job) in order to let down their guard and not protect something that they are paid to protect... that's the corruption.

      More like, the bodyguard has eaten way too many sandwiches over the years and he has become overweight, slow and lethargic, and is now increasingly more unable to quickly get in front of all the bullets that are headed towards the CEO.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dave247 Sounds like your company has made a decision already.

      The CIO has failed at one of the most basic life skills...

      "Never take advice from a sales person."

      Yes, I am aware of this sigh but I can only do so much. I don't want to get into the details of my work dynamic with my boss and all that, and long story short, I have to do what he says as I am the only sysadmin/low man on the totem pole.

      In a healthy company, that statement should get you in trouble - because knowing that you have a security / ethics breach and a rogue actor putting the company at risk should be something that the company doesn't just allow you to expose, but requires you to expose. Does the CEO really not want to know that he has a CIO abusing the company for personal reasons?

      It's comments like this that make this hard to accept. It's not that it's not possible - but how do you know his CIO is abusing the company for personal reasons? It's every bit more likely that he's simply failing at his job of researching good solutions - and that no reasons other than laziness are really involved here.

      Yes, this. I 100% believe this is a far more accurate description of what's going on vs corrupt employees "on the take".

      Scott considers the act of not protecting a company from sales personnel to be on the take/corrupt.

      I think to not feel this way requires an extreme degree of "flexible ethics." If I pay someone to make good decisions and protect my business, and then that person takes that money and turns around and does exactly the thing that they've been paid not to do and even uses their influence to enable it, that's completely corrupt and unethical. Completely. The entire basis for the job is a lie, and the actions taken aren't just to fail to do the job that he is paid to do, but to act completely contrary to the job and actively act as the enemy of the business. He's paid to work for the business, but acts literally against it.

      Please explain where the grey area is here that allows this to be a "Scott sees it" way. How does Dashrender see it another way?

      I think, to put it simply, if someone is doing their job in an honest and sincere way to the best of their ability, yet still sucks at some or all aspects of their job, then that means that person is just guilty of being bad at their job, not that they are corrupt or on the take.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @dashrender said in VLAN confusion:

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dave247 Sounds like your company has made a decision already.

      The CIO has failed at one of the most basic life skills...

      "Never take advice from a sales person."

      Yes, I am aware of this sigh but I can only do so much. I don't want to get into the details of my work dynamic with my boss and all that, and long story short, I have to do what he says as I am the only sysadmin/low man on the totem pole.

      In a healthy company, that statement should get you in trouble - because knowing that you have a security / ethics breach and a rogue actor putting the company at risk should be something that the company doesn't just allow you to expose, but requires you to expose. Does the CEO really not want to know that he has a CIO abusing the company for personal reasons?

      It's comments like this that make this hard to accept. It's not that it's not possible - but how do you know his CIO is abusing the company for personal reasons? It's every bit more likely that he's simply failing at his job of researching good solutions - and that no reasons other than laziness are really involved here.

      Yes, this. I 100% believe this is a far more accurate description of what's going on vs corrupt employees "on the take".

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      I know you might then reply with the question of why he's a CIO at all.. he is mainly involved with high level policy and procedure for several of our departments and helps ensure that we meet regulation and pass audits, and he has very good business acumen, but as I said, he's a bit behind in the world of IT these days, regarding the technical/hands-on stuff.

      That's fine to say. But the issue we have here is that he is failing at business acumen. That is the sole issue. His technical competence was never mentioned. That he needs help technically is clear. But what you are missing is that we are only discussing his business competence or ethics, and that is the failing.

      If you believe he's a skilled businessman, that tells us that you then must believe that he is a crook. Because this is insanely basic business stuff that he's doing wrong in the standard, unethical way that someone on the take does.

      Strange how all my posts with you end up at this point. LMAO. Look, a lot of what you are saying is probably true to some extent, but I really don't want to get fired from my first IT gig by trying to prove that my boss is not qualified/on the take/doing things wrong for the business/etc. He and my company owners are good friends so I'm not going to get anywhere by running to the CEO (Our company hierarchy is pretty flat by the way). My company owners and my boss are genuinely good people, and I do get the impression that we get taken advantage of by sales people a lot, but I have a hard time trying to convince my boss of things sometimes due to his lack of IT-knowledge.

      I don't know.. I didn't mean for this to devolve into another discussion about the dysfunction of my company.. but that's the thread I pulled again I guess.

      I'll do what I can to see about keeping our phones and computers on the same LAN and try not to get RAPED by Cisco sales associates...

      in the meantime, are there any good voice solution alternatives that you guys could provide? Part of our requirement for our phones is that we may not want to have it cloud-hosted due to the fact that our internet connection goes down every so often during business hours. YES I get that this is another problem that should be resolved vs applying a bandaid, but we live out in the country and have limited ISP options (Spec---m and Centu---ink).

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dave247 Sounds like your company has made a decision already.

      The CIO has failed at one of the most basic life skills...

      "Never take advice from a sales person."

      Yes, he has failed at adulting or, far more likely being that he has made it to CIO level, at ethics. The most likely scenario is that there are direct kickbacks going on.

      Yes, I've heard a lot of this from you through previous posts on the S****works forums and I hear where you are coming from and get that you probably have a lot of reasons to make that assumption. People are insanely corrupt. That being said, from my impression of everyone that I work with at my company (which is a local family owned business, not a corporation) is that everyone here is pretty nice and trusting. So I think if there is any failure on the part of my CIO, it's that he's not very knowledgeable with the current IT industry and he's very trusting in people. I know you might then reply with the question of why he's a CIO at all.. he is mainly involved with high level policy and procedure for several of our departments and helps ensure that we meet regulation and pass audits, and he has very good business acumen, but as I said, he's a bit behind in the world of IT these days, regarding the technical/hands-on stuff.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      They've mentioned setting up a VLAN for the phone system and setting up a voice router for it.

      Of course he has, your CIO decided on this path when he brought in a Cisco networking salesman to screw the company. That decision was made ahead of time. Cisco uses their phones as a leader to get companies to buy inappropriate networking equipment. This is a completely "by the book" unscrupulous sales tactic for VoIP sales people.

      Well we are probably going to go with them and I might not have much of a say... so it's going to be difficult for me to try to pressure these people to install a system in a way different than how they usually do it. Is there any material I can reference to "prove" that VLANs are not needed and that voice and data are fine on the same network? Actually, now that I think of it, our current voice and data are on the same network and we have no issues.

      Also, regarding QoS, didn't you mention something about having the QoS set up on the VoIP RTP service rather than the voice VLAN?

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      Also, my CIO is adamant about keeping the voice traffic segregated for "security reasons" as it will satisfy an item on one of our various IT audits (we are a financial institution that has a lot of audits).

      That's fine IF he can prove that the audit is legit (normally they are fake) and find some regulation that the auditor is following. I'm not aware of any here, so he'd need to produce this. This sounds like collusion to me. If this was an actual security concern, VLANs aren't an option, you have to encrypt the voice traffic. If someone is suggesting a VLAN to meet this audit requirement, something inappropriate is going on. No regulation makes you put in VLANs.

      Good point. I will ask for the specific audit request on this and find out more.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @coliver said in VLAN confusion:

      @dave247 Sounds like your company has made a decision already.

      The CIO has failed at one of the most basic life skills...

      "Never take advice from a sales person."

      Yes, I am aware of this sigh but I can only do so much. I don't want to get into the details of my work dynamic with my boss and all that, and long story-short, I have to do what he says as I am the only sysadmin/low man on the totem pole.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @coliver said in VLAN confusion:

      In Powershell I think it would look something like this.

      # Target the server's LAN adapter (the alias is a placeholder); the address stays, only the mask widens to /22
      Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet" | Set-NetIPAddress -PrefixLength 22

      Of course you'd need to wrap it in a foreach script that goes over the list of your servers. I'll work on it a bit later today and see what I can come up with.

      oh nice.. I haven't done a lot of scripting yet but I've been meaning to learn powershell. I did a bit back in college and a few times at my current job but I really should get cracking on it. I know scripting is essential as a sysadmin...

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      What if that range hypothetically got filled up? Would that be too much traffic?

      Networks (subnets in the 1990s terminology) aren't affected by traffic. That's not a thing. If you had "too much traffic" you'd be impacted with VLANs before you were impacted without them because VLANs add extra overhead and bottlenecks. You never segment switched networks due to traffic load, that was a bus-based networking problem when all traffic traveled on a single bus for the entire network. If the bus filled up, the network would slow down.

      The thing you are worried about here is saturating your switch backplane, if you do that, VLANs will hurt, not help. And you need bigger, faster switches. It's not related to your address schema.

      Ok, I hear you Scott. You make sense and I'm on-board with this thinking. I think I would be up for increasing our IP range at my company to facilitate more addresses.

      On another related subject: my company is in the process of finding another phone system (I actually talked with you on the phone about this, remember?). My CIO wants to go with a Cisco VoIP system and we are going through an IT business management/consultant company for this, as they are re-sellers and are going to do the install for/with us. They've mentioned setting up a VLAN for the phone system and setting up a voice router for it. Also, my CIO is adamant about keeping the voice traffic segregated for "security reasons" as it will satisfy an item on one of our various IT audits (we are a financial institution that has a lot of audits).

      How can I convince my boss and Cisco that we can keep the phones and the computers/servers on the same network and VLAN? I may end up just having to follow orders and let my company "waste" a lot of money on this stuff, but I would be willing to make the case for a smarter setup.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @jaredbusch said in VLAN confusion:

      Expanding your subnet is simple.

      You change your router first.
      Then you change your DHCP scope to hand out the /22
      But you also add a block in the DHCP assignment to not give out addresses in the new section.
      Then you change your few static devices (if you do not have only a few static systems, you have other issues).
      Once your static devices are changed, you remove the block in your DHCP assignment.
      Process complete.

      Well I have about 35 or so servers and appliances that have static addresses. It will be a bit of a pain to manually go through and update all the network settings, but I'd do it. Good thing is that I just changed all of our workstations back to DHCP as the previous sysadmin had put EVERYTHING on static as a band-aid fix for DHCP issues he couldn't solve.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      Well, actually, here's one thing I just thought of. We currently have a /23 network where I work, and our current phone system exists on the same network as our computers and servers. We have a lot of addresses taken up by phones right now, so it would be nice to have the phones on their own separate subnet, ......

      No, it would not. You identified the mistake, but made a bad leap in how to fix it. Let's read that again...

      1. We have a /23 network.
      2. The /23 is too small for our needs.
      3. We should....

      Logically the answer is "make a network of the right size for our needs." But instead, you jumped to subnetting.

      Yes, I have considered widening our network, but then I would have to make so many changes to devices and I wanted to avoid that. Plus, wouldn't making a /22 subnet be over-kill? This is where I don't have real-world knowledge and experience yet. Is it ok to have a company LAN with a huge address range? What if that range hypothetically got filled up? Would that be too much traffic? 1020 computers, servers, printers, and other devices all on the same subnet not a possible congestion issue?

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @coliver said in VLAN confusion:

      @dashrender said in VLAN confusion:

      As for your Lab network, you have choices, you can create a completely separate VLAN that only has access to itself and the internet via the sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

      He could setup an ACL that only allows the Lab VLAN to contact the internet, and his workstation. What kind of lab is this going to be though? You could easily do this virtually on a desktop with Hyper-v or KVM.

      I have a couple extra servers that I want to set up a Hyper-V lab environment with. That server's in the server room and so I wanted to just have it sitting on its own VLAN with access to the internet and my workstation only. I could use my local workstation, but what's the fun in that when I have big fat juicy servers I can use?

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @dashrender said in VLAN confusion:

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

      That would make VLANing crazy in that instance. If you want the networks to be able to talk, what's the purpose of the VLAN? Phones, specifically, are a really bad place to normally have VLANs.

      The idea of VLANing phones comes from a misunderstanding of tech at worst and old days of hubs at best. As long as a switch port isn't at 100% utilization, the QoS rules don't apply - the switch will just keep everything moving. If you have 100% utilization, you probably have other issues you need to resolve before you worry about QoS for phone calls, but phones would definitely feel this pinch faster than other things.

      Well, actually, here's one thing I just thought of. We currently have a /23 network where I work, and our current phone system exists on the same network as our computers and servers. We have a lot of addresses taken up by phones right now, so it would be nice to have the phones on their own separate subnet, and my current understanding is that I would want a separate VLAN to use with that separate subnet. Also, in freeing up IP addresses on our company LAN, I've given myself more IP space for my failover DHCP server should I ever need it.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @jaredbusch said in VLAN confusion:

      Your router should be the only point that connects traffic from one VLAN to another.

      At a very basic level:

      You will want to have rules in your router's firewall that allow new/established/related connections from the company LAN to the Lab LAN. But from the Lab LAN to the company LAN it should only allow established.

      This will allow you to connect in and have the Lab thing respond but the Lab thing cannot initiate a connection to the company LAN.

      OOOOH yeah.. ok that seems obvious now. I can just allow myself access to that network through my Sonicwall via the firewall rules..

      posted in IT Discussion
      dave247
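      The two rules Jared describes, as an added toy stateful filter in Python. This is not SonicWall configuration and not code from the thread; the company LAN, the lab VLAN, the workstation address and the packet trace are constructed, and "related" traffic (ICMP errors, helper-tracked protocols) is left out to keep the state logic visible. It also shows the narrower variant from the thread, where only the admin workstation, rather than the whole company LAN, may open connections into the lab.

```python
"""Toy stateful filter between a company LAN and a lab VLAN.

Added example with constructed addresses; models the new/established logic of a
router firewall, not any vendor's rule syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones for the example
COMPANY_LAN = ip_network("10.0.0.0/22")
LAB_LAN = ip_network("10.0.8.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a TCP connection attempt (SYN without ACK)


class StatefulFilter:
    """The router/firewall that is the only path between the two VLANs."""

    def __init__(self, lab_initiators=None):
        # Who may open connections INTO the lab; defaults to the whole company LAN
        self.lab_initiators = [ip_network(n) for n in (lab_initiators or [str(COMPANY_LAN)])]
        self.conntrack = set()  # flows accepted as NEW, keyed by the initiating direction

    @staticmethod
    def zone(ip: str) -> str:
        addr = ip_address(ip)
        if addr in COMPANY_LAN:
            return "company"
        if addr in LAB_LAN:
            return "lab"
        return "internet"

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        # ESTABLISHED: part of a flow already accepted, in either direction.
        # This is what lets the lab box answer without being able to initiate.
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT established"
        if not p.syn:
            # Not a connection attempt and no matching state: a stray or forged "reply"
            return "DROP no-state"
        src, dst = self.zone(p.src), self.zone(p.dst)
        if dst == "lab" and src == "company" and any(ip_address(p.src) in n for n in self.lab_initiators):
            self.conntrack.add(fwd)
            return "ACCEPT new"
        if src == "lab" and dst == "internet":
            self.conntrack.add(fwd)
            return "ACCEPT new"
        return "DROP policy"  # includes every lab -> company connection attempt


def run_trace(fw: StatefulFilter, trace) -> list:
    """Feed a packet sequence through the filter and return the decision per packet."""
    return [fw.decide(p) for p in trace]


# Constructed packet trace; 203.0.113.10 is a documentation address standing in for the internet
TRACE = [
    Packet("10.0.1.20", "10.0.8.5", 50000, 3389, True),    # workstation opens RDP to a lab host
    Packet("10.0.8.5", "10.0.1.20", 3389, 50000, False),   # lab host answers: established
    Packet("10.0.8.5", "10.0.1.30", 44444, 445, True),     # lab host tries a file server: new, lab -> company
    Packet("10.0.8.5", "10.0.1.30", 44444, 445, False),    # fake "reply" with no matching state
    Packet("10.0.8.5", "203.0.113.10", 50001, 443, True),  # lab host to the internet: allowed
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(StatefulFilter(), TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} syn={pkt.syn}: {verdict}")
```

      Passing `lab_initiators=["10.0.1.20/32"]` restricts the "new" rule to the one workstation, which is the "internet and my workstation only" setup from the thread; every other company host then gets "DROP policy" on its first packet and never creates state.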
    • RE: VLAN confusion

      @dashrender said in VLAN confusion:

      VLANs in most cases aren't needed unless you have a security reason to do so, and must share hardware over these networks, i.e. one set of APs but two wifi networks - corporate and guest.
      Switches perform their job which can easily allow thousands of devices to be on a single flat IP network without the need to break them down into smaller and smaller segments. So if you don't have a security related reason to keep them separate, then your life will be much simpler if you just have a /23 or /22 network instead of the typical /24 (limited to 256 devices).

      Onto your current setup:
      From the sounds of it, your Sonicwall is doing the routing between your VLANs at this point, assuming cross VLAN traffic is happening.

      You mentioned that you made a VLAN for wifi - then you talk about a guest and corporate wifi - Does this mean your corporate wifi is on the default VLAN and the guest is exclusively on the new VLAN? What provides DHCP to the guest network? What provides DNS to the guest network?

      As for your Lab network, you have choices, you can create a completely separate VLAN that only has access to itself and the internet via the sonicwall, or you can enable ACLs that allow the two networks to talk to each other and the Sonicwall will route information between the two.

      Ah, I'm an idiot. My brain sucks at recalling information.

      So I set up two VLANs: one for corporate wifi and one for guest wifi. Then Sonicwall handles the routing and DHCP for each network, plus the firewall functionality. DNS to corp is our DC and I just used google's DNS for the guest wifi. Guest wifi doesn't touch our internal systems at all.

      posted in IT Discussion
      dave247
    • VLAN confusion

      Hi guys. I'm hoping someone can help me more fully understand VLAN use and implementation in its entirety.

      Let me start off by saying that I am currently a (green) sysadmin with about two years experience, not so much on the networking aspect yet. I do however understand most networking basics like the OSI model, routing and switching, subnetting and so forth, though I'm a bit rusty.

      I have actually already configured one VLAN for my company's wifi. I set up all our switches with a number of access ports for each wifi AP to be connected and then added trunk ports for that VLAN so that all our APs can reach back to our Sonicwall appliance where they are managed. Then I used the Sonicwall firewall settings to create separate corporate and guest wifi. This all makes sense to me, but it's Sonicwall, so it's not really the "traditional" way VLANs would be set up and managed, etc.

      I guess my confusion with VLANs comes when trying to visualize how two different networks on two different VLANs need to communicate. I mean, I get that a VLAN is logically the same as having two separate switches and if there are devices on two different networks trying to communicate, then routing is necessary. And yes, I've heard of "router on a stick".

      Like in a case where I have a VoIP setup, with phones on one VLAN and computers on another. The computers and VoIP systems should normally never need to communicate with each other (I assume) unless there is like some VoIP related application installed on a user's workstation. In that case, I assume that at some point, data is crossing over between the two networks, through the two VLANs.

      Also, my main reason for asking this: I am trying to set up a LAB network that will reside on its own VLAN, completely separate from my company's production systems. But if it's 100% segregated, then I'm not going to be able to access it from my work pc, so I'll have to set up a separate computer that is connected to the lab VLAN. That is, unless I implement some kind of ACL..

      Anyway, if someone could give me a bit of clarity or direction on this, I would appreciate it.

      posted in IT Discussion
      dave247