White Paper
Stephen Sprunk,
Channel Systems
Engineer
October 2004
VLANs and Polycom® SoundPoint® IP
Desktop IP Telephones
1
Purpose
This whitepaper describes the mechanism for using multiple VLANs with Polycom® SoundPoint® IP
telephones as well as several cases for why they might be used.
Security Benefits of using VLANs
By segregating IP phones into their own VLAN(s), security filters can be implemented in the network
to block all unnecessary traffic to or from those devices. This helps prevent disruption due to DoS
attacks or attempts to compromise the devices. It also allows locking down access to configuration
and signaling servers to only allow access from phones.
Using VLANs also allows placing IP phones on the public Internet while the connected PCs remain on
a corporate intranet; this can facilitate using IP Centrex-type services from third parties without the
complications of NAT between the phones and the Internet. Since phones have a very limited set of
ports required for operation, the additional risk of having them exposed to the Internet can be more
easily mitigated.
QoS Benefits of using VLANs
Typically, QoS is used to reduce the packet loss, latency, and jitter (variation in latency) that realtime traffic, such as VoIP, experiences in the network. Packets are marked at the source to indicate
that they are real-time traffic, and network devices such as routers and switches can be configured
to use that marking (or other factors) to determine which packets need special treatment.
Many network administrators are concerned that devices other than phones will try to abuse QoS
policies to achieve better performance. Segregating IP phones into a different VLAN allows the
administrator to configure their devices to ignore or un-mark packets coming from non-phone VLANs
to defeat these attempts. Some administrators find it easier to base the treatment of packets on the
source or destination IP address rather than use packet markings; having phones in particular VLANs
makes identifying the IP addresses of phones much easier.
Background on 802.1q/p Tagging
The IEEE has defined an optional tag for 802.x networks which can convey additional Layer 2
information. This four-byte tag is inserted between the MAC addresses and Ethertype fields of the
Ethernet frame, and the Maximum Transmission Unit (MTU) of a tag-enabled interface is increased
by four so that the use of tags does not cause a decrease in the MTU available to Layer 3 protocols
(such as IP).
2