Sunday Jul 17, 2022

Signs of insufficient networking knowledge

Scenario 1

Phone VLAN on a switch and cross connected into a Firebox with desk phones, PCs, and printers in the environment

Questions we actually got:

On Monday we sent over the list of which switch ports are for printers, which are for PCs, and which are for desk phones. The technician says that two of the three phones are not working. We use our awesome switches to find out exactly where those other phones were plugged in: the phones were plugged into the wrong switch ports. Move the desk phones to the right ports, and the phones work.

Then later, the technician runs a test for the VOIP service from a PC on the PC VLAN, not from a device connected to the phone VLAN. Naturally, the test for the VOIP service fails. Security zone profiles exist for a reason. It is not acceptable to have an allow-everything network security posture. The configuration needed to support desk phones is completely different from what is required to support domain-joined Windows computer assets.


Some ITSPs have to pay for expensive add-ons like Auvik to try to compensate for the fact that they have inadequate switching equipment with inadequate design, and a sprawl that they have to inventory and keep track of. TCO comes from how much time it takes to maintain, manage, troubleshoot, and handle adds/moves/deletes/upgrades. If I have to physically go to a site to chase some cabling, something is really wrong.

The technician in this scenario also could not believe we wanted two network cables between the switch and the core router. They are not the only one. I encountered the same lack of understanding in another client's IT director earlier in the year. If you don't know why you would have two network cables between a switch and a core router, go figure that out.

Scenario 2

Phone system with desk phones. Each desk phone has its own network cable, which is good. The phone subnet should be a separate VLAN, but the ITSP chose to separate the phones using physically separate switching equipment. That is something I would never do.

Commentary provided by ITSP:

I don’t like VLANs. I would rather set up a network with physical segmentation. Results in:

  • Loss of visibility
  • Loss of network resiliency
  • More expensive because you have more switches to babysit and troubleshoot
  • If you have 20 or 40 VLANs, does that mean you are going to have 20 or 40 physical switches?
  • If you don’t have 20 VLANs, then what network security do you really have?
  • How do you present virtual servers on the proper microsegmented security zone when you cannot transmit tagged packets?

Let’s just talk minimum VLANs that we typically see here:

  • SwitchOOBM
  • ServerOOBM
  • SwitchMgmt
  • WAPMgmt
  • Phone
  • Surveillance
  • CorpWired
  • CorpWireless
  • GuestWireless
  • HVAC
  • ElecMon
  • Chromebooks
  • CaptivePortal
  • Tier0
  • DCs
  • AppGroup1
  • AppGroup2
  • DeprecatedApps
  • Printer
  • Storage
  • IAM
  • RMM

Clearly anything over two becomes ridiculous to do with physically separate switch equipment. The days of that paradigm are long gone, since cybersecurity compliance now requires microsegmentation. Network security strategies and technical controls are some of the most effective primary and compensating controls for the cybersecurity posture of all protected assets, regardless of type.
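As an added example (not from the original post or from QPC Security), here is a Cisco IOS-style switch configuration, assumed for illustration, that puts both scenarios on one switch: separate untagged ports for phones, PCs and printers as in scenario 1, every VLAN carried as tagged traffic over a single trunk to the Firebox so each VLAN lands in its own security zone, and the two uplink cables bundled with LACP. VLAN numbers, names, port ranges and the platform are all assumptions; since each desk phone has its own cable (scenario 2), no voice-VLAN pass-through to a PC behind the phone is needed.

```text
! Constructed example: VLAN numbers, names and port assignments are assumed.
vlan 10
 name CorpWired
vlan 20
 name Phone
vlan 30
 name Printer
vlan 999
 name UnusedNative
!
! Desk phone ports: untagged on the Phone VLAN only. A phone on a PC port lands
! on VLAN 10, where the firewall zone policy is not built for VOIP, so it fails.
interface range GigabitEthernet1/0/1 - 12
 description Desk phones
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Dedicated PC ports: untagged on the CorpWired VLAN only.
interface range GigabitEthernet1/0/13 - 20
 description Corporate PCs
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Printer ports: untagged on the Printer VLAN only.
interface range GigabitEthernet1/0/21 - 24
 description Printers
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Two physical uplinks bundled with LACP: one 802.1Q trunk carries every VLAN,
! tagged, to the Firebox / core router, where each VLAN is its own security zone,
! and one failed cable or port does not take the whole site down.
interface Port-channel1
 description LACP bundle to Firebox / core router
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface range GigabitEthernet1/0/47 - 48
 description Physical uplinks, members of Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
```

The unused native VLAN on the trunk keeps untagged frames from silently landing in a production VLAN; the per-VLAN policy itself lives on the Firebox, not the switch.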

Copyright QPC Security All rights reserved.