Can I setup a VLAN passthrough for a VLAN that isn't recognized on my equipment?

thecomputerguy

My client has a separate network for their phones on a separate internet circuit. The phone people have their phones connected to their own gateway with a PoE switch. I believe all this equipment is EdgeRouter stuff, and that EdgeRouter stuff is connected to our network. I'm not even sure why they set it up that way: it has its own internet connection and all the phones are connected to their equipment, so why it needs to also be on our network I have no idea.

I recently swapped out their residential junk ASUS router (VLAN never configured, or not supported) (RT-AC68U) for a full Ubiquiti setup including a UDM Pro and Ubiquiti switches. As of that happening the phone people are saying that the phones are not communicating properly because their equipment is not being passed through properly on our equipment and phone service is degraded. He sent me this email:

We tried to do a completely separate voice and data Network with separate voice and data routers and circuits. However, with the issue that happened with the flooding, the moving around of things, and the expanding into the new suite 10, The Voice circuit is not properly being utilized because the VLAN tag is not passing through your equipment. So we were hoping you could allow VLAN at 30 to pass through your switch?

I emailed him back and I said, I don't understand how you expect my equipment to recognize your VLAN when the VLAN was never created on my equipment. In fact everything worked fine (apparently) using the junky ASUS router and stopped working when I swapped it. I would have known if anything VLAN was set up in the ASUS, because the phone people had no access to the ASUS router, so they would have had to have asked me to set it up.

I asked him why even connect the phones to our network at all? He said then they would need to come out run all new cabling for the phones even though most of the phones already have their own network port (a few of them are daisy chained to stations).

He eventually said they went in and disabled or enabled some SIP something or other, and the phones work fine now, but this should only be a temporary fix.

Their main internet circuit is like 900mbps/500mbps, so they have plenty of internet. I'm just confused as to why they are making this so complicated. He hasn't bothered me in a while, so I'm thinking I might just drop it and move on. The only consequence I see is that the client might be paying for an additional internet service they are not using (maybe?). They wouldn't even notice, because this company operates at probably $50-$100 million per year, and I feel like they are trying to make this my problem when I have nothing to do with the phones at all. Their main network and day-to-day operations, from my standpoint as their IT contact (not voice contact), operate perfectly.
 
He said then they would need to come out run all new cabling for the phones even though most of the phones already have their own network port (a few of them are daisy chained to stations).
That statement means the computer and VoIP networks ARE connected. Or several PCs are not on your designated network. You can't daisy-chain them and be separate.

There’s no way to answer the question until you map both networks. But likely some but not all of the phones are on your network and they probably are the phones with the issues.
 
Oh if your client had the password to the asus router then they likely gave the phone guy access. They probably did configure it to run the phones behind your back.
 
I’d bet the VoIP company never configured a DHCP server for VLAN 30 on the old Asus router. They are probably running DHCP for VLAN 30 on their Edgerouter. I could be wrong though.

Bad news, whether you know it or not you broke the stuff with the VoIP phones when you installed those Ubiquiti switches. I’d bet you were using some old unmanaged switches before which would pass the VLAN traffic just fine. But as soon as you put those Ubiquiti switches in and did not configure the VLAN in them, they won’t pass the traffic. Kinda surprised those phones are even pulling IP address for VLAN 30.

Good chance the solution could be pretty simple. You need to configure your UniFi Controller with VLAN 30, and then the switches will get re-provisioned to allow VLAN 30 on your network. You also may need to know the subnet the VoIP company is using for VLAN 30.

Not exactly sure on your setup. We always use pfSense for our routing appliance and Ubiquiti equipment for everything else. I know in our environments I would just go into the UniFi Controller-->Settings-->Networks and create a New Network called VLAN 30 (VLAN Only). Then you need to check all of your switch ports for each switch and make sure the Switch Port Profile is set to "All". That way each port will pass your LAN and VLAN traffic.

I'm still curious how the phones are even working right now. UNLESS, the VoIP company removed them all from the VLAN and put them on your LAN.
 
That's actually not true... at least not by default.

UniFi gear has all ports as TRUNK ports by default. So they will pass all VLANs until explicitly configured not to.

If you have a device tagging VLAN30 plugged into a Unifi switch, it'll send that VLAN30 out all ports not directly configured for another VLAN to any device that might process packets on VLAN30.

So in many ways, you could say that pass-through is builtin.

But regardless, all of that is bunk. It needs to be properly configured.
 
I have never configured Unifi, but I have had to do some crazy things. Obviously the phones either send tagged or untagged traffic, and your managed switch needs to know what is expected from the phones and if you are handing off as tagged or untagged to configure a trunk etc.

I once had to make a single phone setup work at two different sites with the same network subnet. I made it work by creating the same VLAN at each side and then using Cisco L2TPv3 and xconnect to encapsulate and send the VLAN over a router WAN circuit.
 
@Sky-Knight,

You and I have definitely had different experiences with UniFi switches and VLANs. Wondering if it's because you have complete UniFi systems, whereas we never use their Security Gateways. Not sure. A simple Google search of "will ubiquiti switches automatically pass vlan traffic" shows several links on the first page that support exactly what I thought, where users are having issues passing VLAN traffic. The fix: get that VLAN in there under Networks and make sure the ports are set to ALL.

I found a link on reddit where someone explains the exact problem we have with this. One somewhat common thing is he was using OPNsense. We use pfSense. Maybe that's got something to do with it. Got me.

I could easily test this by pulling a VLAN 20 we've got setup for a 50 phone VoIP environment. As soon as those switches are re-provisioned with the new (non-VLAN) settings, those phones will STOP working and we'll get a lot of angry calls from user's cell phones.

Keep in mind, while I do like Ubiquiti equipment my love for it over the years has faded. So it could simply be a bug in their equipment. As in "Yeah, it's supposed to work like that but your mileage may vary."
 
@thatdude It's all about the "all" port profile.

That port profile is configured to pass all VLANs all the time. And that's also the default.

So if the switches see a tagged frame, it goes out all ports just the same as if it's untagged. The difference being that whatever is plugged into the switch has to be able to tag on its own, and read the tagged frames on its own.

I also never use USG, if I can utterly avoid it. As far as I'm concerned there's no S in that USG... it's just a gateway. And if I need a gateway, that's fine. But if I want security? That's Arista Untangle NGFW but I'm really familiar with the *Senses too.

All of that being said, I always define all VLANs on a network in the control panel, and I generally leave all ports in the ALL profile unless I need to change something. That way tagged and untagged frames will work without anyone mucking with much. And if I need a tagged port, I can do that quickly. I don't have to do anything on the Untangle / pfSense / OPNsense router I use other than configure the appropriate interface to listen for the tag in question. Then poof... off it goes.

Another thing I do... I NEVER use a "VLAN Only" network. I always use a "Corporate" network. I do this because Unifi doesn't let you convert, and if I should ever want to add a Unifi router into the mix, corporate has all the settings I need to support the VLAN AND configure the layer 3 stuff for that vlan as well. Sure the layer 3 bits aren't active but if I ever need them... there they are. It also serves as backup documentation should something happen to the edge router.

Something is probably not configured correctly in the switch the phones are connected to, because that switch needs to know to accept the tagged frames correctly. And if you add that tagging support on the UniFi side, and that switch isn't expecting to handle tagged frames, UniFi won't see the frames being answered and will stop shoving them out that port.
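To make the "All" versus single-network port profile behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Ubiquiti) that parses 802.1Q tags and models what a switch does with a frame tagged VLAN 30. The profile semantics (trunk re-tags, access port drops tagged ingress) and the frame bytes are my own constructed assumptions, not a description of UniFi internals.

```python
# Added example: model of port-profile handling for 802.1Q frames.
# "All" = trunk carrying every VLAN (the default profile named in the
# thread); an int profile = access port untagged on that one VLAN.
import struct

TPID_8021Q = 0x8100   # EtherType value announcing an 802.1Q tag
NATIVE_VID = 1        # untagged frames on a trunk are treated as VLAN 1 here


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is set."""
    tag = b""
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # TCI = PCP(3) DEI(1) VID(12)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def flood(frame, ingress_port, profiles):
    """Return {port: egress_frame} for every port that would get a copy.

    profiles maps port name -> "All" or an int access VLAN. Model assumption:
    an access port drops tagged frames on ingress and emits untagged frames
    only for its own VLAN; a trunk re-tags everything except the native VLAN.
    """
    dst, src, vid, ethertype, payload = parse_frame(frame)
    ingress = profiles[ingress_port]
    if ingress != "All" and vid is not None:
        return {}                       # tagged frame hit an access port: dropped
    in_vid = vid if vid is not None else (NATIVE_VID if ingress == "All" else ingress)
    out = {}
    for port, profile in profiles.items():
        if port == ingress_port:
            continue
        if profile == "All":            # trunk: keep the tag unless native
            egress_vid = None if in_vid == NATIVE_VID else in_vid
            out[port] = build_frame(dst, src, ethertype, payload, egress_vid)
        elif profile == in_vid:         # access port on that VLAN: strip tag
            out[port] = build_frame(dst, src, ethertype, payload)
    return out
```

Running `flood` with the phone's port set to `"All"` delivers the VLAN 30 frame to other trunk ports tagged and to a VLAN 30 access port untagged; with the phone's port set to an access VLAN instead, the tagged frame is dropped, which is the symptom the thread attributes to ports not being on the "All" profile.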
 