VLAN or DMZ
flyboy_dea
10-15-2011, 04:58 PM
I am looking for your opinion on setting up an Epygi M8L. As this is a new installation I am wondering if it is better to put the PBX on a DMZ or on a VLAN. We are using a Sonicwall NSA 240 and I have a managed switch available. I was thinking that putting the PBX on the VLAN with the phones connected to the WAN side of the Epygi would make it a little easier to manage the overall. However, if I put the Epygi on a DMZ in Transparent Mode the phones would be on the LAN side of the Epygi and I can take advantage of the auto provisioning.
Your thoughts are appreciated.
KSComs
10-16-2011, 06:17 AM
How many extensions? The M8L = under 100, so depending on your setup time would determine which side of the NIC you swing.
flyboy_dea
10-16-2011, 08:29 PM
This is a small installation, only 10 phones to start with, and I have 3-4 days until installation begins.
I am trying to get a feel for the better or preferred configuration setup on a fresh network and IP phone system installation. Usually we are trying to fit into an existing infrastructure, but not this time. I can add switches if need be; the current thought was to have one 24-port PoE managed switch and split the phones from the data using a VLAN. However, if the switch goes out, then both the data and voice are down, whereas if there were 2 switches, one for voice and one for data, it would be more unlikely that both switches would go down at the same time.
If the Epygi is on a VLAN, is it better to have the phones on the WAN side or LAN side? Functionally and operationally is one side better than the other, besides having to manually configure the phones if on the WAN side?
If the Epygi is on the DMZ, is the greater exposure to the Epygi worth the risk?
KSComs
10-17-2011, 10:56 AM
Forget DMZs, VLANs; it isn't worth the overhead or risks for the alleged savings - keep 'em separated - deploy on the LAN, use filtering and port forwarding with IP restrictions.
KISS principle
Pechnik
11-07-2011, 11:21 AM
VLAN vs. DMZ. Setting up your guests on the DMZ would be a lot more secure. How many IDFs do you have?
If it is a small building, then adding a switch for your guest and adding DHCP to the DMZ with the ASA, would be the most controlled solution and recommended one. Do not open rules for inbound!! You are giving them internet access, which means that they open the connection to the outside, don’t let the outside open the connection to them by adding rules for the inbound traffic!!!
VLANs would be a less expensive way to connect them if we are talking about a huge network with multiple IDFs. This solution is less desirable since you have to be really careful about which VLAN you assign each port to.