SchoolTST
Aspirant
May 17, 2017
Solved

VLAN Configuration

[This is a generic query on the function of VLANs on Netgear switches, no specific switch model as I have to work with nearly all variations. Firmware can be updated, I have no problem doing that. Posted in the managed section of the community because I suspect some switches will need to be purchased in order to achieve the goals I have in mind.]

I have a query regarding VLANs and under what circumstances they will operate to assist me with a separation or segregation of networks that I am attempting to design into an existing infrastructure for a small number of schools. I have attempted some trial and error work but not achieved the results I was looking for, and since this is an infrastructure scale development it would be best to get it right so that it is understood and replicable. I am sure it is not a major issue but I am working alone to achieve this and would be very grateful for help on the problem.

The outline of the infrastructure is very simple: a mixture of smart (GS) and managed (GSM) switches form the core of the networks in these schools. If there is a managed switch it will be at the core of the network with the server and the connection to the wide area network (Internet). My challenge is to define an architecture that will enable the installation of a mixed-use Wi-Fi network in the schools that both allows LAN access to the servers for the users' roaming laptops and tablets and also a BYOD SSID that will only have access to the internet, not the local area network, to increase security from unmanaged devices on guest Wi-Fi SSIDs.

Problems I have encountered are many, but suffice it to say the WAPs need to go on the default VLAN along with the server and curriculum network so that they will pick up a DHCP address and be manageable by the software controller (Ubiquiti) installed on the server. Once this is done, I can set up VLANs and associate SSIDs with each VLAN, but this brings me to the first of two questions…

 

  1. If I create a Curriculum VLAN 500, assign it to the WAP as a Trunk port (T) and associate the Curriculum SSID to VLAN 500; will the connected Wi-Fi devices be able to communicate with the server when I make the server port a VLAN 500 access port also (U)?

    The question simply comes up in my mind because the server port will now have two places to send traffic for the same curriculum network, VLAN 1 (the default) and VLAN 500 (the Wi-Fi curriculum SSID). Is it just a simple matter of the switch looking up where to send the traffic, or, because the server port is an access port for both VLANs, will the traffic just get duplicated or sent to both VLAN 1 and 500 simultaneously? Or will this not work at all?

Please note I am not talking about setting up any VLAN routing (yet), but this question is in the managed switch area for a reason (this might be the reason, IDK!) and it is likely DHCP relaying will be part of the second question; it is all related.

The second question will have to remain unasked for the time being; I have considered that it is dependent on the way this aspect of the network is configured, so I will not give anyone a redundant headache.

 

Any help appreciated and looking forward to understanding a bit more.

  • DaneA
    Jun 13, 2017

    SchoolTST,

    I just want to follow up on this.  Let us know if you have further questions.

    Otherwise, if ever your concern has been addressed / resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

    Regards,

    DaneA

    NETGEAR Community Team

11 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi SchoolTST,

     

    Welcome to the community! :)

    Question: If I create a Curriculum VLAN 500, assign it to the WAP as a Trunk port (T) and associate the Curriculum SSID to VLAN 500; will the connected Wi-Fi devices be able to communicate with the server when I make the server port a VLAN 500 access port also (U)?  The question simply comes up in my mind because the server port will now have two places to send traffic for the same curriculum network, VLAN 1 (the default) and VLAN 500 (the Wi-Fi curriculum SSID). Is it just a simple matter of the switch looking up where to send the traffic, or, because the server port is an access port for both VLANs, will the traffic just get duplicated or sent to both VLAN 1 and 500 simultaneously? Or will this not work at all?

    Answer: Yes, the connected WiFi devices will be able to communicate to the server since they are in the same VLAN 500.  Since the server is a member of both VLAN 1 and VLAN 500, you may create access control lists where you can permit or deny an IP address or IP address range that gets to communicate to the server.

     

    For more information about access control lists, check the article below:

    What are Access Control Lists (ACLs) and how do they work with my managed switch?

    Regards,

    DaneA
    NETGEAR Community Team

    • XavierLL
      NETGEAR Employee Retired

      Hi SchoolTST,

       

      I would suggest too that you tag the port on the server side so you segregate the traffic on a per-port basis. Most server NICs support 802.1Q VLAN tagging, so if you can set it up this way you will increase the security on the network.

      Moreover I would suggest protected ports on the switch and enabling wireless isolation on the wifi network to isolate the guest network devices from each other.

      Regards

      Xavier Lleixa

      NETGEAR CBU PLM

      • SchoolTST
        Aspirant

        Xavier Lleixa,

        Thanks for the reply and security advice. I certainly do intend to enable wireless isolation on the guest network, but this is a tick box in the wireless controller software for a single SSID and so no interaction is possible with the core school network if it has a designated and working VLAN segregation. What do you mean by a protected port on the switch - is this just the use of a tagged VLAN port for each SSID? If that is what you mean... then for clarification, this infrastructure cannot be rolled out without at least segregated SSIDs and segregated traffic VLANs.

         

        Regarding the server NIC tagging suggestion, I would say that I am trying to keep the configurations down to a minimum, and the way I understand VLANs in this scenario is that if assigned to the server port, they will be able to communicate transparently (as if both on the same VLAN). I would not configure the server port for the VLANs associated with the untrusted devices, so is this tagging to the server NIC not just additional security on top of the proposed configuration?

        This is of course possibly my fault for not explaining fully the proposed setup, but there is only so much I can write here and presumably you will read too :)

        VLAN           Network            Devices              Server access       Isolation
        VLAN 1 (Def)   Wired Network      Trusted Devices      Server Access       No Isolation
        VLAN 500       SSID Curriculum    Trusted Devices      Server Access       No Isolation
        VLAN 501       SSID School        Untrusted Devices    No Server Access    No Isolation
        VLAN 502       SSID Guest         Untrusted Devices    No Server Access    Isolation

        Hopefully that helps a little; above are more details on the number and intended purpose of the VLANs / SSIDs.

        I have to say you have raised a good point though with this idea of tagging to the server NIC: at the uplink port from [our] switch to the internet (provisioned usually as a Cisco device of some variation), all these VLANs would be configured so that the internet uplink port would be an access port for all VLANs. I am thinking that there is a possibility the Cisco device could learn all the IPs on all the VLANs and act as an inter-VLAN router! Do you think I need to ask the ISP (a corporate team) to tag the VLANs on the Cisco port so that I can trunk to that equipment? Will that even stop the inter-VLAN routing that I am hoping to avoid?

        Regards
        Chris
        SchoolTST

    • SchoolTST
      Aspirant

      DaneA,

      Thanks for the welcome and the response, I have a question regarding these ACLs.

      Do I have to set ACLs up or will this work without ACLs? Will all IP addresses on VLAN500 and VLAN1 both be permitted to the server (and vice versa) if I don't make additional ACL configurations?

      I am trying to avoid adding as much configuration as possible to the switches so that even people with a basic understanding of networking can get involved with this infrastructure (like me). VLANs have been used on our networks before but not always for the typical reasons like traffic segregation and security; ACLs are something I have heard of and touched on only once in my time, and certainly I would try to avoid using them if at all possible.

      Regards

      Chris

      Schools TST

  • DaneA
    NETGEAR Employee Retired

    SchoolTST,

    I understand that you are trying to avoid as much configuration as possible such as setting up ACLs.  With regard to this, you might want to consider setting up Asymmetric VLAN.

    Regards,

    DaneA
    NETGEAR Community Team
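As an added illustration (my own model, not NETGEAR code and not from any post in this thread) of the 802.1Q ingress and egress rules behind both Chris's first question and the asymmetric VLAN suggestion: a frame is classified into exactly one VLAN on ingress (its tag, or the port's PVID when untagged) and is never duplicated into VLAN 1 and VLAN 500. The port plan below is constructed from the table in Chris's reply and is an assumption, not a captured configuration.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port: PVID for untagged ingress, plus U and T membership sets."""
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def member(self, vlan):
        return vlan in self.untagged or vlan in self.tagged


def classify(port, tag):
    """Ingress rule: tagged frame -> its tag VLAN, untagged frame -> the port's PVID.
    A frame is placed in exactly one VLAN; non-member frames are dropped (None)."""
    vlan = port.pvid if tag is None else tag
    return vlan if port.member(vlan) else None


def flood(ports, src, tag):
    """Broadcast / unknown-unicast egress: {port: egress tag, or None for untagged}
    for every other member port of the frame's single VLAN."""
    vlan = classify(ports[src], tag)
    if vlan is None:
        return {}
    return {name: (vlan if vlan in p.tagged else None)
            for name, p in ports.items() if name != src and p.member(vlan)}


# Constructed port plan from the thread's table (assumed, not a real config):
# AP trunk = VLAN 1 untagged + SSID VLANs 500/501/502 tagged,
# server port = untagged in VLAN 1 and VLAN 500 with PVID 1.
PLAN = {
    "ap":     Port(pvid=1, untagged={1}, tagged={500, 501, 502}),
    "server": Port(pvid=1, untagged={1, 500}),
    "wired":  Port(pvid=1, untagged={1}),
}


def curriculum_to_server():
    """Frame from SSID Curriculum (tag 500 on the AP port) reaches the server, untagged."""
    return flood(PLAN, "ap", 500)


def guest_reach():
    """Frame from SSID Guest (tag 502): no other port is a member, so it goes nowhere."""
    return flood(PLAN, "ap", 502)


def server_reply_vlan():
    """The server's untagged reply is classified into its PVID (VLAN 1), not into 500."""
    return classify(PLAN["server"], None)
```

Run stand-alone, the model shows the server's untagged replies landing in its PVID, VLAN 1, which is the gap that asymmetric VLAN (overlapping untagged memberships with differing PVIDs on the client ports) is designed to bridge.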

    • SchoolTST
      Aspirant

      DaneA,

      I had never heard of this variant of VLANs and that was a useful exercise to read through. This may be possible, but it means changing the default VLAN or at least removing the default VLAN from most of the switch ports to avoid cross communication on all the VLANs... obviously this leads to management issues when you need to remote in to the switch unless there is a dedicated management access port. I also think it will not be possible due to the nature of the WiFi access points as they require trunked VLAN ports.

      I think the solution is going to have to include at least VLAN Routing and maybe the ACLs too. I have found that I should be able to configure both on the M4100-D12G switch according to the manual (I'm a bit sketchy when it comes to what is possible on certain Netgear Switches).

      I did have trouble with the VLAN routing setup before when I last attempted it, but I am thinking that was caused by trying to set up VLAN interfaces subnetted within the range that was already set as the default VLAN interface (i.e. I didn't realise that the switch IP and subnet was not only the management interface but also the default VLAN interface), so I guess I was trying to subnet a subnet(!) and the switch didn't like that and gave me configuration errors.

      Regardless of the issues, all the reading and advice has got me to the point where I am happy to purchase some APs and an M4100 switch and try to simulate what I have been discussing. I will likely come back and mark one of your posts as answered. I will however no doubt be posting a specific configuration issue back here once I actually get down to configuration.

      Regards

      SchoolsTST
