SchoolTST
May 17, 2017 - Aspirant
VLAN Configuration
[This is a generic query on the function VLANs on Netgear switches, no specific switch model as I have to work with nearly all variations. Firmware can be updated I have no problem doin that, in the ...
- Jun 13, 2017
I just want to follow-up on this. Let us know if you have further questions.
Otherwise, if ever your concern has been addressed / resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!
Regards,
DaneA
NETGEAR Community Team
DaneA
May 19, 2017 - NETGEAR Employee Retired
Hi SchoolTST,
Welcome to the community! :)
Question: If I create a Curriculum VLAN 500, assign it to the WAP as a Trunk port (T) and associate the Curriculum SSID to VLAN 500; will the connected Wi-Fi devices be able to communicate with the server when I make the server port a VLAN 500 access port also (U)? The question simply comes up in my mind because the server port will now have two places to send traffic for the same curriculum network, VLAN 1 (the default) and VLAN 500 (the Wi-Fi curriculum SSID). Is it just a simple matter of the switch looking up where to send the traffic, or, because the server port is an access port for both VLANs, will the traffic just get duplicated or sent to both VLAN 1 and 500 simultaneously? Or will this not work at all?
Answer: Yes, the connected WiFi devices will be able to communicate with the server since they are in the same VLAN 500. Since the server is a member of both VLAN 1 and VLAN 500, you may create access control lists where you can permit or deny an IP address or IP address range that gets to communicate with the server.
For more information about access control lists, check the article below:
What are Access Control Lists (ACLs) and how do they work with my managed switch?
Regards,
DaneA
NETGEAR Community Team
XavierLL
May 19, 2017 - NETGEAR Employee Retired
Hi SchoolTsT,
I would suggest too that you tag the port on the server side so you segregate the traffic on a per-port basis. Most server NICs support 802.1Q VLAN tagging, so if you can set it up this way you will increase the security on the network.
Moreover, I would suggest protected ports on the switch, and enabling wireless isolation on the Wi-Fi network to isolate the guest network devices from one another.
Regards
Xavier Lleixa
NETGEAR CBU PLM
SchoolTST - May 25, 2017 - Aspirant
Xavier Lleixa,
Thanks for the reply and security advice. I certainly do intend to enable wireless isolation on the guest network, but this is a tick box in the wireless controller software for a single SSID, and so no interaction is possible with the core school network if it has a designated and working VLAN segregation. What do you mean by a protected port on the switch - is this just the use of a tagged VLAN port for each SSID? If that is what you mean... then for clarification, this infrastructure cannot be rolled out without at least segregated SSIDs and segregated traffic VLANs.
Regarding the server NIC tagging suggestion, I would say that I am trying to keep the configurations down to a minimum and the way I understand VLANs in this scenario is that if assigned to the server port, they will be able to communicate transparently (as if both on the same VLAN). I would not configure the server port for the VLANs associated with the untrusted VLANs, so is this tagging to the server NIC not just additional security on top of the proposed configuration?
This is of course possibly my fault for not explaining fully the proposed setup, but there is only so much I can write here and presumably you will read too :)
VLAN 1 (Def) | Wired Network   | Trusted Devices   | Server Access    | No Isolation
VLAN 500     | SSID Curriculum | Trusted Devices   | Server Access    | No Isolation
VLAN 501     | SSID School     | Untrusted Devices | No Server Access | No Isolation
VLAN 502     | SSID Guest      | Untrusted Devices | No Server Access | Isolation
Hopefully that helps a little, above are more details on the number and intended purpose of the VLANs / SSIDs.
I have to say you have raised a good point though with this idea of tagging to the server NIC: at the uplink port from [our] switch to the internet (provisioned usually as a Cisco device of some variation) all these VLANs would be configured so that the internet uplink port would be an access port for all VLANs. I am thinking that there is a possibility the Cisco device could learn all the IPs on all the VLANs and act as an inter-VLAN router! Do you think I need to ask the ISP (a corporate team) to tag the VLANs on the Cisco port so that I can trunk to that equipment? Will that even stop the inter-VLAN routing that I am hoping to avoid?
Regards
Chris
SchoolTST
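The following is an added example, not code from the thread or from NETGEAR: a small model of 802.1Q port membership (PVID, untagged and tagged VLANs) that checks which of the four VLANs in Chris's plan can reach the server port when the server NIC tags VLAN 500 itself, as Xavier suggested. The port names, membership assignments and sample frames are assumptions constructed for illustration.

```python
# Added example: model of 802.1Q ingress/egress rules on a managed switch.
# Port names, VLAN memberships and frames are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out untagged (U)
    tagged: set = field(default_factory=set)    # VLANs sent out tagged (T)

    def members(self):
        return self.untagged | self.tagged


# Assumed layout: server NIC untagged in VLAN 1 and tagging VLAN 500 itself;
# the WAP and the internet uplink are trunks carrying the three SSID VLANs.
SWITCH = {
    "server": Port("server", pvid=1, untagged={1}, tagged={500}),
    "wap":    Port("wap",    pvid=1, untagged={1}, tagged={500, 501, 502}),
    "uplink": Port("uplink", pvid=1, untagged={1}, tagged={500, 501, 502}),
}


def classify_ingress(port, vlan_tag):
    """VLAN a frame is placed in on ingress, or None if it is dropped.
    Untagged frames take the port's PVID; tagged frames need membership."""
    if vlan_tag is None:
        return port.pvid
    return vlan_tag if vlan_tag in port.members() else None


def forward(ingress, vlan_tag, egress):
    """Is a frame received on `ingress` delivered out of `egress`?
    Returns (delivered, vlan_after_ingress, leaves_tagged)."""
    vlan = classify_ingress(SWITCH[ingress], vlan_tag)
    out = SWITCH[egress]
    if vlan is None or vlan not in out.members() or ingress == egress:
        return (False, vlan, None)
    return (True, vlan, vlan in out.tagged)


def reaches_server(ssid_vlan):
    """Can a Wi-Fi client whose SSID maps to `ssid_vlan` (arriving tagged
    over the WAP trunk) reach the server port at all?"""
    return forward("wap", ssid_vlan, "server")[0]
```

Run through the plan, only VLAN 500 reaches the server, while untagged frames the server sends are classified by its PVID and so land in VLAN 1 only; the tag the NIC adds is what carries its replies back into VLAN 500.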