SchoolTST
May 17, 2017 (Aspirant)
VLAN Configuration
[This is a generic query on the function of VLANs on Netgear switches, no specific switch model as I have to work with nearly all variations. Firmware can be updated, I have no problem doing that, in the ...
- Jun 13, 2017
I just want to follow-up on this. Let us know if you have further questions.
Otherwise, if your concern has been addressed / resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!
Regards,
DaneA
NETGEAR Community Team
XavierLL
May 19, 2017 (NETGEAR Employee Retired)
Hi SchoolTsT,
I would suggest too that you tag the port on the server side so you segregate the traffic on a per-port basis. Most server NICs support 802.1Q VLAN tagging, so if you can set it up this way you will increase the security on the network.
Moreover, I would suggest protected ports on the switch and enabling wireless isolation on the wifi network to isolate the guest network devices from each other.
Regards
Xavier Lleixa
NETGEAR CBU PLM
SchoolTST
May 25, 2017 (Aspirant)
Xavier Lleixa,
Thanks for the reply and security advice. I certainly do intend to enable wireless isolation on the guest network, but this is a tick box in the wireless controller software for a single SSID, and so no interaction is possible with the core school network if it has a designated and working VLAN segregation. What do you mean by a protected port on the switch - is this just the use of a tagged VLAN port for each SSID? If that is what you mean... then for clarification, this infrastructure cannot be rolled out without at least segregated SSIDs and segregated traffic VLANs.
Regarding the server NIC tagging suggestion, I would say that I am trying to keep the configurations down to a minimum and the way I understand VLANs in this scenario is that if assigned to the server port, they will be able to communicate transparently (as if both on the same VLAN). I would not configure the server port for the VLANs associated with the untrusted VLANs, so is this tagging to the server NIC not just additional security on top of the proposed configuration?
This is of course possibly my fault for not explaining fully the proposed setup, but there is only so much I can write here and presumably you will read too :)
VLAN          | Use             | Devices           | Server access    | Isolation
VLAN 1 (Def)  | Wired Network   | Trusted Devices   | Server Access    | No Isolation
VLAN 500      | SSID Curriculum | Trusted Devices   | Server Access    | No Isolation
VLAN 501      | SSID School     | Untrusted Devices | No Server Access | No Isolation
VLAN 502      | SSID Guest      | Untrusted Devices | No Server Access | Isolation
Hopefully that helps a little, above are more details on the number and intended purpose of the VLANs / SSIDs.
I have to say you have raised a good point though with this idea of tagging to the server NIC: At the uplink port from [our] switch to the internet, (provisioned usually as a Cisco device of some variation) all these VLANs would be configured so that the internet uplink port would be an access port for all VLANs. I am thinking that there is a possibility the Cisco device could learn all the IPs on all the VLANs and act as an inter VLAN router! Do you think I need to ask the ISP (a corporate team) to tag the VLANs on the Cisco port so that I can trunk to that equipment? Will that even stop the inter VLAN routing that I am hoping to avoid?
Regards
Chris
SchoolTST
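One way to sanity-check a proposed switch port table against the VLAN plan Chris posted (VLAN 1/500/501/502, server access, isolation), written as an added Python example that is not from the thread or from NETGEAR. The port roles, the "protected" flag and the sample ports are assumptions; the checks encode the thread's advice: the server port must only carry server-access VLANs, only the PVID VLAN may leave a port untagged, and an access port on the isolation VLAN should be a protected port.

```python
from dataclasses import dataclass, field

# VLAN plan as posted in the thread: id -> server access allowed, client isolation wanted
VLAN_PLAN = {
    1:   {"name": "Wired",      "server": True,  "isolation": False},
    500: {"name": "Curriculum", "server": True,  "isolation": False},
    501: {"name": "School",     "server": False, "isolation": False},
    502: {"name": "Guest",      "server": False, "isolation": True},
}

@dataclass
class Port:
    name: str
    role: str                   # "server", "ap", "uplink" or "access" (labels are assumptions)
    pvid: int                   # VLAN given to untagged ingress frames on this port
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)
    protected: bool = False     # switch "protected port" setting

def check_port(port: Port) -> list:
    """Return policy findings for one port; an empty list means the port passes."""
    findings = []
    members = port.untagged | port.tagged
    if port.pvid not in members:
        findings.append(f"{port.name}: PVID {port.pvid} is not a member VLAN")
    if not port.untagged <= {port.pvid}:
        findings.append(f"{port.name}: only the PVID VLAN may egress untagged")
    for vid in sorted(members):
        if vid not in VLAN_PLAN:
            findings.append(f"{port.name}: VLAN {vid} is not in the plan")
        elif port.role == "server" and not VLAN_PLAN[vid]["server"]:
            findings.append(f"{port.name}: server port carries no-server VLAN {vid}")
        elif port.role == "access" and VLAN_PLAN[vid]["isolation"] and not port.protected:
            findings.append(f"{port.name}: isolation VLAN {vid} needs a protected port")
    return findings

def check_switch(ports) -> dict:
    """Map port name -> findings for every port that has at least one finding."""
    return {p.name: f for p in ports if (f := check_port(p))}

# Constructed sample port table (not a real switch export); g4 and g5 deliberately break the plan
SAMPLE_PORTS = [
    Port("g1-server", "server", pvid=1, untagged={1}, tagged={500}),
    Port("g2-ap", "ap", pvid=1, untagged={1}, tagged={500, 501, 502}),
    Port("g3-uplink", "uplink", pvid=1, untagged={1}, tagged={500, 501, 502}),
    Port("g4-guest", "access", pvid=502, untagged={502}),
    Port("g5-server-bad", "server", pvid=1, untagged={1}, tagged={500, 501}),
]
```

Running `check_switch(SAMPLE_PORTS)` reports only g4 (guest access port not protected) and g5 (server port tagged into the untrusted VLAN 501); the other ports pass.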