
Re: VLAN Configuration

SchoolTST
Aspirant

VLAN Configuration

[This is a generic query on the function of VLANs on Netgear switches, no specific switch model as I have to work with nearly all variations. Firmware can be updated, I have no problem doing that. It is in the managed section of the community because I suspect some switches will need to be purchased in order to achieve the goals I have in mind.]

 

I have a query regarding VLANs and under what circumstances they will operate to assist me with a separation or segregation of networks that I am attempting to design into an existing infrastructure for a small number of schools. I have attempted some trial and error work but not achieved the results I was looking for, and since this is an infrastructure scale development it would be best to get it right so that it is understood and replicable. I am sure it is not a major issue but I am working alone to achieve this and would be very grateful for help on the problem.

 

The outline of the infrastructure is very simple: a mixture of smart (GS) and managed (GSM) switches form the core of the networks in these schools. If there is a managed switch it will be at the core of the network with the server and the connection to the wide area network (Internet). My challenge is to define an architecture that will enable the installation of a mixed-use Wi-Fi network in the schools that both allows LAN access to the servers for the users' roaming laptops and tablets and also a BYOD SSID that will only have access to the internet, not the local area network, to increase security from unmanaged devices on guest Wi-Fi SSIDs.

 

Problems I have encountered are many, but suffice to say the WAPs need to go on the default VLAN along with the server and curriculum network so that they will pick up a DHCP address and be manageable by the software controller (Ubiquiti) installed on the server. Once this is done, I can set up VLANs and associate SSIDs with each VLAN, but this brings me to the first of two questions…

 

  1. If I create a Curriculum VLAN 500, assign it to the WAP as a Trunk port (T) and associate the Curriculum SSID to VLAN 500; will the connected Wi-Fi devices be able to communicate with the server when I make server port a VLAN 500 access port also (U)?

    The question simply comes up in my mind because the server port will now have two places to send traffic for the same curriculum network, VLAN 1 (the default) and VLAN 500, the Wi-Fi curriculum SSID. Is it just a simple matter of the switch looking up where to send the traffic, or, because the server port is an access port for both VLANs, will the traffic just get duplicated or sent to both VLAN 1 and 500 simultaneously? Or will this not work at all?

Please note I am not talking about setting up any VLAN routing (yet), but this question is in the managed switch area for a reason (this might be the reason, IDK!) but it is likely DHCP relaying will be part of the second question and it is all related.

 

The second question will have to remain unasked for the time being, and I have considered that it is dependent on the way this aspect of the network is configured, so I will not give anyone a redundant headache.

 

Any help appreciated and looking forward to understanding a bit more.

Message 1 of 12


All Replies
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

Hi SchoolTST,

 

Welcome to the community! 🙂 

 

Question: If I create a Curriculum VLAN 500, assign it to the WAP as a Trunk port (T) and associate the Curriculum SSID to VLAN 500; will the connected Wi-Fi devices be able to communicate with the server when I make the server port a VLAN 500 access port also (U)?  The question simply comes up in my mind because the server port will now have two places to send traffic for the same curriculum network, VLAN 1 (the default) and VLAN 500, the Wi-Fi curriculum SSID. Is it just a simple matter of the switch looking up where to send the traffic, or, because the server port is an access port for both VLANs, will the traffic just get duplicated or sent to both VLAN 1 and 500 simultaneously? Or will this not work at all?

 

Answer: Yes, the connected WiFi devices will be able to communicate to the server since they are in the same VLAN 500.  Since the server is a member of both VLAN 1 and VLAN 500, you may create access control lists where you can permit or deny an IP address or IP address range that gets to communicate to the server. 

 

For more information about access control list, check the article below:

 

What are Access Control Lists (ACLs) and how do they work with my managed switch?

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 2 of 12
XavierLL
NETGEAR Employee Retired

Re: VLAN Configuration

Hi SchoolTsT,

 

I would suggest too that you tag the port on the server side so you segregate the traffic on a port basis. Most server NICs support 802.1Q VLAN tagging, so if you can set it up this way you will increase the security on the network.

Moreover, I would suggest protected ports on the switch and enabling wireless isolation on the Wi-Fi network to isolate the guest network devices from each other.

 

Regards

 

Xavier Lleixa

NETGEAR CBU PLM  

Message 3 of 12
SchoolTST
Aspirant

Re: VLAN Configuration

DaneA,

 

Thanks for the welcome and the response, I have a question regarding these ACLs.

Do I have to set ACLs up or will this work without ACLs? Will all IP addresses on VLAN 500 and VLAN 1 both be permitted to the server (and vice versa) if I don't make additional ACL configurations?

I am trying to avoid adding as much configuration as possible to the switches so that even people with a basic understanding of networking can get involved with this infrastructure (like me). VLANs have been used on our networks before but not always for the typical reasons like traffic segregation and security, ACLs would be something I have heard of and touched on only once in my time, certainly I would try to avoid using them if at all possible.

 

Regards

Chris

Schools TST

Message 4 of 12
SchoolTST
Aspirant

Re: VLAN Configuration

Xavier Lleixa,

 

Thanks for the reply and security advice. I certainly do intend to enable wireless isolation on the guest network, but this is a tick box in the wireless controller software for a single SSID, and so no interaction is possible with the core school network if it has a designated and working VLAN segregation. What do you mean by a protected port on the switch - is this just the use of a tagged VLAN port for each SSID? If that is what you mean... then for clarification, this infrastructure cannot be rolled out without at least segregated SSIDs and segregated traffic VLANs.

 

Regarding the server NIC tagging suggestion, I would say that I am trying to keep the configurations down to a minimum and the way I understand VLANs in this scenario is that if assigned to the server port, they will be able to communicate transparently (as if both on the same VLAN). I would not configure the server port for the VLANs associated with the untrusted VLANs, so is this tagging to the server NIC not just additional security on top of the proposed configuration?

This is of course possibly my fault for not explaining fully the proposed setup, but there is only so much I can write here and presumably you will read too 🙂

VLAN          Network           Devices            Server access      Isolation
VLAN 1 (Def)  Wired Network     Trusted Devices    Server Access      No Isolation
VLAN 500      SSID Curriculum   Trusted Devices    Server Access      No Isolation
VLAN 501      SSID School       Untrusted Devices  No Server Access   No Isolation
VLAN 502      SSID Guest        Untrusted Devices  No Server Access   Isolation

 

Hopefully that helps a little, above are more details on the number and intended purpose of the VLANs / SSIDs.

 

I have to say you have raised a good point though with this idea of tagging to the server NIC: At the uplink port from [our] switch to the internet, (provisioned usually as a Cisco device of some variation) all these VLANs would be configured so that the internet uplink port would be an access port for all VLANs. I am thinking that there is a possibility the Cisco device could learn all the IPs on all the VLANs and act as an inter VLAN router! Do you think I need to ask the ISP (a corporate team) to tag the VLANs on the Cisco port so that I can trunk to that equipment? Will that even stop the inter VLAN routing that I am hoping to avoid?

Regards
Chris
SchoolTST

Message 5 of 12
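The table above, together with DaneA's ACL suggestion in message 2 and the "do I have to set ACLs up?" question in message 4, can be checked mechanically. The following is an added example written for this thread, not NETGEAR code and not the poster's configuration: it evaluates a first-match ACL against the four VLAN roles and flags rules that can never match because an earlier rule already covers them. The address plan (10.0.1.0/24 for VLAN 1 with the server at 10.0.1.10, 10.0.2.0/24 for VLAN 500, 10.0.3.0/24 for VLAN 501, 10.0.4.0/24 for VLAN 502) is constructed; the schools' real subnets are not in the thread.

```python
# First-match ACL evaluation against the VLAN policy table.  Added example for this thread;
# the address plan is constructed and the rules are written from the table, not copied from
# any NETGEAR configuration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER = ipaddress.ip_network("10.0.1.10/32")      # constructed server address on VLAN 1
WIRED = ipaddress.ip_network("10.0.1.0/24")        # VLAN 1   (trusted, server access)
CURRICULUM = ipaddress.ip_network("10.0.2.0/24")   # VLAN 500 (trusted, server access)
SCHOOL = ipaddress.ip_network("10.0.3.0/24")       # VLAN 501 (untrusted, no server access)
GUEST = ipaddress.ip_network("10.0.4.0/24")        # VLAN 502 (untrusted, isolated)

# The table as rules: trusted VLANs may reach the server, nothing else may, and all other
# traffic (Internet-bound) is left alone by a final catch-all permit.
POLICY: List[Rule] = [
    Rule("permit", WIRED, SERVER),
    Rule("permit", CURRICULUM, SERVER),
    Rule("deny", ANY, SERVER),
    Rule("permit", ANY, ANY),
]

# The same rules with the catch-all permit first: a common mistake.
MISORDERED: List[Rule] = [POLICY[3]] + POLICY[:3]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule decides.  With no match the ACL ends in an implicit deny, which is
    how switch IP ACLs generally behave: once an ACL is applied, anything not permitted is
    dropped.  With no ACL applied at all, nothing is filtered."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers all their traffic."""
    dead: List[int] = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                dead.append(j)
                break
    return dead


def policy_matrix(acl: List[Rule]) -> Dict[str, str]:
    """Server reachability from one sample host per VLAN, for a quick check against the table."""
    samples = {"VLAN 1": "10.0.1.20", "VLAN 500": "10.0.2.20",
               "VLAN 501": "10.0.3.20", "VLAN 502": "10.0.4.20"}
    return {name: evaluate(acl, ip, "10.0.1.10") for name, ip in samples.items()}


if __name__ == "__main__":
    print("policy   :", policy_matrix(POLICY), "dead rules:", shadowed_rules(POLICY))
    print("misordered:", policy_matrix(MISORDERED), "dead rules:", shadowed_rules(MISORDERED))
```

Running it shows the intended matrix (VLAN 1 and 500 permitted, 501 and 502 denied) for the ordered list, and everything permitted plus three dead rules for the misordered one. The implicit-deny behaviour also answers the message 4 question: with no ACL applied, hosts in any VLAN that the server port belongs to can reach it; the moment an ACL is applied, only what it permits gets through, so the final catch-all permit matters as much as the denies.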
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

@SchoolTST,

 

I understand that you are trying to avoid as much configuration as possible such as setting up ACLs.  With regard to this, you might want to consider setting up Asymmetric VLAN.  

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 6 of 12
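The forwarding question in message 1 (server port untagged in both VLAN 1 and VLAN 500, AP on a trunk) and the asymmetric VLAN suggested just above both come down to two rules of 802.1Q port-based VLANs: an untagged frame entering a port is placed in that port's single PVID, and a frame is flooded only to ports that are members of its VLAN, leaving untagged on "U" ports and tagged on "T" ports. The model below is an added example written for this thread, not NETGEAR code or the poster's configuration; the port names, memberships and PVIDs are constructed, and the asymmetric layout is the generally described form of that technique, assumed here rather than taken from a NETGEAR document.

```python
# Model of 802.1Q port-based VLAN forwarding on a smart/managed switch (flooding only,
# no MAC learning).  Added example for this thread; every port name, VLAN membership and
# PVID below is constructed, not read from the poster's switches.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    members: Set[int]    # VLANs the port participates in
    untagged: Set[int]   # members sent out without a tag (the "U" ports in the NETGEAR UI)
    pvid: int            # VLAN given to untagged frames that arrive on this port


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is placed in on arrival, or None if it is dropped.

    An untagged frame takes the port's PVID; a tagged frame is accepted only if the port
    is a member of that VLAN (ingress filtering, the usual default).  A port has exactly
    one PVID, so an untagged frame can never enter two VLANs at once.
    """
    vlan = port.pvid if tag is None else tag
    return vlan if vlan in port.members else None


def forward(switch: Dict[str, Port], ingress: str, tag: Optional[int]) -> Dict[str, Optional[int]]:
    """Flood a frame to every other member port of its VLAN.

    Returns {egress port: tag on the wire}; None means the frame leaves untagged.
    """
    vlan = classify_ingress(switch[ingress], tag)
    if vlan is None:
        return {}
    out: Dict[str, Optional[int]] = {}
    for name, port in switch.items():
        if name == ingress or vlan not in port.members:
            continue
        out[name] = None if vlan in port.untagged else vlan
    return out


# Scenario from message 1: server port untagged in VLAN 1 *and* VLAN 500 with the PVID left
# at 1; the AP is on a trunk port (tagged 500 for the curriculum SSID, untagged 1 so the AP
# itself gets a management address).
poster_layout = {
    "ap_trunk": Port(members={1, 500}, untagged={1}, pvid=1),
    "server":   Port(members={1, 500}, untagged={1, 500}, pvid=1),
    "wired_pc": Port(members={1}, untagged={1}, pvid=1),
}


def wifi_to_server(switch: Dict[str, Port] = poster_layout) -> Dict[str, Optional[int]]:
    """A curriculum-SSID client's frame arrives on the trunk tagged 500."""
    return forward(switch, "ap_trunk", 500)


def server_reply(switch: Dict[str, Port] = poster_layout) -> Dict[str, Optional[int]]:
    """The server's NIC answers untagged, so the reply is classified by the PVID (VLAN 1)."""
    return forward(switch, "server", None)


# Scenario from message 6: the usual "asymmetric VLAN" layout, assumed here rather than taken
# from a NETGEAR document: a shared VLAN (1) on every port; each client group in its own VLAN
# that also contains the shared port; shared port PVID = 1, client port PVID = own VLAN.
# Everything is untagged, which is why it does not combine with a tagged AP trunk.  A real
# switch additionally has to learn MAC addresses across these VLANs for unicast to work.
asymmetric_layout = {
    "server":    Port(members={1, 500, 501}, untagged={1, 500, 501}, pvid=1),
    "wifi_cur":  Port(members={1, 500}, untagged={1, 500}, pvid=500),
    "wifi_byod": Port(members={1, 501}, untagged={1, 501}, pvid=501),
}


if __name__ == "__main__":
    print("message-1 layout, Wi-Fi -> server :", wifi_to_server())
    print("message-1 layout, server reply    :", server_reply())
    for src in asymmetric_layout:
        print(f"asymmetric layout, {src} -> {forward(asymmetric_layout, src, None)}")
```

With the message 1 layout the client's frame does reach the server (untagged, since the server port is a "U" member of 500), but nothing is duplicated: the server's untagged reply enters VLAN 1 by PVID and leaves the trunk untagged, that is, in the AP's management VLAN rather than in VLAN 500. The two ways to put the reply into VLAN 500 are to make 500 the server port's PVID (at the cost of the wired VLAN 1 devices) or to tag the server NIC as Xavier suggested. In the asymmetric layout each client port reaches only the shared server port while the server reaches every client port, which is the point of that technique.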
SchoolTST
Aspirant

Re: VLAN Configuration

DaneA,

 

I had never heard of this variant of VLANs and that was a useful exercise to read through. This may be possible but it means changing the default VLAN, or at least removing the default VLAN from most of the switch ports to avoid cross communication on all the VLANs... obviously this leads to management issues when you need to remote in to the switch unless there is a dedicated management access port. I also think it will not be possible due to the nature of the WiFi access points as they require trunked VLAN ports.

 

I think the solution is going to have to include at least VLAN Routing and maybe the ACLs too. I have found that I should be able to configure both on the M4100-D12G switch according to the manual (I'm a bit sketchy when it comes to what is possible on certain Netgear Switches).

 

I did have trouble with the VLAN routing setup before when I last attempted it, but I am thinking that was caused by trying to setup VLAN interfaces subnetted within the range that was already set as the default VLAN interface (i.e. I didn't realise that the switch IP and subnet was not only the management interface but also the default VLAN interface) so I guess I was trying to subnet a subnet(!) and the switch didn't like that so gave me configuration errors.

 

Regardless of the issues, all the reading and advice has got me to the point where I am happy to purchase some APs and an M4100 switch and try to simulate what I have been discussing. I will likely come back and mark one of your posts as answered. I will however no doubt be posting a specific configuration issue back here once I actually get down to configuration.

 

Regards

SchoolsTST

Message 7 of 12
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

@SchoolTST,

 

Thanks for the feedback.  About VLAN Routing, kindly access and read the article below because this would help:

 

VLAN Routing on NETGEAR Smart Switches

 

 

Regards,

 

DaneA

NETGEAR Community Team

 

Message 8 of 12
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

@SchoolTST,

 

I just want to follow-up on this.  Let us know if you have further questions.

 

Otherwise, if ever your concern has been addressed / resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 9 of 12
SchoolTST
Aspirant

Re: VLAN Configuration

Hi All,

 

The wireless configuration is all but completed, at least to the point of testing; implementation is delayed due to a 3rd party not being available - the usual multi-provider bureaucracy that affects all organisations small or large! Below I will state what has been done, and the final question for the thread is just a nice-to-have.

 

We have configured two VLANs (1 and 500) on the M4100 switch.

Interface for VLAN1 is 10.122.x.11/22 and the gateway for this network is 10.122.x.11/22

Interface for VLAN500 is 10.87.x.2/24 and the gateway for this network is 10.87.x.2/24

DHCP has been configured for these ranges on the Windows Server on VLAN1

Static IP addresses for both networks have been assigned to the NIC on the Windows Server

A Global IP Helper has been configured with the destination set as the Windows Server, enabling UDP DHCP requests from VLAN500

 

Once the Windows Server has assigned a DHCP address to a device on VLAN500 in the 10.87 range there seems to be no communication between the networks, and this is presumably because the IP Helper is only UDP. I'm not entirely happy with this, but setting up IP Helpers on specific DHCP port numbers did not enable the assignment of addresses.

 

So we are using the VLAN routing only as a method of network assignment via DHCP. As far as I understand it, more routing configuration would only be required if the number of VLANs and segregated networks was greater than the number of physical interfaces I am trying to bridge to the WAPs. Currently we do not have to create more than two SSIDs but that will change in the future. I am unsure if there is more to configure on the M4100 in this scenario apart from additional VLANs; it appears that the additional routing information would have to be configured on the router.

 

If anyone wants to work on this problem with me then feel free to write a private message, but I think I have gone far enough in this thread.

 

Anyway, answered or not this question remains but I have a working solution.

 

Thank you for your help.

Message 10 of 12
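What the global IP helper in the configuration above actually does, and why it cannot by itself give VLAN 500 hosts "communication between the networks", is easiest to see on the wire. The model below is an added example written for this thread, not NETGEAR or Windows code: it builds a DHCPDISCOVER, applies the relay step (set giaddr to the VLAN 500 routing interface, increment hops, forward unicast to the server on UDP/67), and shows how the server picks a scope from giaddr and where it sends the offer. Addresses are constructed: 10.122.0.0/22 and 10.87.0.0/24 stand in for the thread's 10.122.x.0/22 and 10.87.x.0/24, whose real third octet is not given, and 10.122.0.10 / 10.87.0.2 are placeholder server and interface addresses.

```python
# Model of a DHCP relay ("IP helper") and of scope selection on the DHCP server.
# Added example for this thread, not NETGEAR or Windows code.  Addresses are constructed
# placeholders: 10.122.0.0/22 and 10.87.0.0/24 stand in for the thread's 10.122.x and 10.87.x.
import ipaddress
import struct
from typing import Dict, Optional

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)          # offset of giaddr in the RFC 2131 fixed header
ZERO4 = b"\x00" * 4

SERVER_IP = "10.122.0.10"       # constructed: Windows Server on VLAN 1
RELAY_IP = "10.87.0.2"          # constructed: the switch's VLAN 500 routing interface
SCOPES: Dict[ipaddress.IPv4Network, str] = {   # constructed scopes on the server
    ipaddress.ip_network("10.122.0.0/22"): "VLAN 1 scope",
    ipaddress.ip_network("10.87.0.0/24"): "VLAN 500 scope",
}


def build_discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """A minimal DHCPDISCOVER: RFC 2131 fixed header (236 bytes) plus the message-type option."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,          # op, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        ZERO4, ZERO4, ZERO4, ZERO4,    # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])   # type=DISCOVER, end
    return header + options


def helper_applies(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """The helper only acts on UDP broadcasts to the BOOTP server port carrying a BOOTREQUEST.
    Any other traffic between the VLANs is ordinary routed traffic: it needs routing on the
    VLAN interfaces and a default gateway on the hosts, not a helper."""
    return (dst_ip == "255.255.255.255" and dst_port == 67
            and len(payload) >= 236 and payload[0] == BOOTREQUEST)


def relay(packet: bytes, relay_interface_ip: str) -> bytes:
    """Relay step: set giaddr to the receiving VLAN interface (unless an earlier relay already
    set it), bump hops; the result is sent unicast to the helper address on UDP/67."""
    giaddr = packet[GIADDR]
    if giaddr == ZERO4:
        giaddr = ipaddress.ip_address(relay_interface_ip).packed
    hops = packet[3] + 1
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def select_scope(packet: bytes, receiving_interface_ip: str = SERVER_IP) -> Optional[str]:
    """The server chooses the scope containing giaddr.  With giaddr zero the client is on the
    server's own segment, so the receiving interface's address is used instead."""
    giaddr = packet[GIADDR]
    key = (ipaddress.ip_address(receiving_interface_ip) if giaddr == ZERO4
           else ipaddress.ip_address(giaddr))
    for net, name in SCOPES.items():
        if key in net:
            return name
    return None


def offer_destination(packet: bytes) -> str:
    """The server returns the OFFER to giaddr when it is set (the relay then re-broadcasts it
    on the client's VLAN); otherwise it is broadcast on the server's own segment."""
    giaddr = packet[GIADDR]
    return "255.255.255.255" if giaddr == ZERO4 else str(ipaddress.ip_address(giaddr))


if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")   # constructed client MAC
    print("helper applies:", helper_applies("255.255.255.255", 67, discover))
    relayed = relay(discover, RELAY_IP)
    print("relayed client:", select_scope(relayed), "| offer sent to:", offer_destination(relayed))
    print("direct client :", select_scope(discover), "| offer sent to:", offer_destination(discover))
```

Two things follow for the setup described above. The server needs a scope whose range contains the relay interface address (10.87.x.2 in the thread) or it will ignore the relayed request, which is the usual reason helper-based DHCP silently fails. And because the helper forwards only this one kind of broadcast, a VLAN 500 host that has obtained an address still reaches VLAN 1 only if routing is enabled on both VLAN interfaces and the hosts' default gateway is the switch's interface in their own VLAN; the helper has no part in that traffic.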
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

@SchoolTST,

 

Kindly answer the questions below:

 

a. What if you try to set a static IP address on the device on VLAN 500, does the same problem occur?

b. How is everything connected? Is the M4100 switch connected to another switch or to a router?  You may post a diagram of your existing network setup.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 11 of 12
DaneA
NETGEAR Employee Retired

Re: VLAN Configuration

@SchoolTST,

 

Just want to follow-up on this.  Otherwise, are you fine with the working solution you mentioned from your last reply? 

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 12 of 12
Discussion stats
  • 11 replies
  • 9964 views
  • 1 kudo
  • 3 in conversation