This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Hi there I'm building a network right now and I'm configuring my switch on which leads to the router and then into the network. Short questions about the VLAN: A) Have I configured the VLANs correctly? (see pictures) I want exactly one VLAN per port B) How do I make sure that the different networks can only access the corresponding VLAN? e. g. VLAN 4 = printer Printers should then be connected directly to VLAN 4 on the switch. Does it have to be done on the router?
Ref. the VMs ... it depends on how the interfaces are configured - on the virtualisation host as well as on the VM itself. A system can handle just an untagged network, or multiple services which can talk or offer services to multiple VLANs can be configured for tagging (multiple virtual interfaces), so the port can be either dedicated to one VLAN (untagged), or as a VLAN trunk handling access to multiple VLANs.
B) How do I make sure that the different networks can only access the corresponding VLAN? e. g. VLAN 4 = printer Printers should then be connected directly to VLAN 4 on the switch. Does it have to be done on the router?
Assuming you make use of 802.1Q Advanced settings - because somehow you need to connect all the VLAN to a router, what typically does happen by a VLAN trunk, inlcuding all VLANs. With a PVID 4 set on the port, and set the port to [U] for VLAN ID 4, and no other VLAN being a member of this port - yes, this port does just connct t the VLAN ID 4. And of course, each VLAN must have it's own TCP/IP subnetwork, maintained and supported ie by a DHCP server, from the router. To have the printers discoverable from the client (PC, Mac, mobile device, ....), to have printers reachable from the other VLAN(s), router and the firewall rules must be set accordingly.
Putting printers to a dedicated VLAN does make sense only on a bigger managed environment, where all printing and queueing is handled on a server. For work group or direct printing, this i not the greatest idea. It will mostly prohibit printing from mobile devices like iOS or Android, too.
Tell us a little bit more on the environment (ie. router, servers, VLAN plan, ...).
B) How do I make sure that the different networks can only access the corresponding VLAN? e. g. VLAN 4 = printer Printers should then be connected directly to VLAN 4 on the switch. Does it have to be done on the router?
Assuming you make use of 802.1Q Advanced settings - because somehow you need to connect all the VLAN to a router, what typically does happen by a VLAN trunk, inlcuding all VLANs. With a PVID 4 set on the port, and set the port to [U] for VLAN ID 4, and no other VLAN being a member of this port - yes, this port does just connct t the VLAN ID 4. And of course, each VLAN must have it's own TCP/IP subnetwork, maintained and supported ie by a DHCP server, from the router. To have the printers discoverable from the client (PC, Mac, mobile device, ....), to have printers reachable from the other VLAN(s), router and the firewall rules must be set accordingly.
Putting printers to a dedicated VLAN does make sense only on a bigger managed environment, where all printing and queueing is handled on a server. For work group or direct printing, this i not the greatest idea. It will mostly prohibit printing from mobile devices like iOS or Android, too.
Tell us a little bit more on the environment (ie. router, servers, VLAN plan, ...).
Hello schumaku Thank you very much for your answer, I really appreciate it. A) So are these configurations enough for VLAN on the switch or does it require more? B) Yes I will set some firewall rules Concering my environment: - I will have 3 zones, network (router), DMZ (Webserver, Mailserver and PBX-Server) and LAN zone (Printer, Clients, Phone) Network services: DHCP, DNS, FTP, SMB, HTTP/s, SLP, NTP, SSH, RTP DMZ services: HTTP/s, FTP, IMAP, POP3, SMTP, SMB LAN services: SSH, RTP, FTP, DHCP, DNS, SLP, SMTP, POP3, IMAP, IPP, VOIP, SIP
Router: Edgerouter X
Server: Mailserver Webserver PBX-Server
VLAN-plan: 1: WLAN 2: PC 3: VOIP 4: Printer
Firewallrules: I did it like that: LAN zone - DMZ zone: All zones from LAN zone to DMZ zone will be allowed and the rest will be denied. The rest is deny all. Did it like that with every zone. And outbound to inbound is denied all.
What do you think is this enough safe and professional?
Try to tie Zones, VLANs, and TCP/IP subnetworks together.
While your approach might be well secure, it might be unhandy, depending on the usage again. A "hundred" years ago, where the wireless was for surfing the Internet, and probably accessing some internal mail servers, plus an Intranet server, this set-up was state-of-the-art.
Today, you want the WLAN for your trusted devices, the LAN, NAS, and printers very near together - easily discoverable services, ad-hoc access to the services, say to a multi-function-device form a mobile phone to scan some document pages.
Can I tie up the Zones, VLANs abd Subnets on the router or on the switch. And how can I do this? How can I „connect“ them? Dont really understand this to be honest And B) Is this correct and safe with the firewall rules? C) Do you know how I configure virtuelle machines like a client for the VLAN on a physical switch?
Try to tie Zones, VLANs, and TCP/IP subnetworks together.
While your approach might be well secure, it might be unhandy, depending on the usage again. A "hundred" years ago, where the wireless was for surfing the Internet, and probably accessing some internal mail servers, plus an Intranet server, this set-up was state-of-the-art.
Today, you want the WLAN for your trusted devices, the LAN, NAS, and printers very near together - easily discoverable services, ad-hoc access to the services, say to a multi-function-device form a mobile phone to scan some document pages.
Can I tie up the Zones, VLANs abd Subnets on the router or on the switch. And how can I do this? How can I „connect“ them? Dont really understand this to be honest And B) Is this correct and safe with the firewall rules? C) Do you know how I configure virtuelle machines like a client for the VLAN on a physical switch?
- I will have 3 zones, network (router), DMZ (Webserver, Mailserver and PBX-Server) and LAN zone (Printer, Clients, Phone) VLAN-plan: 1: WLAN 2: PC 3: VOIP 4: Printer
This is what I was talking ref. tie up - wiht a single LAN zone, keep PC, printer, WLAN (your trusted devices), use a single VLAN. Sorry for the confusion.
Ref. the VMs ... it depends on how the interfaces are configured - on the virtualisation host as well as on the VM itself. A system can handle just an untagged network, or multiple services which can talk or offer services to multiple VLANs can be configured for tagging (multiple virtual interfaces), so the port can be either dedicated to one VLAN (untagged), or as a VLAN trunk handling access to multiple VLANs.
