Solved

Need help setting up VLAN, Is this even possible?

Posted on 2010-11-17
2
482 Views
Last Modified: 2012-06-27
We have a client who is wanting to provide internet access to guests in their main building via wireless access points.  Our goal is to be able to provide them with this access while separating them from the rest of the internal network, while also providing ourselves with wireless access to the entire network in the main building.

We are using Engenius EAP 9550 Access Points, I have the choice of using a Netgear ProSafe JFS524E or a Cisco Catalyst 2950 Switch, and a our router/firewall is a Sonic Wall TZ170.

I have explored through all the settings and can not seem to figure out how to make this work.  Is it possible to split a port between two VLANs so that one side can not have access to the internal network.  I feel like I have been beating my head on a brick wall trying to figure this out.  So now I am here, can anyone provide any insight into some possible solutions
0
Comment
Question by:pennelltechs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 2

Accepted Solution

by:
worpx earned 250 total points
ID: 34156049
Yes, you can create a VLAN for this purpose to segragate networks. However, the function that you want is in the firewall. Create an ACL to subnet out the ranges you want passing through the firewall.

I would assign a guest VLAN in your switch, assign a separate DHCP range and create a static NAT for that DHCP range in order to allow access to the internet, but not to the internal network, or vice-versa.

0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 250 total points
ID: 34163401
Your access points has this feature for you to use:

- Multiple SSID with 802.1q VLAN Tagging (up to 4 SSID)(Access Point mode)


You will need to create one SSID for guests and another SSID for yourselves, and then put each SSID into different VLANs.

Each VLAN will have its oen subnet, and you should treat those as different DMZs on the firewall.

If your firewall can handle VLAN the it can be a single connection between switch and firewall - if not you need to have a separate port for each VLAN.

Obviously you will need to configure the VLANs on the switch too - and the port towards the access point needs to be trunk with .1q tagging.

Your firewall need be DHCP server on each subnet - clearly with different IP subnets.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Need WiFi? Often, there are perfectly good networks that don't have WiFi capability - and there's a need to add it.  - Perhaps you have an Ethernet port into a network but no WiFi nearby. - Perhaps you have a powerline extender and no WiFi at the…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question