When do I need a VLAN ID? I want to create 3 VLANs but not reconfigure current LAN.

We currently have 2 networks but everything is on different hardware (firewall, switches, endpoints). What I would like to do is put everything onto the same equipment but VLAN it so each network is functioning as if it were on different physical hardware.

We have Dell switches and I have setup VLANs before. My confusion always comes when picking the VLAN type. Can someone provide some direction on this and I'm sure I will have more questions.
John Meggers (Network Architect) commented:
It may be slightly different between different platforms, but basic VLAN configuration on a Cisco switch port is to create the VLAN itself and then assign ports to that VLAN.   Most switches these days will create the VLAN automatically if you assign the switch port to a VLAN that doesn't exist.

interface gig1/0/1
 ! access port: carries a single VLAN (10) untagged toward the end device
 switchport mode access
 switchport access vlan 10

If you want the switch to route between VLANs, create a VLAN interface and assign it an IP address from the correct subnet.  If you want VLAN separation with no routing, don't create the VLAN interfaces.

! SVI: gives the switch a routed interface in VLAN 10 (omit if no inter-VLAN routing is wanted)
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shut

Don Johnston (Instructor) commented:
>My confusion always comes when picking the VLAN type.

Can you elaborate on what you mean by "type"?
ThorinO (Author) commented:
Sorry, what I mean is that there is access, general and trunk. I have attached two basic images of what our current network looks like and what I am trying to get to. Basically we have a 40 port PoE switch that is being used as a WAN switch where an internet connection comes in and breaks off to two firewalls.

[Attached image: Current Network]
We need to add more VoIP phones and I would like to just uplink the two switches (PBX) and keep adding phones. I would like to keep traffic separate so that the WAN ports and PBX ports don't communicate.  

[Attached image: Proposed Network]
Don Johnston (Instructor) commented:
Okay. Now I get it.

You're not talking about VLAN types but port (or link) types.

An access port can carry only one VLAN. This is what would go to a PC.

A trunk port can carry multiple VLANs. This would be used between switches or from a switch to a server. They can also be used between a switch and a VoIP phone if the phone allows a PC to connect through it.

ThorinO (Author) commented:
So in my scenario, do I need to put the WAN ports in 1 VLAN and the PBX ports in another VLAN using access as the type?

What do I do about the uplink ports, do I just need to make them trunk ports?

So I need to create the same VLANs on the other switch 2 also even if they go unused (WAN) and add the PBX LAN ports to the same VLAN name as I used on switch 1?

Don Johnston (Instructor) commented:
>Do I need to put the WAN ports in 1 VLAN, the PBX ports in another VLAN using access as the type?

You could do that. (although, best practice is to not use VLAN 1 for any user/data traffic)

>What do I do about the uplink ports, do I just need to make them trunk ports?

If the port needs to carry more than one VLAN, yes. Otherwise you could leave it as an access link. But to accommodate future possibilities, I would go with a trunk.

>So I need to create the same VLANs on the other switch 2 also even if they go unused (WAN) and add
>the PBX LAN ports to the same VLAN name as I used on switch 1?

The VLAN only has to exist if it has to go through the switch. So for example let's say you've got three switches daisy chained together (with trunks):

Sw1 ----- Sw2 ----- Sw3.

Sw1 and Sw3 have ports in VLAN 66. In order for this VLAN 66 traffic to move from Sw1 to Sw3, VLAN 66 must exist on Sw2 (even though there are no ports in VLAN 66 on Sw2).

Now let's say that Sw1 and Sw2 have ports in VLAN 58. Obviously, VLAN 58 has to exist on Sw1 and Sw2, but it does not have to exist on Sw3 (it can, but it doesn't have to).


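One way to make the transit-switch rule and the access/trunk distinction concrete is a small reachability model. The following is an added example, not code from the thread or from any switch vendor; it reuses the switch names and VLAN numbers above (Sw1, Sw2, Sw3, VLAN 58 and VLAN 66), and the link layout, link modes and helper names (Fabric, vlan_path, missing_on_path, build_chain) are assumptions made for the illustration.

```python
"""Added example (not part of the thread): a small model of the Layer 2 rules
stated in the answer above. Switch names and VLAN numbers (Sw1..Sw3, VLAN 58
and 66) come from the thread; the links, modes and helper names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Switch:
    name: str
    vlans: Set[int]  # VLAN database: the VLAN IDs this switch has been told about


@dataclass
class Link:
    a: str
    b: str
    mode: str        # "access" carries exactly one VLAN, "trunk" carries many
    vlans: Set[int]  # trunk: VLANs allowed on the link; access: the single VLAN

    def __post_init__(self) -> None:
        if self.mode not in ("access", "trunk"):
            raise ValueError(f"unknown link mode {self.mode!r}")
        if self.mode == "access" and len(self.vlans) != 1:
            raise ValueError(f"access link {self.a}-{self.b} must carry exactly one VLAN")


class Fabric:
    def __init__(self, switches: List[Switch], links: List[Link]) -> None:
        self.switches = {s.name: s for s in switches}
        self.links = links

    def _neighbours(self, name: str, vlan: int):
        """Switches adjacent to `name` over a link that admits `vlan`."""
        for link in self.links:
            if vlan not in link.vlans:
                continue
            if link.a == name:
                yield link.b
            elif link.b == name:
                yield link.a

    def vlan_path(self, src: str, dst: str, vlan: int,
                  check_db: bool = True) -> Optional[List[str]]:
        """Switch-by-switch path a frame in `vlan` takes from src to dst, or None.

        With check_db=True the VLAN must exist on every switch it passes
        through (the transit-switch rule from the thread); with check_db=False
        only the links are considered, which is used to locate the gaps."""
        if check_db and vlan not in self.switches[src].vlans:
            return None
        seen = {src}
        stack = [(src, [src])]
        while stack:
            cur, path = stack.pop()
            if cur == dst:
                return path
            for nxt in self._neighbours(cur, vlan):
                if nxt in seen:
                    continue
                if check_db and vlan not in self.switches[nxt].vlans:
                    continue  # frame is dropped here: VLAN unknown on this switch
                seen.add(nxt)
                stack.append((nxt, path + [nxt]))
        return None

    def missing_on_path(self, src: str, dst: str, vlan: int) -> List[str]:
        """Switches on the link-level path that still need `vlan` created."""
        path = self.vlan_path(src, dst, vlan, check_db=False) or []
        return [n for n in path if vlan not in self.switches[n].vlans]

    def access_links_on_vlan1(self) -> List[str]:
        """Access links that put user traffic on VLAN 1, against the advice above."""
        return [f"{l.a}-{l.b}" for l in self.links if l.mode == "access" and 1 in l.vlans]


def build_chain(vlan66_on_sw2: bool, sw2_sw3_mode: str = "trunk") -> Fabric:
    """Sw1 ----- Sw2 ----- Sw3 from the thread; Sw2 may or may not know VLAN 66."""
    sw1 = Switch("Sw1", {1, 58, 66})
    sw2 = Switch("Sw2", {1, 58} | ({66} if vlan66_on_sw2 else set()))
    sw3 = Switch("Sw3", {1, 66})
    # constructed links: Sw1-Sw2 is always a trunk; Sw2-Sw3 is a trunk or a VLAN 66 access link
    sw2_sw3_vlans = {1, 58, 66} if sw2_sw3_mode == "trunk" else {66}
    links = [
        Link("Sw1", "Sw2", "trunk", {1, 58, 66}),
        Link("Sw2", "Sw3", sw2_sw3_mode, sw2_sw3_vlans),
    ]
    return Fabric([sw1, sw2, sw3], links)


if __name__ == "__main__":
    broken = build_chain(vlan66_on_sw2=False)
    print("VLAN 66 Sw1->Sw3:", broken.vlan_path("Sw1", "Sw3", 66))        # None
    print("needs VLAN 66 on:", broken.missing_on_path("Sw1", "Sw3", 66))  # ['Sw2']
    fixed = build_chain(vlan66_on_sw2=True)
    print("VLAN 66 Sw1->Sw3:", fixed.vlan_path("Sw1", "Sw3", 66))         # ['Sw1', 'Sw2', 'Sw3']
    print("VLAN 58 Sw1->Sw2:", fixed.vlan_path("Sw1", "Sw2", 58))         # ['Sw1', 'Sw2']
```

With VLAN 66 absent from Sw2 the first lookup returns None and Sw2 is reported as the switch that still needs the VLAN; after adding it the path completes, while VLAN 58 never needs to exist on Sw3. Switching the Sw2-Sw3 link to access mode shows the other point in the answer: an access link admits one VLAN only, so VLAN 58 can no longer cross it.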
ThorinO (Author) commented:
You are saying I should leave VLAN 1 as default and make 2 for WAN and 3 for Phone and maybe 4 for data?

Do I only use numbers for VLANs or can I give them names to be more descriptive?

If I am going to do it right and just put the same VLANs on all the switches do I just need to make the uplink ports trunk or all ports trunk?

Our data LAN is 10.100.0.x, our PBX network is 192.168.0.x, and then we have ports 1-3 which are public. Do I need a L3 switch or router if I want to selectively allow traffic between the subnets?

For example, what if I want our data network 10.100.0.x to be able to connect to 192.168.0.5 on port 80?
Don Johnston (Instructor) commented:
>You are saying I should leave VLAN 1 as default and make 2 for WAN and 3 for Phone and maybe 4 for data?

Yep.

>Do I only use numbers for VLANs or can I give them names to be more descriptive?

VLAN IDs are numerical. However, you can usually associate a name with the number.

>If I am going to do it right and just put the same VLANs on all the switches do I just need to make the uplink ports trunk or all ports trunk?

You don't have to make the inter-switch links trunks unless they will be carrying multiple VLANs. But I would make them trunks.

>Our data LAN is 10.100.0.x, our PBX network is 192.168.0.x, and then we have ports 1-3 which are public. Do I need a L3 switch or router if I want to selectively allow traffic between the subnets?

Either a router or a multilayer switch is required if you want to move any traffic between VLANs.

>For example, what if I want our data network 10.100.0.x to be able to connect to 192.168.0.5 on port 80?

You need a router or multilayer switch.
ThorinO (Author) commented:
Sorry for the delay on this one. A question I was thinking about yesterday/today.

I have all my data on 10.100.0.x and all my VoIP on 192.168.0.x. I would not have enough private IPs on one subnet for everything which means I need to break them down. Since that is the case, is the only way to communicate between the two by doing layer 3 switching or with a router?

Would a SonicWALL firewall be able to route traffic between the two?

If I do route between the two do I need VLANs?
Don Johnston (Instructor) commented:
>is the only way to communicate between the two by doing layer 3 switching or with a router?
Yes

>Would a SonicWALL firewall be able to route traffic between the two?
Yes

>If I do route between the two do I need VLANs?
The term VLAN is synonymous with IP network. So if you have two networks, you do have two VLANs.
ThorinO (Author) commented:
I assume a Juniper SSG-140 would also route the same way a SonicWALL would. I am less familiar with our Juniper but I assume it has the same functionality.

So then with my current setup as pictured above. Could I just create a VLAN for the 3 WAN ports and leave everything else the same then have the Juniper/SonicWALL route traffic?

I would prefer not to get into VLAN tagging or L3 switching if possible and keep configuration and hardware as simple as possible.
Don Johnston (Instructor) commented:
>Could I just create a VLAN for the 3 WAN ports and leave everything else the same then have the Juniper/SonicWALL route traffic?

Without more detailed information on your network, it's hard to say for certain. But yes, that should work.
ThorinO (Author) commented:
So let's assume I had two networks on a SonicWALL. If I am on the 10 network and ping 192.168.0.25 for example, the gateway assigned to my system (the SonicWALL) should route it correctly based upon firewall rules, correct?
Don Johnston (Instructor) commented:
Once again, without more information as to the topology of the network (layer 2 and layer 3), I really can't say.