How can I set up this VLAN?

I would like to simulate the installation of a VLAN in case this comes up at a future job I may get a contract for.  As I understand it, VLANs allow you to separate individual LANs on a single switch without the need for a router in between each one.  

The job I'm bidding on is a law firm with 30 or so networking devices whose cables culminate into a single server room.  They also have 8 - 10 connections that belong to rooms that are being subleased to other small companies and entrepreneurs.   These connections cannot be allowed access to the Law Firm's computers or servers but, as part of the sublease, they are allowed to use devices like the network printers and scanners.

The equipment they currently have is three 2960 Catalyst switches which each have 24 10/100 ports and 2x Gigabit ports.  They also have an Internet connection.

Is it possible to do this with what the company has?  I don't need the actual IOS commands to run, just a brief overview of how to set it up (i.e., 1 VLAN for the law office computers and servers, 1 VLAN for each sublease).
1. Set up separate VLANs as you suggest.
2. Also add a separate VLAN for network printers and scanners.
3. You also need to set up firewall routing to prevent routing between the VLANs that you don't want access to be available to, i.e. grant access to the network printers and scanners, but deny access to everything else except its own VLAN.
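The policy in step 3 can be checked before it is deployed. The following is an added example, not part of the original thread: it models first-match, stateless ACLs between the VLANs and reports any routed path between the firm and a tenant, including what happens when a broad permit is placed ahead of the deny. The subnets, VLAN names and rule set are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption: the thread gives no subnets).
VLANS = {
    "firm":     ipaddress.ip_network("10.0.10.0/24"),
    "tenant_a": ipaddress.ip_network("10.0.20.0/24"),
    "tenant_b": ipaddress.ip_network("10.0.30.0/24"),
    "shared":   ipaddress.ip_network("10.0.99.0/24"),  # printers, scanners
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_acl(src_vlan):
    """Ordered rules for traffic routed out of src_vlan (first match wins)."""
    if src_vlan == "shared":
        # Stateless filtering: printers must be able to answer every client VLAN.
        return [("permit", INTERNAL)]
    return [
        ("permit", VLANS["shared"]),  # printers and scanners
        ("deny", INTERNAL),           # every other internal VLAN
        ("permit", ANY),              # Internet
    ]

def allowed(src_ip, dst_ip, acl=build_acl):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    vlan = next((n for n, net in VLANS.items() if src in net), None)
    if vlan is None:
        return False                  # unknown source: drop
    if dst in VLANS[vlan]:
        return True                   # same VLAN is switched, never filtered
    for action, net in acl(vlan):
        if dst in net:
            return action == "permit"
    return False                      # implicit deny at the end of the list

def violations(acl=build_acl):
    """Routed paths between the firm and tenants (or tenant to tenant)."""
    private = [n for n in VLANS if n != "shared"]
    host = {n: str(VLANS[n].network_address + 10) for n in VLANS}
    return [(s, d) for s in private for d in private
            if s != d and allowed(host[s], host[d], acl)]

def misordered_acl(src_vlan):
    """Same rules with the broad permit first: the deny is never reached."""
    return [("permit", ANY)] + build_acl(src_vlan)

if __name__ == "__main__":
    print("correct order:", violations())
    print("permit-any first:", violations(misordered_acl))
```

Because the filtering modeled here is stateless, the shared VLAN is permitted to reach every internal subnet so that printers can reply, which is why those devices should be treated as part of the trust boundary.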
epichero22 (Author) commented:
Do I need extra equipment for #3?
I believe the Catalyst switches you mentioned have that capability.
epichero22 (Author) commented:
What about communication between the switches and uplink to the Internet?  How should I set up trunking?
You can set up ports on different switches as part of a VLAN.  How trunking is configured will depend on your network topology.

If all systems get Internet access, then include it in your printers VLAN.
The switches may be set up with an access list to control what traffic can go where.
The Internet will be through a router, which would normally connect to a dedicated VLAN just for that purpose. Each business would be on their own VLAN, with the shared resources on a sort of DMZ VLAN.

Our office has a somewhat similar configuration. Trunking is typically used only for inter-switch communication and management. Each department is on their own VLAN, but our servers are on a VLAN accessible from all the others. Our engineering team has access to the trunk, as well as devices that are multi-VLAN, such as our Cisco WAPs.
epichero22 (Author) commented:
Thanks for the info so far.  

But wanted to also ask, if I'm sharing printers across two VLANs, should the VLANs be on the same subnet or different?
You can keep the same subnet for every VLAN, but the management is simpler if you use something like:
vlan 10 =
vlan 20 =
and so on...
The official documentation from Cisco is there:

And you should take a look at this site. It will answer lots of questions you could have about private VLAN.
