Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 869
  • Last Modified:

VLAN configuration

We have a situation where we want to seperate the wireless network from the physical network, however both will hit the same router for the internet.
(See below for simplistic overview to what I believe we need to do)

vlans.jpg
I know I need to tag the port that the wireless switch uplinks to the HP1820 switch and I'll need to tag the uplink port to the router for VLAN 10 and 50
however, I am not sure what I should do for the other ports on the switch.  Should I leave them untagged including the uplink to the generic switch not capable of VLANing?
I also assume that I'll need to put some sort of restriction on the router to prevent routing between the VLAN's

Thanks
0
trimblenet
Asked:
trimblenet
4 Solutions
 
PredragNetwork EngineerCommented:
Best practice for unused ports is shut them, or put them into separate VLAN as access ports. Unused ports are security risk. You should not leave possibility that someone plugs switch into port and find about VLAN's that you use in your network. That generic switch (depending on who needs to use it) you can put into separate VLAN  with access port on HP1820 for that VLAN.

And of course you need to put some sort of restriction on the router to prevent routing between the VLAN's according to your design.
0
 
AkinsdNetwork AdministratorCommented:
Either shut them down as advised or hard code them as access ports and enable port security on them.

Most people leave vlan 1 as a blackhole, meaning no active port is assigned to vlan 1 and native vlan re-assigned to something else.
0
 
Craig EllegoodCommented:
From looking at your Diagram above you need to tag all client switch ports with VLAN 10 and tag all Wireless AP's with VLAN 50.

The connections between the switches the HP & Meraki and Generic switch should be configured as Trunk Ports. If you want to go further into only allowing certain VLANs across the trunk then you need to enter in trunk allowed vlan 50, 10, etc.. if your switchgear supports that.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
trimblenetAuthor Commented:
Thanks for the suggestions.  99% of the ports on the HP switch will be used for PC's and in use as such based on your comments I should either tag them with VLAN10 if in use otherwise shut them down.  My main concern is what to do with the uplink to the switch which I've labelled generic switch which I don't believe is capable of VLANs (it was installed by another subcontractor and we're trying to get login details so I can confirm this).  I want to ensure no traffic from VLAN50 is capable of accessing resources on VLAN10.
Should I tag the uplink to the generic switch as VLAN10 or untag in case the switch doesn't recognise VLAN packet headers???
0
 
AkinsdNetwork AdministratorCommented:
You may need to filter vlan 50 from accessing vlan 10 with an access list on your router.
eg
OTW-Router(config)# ip accesslist extended DENY-VLAN-50
OTW-Router(config-ext-nacl)#deny ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
OTW-Router(config-ext-nacl)#permit any any

OTW-Router(config)#int vlan 10
OTW-Router(config-if)#ip access-group DENY-VLAN-50 in

Or Apply it outbound on int vlan 50

OTW-Router(config)#int vlan 50
OTW-Router(config-if)#ip access-group DENY-VLAN-50 out

You can tag the uplink if you want, just make sure your native vlan is vlan 10. That way any untagged traffic from the generic switch will be directed to vlan 10.
The concern however is, there is a possibility that the native vlan on the generic switch will be vlan 1. If so, you may experience native vlan mismatch errors
0
 
trimblenetAuthor Commented:
Thanks again for all the advice.  I think I have enough to get things underway
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now