Solved

VLAN configuration

Posted on 2014-09-14
6
688 Views
Last Modified: 2014-09-16
We have a situation where we want to seperate the wireless network from the physical network, however both will hit the same router for the internet.
(See below for simplistic overview to what I believe we need to do)

vlans.jpg
I know I need to tag the port that the wireless switch uplinks to the HP1820 switch and I'll need to tag the uplink port to the router for VLAN 10 and 50
however, I am not sure what I should do for the other ports on the switch.  Should I leave them untagged including the uplink to the generic switch not capable of VLANing?
I also assume that I'll need to put some sort of restriction on the router to prevent routing between the VLAN's

Thanks
0
Comment
Question by:trimblenet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 29

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 100 total points
ID: 40322489
Best practice for unused ports is shut them, or put them into separate VLAN as access ports. Unused ports are security risk. You should not leave possibility that someone plugs switch into port and find about VLAN's that you use in your network. That generic switch (depending on who needs to use it) you can put into separate VLAN  with access port on HP1820 for that VLAN.

And of course you need to put some sort of restriction on the router to prevent routing between the VLAN's according to your design.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 300 total points
ID: 40323211
Either shut them down as advised or hard code them as access ports and enable port security on them.

Most people leave vlan 1 as a blackhole, meaning no active port is assigned to vlan 1 and native vlan re-assigned to something else.
0
 

Assisted Solution

by:Craig Ellegood
Craig Ellegood earned 100 total points
ID: 40323481
From looking at your Diagram above you need to tag all client switch ports with VLAN 10 and tag all Wireless AP's with VLAN 50.

The connections between the switches the HP & Meraki and Generic switch should be configured as Trunk Ports. If you want to go further into only allowing certain VLANs across the trunk then you need to enter in trunk allowed vlan 50, 10, etc.. if your switchgear supports that.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:trimblenet
ID: 40324147
Thanks for the suggestions.  99% of the ports on the HP switch will be used for PC's and in use as such based on your comments I should either tag them with VLAN10 if in use otherwise shut them down.  My main concern is what to do with the uplink to the switch which I've labelled generic switch which I don't believe is capable of VLANs (it was installed by another subcontractor and we're trying to get login details so I can confirm this).  I want to ensure no traffic from VLAN50 is capable of accessing resources on VLAN10.
Should I tag the uplink to the generic switch as VLAN10 or untag in case the switch doesn't recognise VLAN packet headers???
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 300 total points
ID: 40324545
You may need to filter vlan 50 from accessing vlan 10 with an access list on your router.
eg
OTW-Router(config)# ip accesslist extended DENY-VLAN-50
OTW-Router(config-ext-nacl)#deny ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
OTW-Router(config-ext-nacl)#permit any any

OTW-Router(config)#int vlan 10
OTW-Router(config-if)#ip access-group DENY-VLAN-50 in

Or Apply it outbound on int vlan 50

OTW-Router(config)#int vlan 50
OTW-Router(config-if)#ip access-group DENY-VLAN-50 out

You can tag the uplink if you want, just make sure your native vlan is vlan 10. That way any untagged traffic from the generic switch will be directed to vlan 10.
The concern however is, there is a possibility that the native vlan on the generic switch will be vlan 1. If so, you may experience native vlan mismatch errors
0
 

Author Closing Comment

by:trimblenet
ID: 40325021
Thanks again for all the advice.  I think I have enough to get things underway
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question