Solved

VLAN configuration

Posted on 2014-09-14
Last Modified: 2014-09-16
We have a situation where we want to separate the wireless network from the physical network; however, both will hit the same router for the internet.
(See below for a simplistic overview of what I believe we need to do.)

(image: vlans.jpg)
I know I need to tag the port that the wireless switch uplinks to on the HP1820 switch, and I'll need to tag the uplink port to the router for VLAN 10 and 50;
however, I am not sure what I should do for the other ports on the switch. Should I leave them untagged, including the uplink to the generic switch that is not capable of VLANing?
I also assume that I'll need to put some sort of restriction on the router to prevent routing between the VLANs.

Thanks
Question by:trimblenet
Assisted Solution

by:Predrag
ID: 40322489
Best practice for unused ports is to shut them down, or put them into a separate VLAN as access ports. Unused ports are a security risk. You should not leave the possibility that someone plugs a switch into a port and finds out about the VLANs that you use in your network. That generic switch (depending on who needs to use it) you can put into a separate VLAN, with an access port on the HP1820 for that VLAN.

And of course you need to put some sort of restriction on the router to prevent routing between the VLANs according to your design.
Assisted Solution

by:Akinsd
ID: 40323211
Either shut them down as advised or hard code them as access ports and enable port security on them.

Most people leave VLAN 1 as a black hole, meaning no active port is assigned to VLAN 1 and the native VLAN is re-assigned to something else.

Assisted Solution

by:Craig Ellegood
ID: 40323481
From looking at your diagram above, you need to tag all client switch ports with VLAN 10 and tag all wireless APs with VLAN 50.

The connections between the switches (the HP, Meraki and generic switch) should be configured as trunk ports. If you want to go further and only allow certain VLANs across the trunk, then you need to enter trunk allowed vlan 50, 10, etc., if your switchgear supports that.
Author Comment

by:trimblenet
ID: 40324147
Thanks for the suggestions. 99% of the ports on the HP switch will be used for PCs and in use as such; based on your comments I should either tag them with VLAN 10 if in use, otherwise shut them down. My main concern is what to do with the uplink to the switch I've labelled "generic switch", which I don't believe is capable of VLANs (it was installed by another subcontractor and we're trying to get login details so I can confirm this). I want to ensure no traffic from VLAN 50 is capable of accessing resources on VLAN 10.
Should I tag the uplink to the generic switch as VLAN 10, or untag it in case the switch doesn't recognise VLAN packet headers?
Accepted Solution

by:Akinsd
ID: 40324545
You may need to filter VLAN 50 from accessing VLAN 10 with an access list on your router.
e.g.
! Cisco IOS extended ACL; wildcard masks (0.0.0.255), not subnet masks, select the /24 networks
OTW-Router(config)# ip access-list extended DENY-VLAN-50
OTW-Router(config-ext-nacl)# deny ip 10.10.50.0 0.0.0.255 10.10.10.0 0.0.0.255
OTW-Router(config-ext-nacl)# permit ip any any

! "in" on an SVI filters packets arriving from that VLAN's hosts; "out" filters packets the router forwards toward them
OTW-Router(config)# int vlan 10
OTW-Router(config-if)# ip access-group DENY-VLAN-50 in

Or apply it outbound on int vlan 50:

OTW-Router(config)# int vlan 50
OTW-Router(config-if)# ip access-group DENY-VLAN-50 out

You can tag the uplink if you want; just make sure your native VLAN is VLAN 10. That way any untagged traffic from the generic switch will be directed to VLAN 10.
The concern, however, is that there is a possibility that the native VLAN on the generic switch will be VLAN 1. If so, you may experience native VLAN mismatch errors.
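An added Python model (not code from the thread) that checks where the ACL above actually takes effect: it evaluates the extended ACL against constructed packets at each SVI and direction, assuming the answer's 10.10.10.0/24 (VLAN 10) and 10.10.50.0/24 (VLAN 50) addressing and a constructed documentation address for the internet.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the accepted answer's ACL. Each extended entry is
# (action, source network, destination network), evaluated top-down;
# "any" is written as 0.0.0.0/0. Addressing follows the answer:
# VLAN 10 = 10.10.10.0/24 (wired), VLAN 50 = 10.10.50.0/24 (wireless).
DENY_VLAN_50 = [
    ("deny",   ip_network("10.10.50.0/24"), ip_network("10.10.10.0/24")),
    ("permit", ip_network("0.0.0.0/0"),     ip_network("0.0.0.0/0")),
]
SVI_SUBNETS = {10: ip_network("10.10.10.0/24"), 50: ip_network("10.10.50.0/24")}

def acl_action(acl, src, dst):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

def crosses_svi(vlan, direction, src, dst):
    """'in' on an SVI sees packets arriving from that VLAN's hosts (source in its
    subnet); 'out' sees packets the router forwards toward them (destination in it)."""
    addr = ip_address(src) if direction == "in" else ip_address(dst)
    return addr in SVI_SUBNETS[vlan]

def forwarded(bindings, src, dst):
    """bindings: list of (vlan, direction, acl). The packet is dropped as soon as
    an ACL it actually traverses returns deny."""
    for vlan, direction, acl in bindings:
        if crosses_svi(vlan, direction, src, dst) and acl_action(acl, src, dst) == "deny":
            return False
    return True

# Constructed sample hosts; 203.0.113.10 is a documentation address standing in for the internet.
WIRELESS, WIRED, INTERNET = "10.10.50.5", "10.10.10.20", "203.0.113.10"

def placement_report():
    """For each SVI/direction the ACL could be bound to: does wireless->wired get through?"""
    return {(v, d): forwarded([(v, d, DENY_VLAN_50)], WIRELESS, WIRED)
            for v in (10, 50) for d in ("in", "out")}

if __name__ == "__main__":
    for (vlan, direction), ok in placement_report().items():
        print(f"ACL {direction:3} on int vlan {vlan}: wireless->wired {'FORWARDED' if ok else 'blocked'}")
    print("wireless->internet with ACL in on vlan 50:",
          forwarded([(50, "in", DENY_VLAN_50)], WIRELESS, INTERNET))
```

The report shows the deny entry only bites where a wireless-sourced packet actually crosses the SVI (in on VLAN 50, or out on VLAN 10). The ACL is also stateless, so replies from wireless hosts to sessions opened from VLAN 10 are dropped by the same entry.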
Author Closing Comment

by:trimblenet
ID: 40325021
Thanks again for all the advice. I think I have enough to get things underway.
