Solved

Guest VLAN using Netgear and Draytek

Posted on 2015-01-02
4
337 Views
Last Modified: 2015-01-20
Hi all,

Please excuse my lack of knowledge here, but VLAN's are totally new to me.

I have the following hardware setup was using Windows 2008R2 as a DHCP server.

Draytek 2960 (GW) <-------> Netgear GS748TP <-----------> Netgear WNAP 320

I would like to add a wireless Guest network, however I totally confused in what I need to do to set this up. For example, does the main network (for employees) need to be a VLAN?

If any one could point me in the right direction it would be much appreciated.

Thanks
Anthony
0
Comment
Question by:anthony_hurley
  • 2
4 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
Comment Utility
I'd recommend that you start with the question: "What is a VLAN?"  Then parse it to "Virtual Local Area Network" and then consider what does "Local Area Network" intend to mean?  

It's hard to find definitions which convey this notion that I find suitable.  So here is my own definition (while I take no credit for it).
"A Local Area Network" is an interconnected system of (generally) Ethernet cables which may be interconnected with layer 2 switches to extend and connect those cables.  It's a "copper" network.  By extension, it might include wireless links."
This is to be contrasted with the term "subnet" because one can carry multiple / distinct subnets on the same copper wires.

So, I would say that a *vritual* LAN or VLAN is one that will carry distinct and multiple subnets *as if* it were an interconnected distinct copper network.

Consider how a switch works:
The LAN ports are functionally all connected together.  If it's a smart switch then dynamic data paths are formed between switch ports (device MAC addresses) in order to increase switch total bandwidth and to avoid packet collisions.  This way, pairs of ports (and the computers connected to them) can communicate with each other without interference from traffic between other ports (computers).
Anyway, this idea of "connection" is a bit fuzzed up in a smart switch.
But, the idea of a smart switch rather helps us understand the idea of a VLAN implementation.
It's a way to segregate traffic.

Consider an 8-port Layer 2 switch.  It can handle the traffic of multiple subnets (even though in practice it usually doesn't handle more than one).  So, it's a reasonable component of a LAN.
Now consider that the switch is separated into two 4-port segments.  It's like having two separate switches in the same box.
One segment of ports handles a LAN.  The other segment of ports handles an entirely different LAN.  This is because the switch implements complete isolation between the two.  
Because the two LANs are supported in the same switch and are isolated (in firmware), we call these LANs "virtual".
And that can be pretty handy.

Further, using networking conventions, these VLANs can be handled in bundles by use of packet tagging.  But I think that's beyond your concern right now.

Another perspective is that you never need to use VLANs at all if you are content with simply adding physical LANs.  
This brings up another important topic:  "How do VLANs get connected to other VLANs or the internet?"

Imagine a simple network, without an internet gateway at all, and we want to communicate between LANs.
In this case we could add a router as an inter-LAN gateway which would route packets between the two.
Similarly, we could use a router as an internet gateway:

Here is a simple text diagram of a 2-LAN network with an internet gateway.

LAN1 <> LAN Router <> LAN2 <> Internet Gateway Router.

Here, the LAN router provides inter-LAN connectivity and provides LAN1 with a path to the internet via LAN2.
There are only physical LANs here, no VLANs - and the internet traffic for LAN2 flows through LAN1.

Here's another:

LAN1 <> Internet Gateway Router <> LAN2

In this case we have to assume that the Internet Gateway Router is capable of handling 2 LANs on separate ports.  Some such routers *will* call these VLANs and that's OK as long as we understand that they really are just separate LANs.  Well, that model works until one uses more advanced capabilities.  And, in this case we can assume that the Internet Router is capable of routing between the LANs just as was accomplished in the first case.  But here the LAN1 internet traffic no longer flows through LAN2 wires.

But, most often, a router won't have enough ports.  So we need to add a switch.
If we don't use VLAN capabilities then we'd use two switches; one for each LAN.

LAN1 <> Switch1 <> Internet Router LAN1port(s)
LAN2 <> Switch2 <> Internet Router LAN2 port(s)

But, if we *do* use VLAN capabilities, we could do the same thing in a single switch like this:

LAN1 <> Switch1 VLAN1 ports <> Internet Router LAN1port(s)
LAN2 <> Switch1 VLAN2 ports <> Internet Router LAN2 port(s)
[note that there is now only Switch1 and it's ports are separated into 2 VLANs.  And there are still 2 wires going to the router.]

As you work with various different equipments, the terminology will vary a bit and the capabilities will certainly vary.  But this is a quick overview of what VLANs are and aren't.....

I hope this helps.
0
 
LVL 31

Accepted Solution

by:
Frosty555 earned 250 total points
Comment Utility
All three pieces of equipment you listed support 802.1q VLAN tagging, so you're in good shape.

The idea of 802.1q VLAN tagging is that your network devices can pass traffic for multiple different virtual networks, and the traffic on each virtual network is isolated from each other (unless a router allows data to route between them).

Under normal circumstances, network packets are "untagged", meaning they contain no VLAN information. This is how normal networks work and most computers, and client devices expect to connect to an untagged network.

Inside your switch/router/access points/other core networking equipment, you can "tag" network packets with a particular VLAN which controls where those packets are allows to travel on your network. Some ports can carry multiple VLANs worth of traffic, all "tagged" with the VLAN they belonged to.

Some ports are "access ports" which accept traffic for one VLAN only, and they strip the tag off of it so that clients can connect to the network and read the data without being aware that VLAN tags were involved earlier on.

See the attached diagram, I think this is how you should configure your network.

vlan network example
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
Comment Utility
Draytek 2960 (GW) <-------> Netgear GS748TP <-----------> Netgear WNAP 320

 I would like to add a wireless Guest network, however I totally confused in what I need to do to set this up. For example, does the main network (for employees) need to be a VLAN?
So now to answer your question more specifically:

In the context of your access point, the terminology would indicate that you'd set up a 2nd VLAN for guests it appears.  This is the most common way of referring to separate networks.

And, it appears that you'd want to set "Client Isolation" to keep the guests out of the office network (even though using the same IP address range).

What I don't know offhand and without researching further is what happens when a wireless client's packets hit the switch.  If there's no VLAN intercommunication between the switch and the access point then it appears the client isolation wouldn't be effective.  So, I would imagine that there would need to be VLAN implementation in the switch as well.

Then, the same issue would propagate upward to the gateway where, again, it appears you'd need to have two LANs (or "VLANs") on separate ports set up.  Whether there is one or two cables between the gateway and the switch will depend on the capabilities of the two.

It appears that Frosty555 answered those question at the same time....
0
 

Author Closing Comment

by:anthony_hurley
Comment Utility
Guys,

Many thanks for your detailed explanations. Whilst this confirmed my understanding of VLAN's, I find  implementing of them is a different thing. Unfortunately I only had a limited time to test/implement, therefore I will revisit this during my next visit in July.  

Many thanks for your help.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Working settings for French ISP Orange "Prêt à Surfer" SIM cards for data connections only. Can't be found anywhere else !
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now