Robert Mohr (United States of America) asked:

vLAN set-up

I thought we had this resolved but it looks like I was mistaken per a colleague so here is the question again.

I apologize for the rudimentary diagram but it might explain better what I am looking to do. See attached.

Question: what must I do in the set-up of my switch to make sure that those using WIFI can only access the internet through gateway 10.0.1.253 (and not 172.20.1.253) and also have access to printer 172.20.1.245 but nothing else on the 172.20.1.x network?

Everyone else on the 172.20.1.x network will go through gateway 172.20.1.253 when needed and never access anything using the WIFI, or anything else for that matter that is not on the 172.20.1.x LAN.

Do I create vLANs?

Switch is an HP 2910al 48-port.
Diagram-4-6-2015.PDF
giltjr (United States of America):

The simplest way is to assign the WiFi users IP addresses in the 10.0.1.0/24 subnet. Put their default route as 10.0.1.253 and let your router send them wherever they need to go.
Robert Mohr (asker):

This sounds almost too easy!

Won't users be able to ping 172.20.1.x IP addresses if we do it that way? I want to make sure that they cannot access network drives or ping other devices (except printers).
ASKER CERTIFIED SOLUTION by giltjr (available to members only)
Robert Mohr (asker):

Since they go through the switch first from the WIFI access point, won't they be able to access everything else going through that switch before getting to the router, so the ACLs set up on the router will not have an effect?
giltjr:

Not unless the switch is L3 aware and is performing routing functions. As long as it only knows about L2, or is not configured to do routing, it will not forward traffic between the VLANs.

If the switch is L3 aware and you are having it do routing, then it should also support ACLs, so you can put ACLs there also.
Robert Mohr (asker):

If I understand you correctly, with no configuration of the switch other than setting up an IP address for the switch itself, I should be able to have my ISP "setup ACL's so that the 10.0.1.0/24 subnet can only access the host 172.20.1.245 or the IP address of any other printer", and in theory all WIFI users will only have access to the internet and printers? This should not affect the remaining user community, correct?
giltjr:

That is correct. I take it that your ISP manages your router.

What type of switch do you have?
Robert Mohr (asker):

They do...
Router is a Cisco 2900.
I'd like to test this out ahead of time but only have the one production router.
Would it be possible to take one of the switches that I have, default it out, put it on the network and test through that, or will the connection to the other switches mess with testing?
giltjr:

It depends on the type of switch and how it is configured.

What type (brand and model) of switch is the one in your diagram, and what type of switch (brand and model) are you going to test with?
Robert Mohr (asker):

They are the same.
The switch is an HP 2910al 48-port, the same model as what we have running already and in the diagram.
giltjr:

That model switch does support L3 (routing) functions and it supports ACLs.

Since the switch supports routing and ACLs, there are a few more options you have, and you might be able to do everything you want on the 2910. But I need a little more detail to see what may be the simplest for you to implement.

What IP address do the WiFi devices use as their default route today, and on which device is that IP address?
Robert Mohr (asker):

We can do whatever configuration is required on the existing WIFI to get what we need.
What is the routing that should be on the device to make this work? I have yet to test out your suggestion from the previous comments above.

Currently we aren't even trying to segregate the traffic.

At one time I completely bypassed the switch and plugged the WIFI directly into the 10.0.1.253 interface on the router, and traffic was segregated like we wanted (BUT WIFI users did NOT have access to print to the printer device on the 172.20.1.x side since it was a direct route to the router).

Currently, the set-up is as follows:
WIFI WAN (automatically assigned from DHCP server)
172.20.1.129

WIFI LAN (DHCP enabled, handing out IP addresses from 192.168.1.100 through .200)
192.168.1.10/255.255.255.0
giltjr:

I guess one question is whether you want to go to your ISP every time you need an ACL change, or would you rather make the changes yourself.

If you would like more control, then I would suggest that you do routing on the 2910. But you need to be comfortable making those changes. You may want to read the management/admin manual for the 2910.

Do you have VLANs set up on the 2910 right now? If so, do the VLAN interfaces have IP addresses?
Robert Mohr (asker):

It looks like my colleague attempted to set it up, but it doesn't work. See attached images.
These obviously aren't set in stone since they aren't working. This was an attempt.
Default-VLAN.jpg
VLAN2.jpg
giltjr:

One problem I see is that for VLAN 1 (DEFAULT_VLAN) you have a default gateway of 10.0.1.253. Since VLAN1's subnet is 172.20.1.0/24 and 10.0.1.253 is in a different subnet, that probably won't work.

Most operating systems require that the IP address of all gateways/routers be in the same subnet as the host.

Do you really need the WiFi users to use 10.0.1.253 as the route to the Internet, or could they use 172.20.1.253?

You could leave the WiFi users in the 192.168.1.0/24 subnet.
Create a VLAN in the 2910 that is on the 192.168.1.0/24 subnet, give the 2910 the address 192.168.1.20, and set that as the default route for all hosts in 192.168.1.0/24.
Set up the 2910 as a router and make its default route 172.20.1.253.
Configure ACLs to allow 192.168.1.0 hosts access to the printer.
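The two constraints in this post (a host's gateway must be inside the host's own subnet, and a routed 2910 forwards by longest-prefix match with a default route to 172.20.1.253) can be checked with a small model. The following is an added example written for this thread, not HP configuration and not code from either participant; it uses Python's ipaddress module, the addresses from the thread (VLAN1 172.20.1.0/24, a WiFi VLAN 192.168.1.0/24 with the 2910 at 192.168.1.20, upstream router 172.20.1.253) and constructed test destinations.

```python
# Added example (not from the thread, not HP configuration): modelling the
# gateway-in-subnet rule and the 2910's routing table for the design above.
from ipaddress import ip_address, ip_interface, ip_network


def gateway_is_usable(host_cidr, gateway):
    """A default gateway is only usable if it lies inside the host's own subnet.
    host_cidr is the host address with its prefix, e.g. '172.20.1.10/24'."""
    return ip_address(gateway) in ip_interface(host_cidr).network


def lookup(routing_table, dst):
    """Longest-prefix match over (network_cidr, next_hop) entries.
    next_hop None means the network is a directly connected VLAN interface.
    Returns ('connected', network) or ('via', next_hop), or None if no route."""
    d = ip_address(dst)
    best = None
    for cidr, next_hop in routing_table:
        net = ip_network(cidr)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return ("connected", str(best[0])) if best[1] is None else ("via", best[1])


# Routing table the 2910 would hold once it routes between its VLANs
# (constructed from the thread's addresses).
SWITCH_ROUTES = [
    ("172.20.1.0/24", None),         # VLAN1: office LAN, including the printer
    ("192.168.1.0/24", None),        # new WiFi VLAN, 2910 address 192.168.1.20
    ("0.0.0.0/0", "172.20.1.253"),   # default route to the ISP-managed router
]


def path_from_wifi(dst, client_cidr="192.168.1.100/24"):
    """Hops a WiFi client sees when its gateway is the 2910 at 192.168.1.20.
    A destination in the client's own subnet needs no gateway at all."""
    d = ip_address(dst)
    if d in ip_interface(client_cidr).network:
        return [dst]
    hops = ["192.168.1.20"]
    route = lookup(SWITCH_ROUTES, dst)
    if route is None:
        return None
    if route[0] == "via":
        hops.append(route[1])
    hops.append(dst)
    return hops


if __name__ == "__main__":
    # The gateway from Default-VLAN.jpg fails the subnet check; the proposed one passes.
    print(gateway_is_usable("172.20.1.10/24", "10.0.1.253"))   # False
    print(gateway_is_usable("192.168.1.100/24", "192.168.1.20"))  # True
    print(path_from_wifi("172.20.1.245"))  # ['192.168.1.20', '172.20.1.245']
    print(path_from_wifi("8.8.8.8"))       # ['192.168.1.20', '172.20.1.253', '8.8.8.8']
```

Note that in this design every 192.168.1.0/24 host can reach every 172.20.1.0/24 host until the ACLs from the last step are in place; the routing model only tells you where packets go, not whether they are allowed.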
Robert Mohr (asker):

I'd rather leave the switch IP address the same as it is currently, since that is the primary LAN IP addressing.
If I did assign the switch an IP of 192.168.1.20, would that interfere with the other 4 switches that exist on the LAN? They are all daisy chained.

Also, do I need to make sure every switch has the same VLAN configuration, with the only difference on each switch being the assigned IP address?
giltjr:

I will double check the manual for your switch, but I know on Cisco L3 switches you can create a virtual interface for each VLAN and assign the virtual interface its own IP address. I am assuming that you can do the same thing on the HP 2910. Otherwise the 2910 could not act like a real L3 device, a.k.a. a router.

As long as hosts within the VLAN/IP subnet are only on a single switch, only that switch needs to know about the VLAN.

So, if the 192.168.1.0/24 subnet is ONLY on the single WAP, and that WAP is only connected to the 2910, then only the 2910 needs to know about that VLAN. If you make the 2910 your default router, and set it to forward to your ISP's router, then only the 2910 and your ISP's router need to know about the 192.168.1.0/24 subnet, or any other subnets you may have in your network.

However, it is starting to sound like your network is bigger than your drawing. So:

1) How many VLANs do you have right now?
2) How many subnets do you have right now?
3) Are you doing any routing on any devices you control right now?
4) How many "network" devices do you have? Meaning routers, switches, or WAPs.
5) If you have more than one WAP, are they all connected to the same switch? Are all WiFi clients on the same IP subnet?
giltjr:

You may want to look at:
http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02564351-3&docLocale=

On the 2910 each VLAN can have its own IP address. So IF you want to start managing your own internal routing and ACLs, you can do it on the 2910.

If you want your ISP to do it, then:

1) Set up a new VLAN on the 2910.
2) Configure the port that the router is on and the port that the WAP is on as untagged members of this new VLAN.
3) Set up the WAP to do DHCP with addresses in the 10.0.1.0/24 subnet and set the default route to 10.0.1.253.
4) Tell your ISP to set up an ACL to allow traffic between 10.0.1.0/24 and 172.20.1.245/32 and block all other traffic between 10.0.1.0/24 and 172.20.1.0/24.
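Before handing the step 4 policy to the ISP (or coding it on the 2910 or the WAP later in the thread), it is worth checking that the rules, in the order they will be applied, produce the intended verdicts: printer allowed, rest of 172.20.1.0/24 blocked, Internet allowed. The following is an added example, not from the thread and not Cisco or HP syntax: a first-match ACL evaluator with a simplified "permit|deny src dst" rule notation. The addresses are the thread's; the sample flows and the deliberately mis-ordered second rule set are constructed.

```python
# Added example (not from the thread, not vendor ACL syntax): a first-match
# ACL evaluator for checking the WiFi-to-LAN policy before it is applied.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


def _net(token):
    # 'any' is shorthand for the whole address space
    return ip_network("0.0.0.0/0" if token == "any" else token, strict=True)


def parse_acl(text):
    """Parse '<permit|deny> <src-cidr> <dst-cidr>' lines.
    '#' starts a comment; blank lines are skipped; malformed lines raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(parts[0], _net(parts[1]), _net(parts[2])))
    return rules


def evaluate(rules, src, dst):
    """Action of the first matching rule; no match means the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "deny"


def audit(rules, flows):
    """Return (src, dst, expected, actual) for every flow with a wrong verdict."""
    mismatches = []
    for src, dst, expected in flows:
        actual = evaluate(rules, src, dst)
        if actual != expected:
            mismatches.append((src, dst, expected, actual))
    return mismatches


# The step 4 policy, evaluated on traffic arriving from the WiFi subnet.
# Return traffic from the LAN side is not modelled here.
WIFI_ACL = parse_acl("""
permit 10.0.1.0/24 172.20.1.245/32   # the printer
deny   10.0.1.0/24 172.20.1.0/24     # everything else on the office LAN
permit 10.0.1.0/24 any               # the Internet, via 10.0.1.253
""")

# The same three rules with the deny placed first: the printer is then
# unreachable, because the first match wins.
WRONG_ORDER_ACL = parse_acl("""
deny   10.0.1.0/24 172.20.1.0/24
permit 10.0.1.0/24 172.20.1.245/32
permit 10.0.1.0/24 any
""")

# Constructed flows: (source, destination, verdict the thread expects).
EXPECTED_FLOWS = [
    ("10.0.1.50", "172.20.1.245", "permit"),   # WiFi client printing
    ("10.0.1.50", "172.20.1.10", "deny"),      # WiFi client to a LAN file server
    ("10.0.1.50", "8.8.8.8", "permit"),        # WiFi client to the Internet
]

if __name__ == "__main__":
    print("policy as written:", audit(WIFI_ACL, EXPECTED_FLOWS) or "OK")
    print("deny-first order: ", audit(WRONG_ORDER_ACL, EXPECTED_FLOWS) or "OK")
```

The evaluator is protocol-agnostic, which matches an IP-level ACL: the deny line blocks ping to 172.20.1.x as well as file sharing. Service-based access rules on a WAP behave differently, which is why a later post in this thread reports ping still working after HTTP/HTTPS-only rules.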
Robert Mohr (asker):

Would it be better to do a protocol-based VLAN so that only printer traffic (IPP) and internet traffic (HTTP/HTTPS) is allowed for anyone in the 10.0.1.x subnet? (Am I understanding that correctly?)
giltjr:

A what? Never heard of that till now. Looking at what it is, I'm not sure, because I have never used one.

From what little I just read, the issue is that anybody on the 10.0.1.0/24 network would be able to get to any http/https server on the 172.20.1.0/24 network, but you would still need IP routes defined between the two subnets.

Even using the protocol-based VLAN, if you are not sure how your environment is set up now, you may break something or still allow access.

I am assuming you are running Windows, so from a computer connected to the WiFi network can you issue the commands:

tracert -d 172.20.1.245
tracert -d https://www.experts-exchange.com

and post the output? I would like to see if I can tell how traffic is getting to the printer and to the Internet from the WiFi network right now.
Robert Mohr (asker):

Couple of updates

1. I have put the request in with our ISP to have the ACL for the printers put into the router, much like discussed at the beginning of this thread. I am only doing this so I am familiar with the process and I am curious to see it work. They had to go back and actually research how to do this since the technician didn't quite know how to accomplish it.

2. I would much rather control this type of routing in the future at the switch level, like we discussed in the thread as well. I have started to set up my test environment, and so currently the set-up is pretty much the same with the removal of the messed-up VLAN (I plan to add the 10.0.1.x network today (the interface is unplugged) and point all WIFI traffic to 10.0.1.253):
WIFI --> SWITCH (no additional VLANs, only default) --> Router (ISP managed)

What's standard for configurations such as this? To make the changes at the switch level or the router level? I am sure networks need to segregate their WiFi traffic but leave access for printing...

3.  tracert -d 172.20.1.245
       1  200 ms     2 ms     1 ms 192.168.1.10 (WIFI)
       2    14 ms     3 ms     1 ms 172.20.1.245 (PRINTER)

     tracert -d 8.8.8.8
       1  200 ms     2 ms     1 ms  192.168.1.10 (WIFI)
       2    14 ms     3 ms     1 ms  172.<router gateway>
       3    14 ms     3 ms     1 ms  <external hops>
       4    14 ms     3 ms     1 ms  8.8.8.8
Robert Mohr (asker):

Update

1. Another possible alternative is to set up Access Rules on the WIFI device itself.
I have blocked some particular protocols and allowed HTTP/HTTPS. This might be a solution, although I would really like there to be a definite segmentation rather than a blocking. See attached for what's blocked/allowed. It seems to stop users from accessing network folders and servers. I can still ping, however, from a command prompt. And in most cases the devices are not part of the domain.

2. I am also working the ACL piece on the router because I like that option, but I do not like having to go to the ISP.

3. Ultimately, successfully creating a VLAN on the switch(es) would be the route I would want to go, so I have control and true segregation of all WIFI users and their access to the printer.
WIFIAccessRule.jpg
WIFIAccessRule2.jpg
giltjr:

What IP address does the WiFi stuff use as its default route, and which device has that address?

From the trace route it looks like either your switch is doing routing or your WiFi device is doing it. Otherwise I would expect to see "172.<router gateway>" as a hop in the path.

Since your WAP supports ACLs, yes, you can code your ACLs on it. You would want to allow traffic to/from the printer, maybe ping to/from the 172.20.0.0/24 subnet, and then block all other traffic to/from the 172.20.0.0/24 subnet.
Robert Mohr (asker):

Hi GILTJR -

I have attached the WAN/LAN configs, which should show you where everything is routing to. Maybe I have configured it incorrectly. The primary DNS/secondary DNS (redacted) point to our ISP's DNS.

I agree, it looks like something is doing the routing. Perhaps I've missed a step.
WIFI-WAN.jpg
WIFI-LAN.jpg
giltjr:

When you are on the WiFi and you issue the command "ipconfig /all", what is the default route? Is it 192.168.1.10?

It looks like the WiFi is doing the routing between the 192.168.1.0/24 subnet and the rest of the network.

It does look like if you code the ACLs in the WiFi device, it will allow/block what you want.
Robert Mohr (asker):

Yes, the default gateway is 192.168.1.10.
Shouldn't it be 10.0.1.253?
giltjr:

No, you can't talk directly to hosts that are not on the same IP subnet as you are. A router/gateway is a device that sits on two, or more, IP subnets and directs/passes traffic between them. Basically what you have is 3 IP subnets:

192.168.1.0/24
10.0.1.0/24
172.20.1.0/24

The WiFi device is on 192.168.1.0/24 and 10.0.1.0/24. It routes/directs traffic that has to flow between those two networks.

The router is on 172.20.1.0/24, 10.0.1.0/24, and your public Internet network. It routes/directs traffic between those 3 networks.

I'm not sure about your switch. I think it is only on 172.20.1.0/24 and is only set up as a layer 2 device, which means it knows nothing about IP (layer 3) addresses and passes traffic based on Ethernet MAC addresses.

What type of WiFi device do you have?
Robert Mohr (asker):

Cisco RV180W
giltjr:

With the current setup, if you put ACLs on the WiFi you should get what you want without bothering your ISP.
Robert Mohr (asker):

This entire thread got us to the solution.
Multiple options, but ultimately we went with creating ACLs in the WIFI device allowing access to only the printer and web traffic. Down the road we will want to manipulate this through the switch.
Thank you for your help GILTJR!
giltjr:

Thanks for the points. Your switch is quite capable of handling what you want to do; it's just a matter of designing it and then figuring out how to implement it in the hardware/firmware you have. Different vendors use different terms for the same thing, or the same term for different things.

"Trunking" in the Cisco world means multiple VLANs over a single interface.

"Trunking" for other vendors means combining multiple physical interfaces into a single logical interface to increase bandwidth and availability. Cisco calls this an EtherChannel. Everybody uses the term link access group (LAG).

Once you get beyond one VLAN/IP subnet, networks can get quite complex and confusing.