Need help creating/configuring VLANs to isolate Guest WiFi traffic but still allow some inter-VLAN routing for screen-sharing app Airtame

Hardware:
- (1) Cisco SG250 26P PoE switch
- (2) Ruckus WiFi ZoneFlex R610 access points (using their Unleashed setup)

I'm about to create/implement my first VLANs, I'm pretty stoked I finally get to play with VLANs. I've been doing IT/networking since 1991 but never did VLANs. I've configured Sonicwall firewalls from scratch but this is my first Cisco device I get to admin; thankfully it has a GUI. I've already researched the heck out of VLANs, trunk ports, tagging, & more, & I feel I'm ready to do it. I have the freedom to create this new network as if it were the original network built for this office. Almost all the employees are out of town next week so it's an ideal time to build a new network. There are no Windows servers or any network services on this WiFi network; all that stuff is on the "corporate" network. This WiFi network I'm replacing/upgrading is what could be referred to as a "rogue" network that this department installed themselves just so they'd have faster Internet.

I'm creating VLANs so our business can separate the Guest WiFi traffic onto its own VLAN but also allow some inter-VLAN routing so our screen-sharing solution (Airtame), which guests will be using, can talk to our big screens in the conf rooms, which will remain on our internal/business VLAN.

We currently have a Netgear Orbi Pro WiFi network setup but that's not quite robust/sophisticated enough for what we need to do. I'm keeping this existing Orbi WiFi network hardware as-is so I have a safety net I can go back to in case I have problems creating our new WiFi network.

So, what I need is to know all the little things I need to make sure I do & don't do. For example, in my research on VLANs, I came across one guy who talked about making sure one VLAN (or maybe it was a port?) was untagged, otherwise you'd have no admin access to the AP. I don't know enough about VLANs to know if he is correct about that. So I'm asking the Experts here to toss me some guidance please.

My plan is to:

1) Create VLAN20 (business VLAN) & VLAN30 (Guest VLAN) on the Cisco switch (this switch does inter-VLAN routing too)

2) Configure the Guest WiFi traffic on the APs to be tagged for VLAN30 (I'm assuming the "master" Ruckus AP will act as the network's DHCP server(s))

3) Configure any inter-VLAN routing needed to make the Airtame work ( https://help.airtame.com/install-and-setup/deployment-guide/network-integration-setup  )

Some specific things I'm wondering about:

- DHCP: do I need multiple DHCP servers, one for each VLAN?

- IP addressing: does it matter what IP addressing I use? Can I use 192.168.20.0 for VLAN20 & 192.168.30.0 for VLAN30 for example? We're currently using 192.168.1.0 addressing on our WiFi network but I can use whatever I want; not worried about existing printers or other things on the network - I'll reconfigure them as needed once I get the new network operational. We'll probably never lease out more than 80 IP addresses at any given time, it's a small group here, only 20 employees currently.

- Do I need a firewall for any reason to allow/restrict specific access between the VLAN's?

- Do I need a router to handle the inter-VLAN routing? (not if the switch does inter-VLAN routing, right?)


I'll stop here. I'm sure I'll have more questions but this will help me tremendously for the moment. Thanks for your help!
WineGeek asked:
 
Blue Street Tech (Last Knight) commented:
Hi WineGeek,

Actually it depends on your architecture. If your topology is a Collapsed Core, then creating a sub-interface will work, because that would make all the routing occur on the SonicWALL as opposed to the switch. However, if you want your topology to be a traditional Core, Distribution, Access or even a two-tier Core/Distribution & Access layer, where you want the routing to occur on the switch, then you would ONLY need to set up a reverse route in the SonicWALL as such:

Source: Any
Destination: VLAN subnet/s
Service: Any
Gateway: the IP of the Switch/Router within the X0 subnet.
Interface: X0
Metric: 5
Click OK to save and close.

Without the route above, traffic would not be able to go outbound.

You will need to setup some Address Objects before hand for the Switch's IP and the VLAN network/s.

DHCP: do I need multiple DHCP servers, one for each VLAN?
Ideally, you want a single platform for all your DHCP management. This would provide the most ideal way to manage your network, but since this is not a Windows domain environment and you will lose out on the numerous benefits of having Windows be your only platform for DHCP, you can still achieve single-pane management by turning it off in the Ruckus and configuring it on the SonicWALL. Having DHCP in disparate systems/platforms will obviously work, but you will lose out on the benefits from a functionality, maintenance and management perspective.

- IP addressing: does it matter what IP addressing I use? Can I use 192.168.20.0 for VLAN20 & 192.168.30.0 for VLAN30 for example? We're currently using 192.168.1.0 addressing on our WiFi network but I can use whatever I want; not worried about existing printers or other things on the network - I'll reconfigure them as needed once I get the new network operational. We'll probably never lease out more than 80 IP addresses at any given time, it's a small group here, only 20 employees currently.
I like associating an octet with the VLAN ID, as you have annotated in your example.

- Do I need a firewall for any reason to allow/restrict specific access between the VLAN's?
If you want true security contexting, yes, you would need a firewall to properly inspect and protect the network segments. This would mean you'd have to route all the VLANs in the SonicWALL. You can achieve this by creating Sub-Interfaces on the downstream link to your switches. So if your first switch is populated by the X0 Interface, then you'd create your VLANs as Sub-Interfaces where X0 is the Parent. A Sub-Interface is a virtualized Interface/network, aka VLAN.

- Do I need a router to handle the inter-VLAN routing? (not if the switch does inter-VLAN routing, right?)
No, if you create Sub-Interfaces in the SonicWALL, then the SonicWALL would handle all the Inter-VLAN routing.
0
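The answer above draws a line between routing the VLANs on the switch (an ACL at best) and routing them through the SonicWALL (a stateful firewall). The following is an added illustration of that difference, not code from the thread or from Cisco, SonicWALL, Ruckus or Airtame. It models both filtering styles over the two subnets from the question; the Airtame device address 192.168.20.50, the file-server address, TCP port 8080 and every sample packet are placeholders I chose (the real Airtame ports are in the deployment guide linked in the question).

```python
"""Stateless ACL (switch or router) vs stateful firewall between VLAN30 (guest)
and VLAN20 (business).

Added illustration for the thread above; not code from the original post or
from Cisco, SonicWALL, Ruckus or Airtame. The Airtame device address, the
file-server address, TCP port 8080 and every sample packet are placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

GUEST_NET = ipaddress.ip_network("192.168.30.0/24")      # VLAN30 from the question
BUSINESS_NET = ipaddress.ip_network("192.168.20.0/24")   # VLAN20 from the question
AIRTAME_HOST = ipaddress.ip_network("192.168.20.50/32")  # assumed conf-room Airtame
AIRTAME_PORT = 8080                                      # placeholder, not a verified Airtame port
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; a stateless "established" rule keys on this


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None          # None matches any destination port
    established: bool = False            # match only packets with ACK set

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.proto is None or pkt.proto == self.proto)
            and (self.dport is None or pkt.dport == self.dport)
            and (not self.established or pkt.ack)
        )


def stateless_acl(pkt: Packet, rules: list[Rule]) -> str:
    """First match wins, implicit deny at the end: how a switch or router ACL behaves."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same rule evaluation, but replies are admitted only for flows already permitted."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.flows: set[tuple] = set()   # (src, dst, proto, sport, dport) of permitted flows

    def process(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return "permit"              # reply to a flow the policy already allowed
        verdict = stateless_acl(pkt, self.rules)
        if verdict == "permit":
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


# The policy the question asks for: guest reaches only the Airtame and the Internet.
BASE_POLICY = [
    Rule("permit", GUEST_NET, AIRTAME_HOST, "tcp", AIRTAME_PORT),
    Rule("deny", GUEST_NET, BUSINESS_NET),
    Rule("deny", BUSINESS_NET, GUEST_NET),
    Rule("permit", GUEST_NET, ANY),        # Internet
    Rule("permit", BUSINESS_NET, ANY),
]
# A stateless ACL cannot tell which business->guest packets are replies, so it needs
# an "established" rule in front of the deny; that rule is the weak spot shown below.
STATELESS_POLICY = [BASE_POLICY[0], Rule("permit", BUSINESS_NET, GUEST_NET, "tcp", established=True)] + BASE_POLICY[1:]
STATEFUL_POLICY = BASE_POLICY


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return {packet name: (stateless ACL verdict, stateful firewall verdict)}."""
    fw = StatefulFirewall(STATEFUL_POLICY)
    packets = {  # constructed sample traffic, evaluated in this order
        "guest->airtame SYN": Packet("192.168.30.25", "192.168.20.50", "tcp", 51000, AIRTAME_PORT),
        "airtame->guest reply": Packet("192.168.20.50", "192.168.30.25", "tcp", AIRTAME_PORT, 51000, ack=True),
        "guest->file server": Packet("192.168.30.25", "192.168.20.10", "tcp", 51001, 445),
        "guest->internet DNS": Packet("192.168.30.25", "8.8.8.8", "udp", 51002, 53),
        "crafted ACK business->guest": Packet("192.168.20.99", "192.168.30.25", "tcp", 4444, 22, ack=True),
    }
    return {name: (stateless_acl(p, STATELESS_POLICY), fw.process(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (acl, fw) in run_scenario().items():
        print(f"{name:30} stateless={acl:6} stateful={fw}")
```

Both models let the guest reach the Airtame and the Internet and block the guest from the file server. The last packet is the point: a business-side host (or anything that has compromised one) can send a packet with ACK set and the stateless "established" rule waves it into the guest VLAN, while the stateful firewall drops it because no guest-initiated flow matches. That is the "security contexting" the answer refers to; on the switch alone you only get the first behaviour.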
 
Andy Bartkiewicz (Network Analyst) commented:
Routing:
No, you don't need anything special, just create a supinterface with the new info. I will assume that gig0/0 is connected between your router and switch; you would do something like this:
interface gig0/0.30
 encapsulation dot1Q 30
 ! .0 is the network address; the gateway needs a host address in the subnet, e.g. .1
 ip address 192.168.30.1 255.255.255.0
 description Guest_Network
 ip helper-address <DHCP server address>
Make sure that the switch is set to trunk on the interface going to the router

Switch:
For the switch use something like this:
vlan 30
name Guest_Network
0
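Since the question has no separate router and the switch is meant to do the inter-VLAN routing, here is the same idea carried through for that layout, with both VLANs, the AP uplinks and a first-cut guest policy. This is an added example written in the IOS-style syntax Andy used above; it is not from the thread, and it has not been checked against the SG250's own CLI or GUI wording, so treat the commands as a checklist of what to configure rather than something to paste. Port names, the DHCP-server address, the Airtame address 192.168.20.50 and port 8080 are placeholders.

```cisco
! Added example in IOS-style syntax (the same style as Andy's snippet above). Not taken
! from the thread and not verified against the SG250's own CLI/GUI; port names, the
! DHCP server address and the Airtame address/port are placeholders.
!
vlan 20
 name Business
vlan 30
 name Guest
!
! Layer 3 on the switch: one SVI per VLAN is the default gateway for that subnet
ip routing
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST_IN in
 ! ip helper-address 192.168.20.5   <- only if the DHCP server for VLAN30 sits on another subnet
!
! Uplinks to the two Ruckus APs: AP management untagged (native VLAN 20) so the AP
! stays reachable even before it has any VLAN config; the guest SSID is tagged VLAN 30
interface range GigabitEthernet1 - 2
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,30
!
! Airtame units and other wired business devices: untagged access ports in VLAN 20
interface GigabitEthernet3
 switchport mode access
 switchport access vlan 20
!
! Guest policy: DHCP, then the Airtame on its port (placeholder), then nothing else
! on the business subnet, then the Internet
ip access-list extended GUEST_IN
 permit udp any eq bootpc any eq bootps
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.50 eq 8080
 deny   ip  192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  192.168.30.0 0.0.0.255 any
```

Two cautions. The bootps line is there because an inbound ACL on the guest SVI otherwise drops the DHCP Discover broadcasts before the switch can serve or relay them. And this ACL only constrains traffic entering from the guest side; unsolicited business-to-guest traffic needs its own filter on VLAN 20, and because the switch is stateless that filter can only approximate "replies only" with an established rule. Check the Airtame guide linked in the question for the real ports and for which side opens the connection before writing the permit line.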
 
WineGeek (Author) commented:
Thanks for jumping in Andy! I understand most of what you're saying here, but I don't speak CLI commands any longer (as much as I can help it) & I don't know what a "supinterface" is. I have not connected any of this equipment yet. This is a project I'm doing next week. Just getting prepared for it now.
0
 
Andy Bartkiewicz (Network Analyst) commented:
Sorry, I meant subinterface
0
 
WineGeek (Author) commented:
Just fyi - I do not have a Sonicwall here. I just mentioned I've worked with Sonicwalls before. There is no firewall or router in this scenario; just a Cisco switch & the Ruckus AP. The Ruckus AP is the only device that has a DHCP server on it as far as I know.
0
 
Blue Street Tech (Last Knight) commented:
You do have a firewall in place though, correct?

Regardless, my previous comment addressed all your questions: https:#a42561940

Do you have any followup questions from what I have already addressed?
0
 
WineGeek (Author) commented:
Not on this network. Currently the Orbi Pro is the firewall. On the new network I'm building to replace the Orbi network, the Ruckus (Master) AP will be the firewall. It's the wild west.
0
 
WineGeek (Author) commented:
Ok I'm going to close this question.
0
 
Blue Street Tech (Last Knight) commented:
LOL.

Glad I could help...thanks for the points!
0