Need help setting up separate networks with VLAN

digityzed

Mar 27, 2006
I'm new at this stuff and very stumped. I have one WAP with multiple SSIDs that support VLAN ID (for a private and guest wireless network) and a managed switch that supports tag or port based VLAN ID. How do I set up the switch so that the networks are separate, but can still reach their own routers to get on the Internet?

Thanks in advance


P.S. - In case details are necessary, the WAP is a Cisco Aironet 1130AG and the switch is a Netgear FS750T2
 

ngrego

Jan 25, 2012
You would have to create a config for both AP and switch to allow access to each VLAN in a way that suits the use you have planned for them.
I don't want to spoil your plan or anything, but a forum is the wrong place to get a solution to the problem you have. The best advice I can offer you is to go to the Cisco and Netgear sites and read up as much as you can on what you need to do.
Good Luck!
 
You are going to have to read the details in the manuals, since how you do it varies greatly from vendor to vendor, but in general:

You need to create 2 VLANs on both devices, and you need to use the same VLAN numbers. To make the Cisco configuration easier, do not use VLAN 1; create 2 additional ones.

Next, on the port that connects between the AP and the switch, you need to define this to transport both VLANs. Cisco does not work like everyone else, but you should be able to just define the port as a trunk. On the switch you will need to add your 2 VLANs to the port tagged; you can add VLAN 1 untagged... it gets complex to explain VLAN 1.

Then on each port that is going to a router you want to add the port UNTAGGED in its appropriate VLAN.
 

digityzed

Mar 27, 2006


Interesting... why exactly is it easier to not use vlan 1 on the Cisco AP?

Okay, so the Cisco AP is already configured with the two VLAN IDs, but the switch configuration for VLAN is what's confusing me. Here's my Netgear switch layout:

port 1-45 = network devices for private network
port 46 = Cisco WAP (has private SSID (vlan 5) and guest SSID (vlan 10))
port 47 = Private network router (own public IP)
port 48 = Guest network router (own public IP)

Do I tag 1 - 47 for vlan 5 and untag the rest (48) for the private network? Do I tag port 46 and 48 on vlan 10 and untag the rest for the guest network?

 

choucove

May 13, 2011
I'm not an expert with VLANs really, but from what you are describing this is what I am gathering.

* On your switch, ports 1-45 should be untagged for the VLAN of your private network (remember, do not use VLAN 1 for this ideally.)

* On your switch, port 47 should be untagged for the VLAN of your private network (this is where the traffic for that VLAN gets to its default gateway.)

* On your switch, port 48 should be untagged for the VLAN of your public network (again, this is where the traffic for that VLAN gets to its default gateway.)

* Port 46 of your switch needs to be TAGGED for both of the VLANs that you are passing along to the AP. Basically, think of a tagged network port as a trunk carrying ALL of the VLAN data for the necessary VLANs between two switching devices. Untagged ports are access ports, in terms of Cisco switches, while tagged ports are trunk ports in terms of Cisco switches.

* On your AP your LAN port should be configured as tagged for both of the VLANs, again using the same numbers as you had used in your switch, and will connect to Port 46 on your switch.
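As an added example that is not from the thread, the port layout above can be modelled as an 802.1Q membership table and checked mechanically: the model forwards one broadcast frame the way a VLAN-aware switch would (PVID classification on ingress, tag stripped on untagged members on egress) and reports which private ports a guest frame could be flooded to. The port numbers and VLAN IDs (private VLAN 5 via port 47, guest VLAN 10 via port 48, AP on port 46) are taken from the thread; the PVID assignments and the "leaky" table are constructed to mirror the poster's first, broken attempt.

```python
# Added example, not from the thread: a small 802.1Q port-membership model of the
# Netgear layout discussed above (private VLAN 5 via port 47, guest VLAN 10 via
# port 48, Cisco AP on port 46). It forwards a frame the way a VLAN-aware switch
# would and checks that guest traffic can never reach a private-network port.

PRIVATE_PORTS = set(range(1, 46)) | {47}
AP_PORT, GUEST_ROUTER_PORT = 46, 48

# vlan -> {port: "tagged" | "untagged"}; ports missing from a VLAN are not
# members at all, which is the detail the original poster found was missing.
WORKING = {
    5: {**{p: "untagged" for p in range(1, 46)}, AP_PORT: "tagged", 47: "untagged"},
    10: {AP_PORT: "tagged", GUEST_ROUTER_PORT: "untagged"},
}
# PVID (assumed): VLAN given to untagged frames arriving on a port; none on the AP port.
PVID = {**{p: 5 for p in PRIVATE_PORTS}, GUEST_ROUTER_PORT: 10}

# Constructed to mirror the poster's first attempt: ports 1-45 and 47 also
# untagged in the guest VLAN, and port 48 also untagged in the private VLAN.
LEAKY = {
    5: {**WORKING[5], GUEST_ROUTER_PORT: "untagged"},
    10: {**WORKING[10], **{p: "untagged" for p in PRIVATE_PORTS}},
}


def forward(membership, pvid, in_port, tag):
    """Return {egress_port: outgoing VLAN tag or None} for one broadcast frame.
    tag is the 802.1Q VLAN ID on the frame, or None if it arrived untagged."""
    if tag is None:                        # untagged ingress: classify by PVID
        vlan = pvid.get(in_port)
    elif membership.get(tag, {}).get(in_port) == "tagged":
        vlan = tag                         # tagged ingress on a trunk-style port
    else:
        vlan = None                        # tagged frame on a non-trunk port
    if vlan is None or in_port not in membership.get(vlan, {}):
        return {}                          # ingress filtering drops the frame
    return {p: (vlan if mode == "tagged" else None)
            for p, mode in membership[vlan].items() if p != in_port}


def guest_leak_ports(membership, pvid):
    """Private ports that a guest frame (from the AP tagged 10, or from the
    guest router untagged) can be flooded to. Empty means the VLANs are isolated."""
    reached = set(forward(membership, pvid, AP_PORT, 10))
    reached |= set(forward(membership, pvid, GUEST_ROUTER_PORT, None))
    return sorted(reached & PRIVATE_PORTS)
```

Running `guest_leak_ports` on the two tables shows the working layout leaking to no private port and the leaky one flooding guest frames to every private port, which is exactly the symptom of leaving ports untagged in both VLANs.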
 
Interesting... why exactly is it easier to not use vlan 1 on the Cisco AP?

Mostly because Cisco "tries" to make it easy by letting you just declare a port a trunk and it magically works. One of the key problems is Cisco then uses VLAN 1 for what every other vendor calls untagged on a trunk port. Every other VLAN is added tagged to all trunk ports. Cisco uses a strange word called NATIVE to change this untagged VLAN; this is a holdover from an older VLAN tagging system Cisco had before the current one was invented.

The key thing is, if you get the untagged VLAN inconsistent in an installation with lots of switches, you get massive loops. For example, if you configure it as choucove recommended (which is exactly correct), what VLAN is being used on port 46 as untagged on your switch? Since you did not define it, there is not one, BUT it still always exists, and this is the one spanning tree messages are sent on.

Maybe someday Cisco will use the same syntax as everyone else, but then again they had VLAN trunks many years before many of the current vendors even existed.


 

choucove

May 13, 2011
I have a question somewhat along this line actually that I'd also like to pose quickly for those with experience between the two then:

Which would you recommend for a small business looking to utilize VLANs, a Cisco switch, or another vendor like HP, based on their usage, simplicity, and efficiency in learning to configure and utilize VLANs?
 
If you use all Cisco it is trivial. In addition to the auto trunk stuff, they use a protocol called VTP that ensures all switches have constant VLAN definitions; they also use per-VLAN spanning tree, which is much, much easier to set up than the industry standard MSTP.

I have seen a number of people who were spoiled by the auto Cisco setup go to HP ProCurve and mess it up bad. The key problem with MSTP is that if you do not ensure that all the trunk links have the VLANs defined consistently with your spanning tree instances, you will get strange traffic blocking.

With Cisco you can get a good network setup without really knowing what you are doing.
 

digityzed

Mar 27, 2006
I just discovered the public router for the public SSID does not support VLAN, so I guess VLAN tagging is out...?? Can I do port based VLAN? If so, how? If not, given the equipment the client currently has (one WAP and one smart switch with VLAN support, but two routers with no VLAN support), how can I achieve a separate network for guest wireless clients?

Thanks in advance


P.S. - the client is a non-profit, buying new (or even used) equipment is out of the budget
 

choucove

May 13, 2011
Your routers probably don't need to support VLANs actually. Do you have a single router capable of multiple LANs or zones, or do you have multiple routers?

Let's say you have two separate routers, each one with just a single LAN network (which will be just a single VLAN on your switches.) Each router will have a single ethernet uplink connection to the switch, and that switchport will need to be configured as UNTAGGED for that VLAN. The two routers are then connected back to a single router to get access out to the internet.

ROUTER1
======
LAN IP Address: 192.168.1.254
WAN IP Address: 10.0.0.1

ROUTER2
======
LAN IP Address: 192.168.2.254
WAN IP Address: 10.0.0.2

ROUTER3
======
LAN IP Address: 10.0.0.3
WAN IP Address: Dynamic or Static by your ISP/Modem

SWITCH
======
Eth1 (To Router1): UNTAGGED VLAN101
Eth2 (To Router2): UNTAGGED VLAN102

It's a little easier if you are able to get a router capable of multiple internal LAN networks, such as a Sonicwall TZ 100 firewall or other small-business routers. In this situation, you would configure one LAN port on the router with the default gateway for the first VLAN (even though the network port doesn't know it has a VLAN connected to it) and then set a second LAN port on the router with the second network zone and default gateway for the second VLAN. Again, each of these ports will be connected to the switch with the switchport set to UNTAGGED for the appropriate VLAN.

ROUTER
======
LAN1 IP Address: 192.168.1.254
WAN IP Address: Dynamic or Static by ISP/Modem
LAN2 IP Address: 192.168.2.254

SWITCH
======
Eth1 (To Router Interface1): UNTAGGED VLAN101
Eth2 (To Router Interface2): UNTAGGED VLAN102
 

digityzed

Mar 27, 2006
They actually have multiple public IP addresses from their ISP, and one of the routers is a SOHO/small business wired router - Watchguard Firebox X55E. It's comparable to a Sonicwall TZ 100 as it does have support for an optional network (walled off from the trusted/private network), but it does not support multiple public IP addresses. I prefer one of the public IP addresses be assigned to the guest network for added security, so I guess I'll go with the 1st option you're suggesting minus a 3rd router... is this the way to do it?:


ROUTER1 (Private)
======
LAN IP Address: 192.168.1.254
WAN IP Address: 64.x.x.17

ROUTER2 (Guest)
======
LAN IP Address: 192.168.2.254
WAN IP Address: 64.x.x.18

SWITCH
======
PORT 47 (To ROUTER1): UNTAGGED VLAN101
PORT 48 (To ROUTER2): UNTAGGED VLAN102


The thing that continues to confuse me is the VLAN and tagging part of it; UNTAGGED the ports ROUTER1 and ROUTER2 are physically connected to and TAG all the other ports (which again are the private network devices)? What about PORT 46 with the Cisco VLAN enabled wireless access point?


P.S. - The Firebox X55E is listed as supporting VLAN, but that's in the current version of the firmware - this particular router has an older version and it'll cost $300 to update it and that also is not in the client's budget.
 

choucove

May 13, 2011
The untagged/tagged part of this is confusing, it took me some time playing with it to really understand it as well. But look at it this way. Each VLAN has to have its own default gateway to get out to. In some high-end routers, you can have sub-interfaces all assigned to a single physical interface, so one ethernet port on the switch is considered three, four, or more virtual ethernet ports, each one being a default gateway for one of the VLANs. In this situation, you'd have to use a trunk port from the switch to the router, or a TAGGED port, which would send all of the VLAN traffic through a single line to the router, tagged with the number of the VLAN that traffic is coming from, to get to the right default gateway.

Now, in most situations you're not going to have a router that can do multiple sub-interfaces on a single physical interface. Instead, you're going to have a device like what you've got where you can assign only a single address or physical network to a single physical interface. That means that one physical interface can only be the connection for one VLAN default gateway. In that case, you don't need a trunk port, it's going to be considered an access port, or UNTAGGED port, just like any others on the switch. You want all the computers in that VLAN to get to the proper default gateway, so the router which has the proper default gateway address must be UNTAGGED for that VLAN to pass data out to the IP address. No other VLANs are passing traffic along that interface. The other VLANs will have to pass traffic to their own router and interface directly.

Obviously if you have many VLANs, this gets to be prohibitive, which is why they have high-end routers capable of multiple sub-interfaces on a single physical interface.
 

digityzed

Mar 27, 2006
Success! I finally got around to actually trying your first set of instructions. I think the missing piece for me was the fact I didn't know the ports not mentioned should be neither tagged nor untagged, but blank (i.e., not a member). I initially had port 48 on the private VLAN and ports 1 - 45 & 47 on the guest VLAN untagged when they have to be blank.

Thanks everyone for your help. I very much appreciated it!