Question Cisco C9200L and C9800 WLC setup

kexil

Junior Member
Feb 3, 2025
Hey everyone,

I’m currently experimenting with some Cisco hardware that I get to use in my free time at school since I’m really interested in networking. I was given a Cisco C9200L switch, a C9800 WLC, and a C9105AXI-E AP to work with. I also got permission to bring them to the clubroom, where I usually spend most of my free time.

The clubroom has a separate network from the school network, with its own static public IP. However, when we first set up the clubroom two years ago, we didn’t have a budget for decent networking equipment, so I used a spare TP-Link Archer C6 v2 home router. The downside is that it doesn’t support VLANs and is quite limited in functionality.

### Current Setup:
For my first test, I managed to connect the C9200L switch to the router and then connected the WLC and AP to the switch. I configured everything on a single VLAN since it seemed like the easiest approach for a beginner. I successfully got the AP connected to the WLC and set up a working WLAN.

### Planned Setup:
For my next step, I want to segment the network properly using VLANs. Here’s what I’m aiming for:
- **VLAN 10 (WiFi)** – For wireless clients
- **VLAN 20 (Wired)** – For wired clients
- **VLAN 30 (Management)** – For managing networking devices
- **VLAN 99 (Router Connection)** – Connecting to the TP-Link router

**Subnetting Plan:**
- VLAN 10: **10.10.10.0/24** (Gateway: 10.10.10.1)
- VLAN 20: **10.10.20.0/24** (Gateway: 10.10.20.1)
- VLAN 30: **10.10.30.0/24** (Gateway: 10.10.30.1)
- VLAN 99: **192.168.99.0/24** (Gateway: 192.168.99.2)

The TP-Link router operates on **192.168.0.0/16**, and I don’t want VLAN 10 or VLAN 20 clients to access this network. My goal is for wired and wireless clients to only communicate with their default gateway (e.g., 10.10.10.1 for WiFi clients) and not with each other. However, devices on the management VLAN should be able to communicate with each other.

For internet access, clients will send packets to their respective gateways, and the switch will forward traffic to the router via VLAN 99. The switch will use a default route:
```bash
ip route 0.0.0.0 0.0.0.0 192.168.99.1
```
The TP-Link router will have a static route to reach the **10.10.30.0/24** network via VLAN 99’s IP.

### Switch Configuration:
```bash
vlan 10
name WiFi_VLAN
vlan 20
name Wired_VLAN
vlan 30
name Management_VLAN
vlan 99
name Router_VLAN

interface Vlan10
ip address 10.10.10.1 255.255.255.0
no shutdown
interface Vlan20
ip address 10.10.20.1 255.255.255.0
no shutdown
interface Vlan30
ip address 10.10.30.1 255.255.255.0
no shutdown
interface Vlan99
ip address 192.168.99.2 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.99.1

ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.20.1 10.10.20.99
ip dhcp excluded-address 10.10.30.1 10.10.30.99

ip dhcp pool WiFi
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4

ip dhcp pool Wired
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8 8.8.4.4

ip dhcp pool Management
network 10.10.30.0 255.255.255.0
default-router 10.10.30.1
dns-server 8.8.8.8 8.8.4.4

! Wired Clients (VLAN 20)
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 20

! Trunk Ports for APs and WLC
interface GigabitEthernet1/0/3
switchport mode trunk
switchport trunk allowed vlan 10,30
switchport trunk native vlan 30

interface GigabitEthernet1/0/4
switchport mode trunk
switchport trunk allowed vlan 10,30
switchport trunk native vlan 30

! Router Connection (Untagged VLAN 99)
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 99

! Security: Block WiFi Clients from Communicating with Each Other
ip access-list extended BLOCK_WIFI_CLIENTS
deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any

interface Vlan10
ip access-group BLOCK_WIFI_CLIENTS in

! Security: Block VLANs from Accessing the Router’s LAN
ip access-list extended BLOCK_ROUTER_LAN_ACCESS
deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.10.20.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any

interface Vlan10
ip access-group BLOCK_ROUTER_LAN_ACCESS in
interface Vlan20
ip access-group BLOCK_ROUTER_LAN_ACCESS in
```

### Questions:
1. **Will this configuration work as expected, or are there any improvements I should make?**
2. **Are there any security concerns I should be aware of?**
3. **Should I use a different method to isolate VLANs given my current hardware?**

I’m still a beginner in networking, so any advice would be greatly appreciated. Thanks in advance!
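Added example, not part of the original post: a Python check over a constructed excerpt of the configuration above, relevant to questions 1 and 2. It flags two IOS behaviours: a second `ip access-group ... in` on the same interface replaces the first, and an ACL on an SVI filters only routed packets, so a same-subnet deny does not separate clients inside the VLAN. The names `parse` and `audit` and the finding labels are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the posted config: the Vlan10 SVI and its two ACLs.
CONFIG = """\
interface Vlan10
ip address 10.10.10.1 255.255.255.0
ip access-list extended BLOCK_WIFI_CLIENTS
deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
interface Vlan10
ip access-group BLOCK_WIFI_CLIENTS in
ip access-list extended BLOCK_ROUTER_LAN_ACCESS
deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
interface Vlan10
ip access-group BLOCK_ROUTER_LAN_ACCESS in
"""

def parse(config):
    svi, acls, bound = {}, defaultdict(list), defaultdict(list)
    kind = name = None  # section the current line belongs to
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["interface"] and len(w) > 1:
            kind, name = "if", w[1]
        elif w[:3] == ["ip", "access-list", "extended"] and len(w) > 3:
            kind, name = "acl", w[3]
        elif kind == "if" and w[:2] == ["ip", "address"] and len(w) == 4:
            svi[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif kind == "if" and w[:2] == ["ip", "access-group"] and len(w) == 4:
            bound[(name, w[3])].append(w[2])
        elif kind == "acl" and w[:2] == ["deny", "ip"] and len(w) == 6:
            # IOS wildcard masks are host masks, which ip_network() accepts.
            acls[name].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                               ipaddress.ip_network(f"{w[4]}/{w[5]}")))
    return svi, acls, bound

def audit(config):
    svi, acls, bound = parse(config)
    findings = []
    for (iface, direction), names in bound.items():
        # One IPv4 ACL per interface and direction: the last one entered wins.
        findings += [("replaced", iface, direction, old, names[-1]) for old in names[:-1]]
        home = svi.get(iface)
        for acl in names:
            for src, dst in acls[acl]:
                # SVI ACLs see routed packets only; same-subnet hosts bypass them.
                if home is not None and src.subnet_of(home) and dst.subnet_of(home):
                    findings.append(("intra-vlan-deny", iface, direction, acl))
    return findings
```

`audit(CONFIG)` returns one `replaced` finding and one `intra-vlan-deny` finding, both for `Vlan10` inbound.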
 