Help with Basic VLAN Setup - LAB

RaiderJ

Diamond Member
Apr 29, 2001
7,582
1
76
I'm looking for input on how best to set up a network here at the office. I have an idea of what I need to do, but don't think I have quite all the details figured out.

Here's a picture:


What I'd like to have the setup do:
  1. Provide basic internet access for guests, but no LAN access
  2. Have two separate networks, VLAN1 for corp, VLAN2 for lab - each with its own IP subnet
  3. Wifi access to corporate network, maybe lab network?
  4. Internet access for both Lab & Corp networks


What I'm not clear on is, is there a way to generally control access so that Lab devices can't access the Corp network? Assuming VLANs would be the best option for this with the equipment we have. However, is there a way I could still allow authorized devices on either the Lab or Corp network to talk to both VLANs?
 

lif_andi

Member
Apr 15, 2013
173
0
0
Essentially, using VLANs, you can apply them to ports and control access through access-lists between VLANs. This is assuming a wired network.

With wireless you can have two (or more) SSIDs for whatever access you want a group to have, which you can also assign to VLANs, and control it through that.

Neither of these solutions scales well, and they are difficult to manage with many users. Any kind of authentication server would be helpful, RADIUS or whatever, although 802.1x is really becoming popular and seems very scalable. Using authentication you can give access per user, rather than per port or per VLAN, through wired or wireless. I have little experience with this, but this is used at my workplace and works extremely well, although managed by people far more knowledgeable than me.

This also depends greatly on what kind of equipment you have and how well you can manage it.
 

gus6464

Golden Member
Nov 10, 2005
1,848
32
91
Basically you can do 3 VLANs.

VLAN
1 - lab
2 - corp
3 - special vlan that can talk to 1 and 2 and only for some devices.

Wifi-wise, all enterprise access points will allow you to create multiple SSIDs, and then you can assign a specific VLAN to each SSID. Then also have a guest SSID with access to nothing. The guest SSID will not need a VLAN.

Hardware-wise, all you need is a router with the VLANs configured. Then a managed switch or two, depending on how many users you have and their location. Then you just configure the ports individually to connect to the correct VLAN. Security-wise, to keep it simple, just do port security with MAC sticky so people can't just unplug their machine and connect whatever they want. 802.1x is an option but requires more hardware, and unless you have a gigantic network I wouldn't really recommend it.

How many users are trying to connect?
 
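The three-VLAN layout and the sticky-MAC port security gus6464 describes, written out as Cisco IOS configuration. This is an added example, not configuration from the thread or from any poster. The VLAN IDs (10/20/30 instead of 1/2/3, because VLAN 1 is the default VLAN on Cisco switches and is best left unused), the parking VLAN 999, the interface names and the violation modes are all assumptions.

```cisco
! Added example (Cisco IOS syntax), not configuration from the thread.
! Assumed: VLAN 10 = corp, 20 = lab, 30 = trusted (the "special" VLAN that
! may reach both), 999 = parking VLAN for unused ports. VLAN 1 is left unused.
vlan 10
 name CORP
vlan 20
 name LAB
vlan 30
 name TRUSTED
vlan 999
 name PARKING
!
interface GigabitEthernet1/0/5
 description Corp workstation
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/6
 description Lab bench - a second MAC on this port shuts it down
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/7
 description Admin box allowed to reach both corp and lab
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
! Ports nobody is using: park them in an unused VLAN and shut them down
interface range GigabitEthernet1/0/9 - 20
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Checks:
! show vlan brief
! show port-security interface GigabitEthernet1/0/5
! show port-security address
! write memory   (sticky MACs only reach startup-config when you save)
```

Two caveats a practitioner would want: the learned sticky addresses live in running-config until you `write memory`, so a reload before saving forgets them; and a MAC address is not a credential, anyone who reads the label on the docked laptop can clone it. Port security stops the casual "unplug the desktop and plug in my own box" case gus6464 is describing, not a determined attacker; per-device authentication is what 802.1x adds.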

RaiderJ

Diamond Member
Apr 29, 2001
7,582
1
76
Thanks for the input.

I don't expect more than about 30 users across all VLANs, although the number of devices might grow. Off the main layer 3 switch, it would be only a couple of ports that would be on the Lab VLAN, but there would be downstream switches.

gus6464 - For the three-VLAN approach, where would an internet-only wifi access point for guests sit? Would it just be on its own, not assigned to a VLAN?
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
> RaiderJ said:
> I'm looking for input on how best to set up a network here at the office. I have an idea of what I need to do, but don't think I have quite all the details figured out.
>
> Here's a picture:
>
> What I'd like to have the setup do:
>   1. Provide basic internet access for guests, but no LAN access
>   2. Have two separate networks, VLAN1 for corp, VLAN2 for lab - each with its own IP subnet
>   3. Wifi access to corporate network, maybe lab network?
>   4. Internet access for both Lab & Corp networks
>
> What I'm not clear on is, is there a way to generally control access so that Lab devices can't access the Corp network? Assuming VLANs would be the best option for this with the equipment we have. However, is there a way I could still allow authorized devices on either the Lab or Corp network to talk to both VLANs?

Just remember, if you're drawing a diagram, a VLAN can be drawn as a separate switch (with a common uplink where you have a trunk port).

A VLAN *never* talks to another VLAN within a switch.

The only way traffic gets between VLANs is via a router.


But if you want to limit the traffic passing between VLANs, you will need your router to also be a firewall.

The router can pass traffic between the subnets on different VLANs and then the firewall component can block all that traffic, except those which you want to allow.
 

gus6464

Golden Member
Nov 10, 2005
1,848
32
91
> RaiderJ said:
> Thanks for the input.
>
> I don't expect more than about 30 users across all VLANs, although the number of devices might grow. Off the main layer 3 switch, it would be only a couple of ports that would be on the Lab VLAN, but there would be downstream switches.
>
> gus6464 - For the three-VLAN approach, where would an internet-only wifi access point for guests sit? Would it just be on its own, not assigned to a VLAN?

Good wifi access points have a guest SSID option already, with a web prompt if you choose to activate it. You do not need another VLAN for it.

I also forgot to mention what SecurityTheatre said: for the traffic to pass across VLANs you will need to create them on the router. Take a look at the Cisco 300 series small business managed switches for easy VLAN and port security support.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
> gus6464 said:
> Good wifi access points have a guest SSID option already, with a web prompt if you choose to activate it. You do not need another VLAN for it.
>
> I also forgot to mention what SecurityTheatre said: for the traffic to pass across VLANs you will need to create them on the router. Take a look at the Cisco 300 series small business managed switches for easy VLAN and port security support.

The VLANs can be created on a switch. But if they are, then there needs to be a trunk port (a port containing all VLANs, tagged with the ID) back to the router.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
OP - do you already have the Layer 3 switch, router and access points, or are you looking at purchasing them? As far as what to do with them, the other posters should have answered that question. Use VLANs to separate the networks, with ACLs to filter which VLANs can access what. By default, if you enable routing on a VLAN, it can access every other VLAN on the router unless you use an ACL with rules in place for what they can and can't access.

If you are still looking at purchasing equipment, what equipment did you have in mind for the switch and access points?
 
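What kevnich2 and SecurityTheatre describe, inter-VLAN routing on the L3 switch with ACLs so the lab cannot reach corp while a trusted VLAN reaches both, as an added Cisco IOS example that is not from the thread or from any poster. The subnets reuse the OP's 10.1.10.0/24 (corp) and 192.168.1.0/24 (lab); the trusted subnet 10.1.30.0/24, the transit link 10.1.99.0/30 to the ISP router, the VLAN IDs and the interface names are assumptions.

```cisco
! Added example (Cisco IOS syntax), not configuration from the thread.
! Assumed: VLAN 10 = corp 10.1.10.0/24, VLAN 20 = lab 192.168.1.0/24,
! VLAN 30 = trusted 10.1.30.0/24 (may reach both), Gi1/0/24 = routed
! link 10.1.99.0/30 to the ISP router at 10.1.99.1.
ip routing
!
interface Vlan10
 description CORP - unrestricted, may open connections into the lab
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description LAB - contained by LAB-IN
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAB-IN in
!
interface Vlan30
 description TRUSTED - unrestricted, may reach corp and lab
 ip address 10.1.30.1 255.255.255.0
!
interface GigabitEthernet1/0/24
 description Routed uplink to the ISP router
 no switchport
 ip address 10.1.99.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.99.1
!
! "in" on an SVI filters packets sent BY hosts in that VLAN. With
! ip routing on and no ACL, every VLAN reaches every other VLAN.
ip access-list extended LAB-IN
 remark TCP replies to sessions that corp or trusted opened into the lab
 permit tcp 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255 established
 permit tcp 192.168.1.0 0.0.0.255 10.1.30.0 0.0.0.255 established
 remark lab may not start anything toward corp, trusted or the transit link
 deny ip 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 deny ip 192.168.1.0 0.0.0.255 10.1.30.0 0.0.0.255 log
 deny ip 192.168.1.0 0.0.0.255 10.1.99.0 0.0.0.3 log
 remark everything else (the internet via the default route) is allowed
 permit ip 192.168.1.0 0.0.0.255 any
!
! Checks:
! show ip access-lists LAB-IN              (per-line hit counters)
! show ip interface Vlan20 | include access list
! from a lab host: ping 10.1.10.1 should fail, ping 8.8.8.8 should work
```

Two things this stateless ACL does not give you, which is SecurityTheatre's point about needing a firewall rather than just a router: `established` only matches TCP segments with ACK or RST set, so UDP and ICMP sessions opened from corp into the lab get no reply path, and a lab host can still send ACK-flagged probes at corp addresses (an ACK scan passes the `established` line). Reflexive ACLs or a stateful firewall fix both. Separately, the ISP router has to know the way back: it needs static routes for 10.1.10.0/24, 192.168.1.0/24 and 10.1.30.0/24 via 10.1.99.2, or it must NAT all of them.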

RaiderJ

Diamond Member
Apr 29, 2001
7,582
1
76
> kevnich2 said:
> OP - do you already have the Layer 3 switch, router and access points, or are you looking at purchasing them? As far as what to do with them, the other posters should have answered that question. Use VLANs to separate the networks, with ACLs to filter which VLANs can access what. By default, if you enable routing on a VLAN, it can access every other VLAN on the router unless you use an ACL with rules in place for what they can and can't access.
>
> If you are still looking at purchasing equipment, what equipment did you have in mind for the switch and access points?

We already have the L3 switch (Cisco) and the modem/router from the ISP. I have several wifi routers, but they're all residential grade. I don't believe any of the wifi APs have the option for a "guest" access page, but that would be very handy.

At the moment, our setup is everything on the switch, regardless of the network, and no VLANs. There was some extremely basic separation by using different IP networks (10.1.10.xxx & 192.168.1.xxx), but I do not think that actually provides any protection, which is why I'm pushing to set up VLANs on the gear we have as a better option.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
Set your guest network on a dedicated port with a VLAN. Make sure that port is only set to route outbound to the internet, and configure routing for this subnet to make sure the guests can't gain access to your 10.1.10.x and 192.168.1.x networks.

That should do it.

Now, if the guest needs selective access to certain things on your network, a more comprehensive firewall configuration may be required.
 
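The internet-only guest VLAN SecurityTheatre describes, together with the tagged trunk to a downstream switch that SecurityTheatre mentioned earlier in the thread, as an added Cisco IOS example not taken from the thread or from any poster. VLAN 40 with 192.168.40.0/24, the dead native VLAN 999, the interface names and using the L3 switch as the guest DHCP server are assumptions.

```cisco
! Added example (Cisco IOS syntax), not configuration from the thread.
! Assumed: VLAN 40 = guest 192.168.40.0/24, the switch hands out guest
! DHCP leases, Gi1/0/8 = guest AP, Gi1/0/23 = trunk to a downstream switch.
vlan 40
 name GUEST
vlan 999
 name NATIVE-UNUSED
!
interface Vlan40
 description GUEST - internet only
 ip address 192.168.40.1 255.255.255.0
 ip access-group GUEST-IN in
!
ip dhcp excluded-address 192.168.40.1
ip dhcp pool GUEST
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 8.8.8.8
!
ip access-list extended GUEST-IN
 remark DHCP to the switch's own server (broadcast discover and unicast renew)
 permit udp any eq bootpc any eq bootps
 remark nothing from guests into any private range: corp, lab, trusted, transit
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark everything else leaves via the default route to the internet
 permit ip any any
!
interface GigabitEthernet1/0/8
 description Guest AP - LAN port of a residential AP with its own DHCP disabled
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to a downstream access switch: carry only the VLANs it needs, turn
! DTP off, and make an unused VLAN native so untagged frames land nowhere useful.
interface GigabitEthernet1/0/23
 description Trunk to downstream access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,40
 switchport nonegotiate
!
! Checks:
! show interfaces GigabitEthernet1/0/23 trunk
! show ip access-lists GUEST-IN
! from a guest: ping 192.168.40.1 fails (blocked on purpose), web browsing works
```

The residential wifi routers the OP has will do as a guest AP if you plug the switch into one of their LAN ports, not the WAN port, and turn off their DHCP server, so the guest SSID is just a bridge onto VLAN 40 and the switch's ACL is what enforces "internet only". The `switchport trunk encapsulation dot1q` line is needed on 3560/3750-class switches that also support ISL; a 2960 rejects it because it only speaks 802.1Q, so drop that line there. The trunk deliberately leaves VLAN 30 off the allowed list: a downstream closet switch that carries no trusted ports has no business carrying that VLAN.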

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
> SecurityTheatre said:
> The only way traffic gets between VLANs is via a router.
>
> But if you want to limit the traffic passing between VLANs, you will need your router to also be a firewall.
>
> The router can pass traffic between the subnets on different VLANs and then the firewall component can block all that traffic, except those which you want to allow.

This is true, but it does confuse some folks, as there are layer 3 "switches" that have a routing component built in.
 