  1. #1


    VLAN Questions

    Hello everyone,

    We are currently looking at VLANning our school network, and have a couple of questions. First off, I will state what VLANs we want:

    VLAN 5 - INTERNET_FEED
    VLAN 10 - SERVERS
    VLAN 20 - CURRICULUM
    VLAN 30 - ADMIN
    VLAN 40 - iMACS
    VLAN 50 - CASHLESS
    VLAN 60 - WIRELESS
    VLAN 99 - MANAGEMENT

    So, my questions are:

    1). Does VLAN 1 (Default) need to be used and should it be untagged on the switch uplinks?

    2). For the INTERNET_FEED VLAN, it will consist of a /30 network with one IP on the SVI of the Layer 3 and the other IP on the pfSense box. Is this a viable solution to allowing all VLANS access to the internet?

    3). For our Wireless APs (Aruba AP-105) do those links need to be Trunk (Tagged)? What about setting IP addresses on the APs themselves? How would they be able to use an IP in the MANAGEMENT VLAN range?

    I hope the above makes some sense.

  2. #2

    seawolf

    I would create a NETWORK or SWITCH VLAN rather than an INTERNET VLAN. You will want your switches, routers, firewalls, APs, and web filters to all be untagged on the NETWORK VLAN.

    Your WiFi APs should be untagged on the NETWORK VLAN and tagged on all of the VLANs used for any WLANs (SSIDs).

  3. Thanks to seawolf from:

    zag (3rd March 2014)

  4. #3

    FN-GM

    1) It is recommended not to use it. Uplinks would be trunk ports anyway so this wouldn't apply.
    2) What side of the pfSense will it be? Is it the internal network?
    3) Not 100% but I think they will be trunk, yes. You will set an IP on them individually and configure them to use a specific VLAN for management.

  5. #4
    rob_coles

    1. It's recommended.

    2. Not sure about that one.

    3. If you are pushing more than one VLAN down your APs they would need to be trunked.

    Also, we used location-based VLANs, e.g. IT Suite, Upper School, etc., and then Guest WiFi internal, etc.

  6. #5

    FN-GM

    @rob_coles why would you be using an access port tagged to VLAN 1 and not trunks for uplinks?

  7. #6
    rob_coles

    It was something I read while implementing VLANs on our site.

    VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems

  8. #7

    FN-GM

    Quote Originally Posted by rob_coles View Post
    It was something I read while implementing VLANs on our site.

    VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems

    Sorry, I misread the OP. I thought they were saying leave it tagged, not untag it. In that case we are on the same page.

  9. #8
    chazzy2501

    Hey, can I tack a question on? These are logical VLANs; does anyone use geographic VLANs?

  10. #9

    seawolf

    Yes, we use both logical and geographical VLANs. We have at least two VLANs per building, one for desktops and one for VoIP phones. In buildings with computer labs we have a VLAN per lab as well. We have 13 buildings.

    Then we also have the logical VLANs such as network, server, admin, backup, printer, and multiple WiFi VLANs.

  11. #10

    FN-GM

    Quote Originally Posted by chazzy2501 View Post
    Hey, can I tack a question on? These are logical VLANs; does anyone use geographic VLANs?

    We don't use geographic. For client VLAN each stack has one or the bigger stack that has 2. No client VLAN exists on more than 1 stack. For many cases the stacks are hosted in geographic points, so it would work out that way, but one hub room has 2 stacks so doesn't work out there.

  12. #11

    Quote Originally Posted by FN-GM View Post
    2) What side of the pfSense will it be? Is it the internal network?

    It will be the internal (LAN) side. Something like this:

    Layer 3 Switch --> pfSense --> LEA Router

    The layer 3 switch will have an SVI of 10.10.255.253/30 and the pfSense LAN interface will have 10.10.255.254/30.

    The layer 3 switch will have a default route of: 0.0.0.0 0.0.0.0 10.10.255.254

    The pfSense box will have static routes back to the individual VLAN subnets. For example:

    10.10.10.0 255.255.255.0 10.10.255.253

    I have set this up using Cisco Packet Tracer by configuring a router to use NAT (to loosely emulate the pfSense box) and it works as expected, but I wasn't sure if it is the best way to do this.

    Thanks.
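
Added example, not part of the original posts: a Python check of the addressing described in post #11, confirming that the /30 transit link and default route are consistent and listing which VLANs still lack a return route on the firewall. The 10.10.<id>.0/24 subnets other than 10.10.10.0/24 are assumed for illustration, and all function names are hypothetical.

```python
import ipaddress

# Values from the post: /30 transit between the layer 3 switch SVI and pfSense LAN.
SVI = ipaddress.ip_interface("10.10.255.253/30")
PFSENSE_LAN = ipaddress.ip_interface("10.10.255.254/30")
DEFAULT_ROUTE_NEXT_HOP = ipaddress.ip_address("10.10.255.254")

# Assumption: every VLAN uses 10.10.<vlan-id>.0/24. The post only states
# 10.10.10.0/24 (VLAN 10); the other subnets are constructed sample values.
VLAN_SUBNETS = {vid: ipaddress.ip_network(f"10.10.{vid}.0/24")
                for vid in (10, 20, 30, 40, 50, 60, 99)}


def check_transit(svi, fw, next_hop):
    """Return a list of problems with the switch-to-firewall transit link."""
    problems = []
    if svi.network != fw.network:
        problems.append("SVI and firewall are not in the same subnet")
    hosts = set(svi.network.hosts())
    for name, iface in (("SVI", svi), ("firewall", fw)):
        if iface.ip not in hosts:
            problems.append(f"{name} {iface.ip} is not a usable host address")
    if svi.ip == fw.ip:
        problems.append("SVI and firewall share the same address")
    if next_hop != fw.ip:
        problems.append("default route does not point at the firewall")
    return problems


def missing_return_routes(vlan_subnets, fw_routes, svi_ip):
    """VLAN IDs whose subnet is not covered by a firewall route via the SVI."""
    via_svi = [net for net, hop in fw_routes if hop == svi_ip]
    return sorted(vid for vid, net in vlan_subnets.items()
                  if not any(net.subnet_of(route) for route in via_svi))


def return_routes(vlan_subnets, svi_ip):
    """Static routes the firewall needs, in the post's 'net mask next-hop' form."""
    return [f"{net.network_address} {net.netmask} {svi_ip}"
            for _, net in sorted(vlan_subnets.items())]


if __name__ == "__main__":
    print(check_transit(SVI, PFSENSE_LAN, DEFAULT_ROUTE_NEXT_HOP))
    posted = [(ipaddress.ip_network("10.10.10.0/24"), SVI.ip)]
    print("no return route for VLANs:",
          missing_return_routes(VLAN_SUBNETS, posted, SVI.ip))
    print("\n".join(return_routes(VLAN_SUBNETS, SVI.ip)))
```

A VLAN reported as missing can send traffic out through the default route, but the firewall has no path for the replies, which is why each subnet (or a covering summary) needs a route back via 10.10.255.253.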

  13. #12

    Quote Originally Posted by FN-GM View Post
    3) Not 100% but I think they will be trunk, yes. You will set an IP on them individually and configure them to use a specific VLAN for management.

    Having looked through some Aruba forums, it would appear that you set the ports for the APs to be untagged on a specific VLAN (VLAN 60) and then other VLANs can be tunnelled down through that VLAN. Therefore, the AP gets an IP address within the subnet for VLAN 60 but the SSIDs can be on different VLANs and the controller is connected to the layer 3 switch as a trunk.

    This probably explains it much better than I have above: Multiple VLAN setup with AP 105's - Airheads Community

  14. #13

    localzuk

    Quote Originally Posted by chazzy2501 View Post
    Hey, can I tack a question on? These are logical VLANs; does anyone use geographic VLANs?

    Yup, we have both.

    We have geographic ones for ICT suites (to allow for broadcast based imaging), and logical for everything else.
