  1. #1


    Setting up a VLAN

    I need a bit of guidance. I understand VLANs, but I have never set one up in practice, and am a little unsure of a few things, especially with our LEA managed network.

    Politics/PAT testing/antivirus aside for a moment, we have been asked to look into the possibility of setting up wireless access for after hours governors' meetings, and students. I don't want these on our network as you would expect, so I presume we would want to set up a VLAN to put them on a private network. Even if we don't implement this, I'd still like to try it out as a learning exercise.

    Our main network switches are provided by and managed by our LEA, but we have a few HP1800-24G switches which we can control.

    How do I go about setting this up? If I put a port on one of our switches on to a private VLAN in one area of the school, how do I route this to our network for internet access? We also run Censornet for filtering, so would I need a second Censornet box on this new VLAN to provide the filtering?

    Any pointers welcome.

  2. #2

    m25man's Avatar
    Far too big a subject for a single post.

    Keep it simple to begin with and work your way up.

    Every data packet on your network adheres to an addressing scheme, and all ports on all your switches belong to a Default VLan.

    So start with the idea that all packets belong to the native VLan regardless of where they come from.
    This is the "Green VLan" (0 or 1)
    So by default all of your links are Green and all ports are Green Members.
    I use colours because it's easier to visualize than numbers.

    Let's make a new VLan, call this the "Blue VLan" (10)
    Use matching patch cords to help with the logic.

    Now let's have another new VLan, call it the "Red VLan" (20)

    So I take my 24 +2 Port switch and I can make 1-12 Ports a member of the "Blue VLan" and 12-24 ports members of the "Red VLan"

    Anybody connected with a blue wire can see anyone else on the "Blue VLan", likewise with the "Red VLan"

    Packets hop freely between members but are invisible to others on the same switch.
    That's where the simple port based VLan ends!

    What happens when you want to link two switches together?

    Well easy, just use a Red Uplink and a Blue uplink cable taken from either group of ports and connect the two switches together.

    But what if I only have one uplink to join the switches together?

    Now we enter the mysterious world of Tagged and Untagged VLans......

    Imagine the uplink between two switches was a dual carriageway.
    We need all packets leaving the switches in either direction to be coloured either "Blue" or "Red" depending on the VLan they came from.

    That way when the packet arrives at the other switch it can be immediately recognised by its counterpart as either "Blue" or "Red"
    Now we have two switches both divided into banks of 12 ports, all of the Reds see each other, all of the Blues see each other.
    Packets are "Tagged" Blue or Red as they leave the switches via the dual carriageway.

    Using this analogy you can divide your Physical single network of copper and fibre links into separate networks.

    Sketch your simple LAN topology and draw your VLans using a Red and Blue pen.
    Remember to "Tag" uplinks with both VLan IDs
    A Tagged port is not really a member of either VLan, it just dabs each passing packet with the correct colour paint as it leaves the switch!
    An uplink port needs to "Tag" all leaving packets so they can be recognised on "the other side"
    Likewise any responding packet coming back will need to have been tagged the correct colour as it comes back the other way.

    Remember, you only tag outbound packets!

    Once you have grasped the basics you can move on, for instance put the Blue VLan on a different IP Range.
    You can have all your students on a Blue VLAN and your Admin on a Red one.
    Two entirely separate LANs but sharing the same topology and switches.

    Keep it simple, use coloured pens and patch leads and your first VLan is a snip!

    Remember, you always need a management VLan, this could just as easily be the Blue or the Red VLan it doesn't matter as long as you can reach all of the switches from wherever you may be plugged in!

    Without any management you will be limited to console connections and serial cables!

    To connect your VLans running different IP Ranges together you need to use a router.
    Start with a simple ethernet cable router or a PC with two NICs
    Later you can look into Routing between VLans using L3 Switching to eliminate unwanted hardware.

    A typical VLan Project for school is CCTV.
    Put the school LAN on the Blue VLan, put the CCTV on the Red VLAN
    Blue = 10.x.x.x
    Red = 192.x.x.x
    On the CCTV server have 2 NICs, one connected to the Red LAN, the other to the Blue one.

    Like using a water analogy when studying electrical circuits, using colours to Visualise your VLANs is half the battle.
    Document them in a way that you can see them easily on a drawing and suddenly managing them becomes easy too.

    Hope that helps.

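The tagged-uplink behaviour described in post #2, as an added example that is not part of the original thread: a small Python model of two switches joined by one uplink, showing the 4-byte 802.1Q tag added on the way out of the uplink and removed again before delivery. Ports 13-24 for Red, port 25 as the uplink, and all class and function names are assumptions made for illustration.

```python
import struct

TPID = 0x8100       # 802.1Q tag protocol identifier
BLUE, RED = 10, 20  # VLAN IDs used in the post

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def strip_tag(frame: bytes):
    """Return (vid, untagged frame); vid is None when no tag is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

class Switch:
    """Hypothetical 24+2 port switch: 1-12 Blue, 13-24 Red, 25 tagged uplink."""
    def __init__(self):
        self.untagged = {p: BLUE for p in range(1, 13)}
        self.untagged.update({p: RED for p in range(13, 25)})
        self.tagged = {25: {BLUE, RED}}

    def flood(self, in_port: int, frame: bytes) -> dict:
        """Flood a broadcast; return {egress port: bytes put on the wire}."""
        vid, inner = strip_tag(frame)
        if vid is None:
            vid = self.untagged.get(in_port)   # colour comes from the access port
        elif vid not in self.tagged.get(in_port, ()):
            return {}                          # tag not allowed on this port: drop
        if vid is None:
            return {}                          # untagged frame on a tagged-only port
        out = {p: inner for p, v in self.untagged.items()
               if v == vid and p != in_port}
        out.update({p: add_tag(inner, vid) for p, vs in self.tagged.items()
                    if vid in vs and p != in_port})
        return out

# Constructed sample: broadcast from a made-up MAC, EtherType 0x0800, dummy payload.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"hello"

def send_across(in_port: int, frame: bytes):
    """Send a frame into switch A and carry the uplink copy into switch B."""
    a, b = Switch(), Switch()
    from_a = a.flood(in_port, frame)
    on_wire = from_a.get(25)
    at_b = b.flood(25, on_wire) if on_wire else {}
    return on_wire, from_a, at_b
```

Calling `send_across(1, FRAME)` shows a Blue frame leaving switch A tagged with VLAN 10 on port 25 and arriving untagged on ports 1-12 of switch B only; a frame that turns up on an access port already carrying a tag is dropped.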

  4. #3


    Hope that helps.
    VERY good post mate, +rep.


  6. #4

    very nice post....

  7. #5
    Butuz's Avatar
    Originally posted by m25man: "Far too big a subject for a single post."
    But you thought you'd give it a damn good go anyway!!! Excellent post!

    Butuz

  8. #6

    Hello,

    I was looking up information on setting up VLANs and came across this posting. Wow...you must be a good teacher, because after searching through a lot of convoluted blurbs about VLAN networking, this posting was like a breath of fresh air. Crystal clear explanation for a new learner!

    I have a question for you. Recently we set up an IP surveillance system that connected a bunch of IP cameras, a NAS box running on an iSCSI ethernet connection, and a basic office network that had access to the NVR recorder. The NVR, cameras and office are on the same network range. The iSCSI storage appliance is on a different network range. Both of these networks are connected to the NVR with two separate NICs. I have these connections converging into a gigabit switch that is in turn connected to the two NVR network cards.

    Is this the type of setup that should be using a VLAN capable switch (maybe also with QoS) to ensure smoother operation of both networks converging into one switch, or does it matter? I am wondering if there is inefficient data flow or collisions occurring because I have all this data streaming from cameras on one IP range, and a constant stream of data going to the NAS box on another IP range, all through an inexpensive D-Link switch. Perhaps I need to revisit this and set it up with a better switch to ensure smoother networking?

    Hopefully you can give me your thoughts on this.

  9. #7

    m25man's Avatar
    I'm afraid I can't go into specifics here as each design is dependent on local topologies and your internal politics!

    But your iSCSI, Cameras and Office should be on different VLANs for sure.

    It sounds like you have the iSCSI on a different IP range but still connected to the same switch as everything else?

    This is far from ideal as even though the devices don't see each other at Layer 3 (IP) the switch will still see everything at Layer 2 (MAC)
    So intensive iSCSI read/write operations are being chopped up by normal LAN traffic and vice versa.

    If practical I would simply connect the iSCSI array directly to the NVR (iSCSI) NIC with a direct cable connection. If that's not possible (e.g. the NVR is too far away from the NAS) use a dedicated VLAN to isolate the traffic on the switch.

    All of my LAN nodes are allowed to access our NVRs, we have 90 cameras connected to the NVR array VLAN_CCTV
    The NVR Array has a LAN facing NIC with an IP address on our data network, VLAN_DATA
    All camera traffic is contained on VLAN_CCTV

    To view any camera a user logs in to the NVR and selects the camera(s) to be viewed; this is then streamed to that user on the VLAN_DATA.

    Hope that helps.


  11. #8

    Thanks that does help. It shouldn't be a big deal to connect the iSCSI directly. I will do that.

    As far as the office goes there are only 2 computers not including the NVR. I suppose it would be ideal to have them on separate VLANs, but as far as traffic goes, it's pretty much mostly the cameras streaming to the NVR.

    I think we will just look at getting the iSCSI traffic off of the switch and leave it at that. Next time we do something like this, I'll be installing a smart switch for sure.

    Marc.

  12. #9
    Nick_Parker's Avatar
    @m25man, your explanation was excellent and helped me understand VLANs much better than any other site or explanation I've read. Thank you!

    I do, however, have one question for you please?
    I'm using UniFi WiFi points which allow me to create multiple SSIDs. I've created a "DainfernCollege" SSID (with no VLAN) and a "Guest WiFi" SSID (With a VLAN ID of 5). What do I tag the ports that these points are connected to as?
    And what about the uplink ports? If I tag the outgoing traffic as 5, what about the rest of the traffic on the switch that isn't VLAN'd?

    VLAN Diagram.jpg

  13. #10
    Nick_Parker's Avatar
    Here is the current VLAN setup on the ToughSwitch, am I on the right track?

    ToughSwitch Config.JPG


