23rd July 2012, 09:31 AM #1
UniFi, VLANs, Switches to all go together
I was wondering if I could get a sanity check for my design for a UniFi, Netgear with VLAN ACLs and Lightspeed content filtering setup.
Pulling numerous threads of mine together, and with a lot of good help, I'm getting there. If you have a look at the diagram
Attached diagram: lightspeed vlans b.jpg
VLANS IP Range and ACLs
Attached diagram: vlan design b ACLs.jpg
Does this look ok?
The IP range was chosen for the number of students we have (1100) and staff (200) to give a bit of headroom for the future.
One thing I'm puzzled with is: do I assign the UniFi APs IP addresses in the 10.18.96.xxx range, the same as the default wired network?
And also, how does this tie together if I have my DC + DHCP server (Windows 2008 R2 box) handle the different scopes? E.g. do I set the scopes up in DHCP and add the helper address (the IP address of the Win2008 R2 DC + DHCP server) somewhere in the core switch settings?
So the goal is for the Netgear core to do the routing and ACLs and pass traffic on to the Lightspeed unit, then to the internet via the SonicWall (this would replace the content filtering running on the SonicWall, I would hope).
Many thanks as always.
23rd July 2012, 11:16 AM #2
First off, I'd make smaller VLANs, even if you have Block1Student, Block2Student etc., so that you bring the broadcast domain down, meaning fewer broadcasts. This is especially important on the wireless network, and it also contains things like ARP poisoning. 2000 devices on a single broadcast domain over wireless will choke it with broadcasts.
I have not dealt with the UniFi stuff, but from what I know it does its best to support most of the features of larger products. As such, the idea would be to have the APs set up to take traffic from multiple VLANs. Personally I'd look to have a management VLAN specifically for management interfaces, probably VLAN 1, for all network-managed stuff that only tech people can get to. I'd put the config portion of the wireless on this and assign the various WLAN SSIDs to the required VLANs: students, staff etc.
23rd July 2012, 11:18 AM #3
Oh, yes and you are right, you want to set up the various scopes on your DHCP server then use a DHCP helper address in the core VLAN config for each VLAN in order to point them at the address of your DHCP server.
23rd July 2012, 03:34 PM #4
Generally a wireless network will be configured in such a way that the APs/controllers are trunked to all VLANs and client VLAN assignment is done by SSID or dynamically via RADIUS. I have little experience with UniFi, but I believe they only support 4 VLANs and I don't know if they can do dynamic VLAN assignment. I'd be apprehensive about implementing what is essentially an enterprise network design on non-enterprise hardware.
In order for the UniFi APs to get management addresses you'll need to look into 802.1Q tagging and setting a native VLAN for the APs.
23rd July 2012, 07:39 PM #5
I guess I can reduce the hosts to 1022 for the student VLAN.
Yes, it is a limitation of 4 VLANs for UniFi, but a lot of larger schools are using them, so I will have a look at how they set theirs up.
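The sizing and helper-address questions raised in posts #1 to #5 can be worked through in code. This is an added example, not from the thread: it takes the page's device counts (1100 students split across two VLANs as post #2 suggests, 200 staff) plus constructed figures for a management VLAN, carves subnets from an assumed 10.18.0.0/16 pool, and prints gateway and DHCP helper lines in generic L3-switch syntax (not a specific vendor's command set). The DHCP server address 10.18.96.10 is a placeholder on the default wired range mentioned above.

```python
import ipaddress
import math
from dataclasses import dataclass


@dataclass
class Vlan:
    vlan_id: int
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address      # first usable address, the core switch SVI
    dhcp_first: ipaddress.IPv4Address   # DHCP scope start (gateway excluded)
    dhcp_last: ipaddress.IPv4Address    # DHCP scope end (broadcast excluded)

    @property
    def usable_hosts(self) -> int:
        # all addresses minus network and broadcast: a /22 gives 1022
        return self.network.num_addresses - 2


def prefix_for_hosts(devices: int) -> int:
    """Smallest prefix fitting devices + 1 gateway + network/broadcast."""
    return 32 - math.ceil(math.log2(devices + 3))


def plan_vlans(pool: str, groups, start_vlan: int = 10):
    """groups: (name, device count, segments). segments > 1 splits a group
    into several smaller VLANs so each broadcast domain stays small."""
    requests = []
    for name, devices, segments in groups:
        per_segment = math.ceil(devices / segments)
        for i in range(segments):
            label = name if segments == 1 else f"{name}{i + 1}"
            requests.append((label, prefix_for_hosts(per_segment)))
    requests.sort(key=lambda r: r[1])            # largest subnets first
    free = [ipaddress.ip_network(pool)]
    plan = []
    for n, (label, prefix) in enumerate(requests):
        block = next(b for b in free if b.prefixlen <= prefix)  # StopIteration = pool exhausted
        net = next(block.subnets(new_prefix=prefix))
        free.remove(block)
        free = sorted(free + list(block.address_exclude(net)))  # keep leftover blocks
        hosts = list(net.hosts())
        plan.append(Vlan(start_vlan + 10 * n, label, net, hosts[0], hosts[1], hosts[-1]))
    return plan


def core_config(plan, dhcp_server: str) -> str:
    """One SVI per VLAN, each relaying DHCP to the Windows server via a helper address."""
    lines = []
    for v in plan:
        lines += [f"interface vlan {v.vlan_id}  ! {v.name}, {v.usable_hosts} usable hosts",
                  f" ip address {v.gateway} {v.network.netmask}",
                  f" ip helper-address {dhcp_server}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed figures: 1100 students in two VLANs, 200 staff, 50 management devices
    groups = [("Student", 1100, 2), ("Staff", 200, 1), ("Management", 50, 1)]
    print(core_config(plan_vlans("10.18.0.0/16", groups), "10.18.96.10"))
```

Each Vlan object also carries the scope boundaries (dhcp_first to dhcp_last) to enter on the Windows DHCP server, with the gateway as the router option.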
23rd July 2012, 07:48 PM #6
I am sure it is 4 per AP, not 4 per system.
23rd July 2012, 11:39 PM #7
Correct, there is no limit to the number of VLANs supported by UniFi, only to the number of SSIDs per AP (4).
Originally Posted by nicholab
Technically there is no reason why the hardware wouldn't support more than 4 VLANs; it's just that the Ubiquiti gurus have decided 4 is more than adequate for the CPU and RAM available.
24th July 2012, 07:36 AM #8
So in a secondary school environment, 4 SSIDs would be adequate (Staff, Student, Guest)? Other than being mindful that the IP range I assign is not too large per VLAN, too many SSIDs might confuse things.
24th July 2012, 09:54 AM #9
Yes, you should be good. If you end up with many wireless clients across the site you may benefit from segmenting behind the scenes, connecting the student SSID to a couple of smaller VLANs. That may cause other issues though. You'll have to see how well it works in your environment, but the more hosts you have in a single broadcast domain, the more traffic is used bouncing broadcasts back and forwards.
24th July 2012, 10:02 AM #10
Staff, Student, Guest gives you one spare. I don't understand having a separate staff SSID. I would have the SSIDs as BYOD, Guest and Managed clients. I would only allow the 4 VLANs on to that port of the switch (wireless management, Staff, Student and Guest).
24th July 2012, 01:00 PM #11
Splitting up BYOD gives you the opportunity to set limitations differently for staff and students, e.g. the time range the SSID is being broadcast, bandwidth limiting etc.