#1, by MrWu

    UniFi, VLANs, Switches to all go together

    Hi;

    I was wondering if I could get a sanity check for my design for a UniFi, Netgear with VLAN ACLs and Lightspeed content filtering setup.

    Pulling numerous threads of mine together, and with a lot of good help, I'm getting there. If you have a look at the diagram

    Overall design:

    (attachment: lightspeed vlans b.jpg)

    VLANS IP Range and ACLs

    (attachment: vlan design b ACLs.jpg)

    Does this look ok?

    The IP range was chosen for the amount of students we have (1100) and staff (200) to give a bit of headroom for the future

    One thing I'm puzzled with is: do I assign the UniFi APs IP addresses in the 10.18.96.xxx range, same as the default wired network?

    And also, how does this tie together if I have my DC + DHCP server (Windows 2008 R2 box) handle the different scopes? E.g. do I set scopes up in DHCP and add the helper address (IP address of the Win2008 R2 DC+DHCP server) somewhere in the Core switch settings?

    So the goal is for the Netgear Core to do the routing and ACLs, and pass traffic on to the Lightspeed unit, then to the internet via the SonicWall (this would replace the content filtering running on the SonicWall, I would hope).

    Many thanks as always.

#2, by SYNACK
    First off, I'd make smaller VLANs, even if you have Block1Student, Block2Student etc., so that you bring the broadcast domain down, meaning fewer broadcasts. This is especially important on the wireless network; it also segments things like ARP poisoning. 2000 devices on a single broadcast domain over wireless will choke it with broadcasts.

    I have not dealt with the UniFi stuff, but from what I know it does its best to support most of the features of larger products. As such, the idea would be to have the APs set up to take traffic from multiple VLANs. Personally I'd look to have a management VLAN specifically for management interfaces, probably VLAN 1 for all network-managed stuff that only tech people can get to. I'd put the config portion of the wireless on this and assign the various WLAN SSIDs to the required VLANs, students, staff etc.

Thanks to SYNACK from: MrWu (23rd July 2012)

#3, by SYNACK
    Oh, yes, and you are right: you want to set up the various scopes on your DHCP server, then use a DHCP helper address in the core VLAN config for each VLAN in order to point them at the address of your DHCP server.

Thanks to SYNACK from: MrWu (23rd July 2012)

#4, by paulfinlay
    Generally a wireless network will be configured in such a way that the APs/controllers are trunked to all VLANs and client VLAN assignment is done by SSID or dynamically via RADIUS. I have little experience with UniFi but I believe they only support 4 VLANs and I don't know if they can do dynamic VLAN assignment. I'd be apprehensive about implementing what is essentially an enterprise network design on non-enterprise hardware.

    In order for the UniFi APs to get management addresses you'll need to look into 802.1q tagging and setting a native VLAN for the APs.

Thanks to paulfinlay from: MrWu (23rd July 2012)

#5, by MrWu
    Thanks guys

    I guess I can reduce the hosts to 1022 for the student VLAN.

    Yes, it is a limitation of 4 VLANs for UniFi, but a lot of larger schools are using them, so I will have a look at how they set theirs up.
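A small subnet planner, added here as an example and not code from this thread or from anyone in it, that works through SYNACK's two points (per-block student VLANs instead of one 2000-host broadcast domain, and a DHCP helper address on each routed VLAN pointing at the single Windows DHCP server) plus the host-count arithmetic behind the 1022-host figure. The 10.18.96.0/19 block, the VLAN ids and host counts, and the DHCP server address 10.18.104.5 are constructed assumptions.

```python
import ipaddress

# Constructed inputs (not from the thread): VLAN name, VLAN id, hosts needed.
# The student pool is split per block, as SYNACK suggests, rather than
# being one large broadcast domain.
DEMO_PLAN = [
    ("Management", 1, 50),
    ("Staff", 10, 250),
    ("Block1Student", 21, 400),
    ("Block2Student", 22, 400),
    ("Block3Student", 23, 400),
    ("Guest", 30, 200),
]


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length whose usable count (2**n - 2) covers hosts."""
    bits = 2
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def plan_vlans(block, plan, dhcp_server):
    """Carve block into one subnet per VLAN (largest first, so every subnet
    stays aligned) and return, per VLAN, the gateway, the DHCP pool and the
    helper address the core switch needs on that VLAN's routed interface."""
    supernet = ipaddress.ip_network(block)
    server = ipaddress.ip_address(dhcp_server)
    cursor = int(supernet.network_address)
    rows = []
    for name, vid, hosts in sorted(plan, key=lambda p: -p[2]):
        subnet = ipaddress.ip_network((cursor, prefix_for_hosts(hosts)))
        if not subnet.subnet_of(supernet):
            raise ValueError(f"{block} too small: {name} does not fit")
        usable = list(subnet.hosts())  # excludes network and broadcast
        rows.append({
            "vlan": vid, "name": name, "subnet": str(subnet),
            "gateway": str(usable[0]),          # core switch routed interface
            "dhcp_pool": (str(usable[1]), str(usable[-1])),
            # The server's own VLAN hears DHCP broadcasts directly; every
            # other VLAN needs the relay (helper address) pointed at it.
            "helper": None if server in subnet else str(server),
        })
        cursor += subnet.num_addresses
    return rows
```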

#6, by nicholab
    I am sure it is 4 per AP not 4 per system.

Thanks to nicholab from: MrWu (24th July 2012)

#7, by m25man
    Quote Originally Posted by nicholab:
        I am sure it is 4 per AP not 4 per system.

    Correct, there is no limit to the number of VLANs supported by UniFi, only to the number of SSIDs per AP (4).

    Technically there is no reason why the hardware wouldn't support any more than 4 VLANs; it's just that the Ubiquiti gurus have decided 4 is more than adequate for the CPU and RAM available.

Thanks to m25man from: MrWu (24th July 2012)

#8, by MrWu
    Thanks;

    So in a secondary school environment, 4 SSIDs would be adequate? (Staff, Student, Guest.) Other than being mindful of the IP range I assign not being too large per VLAN, too many SSIDs might confuse things.

#9, by SYNACK
    Quote Originally Posted by MrWu:
        Thanks;

        So in a secondary school environment, 4 SSIDs would be adequate? (Staff, Student, Guest.) Other than being mindful of the IP range I assign not being too large per VLAN, too many SSIDs might confuse things.

    Yes, you should be good. If you end up with many wireless clients across the site you may benefit from segmenting behind the scenes, connecting the student SSID to a couple of smaller VLANs. That may cause other issues though. You'll have to see how well it works in your environment, but the more hosts you have in a single broadcast domain, the more traffic is used bouncing broadcasts back and forwards.

#10, by nicholab
    Staff, Student, Guest gives you one spare. I don't understand having a separate staff SSID. I would have SSIDs as BYOD, Guest and Managed clients. I would only allow the 4 VLANs on to that port of the switch (wireless management, Staff, Student and Guest).

#11
    Splitting up BYOD gives you the opportunity to set limitations differently for staff and students, e.g. the time range the SSID is being broadcast, bandwidth limiting etc.
