Setting up a VLAN
I need a bit of guidance. I understand VLANs, but I have never set one up in practice, and am a little unsure of a few things, especially with our LEA-managed network.
Politics/PAT testing/antivirus aside for a moment, we have been asked to look into the possibility of setting up wireless access for after-hours governors' meetings, and for students. I don't want these on our network, as you would expect, so I presume we would want to set up a VLAN to put them on a private network. Even if we don't implement this, I'd still like to try it out as a learning exercise.
Our main network switches are provided by and managed by our LEA, but we have a few HP1800-24G switches which we can control.
How do I go about setting this up? If I put a port on one of our switches on to a private VLAN in one area of the school, how do I route this to our network for internet access? We also run Censornet for filtering, so would I need a second Censornet box on this new VLAN to provide the filtering?
Any pointers welcome.
Far too big a subject for a single post.
Keep it simple to begin with and work your way up.
Every data packet on your network adheres to an addressing scheme; all ports on all your switches belong to a default VLAN.
So start with the idea that all packets belong to the native VLAN regardless of where they come from.
This is the "Green VLAN" (0 or 1).
So by default all of your links are Green and all ports are Green members.
I use colours because it's easier to visualize than numbers.
Let's make a new VLAN and call it the "Blue VLAN" (10).
Use matching patch cords to help with the logic.
Now let's have another new VLAN and call it the "Red VLAN" (20).
So I take my 24+2 port switch and I can make ports 1-12 members of the "Blue VLAN" and ports 12-24 members of the "Red VLAN".
Anybody connected with a blue wire can see anyone else on the "Blue VLAN"; likewise with the "Red VLAN".
Packets hop freely between members but are invisible to others on the same switch.
That's where the simple port-based VLAN ends!
What happens when you want to link two switches together?
Well, easy: just use a Red uplink and a Blue uplink cable taken from either group of ports and connect the two switches together.
But what if I only have one uplink to join the switches together?
Now we enter the mysterious world of Tagged and Untagged VLANs...
Imagine the uplink between two switches was a dual carriageway.
We need all packets leaving the switches in either direction to be coloured either "Blue" or "Red" depending on the VLAN they came from.
That way, when the packet arrives at the other switch it can be immediately recognised by its counterpart as either "Blue" or "Red".
Now we have two switches, both divided into banks of 12 ports; all of the Reds see each other and all of the Blues see each other.
Packets are "Tagged" Blue or Red as they leave the switches via the dual carriageway.
Using this analogy you can divide your physical single network of copper and fibre links into separate networks.
Sketch your simple LAN topology and draw your VLANs using a Red and a Blue pen.
Remember to "Tag" uplinks with both VLAN IDs.
A Tagged port is not really a member of either VLAN; it just dabs each passing packet with the correct colour paint as it leaves the switch!
An uplink port needs to "Tag" all leaving packets so they can be recognised on "the other side".
Likewise any responding packet coming back will need to have been tagged the correct colour as it comes back the other way.
Remember, you only tag outbound packets!
Once you have grasped the basics you can move on, for instance put the Blue VLAN on a different IP range.
You can have all your students on a Blue VLAN and your Admin on a Red one.
Two entirely separate LANs, but sharing the same topology and switches.
Keep it simple, use coloured pens and patch leads, and your first VLAN is a snip!
Remember, you always need a management VLAN. This could just as easily be the Blue or the Red VLAN; it doesn't matter as long as you can reach all of the switches from wherever you may be plugged in!
Without any management you will be limited to console connections and serial cables!
To connect your VLANs running different IP ranges together you need to use a router.
Start with a simple Ethernet cable router or a PC with two NICs.
Later you can look into routing between VLANs using L3 switching to eliminate unwanted hardware.
A typical VLAN project for a school is CCTV.
Put the school LAN on the Blue VLAN and put the CCTV on the Red VLAN:
Blue = 10.x.x.x
Red = 192.x.x.x
On the CCTV server have 2 NICs, one connected to the Red LAN and the other to the Blue one.
Like using a water analogy when studying electrical circuits, using colours to visualise your VLANs is half the battle.
Document them in a way that you can see them easily on a drawing and suddenly managing them becomes easy too.
Hope that helps.
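The post above describes three rules that every 802.1Q switch applies: an untagged frame takes the colour of the port it arrives on, member ports hand the frame on with no tag, and an uplink port paints the tag on as the frame leaves so the far switch can sort it again. The toy model below is an added example, not code from the thread or from any switch vendor; the port names, the 24+1 port layout and the "hello from Blue" frame are constructed so it runs offline. It joins two such switches with a single uplink and shows that a Blue frame reaches only Blue ports on the far side, and that a frame tagged for a VLAN the uplink does not carry is dropped.

```python
"""Toy model of 802.1Q port-based VLANs on a 24+1 port switch.

Constructed example: access ports 1-12 are untagged members of the Blue
VLAN (10), ports 13-24 of the Red VLAN (20), and one uplink port carries
both VLANs tagged so two such switches can be joined with a single cable.
"""
from dataclasses import dataclass, field
from typing import Optional

BLUE = 10   # the "Blue VLAN" of the post
RED = 20    # the "Red VLAN" of the post


@dataclass
class Port:
    name: str
    # VLAN given to untagged frames arriving on this port; None means the port
    # is tag-only (a pure uplink) and drops untagged frames.
    pvid: Optional[int]
    # VLANs this port sends out with the tag stripped (its "colour" membership).
    untagged: set = field(default_factory=set)
    # VLANs this port sends out with the 802.1Q tag still on the frame.
    tagged: set = field(default_factory=set)


@dataclass
class Frame:
    port: str                    # port the frame is entering or leaving
    payload: str
    vlan: Optional[int] = None   # None: untagged on the wire; int: 802.1Q VID on the wire


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, frame):
        """Decide which VLAN an arriving frame belongs to, or None to drop it."""
        ingress = self.ports[frame.port]
        if frame.vlan is None:
            return ingress.pvid          # untagged: takes the ingress port's colour
        if frame.vlan in ingress.tagged:
            return frame.vlan            # tagged for a VLAN this port carries
        return None                      # tagged for a VLAN this port does not carry

    def forward(self, frame):
        """Flood a frame to every other port in its VLAN.

        Returns {egress port name: frame as it appears on the wire}.
        """
        vid = self.classify(frame)
        if vid is None:
            return {}
        out = {}
        for p in self.ports.values():
            if p.name == frame.port:
                continue                                          # never back out the ingress port
            if vid in p.untagged:
                out[p.name] = Frame(p.name, frame.payload, None)  # member port: tag removed
            elif vid in p.tagged:
                out[p.name] = Frame(p.name, frame.payload, vid)   # uplink: tag applied on egress
        return out


def build_switch():
    """Ports 1-12 Blue, 13-24 Red, plus a tag-only uplink carrying both."""
    ports = [Port(f"p{i}", pvid=BLUE, untagged={BLUE}) for i in range(1, 13)]
    ports += [Port(f"p{i}", pvid=RED, untagged={RED}) for i in range(13, 25)]
    ports.append(Port("uplink", pvid=None, tagged={BLUE, RED}))
    return Switch(ports)


def reach(switch, frame):
    """Set of port names a frame is delivered to on one switch."""
    return set(switch.forward(frame))


def cross_uplink(a, b, frame):
    """Send a frame into switch a and relay whatever leaves a's uplink into b's uplink."""
    out_a = a.forward(frame)
    if "uplink" not in out_a:
        return out_a, {}
    on_wire = out_a["uplink"]
    out_b = b.forward(Frame("uplink", on_wire.payload, on_wire.vlan))
    return out_a, out_b


if __name__ == "__main__":
    a, b = build_switch(), build_switch()
    out_a, out_b = cross_uplink(a, b, Frame("p3", "hello from Blue"))
    print("leaves a.uplink tagged VID", out_a["uplink"].vlan)
    print("delivered on b to", sorted(out_b))
```

The model floods rather than learning MAC addresses, which is enough to show the membership rule; a real switch would also learn which port each MAC lives behind, per VLAN, and forward unicast frames only there.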
VERY good post mate, +rep.
But you thought you'd give it a damn good go anyway!!! Excellent post!
Originally Posted by m25man
I was looking up information on setting up VLANs and came across this posting. Wow... you must be a good teacher, because after searching through a lot of convoluted blurbs about VLAN networking, this posting was like a breath of fresh air. Crystal clear explanation for a new learner!
I have a question for you. Recently we set up an IP surveillance system that connected a bunch of IP cameras, a NAS box running on an iSCSI Ethernet connection, and a basic office network that had access to the NVR recorder. The NVR, cameras and office are on the same network range. The iSCSI storage appliance is on a different network range. Both of these networks are connected to the NVR with two separate NICs. I have these connections converging into a gigabit switch that is in turn connected to the two NVR network cards.
Is this the type of setup that should be using a VLAN capable switch (maybe also with QoS) to ensure smoother operation of both networks converging into one switch, or does it matter? I am wondering if there is inefficient data flow or collisions occurring because I have all this data streaming from cameras on one IP range, and a constant stream of data going to the NAS box on another IP range, all through an inexpensive D-Link switch. Perhaps I need to revisit this and set it up with a better switch to ensure smoother networking?
Hopefully you can give me your thoughts on this.
I'm afraid I can't go into specifics here as each design is dependent on local topologies and your internal politics!
But your iSCSI, cameras and office should be on different VLANs for sure.
It sounds like you have the iSCSI on a different IP range but still connected to the same switch as everything else?
This is far from ideal as, even though the devices don't see each other at Layer 3 (IP), the switch will still see everything at Layer 2 (MAC).
So intensive iSCSI read/write operations are being chopped up by normal LAN traffic and vice versa.
If practical I would simply connect the iSCSI array directly to the NVR (iSCSI) NIC with a direct cable connection. If that's not possible (e.g. the NVR is too far away from the NAS) use a dedicated VLAN to isolate the traffic on the switch.
All of my LAN nodes are allowed to access our NVRs, we have 90 cameras connected to the NVR array VLAN_CCTV
The NVR Array has a LAN facing NIC with an IP address on our data network, VLAN_DATA
All camera traffic is contained on VLAN_CCTV
To view any camera a user logs in to the NVR and selects the camera(s) to be viewed; this is then streamed to that user on VLAN_DATA.
Hope that helps.
Thanks that does help. It shouldn't be a big deal to connect the iSCSI directly. I will do that.
As far as the office goes there are only 2 computers not including the NVR. I suppose it would be ideal to have them on separate VLANs, but as far as traffic goes, it's pretty much mostly the cameras streaming to the NVR.
I think we will just look at getting the iSCSI traffic off of the switch and leave it at that. Next time we do something like this, I'll be installing a smart switch for sure.
@m25man, your explanation was excellent and helped me understand VLANs much better than any other site or explanation I've read. Thank you!
I do, however, have one question for you please?
I'm using UniFi WiFi points which allow me to create multiple SSIDs. I've created a "DainfernCollege" SSID (with no VLAN) and a "Guest WiFi" SSID (with a VLAN ID of 5). What do I tag the ports that these points are connected to as?
And what about the uplink ports? If I tag the outgoing traffic as 5, what about the rest of the traffic on the switch that isn't VLAN'd?
Here is the current VLAN setup on the ToughSwitch, am I on the right track?