
VLANs

dawks

Diamond Member
We have a few VLANs established on our switches (before my time) for our VoIP and data traffic (HP Procurve switches). I am trying to establish an additional VLAN dedicated to WiFi traffic. We have Untangle running as our internet gateway, so all of our internet traffic runs out of one port on our HP switch. I'd also like to pass our dedicated WiFi VLAN out the same port and through Untangle, but I can only set that port to Untagged for one VLAN. How would I go about doing this otherwise? (Untangle supports aliases so one NIC can handle multiple subnets AFAIK.)

Also, I have one port on another switch that connects to a smaller switch for less important devices (non-POE, printers, etc.), and I'd like to connect our WiFi APs to that switch. But again, our data VLAN is untagged on that port, so I can't also add the WiFi VLAN. Would I need to get a managed switch with VLAN support, then Tag the uplink to that external switch with both data and WiFi VLANs? Then untag the ports for each separate VLAN on the breakout switch?

Edit: also, thinking this through some more, if I were to plug the Access Point straight into our Procurve switch, how can I pass it multiple VLANs? Would each VLAN be Tagged for the AP's switch port? Or Untagged? But I can only have one VLAN tagged for a port...

VLAN Rookie here!

Thanks
 
Well, to address a few of your issues: a port can only belong to one untagged vlan. That's just how it is. Any non-tagged frames will belong to whatever the PVID is for that port. If you have another switch that's communicating to your managed switch with vlan info on it, then yes, I'd recommend having all of your main switches be vlan-aware switches and just make the uplink ports on both of them tagged on whatever vlans need to cross both switches. Does untangle support vlans? If so you may need to just make that one port it's connected to a tagged port and add additional interfaces to talk to your wireless, or if you have multiple physical interfaces, just take another one, program it up for your wireless and plug it into another vlan port that's on the wireless subnet.

As far as your vlan questions: to support multiple vlans, it has to be tagged data. That's how it identifies what vlan the frame belongs to. Tagged ports are mainly used if you're needing to transfer vlan information from switch to switch to switch, or in your case from switch to switch to WAP. Enterprise access points should handle tagged vlans so you can put multiple SSIDs for different uses on the same WAP.
 
Thanks champ,

Untangle does not support VLANs, but it does support IP aliasing, so from what I've gathered over at the Untangle forums I should be able to set the internal (LAN) NIC on the Untangle box to have IPs for each subnet and it should be able to handle it fine. The only question is how (if at all) I can get multiple subnets/VLANs to put traffic out one port to Untangle. Not possible?

Or put another way, if I plug the APs directly into our managed switch, how do I pass multiple VLAN info to it? If the AP is plugged in directly to a port, can I then Tag the ports for each VLAN? (Right now if I tag a port with a laptop plugged in, no traffic passes; I assume because it's an end device, not a VLAN-aware NIC.)

So if I were to take one port on the managed switch and 'Untag' it for the WiFi VLAN, then just attach an unmanaged break-out switch for all the APs, would that work? Or will the unmanaged switch drop the VLAN info before the APs can recognize it and direct traffic based on SSIDs?
 
Let's first see what your infrastructure is. For vlans to communicate together and pass packets, you need a L3 switch or router. Can you list all the switches you have in your main area as well as how many ports each one has?

Second - on your untangled box, how many physical NICs do you have? It needs to have more than one physical NIC if it doesn't support vlans to be able to communicate with other subnets. How else would the frames make it to the NIC of the system?
 

🙂

1) We have 3 24-port Procurve managed switches with VLANs already on them (at this location). The one switch I'm looking at right now only has 3 ports free (these ports are powered and we may need 2 in the future for IP phones - hence wanting to break out to another (cheap) switch).

2) The Untangle box only has 2 NICs, one External, one Internal. I was hoping I could simply add an alias on the one NIC for each subnet, and let Untangle process the traffic that way. (Similar to the way I have 6 IPs on one physical NIC with VMs.) My only question is how to get the different subnets/VLANs (if possible) out of one port on the switch. It's beginning to look like this isn't possible. One VLAN per port when going to an 'end' device like a computer/gateway (Untangle)?

3) Simply put, one VLAN per port (Untagged) if it's a destination/end device. Multiple VLANs on a port (Tagged) if they are uplinks to other switches. Yes?

Thanks
 
What kind of access points are you using? Do they support VLANs? Just about every vendor will require a different setup depending on whether a wireless controller is being used or not. My assumption is no and they are stand-alone WAPs. Let's just say the access points support VLANs and they have a single NIC. Trunk the NIC on the access points and the switch port interfaces they connect to. You should be able to assign SSIDs to VLANs. That VLAN, think of it as a conduit, will have to run all the way back to a layer 3 device for internet connectivity. Connecting switches will need to be tagged with that VLAN.

Seeing as how your Untangle doesn't support VLANs, which is crazy to me in this day and age, use your ProCurve to do all the routing, which I believe they are all L3 switches by default. Set up all the VLANs on the ProCurve and set up ACLs between them to permit or deny traffic from one VLAN to another, as well as routes. The interface between the switch and the Untangle can live on the default VLAN, so it can be untagged. To route from the WiFi VLAN to the internet, the ProCurve will need a route and ACL to route traffic from the WiFi VLAN to the default VLAN. (Which kind of defeats the purpose of separating the networks, unless you create 3 VLANs, one for default, one for data, one for WiFi, and only allow WiFi to default, and not your data network, to protect it.)

So for example, your Untangle can be 10.128.0.1/24, the switch port it connects to can be untagged (VLAN1 on ProCurve), and have an IP of 10.128.0.2/24. Your WiFi VLAN can be configured as VLAN 2 on this switch, with an IP address of 10.129.0.1/24 (this will be your gateway IP address). You can have a default route on the ProCurve "ip route 0.0.0.0 0.0.0.0 10.128.0.1", and an ACL to allow the traffic from WiFi to default. Essentially your default VLAN is your routing VLAN. Of course, you can tweak routes as needed.

If you have switches that don't support VLANs that are connecting to your WAPs, get some, or use the ProCurve.

My firewalls support VLANs, but we have a very similar setup. We use a default VLAN (kind of) to route all the traffic from our core network to the internet. All routing is done on our layer 3 switches, and not the firewall. The interface that connects our switch to our firewall is not tagged; it's an untagged port.

I hope this makes sense and helps.
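As an added example (not from any post in this thread) of the three-VLAN design just described, written as HP ProCurve CLI configuration for one switch. It assumes a model that supports `ip routing`, port 1 going to Untangle, port 2 being the tagged uplink to a VLAN-aware breakout switch, port 3 being an AP that accepts tagged frames, and an existing data VLAN 10 on 10.130.0.0/24 (the VLAN ID, the data subnet and the port numbers are assumptions; the addresses for VLAN 1 and VLAN 2 are the ones given above).

```text
; Added example, not from the thread. ProCurve CLI; lines starting with ';' are comments.
; VLAN 1 = routing VLAN to Untangle, VLAN 2 = WiFi, VLAN 10 = existing data VLAN (assumed).
ip routing

vlan 1
   name "DEFAULT_VLAN"
   untagged 1
   ip address 10.128.0.2 255.255.255.0
   exit

vlan 10
   name "Data"
   untagged 4-22
   tagged 2
   ip address 10.130.0.1 255.255.255.0
   exit

vlan 2
   name "WiFi"
   tagged 2-3
   ip address 10.129.0.1 255.255.255.0
   exit

; Everything not on a local VLAN goes to Untangle's internal NIC.
ip route 0.0.0.0 0.0.0.0 10.128.0.1

; Stateless ACL applied inbound on the WiFi VLAN: WiFi clients may reach the
; routing VLAN and the internet, but never the data VLAN.
ip access-list extended "WIFI-IN"
   10 deny ip 10.129.0.0 0.0.0.255 10.130.0.0 0.0.0.255
   20 permit ip 10.129.0.0 0.0.0.255 any
   exit

vlan 2
   ip access-group "WIFI-IN" in
   exit
```

Untangle still needs static routes for 10.129.0.0/24 and 10.130.0.0/24 via 10.128.0.2, or return traffic from the internet never reaches the WiFi or data clients; and because the ACL is stateless and applied only inbound on VLAN 2, it filters what WiFi clients initiate, not sessions started from the data VLAN towards WiFi.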
 