Help Needed With Network and VLANs

rosco (Gawd, joined Jun 22, 2000, 722 messages)
We currently have a 10.10.x.x network setup. This is because there are so many devices on the network and I don't have any VLANs set up. We use Unifi APs with their guest mode turned on so that even though they draw an IP address from our secured network's DHCP server, they are only allowed out on the internet.

This is for a school so we have about 280 students, plus additional guests. So, I now want to do things right and split up the network, mainly the wireless clients using VLANs.

Here is what I have in mind:


Does that look right to you guys? The main difference from our existing config would be the VLAN section. Everything else is how we actually have things set up now.

I could use some help on the VLAN config mainly. I'm still fuzzy on the tagged/untagged idea and which ports need to be which etc.

I appreciate the help.
 
VLAN concepts for tagged and untagged traffic are just telling your switch where you expect VLAN traffic.

You will only need to tag switchports if you are carrying VLAN information over them. This is typically used when you want to uplink a switch to another switch.

With your setup, you will want to have your access ports be configured for VLAN access on the HP Toughswitch.

Example
Toughswitch 8 port:
Port 7: VLAN 20 Access
Port 8: VLAN 30 Access
Port 1: VLAN Tag (this is called "Trunk" port with Cisco)

(Core?) HP Switch:
Port 1: Tagged
Port X: Untagged 10.10.0.230 (Cisco calls this "Access") VLAN used for networking infrastructure network

The purpose of your core switch is to receive all VLAN traffic and uplink it to your edge devices. That's the way I always see it and work with it.
 
This is the best answer I can come up with, provided your information. I'm assuming the 10.10.0.0 is a /24 network. There's still some information missing, but it looks like you're on the right track.
 
So, let's say my Unifi APs are plugged into ports 1, 2, and 3 on the toughswitch. Those should be untagged for VLAN 20 and 30? My choices on the toughswitch are tagged, untagged, excluded, and there is a separate trunk box I can check which greys out my tagged/untagged/excluded option.

The unifi APs can tag traffic on each SSID with the appropriate vlan.

Then, let's say port 8 on the toughswitch links to port 24 on the HP Procurve. How do I configure those two ports? Both as trunk ports?

How about the rest of the ports on the HP Procurve that have other devices like the server, my untangle firewall etc?
 
see this: http://community.ubnt.com/t5/ToughSwitch/Official-Vlan-Tagging-Definitions/td-p/536946

So, let's say my Unifi APs are plugged into ports 1, 2, and 3 on the toughswitch. Those should be untagged for VLAN 20 and 30? My choices on the toughswitch are tagged, untagged, excluded, and there is a separate trunk box I can check which greys out my tagged/untagged/excluded option.

The unifi APs can tag traffic on each SSID with the appropriate vlan.

IMO, always plan for the future. If the device supports tagging, do it. Less downtime in the future for adding new functionality.

Then, let's say port 8 on the toughswitch links to port 24 on the HP Procurve. How do I configure those two ports? Both as trunk ports?

Yes, both must be trunk ports that allow 20, 30 and whatever VLAN you are calling "Wireless 1".

How about the rest of the ports on the HP Procurve that have other devices like the server, my untangle firewall etc?

Untagged if it's a server. Tagged if it supports tagging. Since you're adding new VLANs, what is your gateway? If it's the firewall, then you will have to tag and create 3 sub-interfaces to correspond to each VLAN's gateway.
 
Sorry, I am still a little confused on when to use tagged vs. untagged, etc.

So, in my example, the toughswitch ports 1, 2, 3 will have a unifi AP plugged directly into each of those ports. The unifi AP will be tagging traffic from devices associated with the two SSIDs. It will tag the traffic as VLAN20 or VLAN30 depending which SSID they are connected to.

Do I need to set ports 1,2,3 as VLAN20=tagged, VLAN30=tagged so the port knows to accept/expect traffic already tagged with those VLANs?

My gateway is my Untangle firewall. I'm planning on setting up those VLANs on my internal interface. Here is the untangle wiki on doing that:
http://wiki.untangle.com/index.php/Network_Configuration#VLANs
 
Rosco,

You tag a port when the device connected to that port understands and can use tags and you need more than 1 vlan to transit that path.

You don't tag a port when a) the device doesn't use/understand vlans, b) only one vlan needs to cross the link (but you CAN if you want) or c) it's the native VLAN.

If only one VLAN is going to transit a link then the downstream device doesn't need tags because it doesn't need to distinguish what VLAN the traffic belongs to.

If there are two VLANs on the line, one of them is usually untagged and one is tagged, however you could just tag both. It doesn't matter so long as the device knows what is what.

The whole point of a TAG is to separate the traffic passing over a link.
 
You'll probably want more VLANs than what you have even on your configuration. A common scenario would be to have a VLAN dedicated just to the servers, another VLAN or two for your wired PCs, and separating student PCs from staff PCs. Then have another VLAN for managed wireless, and one more for guest wireless.

In a real world scenario you're going to end up with a lot of VLANs, but it's going to be the ideal way to keep things separated long term. You certainly don't want students to be on the same network as your servers or your staff, as they will be more likely to have viruses and run things they shouldn't be doing on your network.


So here is an example I might suggest:

VLAN 1: switches, access points and the gateway, i.e. 10.10.0.x/24
VLAN 2: servers, 10.10.2.x/24
VLAN 3: staff PCs, 10.10.3.x/24
VLAN 4: student PCs, 10.10.4.x/24
VLAN 5: student PCs 2, 10.10.5.x/24
VLAN 6: staff wireless, 10.10.6.x/24
VLAN 7: student/guest wireless, 10.10.7.x/24
VLAN 8: IT management, 10.10.8.x/24

If you're working with managed equipment, the management IP does NOT have to be (and should not be) on the same VLAN as other traffic on the device. Using VLANs you can still manage the ToughSwitch and access points because the traffic will be routed correctly from a VLAN which has access to that VLAN. An example would be allowing access from IT VLAN 8 to VLANs 1 and 2. That way you can administer your servers, but someone who manages to get access to your servers still can't compromise the network. (The server VLAN shouldn't have access to the switch VLAN, other than your Untangle gateway.)

It's a bit difficult to get this setup properly at first but if you're already administering for 300+ people it's definitely time to start segregating it more.

So when you use tagged VLANs, which you'll need to do for any port used by a switch or access point, you specify which VLANs that port can use. So for your access points plugged into the ToughSwitch you need to tag 1, 6, and 7 in my example. Then on the UniFis set up those VLANs so the management uses VLAN 1 with a 10.10.0.x IP, and say one SSID is for staff on VLAN 6 (and gets 10.10.6.x IPs from your DHCP server) and another SSID is for students/guests on VLAN 7 (receiving 10.10.7.x IPs from the same DHCP server; there are configuration steps to allow this). This might give you an idea how to configure it: http://www.michaelriccioni.com/how-to-multiple-vlans-single-dhcp-server-multiple-dhcp-scopes-2/


You are correct that you would need to tag ports 1, 2, and 3 with the VLANs you stated so the port communicates that traffic on those VLANs. Basically any time that there will be a link from one device to another that is going to handle multiple subnets, you'll need to tag the interface. Switches and access points are most likely tagged. Servers may or may not be, depending upon what they are doing (a virtual host like ESX or Hyper-V with multiple servers might need multiple VLANs; a normal server likely only needs to be on one network and routed to the others). Client PCs, printers, and other devices most likely will be untagged. (On the switch you will specify a VLAN for them, but the client isn't going to be aware what VLAN it's on, or that it's on a VLAN at all.)


You can handle all of the routing on your HP switch if it has the power, which would likely be ideal since the majority of the traffic going from one VLAN to another is most likely headed to your server or to the internet. Use a good set of ACLs limiting access to only the essentials on the server: UDP port 53 for DNS, UDP ports 67 and 68 for DHCP, and TCP port 445 for network sharing, and possibly ports 137, 138, and 139 if you really need NetBIOS name resolution via WINS (probably not, though). That way, once again, people can't just hammer away at your server looking for open ports.
 