VLANs and Wired Networks

Does anyone know how a VLAN works? I have a wireless access point (Cisco WAP4410N) that is connected to a Netgear GS108E switch (will pass VLAN traffic) which is finally connected to a Netgear FVS318G firewall. I also have a wired network connected to the firewall ports.

I know the wireless access point that is creating the VLANs adds bits to the packets that identify which VLAN they go to, but what keeps any of the VLANs from seeing the wired network? How does that work? What keeps the wired network secure? Does the wired portion of the network reside on one of the VLANs?

Does it make a difference if the wired portion of the network is connected to the switch or the firewall in terms of security?
 
VLANs are just "virtual LANs".
They are for security.

How is your organization set up?
Most home offices don't need them.

Let's say you have Marketing, Sales, and Testing all on the same LAN.
You don't want them to access each other's data, intentionally or unintentionally.
So you set up 3 VLANs. It keeps each LAN from talking to the others unless the traffic first passes through a router. The router controls who can do what.
Otherwise a switch would just forward data wherever it wanted to go.

Another use is that you can also provide a "Customer" access point so that customers who show up with their own device have access to the internet, yet you are better protected from their prying eyes.

Think of a VLAN as a tunnel. It goes to the router, and the router controls what devices on that network are able to access.
 
A VLAN is, as the name implies, a Virtual LAN (Local Area Network).

The key components in any network using VLANs are the pieces of equipment that are VLAN aware. These pieces of equipment are set up to pass or isolate VLAN traffic depending on how you want the network set up.

On a switch, the two main types of port configurations that are relevant here are trunk and access ports. A trunk port carries all VLAN information for the network, meaning that anything plugged into the trunk port has access to all of the VLANs.

An access port, on the other hand, is chained to a specific VLAN as defined in your switch configuration.

A VLAN-aware Access Point is basically a wireless switch. Its main feed is a trunk port from your switch, so it has all the VLAN information, and the VLANs are set up for each SSID. So if you had wireless SIP phones, you'd put them on their own VLAN; if you had a public WiFi network for guests, you'd put it on its own VLAN; and a private network, again, on its own VLAN.

Devices plugged into the switch would be on access ports. Each device would be limited to whatever VLAN you wanted it to have access to.

The caveat here is L3 switches. These switches can route, which means that, unless you define restrictions on the switch, it will route between the VLANs. So a computer on VLAN1 trying to access information on the subnet that VLAN2 resides on will be routed there by the switch unless you explicitly tell it not to.

With an L2 switch, this is not an issue.

So, your VLANs are then defined again on the router. A trunk port from the router to the switch is what passes the information between them. On the router again, you have to explicitly define whether you want routing between VLANs or not. You can, at least on Cisco gear, block routing between specific VLANs whilst allowing routing between others. This can be useful.

If the above is not clear enough, please let me know and I can elaborate further.
 
I think I didn’t word my question properly and that’s probably because I’m a bit sketchy on what I’m doing. Sorry.

We have one Internet connection which is connected to the Netgear FVS318G firewall. Connected to that firewall is the Netgear GS108E switch. The last item is the Cisco WAP4410N wireless access point which is plugged into the switch. At this time I am setting up the wireless access point with one SSID although it can create more if I wanted. I may wish to do so later but one will do for now.

My biggest concern and question is about my wired network. Since there are unused ports on both the switch and the firewall, does it make a difference where I plug in the wired network? The switch is managed so I can tell it that certain Ethernet ports are one VLAN and others are another. I’m thinking that is what I should do – put the wireless traffic on one VLAN and the wired on another. And yes – I will set the settings so that the two cannot communicate. But what would happen if I connected the wired network to an unused firewall port (rather than a switch port)? Could wireless traffic see the wired network since the wired network is connected after the switch?

Does that make any sense?
 
Heh, ya I was afraid of that.

Take a look at this, particularly the sample setup picture lower down on the page:

http://www.netgear.com/business/products/switches/prosafe-plus-switches/gs108e.aspx#

This is pretty much what I have except the wireless access point is a Cisco unit, not a Netgear.

OK, see all those open Ethernet ports on the firewall? What happens if I plug something (like a computer) into one of those ports? Are they separate from/protected from any of those VLANs?

And no I don't think the firewall does VLANs as such, at least from what I can read online. I can buy a different firewall if I need to. I just was going on what the pretty picture showed...

Originally Posted By: OVERK1LL
No, not really, LOL!

Does your Firewall/Router do VLANs too?
 
For this to be set up properly, anything participating in the VLAN setup needs to be VLAN aware. That includes your router/firewall.

We recently had a "post your network setup" thread on here, so I'll post my picture from that thread to give you an idea of what you should be shooting for:

[Attached image: topology2012.jpg]
 
Just to add, the setup they depict doesn't include a VLAN aware firewall/router.

The firewall/router would be on the default VLAN, VLAN1.

The server and NAS are shown to have access to both VLANs; the AP is isolated to VLAN2.

Unless the switch is Layer 3 (which, given the vagueness of Netgear's terminology, it may very well be) then it won't be routing between VLANs. On the other hand, the topology they depict would work (properly) with an L3 switch, since it can handle the inter-VLAN routing with the Internet connection on VLAN1.

Definitely not how I would design it, but then I'm a Cisco guy.
 
First off thanks for the help. I think the Netgear switch is the only VLAN capable thing in the setup, and I think they show everything hooked to the switch for this very reason. I think anything downstream of that switch is ambiguous in terms of what happens, maybe you know more but that's what I suspect. The firewall router in this setup should only have that switch connected to it and nothing else.

The switch does allow or restrict inter-VLAN traffic. In my setup I will prohibit it since the WAP is for guest wifi in a cafe.

I was pretty much just wondering what would happen if you connected something to that firewall router; I think the answer is it could be bad. I might try it if I have time and see what a wifi client can see of the rest of the network.

But thanks for your responses.
 
Well, an easy way to check what is going on is to see if they are all on the same subnet. See if you can ping from one of the wireless clients to one of the wired clients. If you can, well..... LOL


For this config I'd have a 1921 (or something similar) with VLAN1 and VLAN2. gi0/0 would be my WAN port, gi0/1 would be LAN and trunked.

Switch would be a 2960 (layer 2) with whatever ports you wanted to be private assigned as access ports in VLAN1.

Assuming a VLAN aware AP, it would be on a trunk port.

Assuming a non-VLAN aware AP and the clients are public, it would be on an access port assigned to VLAN2.

Both VLANs would have their own DHCP pools (as indicated in my diagram) as they are on completely separate subnets.

You could have a bank of access ports assigned to VLAN2 as well, which would then be on the same subnet as the AP.
But giving this topic a little more thought here.
If one were forced into the confines of using the equipment listed, one could obtain network segregation by leveraging two separate internet connections.

Port 0 on the switch is VLAN1
Port 1 on the switch is VLAN2

These are both feeds from two separate routers. They could both be connected to the same cable modem if you were assigned more than one IP from your ISP...

Ports 3-5 are on VLAN1. These are your private network ports.
Ports 6-8 are on VLAN2. You put your AP on port 8, 6 and 7 are access ports for VLAN2.

This gives you isolation and privacy, two separate subnets, and still retains the cheap equipment.
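As an added illustration (not posted by anyone in this thread) of OVERK1LL's explanation of access and trunk ports and of the 1921/2960 layout above, this Python model of an 802.1Q-aware layer-2 switch shows why a guest frame arriving on the AP's access port is never delivered to the private VLAN's ports: access ports get the switch-assigned VLAN, frames leave untagged on access ports and tagged on the trunk, and flooding stays within the VLAN. The port names, VLAN numbers and MAC address are constructed for the example; like an L2 switch, it does no inter-VLAN routing.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows

def build_frame(dst, src, vid=None, payload=b""):
    """Build an Ethernet frame; insert an 802.1Q tag (PCP=0, DEI=0) when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload   # 0x0800 = IPv4 payload

def parse_tag(frame):
    """Return (vid, frame_without_tag); vid is None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]   # VID is the low 12 bits of the TCI

class L2Switch:
    def __init__(self, ports):
        self.ports = ports    # {name: ("access", vid)} or {name: ("trunk", {allowed vids})}
        self.mac_table = {}   # (vid, mac) -> port: MAC learning is kept per VLAN

    def forward(self, ingress, frame):
        """Return {egress_port: frame_as_sent}; an empty dict means the frame is dropped."""
        mode, cfg = self.ports[ingress]
        vid, bare = parse_tag(frame)
        if mode == "access":
            if vid is not None:
                return {}          # access ports accept only untagged frames
            vid = cfg              # the switch assigns the port's own VLAN
        elif vid is None or vid not in cfg:
            return {}              # trunk: untagged or disallowed VLAN is dropped
        self.mac_table[(vid, bare[6:12])] = ingress
        known = self.mac_table.get((vid, bare[:6]))
        candidates = [known] if known else list(self.ports)   # unknown/broadcast: flood the VLAN
        out = {}
        for p in set(candidates) - {ingress}:
            pmode, pcfg = self.ports[p]
            if pmode == "access" and pcfg == vid:
                out[p] = bare      # leaves the access port untagged
            elif pmode == "trunk" and vid in pcfg:
                out[p] = bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
        return out

def guest_broadcast():
    """Private PCs on VLAN 1 access ports, guest AP on a VLAN 2 access port, router on the trunk."""
    sw = L2Switch({"gi0/1": ("trunk", {1, 2}), "fa0/3": ("access", 1),
                   "fa0/4": ("access", 1), "fa0/8": ("access", 2)})
    guest_mac = bytes.fromhex("020000000002")    # constructed MAC of a guest wifi client
    out = sw.forward("fa0/8", build_frame(b"\xff" * 6, guest_mac, payload=b"who-has?"))
    return sorted(out)   # only the trunk toward the router sees it; the VLAN 1 PCs never do
```

Plugging a wired PC into a port the switch does not tag (or into the non-VLAN-aware firewall) puts it outside this model entirely, which is exactly the ambiguity raised in the thread.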
 