[jc-pro]

Hi all, new to the forums and I'm looking for some friendly suggestions on how I can achieve this:

1) Segregate private network from public wireless network using VLANs?
2) Allow public wireless network clients on a VLAN to get DHCP info from a server?

Basic diagram of physical network layout:


I have a couple questions:

1. I want to create a VLAN just for the public wireless network and leave the rest of the network traffic alone. Can I tag/untag all ports on all switches with the VLAN created specifically for the public wireless network?
2. What happens to traffic that is not tagged with a VLAN ID?
3. I'm a little confused as to what the default VLAN actually does and how it works into my scenario above. Any light on that would be great!

I have a combination of various switch brands and wireless AP's from Cisco SG30028P, Netgear FS752TPS to Dlink DAP-2553 in place, everything supports VLAN's, I know its disparate technology but budget to replace everything is non existent, as much as that would be a smooth solution I have to work with what I've got. The Cisco and Netgear switches are both Layer 2 capable.


Any input would be appreciated.

[zx10guy]

What are you using as a router and where is it in your topology?

[jc-pro]

I have a Sonicwall as the firewall. The main switch plugs into it.

Going a bit deeper into this it seems my issue here is really understanding the implementation of VLAN's using a Cisco SG300, I'm sure once I figure out their interface/terminology I'll get this resolved.

I'll also need to configure the appropriate VLAN on the Sonicwall and setup the built-in DHCP server to hand out IP's to that VLAN.

Great learning experience.

[zx10guy]

You would need to create sub-interfaces for each VLAN you configure to route traffic out to the internet or possibly between each subnet. You would also need to define objects and security zones on the Sonicwall. I recently swapped out a Juniper SRX210 from being my edge firewal to a Sonicwall TZ215W (originally a TZ210W).

You'll need to define your VLANs and ensure the IDs for which subnet and security enclave is consistent across all switches and your network. The concept of tagged and untagged traffic stems from how IEEE 802.1Q VLANs work. SMB web managed switches typically make configuration of VLANs more complicated than necessary. These switches have a concept of PVIDs or port VLAN IDs. This is a definition set on the switch to tell the switch which VLAN to associate untagged/naked frames received on that port....ingress. The configuration on the switch for egress traffic would be to define whether frames leaving that port are from a particular VLAN and if they are tagged or untagged.

Tagging frames allows a frame to carry an identifier in the frame header stating which VLAN that frame belongs to. Tagging of frames allows frames from multiple VLANs to be carried over what is called a trunk. This allows a huge amount of scalability and flexibility in how a switche network is set up. But because the header of the frame is modified, a device has to be able to understand 802.1Q tagging or the frame gets dropped. This is why unmanaged switches can never pass tagged traffic. It just doesn't know how to read the frame. On trunk ports set up to carry multiple VLAN traffic, another concept of native VLANs comes to play. Native VLANs is basically the same as the PVID mentioned above. But the difference is that on trunk, any untagged/unassigned traffic will automatically be dropped into this native VLAN and sent across the trunk link. Other communications are sent between switches over this native VLAN as part of various management overhead so the native VLAN is pretty important in switch operation and also in security design as there are various exploits that take advantage of how native VLANs operate.