[ale] Off topic but we're already almost there: VLANS?

Thu Feb 25 14:07:58 EST 2021

I have never worked with VLANS before.

My understanding is the simple (ha!) way of doing VLAN is to let the 
wired switches (NetGear) assign it based on what port into which things 
are plugged.

Imagine a church with offices and sanctuary upstairs, community schools 
and distance Learning downstairs, printers for each, and Wifi hotspots 
here and there. And now everything is getting a 192.168.1.x address 
assigned by the DHCP on the Firewall Router.

And there are some obvious reasons you might not want students 
downstairs having access to office computers, or the audio mixer in the 
sanctuary, but they might need to print something on occasion.

Ergo the outline of Routers/VLANS I'm thinking of is below.  Indented 
generally means "I'm plugged into this device above".

Main Firewall Router: (now Cisco, but likely Ubiquity soon)
     - Comcast VoiceEdge Server (No VLAN)
     - Office Switch (NetGear)
         - VLAN1
             - PolyCon Office phone-sets
                 - Computers Connected to them
             - Computers wired direct to switch
             - Office Wifi Hotspot
         - VLAN2
             - Sanctuary Switch
                 - Propresenter PC
                 - Streaming encoder
                     - Camera
                 - X32 Wifi Hotspot
                     - X32 Audio Mixer
                     - Mixer Control Tablets
         - No VLAN assigned
             - Office HP Printer
             - Office Toshiba Printer
             - Hanberry Hall Wifi Hotspot

     - Downstairs Switch (NetGear)
         - VLAN3
             - Community Schools phone-sets
                 - Computers Connected to them

             - Downstairs Hallway Wifi Hotspot
                 - Students doing Distance Learning
             - Shepherd's Hall Wifi Hotspot?? (do we have to move cable? 
Or can that hotspot claim VLAN3?)
                 - Students doing Distance Learning
         - No VLAN assigned
             - Community Schools Toshiba Printer

My understanding is that each switch will add the VLAN tag, and that by 
default the Firewall Router will not pass data from one VLAN to another 
VLAN.  Thus:
- Any device can obtain internet NAT service;
- Any device can print to any printer NOT on a VLAN;
- Any device can access the VoiceEdge server;
- No devices outside the Sanctuary VLAN2 can access it;
- No devices outside the Office VLAN1 can access it;
- There is no need to enforce the Guest logins on the downstairs Wifi, 
as there are no resources to compromise other than paper and toner.

How Comcast voice behaves is important to know.  Do phone-sets only talk 
to the voice server?  or do they talk to each other?   I shall attempt 
to beat an answer out of them on this.

Am I thinking right on this?  what Firewall Router feature requirements 
are needed to support this?

regards,

Neal