[ale] Off topic but we're already almost there: VLANS?

neal at mnopltd.com
Tue Mar 2 10:59:03 EST 2021


Thanks for bursting my bubble. Psychologists talk about networks of 
"supporting" people, who make you feel better, and "challenging" people, 
who tell you ... otherwise.

And thanks to all that advised me that VLANS can be a world of hurt that 
maybe we don't want to get into. I vastly prefer to be told I'm wrong 
at the hypothetical stage.

We're looking at using one of the smaller Ubiquiti EdgeRouters, which 
appear to directly provide firewall packet inspection on the LAN ports, 
and seem to have an article which directly addressed our scenario of a 
Trusted LAN versus Guest Wifi, and still allowing selected Guest Wifi 
clients to access specific devices on the trusted LAN. Their example 
is webserver, and ours would be printers.

https://help.ui.com/hc/en-us/articles/218889067

This seems to be far less complex.

regards,

Neal


On 2021-02-27 17:55, Phil Turmel via Ale wrote:
> Hi Neal,
> 
> On 2/25/21 2:07 PM, Neal Rhodes via Ale wrote:
>> 
>> I have never worked with VLANS before.
> 
> A key behavior that your notes suggest you are missing is that VLANs
> are implemented with an extra ethernet header (that happens to do
> double duty with packet prioritization, but that's a side note).
> 
> Switches that support VLANs generally designate a physical port as
> either "access" mode--no VLAN header aka "untagged", or "trunk"
> mode--always a VLAN header aka "tagged".  Standard 802.1Q vlans can
> have VLAN tag numbers from 1 to 4095.
> 
> Untagged ports have all incoming packets assigned to a single
> configured VLAN (default == 1) before forwarding to the switch fabric,
> and filter out packets from the switch fabric that don't belong to
> that VLAN.
> 
> Tagged ports are assigned a list of allowed VLAN numbers.  They expect
> incoming packets to have an 802.1Q tag having one of the numbers,
> dropping any that don't belong before forwarding to the switch fabric.
> Similarly, they only send out from the switch fabric packets that have
> one of the allowed VLAN numbers, and always include the header.
> 
> There is no such thing as "No VLAN assigned".  A VLAN-capable switch
> will always place every packet in a VLAN.  Most such switches default
> to "access" mode on all ports with all ports using VLAN 1.  Which
> *looks* like no VLAN.
> 
>> My understanding is the simple (ha!) way of doing VLAN is to let the 
>> wired switches (NetGear) assign it based on what port into which 
>> things are plugged.
> 
> Pretty sure you are going to have to configure your VLANs deliberately.
> 
>> Imagine a church with offices and sanctuary upstairs, community 
>> schools and distance Learning downstairs, printers for each, and Wifi 
>> hotspots here and there. And now everything is getting a 192.168.1.x 
>> address assigned by the DHCP on the Firewall Router.
> 
> DHCP is only going to cover the VLAN it is attached to.  You will need
> a DHCP server for each VLAN, and a separate subnet for each.
> 
>> And there are some obvious reasons you might not want students 
>> downstairs having access to office computers, or the audio mixer in 
>> the sanctuary, but they might need to print something on occasion.
> 
> Somewhere in this mix you will need a router to let users reach the
> printers.  If they can reach the printers, they can reach other
> computers in the same subnet as the printers, unless your router is
> also a firewall with strict rules.
> 
> Onwards to your diagram:
> 
>> Ergo the outline of Routers/VLANS I'm thinking of is below.  Indented 
>> generally means "I'm plugged into this device above".
>> 
>> Main Firewall Router: (now Cisco, but likely Ubiquiti soon)
>>      - Comcast VoiceEdge Server (No VLAN)
>>      - Office Switch (NetGear)
>>          - VLAN1
>>              - Polycom Office phone-sets
>>                  - Computers Connected to them
>>              - Computers wired direct to switch
>>              - Office Wifi Hotspot
>>          - VLAN2
>>              - Sanctuary Switch
>>                  - Propresenter PC
>>                  - Streaming encoder
>>                      - Camera
>>                  - X32 Wifi Hotspot
>>                      - X32 Audio Mixer
>>                      - Mixer Control Tablets
>>          - No VLAN assigned
>>              - Office HP Printer
>>              - Office Toshiba Printer
>>              - Hanberry Hall Wifi Hotspot
>> 
>>      - Downstairs Switch (NetGear)
>>          - VLAN3
>>              - Community Schools phone-sets
>>                  - Computers Connected to them
>> 
>>              - Downstairs Hallway Wifi Hotspot
>>                  - Students doing Distance Learning
>>              - Shepherd's Hall Wifi Hotspot?? (do we have to move cable? Or can that hotspot claim VLAN3?)
>>                  - Students doing Distance Learning
>>          - No VLAN assigned
>>              - Community Schools Toshiba Printer
> 
> You will have to specify what ports on each switch are what kind.
> Your main router will have to connect to your secondary routers via
> "trunk" ports if you want multiple VLANs to interconnect.
> 
> Linux can do trunk ports if needed (for your multiple DHCP support
> and/or routing, perhaps).
> 
> 
>> My understanding is that each switch will add the VLAN tag, and that 
>> by default the Firewall Router will not pass data from one VLAN to 
>> another VLAN.  Thus:
>> - Any device can obtain internet NAT service;
> 
> Nope.  Only the VLAN that is on the default VLAN for the router,
> unless you deliberately configure more route rules.
> 
>> - Any device can print to any printer NOT on a VLAN;
> 
> Nope.
> 
>> - Any device can access the VoiceEdge server;
> 
> Nope.
> 
>> - No devices outside the Sanctuary VLAN2 can access it;
> 
> Nope.
> 
>> - No devices outside the Office VLAN1 can access it;
> 
> Nope.
> 
>> - There is no need to enforce the Guest logins on the downstairs Wifi, 
>> as there are no resources to compromise other than paper and toner.
>> 
>> How Comcast voice behaves is important to know.  Do phone-sets only 
>> talk to the voice server? Or do they talk to each other? I shall 
>> attempt to beat an answer out of them on this.
> 
> 
>> Am I thinking right on this?  what Firewall Router feature 
>> requirements are needed to support this?
> 
> Any VLAN-capable switch will handle the packets.  You need router
> features in the switch or in a separate device on a trunk port to
> handle the traffic between VLANs.
> 
>> 
>> regards,
>> 
>> Neal
> 
> Sorry to burst your bubble.
> 
> Phil
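Phil's description above of access ("untagged") and trunk ("tagged") ports, as an added example that is not part of the original thread: a small Python model of one hop through an 802.1Q-aware switch, showing that every accepted frame lands in exactly one VLAN (an "unassigned" access port is really VLAN 1), that trunk ports drop untagged or non-member frames, and that the same 16-bit tag field carries the priority bits. The MAC addresses, port names and allowed-VLAN sets are constructed, and dropping a tagged frame that arrives on an access port is an assumed simplification (real switches differ by vendor).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame, inserting the 4-byte 802.1Q header when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid, pcp, rest); vid is None for an untagged frame and
    rest is the inner EtherType plus payload with any tag removed."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return dst, src, None, 0, frame[14:]
    tci = struct.unpack("!H", frame[14:16])[0]
    return dst, src, tci & 0x0FFF, tci >> 13, frame[16:]  # VID: low 12 bits, priority: top 3

def switch_forward(in_port, frame, out_port):
    """One hop through a VLAN-aware switch: classify on ingress, filter and re-tag on
    egress. Returns the frame as it leaves out_port, or None if the switch drops it."""
    dst, src, vid, pcp, rest = parse_frame(frame)
    if in_port["mode"] == "access":
        if vid is not None:
            return None              # tagged frame on an access port: dropped (assumed policy)
        vid = in_port["vlan"]        # untagged traffic is placed in the port's VLAN (default 1)
    elif vid is None or vid not in in_port["allowed"]:
        return None                  # trunk: untagged or non-member VID never reaches the fabric
    if out_port["mode"] == "access":
        # only the port's own VLAN leaves an access port, and it leaves without a header
        return dst + src + rest if vid == out_port["vlan"] else None
    if vid not in out_port["allowed"]:
        return None
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + rest

# Constructed sample MACs and port configurations (not taken from the thread)
PRINTER, PC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
OFFICE_VLAN1 = {"mode": "access", "vlan": 1}  # an "unassigned" port is really VLAN 1
SANCTUARY_V2 = {"mode": "access", "vlan": 2}
UPLINK_TRUNK = {"mode": "trunk", "allowed": {1, 2, 3}}

if __name__ == "__main__":
    job = build_frame(PRINTER, PC, 0x0800, b"print-job")
    out = switch_forward(SANCTUARY_V2, job, UPLINK_TRUNK)
    print("VLAN2 host -> trunk, VID on the wire:", parse_frame(out)[2])          # 2
    print("VLAN1 host -> VLAN2 port:", switch_forward(OFFICE_VLAN1, job, SANCTUARY_V2))  # None
    tagged = build_frame(PRINTER, PC, 0x0800, b"print-job", vid=2, pcp=5)
    print("trunk -> VLAN2 port, tag stripped:", switch_forward(UPLINK_TRUNK, tagged, SANCTUARY_V2) == job)  # True
```

The VLAN1-to-VLAN2 case returning None is the switch-level reason a router (or router-plus-firewall) is still needed between VLANs, as Phil notes.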