VLAN Design

I need to add a couple of VLANs for wireless trusted machines and wireless guests. Wireless trusted machines may connect to anything; guests may not connect to servers but may reach the Internet.

Right now, everything is 192.168.1.0/24. The wireless trusted network could be 192.168.2.0 and the wireless guests 192.168.3.0.

DHCP is running on a Windows 2003 server and I've been told that the MAC address of wireless trusted hosts can be used to give these machines static addresses in the 192.168.2.0 range. The wireless guests would get their address from the access point. This seems a bit convoluted. Is there a better way to set this up?

The routers, switches, servers, and printers are all on the same network as trusted wired hosts. I believe this means that the default VLAN, the native VLAN, and the management VLAN would all be VLAN 1. Is this considered acceptable design?

Bob Simon

What you are referring to is 802.1X, which allows you to give certain IPs based on MAC or certain authentication credentials. If they don't pass the right stuff, they can be put into a 'guest' VLAN which you then want to make sure is locked down via ACLs or whatever as appropriate. I believe this requires additional hardware and authentication mechanisms, as well as APs that support 802.1X, but someone on here may be able to correct me there.

Acceptable enterprise design is the segmentation of the unauthorized (guest) users. How you design your other networks is up to you (servers vs. users, server type, geography, floor, etc), I just encourage you to pick a design that logically makes sense and is scalable. In my company (very very large), we segment by function and geography, depending on the situation.

If this is a small office, and you're looking for a cheap solution, buy another AP, minimize the signal for its coverage, and configure it as open authentication. Make sure you ACL it off and only allow external web traffic (http, https). Anything that goes on it will be protected, and your real trusted users can authenticate to the other AP using proper credentials.

802.1X is definitely supported on Cisco APs, just not sure what kind of authentication server you need if any on the backend, in addition to trunked networks of course.


Trendkill
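The "ACL it off and only allow external web traffic" part of the answer above, written out as an added example (not configuration from the thread or from any poster). It assumes the router described in the question does router-on-a-stick on FastEthernet0/0 with one dot1Q subinterface per VLAN, that the existing 192.168.1.0/24 stays on VLAN 1, that wireless trusted is 192.168.2.0/24 on VLAN 2 and wireless guests 192.168.3.0/24 on VLAN 3 as the question proposes, and that the Windows server at 192.168.1.10 is the DNS server guests are allowed to query; that address, the interface names and the VLAN numbers are assumptions. The ordering is the security-relevant point: the denies for every internal range come before the Internet permits, because a bare `permit tcp ... any eq www` on its own would also let guests reach an internal web server.

```cisco
! Added example. Router-on-a-stick: one physical interface, one dot1Q
! subinterface per VLAN. Addresses follow the thread; 192.168.1.10 as the
! DNS server is an assumption.
!
ip access-list extended GUEST-IN
 remark --- Things guests legitimately need from the inside ---
 remark DHCP, only matters if the guest pool is served centrally rather than by the AP
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver only (assumed 192.168.1.10), nothing else on that host
 permit udp 192.168.3.0 0.0.0.255 host 192.168.1.10 eq domain
 remark --- Everything else internal is off limits; these MUST precede the Internet permits ---
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.3.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark --- Web to the Internet only ---
 permit tcp 192.168.3.0 0.0.0.255 any eq www
 permit tcp 192.168.3.0 0.0.0.255 any eq 443
 remark Log the rest so probing from the guest network shows up in syslog
 deny   ip any any log
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 description Wired LAN (existing)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 description Wireless trusted (may reach anything)
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 description Wireless guests (Internet web only)
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group GUEST-IN in
```

Two caveats worth knowing before relying on this. First, an IOS ACL is stateless: applied `in` on the guest subinterface it only filters what guests originate, and nothing here inspects traffic coming back towards them, so a stateful firewall between the guest VLAN and the rest (which is what the later reply about taking the VLANs into a firewall amounts to) is the stronger design. Second, the deny for 192.168.0.0/16 also blocks guests from talking to the gateway itself beyond DHCP and DNS, which is intended; if you later add a captive portal or proxy on the gateway, it needs its own permit above the denies.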

Since there are under 75 devices on this entire network, I only need to segment off the guests and apply ACLs to keep them off the main network.

Unfortunately, this approach will not work because the company is on four floors and both trusted hosts and untrusted guests will need wireless network access on all floors. I think I'm stuck with using MAC credentials because we don't have time to investigate and implement other authentication protocols.

Thanks for the pointer. Bob

Bob Simon

Cisco APs can advertise / run different SSIDs and link them onto different VLANs trunked across your switches.

Then all you need to do is keep those VLANs segregated (i.e. take them as VLANs into a firewall and apply different rule sets).

good place to start: [link]

and one that explains how to do what you want: [link]

Acceptable, yes; good, no (although processors in switches have got better/faster along with everything else, so it's not as big a deal as it used to be).

Ideally the default VLAN (usually VLAN 1) should only have mgmt protocols and NMS.

everything else should be on other VLANs.

There must be a best practice guide on the Cisco site somewhere - try [link] or do a search.

stephen
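The two points in the reply above, an AP advertising one SSID per VLAN trunked across the switches, and keeping management off VLAN 1, as one added example; this is not configuration from the thread or from any poster. It assumes an Aironet access point running IOS (the 1100/1200-series style `dot11 ssid` syntax), a Catalyst switch port facing it, VLAN 2 for wireless trusted and VLAN 3 for wireless guests as proposed in the question, and a new VLAN 10 (192.168.10.0/24) for management; the VLAN 10 numbering, the addresses, the interface names and the SSID names are assumptions. The trusted SSID uses WPA-PSK rather than the MAC-based approach the thread settles on, because a MAC address is visible in every frame and is trivially spoofed, while a pre-shared key needs no RADIUS server to deploy. One constraint of these APs is also built in: the AP's own management interface (BVI1) has to sit on the trunk's native VLAN, so the native VLAN on both ends is the management VLAN rather than VLAN 1.

```cisco
! Added example. --- Aironet (IOS) access point ---
! One SSID per VLAN. Radio and Ethernet each carry VLAN 2 and 3 tagged;
! the AP's management traffic (BVI1) rides the native VLAN, 10 here.
!
dot11 ssid corp-wifi
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 <long-random-passphrase>
!
dot11 ssid guest-wifi
 vlan 3
 authentication open
 guest-mode
!
interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers tkip
 ssid corp-wifi
 ssid guest-wifi
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface FastEthernet0
 no ip address
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.10.20 255.255.255.0
ip default-gateway 192.168.10.1

! --- Catalyst switch, port facing the AP ---
vlan 2
 name WIRELESS-TRUSTED
vlan 3
 name WIRELESS-GUEST
vlan 10
 name MGMT
!
interface FastEthernet0/24
 description Trunk to Aironet AP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2,3,10
 switchport mode trunk
 switchport nonegotiate
!
! Management off VLAN 1: the switch's own IP moves to VLAN 10. VLAN 1 keeps
! switching the existing 192.168.1.0/24 wired hosts; shutting down the SVI
! only removes the switch's address from it, not the VLAN itself.
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 description Management
 ip address 192.168.10.1 255.255.255.0
```

Three things to check after applying it. `switchport trunk allowed vlan 2,3,10` means VLAN 1 is not on the trunk at all, so a guest client cannot end up bridged onto the wired LAN even if the AP is misconfigured; `switchport nonegotiate` turns off DTP so nothing on the AP side can renegotiate the port; and `guest-mode` makes only the guest SSID appear in beacons, which is a convenience for visitors, not a security control for the trusted SSID. The guest VLAN still needs the firewall rule set or ACL the reply describes; this fragment only delivers it, tagged, to wherever that policy is enforced.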

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.