03-29-2013 09:54 AM - edited 03-07-2019 12:32 PM
Hey there,
I am looking to introduce multiple VLANs to my network to improve security. I understand the easy concepts, but I am having trouble figuring out how I would set up what I am looking for on my switches, router, etc. Below is the layout of what I am trying to create... would love some input on how this is achieved.
Switches - Four connected SG500-52Ps. Switches are stacked, with the top plugging into an Edgemarc 4550 router. All devices in the buildings go into one of these 4 switches.
1) Use a primary and a guest VLAN that is auto-determined based on MAC. When a user plugs into a data jack anywhere in the building, the switches will read the MAC and either put it on the corporate network, or put them on a guest VLAN with internet-only access.
2) For wireless APs, use the built-in VLAN tagging feature on the AP to tag all data connected to the "GUEST" SSID and put it on the guest VLAN.
3) For remote cameras streaming to the office: I have two to three cameras coming into the building that should be put on the guest VLAN, or another guest-type VLAN (not the corporate network).
I understand the concepts, somewhat, but am getting lost. On the router, I have the default VLAN1, and created guest VLAN2. On the switch, I have created a new VLAN2, but I get utterly lost trying to figure out the "Access, general, trunk" and "tagged" vs "untagged". The tabs "Interface", "Port to VLAN" and "Port VLAN Membership" get my head spinning.
Any advice would be greatly appreciated!
-Jim
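The tagged/untagged and access/trunk/general question in the post above comes down to what a switch does with the 802.1Q header on the way in and on the way out of a port. The following is an added example (not from the original post or from Cisco documentation) that parses 802.1Q tags and models the three port modes for the guest-VLAN scenario described: an AP on a trunk tags GUEST SSID traffic with VLAN 2, the router uplink is a trunk, and a desk jack is an access port in VLAN 1. Port names, MAC addresses and the frame payload are constructed, and the port-mode semantics are the common meaning of the terms; the SG500 manual is authoritative for the exact switch behaviour.

```python
"""802.1Q tag handling on access, trunk and general ports (constructed model)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag follows


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access", "trunk" or "general"
    pvid: int = 1                      # VLAN given to untagged frames that arrive
    tagged: frozenset = frozenset()    # VLANs carried with an 802.1Q tag
    untagged: frozenset = frozenset()  # extra VLANs sent untagged (general mode)


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload).
    vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # VID = low 12 bits of TCI


def strip_tag(frame: bytes) -> bytes:
    """Return the frame without its 802.1Q tag (unchanged if it had none)."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert (or replace) an 802.1Q tag carrying vid; pcp is the priority bits."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify_ingress(port: Port, frame: bytes):
    """VLAN an arriving frame is assigned to on this port, or None if it is dropped."""
    vid = parse_frame(frame)[2]
    if vid is None or vid == 0:              # untagged / priority-tagged: use the PVID
        return port.pvid
    if port.mode == "access":                # access ports carry one VLAN and drop tags
        return None
    if port.mode in ("trunk", "general"):    # accept tags only for member VLANs
        if vid == port.pvid or vid in port.tagged or vid in port.untagged:
            return vid
        return None
    raise ValueError(f"unknown port mode {port.mode!r}")


def build_egress(port: Port, vlan: int, frame: bytes):
    """Frame as it leaves 'port' for 'vlan': untagged, tagged, or None when the
    port is not a member of that VLAN (this is what keeps guests off corporate)."""
    bare = strip_tag(frame)
    if vlan == port.pvid or vlan in port.untagged:   # access VLAN, trunk native, general untagged
        return bare
    if port.mode != "access" and vlan in port.tagged:
        return tag_frame(bare, vlan)
    return None


def guest_isolation_demo():
    """Constructed scenario: AP trunk tags GUEST traffic as VLAN 2; uplink is a trunk;
    a desk jack is an access port in VLAN 1. Names and MACs are made up."""
    ap_port = Port("gi1/1/10", "trunk", pvid=1, tagged=frozenset({2}))
    uplink = Port("gi1/1/1", "trunk", pvid=1, tagged=frozenset({2}))
    desk = Port("gi1/1/20", "access", pvid=1)
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("02aabbccddee")
    guest_frame = tag_frame(dst + src + b"\x08\x00" + b"guest-payload", 2)
    vlan = classify_ingress(ap_port, guest_frame)                     # 2
    return {
        "vlan": vlan,
        "to_router": build_egress(uplink, vlan, guest_frame),         # still tagged VID 2
        "to_desk": build_egress(desk, vlan, guest_frame),             # None: not a member
        "untagged_on_desk": classify_ingress(desk, strip_tag(guest_frame)),  # PVID 1
    }


if __name__ == "__main__":
    print(guest_isolation_demo())
```

The mapping to the switch GUI terms: an access port has one untagged VLAN (its PVID); a trunk has one untagged (native) VLAN plus any number of tagged VLANs; a general port lets you choose per VLAN whether it leaves tagged or untagged. The AP and the router need trunk (or general) ports so VLAN 2 travels tagged; the desk jacks stay access ports, so nothing from VLAN 2 can ever leave them.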
04-01-2013 12:10 PM
Hello Jim,
I have no experience with these types of switches, but after looking into the manual it should be straightforward to configure ports and VLANs.
I do not know if you read it, but the phrases you mention are explained there.
Best Regards
Please rate all helpful posts and close solved questions
04-01-2013 03:38 PM
Hello Jim
Welcome to CSC!
What you are asking is achievable, but the first thing is to understand the current topology - is this a new topology you are wishing to create or an existing one which you want to change?
Regarding your requirements, applying IBNS 802.1X (dot1x) authentication would be a viable solution, but this is not just a simple configuration; it requires some planning and testing including host/switch/access control server.
Please review this link and also Blau grana's link above.
http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html
Please don't forget to rate any posts that have been helpful.
Thanks.
04-02-2013 06:21 AM
Appreciate the responses!
I think I just bit off more than I should have for my first implementation. This is an existing network that has none of the above implemented. I was able to do the wireless VLAN in a matter of minutes, but that was the easy part.
As for the cameras, I think the better solution is to just physically separate them. I don't know why I didn't come up with that to begin with. Separate router/firewall, done.
Where I am stuck is the data ports all around the building that strangers could plug into. I could use a MAC allow/deny list, but what does that really get me? I know how to spoof an IP address, so I imagine anyone who really wanted my data could as well. So maybe the ultimate solution is some kind of authentication/RADIUS server? That takes me even deeper into technology I don't understand yet. Is it tough to get one implemented?
-Jim
04-02-2013 07:16 AM
Hello Jim,
It depends. First I would start by studying the technology, doing some labbing and testing what you want to deploy.
Your switches should support everything you need [the link to the manual is in my previous post].
This can help you start with studying:
http://tldp.org/HOWTO/html_single/8021X-HOWTO/
I think that if you look into this for a few days, you will be able to configure everything you need. Good Luck!
Best Regards
Please rate all helpful posts and close solved questions
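The replies above point at 802.1X and a RADIUS server as the answer to "strangers plugging into data jacks", and the question of what a MAC list "really gets you" is a fair one. What the RADIUS backend adds over a local MAC list is a keyed exchange: the switch sends an Access-Request, the server answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply and a shared secret, and the Accept can carry Tunnel-* attributes that place the port in a VLAN (corporate) while everything else falls back to the guest VLAN. The following is an added example, not code from the original posts, from Cisco, or from any RADIUS server; it implements the RFC 2865 packet format, User-Password hiding and Response Authenticator check for a MAC-based (MAB-style) Access-Request, with both the switch and the server side in one file. Real 802.1X carries EAP inside EAP-Message attributes and requires the Message-Authenticator attribute as well, which this example leaves out. The shared secret, MAC addresses, user table and VLAN numbers are constructed for the demo.

```python
"""RADIUS Access-Request / Access-Accept with VLAN assignment (RFC 2865/2868 shapes, constructed demo)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID = 1, 2, 5, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 2868 values for "VLAN" and "IEEE 802"


def encode_attrs(attrs):
    """attrs: list of (type, value bytes); wire form is Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), seeding the chain with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding removal; fine for text passwords like a MAC string


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, attrs_blob, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_blob))
    return hashlib.md5(hdr + request_auth + attrs_blob + secret).digest()


def switch_access_request(mac: str, password: bytes, port: int, secret: bytes, ident: int):
    """Authenticator (the switch): MAC-based request, MAC as User-Name (assumed shape)."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, mac.encode()),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_PORT, struct.pack("!I", port)),
             (CALLING_STATION_ID, mac.encode())]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server: recover the password, check the user table, answer Accept+VLAN or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    entry = users.get(a.get(USER_NAME, b"").decode(errors="replace"))
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    if entry and hmac.compare_digest(entry["password"], pw):
        code, resp_attrs = ACCESS_ACCEPT, [   # leading 0x00 is the RFC 2868 tag byte
            (TUNNEL_TYPE, b"\x00" + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
            (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(entry["vlan"]).encode())]
    else:
        code, resp_attrs = ACCESS_REJECT, []
    blob = encode_attrs(resp_attrs)
    return build_packet(code, ident, response_authenticator(code, ident, blob, request_auth, secret), resp_attrs)


def switch_handle_response(resp: bytes, request_auth: bytes, secret: bytes, ident: int, guest_vlan: int):
    """Authenticator: verify the Response Authenticator first; anything unverifiable,
    and any Reject, lands the port in the guest VLAN."""
    code, rid, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, rid, resp[20:], request_auth, secret)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return {"authorized": False, "vlan": guest_vlan, "reason": "bad authenticator"}
    if code != ACCESS_ACCEPT:
        return {"authorized": False, "vlan": guest_vlan, "reason": "rejected"}
    a = dict(attrs)
    if (a.get(TUNNEL_TYPE, b"")[1:] == struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
            and a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == struct.pack("!I", TUNNEL_MEDIUM_802)[1:]):
        return {"authorized": True, "vlan": int(a[TUNNEL_PRIVATE_GROUP_ID][1:]), "reason": "accept"}
    return {"authorized": True, "vlan": guest_vlan, "reason": "accept without VLAN"}


def demo():
    secret = b"constructed-shared-secret"                    # constructed: switch/server secret
    users = {"00-11-22-33-44-55": {"password": b"00-11-22-33-44-55", "vlan": 1}}  # constructed MAB entry
    req, ra = switch_access_request("00-11-22-33-44-55", b"00-11-22-33-44-55", 10, secret, 7)
    corp = switch_handle_response(server_handle(req, secret, users), ra, secret, 7, guest_vlan=2)
    req2, ra2 = switch_access_request("aa-bb-cc-dd-ee-ff", b"aa-bb-cc-dd-ee-ff", 11, secret, 8)
    guest = switch_handle_response(server_handle(req2, secret, users), ra2, secret, 8, guest_vlan=2)
    forged = build_packet(ACCESS_ACCEPT, 8, os.urandom(16), [(TUNNEL_PRIVATE_GROUP_ID, b"\x001")])
    spoof = switch_handle_response(forged, ra2, secret, 8, guest_vlan=2)   # no secret, no Accept
    return {"corp": corp, "guest": guest, "forged": spoof}


if __name__ == "__main__":
    print(demo())
```

The point for the original question: a MAC-only decision made on the switch is only as good as the MAC, but once the decision is delegated to RADIUS, an Accept can only be produced by a party holding the shared secret, and the same exchange carries the VLAN the port should be placed in. Moving from this MAC-based request to full 802.1X changes the credential (EAP, typically certificates or a domain login) but keeps the same switch-to-server exchange and the same VLAN attributes.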