Creating virtual LANs

cainl
Level 1

I'm a newfer and I know enough to be dangerous.

I have a classroom lab, with an ISP upstream supplying DHCP services.  I want to use my Catalyst 2950 to support a classroom full of PCs and also allow Internet access for student cell phones.  I want to use a WAP to run DHCP for the cell phones, but not for the PCs.  (PCs are on 10.1.10.0/24, cell phones are on 192.168.1.0/24).

My thinking is that I can use VLAN 1 for the PCs and VLAN 2 for the WAP.  I have assigned Fa0/33 and Gi0/1 to VLAN 2.  My Internet connection currently goes to Gi0/2, but I plan on moving it to Gi0/1 if I can get everything working.

I have set up Gi0/1 as a trunk port, which I thought would allow me to associate it with both VLAN 1 and VLAN 2, but somehow I moved Gi0/1 from VLAN 1 to VLAN2.

My question is, is my concept sound, and if so, how do I set up GI0/1 so that I can move my Internet connection to it and both VLAN 1 and VLAN 2 will have access to the Internet?


8 Replies

Richard Burts
Hall of Fame

Conceptually the plan of having a vlan for PCs, a vlan for wireless for phones, and a vlan for Internet access is fine. But the main issue in your plan is the switch that you have. A 2950 should be able to configure and operate several different vlans. But the 2950 is a layer 2 switch and so is not capable of routing between the vlans. For your plan to work you need either to upgrade to a different switch which would be capable of layer 3 routing, or you need to provision a layer 3 device (router or layer 3 switch) to enable communication between the vlans.


There are several things that you should consider as you decide which option to choose. For one thing you are using private addressing in your lans (as you should). For them to be able to communicate with the Internet you will need address translation. Perhaps the ISP might provide that service. But the better thing would be for you to use a router which can do address translation for your private addressing. Note that until you get up to the level of 6500 switches the Catalyst switches do not support address translation. Another thing to consider in your choice of what to use is the question of security. Do you want your networks to be open to the Internet with no protection? You should think about what kind of device would provide a level of protection for your network and a router (or perhaps a firewall) probably give you more options for protecting your network than a switch would.

HTH

Rick

In my school's hoard of antiquated equipment is a 2611 router with two ethernet ports.  So if I connect my Internet connection to a port on VLAN 1 on the 2950 switch, connect another port on VLAN 1 to fa0/0 on the router, connect fa0/1 on the router to a port on VLAN 2 on the 2950 switch, and connect my WAP to VLAN 2, I should get Internet access for cell phones connecting to the WAP (the WAP has its own security, and my PCs are members of a domain).  I'll need to configure the fa ports with IPs and subnet masks on their respective networks.  Does this sound workable?  Probably not very elegant, but this is a classroom setting.

There is an issue with what you are suggesting. If I am understanding correctly you plan to have 2 subnets in your classroom (10.1.10.0 and 192.168.1.0) and I assume that your connection to the ISP probably is on a third subnet (and probably uses a Public IP rather than private). The way that you suggest connecting the 2611 will certainly provide routing and connectivity for the classroom subnets. But I do not see how it would also provide routing to the ISP for Internet access, and am not sure about it providing address translation.


I do understand that in a school situation we sometimes have to make do with what is available. But I am afraid that in this situation what is available is not sufficient for you to accomplish what you need to accomplish. It looks to me like you need either a router that supports dot1q trunking or you need a router with 3 Ethernet interfaces.

HTH

Rick

Not exactly. The ISP is supplying DHCP addressing with a scope in the 10.1.10 range. So my connection to the ISP goes to a Gigabit port on my switch and from there to the PCs connected to the switch. That is one subnet.

My WAP hands out addresses on the 192.168.1 wirelessly, as long as nothing is plugged in to the ports. That's for cell phones, and that is the second subnet.

I'm proposing to connect a port on the WAP to an fa port on the router, which I will configure to be on the 192.168.1, and I'll connect a port on the switch to the other fa port on the router, which I will configure to be on the 10.1.10.

The WAP will hand out a default gateway of the fa address, and DNS addresses on the 10.1.10 as well as the ISP's DNS. I suppose I'll have to put a static address into the router (to get to the ISP's DNS 75.75.75.75).

Address translation is taking place upstream, and is transparent to me.

Any thoughts?

Thanks for the additional information. If the ISP is providing DHCP assignments in the 10.1.10.0 network and is providing address translation for that subnet then it does resolve some of the issues that I mentioned. Will the ISP also provide address translation for the 192.168.1.0 addresses?

HTH

Rick

I think so. Last year we used the WAP as a router and brought the Internet connection in and let the WAN side of the WAP/router accept a 10.1.10 address, used the default 192.168.1.1 address for the LAN side of the WAP/router, and used the DHCP on the WAP to assign 192.168.1.0/24 addresses to everyone downstream. This year we're experimenting with putting the PCs on their own network separate from cell phones. Since the PCs are members of a domain, they will have access to network resources, while phones will only have access to the Internet. I'm sure that there are more wrinkles in this than I have accounted for, but it's a learning-while-doing scenario.

Thanks for your help. Any comments are always welcome. I'll let you know how things work out.

Thanks for the additional information. The one wrinkle that occurs to me has to do with your statement that the phones in the 192.168.1.0 should not have access to resources in the 10.1.10.0 network. Since the ISP device is in that subnet you cannot just deny access from 192.168.1.0 to 10.1.10.0. You would need to filter traffic on the router interface where 192.168.1.0 is connected, allowing incoming traffic to access the IP of the ISP and then denying access from 192.168.1.0 to the rest of 10.1.10.0.

HTH

Rick

My network resources consist of two domain controllers with active directory, also functioning as DNS providers as well as file servers.  My goal is to keep phones belonging to students who do not have domain accounts from accessing the servers.  As long as they know the pre-shared key, they can access the WAP and therefore the Internet.  If they happen to be students that also have an account on the domain, then I'm not concerned about them accessing the servers.
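A worked 2611 configuration along the lines Rick describes, with the filter on the phone-side interface and the goal of keeping phones away from the domain controllers; this is an added example, not from the thread or from Cisco. The interface names follow the OP's fa0/0 and fa0/1; the router addresses 10.1.10.2 and 192.168.1.1 and the ISP device address 10.1.10.1 are assumed placeholders.

```cisco
! Added example (not from the thread). Assumed addressing:
!   fa0/0 = 10.1.10.2/24  toward the 2950 / ISP side
!   fa0/1 = 192.168.1.1/24 toward the WAP (phones)
!   10.1.10.1 = ISP device (placeholder, substitute the real address)
!
! Phones may reach the ISP device (Internet and ISP DNS) but nothing
! else in 10.1.10.0/24 (domain controllers, file servers). Order matters:
! the host permit must come before the subnet deny.
ip access-list extended PHONES-IN
 remark Allow phones to reach the ISP gateway
 permit ip 192.168.1.0 0.0.0.255 host 10.1.10.1
 remark Block the rest of the PC/server subnet
 deny   ip 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark Everything else (Internet) is allowed
 permit ip 192.168.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 description PC subnet, toward ISP device
 ip address 10.1.10.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Phone subnet, toward WAP (WAP default gateway = 192.168.1.1)
 ip address 192.168.1.1 255.255.255.0
 ip access-group PHONES-IN in
 ip nat inside
!
! Default route toward the ISP device (placeholder address)
ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
! Only needed if the ISP does not route 192.168.1.0/24 back (Rick's
! address-translation question): hide phones behind the router's
! 10.1.10.2 address with NAT overload.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
```

Because the deny line also blocks DNS queries to the domain controllers, the WAP's DHCP scope for phones should hand out the ISP's DNS (75.75.75.75 as mentioned above) rather than the 10.1.10 servers. Verify with `show ip access-lists PHONES-IN` that the deny counter increments when a phone tries to reach a server and that the host permit counter increments for Internet traffic.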
