09-19-2015 01:45 AM - edited 03-08-2019 01:51 AM
Hi,
I wonder if anybody can help me. We have a client that owns a business centre and has around 15 companies within this business centre. We have been asked to implement a solution which allows for all the businesses to share an internet connection, but each company needs to be separate from one another. Please correct me if I'm wrong, but I think the way to do this would be using 802.1Q tagged VLANs.
There are around 100 outlets, so for the switches I am thinking of a couple of Cisco Catalyst 2960S-48TS-L switches to handle the VLANs. I am fine up to here; however, I am unsure of what the router needs to be in terms of trunking multiple VLANs. They currently have a Draytek 2930 there at the minute, which does support tagged VLANs but will only allow for 4 subnets. We are looking for 15+ subnets if possible. I suspect we are going to need to move away from that router to something which supports sub-interfaces or VLAN interfaces. Could anybody please offer some suggestions here? I am not sure whether we go with a Cisco router or a SonicWall, and all the model numbers are confusing to say the least!
Any guidance or advice on this would be highly appreciated.
Thank you.
09-19-2015 06:54 AM
Generally, to support tagging from a router's perspective, you'd create subinterfaces and tag those:
LAN interface g0/1:
! physical port keeps an untagged address for native (untagged) traffic
int g0/1
ip address 10.1.0.1 255.255.255.0
! one sub-interface per VLAN; the encapsulation line sets the 802.1Q tag
int g0/1.10
encapsulation dot1q 10
ip address 10.10.0.1 255.255.255.0
int g0/1.20
encapsulation dot1q 20
ip address 10.20.0.1 255.255.255.0
Then on your switch you would create VLANs 10 and 20, and trunk the port that the router connects to. Then you would either add trunk ports or access ports to the appropriate VLANs to support your other companies. One thing to note is that the config above isn't a secure config on its own, meaning that you'll still need ACLs / a firewall to truly segment everything. For example, if a user from VLAN 10 decided they wanted to see if there was a 10.20.0.0, they could ping something on that subnet with no issues, since they'll go to their default gateway and the router will just happily route them. Having VLANs is not a total security answer, so it shouldn't be left to just that....
HTH,
John
09-20-2015 01:57 AM
Following on from John's reply, you would need Access Control Lists (ACLs) on all the clients' subinterfaces, stopping them from accessing other clients' networks.
You don't say how many public addresses you have; would there be enough to have one for each client?
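To make John's sub-interface design and the ACL point in the reply above concrete, here is an added configuration example. It is not any poster's configuration and not vendor documentation: it shows a Cisco IOS router on a stick with one sub-interface per tenant, an inbound ACL on each sub-interface that stops inter-tenant traffic while still allowing Internet access, and the matching 2960S trunk and access ports. The 10.10.0.0/24 and 10.20.0.0/24 ranges follow the thread; the interface numbering, VLAN 999, the ACL names and the port ranges are assumptions for illustration.

```cisco
! ---- Router (assumed Cisco IOS ISR, LAN port Gi0/1) ----
! The physical port carries only tagged frames; each tenant gets a
! sub-interface, a /24, and an inbound ACL that blocks other tenants.
interface GigabitEthernet0/1
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 description Tenant A (VLAN 10)
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip access-group TENANT-10-IN in
!
interface GigabitEthernet0/1.20
 description Tenant B (VLAN 20)
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip access-group TENANT-20-IN in
!
! Per-tenant inbound filter. Order matters: DHCP and the tenant's own
! gateway are allowed first, every other internal subnet (all of
! 10.0.0.0/8) is denied, then anything else (the Internet) is permitted.
! Only the tenant's own source range is permitted, so packets with a
! spoofed source address fall through to the implicit deny at the end.
ip access-list extended TENANT-10-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.0.0 0.0.0.255 host 10.10.0.1
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended TENANT-20-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.20.0.0 0.0.0.255 host 10.20.0.1
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
! ---- Catalyst 2960S (assumed port numbering Gi1/0/x) ----
vlan 10
 name Tenant-A
vlan 20
 name Tenant-B
vlan 999
 name Unused-native
!
! Uplink to the router: 802.1Q trunk carrying only the tenant VLANs,
! with an unused native VLAN so no tenant traffic rides the trunk untagged.
interface GigabitEthernet1/0/1
 description Trunk to router Gi0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Tenant outlets: plain access ports, one VLAN per tenant.
interface range GigabitEthernet1/0/2 - 24
 description Tenant A outlets
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range GigabitEthernet1/0/25 - 47
 description Tenant B outlets
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

The same sub-interface and ACL pair is repeated for each of the 15 tenants (VLAN 30 with 10.30.0.0/24, and so on). After applying it, a ping from a VLAN 10 host to 10.20.0.1 should fail, and `show ip access-lists` should show the deny line's hit counter climbing, while Internet destinations still work. Internet access itself still needs NAT on the router's WAN side (or on the Draytek, if it stays in front), which this fragment does not cover.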
09-21-2015 02:40 AM
There are several different ways this can be achieved but it really depends on two things:
A) Your budget
B) Your level of technical knowledge when it comes to networking.
If you are looking at 15 vlans/subnets then you need a device which can act as the default gateway for this amount.
You have three options as I see it:
1. A Layer 3 Switch - This can act as your default gateway for all 15 subnets, and you could use Access Lists to prevent each of them talking to each other. A default route up to the Draytek will allow internet access. The model will depend on your budget and what sort of performance you require. Bear in mind (non-chassis-based) switches usually have 48 ports maximum, so if you need 100+ ports then you are going to need maybe two more Layer 2 switches for the rest of your hosts to plug into. If you are just looking to block complete access between each of the VLANs and allow access to the 'Internet' then it should be fairly straightforward, but you need to understand ACLs.
2. A Firewall device that does subinterfaces and 802.1Q trunking - The FW would act as the default gateway for your clients. You would then have maybe three Layer 2 switches for your hosts and an 802.1Q trunk up to the Firewall, which would sit in between the Draytek and one of the L2 switches. This may be slightly easier than option 1 as FWs tend to have a GUI, but you still need to know how to configure L2 switches and work the GUI of the FW.
3. A Cisco Router to replace the Draytek - This would be a mixture of Option 1 and Option 2 in that you would use L2 switches for your hosts, but instead of a FW you would create an 802.1Q trunk up to the Cisco Router and use ACLs to prevent traffic going between your VLANs.
Any option is going to require networking knowledge and skill to configure it to work properly.
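Option 1 in configuration form, as an added example that is mine rather than the poster's and is not taken from Cisco documentation: a Layer 3 switch holds an SVI for each tenant VLAN, applies one shared isolation ACL, points a default route at the Draytek over a routed link, and trunks the tenant VLANs down to the 2960S access switches. The 3560-style interface names, the 192.168.1.0/24 link to the Draytek, the VLAN numbers and the ACL name are assumptions for illustration.

```cisco
! ---- Layer 3 switch (assumed 3560-style syntax) ----
ip routing
!
vlan 10
 name Tenant-A
vlan 20
 name Tenant-B
!
! One shared inbound filter serves every tenant because all tenant
! subnets sit under 10.0.0.0/8: allow DHCP toward a relay or server,
! deny anything aimed at another internal subnet or at the Draytek
! link, then permit the rest (the Internet).
ip access-list extended TENANT-ISOLATION
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
! SVIs: the switch is the default gateway for each tenant VLAN.
interface Vlan10
 description Tenant A gateway
 ip address 10.10.0.1 255.255.255.0
 ip access-group TENANT-ISOLATION in
 no shutdown
!
interface Vlan20
 description Tenant B gateway
 ip address 10.20.0.1 255.255.255.0
 ip access-group TENANT-ISOLATION in
 no shutdown
!
! Routed port toward the Draytek's LAN side. The Draytek stays the
! Internet/NAT box, so it needs a static route for 10.0.0.0/8 via
! 192.168.1.2 or return traffic never makes it back to the tenants.
interface GigabitEthernet0/1
 description Link to Draytek LAN
 no switchport
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Trunk down to a 2960S carrying only the tenant VLANs. The
! encapsulation line is required on 3560-class switches.
interface GigabitEthernet0/2
 description Trunk to 2960S #1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Because the shared ACL denies all of 10.0.0.0/8, a tenant host cannot ping its own SVI address either; if that matters for troubleshooting, split the ACL per VLAN and add a permit for the tenant's own gateway ahead of the deny. The second deny keeps tenants away from the Draytek's management interface. Verify with `show ip route` (the 0.0.0.0/0 entry via 192.168.1.1 should be present) and a ping from a VLAN 10 host to a VLAN 20 address, which should now be dropped by the ACL.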