VLans?

Associate | Joined: 18 Oct 2002 | Posts: 154 | Location: in a house
I have a network with over 200 PCs and a wireless managed switch, a DWS-3024. Now I want to set up a separate wireless SSID for guests.

1. What's the easiest way to do this? Do I need to set up another DHCP server to do this, or is there an easier way? Obviously I do not want the two talking. Can the D-Link wireless switch do this?

2. Would creating VLANs across the network give me better performance? Probably around 350 machines in total, about 12 switches throughout the building.

Cheers
 
Get another internet line. Purchase a solid off-the-shelf router or, if you want, put a firewall such as pfSense on the end of it (with the router or fibre modem etc). Then you need to set up wireless routers with DHCP disabled around the building and patch them into the router/firewall. This way DHCP is handled by the one router on the separate line and the wireless routers around the building just act as wireless access points. I have used this set-up at a few sites with no problems. Cheap and easy, and you don't have to worry about opening up your internal network to other people.

TIP: What I do is make the main router 192.168.1.1, then set up the DHCP range as 100-150, for example, and then give all the other routers static IPs in the same range, 192.168.1.50-60. That way you can connect to the wireless network anywhere in the building and manage all the wireless routers.
 
I did this by setting up a new VLAN on the switches/WAPs, creating a new sub-interface on the firewall in the DMZ, and setting up the guest SSIDs all in the above VLAN.
 
Get another internet line. Purchase a solid off-the-shelf router or, if you want, put a firewall such as pfSense on the end of it (with the router or fibre modem etc). Then you need to set up wireless routers with DHCP disabled around the building and patch them into the router/firewall. This way DHCP is handled by the one router on the separate line and the wireless routers around the building just act as wireless access points. I have used this set-up at a few sites with no problems. Cheap and easy, and you don't have to worry about opening up your internal network to other people.

Jesus, this is appalling advice.

A separate line? Why on earth? In the nicest possible way I can't see why you'd ever do that unless you didn't know how to do it properly.

Just set up a second zone on your firewall for the new VLAN, dump the access points in that VLAN and have the firewall do DHCP. Set some intelligent policies to allow internet access and to allow access to harmless internal stuff from the wireless (HTTPS to your Exchange front end etc).

In theory multiple VLANs will offer better performance as they restrict your broadcast domain and minimise broadcast traffic. But below 250 machines I'd say don't bother unless you want the security benefits - my informal rule is to restrict LAN ranges to at most a /24.

The features required are all basic for proper network gear. I don't know the Netgear and D-Link products though (to be honest I'm not a fan...), but they should do it.
 
It is not recommended to put wireless networks on your internal network. How is that appalling advice? You can get a new line for like £20 a month. What is appalling advice is to think that VLANs will sufficiently prevent people on the wireless VLAN from accessing the internal network.

There is more than one way to do it. I offered my recommendation. I don't really appreciate being told it is appalling.
 
Sorry groen, but that's tosh. Corporate-level equipment has features designed for this exact situation - I'm afraid you have no idea what you're talking about.

BRS has already said what I was going to advise, no need to type it twice.

- GP
 
http://www.google.com/search?num=30...1.1.0.0.0.0.128.128.0j1.1.0...0.0.CArynMNvyT0

I still would not recommend plugging wireless access points into your internal network on another VLAN. If the network has its own switches and goes directly into the firewall then sure. But to plug WAPs into the same physical network but on a different VLAN is a security risk.

But yeah, I don't know what I am talking about...
 
I'm not sure what you expect me to see from that link. All I see is people """hacking""" VLANs that somebody has not set up correctly - again my original statement stands, you don't know what you're talking about.

- GP
 
As BRS and GP rightly say, there is no issue having wireless on your internal network(s).

The device at the Distribution layer can block off the guest wireless network (specified by the OP) with a handful of ACLs which will stop it talking to the internal network. There's no way around properly configured ACLs without a more fundamental attack on the device's software.

Converged infrastructure was a big deal a few years ago and this kind of thing is exactly what it was designed for.

You can set up a separate network physically, but the cost of doing so makes it pointless. Especially if this guest wireless network doesn't generate any revenue etc.
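The two posts above describe the same design: the guest SSID lands in its own VLAN, the firewall (or distribution switch) terminates that VLAN on a sub-interface, and an ordered ACL on that interface permits DHCP/DNS to the gateway, a narrowly scoped exception for "harmless internal stuff" (HTTPS to the Exchange front end), the internet, and nothing else towards the internal ranges. The following is an added illustration of that policy as a first-match ACL model, not code from any poster or vendor; the addresses (guest VLAN 192.168.50.0/24, gateway 192.168.50.1, internal 10.0.0.0/8, Exchange front end 10.0.0.25) and the sample flows are constructed for the example. It also includes a rule-shadowing check, since a permit placed after a broader deny is exactly the kind of "not set up correctly" that makes a VLAN policy look right while doing the wrong thing.

```python
"""Guest-VLAN ingress policy modelled as an ordered, first-match ACL.

Added example, not from the thread. Addressing is constructed for illustration:
  guest VLAN (wireless guests)    192.168.50.0/24, firewall sub-interface 192.168.50.1
  internal networks               10.0.0.0/8
  Exchange HTTPS front end        10.0.0.25 (the "harmless internal stuff" exception)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

GUEST_NET = ip_network("192.168.50.0/24")
GUEST_GW = ip_network("192.168.50.1/32")
INTERNAL_NET = ip_network("10.0.0.0/8")
EXCHANGE_FRONTEND = ip_network("10.0.0.25/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# ACL applied inbound on the guest VLAN sub-interface, evaluated top to bottom.
GUEST_IN_ACL: List[Rule] = [
    # A client with no lease yet sends DHCP DISCOVER from 0.0.0.0 to broadcast.
    Rule("dhcp-discover", "permit", ip_network("0.0.0.0/32"),
         ip_network("255.255.255.255/32"), "udp", 67),
    # Renewals and DNS go to the firewall's own address on this VLAN.
    Rule("dhcp-to-gateway", "permit", GUEST_NET, GUEST_GW, "udp", 67),
    Rule("dns-to-gateway", "permit", GUEST_NET, GUEST_GW, "udp", 53),
    # The single internal service guests may reach, and only over HTTPS.
    Rule("https-to-exchange", "permit", GUEST_NET, EXCHANGE_FRONTEND, "tcp", 443),
    # Everything else aimed at the internal ranges is blocked, whatever the port.
    Rule("block-internal", "deny", GUEST_NET, INTERNAL_NET),
    # What remains is internet-bound traffic from a genuine guest address.
    Rule("internet", "permit", GUEST_NET, ANY),
]


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation with the implicit deny that real switch/firewall ACLs have."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(acl: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers all their traffic."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.proto is None or earlier.proto == later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(later.name)
                break
    return shadowed


def misordered_acl() -> List[Rule]:
    """Same rules with the broad internal deny moved ahead of the Exchange permit."""
    acl = list(GUEST_IN_ACL)
    acl[3], acl[4] = acl[4], acl[3]
    return acl


# Constructed sample flows as seen arriving on the guest sub-interface.
SAMPLE_FLOWS = [
    Flow(ip_address("192.168.50.23"), ip_address("10.0.0.25"), "tcp", 443),     # permitted exception
    Flow(ip_address("192.168.50.23"), ip_address("10.0.0.25"), "tcp", 445),     # same host, other port
    Flow(ip_address("192.168.50.23"), ip_address("10.20.1.40"), "tcp", 3389),   # other internal host
    Flow(ip_address("192.168.50.23"), ip_address("203.0.113.10"), "tcp", 80),   # internet
    Flow(ip_address("192.168.50.23"), ip_address("192.168.50.1"), "udp", 53),   # DNS to gateway
    Flow(ip_address("10.0.0.5"), ip_address("203.0.113.10"), "tcp", 80),        # forged internal source
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(GUEST_IN_ACL, f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {action} ({rule})")
    print("shadowed in correct ACL:", shadowed_rules(GUEST_IN_ACL))
    print("shadowed in mis-ordered ACL:", shadowed_rules(misordered_acl()))
```

The last sample flow is the reason every permit is written with a source of the guest prefix rather than `any`: a frame on the guest VLAN carrying an internal source address matches nothing and falls through to the implicit deny. Running `shadowed_rules` against the mis-ordered copy reports `https-to-exchange`, which is the check to run whenever the rule list is edited.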
 
You can go right ahead with plugging wireless access points into your internal network. I don't mind. But I will continue recommending against it.

It's not technically your internal network if done properly. We have one here for guests and whatnot - there's no routing between the VLANs.
 
Well, what I suggested does not require a separate network. Usually I just use the already existing patch cabinets to patch the WAPs (which you will have to purchase regardless) to the server room, where I have a router which the WAPs go into. It does not cost that much at all (you can get ADSL for like £10 a month). Plus you have the added benefit of people on that network not using up bandwidth on the main network. I never said that this was the only way to do it. I just recommended against it, because from what I was aware, using VLANs on switches to segment a wireless network was a security risk.
 
You can go right ahead with plugging wireless access points into your internal network. I don't mind. But I will continue recommending against it.

Do you understand what a VLAN is? It's not on an internal network, it's a different VLAN; that's the entire point. This is how every large corporate does their wireless: separate VLAN, separate security zone, separate policies. SAME hardware. That's the entire point, that it can be separate without needless hardware duplication.

There is precisely one circumstance where this is a risk and you've completely failed to identify it. That is that in some circumstances, some vendors' hardware, under extreme (100Gbps+) load, will leak packets into the default VLAN from others. However, that affected one vendor and was only ever shown to be possible in a lab environment. And even then it's an inconsequential flaw because nobody competent ever uses the default VLAN.

There is zero security risk from having wireless on a separate VLAN in your infrastructure. Having a separate line is pointless, needless and just poor design.

I hope you aren't doing networking for anything critical, I really do.
 
Because from what I was aware, using VLANs on switches to segment a wireless network was a security risk.

It isn't. That's just false. I'm sorry but that view has no redeeming features, it's just wrong. You need to think about doing at least a basic Cisco network design course, seriously.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. On most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.
 