
VLAN help please


Mpegger

Member
Joined
Nov 28, 2001
I understand the basics of VLANs, and have equipment that can be configured for it. What I don't understand is how I can make it so that I can have a "main" VLAN that can access all other VLANs, but not vice-versa. I want to put all other devices (that aren't mine) on a separate VLAN that does not have access to my servers, but I also have services and devices (such as a network printer and DNS) that need to be accessible from either VLAN. How do I set up the VLANs and network to make this possible, or is it not possible at all? :confused:
 

Janus67

Benching Team Leader
Joined
May 29, 2005
That is very possible; I believe you have to set up permissions.

http://www.cisco.com/c/en/us/td/doc...I_Configuration_Guide_2_1_chapter_010001.html

I'm not a network engineer (I'd like to eventually get CCNA or at least Network+ certified to be a bit better at it); I'm just going by how I understand the network at my college, where we have VLANs for attached devices (printers), students, servers, faculty, and admin (to name a few), and certain groups can access the others but not the other way around.
 

Silver_Pharaoh

Likes the big ones n00b Member
Joined
Sep 7, 2013
This can be done on Cisco, I know that.
Did some quick reading and some of what I learned in college has come back to me.

VLAN 1 you cannot modify in Cisco hardware, however. So you must use VLAN 2 to start.
Here's how to create VLANs via the command line (the only way I was taught):
http://www.cisco.com/c/en/us/td/doc...on/guide/cli/CLIConfigurationGuide/VLANs.html

You simply create VLANs, name them, then add ports to the VLANs. You can, say, add ports 1 and 2 to VLAN 2 and add ports 3-8 (or whatever) to the main VLAN AND VLAN 2. IIRC, that means ports 1 and 2 can talk to each other, but not to ports 3-8, while ports 3-8 can talk to everyone on the main VLAN AND VLAN 2.

I'm pretty sure DD-WRT can do something similar as well if you are using it.

EDIT: Okay, more involved than I thought. For Cisco, anyway. Looks like adding VLAN trunks will do what you want. But of course, I don't remember how to do this... Damn. I'll keep reading and trying things in Packet Tracer.

EDIT2: Inter-VLAN routing might help, if you are doing this on one Cisco switch. http://www.cisco.com/c/en/us/suppor...-routing/41860-howto-L3-intervlanrouting.html

Oof, getting tired here. Is your equipment Cisco or something else?
 
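To make the "main VLAN reaches everything, guests reach only shared services" idea concrete, here is an added Cisco IOS-style example (constructed for this thread, not the OP's Dell/Astaro configuration and not taken from the linked Cisco guides). The VLAN numbers, subnets and the printer/DNS addresses are assumptions; the one-way rule relies on the `established` keyword, which only matches TCP return traffic.

```cisco
! Constructed example: VLAN 10 = trusted PCs/servers, VLAN 20 = everyone
! else, VLAN 30 = shared services (printer and DNS) reachable from both.
vlan 10
 name Trusted
vlan 20
 name Guest
vlan 30
 name Shared
!
! 802.1Q trunk toward the firewall/router or access points; carries all three
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! Untagged access ports, one per VLAN
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
!
! Inter-VLAN routing on a Layer-3 switch (a router-on-a-stick works the same way)
ip routing
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
! Filter applied inbound on the Guest SVI. Guests may answer TCP sessions the
! trusted VLAN opened, may use the shared DNS (assumed 192.168.30.53) and the
! printer's raw-print port (assumed 192.168.30.10), and may reach the Internet.
! They may not open anything into the trusted VLAN. Order matters: the denies
! sit before the final permit.
ip access-list extended GUEST-IN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 permit udp 192.168.20.0 0.0.0.255 host 192.168.30.53 eq 53
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.53 eq 53
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 9100
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip  192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip  192.168.20.0 0.0.0.255 any
```

Because `established` is TCP-only, pings or UDP services from the trusted side toward guest devices get no replies through this ACL unless you add explicit permits; a stateful firewall such as the OP's Astaro/Sophos UTM handles that return traffic automatically, so on that hardware the policy is better expressed as firewall rules between the VLAN interfaces and the switch only does the tagging.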
Mpegger

Member
Joined
Nov 28, 2001
Dell PowerConnect 5224 is my switch, which I believe is not fully Layer 3 capable, just some Layer 3 functions.

Astaro UTM 9 (now known as Sophos UTM) is my firewall/router, which should be capable of Layer 3.

ESXi 5.5 is the host for Astaro.

I also have 2 Ubiquiti UniFi AC Lite APs (WiFi access points) that can handle multiple VLANs via multiple SSIDs. The routing would still need to be handled on other network equipment.

The rest is mostly consumer hardware: cell phones, tablets, laptops, a VoIP phone, etc., most of which connect via WiFi to the network. My PCs and servers are what I want to keep separate from the rest, and it's only my PCs and servers that are wired, though I also have a phone and tablet that would need WiFi access to my segment. Both segments would need access to a network printer. In the future, I may finally set up a central media/TV server that both segments would also need access to, as well as a central NAS for backups and such for every PC in the home. Planning out how to set up the VLANs in such a setting is where I get confused.

I am not 100% sure how the VLAN setup on Astaro would go (https://community.sophos.com/kb/en-us/118999), but I think it depends on the switch it's connected to. I do not believe the Dell switch can tag packets with the VLAN, which I think would mean I would need separate physical network connections for each VLAN? This is basically where I start to get confused, as I'm not sure where the routing would happen or how to properly set up my hardware to get it all working. :confused:
 
Mpegger

Member
Joined
Nov 28, 2001
The 5224 supports Dot1q, so I think it should be able to tag VLAN frames: https://cs.uwaterloo.ca/~brecht/servers/docs/Dell-5224/pc5224cf.htm

Interesting read. I just skimmed it, but it looks like it has the info I need to set up my network properly using just the Dell switch. I'll need to read through it thoroughly to get a better understanding, and I might still come up with questions. :)

Honestly I don't know what you're running ESXi on; does it have multiple NICs in it? If not, you could always buy the cheap Ubiquiti switch. VLANs are easy on it. I've been playing with mine. But if you have a few NICs in your PC you could run the VLANs through ESXi, which works, it's just a little more time consuming to set up.

https://www.amazon.com/gp/product/B00YFJT29C/ref=oh_aui_detailpage_o05_s00?ie=UTF8&psc=1

The ESXi is running on the Dell R710 in my signature. It has 4x1Gb ports, and I also have 2 4x1Gb NICs I could toss in it if needed. Since the majority of the devices in the home now are all WiFi devices, I could just run with 12 ports on the R710 and do all the routing in ESXi, but I think that would require their highest offering, as it needs Enterprise Plus, which would allow making and using a Distributed Switch, and would also require vCenter. Now that I think about it, I might actually have to do some routing on ESXi, as some of the servers that would need access from both VLANs are on the R710. :-/