
I'm trying to separate a wireless guest network from an internal network.

I made a little drawing of what I did to separate it:

Link to drawing

Before, there existed no VLANs so this is what I'm trying to introduce.

Right now the whole .2.x network (no/default VLAN, green) is working. I just can't get the mobile clients to connect to any further than the distant end of the access point (named "WLAN Router" in the drawing).

So ping from a wireless client to the access point is fine (.1.5), ping to the distant side of the access point is fine (.2.2) but I can't reach the Cisco switch (.2.106). All devices use .2.1 (internet router) as a gateway, subnet masks are /24.

From what I understand, all access ports should be untagged (here, there is only one which is not on the default VLAN) and the trunk between the switches should be tagged, no? (BTW: VLANs 1 & 5 both go over the trunk)

What am I missing here?

I hope I provided enough explanation.

  • What is your "WAN Router"?
    – Attie
    Commented Aug 1, 2017 at 17:37
  • Please identify what you consider the 'public' / guest wireless network - is it the .1.x network? And are you trying to prevent .1.122 from having access to the .2.x hosts?
    – Attie
    Commented Aug 1, 2017 at 17:43
  • "WAN router" meaning last device before the internet? If so: .2.1 And yes, public/guest is the .1.x network which should be prevented from accessing the .2.x network
    – welluhmok
    Commented Aug 1, 2017 at 17:47
  • I meant WLAN, apologies...
    – Attie
    Commented Aug 1, 2017 at 17:48
  • The WLAN Router is a LinkSys... WRT something. Sorry, I'm not on site right now. The switches involved are only Layer 2 switches I think.
    – welluhmok
    Commented Aug 1, 2017 at 17:49

1 Answer


Currently, you have a nasty situation.

  • Think of VLANs as separate cables. Currently there is no path for the data between the .2.2 interface of the WLAN router, and the rest of the .2.x network. All of these hosts should be on the same network/VLAN.
  • If you were to connect them to the same VLAN, then all of the guest / public / untrusted Wifi clients would be able to access your "internal" network - not good.

I would recommend that you rearrange your network, as shown in the diagram below.

Don't forget that in the consumer space a "Router" typically refers to the following network components in a single box:

  • Modem (possibly... if you're on DSL, then likely, otherwise you'll probably have a separate cable modem)
  • NAT-ing Router
  • DHCP Server & DNS Relay
  • Switch
  • Wifi Access Point

Network Architecture

Split the network into "Trusted" and "Untrusted" zones, and as you get deeper, the trust levels go up (the reverse of what you've proposed).

You might need to get a couple of extra bits of hardware to accomplish this. The router on the border of Trusted / Untrusted could be what is often referred to as a "Cable Router" in the consumer space. This means that it has an Ethernet / RJ45 WAN port, not a DSL port.

Using one of these would probably give you the behaviour that you're after - Internal Hosts would not be accessible from your Guest Wifi (without setting up port forwarding / NAT), but the internal hosts can still access the internet, and potentially the Guest Wifi hosts.


NOTE: this architecture also negates the need for VLANs, unless you need to run multiple guest Wireless Access Points through your site.

  • We were trying to pull it off without having to buy anything but it seems there is no way around it. Thank you very much for your assistance!
    – welluhmok
    Commented Aug 1, 2017 at 18:24
  • Hey, I have one more question. I understand the bottom Cisco switch has two ways to get to the .2.x network, which is a no-no. But what if I just make the lower red leg a transfer network and call it .3.x for example? Wouldn't that help?
    – welluhmok
    Commented Aug 2, 2017 at 7:20
  • But how would that route to the internet? You'll have a .3.x network that consists of a single "wire" - same problem.
    – Attie
    Commented Aug 2, 2017 at 8:03
  • Oh yeah, right. There also would be no routing between .2.x and .3.x. OK, guess we really have to buy something here. Thanks again!
    – welluhmok
    Commented Aug 2, 2017 at 11:14
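The answer's "think of VLANs as separate cables" point can be checked mechanically. The following is an added example (not code from the question or the answer): it models each (switch, VLAN) pair as a separate wire segment, joins segments only where a tagged trunk carries that VLAN, and then asks whether two hosts share a layer-2 path. The topology is constructed from the addresses in the thread and is an assumption, not the poster's real drawing.

```python
# Added example: layer-2 reachability across VLAN-segmented switches.
# Each access port is untagged in exactly one VLAN; a trunk is tagged and
# carries a set of VLANs. Two hosts can exchange frames only if their
# (switch, vlan) segments are connected by trunks carrying that VLAN.


def l2_roots(hosts, trunks):
    """Map each host to the root of its layer-2 segment (union-find).

    hosts:  {name: (switch, vlan)}            access ports
    trunks: [(switch_a, switch_b, {vlans})]   tagged inter-switch links
    """
    parent = {}

    def find(seg):
        parent.setdefault(seg, seg)
        while parent[seg] != seg:
            parent[seg] = parent[parent[seg]]   # path halving
            seg = parent[seg]
        return seg

    for seg in hosts.values():
        find(seg)
    for sw_a, sw_b, vlans in trunks:
        for vlan in vlans:                      # one "wire" per tagged VLAN
            parent[find((sw_a, vlan))] = find((sw_b, vlan))
    return {name: find(seg) for name, seg in hosts.items()}


def can_reach(hosts, trunks, a, b):
    roots = l2_roots(hosts, trunks)
    return roots[a] == roots[b]


# Constructed topology (assumption) using the thread's addresses:
# everything on the default VLAN 1 except the WLAN router's WAN port,
# which is the single non-default access port (VLAN 5). The trunk
# between the two switches carries VLANs 1 and 5, as the question states.
HOSTS = {
    "internet-router .2.1": ("upper-switch", 1),
    "cisco-switch .2.106": ("cisco-switch", 1),
    "wlan-router-wan .2.2": ("cisco-switch", 5),
}
TRUNKS = [("upper-switch", "cisco-switch", {1, 5})]


def broken_layout():
    # VLAN 5 is a wire with nothing else on it: .2.2 is isolated from .2.106.
    return can_reach(HOSTS, TRUNKS, "wlan-router-wan .2.2", "cisco-switch .2.106")


def same_vlan_layout():
    # Moving the port to VLAN 1 restores the path, but then guest clients
    # behind the WLAN router reach the internal network too.
    fixed = {**HOSTS, "wlan-router-wan .2.2": ("cisco-switch", 1)}
    return can_reach(fixed, TRUNKS, "wlan-router-wan .2.2", "cisco-switch .2.106")
```

Renaming VLAN 5's subnet to .3.x, as proposed in the comments, changes nothing in this model: the segment is still a single wire with no router on it.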
