Ok, I have a basic understanding of VLAN's but I am trying to do the following setup which seems way more complicated than it should be because of things I am not sure of. I am doing this because we had a professional hacker come in and they said that I need to separate the Guest Wi-Fi from the secured Wi-Fi.
I have Netgear switches in my environment. The non PoE switches are either GS724TS or GS748TS. The PoE switches are all GS728TPS switches. These all connect back to a M5300-28GF3 via fiber.
What I am trying to setup is the following VLAN's 1 Default Netgear VLAN 260 Management VLAN 360 HS VLAN (high school) 460 JH VLAN (junior high school) 560 Elementary VLAN 660 Guest Wi-Fi VLAN
What I think I should do is create these VLAN's on all switches. Then on each switch I should Tag all uplink ports on all switches. Then on each switch I should change all PVID to be the main VLAN (Except for the uplink ports which will remain PVID 1) so for HS VLAN 360 would be the PVID and JH VLAN PVID would be 460 and the Elementary VLAN would be 560. Then on the GS7xxTS switches all other ports except the uplink ports should be untagged. Then on the PoE switches, any port that is connected to an Access point should be Tagged on the main building VLAN and VLAN 660 for the guest Wi-Fi.
Then on PoE switches don't have Access Point I should set the ports as untagged. Then on the fiber switch I should tag the port for each building as the building VLAN, and both the 260 and 660 VLAN's.
Now is where it gets really fuzzy for me. I have 3 ports going back to our internet connection which hooks to Cisco switches. I want to change it to one port over a 10GB connection on my fiber switch so I am guessing that I just need to tag all VLAN's on that port. I know that currently the cisco switch is setup like the below on 2 of the ports
port 4 Elementary untagged vlan 560
port 5 Junior high untagged vlan 460
So here are where my questions start to arise. Question 1: To do what I want will the Cisco accept the traffic if it is set to untagged when I am sending tagged traffic? Or do they need to switch to tagged.
Question 2: How does the VLAN ID 1 fit into this whole thing? Tagged ports are going to be left as PVID 1 right? If so how do I set the other ports? Tagged or untagged on PVID 1?
Question 3: Should the main VLAN for each building have the ports as untagged for all but the uplink or access point ports?
Question 4: Should VLAN 1 ports remain untagged for some reason?
Before the new setup I only have PVID 1 on all switches except the M5300-28GF3 which also has VLAN's for each building.
Question 5: For VLAN 260 which I want to be the management VLAN am I correct to assume that it only needs to be on the uplink ports as tagged?
