Designing a VLAN network

Yes but you are somewhat missing the point that to enable that you need separate DHCP ranges and entirely separate networks with different access levels.

The location where they are accessed should be kind of irrelevant.

So you’d have something like...

VLAN - Infrastructure
VLAN - Guest
VLAN - Employees.

So you’d put your server room and say printers or other devices on your floors inside the infrastructure VLAN and therefore its underlying network regardless of where it is.

Guest you would then assign to points in the board room or the Wireless SSID ID there.

You don’t make a VLAN for a location, you make it for a privilege level and then use that VLAN for its purpose wherever.
OK got you. Thanks.

Out of interest, how do VLANs work on wireless? We have a physical controller on site. For VOIP, my understanding is that they have to plug into ethernet to get the correct VLAN? So for normal internet they will use MPLS VLAN and Seacom VLAN for voice. With wireless, how does it know? My concern is that if someone doesn't plug into cable, we can't guarantee optimal voice.
 
Just like on Ethernet you would configure a VLAN to an interface, you will be setting it up on the wireless controller to assign a VLAN to an SSID.

I’ve almost never run VOIP on anything wired and never had a problem. Just run a proper wireless network.

Only wired VoIP devices are usually those switchboard type phones at reception etc.

Everyone else is wireless or soft phones off the back of wireless.
 
Most good quality business-quality access points will allow you to assign a VLAN tag to specific SSIDs. For example, in my house, I've got a TP-Link EAP245 access point connected to a Mikrotik RB750GR3 router. On the access point I've got the following SSIDs set up:

Main network - untagged
IOT network - VLAN 10
Guest network - VLAN 20
Kids Network - VLAN 30

Then there is one ethernet cable running from the AP to a port on the Mikrotik router (let's call it ether3). Then I've set up a virtual VLAN interface for each VLAN tag connected to the ether3 port. Then it's a simple matter of setting up a separate subnet for each VLAN, a separate DHCP server for each VLAN, and all the corresponding firewall filter rules to keep the different networks from being able to communicate with each other (with some exceptions).

So it's actually quite easy to set up many VLANs running off of one AP if the AP supports VLAN tagging.
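
The setup described in the post above, written out as RouterOS commands. This is an added example, not the poster's actual configuration: ether1 as the WAN port, the interface names, the subnets and the pool ranges are all assumptions, and NAT plus a closed WAN input chain are assumed to exist already.

```routeros
# Added example: ether1 as WAN, names, subnets and pool ranges are assumptions.
# One VLAN interface per tag carried on the AP uplink (ether3).
/interface vlan
add name=vlan10-iot   vlan-id=10 interface=ether3
add name=vlan20-guest vlan-id=20 interface=ether3
add name=vlan30-kids  vlan-id=30 interface=ether3
# One gateway address, and therefore one subnet, per VLAN.
/ip address
add address=192.168.10.1/24 interface=vlan10-iot
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-kids
# One DHCP pool, server and network definition per VLAN.
/ip pool
add name=pool-iot   ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.20.100-192.168.20.200
add name=pool-kids  ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add name=dhcp-iot   interface=vlan10-iot   address-pool=pool-iot   disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
add name=dhcp-kids  interface=vlan30-kids  address-pool=pool-kids  disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
# The router answers DNS for the VLANs; the WAN input chain must stay closed.
/ip dns set allow-remote-requests=yes
# Group the restricted VLANs so the isolation rules are written once.
/interface list
add name=RESTRICTED
/interface list member
add list=RESTRICTED interface=vlan10-iot
add list=RESTRICTED interface=vlan20-guest
add list=RESTRICTED interface=vlan30-kids
# Forward chain: restricted VLANs reach the internet and nothing else.
# The untagged main network is not in the list, so it can still open
# connections into the VLANs (an assumed exception); replies come back
# through the established/related rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=RESTRICTED out-interface=ether1
add chain=forward action=drop   in-interface-list=RESTRICTED
# Input chain: restricted VLANs get DHCP and DNS from the router, no management access.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=RESTRICTED protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=RESTRICTED protocol=tcp dst-port=53
add chain=input action=drop   in-interface-list=RESTRICTED
```

Rule order matters: the drop rules must sit after the accepts they are meant to backstop, and any further exception has to be inserted above the matching drop.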
 
Agreed. With Wifi6, cables will be obsolete eventually
 
Great thanks. Just had a chat with our controller specialist and they say the same.
 
Don’t need WiFi 6, just proper WiFi installed and operated correctly.

I run a company of 500 odd clients all on wireless without issue.

Only backbone static infrastructure is cabled.

100%. Most WIFI issues I've come across are because of bad configuration of APs, especially in high-user environments. Things like power levels set too high, channels interfering with each other, overzealously high channel widths set, etc.

A lot of people mistakenly think that more is better when configuring APs, so they crank the power output way too high, they set the maximum channel width possible, etc.
 
Yeah it’s nice to say we’ll put 850Mb link at every desk, but if it’s not actually required nor sustainable then what’s the point?

Scale it back and provide a better network overall.

But more often than not people also just like to be cheap but then expect the world at the same time.
 
Generally, perhaps. But wireless will always introduce limitation. It all depends on the environment and the use case.
 
Yeah I mean specifically end point user devices, there’s little reason to have them wired these days.

Also I feel very very sorry for all those companies still rolling out cheap desktops instead of laptops for their employees when all this COVID stuff happened.

Hardcore workstations fit for purpose excluded of course.
 
With the pandemic, desktops will definitely take a plunge in sales. We have already swopped out desktops for laptops to allow ppl to work remotely. Only issue now is that you are introducing more risk to your data as it's moving now. Glad we adopted cloud services for most parts.
 
It’s why I’m very glad we were all mobile from the start.

And no risk to begin with as it’s all locked down.

In most cases I’ve found cloud services are the real risk, often left wide open and easy for people with otherwise fully locked down machines to transfer data to.

Second to that being able to connect to any VPN services as the ports are usually left wide open but not restricted and an easy means of data transfer.

There is a level of employee trust in play however to be reasonable and the really secure stuff therefore lives only on the cloud and nowhere else.
 