2

I am by no means an expert when it comes to networking but I recently inherited a network setup which is using wireless Access Points that clients can connect to (usually via a wireless device used in station mode.

The problem is the existing setup is not using VLANs to break down broadcast domains. I would like to introduce them, but I am not really sure how to tackle it.

Network diagram

In simplified form, the network looks like this:

enter image description here

  • Network is using static IPs (3 subnets)
  • I have very little to no access to the Access Points to modify any settings

  • I have very little to no access to the devices used by clients to connect to Access Points

  • FreeBSD router (Fa0/0)

    • 10.10.10.1 netmask 255.255.255.0
    • 10.10.20.1 netmask 255.255.255.0 alias
    • 10.10.30.1 netmask 255.255.255.0 alias

  • L3 Switch_1

    • supports 802.1Q VLAN
    • supports Private VLAN
    • supports Port Isolation (is it the same thing as Port-VLAN?)

  • L2 Switch_1

    • supports 802.1Q VLAN
    • supports Port-VLAN

  • L2 Switch_2

    • supports 802.1Q VLAN
    • supports Port Isolation (is it the same thing as Port-VLAN?)

What I want to do

Ideally I don't want any subnet to see one another.

I can easily setup VLANs in the FreeBSD router (instead of using ip aliases (or secondary ips depending on the terminology)

For example:

  • VLAN10 for 10.10.10.0/24
  • VLAN20 for 10.10.20.0/24
  • VLAN30 for 10.10.30.0/24

Then I can setup port Fa0/4, Fa0/3 and Fa0/2 on L3_SWITCH_1 to be a trunk.

But at this point I seem to get stuck and have no idea what to do. Both L2_SWITCH_1 and L2_SWITCH_2 can carry traffic from any subnet on each port (because any client can connect to any Access Point).

L1_SWITCH_1 port Fa0/1 and port Fa0/2 is carrying traffic from potentially all 3 subnets at the same time.

The same situation is with L2_SWITCH_2 port Fa0/1.

So would I potentially need to setup every existing port in each switch to be a trunk for VLAN10, VLAN20 and VLAN30?

But does it still make sense to do it that way? Would I still benefit from VLANs? (Isolation, separate Broadcast domains, etc.)?

What should I do?

Improve this question
2
  • 1
    How many wireless clients to you have/anticipate at one time? Broadcasts may not be such a big problem. Commented Mar 20, 2015 at 20:40
  • Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. Commented Aug 11, 2017 at 14:41

4 Answers 4

Reset to default
2

You would need your APs to support VLANs, and extend a trunk to them. Then operate a different SSID per VLAN/broadcast domain, or use 802.1x for VLAN assignment.

Improve this answer
1

Throwing in different ideas:

  • If there is no need for the clients behind each access point to get an IP address from different subnets, you can have the ports connected to the APs to be in different VLANs.
  • If all you have is three different subnets, you can consider one other option of having three different SSIDs for the three subnets.
  • If you have access to more APs, you can have 3 APs each one dedicated for each subnet.
Improve this answer
1
  • I have very little to no access to the Access Points to modify any settings
  • I have very little to no access to the devices used by clients to connect to Access Points

I think you need to step back and ask yourself a couple of questions.

  1. Are you solving a real problem here or is this just change for the sake of change? Is there a compelling security reason for the machines on different subnets to be more isolated or are all the subnets routed to each other with no firewall in-between anyway? is the broadcast traffic actually significant enough to cause a noticable performance hit?
  2. Do you have the needed buy-in from the rest of your organisation to implement this change?

There are ways to put different clients of the same access point on different VLANS but they will require significant reconfiguration or even possiblly replacement of the access points. They will also require minor reconfiguration of the clients.

Therefore to make this a success requires buy-in from the people who do have the authority to make such changes. That is probablly going to mean demonstrating a real problem.

Improve this answer
1
  • 1
    Certainly smells like @zyash may be "solving" a "problem" that doesn't actually exist. Commented Nov 3, 2015 at 15:13
0

By keeping setup as it is as mentioned in diagram we can introduce Vlans ..

Create Vlans and Configure Switch virtual interfaces(SVI) in layer3 switches and enable inter-Vlan routing in layer3 switch and Configure default route in layer3 switch pointing towards gateway of upstream router . As mentioned below .

Layer3switch (config)# int Vlan 10 Layer3switch(config)#ip address 10.10.10.1 255.255.255.0 Layer3switch(config)no shutdown

Layer3switch(config)#int Vlan 20 Layer3switch (config)#ip address 10.10.20.1 255.255.256.0 Layer3switch (config)#no shutdown

Layer3switch (config)#int Vlan 30 Layer3switch (config)#ip address 10.10.30.1 255.255.255.0 Layer3switch (config)#no shutdown

Layer3switch (config)#int f0/2 Layer3switch (config) Switchport mode trunk Layer3switch (config) Switchport trunk encapsulation dot 1Q Layer3switch (config)#no shutdown

Layer3switch (config)#int f0/3 Layer3switch (config) Switchport mode trunk Layer3switch (config) Switchport trunk encapsulation dot 1Q Layer3switch (config)#no shutdown

Layer3switch (config)#ip route 0.0.0.0 0.0.0.0 pointing towards router ingress interfàce

Layer3switch (config)#IP routing

In upstream router

Router(config)#ip route 10.10.0.0 255.255.0.0 pointing towards gateway of L3 switch egress interfàce

Now on down stream access-switches Configure access port on links connected to access points and pass Vlan as per requirement .

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.