VLAN basics step by step
Q:
Currently have a Windows 2003 environment using DHCP with Cisco switches in a single subnet with no VLANs.

Want to take the Layer 3 switch and Layer 2 switches and configure it all with 4 VLANs (servers, users, printers, guests).

My users will need to access the servers (file, e-mail, etc.), so how does the user VLAN get access to the file server? Since this is for security, what part am I missing for how security is implemented? Right now with the single subnet, the users just access the file servers by name or IP and get to their files. Once there are, say, two separate VLANs, how will they access the servers? And since VLANs are about security, how do you implement security between the users VLAN and the servers VLAN?
ASKED: Feb 13 2009  6:18 PM GMT
A:
The first thing that you have to remember is VLANs are a way to separate the networks. VLANs basically just isolate the different traffic. All of your security comes from your switch/router routes, ACLs, or filtering on the switch/router, as well as integrated security on your servers/domain. The other thing to note is layer 2 switches generally do not support VLANs.

The most secure way to allow your user to access the server is to put in a route that only allows one user's IP to route to the server. Or, if you need a range of desktops, put the route in the switch to allow the range to go to the destinations.

Now that being said, I think you are worried about the guest traffic on your network, and with good reason. If guest access is all you are worried about, create a domain VLAN (10) and a guest VLAN (20) on your layer 3 switches.

With this setup you will not need routes/ACLs/filtering. I am going to program one switch controlling all your VLANs. You will need to have all of your guest access runs going to the main switch. Now, in Cisco terms, you will need to untrunk (untag) the ports for the needed VLANs. So, if a guest connection is plugged into port one, you will untrunk (untag) the port for VLAN 20 (GUEST). Untag all of your guest run ports. Now untrunk (untag) all of the other ports for VLAN 10 (Domain). This will completely separate the 2 VLANs. You will need to plug your guest VLAN into a firewall or a DMZ that will supply IPs, as it will not see your DHCP server.

That's it. Your guest users cannot see your domain and still get internet access.

If you want to spread out the ports across several switches, you will have to trunk (tag) all inter-connecting runs for all VLANs. NO UNTAGGED BETWEEN LAYER 3 INTERCONNECTED SWITCHES. There are many ways to do this and it is a complex topic, but hopefully this will get you started.

Cheers!
AndOrTech
Last Answered: Feb 17 2009  3:47 PM GMT by AndOrTech   515 pts.
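The answer above describes the procedure in words (define VLANs, untag access ports, trunk the inter-switch links, put guests behind a firewall) but does not show the part the question actually asks about: how the users VLAN reaches the file server once it is on a different subnet, and where the security between VLANs is enforced. The configuration below is an added example, not code from the original answer, and it covers the four-VLAN design from the question rather than the two-VLAN shortcut in the answer. It assumes Cisco Catalyst IOS syntax; the VLAN IDs, VLAN names, interface numbers and the 10.0.x.0/24 addressing are hypothetical, as are the two hosts 10.0.10.5 (domain controller running DNS and DHCP) and 10.0.10.6 (file server).

```cisco
! Added example, not part of the original answer. Catalyst IOS syntax.
! All VLAN IDs, addresses, interfaces and the hosts 10.0.10.5 (DC/DNS/DHCP)
! and 10.0.10.6 (file server) are assumptions for illustration.
!
! 1. Define the four VLANs (repeat on every Layer 2 switch that carries them).
vlan 10
 name SERVERS
vlan 20
 name USERS
vlan 30
 name PRINTERS
vlan 40
 name GUEST
!
! 2. The Layer 3 switch routes between VLANs. Each SVI is the default gateway
!    of its VLAN. ip helper-address relays DHCP broadcasts from the user and
!    printer VLANs to the existing DHCP server, one scope per VLAN.
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.5
 ip access-group USERS-IN in
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.10.5
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group GUEST-IN in
!
! 3. Security between VLANs is this ACL, not the VLAN tag. Applied inbound on
!    the user SVI, it filters what users may originate. Stateless: replies
!    from the servers are not tracked, they simply route back.
ip access-list extended USERS-IN
 remark DHCP relay and name resolution against the DC
 permit udp any eq bootpc any eq bootps
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq domain
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq domain
 remark Domain membership: Kerberos, LDAP, SMB to the DC (extend as needed)
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 88
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 389
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 445
 remark File shares on the file server only
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.6 eq 445
 remark Everything else toward the server VLAN is dropped and logged
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 remark Printing, then no other traffic to printers or guests
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 9100
 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.40.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 any
!
! Guests may only reach the Internet: deny all private address space.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! 4. Access (untagged) ports: exactly one VLAN per port.
interface range GigabitEthernet1/0/1 - 8
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/9 - 20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
! 5. Uplink to another switch: 802.1Q trunk carrying only the four VLANs,
!    DTP negotiation off, native VLAN set to an unused ID so nothing rides
!    the trunk untagged.
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 999
 switchport nonegotiate
```

Verify with `show vlan brief`, `show interfaces trunk` and `show ip access-lists` (the last shows per-entry hit counters, which is how you find out which legitimate traffic the ACL is still dropping). Three caveats a practitioner would want: the user PCs still resolve server names the same way as before because DNS to the DC is permitted, so "access by name" keeps working; a Windows 2003 domain member needs more than the handful of ports shown (RPC endpoint mapper on 135 plus dynamic ports, NTP, and so on), so the `USERS-IN` list has to be grown from the logged denies before it can be left in place; and an SVI ACL is stateless, so if you want connection tracking between users and servers, route that boundary through a firewall instead. The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL (for example 3560/3750 series) and is rejected as unknown on newer ones, where the trunk is 802.1Q by default.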