VLAN basics step by step

Cisco switches
LAN Security
Microsoft Windows Server 2003
VLAN configuration
VLAN management
Currently have a Windows 2003 environment using DHCP with Cisco switches in a single subnet with no VLANs. I want to take the Layer 3 switch and Layer 2 switches and configure it all with 4 VLANs (servers, users, printers, guests). My users will need to access the servers (file, e-mail, etc.), so how does the user VLAN get access to the file server?

Since this is for security, what part am I missing for how security is implemented? Right now with the single subnet, the users just access the file servers by name or IP and get to their files. Once there are, say, two separate VLANs, how will they access the servers? And since VLANs are about security, how do you implement security between the users VLAN and the servers VLAN?


The first thing that you have to remember is VLANs are a way to separate the networks. VLANs basically just isolate the different traffic. All of your security comes from your switch/router routes, ACLs, or filtering on the switch/router, as well as integrated security on your servers/domain. The other thing to note is layer 2 switches generally do not support VLANs.

The most secure way to allow your user to access the server is to put in a route that only allows one user's IP to route to the server. Or if you need a range of desktops, put the route in the switch to allow the range to go to the destinations.

Now that being said, I think you are worried about the guest traffic on your network, and with good reason. If guest access is all you are worried about, create a domain VLAN (10) and a guest VLAN (20) on your layer 3 switches.

With this setup you will not need routes/ACL/filtering. I am going to program one switch controlling all your VLANs. You will need to have all of your guest access runs going to the main switch. Now in Cisco terms you will need to untrunk (untag) the ports for the needed VLANs. So, if a guest connection is plugged into port one, you will untrunk (untag) the port for VLAN 20 (GUEST). Untag all of your guest run ports. Now untrunk (untag) all of the other ports for VLAN 10 (Domain). This will completely separate the 2 VLANs. You will need to plug your guest VLAN into a firewall or a DMZ that will supply IPs, as it will not see your DHCP server.

That's it. Your guest users cannot see your Domain and still get internet access.

If you want to spread out the ports across several switches you will have to trunk (tag) all inter-connecting runs for all VLANs. NO UNTAGGED BETWEEN LAYER 3 INTERCONNECTED SWITCHES. There are many ways to do this and it is a complex topic, but hopefully this will get you started.
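As an added example that is not part of the original answer, here is a Cisco IOS-style configuration for the four-VLAN layout the question describes: access (untagged) ports, a tagged trunk to a Layer 2 switch, routed VLAN interfaces on the Layer 3 switch, DHCP relay so the user VLAN still reaches the Windows DHCP server, and inbound ACLs that let users reach the servers while keeping guests off the internal ranges. VLAN numbers, subnets, interface names and the DHCP server address are assumed values, not from the page.

```cisco
! Added example config (assumed VLAN IDs, addresses and interface names)
vlan 10
 name SERVERS
vlan 20
 name USERS
vlan 30
 name PRINTERS
vlan 40
 name GUESTS
!
! Access (untagged) port: a desktop plugged into Gi0/1 lands in the users VLAN
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Trunk (tagged) uplink to a Layer 2 access switch carries all four VLANs
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! Routed VLAN interfaces: each VLAN's default gateway lives on the L3 switch
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ! DHCP broadcasts do not cross VLANs; relay them to the DHCP server (assumed 10.0.10.5)
 ip helper-address 10.0.10.5
 ip access-group USERS-IN in
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group GUESTS-IN in
!
! Users may reach servers (file, e-mail) and printers, nothing else internal
ip access-list extended USERS-IN
 permit ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip any any
! Guests get Internet only: drop anything aimed at the internal 10.0.0.0/16 ranges
ip access-list extended GUESTS-IN
 deny   ip 10.0.40.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip any any
```

Verify with `show vlan brief`, `show interfaces trunk` and `show ip access-lists` (the ACL hit counters confirm that guest-to-server traffic is being dropped at the SVI).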
