VLAN Assistance

Darkrage, please go ahead and give me your input but I think I resolved the confusion I was initially having. My problem was that I was trying to subnet my existing network, i.e. I was trying to subnet off a subnet block. I wasn't thinking about routing between the subnets, for whatever reason. I tend to make things more difficult than I need to.

So I just set up my routing tables on the L3 switch and it's like this:

VLAN 10 server room: 10.1.54.0/24
VLAN 100 access points: 10.1.56.0/24
VLAN 200 printers: 10.1.56.0/24
VLAN 300 LAN hosts: 10.1.57.0/24
VLAN 500 public wifi: 192.168.1.0/16

I use a printer server so if I only route between the 54.0 and 56.0 and not between the other two, the server will do the work and print for me and send to that VLAN, correct, or should I just go ahead and route the workstation to the printer VLAN as well?

I have DHCP set up as well for these zones.

VLAN 500 is DMZ'd and has only access to our redundant WAN interface (our crappy 25 Mbps ATT service.)

I have some other ideas that are more robust than what I'm giving you here, but if I got this right I know I'd have a good understanding on what I'm doing and those will come easily. (i.e. I'm wanting to break the server room and LAN computers up a bit to a more department oriented idea like you suggested.)

This is a concept that really helped me a while back when I was first dealing with VLANs. VLANs are often portrayed as being a specific range of IP addresses, but literally all you're doing is dividing switches into sub-switches and telling the switch which ports belong to which "virtual switch".

Routers are the only reason VLANs can talk. From a switch's point of view, they are totally separate. The way that things can happen between different VLANs is because the router is acting like a gatekeeper between the VLANs (that's why there's often specific firewall rules for communication between two VLANs).

VLANs on a router seem complex, but they're really not. It's similar to switches; you're dividing a single Ethernet interface into sub-Ethernet-interfaces. If you've got 5 VLANs set up on your router to act like 5 different networks, each with their own range of IPs, then it's functionally the same as if you had 5 different physical interfaces on your router and 5 different switches.

Edit: @DeusQain and @wendell, you guys should do a tutorial on pfSense/VLANing. Maybe even a series. I know lots of people who'd love to get this sort of thing up and running on their home network so they can screw around with fancy network stuff, but it's hard to wrap your head around if you've never dealt with it before.


Excellent @HelloMrOwl , things are starting to look nice :)

Now, first off, you can't selectively "route". If you have all your VLANs terminated at the CORE switch, it will route between ALL vlans. The only way to limit access is through access lists.

My suggestion:

VLAN 154 - 10.1.54.0/24 - Servers
VLAN 155 - 10.1.55.0/24 - Users
VLAN 156 - 10.1.56.0/24 - Printers
VLAN 157 - 10.1.57.0/24 - APs

VLAN 168 - 192.168.0.0/16 - Public WiFi (your suggestion is an address, not a network, as 192.168.1.0/16 falls in 192.168.0.0/16 range)

VLAN 172 - 172.20.172.0/24 - Management, as I didn't see you mentioning that, but it's necessary. Put all your managed switches and other networking hardware in it for ease of management. Later on you will be able to secure that network and limit access to it only from the IT department.

Configure the CORE to have IPs for every network. Use either the first (.1) or the last (.254) address of each subnet. These are your gateways for the hosts in each VLAN.
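Added example (not from anyone in this thread): a small Python script, using only the standard-library `ipaddress` module, that sanity-checks an addressing plan like the one above before it is typed into a switch. It catches the two errors raised in the thread (a prefix that is really a host address, such as 192.168.1.0/16, and two VLANs sharing 10.1.56.0/24 in the first draft), derives the .1 or .254 gateway for each VLAN, and sizes a /29 transport link. The VLAN ids and prefixes are the ones proposed above; 10.1.60.0/29 is an assumed placeholder for the transport network.

```python
import ipaddress

# Constructed from the addressing plan proposed in this thread: VLAN id -> (prefix, role).
PROPOSED_PLAN = {
    154: ("10.1.54.0/24", "Servers"),
    155: ("10.1.55.0/24", "Users"),
    156: ("10.1.56.0/24", "Printers"),
    157: ("10.1.57.0/24", "APs"),
    168: ("192.168.0.0/16", "Public WiFi"),
    172: ("172.20.172.0/24", "Management"),
}

# The first draft from the opening post, which reused 10.1.56.0/24 for two VLANs.
FIRST_DRAFT = {
    10: ("10.1.54.0/24", "Server room"),
    100: ("10.1.56.0/24", "Access points"),
    200: ("10.1.56.0/24", "Printers"),
    300: ("10.1.57.0/24", "LAN hosts"),
}


def parse_network(prefix):
    """Parse a CIDR prefix, rejecting values that have host bits set.

    '192.168.1.0/16' is a host address inside 192.168.0.0/16, not a network;
    strict=True makes the ipaddress module refuse it instead of silently masking it.
    """
    try:
        return ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        containing = ipaddress.ip_network(prefix, strict=False)
        raise ValueError(
            f"{prefix} has host bits set; it is an address inside {containing}"
        ) from None


def find_overlaps(plan):
    """Return sorted (vlan_a, vlan_b) pairs whose subnets overlap or are identical."""
    nets = {vid: parse_network(prefix) for vid, (prefix, _) in plan.items()}
    ids = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(ids)
        for b in ids[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def gateways(plan, use_last=False):
    """Gateway address per VLAN: first usable host (.1) or last usable host (.254)."""
    result = {}
    for vid, (prefix, _) in plan.items():
        net = parse_network(prefix)
        # net[1] is the first host; net[-1] is broadcast, so net[-2] is the last host.
        result[vid] = str(net[-2] if use_last else net[1])
    return result


def transport_link(prefix):
    """Addresses for the CORE <-> firewall transport network.

    Returns (usable_host_count, firewall_ip, core_ip). A /29 yields 6 usable hosts,
    plenty for a two-device point-to-point link.
    """
    net = parse_network(prefix)
    hosts = list(net.hosts())
    return len(hosts), str(hosts[0]), str(hosts[1])


if __name__ == "__main__":
    print("overlaps in first draft:", find_overlaps(FIRST_DRAFT))
    print("overlaps in proposed plan:", find_overlaps(PROPOSED_PLAN))
    print("gateways (.1):", gateways(PROPOSED_PLAN))
    try:
        parse_network("192.168.1.0/16")
    except ValueError as exc:
        print("rejected:", exc)
    # 10.1.60.0/29 is an assumed placeholder for the transport network.
    print("transport /29:", transport_link("10.1.60.0/29"))
```

Running it prints `[(100, 200)]` for the first draft (the duplicated printer/AP subnet) and an empty list for the proposed plan; pick one gateway convention (`use_last=False` for .1, `True` for .254) and use it for every VLAN so the DHCP scopes can exclude it consistently.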

I did not see you mentioning exactly what brand/type of switches the managed ones are, but if you tell me I can give you more advice, because there are some very useful features that some switches support that can come in handy.

@K4KFH - Layer 3 switches are also "routers" :)

True, I was just trying not to over-explain. Thank you for clarifying though!

Good information there, but that's pretty basic networking material there. I'd hope, since I am talking about VLANing a network, that I'd know that much. The reason I started this thread was because I haven't had to touch subnetting in 2 years and confused myself attempting to divide up the network.

@Darkrage Well I was actually building the routing index on the Sonicwall firewall just to keep it, because I don't have a command line interface from my home computer through VPN, so I created it there to make the transition easier to the switch later on.
Your IP suggestions are spot on. I suppose you are right on the 192 network though. Anytime I start to type "192.168" the rest gets filled in automatically I suppose.

So your suggestion is to put all managed devices on their own VLAN then? I can manage that.

I got my DHCP stuff set up as well. I was expecting setting up DHCP for a VLAN to be a little more complicated than it was, though.

You got a Sonicwall? You should've started with that :)

So, we are expanding the schema.

Even though you can lift up the Layer 3 routing to be done on the firewall, I tend to prefer each device to do work that it's best suited for, meaning:

Edge Router (if any)
|
Sonicwall
|
Layer 3 collapsed (distribution+core) CORE switch
|
Layer 2 Access switches
|
Hosts

Now, all the LAN routing is done on the CORE. Guest WiFi VLAN 192 is terminated on the firewall, so you can restrict access to the LAN.

In this case you need one more network - a "transport network" between the CORE and the Sonicwall. Come up with a /29 network for that, it's enough.

Put the DHCP scopes on the Sonicwall and use DHCP relay on the CORE to forward DHCP requests to the Firewall. Switches are not good at DHCP-ing :)

Yes, Management VLAN is a must IMHO, and it also needs to be terminated on the firewall and secured there. Do not use DHCP here. Use static addresses.

You also need to do Static Routing on the Sonicwall to point at the CORE transport network address for the LAN subnets. The CORE has to be configured with a Default Route (Gateway) pointing to the Inside address of the Sonicwall (the transport network address).

@Darkrage
Yeah, that's why I'm doing it on the L3 switch. It just "feels" better to have it doing the routing on the LAN.

The way it's looking now is almost exactly how you described it. The public network goes straight through to the firewall and out the X2 interface, which is the WAN so it never touches any network data otherwise.

So create some arbitrary additional network, like a 10.1.60.0? Makes sense, might as well do it while I'm digging around to avoid additional management later on.

And DHCP scopes are already added on the firewall, and it was so damned easy. You can directly import the VLAN interfaces you created in the "Interfaces" menu and it imports all the IP addresses and such for you. I'm not enabling DHCP on the AP/printer networks since those are manually created. I've been wanting to recreate the IP schema for printers for a while now; as of right now it's all over the place and I like all my stuff to be sequential. I came into this network a year and a half ago and it "just worked." It had no management capabilities, no auditing, wasn't HIPAA compliant or anything. Getting this VLAN network complete will be the last goal I need to accomplish to be happy with my network.

Oh, and straightening up the server room. Shit's a rat's nest.

So, the way I see things:

In this picture I see only one problem though.

I forgot Sonicwall cannot act as a true DHCP server. So you either have to use your Domain Controller DHCP capabilities for VLANs 154-157 and use DHCP relay on the CORE, or configure the DHCP for those subnets on the CORE itself.

Exactly, I just didn't have Visio, or an equivalent, to put it into a visible format. I didn't think about the default gateway; that'll just be the assigned IP address, correct, which is just the 1st available IP address for all intents and purposes?

But yeah, pretty much exactly how you put it. I suppose it's easier for me to read it in my head since I know what I'm 'looking' at.

Why would the sonicwall be unable to do DHCP functions?

Well, I do not know how the SonicWall will handle the DHCP requests relayed as unicasts from the CORE switch.

I suppose that the firewall is clever enough to process those based on the Scopes configured.

In any case you can try it out :)

One additional note - the way things are configured, because the CORE has IP addresses in all VLANs, you cannot restrict accessing the management interfaces of the managed devices. The CORE will route packets regardless. That is why you also need to configure the managed switches to only accept SSH/telnet/HTTPs connections from certain IP addresses (the IT computers).
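Added example (not from anyone in this thread): because the CORE routes between every VLAN it has an address in, the only thing standing between a user workstation and a switch's management interface is a filter on the managed device itself. This Python script models the usual first-match ACL semantics generically (it is not any vendor's syntax) and evaluates a few constructed flows against a rule set that permits SSH/telnet/HTTPS to the management VLAN only from two assumed IT workstations (10.1.55.10 and 10.1.55.11) and denies it from everyone else. The last sample flow, SNMP on port 161, is permitted by the catch-all rule and is there to show that a deny list protects only the ports you actually listed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_VLAN = ipaddress.ip_network("172.20.172.0/24")      # management VLAN from the thread
MGMT_PORTS = frozenset({22, 23, 443})                     # SSH, telnet, HTTPS

# Constructed: the IT department's workstations, as /32 host entries so that only
# those exact machines, not the whole Users VLAN, may reach management interfaces.
IT_WORKSTATIONS = [
    ipaddress.ip_network("10.1.55.10/32"),
    ipaddress.ip_network("10.1.55.11/32"),
]

# First-match rule list: (action, src_net, dst_net, dst_ports or None for any port).
# Assumption: generic first-match semantics with an implicit deny at the end,
# which is how most switch ACLs behave; the syntax here is not any vendor's.
MGMT_ACL = (
    [("permit", src, MGMT_VLAN, MGMT_PORTS) for src in IT_WORKSTATIONS]
    + [
        ("deny", ANY, MGMT_VLAN, MGMT_PORTS),   # everyone else: no management access
        ("permit", ANY, ANY, None),            # ordinary inter-VLAN traffic still flows
    ]
)


def evaluate(acl, src, dst, dst_port):
    """Return 'permit' or 'deny' for one flow using first-match evaluation."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in acl:
        if src_ip in src_net and dst_ip in dst_net and (ports is None or dst_port in ports):
            return action
    return "deny"  # implicit deny when nothing matched


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.1.55.10", "172.20.172.5", 22),    # IT workstation -> switch, SSH
    ("10.1.55.77", "172.20.172.5", 22),    # ordinary user -> switch, SSH
    ("10.1.55.77", "172.20.172.5", 443),   # ordinary user -> switch, web UI
    ("10.1.55.77", "10.1.56.20", 9100),    # user -> printer, not management traffic
    ("10.1.54.5", "172.20.172.5", 161),    # server -> switch, SNMP: port not in the deny list
]


def audit(acl, flows):
    """Evaluate every flow; returns a list of (flow, verdict) tuples."""
    return [(flow, evaluate(acl, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit(MGMT_ACL, SAMPLE_FLOWS):
        print(f"{flow[0]:>12} -> {flow[1]}:{flow[2]:<5} {verdict}")
```

The takeaway for the management VLAN is the last line of output: anything a switch listens on (SNMP, a vendor discovery protocol, an HTTP redirect port) needs to be in `MGMT_PORTS`, or better, the rule set should be turned around so the management VLAN has a final deny for all ports and the IT permits sit above it.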

As of right now that's the way it is, the only individuals that can access anything, switches, firewall, APs are me and my boss who was the old IT before he took a management position.

There's you a network diagram.

Super! You forgot to add the 154 VLAN to the trunk in the upper left, but I'm sure it's configured :) Assuming the router icon is the L3 switch.

No, I actually didn't trunk the 154 VLAN to the L3 switch, I'll tack that on, and yeah the router icon is the L3 switch. Closest thing I found. Also forgot to add the 155 VLAN in there, but we all know that it's there.

Oh, and the way you have configured the DHCP scopes is incorrect. You have configured address ranges like 56.1-56.157. This means the DHCP server will give out the 56.1 address (if it's not smart enough), and that address should already be configured on the CORE switch :) Adjust that.

Aye, that's because I just migrated the information over and initially had it set up to use the .150 address as the default gateway (which is what we use now), but that also gave me an error when trying to add the remaining IP addresses. I changed the gateway to 10.1..1 on all of them so the DHCP scope is now 10.1..2-254.
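Added example (not from anyone in this thread): a Python check for the DHCP scope problem just described. `scope_problems` reports a pool that starts at .1 while .1 is the gateway on the CORE (or any other statically assigned address, such as the old .150 gateway), and `suggest_pool` returns the largest contiguous run of usable addresses that avoids every static assignment. The subnet and addresses are the ones from the thread; the list of reserved addresses is a constructed input.

```python
import ipaddress


def scope_problems(subnet, start, end, reserved=()):
    """Return a list of problems with a DHCP pool start..end inside subnet.

    reserved: addresses that are configured statically (gateway on the CORE,
    switch/AP/printer addresses) and therefore must not be handed out by DHCP.
    """
    net = ipaddress.ip_network(subnet)
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    problems = []
    if first not in net or last not in net:
        return [f"pool {first}-{last} is not inside {net}"]
    if first > last:
        problems.append("pool start is after pool end")
    if first == net.network_address:
        problems.append(f"pool includes the network address {first}")
    if last == net.broadcast_address:
        problems.append(f"pool includes the broadcast address {last}")
    for addr in map(ipaddress.ip_address, reserved):
        if first <= addr <= last:
            problems.append(f"pool includes statically assigned {addr}")
    return problems


def suggest_pool(subnet, reserved=()):
    """Largest contiguous run of usable hosts in subnet that avoids every reserved address.

    Returns (start, end) as strings, or None if every usable address is reserved.
    """
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(a) for a in reserved}
    best_start = best_end = None
    best_len = 0
    run_start = None
    run_len = 0
    for host in net.hosts():          # hosts() already excludes network and broadcast
        if host in taken:
            run_start = None
            run_len = 0
            continue
        if run_start is None:
            run_start = host
            run_len = 0
        run_len += 1
        if run_len > best_len:        # the current run is now the longest seen
            best_len = run_len
            best_start = run_start
            best_end = host
    return (str(best_start), str(best_end)) if best_start is not None else None


if __name__ == "__main__":
    # The scope as first migrated: 56.1-56.157 with .1 configured on the CORE.
    print(scope_problems("10.1.56.0/24", "10.1.56.1", "10.1.56.157", reserved=["10.1.56.1"]))
    # The corrected scope: .2-.254 with .1 as gateway.
    print(scope_problems("10.1.56.0/24", "10.1.56.2", "10.1.56.254", reserved=["10.1.56.1"]))
    print(suggest_pool("10.1.56.0/24", reserved=["10.1.56.1"]))
    # With the old .150 gateway still in use, the best single pool stops short of it.
    print(suggest_pool("10.1.56.0/24", reserved=["10.1.56.1", "10.1.56.150"]))
```

On the printer and AP VLANs, where addresses are assigned by hand, the `reserved` list is the whole static inventory, which is a reasonable thing to keep in a file next to the switch configs so the check can be rerun whenever a scope is edited.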

Perfect!

Now it's the time for you to "foresee" and add one more VLAN to the picture - Voice VLAN ;) Then go to the management and ask for money and implement it ^^

Also, you can check your APs if they support multiple SSIDs and configure them with trunks to the switches with 157+192 VLANs there and then bind 192 VLAN to the GuestWiFi SSID and 157 VLAN to the Users SSID. Also, it's best to hide that SSID from broadcasting (the Users one) and have it configured manually on their devices ;)

@darkrage

We'll never get VoIP. The cost is too much and our current POTS/PBX system works too well and is too easy to maintain.

Our current APs do support individual SSID to VLAN assignment, but the way some of the devices on our network run I don't have the luxury of doing that. When I get approval to purchase the last 3 Cisco APs I need I'll have enough old HP ProCurve APs to give us a public network though.

Since we're on the topic, what's the best practice to implement a VoIP VLAN? Just set it up as normal and do QoS on the switch side?