1

Topic: How to differentiate a network? (VLAN)

http://images.vfl.ru/ii/1505801637/bf31 … 655032.jpg (1041x688, 93.1Kb)
There is a network like this.
There are 3 managed switches, from HP. A trunk is set up between them.
Both the office computers and the 6 Wi-Fi APs that the managers work with, using handheld terminals (barcode readers), are fed from them. They only need access to the 1 bases.
They work in a cluster, as a single unit.
Local clients also work with 1, and there are also branches that are connected to us over VPN and also work with these servers.
Now it is necessary to restrict them so that even someone with access to the Wi-Fi cannot reach the local network, the Internet or other servers.
I thought VLAN is most likely the right fit, but I have practically never dealt with VLANs.
What can you advise? How should this task be solved, and at what level?

2

Re: How to differentiate a network? (VLAN)

kayser
To understand it: a VLAN is a VIRTUAL NETWORK.
Imagine that you have not 3 switches with everything plugged into all of them at once, but 3 switches where one has only  plugged in, another has the local users, and the third has the server 1.
Each of them forms a VLAN. You need to connect them and provide for the passage of packets between them. And also connect the external users from the Internet.

3

Re: How to differentiate a network? (VLAN)

Dzhamal
We do not have a router. More precisely, there is one edge MikroTik that is connected to the Internet.
And I will not be ashamed to ask: what is the router for? After all, everything is in one subnet. If a router is installed, I think it is possible to manage without VLAN, though . I do not really understand how VLAN works.

4

Re: How to differentiate a network? (VLAN)

aMster
Dzhamal
Ah, now I understand what the router is for))
Even if the switch is layer 3, can it not do this itself, without a router?
And can VLAN perhaps be done at level ? Their specifications say that they can work with VLAN. Or can I not set this up without a router anyway?

5

Re: How to differentiate a network? (VLAN)

Dzhamal
Probably, but it only means that the wireless network's traffic will be packed into the specified , nothing more.
So the server 1 will also have to be  in this VLAN, yes? But then the server will not be accessible to the other participants of the celebration.
Whichever way you turn it, a router is necessary.
And will any router do? What can you advise for such a task?

6

Re: How to differentiate a network? (VLAN)

kayser
Router. Have a look here - http://www.d-link.ru/ru/faq/62/186.html and here - http://www.d-link.ru/ru/faq/62/187.html , maybe some thoughts will come up. It is D-Link there, true, but the essence does not change.

7

Re: How to differentiate a network? (VLAN)

kayser
An L3 switch can. But often not fully and not everything. BUT! For the majority of tasks a normal L3 switch quite replaces a dedicated router.
Since you have a MikroTik, can you make it do the work?
I have not tinkered with them ( this bowl), but depending on the model they seem to be able to do quite a lot.
Basically you should allocate a separate network for VPN clients, a network for mobile subscribers, a network for local users, and separately you can set up the network with the server 1 as something à la DMZ (read up on the Internet on what that is).
Configure the rules: who may go where and for what. And that is basically all.

8

Re: How to differentiate a network? (VLAN)

aMster
Well, I would rather not touch the MikroTik. It is the provider's device. It gives us the Internet and connects the VPN (site to site) to the other branches.
And whom do you suggest putting in the DMZ zone? The Wi-Fi clients?
And still, which router is better to buy for this task? Preferably one with a clear interface; I would rather not be at war with Cisco-like ones again, well them .

9

Re: How to differentiate a network? (VLAN)

Dzhamal
And since there are already switches, you can take an RB3011UiAS-RM. I understand that the spread between the named  is very large, but that is why I wrote that the required performance must be known in order to advise something acceptable.
There is no special performance requirement there. About 20 mobile data terminals. They walk around and check the goods, the prices, periods etc.
Now which way to go: DMZ or router > VLAN?

10

Re: How to differentiate a network? (VLAN)

Well, I wrote: à la DMZ.
In general, the point of a DMZ and its difference from an internal network: nobody at all may be let into the internal network. Into the DMZ, only to those services that are allowed.
And outbound: from the DMZ only the allowed services, and from  at will.
What is good about allocating a separate network for VPN clients: again, we can   them and restrict them to certain services.
That is, roughly speaking, taking a hotel as an example: the DMZ is the restaurant. Hotel guests walk into it, and people can come in from the street too.
The reception is the VPN. We can check in a visitor from the street. And the internal network is the staff. They walk everywhere.
If you are not protecting anything, it can be done more simply. But it seems to me that most modern routers offer enough ready-made variants and recipes for building a network that there is no need to reinvent the wheel.

11

Re: How to differentiate a network? (VLAN)

Dzhamal
VLAN is just a logical method of dividing networks. Physically they remain connected to the same devices, but logically, at L2, they are separated.
Routing (DMZ included) is indeed a higher level, i.e. at least L3, where there are rules for forwarding packets from one network to another.

12

Re: How to differentiate a network? (VLAN)

Dzhamal
Still, if there were no , the author would have to install not three switches but six or eight.
It seems to me that even with 10 switches my task would not be solved.
I repeat the task.
GIVEN:
- The server 1 (192.168.1.10). Everyone works with this server
- Local Ethernet users (192.168.1.20-192.168.1.100)
- Local wireless users (Wi-Fi APs, 6 pieces. 192.168.1.100-192.168.1.150)
- Remote client users (VPN), different subnets
REQUIRED:
Isolate the Wi-Fi network so that Wi-Fi clients cannot reach anything beyond the allowed server (1).
It seems like not such a difficult task, but I see there are no clear-cut solutions. Something has to be invented.

13

Re: How to differentiate a network? (VLAN)

kayser
It seems like not such a difficult task, but I see there are no clear-cut solutions.
Everything by the book: move all wireless users into a separate , change its subnet,   on the L3 switch, write an ACL with rules for which of them may go where, and hang this ACL on .
The subtlety is in who will now hand out IP addresses to them. This can be entrusted to the access points, or to the L3 switch, or left on the DHCP server, but that is more difficult.
The second subtlety is that the access points (and, properly, any other equipment) will need to be moved into . management VLAN, with separate addressing. That is best practice for any network, even a small one.

14

Re: How to differentiate a network? (VLAN)

kayser

There are no clear-cut solutions.

There are. You were told. Make 3 networks:
192.168.1.1/24 - place the server 1 there (192.168.1.10). Everyone works with this server
192.168.2.1/24 - local Ethernet users (192.168.2.20-192.168.2.100)
192.168.3.1/24 - local wireless users (Wi-Fi APs, 6 pieces. 192.168.3.100-192.168.3.150)
The first IP is the address of the gateway in each of these networks. FOR THE CONTENTS OF THE NETWORK it will be the default gateway.
Install a router, configure the networks and routing on it. Configure who may go where.
For example, everyone may go to the network with the server, though that is not by .
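
The three-network plan above, combined with the ACL idea from post #13, written as a first-match rule list and checked against the stated requirement. This is an added example, not part of the original post; the rule set, the implicit deny, the stateless-ACL assumption and the probe addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Networks and server address as given in the post.
SERVER = ip_network("192.168.1.10/32")
SERVER_NET = ip_network("192.168.1.0/24")
WIRED_NET = ip_network("192.168.2.0/24")
WIFI_NET = ip_network("192.168.3.0/24")
ANY = ip_network("0.0.0.0/0")

# Assumed rule set: (action, source, destination), first match wins.
ACL = [
    ("permit", WIFI_NET, SERVER),      # Wi-Fi clients reach only the allowed server
    ("deny", WIFI_NET, ANY),           # no LAN, no Internet, no other servers
    ("permit", WIRED_NET, ANY),        # wired users keep their access
    ("permit", SERVER_NET, ANY),       # server replies (stateless ACL assumed)
]

# Common mistake: permitting the whole server subnet instead of the one host.
WEAK_ACL = [("permit", WIFI_NET, SERVER_NET)] + ACL[1:]

def decide(src, dst, acl=ACL):
    """Action of the first rule matching src -> dst; unmatched traffic is denied."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed probe destinations: another server, a wired PC, an Internet host.
PROBES = ["192.168.1.5", "192.168.2.20", "8.8.8.8"]

def wifi_leaks(acl=ACL, client="192.168.3.101"):
    """Destinations other than the allowed server that a Wi-Fi client can reach."""
    return [dst for dst in PROBES if decide(client, dst, acl) == "permit"]

if __name__ == "__main__":
    print("Wi-Fi -> server:", decide("192.168.3.101", "192.168.1.10"))
    print("leaks, strict ACL:", wifi_leaks(ACL))
    print("leaks, weak ACL:", wifi_leaks(WEAK_ACL))
```

Traffic between two Wi-Fi clients stays inside their VLAN and never crosses the routed interface, so an ACL of this kind does not see it.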

15

Re: How to differentiate a network? (VLAN)

Our switches are these (4 pieces): https://naobzorah.ru/router/hp_v1910-24g_switch
But as I understand it, it is layer 2. So in any case I cannot manage without a router, as I understand it.
There is AD in the network, and accordingly AD with DHCP.
Now where to begin?
P.S. At the edge we also plan to install a firewall (NGFW), a hardware-software appliance, something like this:
https://www.paloaltonetworks.com/produc … all/pa-200
But it cannot be used as a router, though it has routing. It will stand after  in the local network.

16

Re: How to differentiate a network? (VLAN)

kayser
The HP 1910 can do static routing (i.e. routes have to be entered manually).

17

Re: How to differentiate a network? (VLAN)

seack
The HP 1910 can do static routing (i.e. routes have to be entered manually).
And where did you get that from? The description says:

- Static routing: not present

Added 9/22/2017 09:30:
Though I have now found the official documentation:
https://www.hpe.com/h20195/v2/GetDocume … =c05051651
It says there that it is a Layer 3 switch and supports it:

* Static IPv4/IPv6 routing
provides basic routing (supporting up to 32 static routes and 8 virtual VLAN interfaces); allows manual configuration of routing

18

Re: How to differentiate a network? (VLAN)

kayser
Well, that means you make the one that  the gateway is plugged into the router, and gradually move the subscribers onto VLANs.
It would also be good to set up DHCP to minimize . But that is already another subject.

19

Re: How to differentiate a network? (VLAN)

aMster
It would also be good to set up DHCP to minimize . But that is already another subject.
But there is already DHCP in the network. On the domain controller.
The wireless  are connected to different switches.
That means you make the one that  the gateway is plugged into the router
And can you tell me what needs to be routed? Who, from where, to where? It will be static routing there.

20

Re: How to differentiate a network? (VLAN)

Dzhamal
Damn, it is all so tangled. Can it be done gradually, or does VLAN + routing have to be done all at once?

21

Re: How to differentiate a network? (VLAN)

kayser
Everything works for you now? Then it is simple.
1. Create , configure networks and routing.
2. Bring up several scopes on the DHCP server, configure DHCP relay on the interfaces.
3. Take a port on the switch, put it into the new  and check how it works.
4. Move all the necessary ports into the new . If everything above was done correctly and by  , everything should work.
Added 9/23/2017 19:31:
kayser
And can you tell me what needs to be routed? Who, from where, to where? It will be static routing there.
To begin with, there should be only one route on the router: 0.0.0.0 0.0.0.0 <the internal interface of the Internet gateway>
That is, a default route to the Internet.
On the Internet gateway, routes to the internal networks need to be entered.

22

Re: How to differentiate a network? (VLAN)

There are free ports on the switches. I just did not understand how many are needed. Only for moving ?
So I need to create the VLAN on the free ports, configure everything necessary and connect the access points there right away?

2. Bring up several scopes on the DHCP server, configure DHCP relay on the interfaces.

Does this have to be done on the domain controller? Or does a separate DHCP have to be brought up?
Is DHCP relay needed on the new VLAN interfaces for ?
Besides all these schemes of operation that are unclear to me, I still do not understand how local clients will also get access to the server 1. After all, in theory, if the server 1 is also put in the VLAN with the Wi-Fi clients, it will be inaccessible to everyone else.

23

Re: How to differentiate a network? (VLAN)

kayser
Dzhamal
1. No, there is no need to re-address the server with 1. And in general, moving servers is the last thing to do.
It is the  clients that need to be moved.
How to differentiate a network? (VLAN), #19 - something like this.
Then all server settings remain the same for ALL clients.
kayser
2. If you have DHCP, then definitely on it.
DHCP relay has to be configured on the router, on the specific interface, so that it forwards the clients' DHCP messages to the server, and back.
3. You need the free ports for a sanity check. One is enough. Plug  (or a test computer) in there, set it to obtain an address automatically and see what happens...
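
How the DHCP relay mentioned in posts #21 and #23 lets one existing DHCP server serve every VLAN: the relay on each VLAN interface writes that interface's address into the `giaddr` field of the client's broadcast, and the server picks the scope that contains `giaddr`. This is an added example, not part of the original posts; the scope names, MAC address and transaction id are constructed, and the gateway addresses are the ones from post #14.

```python
import struct
from ipaddress import ip_address, ip_network

HOPS_OFF, GIADDR_OFF = 3, 24      # fixed offsets in the BOOTP/DHCP header

# One scope per network from post #14; the scope names are assumptions.
SCOPES = {
    "servers": ip_network("192.168.1.0/24"),   # the DHCP server itself lives here
    "wired": ip_network("192.168.2.0/24"),
    "wifi": ip_network("192.168.3.0/24"),
}

def discover(mac, xid):
    """Constructed minimal DHCPDISCOVER as a client broadcasts it (giaddr = 0)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    return hdr + bytes([99, 130, 83, 99, 53, 1, 1, 255])  # cookie + type + end

def relay(pkt, iface_ip):
    """Relay on a VLAN interface: stamp giaddr, then unicast to the server."""
    out = bytearray(pkt)
    out[HOPS_OFF] += 1
    if out[GIADDR_OFF:GIADDR_OFF + 4] == bytes(4):   # only the first relay sets it
        out[GIADDR_OFF:GIADDR_OFF + 4] = ip_address(iface_ip).packed
    return bytes(out)

def pick_scope(pkt, local="servers"):
    """Scope the server leases from: by giaddr, or its own segment if giaddr = 0."""
    giaddr = ip_address(pkt[GIADDR_OFF:GIADDR_OFF + 4])
    if int(giaddr) == 0:
        return local
    return next((n for n, net in SCOPES.items() if giaddr in net), None)

if __name__ == "__main__":
    pkt = discover(bytes.fromhex("020000000001"), 0x1234)   # constructed MAC / xid
    print(pick_scope(relay(pkt, "192.168.3.1")))   # request seen on the Wi-Fi VLAN
    print(pick_scope(relay(pkt, "192.168.2.1")))   # request seen on the wired VLAN
```

A relayed request whose `giaddr` matches no scope gets no lease, which is why the scopes are created on the server before any ports are moved into the new VLAN.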

24

Re: How to differentiate a network? (VLAN)

Still, I do not understand this whole scheme: VLAN > routing > DHCP relay.
Using another switch as an example:
https://images.vfl.ru/ii/1506343115/1ab … 735902.jpg
https://images.vfl.ru/ii/1506343115/199 … 735901.jpg
https://images.vfl.ru/ii/1506343115/e02 … 735900.jpg
https://images.vfl.ru/ii/1506343115/4af … 735899.jpg
https://images.vfl.ru/ii/1506343115/32e … 735898.jpg
Does everything have to be done in these tabs?
Only I did not find anything there on  (D-Link DGS-1210-28).

25

Re: How to differentiate a network? (VLAN)

kayser
I can  explain it to you with an example, but will it help you?
Here on the circuit