VLAN for WiFi traffic separation (new to VLANing)

Posted by Philip on Server Fault See other posts from Server Fault or by Philip
Published on 2011-07-17T14:26:20Z Indexed on 2012/09/17 21:41 UTC
Read the original article Hit count: 283

Filed under:
|
|

I run a school network with switches in different departments. All is routed through to a central switch to access the servers.

I would like to install WiFi access points in the different departments and have this routed through the firewall (an Untangle box that can captive-portal the traffic, to provide authentication) before it gets onto the LAN or to the Internet.

I know that the ports that the APs connect to on the relevant switches need to be set to a different VLAN. My question is how do I configure these ports. Which are tagged? Which are untagged? I obviously don't want to interrupt normal network traffic.

Am I correct in saying:

  • The majority of the ports should be UNTAGGED VLAN 1?
  • Those that have WiFi APs attached should be UNTAGGED VLAN 2 (only)
  • The uplinks to the central switch should be TAGGED VLAN 1 and TAGGED VLAN 2
  • The central switch's incoming ports from the outlying switches should also be TAGGED VLAN 1 and TAGGED VLAN 2
  • There will be two links to the firewall (each on its own NIC), one UNTAGGED VLAN 1 (for normal internet access traffic) and one UNTAGGED VLAN 2 (for captive portal authentication).

This does mean that all wireless traffic will be routed over a single NIC which will also up the workload for the firewall. At this stage, I'm not concerned about that load.

A rough sketch of the network

© Server Fault or respective owner

Related posts about networking

Related posts about wireless-network