Looking for Instructions/Steps to Configure VLAN

onyxlinkia

I just bought a used 24-port Cisco 3560V2 from eBay. I'm planning to set up a VLAN instead of using dual NICs on the BI machine. Any pointers on how to achieve this? Just want to make sure the cameras have no access to the internet.

Thanks.
 

The Automation Guy

(PS - I'm not trying to be snarky with this response. It's just an easy way to give out Google results....).
 

biggen

The basics are:
  1. You will have to make sure your router can do VLAN routing (which most modern routers should).
  2. Create two subnets on your router (you already have one so create one more). The second one needs to be assigned a VLAN number (e.g. VLAN 10). It will need a different subnet than the one you use now. So if you currently use 192.168.1.0 then the newly created subnet for VLAN 10 could be on 192.168.2.0. This will be your newly tagged VLAN subnet. Your first subnet you have been using is probably untagged (or it defaults to VLAN 1 on some routers).
  3. On the new switch, you will need to set the switch ports you desire to be in this VLAN to VLAN 10. These are generally referred to as tagged ports. The ports you don't want tagged (e.g. the subnet you use now) can be left untagged (also called access ports).
  4. The uplink port on the switch back to the router needs to be set as a "trunk" so it will carry tagged and untagged VLAN traffic.
  5. The port on the router may/will also need to be set to trunk.
That is the gist of it. Setup and terminology can vary but those are the basic steps.

After everything is working and you can route (connect) to things in VLAN 10 from your untagged VLAN then it's time to create some firewall rules that block all outbound traffic from VLAN 10 to the WAN.
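
The switch side of steps 3 and 4, as an added example that is not part of the original post: a Cisco IOS configuration sketch for a Catalyst 3560. VLAN 10 is the example VLAN from the post; the port numbers (cameras on Fa0/1-12, uplink on Fa0/24) and the VLAN name are assumptions.

```cisco
! Added example. Port numbers and the VLAN name are assumptions.
configure terminal
!
! Create the camera VLAN (VLAN 10, as in the steps above).
vlan 10
 name CAMERAS
 exit
!
! Camera ports: each belongs to VLAN 10 only. Frames leave these ports
! without an 802.1Q tag, so the cameras need no VLAN settings.
interface range FastEthernet0/1 - 12
 description IP cameras
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 exit
!
! Ports that are not configured stay in the default VLAN 1
! (the existing LAN).
!
! Uplink to the router: 802.1Q trunk. VLAN 1 is carried untagged
! (native VLAN), VLAN 10 is carried tagged, nothing else is allowed.
! The 3560 also supports ISL, so the encapsulation is set explicitly.
interface FastEthernet0/24
 description Uplink to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 ! Do not negotiate trunking (DTP) with whatever is plugged in.
 switchport nonegotiate
 exit
end
!
! Checks: VLAN membership, trunk state, and one camera port.
show vlan brief
show interfaces trunk
show interfaces FastEthernet0/1 switchport
!
! Keep the configuration across reboots.
copy running-config startup-config
```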
 
onyxlinkia

Thanks for this helpful info. Unfortunately, my router (ASUS RT-AX86U) won't be able to do VLAN :( I guess I will go with the dual NIC route.
 

biggen

> Thanks for this helpful info. Unfortunately, my router (ASUS RT-AX86U) won't be able to do VLAN :( I guess I will go with the dual NIC route.

Buy a new router or see if it's flashable with dd-wrt.
 

SpacemanSpiff

I guess you could always build your VLANs then use ACLs to allow only the IP of the BI server over to the data VLAN and out to the Internet.

That would make for a pretty big/deep puddle of networking to 'fall' into.
 

biggen

> I guess you could always build your VLANs then use ACLs to allow only the IP of the BI server over to the data VLAN and out to the Internet.
>
> That would make for a pretty big/deep puddle of networking to 'fall' into.

He still has to provide routing though. Are you talking about rolling your own router like building a pfSense server?
 

onyxlinkia

> Buy a new router or see if it's flashable with dd-wrt.

Just bought the router last year. I checked that dd-wrt doesn't support VLAN on this router. Dual NIC is much easier for me.
 

SpacemanSpiff

> He still has to provide routing though. Are you talking about rolling your own router like building a pfSense server?

I was thinking layer 3 switches. I just reviewed the specs on the 3560, and it looks like they are L3 capable.
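
A sketch of the layer-3 switch approach discussed in this exchange, as an added example that is not part of the original posts: the 3560 routes between the VLANs itself, and an ACL on the camera VLAN's interface lets the cameras reach only the BI server. VLAN 10 and the 192.168.2.0 camera subnet come from the steps earlier in the thread; the /24 masks, the switch addresses (192.168.1.2 and 192.168.2.1), the BI server address 192.168.1.50 and the ACL name are assumptions.

```cisco
! Added example. Addresses and names are assumptions (see lead-in).
configure terminal
!
! Let the switch route between its VLAN interfaces.
ip routing
!
vlan 10
 name CAMERAS
 exit
!
! Switch address on the existing LAN (VLAN 1).
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
 exit
!
! Cameras may exchange traffic with the BI server and nothing else.
! The ACL is stateless: the permit line covers both replies to the
! BI server and connections the cameras open to it.
ip access-list extended CAMERAS-IN
 remark Camera subnet to BI server only
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.50
 deny   ip any any
 exit
!
! Gateway for the camera subnet. The ACL filters traffic arriving
! from the cameras before the switch routes it anywhere.
interface Vlan10
 ip address 192.168.2.1 255.255.255.0
 ip access-group CAMERAS-IN in
 no shutdown
 exit
end
!
! Checks: the ACL is bound to the interface, and its match counters
! increase when a camera tries to reach anything but the BI server.
show ip interface Vlan10
show access-lists CAMERAS-IN
```

With this layout the cameras use 192.168.2.1 as their gateway, and the BI machine needs a static route for 192.168.2.0/24 via 192.168.1.2 to reach them.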
 