First Attempt at VLANs; Need Help!
Posted: Sat Aug 17, 2019 3:37 am
I run a network at my church as a volunteer and as a learning project. I'm trying to break up the various devices for security and to get familiar with subnetting and VLANs. Currently everything is on a /24 private IP address range. I have defined several subnets and, using the Wiki, have assigned interfaces and IP addresses to them. Where I'm getting lost is implementing the subnets, assigning trunk lines to my main switch (an Adtran NetVanta 1534P), and activating the new configuration without losing connectivity.
Current configuration: ISP Gateway (public static IPs, /29) >ether1> MikroTik RB3011 Router >ether2> NetVanta 1534P > devices. (Note: several devices are currently plugged directly into the spare ports of the RB3011; I'm intending to move them after everything is up and running properly.)
Where I'd like to get to:
- Data subnet, /24, for trusted devices (some wired, some Wi-Fi), which should be able to access everything on the internal network plus the Internet.
- Guest subnet, /25, for guest Wi-Fi access through a UniFi portal. Should only have access to the Internet, and filtered access at that (we use SafeDNS).
- IoT subnet, /25, for smart thermostats and similar devices, on a separate Wi-Fi SSID. Should only have access to the Internet.
- VoIP subnet, /26, for wired PoE IP phones. Needs access to the Internet. Interesting complication: some computers are plugged into IP phones and should have access to the data subnet. Is there a way to allow the same switch port to access two separate VLANs?
- Camera subnet, /26, for wired PoE surveillance cameras. Needs to communicate with the surveillance controller which is on the data network but should not have direct access to or from the WAN.
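The layout described in this post, as an added example that is not part of the original post: a RouterOS 6.x configuration for the RB3011 that makes ether2 an 802.1Q trunk to the NetVanta, gives the router a VLAN interface in each of the five subnets, and enforces the stated isolation in the forward chain. The VLAN IDs (10/20/30/40/50), the 10.0.x.0 address plan, the interface names, the surveillance controller's address (10.0.10.50) and the SafeDNS resolver placeholder (192.0.2.53) are all assumptions; per-VLAN DHCP servers and the existing input-chain rules for the public /29 are left out.

```routeros
# Added example, not from the original post. Assumed VLAN IDs, addresses and
# names throughout; paste into a terminal opened with Safe Mode so a mistake
# rolls back instead of locking you out.

# --- Bridge and trunk ---------------------------------------------------
# Filtering stays off until the end so the bridge keeps passing traffic
# while the VLANs are being defined.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2

# Every VLAN is tagged on the trunk (ether2) and on bridge1 itself, so the
# router can own an IP address inside each one.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=50

# One L3 interface per VLAN; prefix sizes follow the post (/24,/25,/25,/26,/26).
/interface vlan
add name=vlan10-data  interface=bridge1 vlan-id=10
add name=vlan20-guest interface=bridge1 vlan-id=20
add name=vlan30-iot   interface=bridge1 vlan-id=30
add name=vlan40-voip  interface=bridge1 vlan-id=40
add name=vlan50-cam   interface=bridge1 vlan-id=50

/ip address
add address=10.0.10.1/24 interface=vlan10-data
add address=10.0.20.1/25 interface=vlan20-guest
add address=10.0.30.1/25 interface=vlan30-iot
add address=10.0.40.1/26 interface=vlan40-voip
add address=10.0.50.1/26 interface=vlan50-cam

# --- Interface lists referenced by the firewall -------------------------
/interface list
add name=WAN
add name=INTERNET_ONLY
/interface list member
add list=WAN interface=ether1
add list=INTERNET_ONLY interface=vlan20-guest
add list=INTERNET_ONLY interface=vlan30-iot
add list=INTERNET_ONLY interface=vlan40-voip

# --- Forward-chain policy (first match wins, default deny at the end) ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for anything already allowed"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan10-data \
    comment="data: may initiate to every VLAN and to the WAN"
add chain=forward action=accept in-interface-list=INTERNET_ONLY \
    out-interface-list=WAN comment="guest/IoT/VoIP: Internet only"
add chain=forward action=accept in-interface=vlan50-cam \
    out-interface=vlan10-data dst-address=10.0.10.50 \
    comment="cameras: only the surveillance controller (assumed address)"
add chain=forward action=drop \
    comment="default deny: cameras never reach the WAN, guests never reach LAN"

# --- NAT: force guest DNS to the SafeDNS resolver (placeholder address) --
/ip firewall nat
add chain=dstnat in-interface=vlan20-guest protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.0.2.53
add chain=dstnat in-interface=vlan20-guest protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=192.0.2.53
add chain=srcnat out-interface-list=WAN action=masquerade

# Turn filtering on last; everything above is inert until this line.
/interface bridge set bridge1 vlan-filtering=yes
```

Two notes for the cut-over. First, until the last line runs the bridge is an ordinary flat bridge, so the current /24 keeps working while the VLAN interfaces are built; verify from a host on the data VLAN before leaving Safe Mode. Second, the phone-plus-PC question is answered on the NetVanta, not the router: the switch port is configured as an 802.1Q port whose untagged (native) VLAN is the data VLAN and which carries the voice VLAN tagged, and the phone's pass-through port hands untagged frames to the PC while the phone itself tags its own traffic with the voice VLAN. The router only ever sees the single trunk on ether2, so nothing in the configuration above changes for that case.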