Help with VLan

ed0711

I require some help with setting up a VLAN system. I have read all the how-tos and other posts on this site, which are extremely helpful, but my situation is not the same as what I've read, and therefore I require further help.

I run a small business from within my home which has a business internet service with no ports blocked. This enables my VPN, RDP and other internet resources to function when I travel. I have a second internet service from a different ISP, a residential service, with all but the standard internet ports blocked, which the kids and their friends use. And lastly, I've committed to hosting an FTP server from my home on the business ISP because the ports are not blocked.

My current business setup is a flat network. From my ISP modem I have a D-Link DIR-655 router which has DHCP disabled. I have a Windows SBS 2003 server which handles the DHCP and DNS.

The schema looks like this:
ISP----> D-Link DIR-655-----> Linksys 24 port unmanaged switch----> Hosts including SBS 2003 providing DHCP and DNS. The D-Link router is set up as the firewall and, as mentioned, does the routing. In this setup, the D-Link router was given a LAN address of 192.168.XXX.1/24 and DNS is pointed to the SBS 2003. The SBS was set up with an address of 192.168.XXX.XXX/24 and DNS of 192.168.XXX.XXX. This setup works well for a flat network, business only.

In order to host the FTP server, I need to use the business ISP, as their ports are not blocked, but I need to keep it separate from the business network. Through reading a lot, I've resolved to believe that a VLAN is the best solution. This also got me to thinking that I could reduce costs and move the kids' network onto another VLAN and eliminate the residential ISP.

I've purchased a NetGear GS108T smart switch to build the VLAN with but after several attempts, I cannot get it to function the way I want it to. The business network has internet access but the FTP VLAN and kids VLAN do not. This leads me to believe that I have my hardware placement incorrect and possibly even some of the VLAN details incorrect.

By following NetGear's instructions, I put the NetGear switch between the D-Link router and the Linksys switch, so it could get a LAN IP address for management and setup purposes. But I now think this is what's caused all my failures. Remember, the D-Link is part of the flat business network; therefore, the NetGear received a LAN IP of the flat business network.

My goal is to have three VLANs in my network, 1 for business, 1 for FTP and 1 for kids. The 3 should not be able to communicate with each other but should each have access to the internet. This setup would provide the necessary security for the business information. However, I use a business rated anti-virus/ internet security software that I'd like on all the hosts. This would require that the anti-virus Admin Console on the SBS server would need to communicate with all hosts across all LANs. It would be nice if one host on the business network had limited access to the FTP server to upload files.

I hope someone here can help me and work with me to build this system. I would first need to know all the hardware required and where it gets placed within the entire LAN, kind of like a topography. Then some help in setting up the VLANs would be great.

Thank you to everyone who cares to get involved.
 
The exact steps of configuring VLANs are specific to the switch you use.
This article contains some basic principles that can help you understand what to do.
VLAN How To: Segmenting a small LAN

In your configuration, keep in mind that anything connected to the unmanaged switch is part of the VLAN on the port on the managed switch that it is connected to.
 
Thank you for your reply.

I've read that article before, many times, along with the others on that topic posted here on this site.

I certainly understand that all of the hosts behind the unmanaged switch are on the same VLAN. However, the FTP server is on a port by itself on the VLAN switch, on a separate VLAN.

I am using the NetGear GS108T vlan smart switch, the same as in the article. But here's what I've found and can't resolve.

The DHCP server is on VLAN 2 with all the other corporate equipment, behind the unmanaged switch. The FTP server is on VLAN 6. If I don't allow VLAN 2 and VLAN 6 to communicate, the FTP server drops and does not renew its IP address because it cannot communicate with the DHCP and DNS on the SBS server. So, although they are on different LANs, they still need to be connected for DHCP and DNS.

My greatest concern is that the FTP server contracts a virus and it spreads throughout the entire network, even though they are on different VLANs but communicating for DHCP services.

I know I don't fully understand all of this stuff. I'm really good at small network configuration and router security, port forwarding and all that fun stuff. I've managed my corporate network for a number of years now and believe I understand the general concept.

But this VLAN is a very new idea for me and I need to make sure that my corporate files are not going to be in any danger should something manage to get through.

I appreciate any more suggestions you can make, thoughts you may have, ideas, concerns that would help me decide if I should proceed or shy away.

I know these forums are here for all to learn from, but if you'd like to PM me or email me, let me know. I'm sure you can understand that there are certain corporate network details that I cannot divulge on a public forum. But if you need more detailed information, we can certainly do that privately.

Thank you so much again for your valued input.
 
A diagram of your setup would really help sort this out.
 
I can make up a diagram and scan it in to attach. How much detail do you need for this? What kind of information would you like to have contained in it so I can be sure to provide you with what you'd be looking for?

Thanks again for staying involved and working to help me out.
 
Doesn't need to be fancy. Show basic topology with key devices , i.e. modem, router, switch, server
 
Hi and thanks again. You should find a drawn sketch of the topography.

I've been working with this NetGear switch all through this, hoping to find additional information that will be useful in sorting this out.

I've learned that I can create a variety of VLAN Memberships by assigning different ports together, much like you show in the Linksys SRW2008 switch in your article. I use "untagged" in all of the associations. I cannot find the similar setting you have on the SRW2008 to include "Trunk", "Access" and "General".

And this could very well be where the issue is arising. As soon as I assign port 7 (FTP) to PVID 2, it loses ALL communication with the DHCP server.

As long as all the PVIDs are on 1, the system works, but they all communicate with one another, just like they were on a flat network.

I did call NetGear and their best solution was to add DHCP scopes to the SBS server in order to get "other" IP addresses for PVID 2. Sounded way out there to me, because your article uses only a router with 1 IP address scope to work with and you created what you did.

I'll await your feedback, but my gut is telling me this VLAN switch isn't going to work in my application without a whole lot of wrasslin' with the DHCP server.

Once again, thank you so much for your help and expertise.

By the way, the user manual for the GS108T is available online, all 270 pages of it. If you want it, but can't locate it, I can send you a PDF of it.
 
Attachment: Topography.pdf
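The PVID behaviour described in the post above (port 7 on PVID 2 losing the DHCP server while everything works on PVID 1) is exactly what an 802.1Q switch is supposed to do. The following is an added example, not code from the thread or from NetGear: a small model of 802.1Q ingress and egress handling that shows a DHCP DISCOVER broadcast being flooded only to ports that are members of its VLAN. Port numbers, MAC addresses and VLAN IDs are assumed for illustration.

```python
"""Added example (not from the thread): a toy model of an 802.1Q switch.

It shows why moving the FTP port to PVID 2 while the DHCP server stays on
VLAN 1 silently kills DHCP: a DHCP DISCOVER is a broadcast, and a switch
floods broadcasts only to ports that are members of the frame's VLAN.
Port numbers, MAC addresses and VLAN IDs below are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    pvid: int                                        # VLAN stamped on untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs this port emits without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs this port emits with a tag (trunk)

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # None = no 802.1Q tag on the wire
    payload: str = ""


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.fdb: Dict[Tuple[int, str], int] = {}   # (vid, mac) -> port learned on

    def ingress(self, port_no: int, frame: Frame) -> Dict[int, Frame]:
        """Return {egress_port: frame_as_sent} for one received frame."""
        port = self.ports[port_no]
        vid = frame.vid if frame.vid is not None else port.pvid
        if not port.member_of(vid):
            return {}                              # ingress filtering drops it
        self.fdb[(vid, frame.src)] = port_no       # MAC learning is per VLAN
        known = self.fdb.get((vid, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            targets = [known]
        else:                                      # broadcast / unknown unicast: flood the VLAN
            targets = [n for n, p in self.ports.items()
                       if n != port_no and p.member_of(vid)]
        out = {}
        for n in targets:
            p = self.ports[n]
            out[n] = Frame(frame.src, frame.dst,
                           None if vid in p.untagged else vid, frame.payload)
        return out


SBS_PORT, FTP_PORT, TRUNK_PORT = 2, 7, 8          # assumed GS108T port roles
SBS_MAC, FTP_MAC = "02:00:00:00:00:02", "02:00:00:00:00:07"


def build_switch(ftp_pvid: int) -> Switch:
    """Port 1 uplink to the D-Link, port 2 to the unmanaged switch holding the
    SBS (DHCP/DNS), port 7 the FTP server, port 8 a trunk carrying VLANs 1 and 2."""
    ports = {n: Port(pvid=1, untagged={1}) for n in range(1, 7)}
    ports[FTP_PORT] = Port(pvid=ftp_pvid, untagged={ftp_pvid})
    ports[TRUNK_PORT] = Port(pvid=1, untagged={1}, tagged={2})
    return Switch(ports)


def dhcp_discover_reaches_sbs(ftp_pvid: int) -> bool:
    """Does a DHCP DISCOVER broadcast from the FTP server reach the SBS port?"""
    sw = build_switch(ftp_pvid)
    discover = Frame(FTP_MAC, BROADCAST, payload="DHCPDISCOVER")
    return SBS_PORT in sw.ingress(FTP_PORT, discover)


def trunk_sees(ftp_pvid: int) -> Optional[Frame]:
    """The same DISCOVER as it leaves the trunk port (None if the trunk is not
    a member of the frame's VLAN); .vid tells you whether it carried a tag."""
    sw = build_switch(ftp_pvid)
    out = sw.ingress(FTP_PORT, Frame(FTP_MAC, BROADCAST, payload="DHCPDISCOVER"))
    return out.get(TRUNK_PORT)


if __name__ == "__main__":
    print("all ports PVID 1, DISCOVER reaches SBS:", dhcp_discover_reaches_sbs(1))
    print("FTP port on PVID 2, DISCOVER reaches SBS:", dhcp_discover_reaches_sbs(2))
    print("tag on the trunk when FTP is on PVID 2:", trunk_sees(2).vid)
```

With port 7 on PVID 2, the only port that sees the DISCOVER is the trunk, and it leaves with a VLAN 2 tag. Something VLAN-aware on the far end of that trunk (a router or a DHCP relay) is what has to answer; the D-Link, which only knows untagged VLAN 1 frames, never will.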
Ed -

I looked through your posts and diagram, as well as the manuals on your equipment. Unfortunately, I don't think your equipment will meet your requirements.

My VLAN article discusses an example of port based VLANs. It looks like you have the GS108T_v2, which only supports 802.1q VLANs. (Ironically, the older GS108T_v1 supports both port based and 802.1q VLANs.)

To meet your requirements, you'll need a switch that supports port based VLANs or a router that supports 802.1q VLANs.

Doug
 
Thanks Doug for your reply. The manual does state that this GS108T_v2 does port-based VLANs. But it makes logical sense to me that something isn't right with it.

I've spent more than two weeks fighting with it, messing something up, having to reset it and start from the beginning.

I've since removed it from my system, reset it one last time and have packaged it up in its box. Hopefully I can resell it to someone who has a use for it.

I've also been doing some research online and found the D-Link DGS-1100-24, a 24 port VLAN switch I'm considering. The reviews are good and the user manual is only 40-some pages long. Any thoughts on this model, or would you care to make a suggestion of your own?

Thanks again.
 
I forgot to mention in my last reply that I found, over the weekend, a document from Microsoft detailing the "how to" of setting up vlan capabilities in the small business server 2003 domain.

I've attached it for you for a read but also for any other person dealing with the same or similar issues as myself.

I'll need to set up my box as they instruct, get a new VLAN switch and see what becomes of it.
 
Attachment: ias-vlans.pdf
I wish I would have read this post before buying my router. I also bought the same router and thought it would be easy to configure. I'm used to assigning the port permissions that way. This new way of doing things is screwing me up.

Did you ever find a good router ?
 
VLANs with 802.1q will work fine. I think it is easier to assign separate network IP addresses to each VLAN. Then you only need to think of VLANs as if you had separate switches with different networks. If a member of one VLAN needs to talk to another VLAN, a router is required to route between the 2 VLANs. In your Microsoft DHCP server you need to set up a scope for each VLAN (network). DHCP relay will need to be turned on to handle DHCP requests for all networks but the local one. You could add a NIC for each network in the Microsoft server, but I would add DHCP relay and only use the server in one network. You will need to set up static routes for each VLAN network on the router so the members of each VLAN can share resources and talk to each other.
 
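The post above describes the router side of the design: one subnet per VLAN, a DHCP scope per subnet on the SBS, DHCP relay so the server never has to sit in the other VLANs, and routing only where VLANs genuinely need to talk. The following is an added example, not code from the thread or from any of the products named in it: a model of a VLAN-aware router that relays DHCP by stamping giaddr (which is how the server picks the right scope) and enforces the isolation the original poster asked for (no inter-VLAN traffic except the AV admin console reaching every host and one business PC uploading to the FTP server). Subnets, VLAN IDs and host addresses are assumed for illustration.

```python
"""Added example (not from the thread): what a VLAN-aware router has to do so
that one DHCP server on the business VLAN can serve the other VLANs, and how
the thread's isolation requirements become an inter-VLAN policy.
Subnets, VLAN IDs and host addresses below are assumed for illustration."""
import ipaddress
from typing import Dict, Optional

IPv4 = ipaddress.IPv4Address
ZERO = ipaddress.ip_address("0.0.0.0")

# One subnet per VLAN; the router owns .1 on each (assumed addressing).
VLAN_SUBNETS = {
    2: ipaddress.ip_network("192.168.2.0/24"),   # business, SBS 2003 lives here
    6: ipaddress.ip_network("192.168.6.0/24"),   # FTP server, alone
    7: ipaddress.ip_network("192.168.7.0/24"),   # kids
}
ROUTER_IP = {vid: net[1] for vid, net in VLAN_SUBNETS.items()}
DHCP_SERVER = ipaddress.ip_address("192.168.2.10")    # the SBS (assumed)
AV_CONSOLE = DHCP_SERVER                               # AV admin console runs on the SBS
UPLOAD_HOST = ipaddress.ip_address("192.168.2.20")    # the one business PC allowed to upload
FTP_SERVER = ipaddress.ip_address("192.168.6.10")
KIDS_PC = ipaddress.ip_address("192.168.7.50")
INTERNET_HOST = ipaddress.ip_address("203.0.113.9")   # documentation address, stands in for the Internet


def vlan_of(ip: IPv4) -> Optional[int]:
    """VLAN holding this address, or None for anything off-net (the Internet)."""
    return next((vid for vid, net in VLAN_SUBNETS.items() if ip in net), None)


def relay_dhcp(ingress_vlan: int, discover: Dict) -> Dict:
    """DHCP relay agent (RFC 2131 s4.3.1): the client's broadcast never leaves
    its VLAN, so the router re-sends it as unicast to the server and stamps
    giaddr with its own address on the client's VLAN.  giaddr is only set if
    still zero, so a second relay in the path keeps the first hop's address."""
    pkt = dict(discover)
    if pkt.get("giaddr", ZERO) == ZERO:
        pkt["giaddr"] = ROUTER_IP[ingress_vlan]
    pkt["dst"] = DHCP_SERVER           # unicast to udp/67 on the server
    return pkt


def scope_for(pkt: Dict, server_vlan: int = 2) -> int:
    """The server side: a relayed request is answered from the scope that
    contains giaddr; a giaddr of 0 means the client is on the server's own
    VLAN.  This is why each VLAN needs its own scope on the SBS."""
    giaddr = pkt.get("giaddr", ZERO)
    if giaddr == ZERO:
        return server_vlan
    vid = vlan_of(giaddr)
    if vid is None:
        raise ValueError(f"no scope for relay address {giaddr}")
    return vid


def forward_allowed(src: IPv4, dst: IPv4, proto: str, dport: int) -> bool:
    """Inter-VLAN policy on the router, first match wins.  Reply packets are
    assumed to be admitted by connection tracking, as a stateful firewall
    (pfSense, Untangle, Linux nftables) would do."""
    src_v, dst_v = vlan_of(src), vlan_of(dst)
    if dst_v is None:
        return True                    # every VLAN may reach the Internet
    if src_v == dst_v:
        return True                    # same VLAN: switched, never hits the router
    if src in ROUTER_IP.values() and dst == DHCP_SERVER and proto == "udp" and dport == 67:
        return True                    # the relay's own unicast to the DHCP server
    if src == AV_CONSOLE:
        return True                    # AV admin console may manage every host
    if src == UPLOAD_HOST and dst == FTP_SERVER and proto == "tcp" and dport == 21:
        return True                    # one business PC may upload to the FTP server
    return False                       # default deny between VLANs


if __name__ == "__main__":
    relayed = relay_dhcp(6, {"giaddr": ZERO, "op": "DHCPDISCOVER"})
    print("giaddr stamped by relay:", relayed["giaddr"], "-> scope for VLAN", scope_for(relayed))
    print("kids PC to Internet:", forward_allowed(KIDS_PC, INTERNET_HOST, "tcp", 443))
    print("FTP box to SBS file shares:", forward_allowed(FTP_SERVER, DHCP_SERVER, "tcp", 445))
```

Two caveats a practitioner would check before copying this policy. The FTP rule only covers the control connection on tcp/21; passive-mode data connections use a server-chosen port range, so either pin that range on the server and open it in the same direction or use SFTP instead. And the isolated VLANs should not be told to use the SBS for DNS, or you have to punch another hole towards the business server; let the router (or the ISP) resolve for them.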
Thank you both for helping me out and explaining this to me. I notice, @coxhaus, you mean that I need another switch/router, and to set up DHCP for the VLANs to talk to each other. It's weird I never learned this way. I guess my old switch I had from Linksys had VLANs assigned to certain ports on the switch. They had an option to assign certain IP ranges to the VLAN. Like if VLAN 1 had all my media junk and I needed to access VLAN 7, all I would do is configure VLAN 7 to talk to VLAN 1 and VLAN 1 to give access to VLAN 7. Hope that makes sense. But I put something together on what I'm trying to do... let me know what you think.

http://imgur.com/90OsTiL
 
I like your diagram software. It makes nice diagrams.

It looks like you have created a bunch of VLANs and divided your network on a layer 2 switch using an ISP's router, which I think is a good thing. The problem I see is the ISP's router is not going to have VLAN support. My thought is the VLAN tags on the traffic from the switch are going to be stripped off at the router, and the router will not know how to return the traffic because the VLAN tags are gone, so you will not have internet access. You need a router which supports VLANs or you need a layer 3 switch to process VLANs.

PS
You can run a free software router like pfsense or Untangle UTM firewall on an old PC. They both handle VLANs with tags.
 
So I read the Microsoft Server 2003 pdf you posted. It looks like Microsoft IAS will handle the VLANs. For this to work, this is what I think: you will need 2 NICs in the Server 2003 box. One NIC will connect to the router; this NIC will not have VLANs. On the second NIC you will define the VLANs, and it will feed a trunk port on your switch. Server 2003 will provide the processing for the VLANs. I would think you need to turn on routing in Microsoft Server 2003 between the NICs.
Here is what I found in the pdf:
When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure remote access policy in Internet Authentication Service in Windows Server 2003 to instruct the access servers to place members of Active Directory groups on VLANs. When you configure the profile of an IAS remote access policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.
 
