Author Topic: 802.1q VLANs  (Read 5721 times)

jfischer
802.1q VLANs
« on: July 29, 2006, 09:42:35 am »
Any hardcore old-school geeks out there who speak BGP,
read alt.sysadmin.recovery, know how to fusion-splice fiber,
and continue to use vi just to drive the youngsters insane?

The local library system wants to SECURE their public wireless
network, and create two VLANs within the same physical
collision domain, one for (unauthenticated) patron users of wireless
computers, and one for (authenticated with Radius) staff, all to
keep patrons away from their internal systems, for which the
only actual security is (gag!) Microsnot Active Directory.  (Why
they can't use vanilla LDAP like grown-ups is a matter for follow-up.)

This should be trivial for a half-dozen site network, but they have Cisco
1602 type routers deployed at every branch, which have been EOL'ed by
Cisco, and have no IOS upgrade path that would include 802.1q, so I'm
looking for a "cheaper than Cisco" router (Netopia, et al) that will do a
decent job of being the gateway for the 802.1q VLANs.

And no, the access points themselves cannot act as gateways,
because the sites are connected with fractional T-1s over frame
relay, so the "site routers" have to be the gateways to route the
traffic back to the main library, where Radius and most all the
servers live.

Any suggestions?  Any warnings about problematic implementations
by specific vendors?  As usual, this is a pro-bono project, and as usual,
the library system will likely raise money for hardware with bake sales.

Understudy
Re: 802.1q VLANs
« Reply #1 on: July 29, 2006, 11:23:29 pm »
Quote from: jfischer
Any hardcore old-school geeks out there who speak BGP,
read alt.sysadmin.recovery, know how to fusion-splice fiber,
and continue to use vi just to drive the youngsters insane?

vi stands for Very Intimidating editor
Quote from: jfischer

The local library system wants to SECURE their public wireless
network, and create two VLANs within the same physical
collision domain, one for (unauthenticated) patron users of wireless
computers, and one for (authenticated with Radius) staff, all to
keep patrons away from their internal systems, for which the
only actual security is (gag!) Microsnot Active Directory.  (Why
they can't use vanilla LDAP like grown-ups is a matter for follow-up.)

Secure it with mac and wep settings.
Create the vlans in the router.

Quote from: jfischer

This should be trivial for a half-dozen site network, but they have Cisco
1602 type routers deployed at every branch, which have been EOL'ed by
Cisco, and have no IOS upgrade path that would include 802.1q, so I'm
looking for a "cheaper than Cisco" router (Netopia, et al) that will do a
decent job of being the gateway for the 802.1q VLANs.

So I see you like pain. Please continue to bang head against concrete wall.
If you are going to want a cheaper router, build an OpenBSD box and use it as a router. It is simply the best out there.
Quote from: jfischer

And no, the access points themselves cannot act as gateways,
because the sites are connected with fractional T-1s over frame
relay, so the "site routers" have to be the gateways to route the
traffic back to the main library, where Radius and most all the
servers live.


Nor should the APs act as gateways; they should simply be an extension of the DHCP server built into your OpenBSD router.
Quote from: jfischer

Any suggestions?  Any warnings about problematic implementations
by specific vendors?  As usual, this is a pro-bono project, and as usual,
the library system will likely raise money for hardware with bake sales.

VLANs can be a pain. You must use MAC numbers with the authentication for them to be assigned to a specific LAN, unless you are going to static IP the machines in the library that are supposed to have special access.
I am sorry to hear about the limited or non-existent budget; look around on eBay for wireless access points and then go to the website of the manufacturer and learn more.

You are going to need to do a lot of very ugly research before you can implement anything. Stay away from D-Link and other "home" networking routers and APs; they will not be suitable for your needs. Try to see about setting up 4 APs, one for each corner of the building with a long antenna. If the library is too big for that, place 4 more halfway between the center point of the building and the perimeter APs.

You will need to make sure you have hubs/switches that will allow more than 1 IP across a port, because the wireless as a DHCP extension (not a gateway or DHCP server) needs to be able to handle multiple IPs being requested of the AP and then run back to the switches.

Set a time limit of 30 min on non-authenticated users of laptop wireless. The users and library may whine about this, but the first time someone crashes the network because they were able to overload it, they will want it back.

You have a lot of work ahead of you.

Sincerely,
Brendhan
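An added example, not code from any poster in this thread: a small Python parser for the 802.1q tag the thread is about, plus the per-site gateway policy the library needs (patron VLAN kept away from the internal systems, staff VLAN allowed through, untagged or unknown-VLAN frames dropped). The VLAN IDs 10/20, the internal subnet 10.10.0.0/16 and the test MAC/IP addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Network, ip_address

TPID_8021Q = 0x8100                         # EtherType that announces an 802.1q tag
ETHERTYPE_IPV4 = 0x0800
PATRON_VLAN, STAFF_VLAN = 10, 20            # constructed VLAN IDs for the two networks
INTERNAL_NET = IPv4Network("10.10.0.0/16")  # constructed: where AD, Radius and servers live


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its fields, unwrapping one 802.1q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0) -> bytes:
    """Assemble a frame; when vid is given, insert an 802.1q tag after the MACs."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def ipv4_header(dst: str, src: str = "192.168.1.50") -> bytes:
    """Minimal 20-byte IPv4 header for test traffic (constructed; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def gateway_allows(frame: bytes) -> bool:
    """Site-router policy: staff VLAN may reach the internal net, the patron VLAN may
    not, and untagged or unknown-VLAN frames are dropped rather than trusted."""
    f = parse_frame(frame)
    if f["vid"] == STAFF_VLAN:
        return True
    if f["vid"] != PATRON_VLAN or f["ethertype"] != ETHERTYPE_IPV4 or len(f["payload"]) < 20:
        return False
    return ip_address(f["payload"][16:20]) not in INTERNAL_NET
```

The untagged-drop rule matters on a shared medium: a frame arriving without a tag should not silently land in either VLAN.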

Apis629
Re: 802.1q VLANs
« Reply #2 on: January 14, 2007, 12:29:10 pm »
They should give foreign language credits for this in high school and college...