VLAN Configuration for networking scrub

[EvilNeverSleeps]

Hello everyone!

As i'm a scrub when it comes to networking (still learning the ropes) i have a question how should i configure my devices so everything would work as presented on diagram.

Question is, how should i configure the ports on switches? Which ones should be trunks (tag, untag?) I never set up a VLAN before so i'm kinda lost on it.

What i want is depending on MAC adress, device connected to one of APs would get put into VLAN it belongs. What i want is that VLAN 1 and VLAN 2 would not see each other ever (kinda idea of VLAN, isn't it? )

I'm not asking for someone do it for me but just provide some tips where should i begin so i could get a grasp on topic and start working on it

Regards and Thank you in advance!

 

[theevilsharpie]

For the most part, network devices that are expected to work with multiple VLANs (i.e. your switches and access points) will interlink using tagged ports, and the network will expect those devices to insert the appropriate VLAN tags before sending traffic upstream. Hosts usually want untagged ports, although you can tag additional VLANs to an untagged port if needed.

If you want to make VLAN assignments based on certain criteria, you'll want to use 802.1x. 802.1x works in conjunction with RADIUS and some type of directory service (e.g., Active Directory) to authenticate users and devices, which you can leverage to place users/computers in the appropriate VLAN. Normally, authentication (and subsequent placement decisions) are done using passwords or certificates, but you may be able to use MAC address instead.

 

[spidey07]

True about the radius and AP integration, you can do it but will be more complicated than need be.

How about using two SSIDs? SSID1 maps to vlan 1, SSID2 maps to vlan 2. Then each interswitch link would be a trunk and each AP switchport would also be a trunk. This would have two completely seperate layer2 networks (really what a vlan is). APs have no trouble running multiple SSIDs if they are business class.

How you route things depends on capabilities of your router and/or layer3 switch. You'd need a router to have interfaces into vlan 1 and 2.

 

[RadiclDreamer]

An easy way to think about it is this. If you need a vlan to retain its dot1q tag across a link then it needs to be a trunk on both sides. Otherwise with an access port the traffic is not tagged.

For example, i need vlan 1,2,3 to go across a link. I would trunk both sides
If i set the port to access port and assign it to vlan 2 but dont trunk, the traffic will be seen on the other side, but it will just be in whatever vlan it was tagged on the receiving side since the tagging is not kept in tact.

 

[spidey07]

A frequent method to have mutliple SSIDs on an AP is to trunk to the AP, map and tag each individual SSID to a vlan.