Routing – How to introduce VLANs to an existing setup with wireless Access Points

Tags: routing, switch, vlan, wireless

I am by no means an expert when it comes to networking, but I recently inherited a network setup which is using wireless Access Points that clients can connect to (usually via a wireless device used in station mode).

The problem is the existing setup is not using VLANs to break down broadcast domains. I would like to introduce them, but I am not really sure how to tackle it.

Network diagram

In simplified form, the network looks like this:


  • Network is using static IPs (3 subnets)
  • I have very little to no access to the Access Points to modify any settings
  • I have very little to no access to the devices used by clients to connect to Access Points

  • FreeBSD router (Fa0/0)

    • 10.10.10.1 netmask 255.255.255.0
    • 10.10.20.1 netmask 255.255.255.0 alias
    • 10.10.30.1 netmask 255.255.255.0 alias
  • L3 Switch_1

    • supports 802.1Q VLAN
    • supports Private VLAN
    • supports Port Isolation (is it the same thing as Port-VLAN?)
  • L2 Switch_1

    • supports 802.1Q VLAN
    • supports Port-VLAN
  • L2 Switch_2

    • supports 802.1Q VLAN
    • supports Port Isolation (is it the same thing as Port-VLAN?)

What I want to do

Ideally I don't want any subnet to see one another.

I can easily set up VLANs in the FreeBSD router (instead of using IP aliases, or secondary IPs depending on the terminology).

For example:

  • VLAN10 for 10.10.10.0/24
  • VLAN20 for 10.10.20.0/24
  • VLAN30 for 10.10.30.0/24

Then I can set up ports Fa0/4, Fa0/3 and Fa0/2 on L3_SWITCH_1 to be a trunk.

But at this point I seem to get stuck and have no idea what to do. Both L2_SWITCH_1 and L2_SWITCH_2 can carry traffic from any subnet on each port (because any client can connect to any Access Point).

L1_SWITCH_1 ports Fa0/1 and Fa0/2 are carrying traffic from potentially all 3 subnets at the same time.

The same situation is with L2_SWITCH_2 port Fa0/1.

So would I potentially need to setup every existing port in each switch to be a trunk for VLAN10, VLAN20 and VLAN30?

But does it still make sense to do it that way? Would I still benefit from VLANs? (Isolation, separate Broadcast domains, etc.)?

What should I do?

Best Answer

You would need your APs to support VLANs, and extend a trunk to them. Then operate a different SSID per VLAN/broadcast domain, or use 802.1X for VLAN assignment.
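The router side of the VLAN10/VLAN20/VLAN30 plan from the question, with the trunk the answer describes continuing on to the switches and APs, as an added FreeBSD rc.conf example (not from the question or the answer). The NIC name fxp0 is an assumption, since the question only calls it Fa0/0, and the pf lines are illustrative defaults.

```sh
# Assumed NIC name: fxp0 (the question only calls the router port Fa0/0).
# --- Current setup: one flat segment, three subnets as aliases on one interface ---
# ifconfig_fxp0="inet 10.10.10.1 netmask 255.255.255.0"
# ifconfig_fxp0_alias0="inet 10.10.20.1 netmask 255.255.255.0"
# ifconfig_fxp0_alias1="inet 10.10.30.1 netmask 255.255.255.0"

# --- VLAN setup: fxp0 becomes an 802.1Q trunk towards L3_SWITCH_1 ---
# The parent interface carries no address of its own; it only needs to be up.
ifconfig_fxp0="up"
# rc.conf creates fxp0.10, fxp0.20 and fxp0.30 from this list (rc.conf(5), vlans_<interface>).
vlans_fxp0="10 20 30"
# One tagged interface per subnet, replacing the three alias lines above.
ifconfig_fxp0_10="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_fxp0_20="inet 10.10.20.1 netmask 255.255.255.0"
ifconfig_fxp0_30="inet 10.10.30.1 netmask 255.255.255.0"

# Separating the broadcast domains does not by itself stop 10.10.10.0/24 from
# reaching 10.10.20.0/24: the router still forwards between the three VLANs.
gateway_enable="YES"
# Inter-VLAN traffic therefore has to be restricted in the packet filter
# (pf or ipfw); enabling pf here is an illustrative choice, not from the question.
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

With this in place, the switch ports towards the router and the APs carry VLANs 10, 20 and 30 tagged, and a pf.conf that blocks traffic between fxp0.10, fxp0.20 and fxp0.30 while still allowing each VLAN out through the router completes the isolation the question asks for.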