Okay, I'm doing some volunteer work for my son's school and I'm at the edge of my understanding here. I've never worked with VLANs before but I think they are the right solution here. I'm looking for somebody to tell me whether I'm on drugs or not!

Here's a picture:
http://www.woodsconsulting.ca/img/ccs_physical.gif

We have a single fiber connection between the two school buildings. The goal is to put a managed switch on each end of the fiber and then create a teacher VLAN and a student VLAN.

I'm led to believe that I can put a layer 2 managed switch on each end of the fiber connection and then assign ports on the switch for each VLAN. Once I've done that, I can connect the two switches using the fiber connection. Is this called trunking?

Please let me know if I'm on the right track and if I'm missing something here.

Also, we're on a limited budget. Could you recommend some managed switches? Could I do this by replacing the managed switches with linux boxes (w/3 NICs)?

Thanks!

I honestly only know a little bit about VLANs myself, but your understanding seems correct to me. Linux does have VLAN support, so I suppose you could use it to run as such a switch.

Matir: In this case, the hardware would be doing the switching. Client computers would just see this as an ordinary ethernet port carrying the traffic that the computers on the same VLAN are generating. They wouldn't ``hear'' the other VLAN connections.

teamchachi, yes, you're definitely headed on the right path. I personally have had excellent experiences with Netgear's switches [both managed and unmanaged].

If you're going to use Linux to do it, it would certainly be cheaper to have a few unmanaged switches and have Linux act as a router. For something this large, I recommend using quagga and its BGP for dynamic routing. Quagga's OSPF implementation leaves something to be desired, however the topology you describe would certainly work best with BGP.

If you need any help with any of this stuff, reply in this thread or PM me.

Good to know that I'm not off my rocker. I think I'd rather go with managed switches if only for the reliability of the hardware. And it will be easier for somebody coming into the environment to administer.

I'm pretty clear on how to assign ports on the managed switches to the appropriate VLANS. What I'm still foggy on is how I go about configuring the ports that connect the two managed switches? What do I need to do to tell those ports to trunk all the VLAN traffic over to the other switch?

I'm looking at using either the FSM726 or the GSM7224 if it makes a difference. I'm assuming both while work in this instance?

If you have a look at the diagram, I'm planning on building a 4 NIC Linux box to route traffic between the VLAN subnets, the servers, and the internet. And I'm using m0n0wall on the firewall and to run the DMZ.

Thanks!

*drools over the managed switch*

I want one to play with, lol.

Have you considered smoothwall instead of monowall?

I have played with smoothwall. I've also messed around with IPCOP.

However, I think that m0n0wall is a much more flexible solution. It just has a lot more options. And I'm running it on a Soekris net4801 which means its rock solid from a reliability perspective. Everything is loaded on to a CF card so there are no fans or hard drives.

I have a number of clients running m0n0wall and I'm really happy with it.

http://www.m0n0.ch/wall

http://www.soekris.com/net4801.htm

Those soekris boards actually seem kind of expensive, or am I misreading their price chart?

$256 w/power supply + case seems pretty reasonable to me!

Keep in mind that these things are bomb-proof. No moving parts. No fans + no hard drives. It's the cost of a cheezy hardware firewall but the software is light years ahead and totally upgradeable.

Just burn m0n0wall onto a CF card, install the CF card on the board, and then forget about it. This thing is WAY more reliable than putting an old PC into duty (which works too).

The thing I love about m0n0wall is the super helpful mailing list, superior VPN support, and the super flexiblie NAT and rules features.

Yea VLANs sound like they fit the bill for what is in your picture, and that m0n0wall sounds handy as well. Managed switches that do VLANs should have an option to set up a port as a "VLAN trunk" and the commands will vary by vendor. You want a VLAN trunk for the connection between the switches, and can possibly use one for the connection to the Linux router as well. With the port set up as a trunk, you also need to specify a VLAN tagging protocol (is this the right name?) and you can use 802.1q since it is an industry standard and will work between different brand switches or to a Linux box. Some switches only use 802.1q but some, like Cisco, have their own propriatary protocol as an option as well. Each port that is set up as a trunk needs to have the ports on both ends configured as VLAN trunk ports or they will not recognize any network traffic; The same is true for a Linux box in that if you set up a trunk port and plug the Linux router into it, Linux needs to know it's a VLAN trunk and then the one interface can be set up to see, and route between, all VLANs.

Aside from that, most of the specifics of the config will probably vary by the switch you use, and I'm only vaguely familiar with VLANs on 3Com and Cisco switches .

This is the switch that I'm hoping to use:
http://www.netgear.com/products/details/FSM726.php

I'd love to go with a Cisco Catalyst switch but we're on a really tight budget. From what I can tell, the Netgear switches should work. Can anybody tell me differently?

With regard to m0n0wall: You all should know that it also works great running on a bootable cd-rom in a PC (config save to a floppy - no hard drive required), or you can also burn the m0n0wall image to a hard drive (my home setup). It is pretty sweet. You don't have to buy a Soekris box to run it.

Ok, I must've misread the chart, because I thought I saw $600+ pricing on that one. $256 is quite reasonable.

Out of curiousity, if I were looking for one of these just to play with, which would you reccomend? (Sorry if this is getting a bit far afield from your VLAN question)

The net4501 and net4801 both work with m0n0wall. If you have high traffic or a lot of VPN users then the net4801 would be the best choice. For goofing around and test purposes the net4501 is more than adequate from what I understand.

http://www.soekris.com/net4501.htm (cheaper)
http://www.soekris.com/net4801.htm

Both have 3 NICs.

They seem to have usb connectors, so I would guess I could even hook up a usb drive to them... Hrrm... Portable IDS using ethernet bridging.

The netgears will be fine for VLANs. Be wary of the terminology though as what most manufacturers refer to as a trunk is a switch interconnection running a VLAN taggingprotocol such as 802.1q, but Nortel refer to this as a "tagged" port.

Nortel uses the name "trunk" for multiple physical ports set up as a single ethernet connection, what the normal world refers to as an "etherchannel".

So you need to configure your user ports into one vlan or the other, then the switch interconnection as "tagged" ports. That should see you right.

You only need to configure a Nortel "trunk" if you want to run both Gig interfaces between the same two switches and have 2G bandwidth between them.

Good conversation here... I'm looking into getting Linux routers to understand VLANs too.

One thing that I see here concerned me, BGP as your routing proticol when you have only two networks. No, this is not the way to go. BGP is a routing protocol when your network is being used as a transit. That is, if your network is a conduit where traffic comes through you to get to another autonimous system then BGP is your protocol.

In your case, simple static routes are the way to go. Your student machines need a static route to the IP of their firewall interface, and your teacher ones need the same. That's all it requires. Your firewall will know of the two addressing spaces, so it will do a simple route/nat/whatever you set to move the packet from one VLAN to the next.

Other than that, the help you've gotten is righ on. I'd have suggested Linksys for your managed switch, but I'm a Cisco guy so it's purely bias.

You could so this with Cisco 2950s and the price wouldn't be all that high. You could even use 1900 or 2900 switches too, though I wouldn't recommend it.

MrKnisely