Charles Marcus put forth on 9/23/2010 6:57 AM:
Stan - if you don't mind an OT question...
I'll give it a shot.
Given your obvious expertise in the Enterprise Storage arena (enjoyed reading some of your past posts on the subject, though much of it was over my head) - what would you recommend as a 'quality managed switch' that doesn't break the bank? I'd like to get one that doesn't require a CISCO CCNA to configure/manage (relatively easy to understand Web UI)...
Experience with enterprise storage doesn't necessarily make one an ethernet switch expert, especially considering that the vast majority of my storage network experience is with fiber channel networks. Fiber channel switch configuration and management has little, if anything, in common with ethernet. I do have a little ethernet experience, as most IT folk do. But WRT iSCSI SANs, the few I've done used dedicated switches on a separate storage network, so there was no reason to implement VLANs. My VLAN experience is rather limited.
All I'm looking for is a way to provide some separate VLANs with ACLs - specifically, I need one VLAN that is our general internal LAN, one VLAN that is totally segregated (to provide Guest Wireless internet-only access), and one VLAN for our Accountants, that blocks access from other workstations on the internal network, but allows the users on it to access resources on the internal network.
It sounds like you're attempting to solve a security problem with a technology primarily designed to allow moving equipment from one network segment to another--VLAN. VLANs function primarily at OSI layer 2. The only ACL functionality here is based on MAC addresses. In your "guest wireless" case, VLANs gain you almost nothing. What a VLAN _can_ give you in this case is the ability to restrict a given layer 3 IP subnet to one VLAN which only has access to the the wireless APs and internet router.
_However_, you can do the same thing with an IP router and proper use of DCHP. You can also do the same for the internal networks you mentioned, with a router and DHCP. It seems that using VLANs to solve your problem is a "poor rich man's" solution. By that I mean VLANs are a "poor" technical solution in this case, and you must be "rich" to buy all the layer 2 gear vs. implementing a single router, which can be a Linux server with iptables rules and a dhcpd running on it. This would also give you much richer functionality and control.
In summary, you don't need VLAN capable switches to do what you want, and if you went this route, it's a suboptimal solution. An IP router/dchp server can do the job better and with much greater flexibility/functionality.
The one hitch in all of this is that you'll need two different WEP/WAP keys assigned to each AP, and the combination of the AP and DHCP server will need to assign an IP from the proper subnet pool to regular users and guest users based on which key they auth with. I've never set this up before but I know it can be done as colleagues have done it. It may or may not require replacing all of your current APs. It depends on whether your APs can do multiple keys and subnets.
Acquiring VLAN capable managed switched with an easy to use GUI is the least of your worries Charles. The difficult aspect of setting up what you want to do is in the education and planning stage. Whether the gear you end up using has a GUI or not is the least of your worries. :(
What you describe is not an easy setup at all. And it can't be solved with better switches. Your DHCP server will play a big role in this. If you choose to go the VLAN switch route, you will most likely need to replace all your APs with new units that do VLANs, and it would probably be a very smart idea to get the APs and switches from the same vendor.
Or, you can just put in a new router/dhcp server and be done with all this. The learning curve here could be just as steep, but you'd save a boat load of cash compared to replacing all your switches and APs.
-- Stan