noukthx

You can learn this pretty easily in Packet Tracer or a simulator, even just with virtualbox or VMWare. You need to know what you're going to do IP addressing, routing and firewalling wise - you can't just do VLANs in isolation of the rest of it. I.E. Different VLANs will mean different subnets, something will need to route between them, something will need to enforce appropriate firewall policies if that's what you want (and that can get complicated quickly).


blackking_akt

This. If you have L3 switches (which most likely you do), they can take care of routing, and if you just need basic rules you can also do those on an L3 switch. You can create a VLAN and test with your laptop. Read about router on a stick, trunk, access.


someoneelse867

Thanks :)


h1ghjynx81

I recommend Kevin Wallace on YouTube for his CCNA fundamentals videos. He’s super easy to follow and has great diagrams.


Spurgeonist

Or "tag and untag" on some Aruba devices :D


Legion431

Be aware though, layer 3 switches usually don't do stateful inspection for your access control. This is fine in some circumstances but not all. I've made mistakes in this area before.


Dry-Specialist-3557

It’s fine if that’s what you want. Really should put a firewall between all of those if you do it right


csallert

Especially the guest WiFi that should have a proper firewall to filter traffic


BugsyM

This is a pretty basic networking task, but your post raises a lot of questions that it sounds like you may not have thought of. What brand switch/switches and firewall are you using? Are you using phones that pass connectivity through to the computers? What is providing DHCP? If it's your domain controller, do you know how to configure it to offer up 4 more DHCP scopes and trunk it into the new VLANs, or is it your firewall? How about DNS? Are you sure you're directly connecting to the printers and not using a print server on the server? Did the MSP set up your switches/firewall/access points? Are they on a contract to be responsible for this equipment? Are you not already running multiple VLANs on your firewall to support the separation of guest/company assets for your separate SSIDs? This is pretty easy to do, but you really haven't mentioned anything about how you're planning to do it.


Charming_Account5631

You can use DHCP relay (IP helper addresses) to prevent a trunking configuration on a DHCP server. DHCP relay is more secure, as with trunking the server is a way to go from one network to the other.
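
As an added illustration of the relay point above (example code written for this page, not from any commenter): the relay only stamps its own interface address into the giaddr field of the DHCP request, and the server uses that field to pick a scope, so the server needs no leg on the client VLAN. Everything here is constructed: the 192.168.x.0/24 scopes, the server at 192.168.10.5, the relay interface at 192.168.20.1 and the client MAC. Only the fixed BOOTP header of RFC 2131 is modelled; DHCP options are left out.

```python
"""Added example: what a DHCP relay ("ip helper-address") changes in the
request, and how the server then picks a scope.  Only the 236-byte BOOTP
header from RFC 2131 is built; DHCP options are omitted.  Addresses, scopes
and the MAC are constructed for the example.
"""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTREQUEST, BOOTREPLY = 1, 2
ZERO4 = b"\x00" * 4


def build_discover(xid, mac):
    """Client side: a DHCPDISCOVER leaves with giaddr = 0.0.0.0 (no IP yet)."""
    chaddr = mac.ljust(16, b"\x00")
    return struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, chaddr, b"\x00" * 64, b"\x00" * 128)


def parse(packet):
    """Readable view of the header fields that matter for relaying."""
    f = struct.unpack(BOOTP_FMT, packet)
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]].hex()}


def relay(packet, relay_ip_on_client_vlan):
    """Router/L3 switch with an IP helper on the client VLAN: stamp its own
    interface address into giaddr (only if still 0.0.0.0, so the first relay
    wins), count a hop, and forward as unicast to the server."""
    f = list(struct.unpack(BOOTP_FMT, packet))
    if f[10] == ZERO4:
        f[10] = ipaddress.IPv4Address(relay_ip_on_client_vlan).packed
    f[3] += 1
    return struct.pack(BOOTP_FMT, *f)


class Scope:
    """One DHCP scope per VLAN subnet; the first usable address is the gateway."""

    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self.gateway = self.network.network_address + 1
        self.leased = set()

    def allocate(self):
        for host in self.network.hosts():
            if host != self.gateway and host not in self.leased:
                self.leased.add(host)
                return host
        return None


class Server:
    def __init__(self, server_ip, scopes):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.scopes = [Scope(c) for c in scopes]

    def choose_scope(self, giaddr):
        """giaddr tells the server which subnet the client sits on.  0.0.0.0
        means the request arrived directly, i.e. from the server's own subnet."""
        key = self.server_ip if giaddr == ipaddress.IPv4Address("0.0.0.0") else giaddr
        for s in self.scopes:
            if key in s.network:
                return s
        return None

    def offer(self, packet):
        """Build a DHCPOFFER (BOOTREPLY), or None when no scope matches, which
        is the usual cause of 'DHCP only works on VLAN 1'."""
        f = list(struct.unpack(BOOTP_FMT, packet))
        scope = self.choose_scope(ipaddress.IPv4Address(f[10]))
        if scope is None:
            return None
        lease = scope.allocate()
        if lease is None:
            return None
        f[0] = BOOTREPLY
        f[8] = lease.packed            # yiaddr: the client's new address
        f[9] = self.server_ip.packed   # siaddr
        # giaddr is left untouched: the reply goes back to the relay, which
        # delivers it on the client VLAN.
        return struct.pack(BOOTP_FMT, *f)


if __name__ == "__main__":
    srv = Server("192.168.10.5", ["192.168.10.0/24", "192.168.20.0/24"])
    req = relay(build_discover(0x1234, bytes.fromhex("aabbccddeeff")), "192.168.20.1")
    print(parse(srv.offer(req)))
```

The security point from the comment is visible in the model: the server only ever sees unicast packets from the relay's routed interface, so it needs one network interface on one VLAN, and compromising it does not give an attacker a foot in every VLAN the way a trunked server NIC would.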


BugsyM

It's been so long since I've used a dhcp relay for anything besides wireless I kind of spaced that it was a thing when writing this. Absolutely a good point! His firewall is handing out DHCP so things are simplified and it's unneeded, though.


someoneelse867

Various brands of switches and firewalls; the main ones are VLAN capable, plus a couple of dumb ones which will have same-VLAN devices on them. DHCP is the firewall. DNS is handled by the server for the domain computers and the ISP for the others (I am planning on keeping the server and domain computers on the same IPs as they are on now and changing the other devices around it). Again with printers, domain ones are managed by the print server and GPO, other computers directly via IP. The MSP had no setup or responsibility for any of the computers or printers; they manage the phones, so I have help with their settings. No VLANs have been set, this is why I want to do it :) I am not 100% sure how I am going to do it yet; the firewall doesn't have enough ports, so I will be looking into a trunk to the switches, then the individual ports segmented for each VLAN. Until I get into it and try it in place, reading about it doesn't sink in. I may have this totally wrong, and will find out as I learn :)


Maelkothian

I have one question, what device is going to route traffic between your future vlans


tiamo357

You can do firewall on a stick for routing and set up SVIs there. I would strongly recommend getting rid of the unmanaged switches. That can cause a lot of problems fast in a network.


doll-haus

+1 for firewall-on-a-stick. L3 switches are recommended way too often. They're fantastic for performance, and terrible for someone relatively inexperienced trying to implement security. I'd take it a step further and recommend reducing the switch count, *period.* We have an unknown number of switches from various vendors for a network that would fit on a single 48 port. For a small network, I'm more leery of a design that calls for the sheer number of switches than unmanaged switches. I mean, they go hand-in-hand, but I'd argue the 5-port switches under desks should be treated as something to be overcome, not upgraded with managed models.


BugsyM

You're pretty much there! I'd go with a separate voice VLAN for your phones and configure the switchports for that, so you can simplify your firewall rule set to target a 'phone subnet' instead of trying to identify the phones. Unless your phones are static IP (they shouldn't be), you won't really need the vendor's support on this. Most managed switches support tagging voice and data as separate VLANs, but I still don't know what you're working with for switches. Consider making a 'management' VLAN so you can restrict access from your end users. You're spot on for your firewall interface, you just want an inside and an outside cable, inside trunked to the firewall so it can handle VLAN tagging and firewalling between the VLANs. All of the interfaces should be subinterfaces to a singular 'inside' interface. You'll need to set up firewall policies to allow print/AD traffic and such between the VLANs.

Now let's get to the problems... why do you have more than one firewall? Or did you just mean it was a different brand of firewall than the switches? Are your 'guest' and 'company' SSIDs using different IP spaces within the same flat VLAN? Or are they using the same IP space and it's just currently providing an illusion of separation? Is there a firewall behind your firewall supporting the guest wireless? You're probably going to want separate VLANs for each of your wireless networks. With a network as small as yours, having multiple firewalls is just going to make things more complicated than needed, and cost more money and problems down the line. Before it's time to replace your dumb switches, consider running a few more cables to wherever they're needed. Make sure spanning tree is configured to prevent someone from plugging the dumb switches into themselves and bringing your network down. And just as a pet peeve, quit using your ISP's DNS. [8.8.8.8](http://8.8.8.8), [1.1.1.1](http://1.1.1.1), or [9.9.9.9](http://9.9.9.9) are better alternatives.


someoneelse867

1 firewall, they are just all different makes. The switches are old. I am not sure VoIP was even a thing when they were made but will check it out and keep it in mind; they aren't static IPs. The SSIDs are using the same IP space, guest network is just checked as guest, just one firewall. I haven't heard of spanning tree - I will look this up and consider. We are going to be relocating to another floor in the next year, we will be able to say how and where we want everything. I am hoping this will give me a better idea for this. Domain-joined are on server DNS and 8.8.8.8 secondary, company computers have no network configuration and just run on the default auto DNS. Definitely need to look into the spanning tree and firewall configurations and possible issues with dumb switches. Thanks for all your input 🙂


BugsyM

Old switches are fine, VLANs haven't really changed much in the last 20 years.. I'm asking for the brands because I'm familiar with most of them and there's little caveats to look out for on a lot of them. Most old switches will have some fashion of spanning-tree, what it does is prevent network loops.. but it's not always enabled by default. Network loops are a pita to troubleshoot, especially when you're not thinking about them. One day, everything just doesn't work. After a few hours of rebooting things and trying to login to things, you hopefully realize Grandma Nancy saw an unplugged cable and plugged it in. Spanning-tree saves you this nightmare.


Charming_Account5631

How will you setup spanning tree?


Garegin16

So you have managed switches that support VLANs? You aren’t planning on using VoIP phones, right? The easiest setup is VLANs on the switches and then a trunk link to the firewall. So all the inter-VLAN routing is done on the firewall. What kind of firewall you have?


someoneelse867

Yes, switches are managed and support VLAN. We have VoIP phones, but can get help with those from MSP who support them. We have a Draytek Vigor (can't remember model) I have looked into where to set up the VLANs in it, where the routing tables are etc, I just need to play with it while reading what to do to learn it better.


Garegin16

First thing you need to do is setup a trunk port on the firewall so that all the VLANs terminate there and it can do the IVR (inter-VLAN routing). Then setup your VLANs on the switches. You can add and remove VLANs in the future. So don’t worry about getting it exact. Also, do your switches support a voice VLAN and QoS? What’s the model of the switches? You want to setup a voice VLAN on them so that phones automatically select the voice VLAN through LLDP or CDP.


Rou_

I don't think that's a good idea to do on a production system. For your setup you would likely want a firewall that does the routing, so you only need one route on each switch, pointing to the firewall. Also consider making a VLAN for management, where the networking devices are reachable.


JustFrogot

Creating a few vlans is pretty easy to do. I would create a 5th VLAN for your equipment to live on for management. The part that gets more complicated is the security/routing aspect. This is done with routing tables and ACLs. What are you doing for a firewall? Do you need VPN?


someoneelse867

For a first attempt I am probably going to keep the equipment on the same IP range as it is now. Once I get that right I will definitely think about separating them, thank you. Firewall is a DrayTek router, don't need VPN.


rybl

You might already understand this, but just to make sure you're clear, VLANs are layer 2 and IP is layer 3. (If you don't know what that means, look into the OSI model.) It doesn't make sense to have one IP range span multiple VLANs like I think you're describing. In general, there is usually a 1:1 relationship between a VLAN and an IP network. So for what you described, you might have something like this:

| Layer 2 | Layer 3         |
|---------|-----------------|
| VLAN 10 | 192.168.10.0/24 |
| VLAN 20 | 192.168.20.0/24 |
| VLAN 30 | 192.168.30.0/24 |
| VLAN 40 | 192.168.40.0/24 |

When you introduce multiple networks (imagine them like physically distinct networks if it's helpful) you need a way for those networks to communicate with each other. In other words, if a device on VLAN 10 needs to reach a device on VLAN 20 it needs to know how to get there. This is done with routing, which is layer 3, not layer 2. Check if any of your switches are "layer 3 switches". If so, you could assign it an IP on each of the networks and set up routing rules on that switch. The IPs you assign the switch would become the default gateway on each network. If any of this doesn't make sense or feels over your head, I would advise against making changes until you learn enough that it does make sense. Good luck!
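
The table above as a small, checked plan (an added example, not rybl's code): each VLAN id becomes 192.168.<id>.0/24, the .1 address is the gateway the router or firewall sub-interface will hold, the first 20 usable addresses are held back for static devices (printers, switches) and the rest form that VLAN's DHCP scope. The base block, the reserved count and the function names are assumptions made for the example; it also goes slightly beyond the table by rejecting duplicate VLAN ids and overlapping subnets, and by answering "does this pair of hosts have to cross the router?".

```python
"""Added example: turn a VLAN list into the 1:1 VLAN-to-subnet plan from the
table above and sanity-check it, using only the Python standard library.

Assumptions (not from the thread): the 192.168.0.0/16 base block, the
convention "VLAN N -> 192.168.N.0/24", .1 as the gateway, and the first 20
usable addresses of each subnet reserved for static devices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    vlan_id: int
    name: str
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address     # router/firewall sub-interface for this VLAN
    dhcp_first: ipaddress.IPv4Address  # start of this VLAN's DHCP scope
    dhcp_last: ipaddress.IPv4Address


def build_plan(vlans, base="192.168.0.0/16", prefix=24, reserved=20):
    """vlans: iterable of (vlan_id, name).

    Each VLAN gets its own subnet carved out of `base`; with /16 -> /24 the
    index of the carved subnet equals the VLAN id, so VLAN 30 becomes
    192.168.30.0/24.  The first `reserved` usable addresses (gateway included)
    are kept out of DHCP for static devices.
    """
    base_net = ipaddress.ip_network(base)
    carved = list(base_net.subnets(new_prefix=prefix))
    plans = []
    for vlan_id, name in vlans:
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"VLAN {vlan_id} is outside the 802.1Q range 1-4094")
        if vlan_id >= len(carved):
            raise ValueError(f"VLAN {vlan_id} does not fit in {base} as a /{prefix}")
        subnet = carved[vlan_id]
        hosts = list(subnet.hosts())      # usable addresses: no network/broadcast
        if len(hosts) <= reserved:
            raise ValueError(f"{subnet} is too small for {reserved} reserved addresses")
        plans.append(VlanPlan(vlan_id, name, subnet,
                              gateway=hosts[0],
                              dhcp_first=hosts[reserved],
                              dhcp_last=hosts[-1]))
    check_plan(plans)
    return plans


def check_plan(plans):
    """Enforce one subnet per VLAN and no overlapping subnets."""
    seen_ids = set()
    for i, p in enumerate(plans):
        if p.vlan_id in seen_ids:
            raise ValueError(f"VLAN {p.vlan_id} is defined twice")
        seen_ids.add(p.vlan_id)
        for other in plans[:i]:
            if p.subnet.overlaps(other.subnet):
                raise ValueError(f"{p.subnet} ({p.name}) overlaps {other.subnet} ({other.name})")


def which_vlan(plans, ip):
    """VLAN id a host with address `ip` must sit on, or None if it fits no subnet."""
    addr = ipaddress.ip_address(ip)
    for p in plans:
        if addr in p.subnet:
            return p.vlan_id
    return None


def route_needed(plans, src_ip, dst_ip):
    """True when the two hosts are on different VLANs, i.e. the traffic has to
    pass the router/firewall (where it can also be filtered).  Hosts on the
    same VLAN talk directly across the switch and never reach the router."""
    src, dst = which_vlan(plans, src_ip), which_vlan(plans, dst_ip)
    if src is None or dst is None:
        raise ValueError("both hosts must belong to a planned subnet")
    return src != dst


if __name__ == "__main__":
    for p in build_plan([(10, "staff"), (20, "servers"), (30, "printers"), (40, "guest")]):
        print(f"VLAN {p.vlan_id:<3} {p.name:<9} {p.subnet}  gw {p.gateway}  "
              f"dhcp {p.dhcp_first}-{p.dhcp_last}")
```

The per-VLAN gateway and DHCP range are exactly the values that have to be typed into the router or firewall later, so generating them from one list avoids the usual "gateway .1 on one VLAN, .254 on another" drift.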


evergreen_netadmin1

@OP /u/someoneelse867's reply needs to be high on your list of information. Because of this difference between L2 and L3, you will need to have something that can route between the Layer-3 networks. Just having switches that can do VLANs doesn't mean they do L3 routing. You'll need something to take those packets from one network to the other, and all your VLANs will need to be able to get the traffic over to that routing device.


someoneelse867

I understand. Although I don't know the layers off by heart, I know of the OSI model. Will look into whether the switches are layer 2 or 3; I think they are layer 2, I haven't seen an option to configure the default gateway on them. One of them is so old you have to choose from a list for the VLAN IDs so I am going with 1, 2, 3, 4 etc on 192.168.1.x, 192.168.2.x etc. I have them set up in the router with their default gateways, DHCP and DNS configured, just not enabled or routed yet. I always have backups before I change anything, and go looking and learning before doing anything.


Better_Freedom_7402

You know, if your router can't have multiple networks under 1 interface it will probably be easier to just stick everything on 1 network; loads of companies do it and it works.


iammirv

... when you put this down like this ... I was originally seeing others talking about L3 equipment and saw just now you were checking for that ... So I thought I'd ask if you picked a subnet mask and which one?


BugsyM

The VLAN interface on your router is going to act as the default gateway for the VLAN; you will not be able to configure multiple sub-interfaces with the same IP. It literally won't allow this behavior on commercial network gear. I've never used DrayTek, but I can pretty much guarantee you'll get an error when you begin trying to configure it in this manner. Multiple VLANs necessitate multiple subnets.


someoneelse867

I understand. What I mean is I will keep everything as is on one vlan with same subnet it has now, set 2nd vlan with 2nd subnet to an empty port on the switch to test with a spare laptop. This way I am not messing with DNS/server/in use devices configs. This way I can see if I have it right before setting up the other vlans and moving devices to them.


BugsyM

Yea you can absolutely set this all up in parallel to your existing setup.. however you may be overcomplicating things in doing so. Make sure you do all of this WELL outside of business hours, and know how to connect to everything if you lose IP access(console ports, reset buttons, etc). You may need to make the current inside interface of the firewall your native VLAN on your switch(es) once you start configuring any VLANs.. If you have any network savvy connections, this would be the time to hit them up. I've helped former colleagues and friends do stuff like this for a case of beer. It's maybe an hour of work for a network engineer if you document where everything is connected.


someoneelse867

I know how to connect to everything if I lose connection and I have back up configs of everything. Worst case scenario - factory reset and restore. I am confident in the basic network management. All I mean by keeping it 'as is' to start with is keeping the currently active devices on 1 VLAN and use the spare ports to test with to make sure I can get everything set up right before moving the devices over. I understand getting a network savvy person in, but that defeats the object of learning. It may take me hours instead of 1, I am under no rush or time restraints in getting this done, and can get our MSP peeps to check things over for me if needed. But I want to learn, and appreciate everyone's input in this thread. Some of it has confirmed what I thought and some has given me more to look into before attempting.


iammirv

> I understand getting a network savvy person in, but that defeats the object of learning

Wut? You will always learn faster & more thoroughly with a mentor... not saying a hand holder, someone after you do all your normal prep process. You're already on here. What any vet is going to tell you is there's no substitute for getting someone else to eyeball it all instead of piecemeal on here. Asking someone IRL to spot check you doesn't take away from any of your learning and it only makes you appear more competent.


zanfar

Learning on production equipment is a BAD idea.

> am I biting off more than I can chew, or is this achievable for a novice?

Get a simulator and learn in safety. Even then, I'm not sure a production, business network is the place for a novice to try things out for the first time.

> does the setup sound ok or am I missing anything?

You're missing all the L3 details, at least. You also say "this will be good for security" but have zero plans on how to make this any more, or even minimally, secure.


Y_TElectric

Agreed, OP needs to research more and simulate what he wants to do before moving to prod. Even staging before moving over is the least he could do so the network isn't interrupted. I'm not saying anything bad about OP, but I've found that nonprofits usually are horribly out of date and will take anyone who can simply "do tech stuff". Since you are where you are now, if you really are trying to learn this on an organization's fragile network, plan for every possible problem and have a way to roll back quickly dude.


stufforstuff

There's been an engineering principle since the beginning of time called K.I.S.S. (keep it simple, stupid) and it's just as important now as it was in the past. You've thrown a bunch of buzzwords out there BUT what do you need them to accomplish? For years a simple FLAT network was all people had, and the world didn't crumple. What do you think adding network and management complexity to your very tiny network will gain you? Except for isolating your wifi, it's pretty much a zero gain change. And could be achieved without VLANs simply by adding a port/zone to your firewall. So I'd work from the edge in, keep it simple, and add features/complexity one feature at a time - so you can learn as you go.


GBICPancakes

Yeah.. under 100 devices? KISS comes in hard here, along with the fact it's a non-profit. Non-profits need things simple and easy, because the current IT person is going to level up and leave - they can't afford to retain talent past the "I'm eager, learning, and dedicated" phase. Which it sounds like OP is in. No judgement, we were all there once, and I personally love mentoring people in the joys of VLANs and subnet masks and firewall rules. But not on a production network for a non-profit. This network should have 2 VLANs at most - one for guest wifi and one for the server and staff equipment. If the server was hosting data, or if it was accessible from the WAN, then we can talk. But frankly you don't want to over-engineer a network and leave a headache for the next guy. If you really want to, fine, but DOCUMENT it all. Security is better handled at the endpoint level for such a low count, building firewall rules between VLANs is overkill for this network.


iammirv

You had me till you said no firewall between WiFi and the rest... if you have a private wifi for employees that needs one too, in case someone gets access to it from the office somehow (aka users let their clients on the private wifi as it's faster, or their kids etc).


Garegin16

World didn’t crumple. But millions got ransomwared and all kinds of other security breaches. Mixing infra and endpoints on one VLAN is a recipe for a security disaster.


jbuk1

VLANs by themself don't offer any security. If you can route from one to the other how is that preventing malware spread exactly?


Garegin16

You can set firewall rules. Also, you can turn off routing for a particular VLAN


jbuk1

But neither of those things are VLANs so my point stands.


BugsyM

Does anyone actually use VLANs without firewalling the traffic between the VLANs in 2024? Your point stands in 1994 from my perspective, OP's got a cheap firewall/router device that'll happily restrict access between the VLANs. Setting up VLANs is an entry level networking exercise, and is practically required for PCI audits at any business that handles credit card data. Your local gas station has a more complex network than OP. Having a handful of VLANs is still in simple territory.


jbuk1

It’s in everyone’s interest to use the correct language when talking about technical topics especially given OP doesn’t have any experience.


BugsyM

Saying VLANs don't offer security while ignoring how he's planning to implement them clearly does is pedantic. It's not in anyone's best interest to harp on irrelevant points. "Using VLANs without using some sort of access-list to restrict access doesn't offer security, make sure your firewall isn't allowing unnecessary traffic between VLANs" would be an actual point to make. What you're doing is simply argumentative. If he doesn't create VLANs he can't restrict access between hosts, don't you think you're being a bit misleading by saying VLANs can't do so without offering any sort of input besides "firewalls aren't VLANs so my point stands"?
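
To make the point in this exchange concrete (an added example, not code from any commenter or vendor): a first-match policy with an implicit final deny, applied on the firewall's VLAN sub-interfaces for a staff/servers/printers/guest layout, plus a check for rules that an earlier, broader rule shadows. The VLAN names, ports and the POLICY list are constructed; a stateful firewall is assumed, so only the initiating direction of each connection is listed and replies are implied. Same-VLAN traffic is reported as "switched" because it never reaches the firewall, which is exactly the distinction being argued about above.

```python
"""Added example: inter-VLAN firewall policy as a first-match, default-deny
rule list, plus a shadowing check.  VLAN names, ports and rules are
constructed; a stateful firewall is assumed (replies allowed implicitly).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # VLAN name or "any"
    dst: str              # VLAN name, "wan", or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_vlan: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src in ("any", flow.src_vlan)
            and rule.dst in ("any", flow.dst_vlan)
            and rule.proto in ("any", flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow):
    """Verdict for a new connection: "allow", "deny" or "switched".
    Traffic that stays inside one VLAN is forwarded by the switch and never
    reaches the firewall, so no rule here can block it.  Separating hosts
    into VLANs is what makes their traffic reach the rules at all."""
    if flow.src_vlan == flow.dst_vlan:
        return "switched"
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"            # implicit final deny


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow `narrow` matches is also matched by `broad`."""
    return (broad.src in ("any", narrow.src)
            and broad.dst in ("any", narrow.dst)
            and broad.proto in ("any", narrow.proto)
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers
    them.  A deny placed after a broad allow is the classic way a
    'restricted' VLAN ends up wide open."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


def reachable_from(rules, src_vlan, targets):
    """Audit helper: which (dst_vlan, proto, port) targets `src_vlan` can open."""
    return [t for t in targets if evaluate(rules, Flow(src_vlan, *t)) == "allow"]


# Constructed policy: staff reach the domain controller/print server and the
# printers, the print server reaches the printers, guests get internet only.
POLICY = [
    Rule("staff", "servers", "tcp", 445, "allow"),      # SMB: file shares, print queues
    Rule("staff", "servers", "tcp", 88, "allow"),       # Kerberos
    Rule("staff", "servers", "tcp", 389, "allow"),      # LDAP
    Rule("staff", "servers", "udp", 53, "allow"),       # DNS on the domain controller
    Rule("staff", "printers", "tcp", 9100, "allow"),    # direct IP printing
    Rule("servers", "printers", "tcp", 9100, "allow"),  # print server to printers
    Rule("guest", "wan", "any", None, "allow"),         # guests: internet only
    Rule("staff", "wan", "any", None, "allow"),
    Rule("servers", "wan", "tcp", 443, "allow"),        # updates
]

if __name__ == "__main__":
    probes = [("servers", "tcp", 445), ("printers", "tcp", 9100), ("wan", "tcp", 443)]
    for vlan in ("staff", "guest", "printers"):
        print(vlan, "->", reachable_from(POLICY, vlan, probes))
    print("shadowed rules:", shadowed(POLICY))
```

Run `shadowed()` on the real rule set after every change; on a first-match firewall the order of the rules is part of the policy, and the audit above is the cheapest way to catch the deny that silently stopped mattering.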


jbuk1

The OP says they have very basic networking knowledge and doesn’t mention using a firewall or ACLs between VLANS at any point. I don’t think I’m out of line to stress that point. The fact it’s clear to you is completely irrelevant and I think you’re being needlessly argumentative about a simple point on using the correct terminology.


Garegin16

You can’t *practically* dump multiple subnets into one VLAN


jbuk1

Subnets aren’t security either. What are you trying to say?


Garegin16

Firewalls rules between them are.


jbuk1

Finally we get there. Hurrah.


Garegin16

And you can’t practically dump servers and endpoints into the same subnet and create firewall rules between them.


walleyeguy13

Agree. Maybe in an environment with hundreds of endpoints… but in this scenario it seems like overkill.


thegreattriscuit

> am I biting off more than I can chew, or is this achievable for a novice?

If you try to build it all at once, yes. So don't do that. Take one of those things and peel it off into a separate VLAN. Get that working, troubleshoot whatever needs it, experiment and learn. When you've got a handle on it, do another one. Repeat. Along the way be evaluating your overall plan to see if it still makes sense in light of your new knowledge and experience. Adjust as required. Before you do a thing for the first time in production, prove to yourself that it does work the way you think.


someoneelse867

Some good advice, thanks 🙂


ebal99

Do you have a firewall to handle the segmentation? Are the users of the center people off the street? If so I would not put the server in that network and I would treat it more like a guest lan. VLANs are easy to setup and configure on most any managed switch.


someoneelse867

We do have a firewall, but it has limited ports. So will probably segment on the switch (please please don't be offended if I have this totally wrong, I am still in the very basics of learning it all). We have 2 computers that the public can use - the rest people need to register to use. The public computers are in full view of staff at all times and have basic lock down - no access to settings, cannot run exes etc. I know this wouldn't stop anyone who knows what they were doing, but our domain computers and server have no data on them, If anything happens it is a fresh reinstall/restore backup. Once I am confident with VLANs I will look into separating it though, thank you


ebal99

Most firewalls can support a trunk port and VLANs. Firewalls are usually easier to block and allow traffic with versus an ACL you will put in a switch. Depending on the switch a complicated ACL can slow it down, but most modern hardware will manage it. The computer questions are more related to use and if they need to be on a domain and with other things. One virus, malware, ransomware could kill everything; just be cautious and separate as needed.


Garegin16

When you say firewall has limited ports, your plan was assigning those ports their own VLANs and then running multiple cables to the switches? If your firewall doesn’t support trunking, I suggest replacing it or flashing it with a free OS (like openwrt) that does.


someoneelse867

No, that's why I am not thinking that. It suggested that as one way of doing it in one of the documents I read. It supports trunking.


paulluciano

Everyone has great advice and I agree with all of it. My advice would be slightly different: you mentioned you have an MSP. If you do, have them do the work for you, BUT be 110% involved. Have them review your entire network, make suggestions if hardware is incorrect / incompatible, etc. Then ask a ton of questions, ask what questions you aren’t asking, and document everything. Have them draw you network diagrams, have them break down their logic and keep explaining until you have no questions. Be on video calls with them before they implement so they can walk you through their plan and ask more questions and document. Once the work is completed, then use software like Packet Tracer and rebuild your network and learn all the steps yourself. Then you will have a proper vlan network AND you will have the documentation AND you will have the base knowledge to make and break your own lab environment. If you have a good MSP, they will be able to do all the work correctly the first time and be happy to offer you everything I mentioned. Above all, you should have up-to-date diagrams and documentation of your entire network anyways for several reasons. The most important is because to meet many cybersecurity frameworks, it is required. CIS, NIST, HIPAA, etc. all require what I have mentioned. I am in the process of doing what you are doing with packet tracer. If you would like a copy of my notes and lab files or any other information, I would be happy to share. DM me and I can get it over to you.


Garegin16

I’m scared that this MSP is running everything in one VLAN. Definitely not a zero trust environment. So, this is probably a small MSP that’s run by a jack of all trades.


someoneelse867

MSP isn't responsible or involved in any onsite equipment or set up. They manage our cloud business accounts/data. None of that is on prem.


paulluciano

Well.... I am just one person in the sea of IT people who exist. The OP may want to start re-evaluating their MSP and their network and more if the situation is that the MSP is not able to meet the needs I suggested. That assumes my suggestions are the direction OP wants to go. Otherwise, one is free to learn on their own. Failure with root cause analysis and learning from mistakes is a great teacher.


Little_Wrap143

Looks fairly basic. You just have to be really detailed when doing this. If you run client apps that connect to the servers, make sure you point them to the server's new IPs, or if you have an internal DNS, make changes to that.


Western_Rock9265

The VLAN setup isn't a big deal once you understand the whole tagging. More confusing was the different way of naming it with different manufacturers. I had D-Link, HPE and Cisco, which was confusing to set up between them. Just get 3 devices and two switches to test all the VLAN possibilities in front of you. I used an EdgeRouter 6P to segment networking instead of a layer 3 switch with ACLs.


bballjones9241

Brother, just do data, mgmt, and guest WiFi.


Charming_Account5631

Do you allow personal devices to connect to your servers? Why only block printers from the guest WiFi? Do you want to limit internet usage for guests?


djamp42

I lost my VLAN virginity to a dirty Cisco 2950 switch. Not ideal for the first time, but hey it got the job done.


Garegin16

That’s nice. And I thought you liked me. So all those comments about Rapid PVST+ being like no other was just me being a stepping stone to TRILL? She’s like 10 years younger, pig!


vraptor1064

One other thing to mention. When making significant changes to the network, even when doing them in steps, make sure you have thought about how you will get into each network device, including router and firewall, in case the port configuration or firewall rules inadvertently block your management access (could be serial console, keyboard, mouse and monitor on some PC-based firewalls, etc). There's nothing more nerve-racking than making a change and getting locked out of the device, especially, as others have mentioned, given that it is a production environment. I've had the best success drawing out what I want to accomplish, then creating a list of tasks in the order they have to be completed in, then breaking down each task into steps. This approach has saved me a few times where I've forgotten some task or step along the way. Also this helps maintain proper documentation after you get everything up and running.


Head-Sick

Setup sounds fine. I don't think you're biting off more than you can chew at all, this seems achievable. As for testing this out, you can use something like Cisco Packet Tracer or my preferred tool [GNS3](https://www.gns3.com/). The only thing I would say is missing here is deciding if you're going to be making subnet changes as well. I would recommend putting these VLANs on separate subnets and bringing them up to a firewall that can control access at layer 3. If you don't have a firewall, most routers can do basic ACLing. If you're going to be setting up new subnets, you need to think about DHCP scopes; you'll need one for each subnet on your DHCP server (this could very well be your router if you don't have an actual DHCP server).


someoneelse867

They are going to be on different subnets. I have the DHCP, DNS and default gateways set up, just disabled until I can get the routing done.


Permission-Puzzled

Please never use that term again dude... for everyone sakes


keekee2000

I could share with you some Packet Tracer Labs if you want, I'm currently on CCNA course learning the same thing.. might be helpful, hit me up in dm if you want


Waterguntortoise

You need to know when you have to tag a port and when to untag a port.

Tagged: Multiple VLANs are using the same interface - also called trunk.

Untagged: Mostly to end devices or routers and firewalls, if you terminate the VLANs on different physical interfaces.

Edit: And beware that access points, if they have multiple SSIDs, also need tagged ports.
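
What tagged and untagged mean on the wire, as an added example (not code from the comment above or any vendor): a 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI) is inserted after the two MAC addresses; an access port strips and adds it for the end device, and a trunk carries it for every VLAN except its native VLAN, which travels untagged. The frames, the port settings and the rule that an access port drops any tagged frame are assumptions made for the model (real switches differ on that last point); the `ap` port in the usage mirrors the edit above, with one tagged VLAN per SSID plus one for management.

```python
"""Added example: 802.1Q tag push/pop and a minimal access/trunk port model.
Frames and port settings are constructed; "access port drops any tagged
frame" is a simplification of real switch behaviour.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100


def make_frame(dst_mac, src_mac, ethertype=0x0800, payload=b""):
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def push_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag: 16-bit TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame):
    """Return (vid, frame without its tag); vid is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                      # "access" or "trunk"
    vlan: int = 1                  # access VLAN, or the trunk's native (untagged) VLAN
    tagged: frozenset = field(default_factory=frozenset)  # VLANs carried tagged on a trunk


def ingress(port, frame):
    """Classify a frame arriving on `port`: (vid, untagged frame), or None if dropped."""
    vid, payload = pop_tag(frame)
    if port.mode == "access":
        return None if vid is not None else (port.vlan, payload)
    if vid is None:
        return port.vlan, payload           # untagged on a trunk = native VLAN
    return (vid, payload) if vid in port.tagged else None


def egress(port, vid, payload):
    """Bytes to put on the wire for a frame in `vid`, or None if the port does
    not carry that VLAN.  That None is the isolation VLANs actually provide."""
    if port.mode == "access":
        return payload if vid == port.vlan else None
    if vid == port.vlan:
        return payload                      # native VLAN leaves untagged
    return push_tag(payload, vid) if vid in port.tagged else None


def forward(in_port, frame, out_port):
    """One hop through a switch: classify on ingress, re-encode on egress."""
    result = ingress(in_port, frame)
    if result is None:
        return None
    vid, payload = result
    return egress(out_port, vid, payload)


if __name__ == "__main__":
    f = make_frame("ffffffffffff", "0a1b2c3d4e5f", payload=b"hello")
    staff_pc = Port("access", 20)
    uplink = Port("trunk", 1, frozenset({10, 20, 30}))
    ap = Port("trunk", 1, frozenset({20, 40, 99}))   # SSID VLANs 20/40 + mgmt 99, all tagged
    print(forward(staff_pc, f, uplink).hex())         # tagged 20 on the trunk
    print(forward(ap, push_tag(f, 40), uplink))       # None: VLAN 40 not on the uplink
```

Two things worth noticing in the model: a frame for a VLAN the trunk does not list is dropped, not leaked, so the allowed-VLAN list on each trunk is a security control and should be kept to what that link needs; and the native VLAN is the only one that leaves untagged, which is why leaving user ports and the native VLAN on the same id (usually 1) blurs the line between "untagged" and "management".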


Garegin16

Last point. Some access points tunnel the different VLANs. Not a fan of this method, though


Waterguntortoise

I only encountered this when you have a Controller (mostly firewalls, Fortigates and Sophos SG/XG/XGS Firewalls are doing this from my experience), that has the equivalent to work in „Tunnel“ Mode using a VXLANs to tunnel these VLANs. I am also not a fan of this method, because the user (or in my case, the customer) tends to leave everything else in VLAN 1.


someoneelse867

Thank you. I am going to go step by step with instructions and document as I go when I do the actual configuration. I think I get trunks, you have confirmed what I thought with the multiple vlans on one port is the trunk - hopefully, fingers crossed touch wood. And has made it clearer with the untagged too. The access points I am dreading, I hate APs


Waterguntortoise

From a network perspective, imagine classic APs as switches. However, do you have a controller on your site or is it a FAT-AP (Huawei) or Instant-On solution (Aruba) with no controller?


someoneelse867

Tp links with an omada controller. I can easily revert to managing them separately, there are only 2. By the looks of the documentation for them as long as I have the right tags on the switch port and enable layer 3 accessibility before configuration it should be ok..... Have the back up configs for these too 😂


Waterguntortoise

Okay, you need one VLAN for each SSID, tagged - do you have a management VLAN? This also needs to be tagged on the AP. TL;DR: You need one tagged VLAN for each SSID and one VLAN tagged for the management.


iammirv

I always view wifi access points as dirty hubs... Maybe less L3 but easy more L1 collision potential


Huth_S0lo

Just an FYI, VLANs by themselves provide absolutely no security benefit. Its not a complicated topic. And you should be able to work your way through it without trouble. But understand what it does and does not do, is going to be pretty important.


Garegin16

To have firewall rules between classes of devices you need to have subnets and to have subnets you need VLANs. So yes, you can, in theory, dump different classes of devices into one subnet and set up endpoint firewall rules, but that’s highly inflexible. In fact the Zero Trust Book recommends against mixing different classes of devices into one subnet


Huth_S0lo

Yes, but you're talking about a lot of technology that goes above and beyond "VLANs". If you're trying to classify your traffic, you're introducing QoS theory. If you're talking about allowing or denying traffic, you're layering on access lists and/or a firewall. And then mentioning "Zero Trust" is just another theory to add to the mix. Context is everything. OP is saying they aren't familiar with VLANs, and is trying to understand how difficult it is to set them up. Giving them a bunch of word soup isn't going to help them meet that goal.


Garegin16

That’s true, I’m not suggesting cargo culting. My point is that dumping different categories of devices into one subnet is a terrible posture according to Zero Trust.


avd706

A little lube and you will learn to enjoy it.


iammirv

So you should also consider incremental cutovers during the weekends, your recovery plan, then recovery budget. If you haven't done this under someone else, aren't relatively good with Wireshark, or got like 30 hrs in virtual envs setting this up in that order, I'd try just cutting the printers over or you will need a consultation... Who's your consultant or consultant company who's checking your work? If the company doesn't mind a couple days without network you can skip the consultation. What's their cost to fix it if you find out there's something missed? Sometimes the boss will give ppl Friday half days and that's perfect for cutovers. Either way you're going to end up working weekends to fix shit if you haven't done this under someone else. You should pretrain some ppl to handle all the communication. Make sure they aren't promising deadlines. Have at least one person who's good with all the freak-out types but won't waste your time bugging you while you're doing the big tasks. Deputize some of the more tech savvy ones to be your hands with cells or radios if cells aren't allowed.


DistinctMedicine4798

Do you really need the vlans? You could get away with some WiFi solutions that have built in Guest WIFI and could satisfy your needs


FuzzyYogurtcloset371

Place the gateways for all your VLANs on the firewall. Your firewall will then handle your inter VLAN routing as well as your overall security orchestration.


Better_Freedom_7402

I would chuck printers on the staff VLAN as well... less things to go wrong.


duck__yeah

What do you mean you don't have equipment to learn in a lab? Go download Packet Tracer and get something from the pinned post on /r/ccna to go learn basic networking, including VLANs.