Using VLAN to create guest network on shared resources

  • So @BRRABill and I were talking and he asked why I was using VLANs when @scottalanmiller is generally so against them.

    Here's my situation.

    I have two buildings connected by fiber.

    Building 105
    corporate ISP connection

    Building 111
    Guest ISP connection

    I have two VLANs (really I have several - but let's not worry about the additional ones)
    The default VLAN is my corporate network. All things that matter corporate wise are here.
    VLAN 200 is the Guest VLAN

The ports for the fiber connection between buildings are trunked for both VLANs
    All ports in the 105 building are non-tagged on the default VLAN and tagged Guest VLAN (for security, this could be reduced to only the AP ports)
    Port 2, switch 1 in the 105 building is non-tagged default VLAN
    Port 2, switch 1 is connected to the corporate firewall, which is connected to the corporate ISP.
    All ports except port 1, switch 1 in the 111 building are also non-tagged default VLAN and tagged Guest VLAN
    Port 1, switch 1 in 111 is non-tagged Guest VLAN only
    Port 1 plugs into a firewall, which is then connected to my guest ISP connection.

    All APs have two SSIDs, the corporate one puts people on the corporate network, the guest one puts people on the Guest VLAN.

    So - would you do anything different, if so, what and why?

  • Now I didn't need to use a separate ISP for the Guest network, I could have set up VLAN trunking on the corporate firewall connection, and then set up rules inside the corporate firewall to split the traffic as desired.
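The port rules from the first post, turned into a small reachability check. This is an added example, not part of the post or the poster's actual switch configuration: the switch names, the fiber port numbers, the AP and desk ports, and VLAN 1 as the default VLAN are all assumptions; the post only fixes port 2 (corporate firewall) in building 105, port 1 (guest firewall) in building 111, and VLAN 200 as the guest VLAN. The model floods a frame on one VLAN out of every port on the switch that carries that VLAN, follows the fiber link to the other switch, and reports which ports it can land on. `isolation_holds` checks the property the design depends on (guest VLAN never reaches the corporate firewall port, default VLAN never reaches the guest firewall port), and `surplus_guest_tags` lists the ports the post says could be trimmed so that only the AP ports carry the guest VLAN.

```python
"""Reachability model of the two-building guest/corporate VLAN layout.

Constructed example. Switch names, the fiber port numbers and the AP/desk
ports are assumptions; the post only fixes port 2 (corporate firewall) in
building 105, port 1 (guest firewall) in building 111, and VLAN 200.
"""
from collections import deque

DEFAULT_VLAN = 1    # the switch default VLAN, used for the corporate network (assumed id)
GUEST_VLAN = 200    # the guest VLAN from the post

# (switch, port) -> {"untagged": PVID, "tagged": set of 802.1Q VLAN ids,
# "device": what is plugged in}.  Mirrors the port rules in the post.
PORTS = {
    ("105-sw1", 1): {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "fiber"},
    ("105-sw1", 2): {"untagged": DEFAULT_VLAN, "tagged": set(),        "device": "corp-firewall"},
    ("105-sw1", 3): {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "ap"},
    ("105-sw1", 4): {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "desk"},
    ("111-sw1", 1): {"untagged": GUEST_VLAN,   "tagged": set(),        "device": "guest-firewall"},
    ("111-sw1", 2): {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "fiber"},
    ("111-sw1", 3): {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "ap"},
}
# The fiber run between the buildings, as a pair of linked switch ports.
LINKS = {("105-sw1", 1): ("111-sw1", 2), ("111-sw1", 2): ("105-sw1", 1)}

CORP_FW = ("105-sw1", 2)
GUEST_FW = ("111-sw1", 1)


def carries(ports, port, vlan):
    """True if `port` accepts or emits frames of `vlan` (untagged or tagged)."""
    cfg = ports[port]
    return cfg["untagged"] == vlan or vlan in cfg["tagged"]


def reachable(ports, links, vlan, start):
    """Egress ports a frame on `vlan` entering at `start` can be flooded to.

    Within a switch the frame may leave on any other port that carries the
    VLAN; if that port is one end of an inter-switch link and the far end
    also carries the VLAN, the frame enters the peer switch and the search
    continues there.  Each switch is expanded once, so loops terminate.
    """
    if not carries(ports, start, vlan):
        return set()          # ingress filtering drops it at the first port
    egress, expanded = set(), set()
    queue = deque([start])
    while queue:
        ingress = queue.popleft()
        switch = ingress[0]
        if switch in expanded:
            continue
        expanded.add(switch)
        for port in ports:
            if port[0] != switch or port == ingress:
                continue
            if not carries(ports, port, vlan):
                continue
            egress.add(port)
            peer = links.get(port)
            if peer is not None and carries(ports, peer, vlan):
                queue.append(peer)
    return egress


def devices_reachable(ports, links, vlan, start):
    """Device names (link ports excluded) that frames on `vlan` from `start` reach."""
    return {ports[p]["device"] for p in reachable(ports, links, vlan, start)} - {"fiber"}


def isolation_holds(ports, links):
    """The property the design relies on: no guest-VLAN frame from any port
    reaches the corporate firewall port, and no default-VLAN frame reaches
    the guest firewall port."""
    for port in ports:
        if CORP_FW in reachable(ports, links, GUEST_VLAN, port):
            return False
        if GUEST_FW in reachable(ports, links, DEFAULT_VLAN, port):
            return False
    return True


def surplus_guest_tags(ports, allowed=("ap", "fiber")):
    """Ports tagged for the guest VLAN that serve neither an AP nor the
    inter-building link: the set the post suggests trimming."""
    return sorted(p for p, cfg in ports.items()
                  if GUEST_VLAN in cfg["tagged"] and cfg["device"] not in allowed)


if __name__ == "__main__":
    print("isolation holds:", isolation_holds(PORTS, LINKS))
    print("guest SSID traffic from the 105 AP reaches:",
          sorted(devices_reachable(PORTS, LINKS, GUEST_VLAN, ("105-sw1", 3))))
    print("guest tags to trim:", surplus_guest_tags(PORTS))
    # Constructed misconfiguration: VLAN 200 gets tagged onto the corporate
    # firewall port as well, and the isolation check now fails.
    bad = dict(PORTS)
    bad[CORP_FW] = {"untagged": DEFAULT_VLAN, "tagged": {GUEST_VLAN}, "device": "corp-firewall"}
    print("isolation after mis-tagging the corporate firewall port:",
          isolation_holds(bad, LINKS))
```

On the layout as described, the check passes, and the only surplus guest tag is the desk port, which is exactly the "reduce to only the AP ports" remark. Running the same check on a copy where the guest VLAN has been tagged onto the corporate firewall port shows it failing, which is the kind of regression a config review should catch. The second post's alternative (trunk both VLANs to the corporate firewall and split them there) would be modelled by tagging VLAN 200 on port 2 deliberately and moving the isolation rule into the firewall, so this switch-level check would no longer be the place where that property is enforced.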

