New to Vlans.

Deleted74295

My brain is not working tonight, this should be simple but I'm missing the obvious.

Existing network 192.168.1.1 for private LAN (I know the range is bad, going to change it)

Looking to add a new network on 10.0.0.1 to go from Unifi APs to the internet with no access to the LAN, whilst having the hidden SSID for private LAN enabled.

DHCP/DNS for the LAN is already provided by the windows server, my plan was to use the gateway firewall as the DHCP for the guest network using a separate VLan.

I have already set this up on my Sonicwall Gateway to provide DHCP on VLan 100.

When I get to the HP Managed switches between the Sonicwall, this is the bit my brain goes "wha"

VLAN.tiff

These switches were pre-set before I got near them, You can see I've added NGuest below as ID-100 but the tagged/untagged concept confuses me, I've done reading on various sites explaining how a VLAN adds a "tag" to a packet so that the switch keeps them separate when going across the network, what I can't work out is how tagged/untagged works.

Thanks in advance. This is probably a bit too basic for some

Tagged means it has to be tagged to be on that clan. Generally, your VLANs will be tagged on trunk ports (this may be uplinks, ports to Aps routers etc.) Untagged vlan on the trunk port will be where traffic that hasn't been tagged goes. This will generally be your native vlan 1 and you want to disable any kinda of routing on this vlan.

Access ports are always untagged ports in the vlan you set it to.

Voice Vlans are trunk ports with untagged for the end device on the port and auto voice vlan by OUI of the phone vendor.

tonyshowoff

Since your new, please don't get obsessed with VLANs, in fact most of the time in offices they're not even really necessary, but often I see people creating 10, 15, 20 of them for sometimes even less computers. Use them when necessary or fitting a standard or security policy. That's just a warning.

Deleted74295

Yeah, just because the feature exists don't over-use it. I've seen enough of that with AD security groups and folder permissions.

I'll have a play and see if I can get it working, I think I've got it now, brain still is still a bit foggy.

There's really only a few reasons you need to logically separate networks. Most are for security.
The most common are:
Seperating Public Network from Private.. Staff/Guest/Public Vlans etc.
DMZ Internet public Vlan (generally with an additional firewall)
Voice (though this isn't always needed, especially if you are very small and don't have compliance issues).

Some people will use it for increasing network size. This is not the proper use of a VLAN you should increase your scope/subnet size in that case.

When you have departments that you need to secure from each other you can use VLANs as well. but the need for that will be rare in SMBs.

Deleted74295

@thecreativeone91

So in essence, would the below be true.

Ports 1-20 are lan devices
Ports 21-23 are wifi for private and guest
Port 24 is the gateway router.

VLAN 2 = Ports 1-20 are Tagged port 24, with untagged 1-20 for
VLAN 2 = Ports 21-23 Tagged port 24, with untagged 1-23 for
VLAN 3 = Ports 21-23 are tagged port 24, with untagged ?

If you are using multiple SSIDs from the same APs and using vlans they need to be tagged in those ports. Depending on the ap it may not have a managment VLAN setting so you either need to make it untagged on your staff network or mamagment vlan depending on how your network is setup.