Chapter 6

Designing a LAN

VLANs intro, gateway, DNS on LAN, Wi‑Fi vs wired.

Learning objectives

  • Sketch a small-business LAN with gateway and DNS
  • Separate guest Wi‑Fi from trusted office traffic
  • Place wired vs wireless devices logically

Physical layout → logical design

Workshop Co.’s Edmonton shop has a front office, open shop floor, and storage. Cabling runs to a closet with the fibre handoff, router/firewall, switch, and NVR.

                    [ Internet ]
                         │
                   198.51.100.44
                         │
              ┌──────────┴──────────┐
              │  Firewall / Router  │
              │  DHCP, NAT, VLANs   │
              └──────────┬──────────┘
           ┌─────────────┼─────────────┐
           │             │             │
      [ Switch ]    [ AP office ]  [ AP guest ]
      wired PCs     Wi‑Fi staff     Wi‑Fi clients
      printers      laptops         (isolated)

VLANs — introduction

A VLAN (Virtual LAN) is a layer-2 segment identified by an 802.1Q tag on the trunk between switch, APs and router. Ports or SSIDs assigned to different VLAN IDs cannot exchange frames directly, so the devices behave as if they were plugged into separate switches; anything that has to cross from one VLAN to another passes through the router/firewall, which is where it can be filtered. Workshop Co. uses:

VLAN ID  Name     Subnet             Access
10       office   192.168.10.0/26    Staff, printers, intranet
20       shop     192.168.10.64/26   POS, kiosk
30       cameras  192.168.10.128/27  NVR only; no inbound from the internet
99       guest    192.168.20.0/24    Internet only, no LAN access
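As an added check, not part of the chapter, the plan above fed through Python's standard ipaddress module: it rejects overlapping or non-RFC1918 subnets, reports usable host counts, maps an address back to its VLAN, and lists the unassigned blocks left in 192.168.10.0/24 for future VLANs. The VLAN IDs and subnets are the chapter's; the convention that the router takes the first usable address of each subnet (192.168.10.1 on VLAN 10, and so on) is an assumption made here.

```python
"""Check Workshop Co.'s VLAN addressing plan with the standard library.

Added example, not from the chapter. The VLAN IDs and subnets are the
chapter's table; the assumption that the router takes the first usable
address of each subnet (e.g. 192.168.10.1 on VLAN 10) is ours.
"""
import ipaddress

# VLAN plan from the chapter's table: id -> (name, subnet)
VLAN_PLAN = {
    10: ("office", "192.168.10.0/26"),
    20: ("shop", "192.168.10.64/26"),
    30: ("cameras", "192.168.10.128/27"),
    99: ("guest", "192.168.20.0/24"),
}

# RFC 1918 ranges listed explicitly: ipaddress.is_private also counts
# documentation space such as 198.51.100.0/24, which we do not want here
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def networks(plan=VLAN_PLAN):
    """Parse the plan into {vlan_id: IPv4Network}. strict=True rejects a
    prefix with host bits set, a common typo such as 192.168.10.65/26."""
    return {vid: ipaddress.ip_network(cidr, strict=True)
            for vid, (_, cidr) in plan.items()}


def check_plan(plan=VLAN_PLAN):
    """Return a list of problems: overlapping subnets, non-RFC1918 space,
    or prefixes too small to hold a router plus at least one host."""
    nets = networks(plan)
    problems = []
    ids = sorted(nets)
    for i, a in enumerate(ids):
        if not any(nets[a].subnet_of(r) for r in RFC1918):
            problems.append(f"VLAN {a}: {nets[a]} is not RFC1918 space")
        if nets[a].num_addresses < 4:
            problems.append(f"VLAN {a}: {nets[a]} has no room for hosts")
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b} overlap: {nets[a]} / {nets[b]}")
    return problems


def usable_hosts(vid, plan=VLAN_PLAN):
    """Usable addresses: block size minus network and broadcast."""
    return networks(plan)[vid].num_addresses - 2


def gateway(vid, plan=VLAN_PLAN):
    """Assumed convention: the router is the first usable address."""
    return str(next(networks(plan)[vid].hosts()))


def vlan_for(ip, plan=VLAN_PLAN):
    """Which VLAN owns this address? None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for vid, net in networks(plan).items():
        if addr in net:
            return vid
    return None


def free_space(supernet="192.168.10.0/24", plan=VLAN_PLAN):
    """Unassigned blocks of a parent range, available for future VLANs."""
    parent = ipaddress.ip_network(supernet)
    free = [parent]
    for used in networks(plan).values():
        if not used.subnet_of(parent):
            continue
        remaining = []
        for block in free:
            if used.subnet_of(block):
                # CIDR blocks either nest or are disjoint, so carving is exact
                remaining.extend(block.address_exclude(used))
            else:
                remaining.append(block)
        free = remaining
    return sorted(str(b) for b in free)


if __name__ == "__main__":
    print("problems:", check_plan() or "none")
    for vid, (name, _) in VLAN_PLAN.items():
        print(f"VLAN {vid:>2} {name:<8} gw {gateway(vid):<15} {usable_hosts(vid):>3} hosts")
    print("free in 192.168.10.0/24:", free_space())
```

Running it shows the /27 for cameras leaves 192.168.10.160/27 and 192.168.10.192/26 unused, which is where a later VLAN (for example a management VLAN for the switch, APs and NVR) would go without renumbering anything.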

DNS on the LAN

Workshop Co. runs a local DNS forwarder on the router (or on a Pi-hole). Staff PCs receive the resolver address from DHCP, typically the gateway 192.168.10.1, which forwards queries upstream to Cloudflare (1.1.1.1) or a Canadian resolver. Optional internal hostnames such as printer.workshop.lan are answered from the forwarder's own records and are never sent upstream, so internal names and addresses are not leaked to public DNS.
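The decision a split-horizon forwarder makes for each query, as an added example that is not from the chapter: it models the behaviour of a forwarder such as dnsmasq configured with `local=/workshop.lan/` (answer the zone locally, never forward it, even for names it does not know) and `bogus-priv` (never forward reverse lookups for private address space). The host table is constructed; only printer.workshop.lan and the 192.168.10.1 gateway appear in the chapter, and 1.1.1.1 is the chapter's example upstream.

```python
"""Split-horizon decisions for the shop's LAN resolver.

Added example, not from the chapter. Models what a forwarder such as
dnsmasq does with `local=/workshop.lan/` and `bogus-priv`. The host
table is constructed; the addresses other than 192.168.10.1 are assumed.
"""
import ipaddress

LOCAL_ZONE = "workshop.lan"
UPSTREAM = "1.1.1.1"   # chapter's example upstream resolver

# Constructed internal records (name -> address)
HOSTS = {
    "router.workshop.lan": "192.168.10.1",
    "printer.workshop.lan": "192.168.10.20",
    "nvr.workshop.lan": "192.168.10.130",
}
REVERSE = {ipaddress.ip_address(a): n for n, a in HOSTS.items()}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _normalise(name):
    return name.rstrip(".").lower()


def _in_local_zone(name):
    return name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)


def _ptr_target(name):
    """20.10.168.192.in-addr.arpa -> IPv4Address('192.168.10.20'), else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def resolve(name, qtype="A"):
    """Decide how one query is handled. Returns (action, answer):
      ("local", value)     answered from local records (None = empty answer)
      ("nxdomain", None)   in the local zone or private reverse space but
                           unknown: answered locally, never forwarded
      ("forward", server)  sent upstream
    """
    name = _normalise(name)
    if qtype == "PTR":
        addr = _ptr_target(name)
        if addr is not None and any(addr in n for n in RFC1918):
            hit = REVERSE.get(addr)            # bogus-priv: stays on the LAN
            return ("local", hit) if hit else ("nxdomain", None)
        return ("forward", UPSTREAM)
    if _in_local_zone(name):
        if name in HOSTS:
            # A gets the address; other types get an empty local answer
            return ("local", HOSTS[name] if qtype == "A" else None)
        return ("nxdomain", None)              # local=/workshop.lan/: no leak
    return ("forward", UPSTREAM)


def forwarded(queries):
    """Names from a list of (name, qtype) that would leave the LAN.
    Run this over a captured query log to spot leaking internal names."""
    return [q for q, t in queries if resolve(q, t)[0] == "forward"]
```

The two cases worth noticing are the ones the paragraph does not spell out: a typo like nas.workshop.lan must produce NXDOMAIN locally rather than a query to 1.1.1.1 for a .lan name, and a PTR lookup for 192.168.10.x must never go upstream either, because both would reveal the internal naming scheme and addressing to whoever operates the upstream resolver.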

Guest isolation

The guest VLAN must not be able to reach the office subnets. Firewall rules, evaluated in order: deny guest → all RFC1918 space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), then allow guest → anything else (the WAN). If a captive portal is used, a narrow allow for the portal's address and ports goes ahead of the deny. Because the guest gateway itself sits in private space, that deny also needs an explicit allow for DHCP and DNS to the router's guest-side address placed before it, or guests will not get an address or resolve names at all.

Worked example — class night Wi‑Fi load

Twenty students join the guest Wi‑Fi during a Saturday class. With a /24 guest subnet (254 usable addresses) and 8-hour leases, the pool is nowhere near exhaustion and addresses recycle cleanly between classes. VLAN separation keeps guest traffic away from the POS, but it does not reserve bandwidth: both VLANs share the same WAN uplink, so a per-SSID bandwidth limit (or QoS on the uplink) is what prevents one streaming guest from starving the shop's POS on VLAN 20.

Try it yourself — add a device

Workshop Co. buys a wired label printer for the shop VLAN. List VLAN, subnet, reservation vs pool, and firewall rule you would apply.

Answer

VLAN 20 (shop), subnet 192.168.10.64/26, DHCP reservation (e.g. 192.168.10.75) so the printer's address never changes. The POS terminals are on the same VLAN, so POS → printer traffic is switched at layer 2 and never crosses the firewall; no rule is needed for it. At the firewall: allow office (VLAN 10) → 192.168.10.75 TCP 9100 only if staff must print from the office, and deny everything else to the printer. Guest → printer is already covered by the deny guest → RFC1918 rule.
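A first-match evaluator for the policy described in the Guest isolation section and in the label-printer answer above, as an added example that is not part of the chapter. The zones are the chapter's VLAN table and the guest and printer rules follow the text; everything marked "assumed" in the code (the router holding the first address of each VLAN, DNS and the captive portal served by the guest gateway, staff printing from the office, office and shop reaching the WAN) is an assumption made here. It also makes the same-VLAN case explicit: a rule written for POS → printer on VLAN 20 never matches anything, because that traffic is switched, not routed.

```python
"""First-match evaluation of Workshop Co.'s inter-VLAN firewall policy.

Added example, not from the chapter. Zones come from the chapter's VLAN
table; guest and printer rules follow the text; lines marked "assumed"
are ours.
"""
import ipaddress

ZONES = {
    "office": "192.168.10.0/26",
    "shop": "192.168.10.64/26",
    "cameras": "192.168.10.128/27",
    "guest": "192.168.20.0/24",
}
ZONE_NETS = {z: ipaddress.ip_network(c) for z, c in ZONES.items()}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the router holds the first usable address of every VLAN
ROUTER_ADDRS = {next(n.hosts()) for n in ZONE_NETS.values()}
GUEST_GW = "192.168.20.1"          # assumed guest-side router address
LABEL_PRINTER = "192.168.10.75"    # reservation from the chapter's answer

# (src zone, dst spec, proto, dports, action), evaluated top to bottom.
# dst spec: a zone name, "wan", "rfc1918", "any", or a single address.
RULES = [
    ("guest", GUEST_GW, "udp", {53}, "allow"),          # assumed: guest DNS from the gateway
    ("guest", GUEST_GW, "tcp", {80, 443}, "allow"),     # captive portal, if used
    ("guest", "rfc1918", "any", None, "deny"),          # chapter: deny guest -> RFC1918
    ("guest", "any", "any", None, "allow"),             # chapter: allow guest -> WAN
    ("office", LABEL_PRINTER, "tcp", {9100}, "allow"),  # assumed: staff print from the office
    ("office", "wan", "any", None, "allow"),            # assumed
    ("shop", "wan", "any", None, "allow"),              # assumed: POS payment processing
    # cameras: no allow rule at all, so the default deny keeps them on their VLAN
]


def zone_of(ip):
    """Classify an address: a VLAN name, "router" for the firewall's own
    addresses, "wan" for public space, or "other-private"."""
    addr = ipaddress.ip_address(ip)
    if addr in ROUTER_ADDRS:
        return "router"
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "other-private" if any(addr in n for n in RFC1918) else "wan"


def _dst_matches(dst_ip, spec):
    addr = ipaddress.ip_address(dst_ip)
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(addr in n for n in RFC1918)
    if spec == "wan":
        return zone_of(dst_ip) == "wan"
    if spec in ZONE_NETS:
        return addr in ZONE_NETS[spec]
    return addr == ipaddress.ip_address(spec)


def decide(src_ip, dst_ip, proto="tcp", dport=None):
    """Return "allow", "deny", or "switched" for one flow. "switched" means
    both ends sit on the same VLAN: the frame never reaches the router,
    so no firewall rule can permit or block it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src in ZONE_NETS:
        return "switched"
    for rsrc, rdst, rproto, rports, action in RULES:
        if rsrc != src:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rports is not None and dport not in rports:
            continue
        if _dst_matches(dst_ip, rdst):
            return action
    return "deny"   # default deny


def guest_reachable_lan():
    """Audit: LAN zones a guest can reach on common ports. Expect []."""
    guest = "192.168.20.50"
    probes = [("tcp", 22), ("tcp", 80), ("tcp", 445), ("tcp", 9100), ("udp", 53)]
    reached = []
    for zone, net in ZONE_NETS.items():
        if zone == "guest":
            continue
        host = str(list(net.hosts())[1])   # second usable address: a plain host
        for proto, port in probes:
            if decide(guest, host, proto, port) == "allow":
                reached.append((zone, host, proto, port))
    return reached
```

Two results are worth checking by hand: guest → 192.168.20.1 on TCP 22 is denied even though the gateway's DNS and portal ports are open, because the port-specific allows sit above the broad RFC1918 deny; and cameras → anything off VLAN 30 is denied without a single cameras rule, which is the quiz's "contain compromise" answer expressed as policy.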

Quick quiz

  1. What is the default gateway’s role?
  2. Why put cameras on their own VLAN?
  3. How does guest Wi‑Fi differ from office Wi‑Fi in policy?

Answers
  1. Forward traffic to destinations outside the local subnet (usually internet).
  2. Contain compromise; block camera → office lateral movement; simplify rules.
  3. Guest gets internet only; office can reach internal resources.