DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Remote Office Network Setup

15 Sep 2023 12:11 #1 by marculos56
Remote Office Network Setup was created by marculos56
Hi,

Currently we have main and guest networks at 30 locations on 2865 and 2765 routers and various DrayTek APs. All corporate devices are on e.g. 10.1.1.1/24 subnet on VLAN0.
Guest is on VLAN1, using VLAN tag for guest network on 192.168.2.1/24.

I can see these routers support 15 VLANs and 8 LANs. We also use Netgear switches.

I have been told by our Cyber Security manager that we need separate VLANs/subnets for routers, APs, switches, servers, printers, IoT devices, EV hubs etc., rather than having them all on one flat network. Any best practice guides here? Really appreciate the support.

Thanks

15 Sep 2023 17:25 #2 by pharcyder
Replied by pharcyder on topic Re: Remote Office Network Setup
Lots of how-tos here:

https://www.draytek.com/support/knowledge-base/
https://www.draytek.co.uk/support/support-articles-index

17 Sep 2023 22:56 #3 by HodgesanDY
Replied by HodgesanDY on topic Re: Remote Office Network Setup
Hi Marculos56,

Best practices, I would say: map out your network. You could use a simple text document, although you’d need to come up with a sensible way to lay it all out, or use something like Visio to map out the entire network. Trust me, you will appreciate it 6 months to a year later, when someone wants to add additional devices to the network!

It sounds like you already have the means to VLAN everything off. Plus, if you’re using VLAN Tags already, then you must have APs and Switches capable of handling the VLAN Tag IDs too.

Ultimately you want all of your infrastructure devices on a ‘Management VLAN’ as well; Switches, APs, etc. That will prevent a node on a non-management VLAN from gaining access to, say, the GUI of an infrastructure device, i.e. a Switch or an AP.

Look up “VLAN Hopping” too, just so you’re aware of it, and can take action to prevent it, if required.

Hope this helps, a little.

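One way to keep the plain-text network map suggested in the reply above, covering the device classes listed in the opening post; this is an added example, not part of any forum reply. The 10.<site>.<octet>.0/24 scheme, the VLAN tags and the function names are assumptions, and the 8 LAN / 15 VLAN limits are the figures quoted in the thread.

```python
import ipaddress

MAX_LANS, MAX_VLANS = 8, 15  # per-router limits as quoted in the thread
# (segment, 802.1Q tag, third octet); tags and octets are assumed values
SEGMENTS = [("corporate", 10, 1), ("guest", 20, 2), ("servers", 30, 3),
            ("printers", 40, 4), ("iot", 50, 5), ("ev-hubs", 60, 6),
            ("management", 99, 9)]  # routers, switches and APs live here

def build_plan(sites, segments=SEGMENTS):
    """One row per (site, segment), assumed scheme 10.<site>.<octet>.0/24."""
    plan = []
    for site in sites:
        for name, tag, octet in segments:
            net = ipaddress.ip_network(f"10.{site}.{octet}.0/24")
            plan.append({"site": site, "segment": name, "tag": tag,
                         "net": net, "gateway": net.network_address + 1})
    return plan

def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors, by_site = [], {}
    for row in plan:
        by_site.setdefault(row["site"], []).append(row)
    limit = min(MAX_LANS, MAX_VLANS)  # each segment uses one LAN and one VLAN
    for site, rows in by_site.items():
        if len(rows) > limit:
            errors.append(f"site {site}: {len(rows)} segments, router limit {limit}")
        tags = [r["tag"] for r in rows]
        if len(set(tags)) != len(tags):
            errors.append(f"site {site}: duplicate VLAN tag")
        # Tag 1 is the default/native VLAN on many switches; keep hosts off it.
        if any(not 2 <= t <= 4094 for t in tags):
            errors.append(f"site {site}: VLAN tag outside 2-4094")
    nets = sorted(r["net"] for r in plan)
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):  # CIDR blocks nest or are disjoint, so neighbours suffice
            errors.append(f"overlap: {a} and {b}")
    return errors

def render(plan):
    """Plain-text network map, one line per segment."""
    head = f"{'site':<6}{'segment':<12}{'tag':<5}{'subnet':<15}gateway"
    body = [f"{r['site']:<6}{r['segment']:<12}{r['tag']:<5}{str(r['net']):<15}{r['gateway']}"
            for r in plan]
    return "\n".join([head] + body)

if __name__ == "__main__":
    plan = build_plan(range(1, 31))  # 30 locations, as in the thread
    print(render(plan[:7]))
    print(validate(plan) or "plan is consistent")
```

Seven segments per site stay inside the quoted 8-LAN limit, so adding two more device classes makes `validate` report the overrun before anything is configured on a router.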