Advice for my new VLAN-based home network


Popal

New Around Here
Hi,

I'm seeking your advice for my new home network.

Today, I have a flat network featuring Gigabit Ethernet, a central server hosting photos, videos, documents, music, etc. Everything is connected to the internet through my ISP router. I only use unmanaged switches (Netgear) and 5 years later everything works fine.

For my new home, I want to add more features, more flexibility and more security. By features I mean PoE, VPN access, guest access, etc. I've been thinking of using 802.1Q VLANs to achieve this, but I'm stuck on inter-VLAN routing.

Here's the draft topology:
- VLAN 1: ISP router 192.168.1.1
- VLAN 2: private network 192.168.2.0/24 = server, PCs, TV, printer, media renderer, private Wifi AP
- VLAN 3: guest network 192.168.3.0/24 = guest cabled access to selected resources, internet access, guest Wifi AP with captive portal
- VLAN 4: host for VPN access
- VLAN 5: surveillance IP cameras or similar

I'm thinking about placing the server in a DMZ (another VLAN).

Now, if VLAN 2 must access the internet on VLAN 1, I must route the traffic either with a router if I use a Layer 2 switch, or with a Layer 3 switch.

If I'm right, it's no cheaper to buy a Layer 2 switch + a router instead of a Layer 3 switch.

Now, I also need PoE. It's no cheaper to buy a couple of PoE injectors and a non-PSE switch instead of a PSE switch, so I'd go for a PoE switch.

In the end, I'd choose a Layer 3 PoE switch such as the Cisco SG-300 28P, but it's quite out of budget (>650-700€). I've been wondering if it would be cheaper and reliable to buy a small Cisco SG-300 10 (L3, no PoE) and another cheap L2 802.1Q-compliant switch. What do you think?

Thank you for your remarks and advice.

Popal
 
You don't have to use different subnets when you use VLANs. That would simplify your problem and widen your switch choices.
 
VLAN 1 is the default management VLAN. It'd be unwise to make that your outside interface.

You don't have to use different subnets when you use VLANs. That would simplify your problem and widen your switch choices.

The subnets are necessary for inter-VLAN routing.

You have medium-size business requirements on a household budget. Something's gotta give.

The least terrible but still affordable way of meeting your requirements is buying a used/EOL Cisco router and having it handle inter-VLAN routing. Trunk it to a VLAN-capable switch. Add individual PoE injectors or a PoE switch as necessary. You'd still need another device capable of being a captive portal and terminating VPN sessions. A low-end pfSense box could handle this. Actually, the pfSense box could handle the network segregation and routing duty too, but you are less likely to get support if you run into problems.
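As an added worked example of the "used Cisco router doing inter-VLAN routing, trunked to a VLAN-capable switch" approach this reply suggests, applied to the draft topology in the opening post, here is a router-on-a-stick configuration in Cisco IOS syntax. It is not configuration from the thread or from Cisco documentation. Assumptions, also marked in the comments: the interface names, the 192.168.4.0/24 and 192.168.5.0/24 subnets for VLANs 4 and 5 (the post gives none), a server at 192.168.2.10 and a printer at 192.168.2.20 as the "selected resources" guests may reach, and an ISP router that answers DNS. VPN termination and the captive portal are left to the separate device the reply mentions.

```cisco
! Router-on-a-stick: one physical interface carries an 802.1Q trunk to the
! switch, one sub-interface per VLAN does the routing and holds the policy.
! Constructed example; interface names, the VLAN 4/5 subnets and the host
! addresses 192.168.2.10 (server) and 192.168.2.20 (printer) are assumptions.
interface GigabitEthernet0/1
 description 802.1Q trunk to VLAN-capable switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.1
 description VLAN 1 - ISP router side (the thread advises not using VLAN 1 here)
 encapsulation dot1Q 1 native
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1.2
 description VLAN 2 - private network
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 description VLAN 3 - guest network
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface GigabitEthernet0/1.4
 description VLAN 4 - VPN host (subnet assumed)
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 description VLAN 5 - IP cameras (subnet assumed)
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group CAMERA-IN in
!
! Everything not local leaves via the ISP router on VLAN 1.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! DHCP for the guest VLAN; the other VLANs get pools the same way.
ip dhcp excluded-address 192.168.3.1 192.168.3.9
ip dhcp pool GUEST
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.1.1
!
! Guest policy, evaluated top-down on packets entering from VLAN 3:
!  - DHCP to this router, DNS to the ISP router (assumed to run a resolver)
!  - the "selected resources": HTTPS on the server, raw printing on the printer
!  - nothing else in private address space (this also keeps guests away from
!    the ISP router's admin interface and from the other VLANs), then internet
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.1.1 eq domain
 permit tcp any host 192.168.2.10 eq 443
 permit tcp any host 192.168.2.20 eq 9100
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Camera policy: cameras only talk to the server that records them and get no
! internet at all. The "established" line lets replies flow back to private
! PCs that open a session towards a camera; it is a stateless check on TCP
! flags, which a stateful firewall (the pfSense box) does properly.
ip access-list extended CAMERA-IN
 permit udp any eq bootpc any eq bootps
 permit ip any host 192.168.2.10
 permit tcp any 192.168.2.0 0.0.0.255 established
 deny   ip any any
```

For this to work without NAT on the inner router, the ISP router must have static routes back to 192.168.2.0/24 through 192.168.5.0/24 via 192.168.1.2; if it cannot be given static routes, the inner router has to NAT towards VLAN 1, which is the double-NAT situation raised later in the thread.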
 
The subnets are necessary for inter-VLAN routing.
I would say the inverse, you need inter-VLAN routing if you have subnets.

For small networks, you can use VLANs without subnetting.
 
I would say the inverse, you need inter-VLAN routing if you have subnets.

For small networks, you can use VLANs without subnetting.

What are you suggesting, making all ports trunks? That wouldn't segregate traffic (his apparent goal), and poses a problem for devices that don't handle tagged frames properly.
 
Hello,

Thank you very much for your answers and thoughts.

There's something I actually don't understand at all: if the goal of VLANs is to segregate traffic, how do we route without a Layer 3-aware device? I expect that by design, IP 192.168.100.1 on VLAN A can't reach 192.168.100.2 on VLAN B unless I tell it so (in a router or L3-aware device).

For information, today I have about 20 devices on my LAN, I expect 10-15 more for the new LAN at first including surveillance cameras.

Thx.
 
At a simple, single-switch, single-subnet level, VLANs work by controlling broadcast packets, as explained on page 2 of the article linked above. So in a single VLAN-enabled switch with all devices in the same subnet, no routing is required.

Once you get beyond a single physical switch, VLAN packets need to be tagged and all devices need to be able to properly process the tags. You still, however, don't need subnets to keep traffic separate.
 
No. If everything is on one switch, there is no need.
VLAN How To: Segmenting a small LAN

Ok, I understand how VLANs are implemented in the example.

Frames received by a switch on a particular port are tagged in accordance with the switch-assigned PVID. The frame is only forwarded to ports that permit that VLAN. The port is configured to strip tags from all outbound frames, so clients can't tell a difference between VLANs.

Pedantry aside about whether this is routing (it's not, it's filtering), it would work since filtering is handled on a per-port basis. The switch would have to support general mode, which is not universal. This method is not very secure since the "dump all the VLANs into outbound traffic" approach allows VLAN-capable devices to pick and choose their VLAN by tagging their own frames. To prevent this on a six-VLAN network, you'd have to work out 15 permit/deny inter-VLAN relationships and apply them on a per-port basis, for every port.

thiggins said:
You still, however, don't need subnets to keep traffic separate.
The subnets are for routing between VLANs.
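The post above describes the single-switch, single-subnet method (ingress frames take the port's PVID, are forwarded only to ports that admit that VLAN, and leave untagged) and why a port in general mode lets a VLAN-aware host choose its own VLAN. The following is an added example, not configuration from the article or from anyone in the thread, written in Cisco Sx300 (SG-300) CLI syntax as recalled from the Sx300 CLI guide; check the exact commands against your firmware's reference. Port numbers and which device sits on which port are assumptions, and the trunk on gi1 assumes a separate router or L3 device does the inter-VLAN routing. It shows the weak "general" port beside the corrected access-port layout.

```cisco
! Constructed example in Cisco Sx300 (SG-300) CLI syntax; port assignments are
! assumptions. Inter-VLAN routing is assumed to be done by a separate router or
! L3 device reached through the trunk on gi1.
vlan database
 vlan 2-5
exit
!
! Uplink: the only port that carries tagged frames for every VLAN.
! VLAN 1 remains the untagged native VLAN of the trunk.
interface gi1
 description Trunk to router
 switchport mode trunk
 switchport trunk allowed vlan add 2-5
exit
!
! Weak setting (what the single-switch method needs; shown commented out, not
! applied): the printer port is an untagged member of VLAN 2 and VLAN 3 at
! once, so private and guest hosts both reach it without a router. A general
! port admits tagged frames by default, so a VLAN-aware host on such a port
! picks its VLAN by tagging its own frames, and the permit/deny filtering has
! to be maintained per port for every pair of VLANs.
!   interface gi5
!    switchport mode general
!    switchport general pvid 2
!    switchport general allowed vlan add 2,3 untagged
!
! Corrected: every end-device port is an access port. Ingress frames receive
! the port's PVID, tagged frames are not accepted and egress is untagged, so a
! client cannot move itself to another VLAN. Whether guests may reach the
! printer is then decided by the router's policy between 192.168.3.0/24 and
! 192.168.2.0/24, not by VLAN membership tricks on the switch.
interface range gi2-5
 description Private network (server, PCs, TV, printer) - VLAN 2
 switchport mode access
 switchport access vlan 2
exit
!
interface range gi6-7
 description Guest wired ports - VLAN 3
 switchport mode access
 switchport access vlan 3
exit
!
interface range gi8-9
 description IP cameras - VLAN 5
 switchport mode access
 switchport access vlan 5
exit
!
interface gi10
 description ISP router (the thread advises moving this off VLAN 1)
 switchport mode access
 switchport access vlan 1
exit
```

With this layout the switch enforces only membership, which scales as one VLAN per port rather than one relationship per VLAN pair per port; the 15 inter-VLAN relationships become a handful of ACL lines on the routing device, where they are also visible and auditable in one place.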
 
I would like an answer to your problem also. I want to be able to create multiple subnets and route traffic inside my house or network without double NAT. I recommend buying good gear and not wasting your time with home gear. I bought a couple of RVS4000 routers because they advertised VLANs and having a router mode not using NAT. I was plagued with issues using the routing mode on the RVS4000 just segmenting my wireless devices and WAP. I never even got to testing VLANs. DHCP relay does not work with VLANs on the RVS4000, and the DHCP server on the RVS4000 could not handle small subnets; plus there was a DNS issue in routing mode with the RVS4000. I just gave up. I finally dug out an old Cisco 2621 router I had stored for years and it worked beautifully off the bat. I forgot how nice it is to use pro gear. The downside to pro gear is it is loud and uses a lot of electricity, but it works. I think I will be switching over to old Cisco gear to build my new network structure.
 
I am looking at the manual of an RVS4000 at this moment. It seems VLAN support is built into it, but not like the example from SmallNetBuilder. That article comes from 2007. We are now in the age of gigabit routers. Which router should I buy to support the setup as mentioned in the article and separate two LANs, one with a small business network (6 users) and one with tenants who are not allowed to access the small business network (for obvious reasons)?
 
