Feature Set of Smart Switches

gragnous

Occasional Visitor
With the rise of more and more connected devices, I would like to start segmenting my networks (home/home office, small office with retail front) for security reasons. By segmenting, I mean Layer 2 VLANs.

The Wikipedia article on network switches states that there are two categories of managed switches: Smart Switches and Fully Managed. My primary question is: What features should I be looking for to be able to segment my networks for security purposes?

Also:
  • When a switch is categorized as a smart switch, are there certain features that are assumed included or not included?
  • Do APs that support VLANs "integrate" with the VLANs set up at the switch and/or router? In other words, can the VLANs on my wired network be the same as on the wireless? Or does that require some specific equipment?
 
Since 'smart switch' is a marketing term, do not assume anything about the features or capabilities of any particular model or brand. Nor should you assume that even between two models from the same brand.

If you have a spare router available (or haven't yet purchased a 'smart switch'; buy one), I would use that first to segregate different internal networks for the most reliable security segmentation in a home or small office network.
 
Fully managed is configurable, smart isn't. It's a bit like comparing a configurable router like MikroTik to a non-configurable consumer one.

For example, in a fully managed switch you can create rules just like on a configurable router, and if you read up on Cisco security tutorials you see the switch being used is configurable. Smart switches are more tick boxes and drop-down menus.

Feature set depends on the switch itself. Typically fully managed is more expensive.
 
L&LD is correct, you can't assume feature sets for managed / smart switches. You need to check the specs.

VLANs are the basic feature you need to segment your network. Generally, to coordinate VLANs across devices, devices need to support tagged VLANs. See http://www.smallnetbuilder.com/lanw...how-to-segment-a-small-lan-using-tagged-vlans

Also - take some time to look at some of the reviews on the main site - switches have a very long product lifecycle, and do not typically vary much over time...

http://www.smallnetbuilder.com/lanwan/lanwan-reviews
 
Thank you for pointing out the article on segmenting networks. So it sounds like I need to get a router, switch and APs that support 802.1Q, then configure the connections between router, switches and APs to be trunk lines. I assume then that the segment a device is on is based on the physical port / SSID it's connected to. Is there a way to configure the network so that the device is assigned to a VLAN regardless of the wired port it might be connected into? Does this require, for example, an 802.1Q compatible NIC? I just looked through the properties of the NIC in my antique laptop and see it has a VLAN Enable/Disable setting, but don't see anything indicating how to assign a VLAN to it.

Also, if I'm using a 802.1Q compatible router (I'm thinking pfSense) is there any need for ACL at the switch level?
 
Also, if I'm using a 802.1Q compatible router (I'm thinking pfSense) is there any need for ACL at the switch level?

That's a level of additional complexity and functionality that you'll have to decide on your own perhaps...

pfSense with a managed switch behind it, that's a nice platform to work with - but...

It also depends on someone having some networking knowledge - so for some, it's not the best fit, for others, it's good enough at present, but still limited on where networking is headed...
 
Thank you for your questions Gragnous!

Without going into the configuration elements of your question, here are some high level answers.

Look for devices that support 802.1q VLANs.

Many smart switches support 802.1q. (I use a Cisco SG200-26 smart switch in my lab.) Configure VLAN trunks on the ports connected to the APs and to the router.

Many small business class routers can also support 802.1q. (I use a Linksys LRT224 in my lab.) If you want to control inter-vlan access, apply ACLs/filters on the router.

Many small business class Access Points support 802.1q as well. To use VLANs with Wi-Fi, you assign SSIDs to VLAN IDs on the AP. (I use Ubiquiti UniFi APs in my lab.)

For a device to be assigned to a VLAN regardless of port, there are switches that support MAC based VLANs, but they're not very common. MAC based VLANs can be a pain, requiring you to enter MAC addresses in the switch.

Finally, do you need an 802.1q NIC on your PC? Probably not. However, the NIC in your PC probably supports 802.1q, but the OS does not. Windows does not support 802.1q, but Linux does.

I hope this helps! Good luck!

Doug Reid
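An added worked example, not code from the post above or from any of the vendors it names: it builds and parses 802.1Q-tagged Ethernet frames so the tag Doug refers to is visible as bytes (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), then models how a switch port classifies a frame on ingress and rewrites it on egress. The port model (a PVID for untagged frames plus a list of VLANs accepted with a tag), the port names, MACs and VLAN numbers are assumptions for the example; real switches differ in details such as whether an access port accepts a frame tagged with its own PVID. The point it makes about trunks is why their tagged list should be restricted to what the far end needs: a host behind a port can only reach the VLANs that port's configuration accepts.

```python
"""Build and parse 802.1Q-tagged Ethernet frames and model how a switch
port classifies them on ingress and rewrites them on egress.
Added example; port behaviour is a simplified, assumed model."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, payload: bytes, vlan_id=None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame. vlan_id=None gives an untagged frame; otherwise a
    4-byte tag (TPID + TCI) is inserted between source MAC and EtherType."""
    header = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:        # VID 0 and 4095 are reserved
            raise ValueError("VID must be in 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, vlan (None if untagged), pcp, ethertype
    and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    off, vlan, pcp = 12, None, None
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, pcp, off = tci & 0x0FFF, tci >> 13, 16
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off + 2:]}


@dataclass(frozen=True)
class Port:
    """Assumed switch-port model. pvid: VLAN an untagged frame lands in.
    tagged: VLANs accepted/emitted with a tag (empty on an access port)."""
    name: str
    pvid: int
    tagged: frozenset = field(default_factory=frozenset)


def classify_ingress(port: Port, frame: bytes):
    """VLAN the switch assigns to a frame arriving on `port`, or None when
    the frame is dropped because its tag is not allowed on that port."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        return port.pvid                    # untagged -> native/PVID VLAN
    return vlan if vlan in port.tagged else None


def rewrite_egress(port: Port, vlan: int, frame: bytes):
    """Frame as it leaves `port` for `vlan`: tag stripped if vlan is the
    PVID, (re)tagged if vlan is on the tagged list, None if not a member."""
    f = parse_frame(frame)
    if vlan == port.pvid:
        return build_frame(f["dst"], f["src"], f["payload"], None, 0, f["ethertype"])
    if vlan in port.tagged:
        return build_frame(f["dst"], f["src"], f["payload"], vlan, f["pcp"] or 0, f["ethertype"])
    return None


if __name__ == "__main__":
    # Assumed layout: gi1 is the trunk to router/AP carrying VLANs 10 and
    # 20 (native VLAN 1); gi5 is an access port in the guest VLAN 20.
    trunk = Port("gi1", pvid=1, tagged=frozenset({10, 20}))
    guest = Port("gi5", pvid=20)
    pkt = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", b"hello", vlan_id=20)
    print(parse_frame(pkt)["vlan"], classify_ingress(trunk, pkt), classify_ingress(guest, pkt))
```

Run as-is it prints the VLAN the frame carries, the VLAN the trunk places it in, and None for the guest access port, which in this model drops a tagged frame it is not configured to accept. That last case is the one to check on a real switch: if a host port accepts tagged frames for VLANs other than its own, any device on it can pick its VLAN.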
 
Kind of what I was thinking as well. :) Noted.

 
Layer 3 switches are the best way to share VLANs. Something like the Cisco SG300 series. Layer 3 switches support routing in the switch so you don't have to go your front door internet router for routing services.
 
Layer 3 switches are the best way to share VLANs. Something like the Cisco SG300 series. Layer 3 switches support routing in the switch so you don't have to go your front door internet router for routing services.

Layer 3 switches aren't the only best way to share VLANs; they are the best way to segment your network on layer 3. A layer 2 switch will share VLANs just the same as a layer 3 switch. VLANs are layer 2. If you want to segment your network on layer 3, get a layer 3 switch. If you segment on layer 2, get a layer 2 switch. The advantage, however, of going through your router in layer 3 segmentation is filtering. Bridging and routing on a router has the advantage of features and takes less of a performance penalty than a managed switch. A simple example would be comparing the CCR1036 with a CRS switch. The drop in performance the moment you add rules to a switch is significant compared to a router.

Also, if you just segment and do not have the networks communicate with each other, there is no need for a layer 3 switch.
 
Layer 3 switches are the best way to share VLANs

Managed switches are an easy and efficient way to build and create VLANs within one's "intranet".

There are times where the WAN side needs some support, so there routers can offer functionality - some are better at this than others - and some WAN providers offer different services based on the VLAN tags - e.g. the default might be broadband access, and one VLAN on their side might be TV based services and/or Voice over IP (e.g. DialTone).

In an ideal environment, passing carrier based services (TV/VOIP) through the firewall and router out to the managed switch, while keeping broadband distinct and private for LAN based services - it's a bit of work, but a good router can manage this, and a managed switch can leverage this in a well planned LAN/Intranet.

It's becoming a bigger deal with carriers providing more services on their side over IP, and more folks working from home...

Easy stuff for someone with a networking background - but many consumer grade router/APs really can't do this at the moment - those products have been chasing bigger/better numbers on the wireless side, and neglecting the wired side, and the attendant routing functionality.
 
...but many consumer grade router/APs really can't do this at the moment - those products have been chasing bigger/better numbers on the wireless side, and neglecting the wired side, and the attendant routing functionality.
Unfortunately, building for what the crowd gets dazzled over most. Remember when computers were just beige? Who made the decision to bring color into the picture?

I wish one of the manufacturers echoed Henry Ford's statement on colors on the Model T, 'you can have any computer case color you want, as long as that's beige' haha--that would have been classic.
 
Layer 3 switches aren't the only best way to share VLANs; they are the best way to segment your network on layer 3. A layer 2 switch will share VLANs just the same as a layer 3 switch. VLANs are layer 2. If you want to segment your network on layer 3, get a layer 3 switch. If you segment on layer 2, get a layer 2 switch. The advantage, however, of going through your router in layer 3 segmentation is filtering. Bridging and routing on a router has the advantage of features and takes less of a performance penalty than a managed switch. A simple example would be comparing the CCR1036 with a CRS switch. The drop in performance the moment you add rules to a switch is significant compared to a router.
VLANs are too hard to track in large networks without assigning an IP network to each VLAN. So when I use a VLAN I always assign an IP network to each VLAN. This is not required in small LANs but it is a practice I always use so all my answers are based on this.

Also, if you just segment and do not have the networks communicate with each other, there is no need for a layer 3 switch.

I think we disagree. The problem you run into in segmenting using VLANs at layer 2 is there is always something which ends up needing to be shared across VLANs: printers, NAS, etc. The layer 3 switches allow this and also will allow access control, so if you want to lock out a guest it is easy. You only need one layer 3 switch for the core and the rest of the switches can be layer 2.
Layer 3 switches are fast as they run at wire speed which is much faster than most routers. Take a look at the Cisco small business layer 3 switches SG300-16 or the SG300-28 which I run. I run rules to separate my LAN and my guest network on my SG300-28 layer 3 switch without any noticeable slow downs. At the same time my LAN and guest network are separated using VLANs they share a network laser printer.
VLANs are too hard to track in large networks. So when I setup VLANs I always assign an IP network to each VLAN. I also always use tagged VLANs. This is a practice I have used for 20 years so all my answers are based on this.

I bought my Cisco SG300-28 layer 3 switch off eBay used for cheap.

I have a write up on this site on setting up the SG300-28 layer 3 switch my way. I also have how to modify the layer 3 switch to setup a VLAN for a router so the only traffic in the router VLAN is traffic destined for the internet. In this router VLAN there are no slow downs or collisions in the router VLAN as all the other hardware are in other VLANs. This allows all the other VLANs to feed the router VLAN for high speed internet traffic.
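An added example, not from the post and not in the SG300's or pfSense's own rule syntax, showing the logic behind the rules the post describes: a guest VLAN kept away from the LAN except for one shared printer. The addresses, VLAN numbers and the printer port (TCP 9100) are assumptions. Rules are evaluated top down, first match wins, and no match falls through to the implicit deny, which is how switch and router ACLs generally behave; the `shadowed()` check flags the ordering mistake where a broad deny placed above a narrow permit silently kills the exception. The deny covers all RFC 1918 space rather than only the LAN subnet, so a third internal VLAN added later is not quietly opened to guests.

```python
"""Ordered, first-match ACL evaluator for inter-VLAN traffic, plus a check
for rules that an earlier rule makes unreachable. Added example with
assumed addressing; not any vendor's configuration format."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside every field of the rule."""
    return (ipaddress.ip_address(flow.src) in _net(rule.src)
            and ipaddress.ip_address(flow.dst) in _net(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(acl: list, flow: Flow) -> str:
    """First matching rule decides; no match is the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


def shadowed(acl: list) -> list:
    """Indices of rules that can never match because an earlier rule is at
    least as broad in every field; the usual cause of 'but I permitted the
    printer' when a deny is entered above the exception it should follow."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                out.append(i)
                break
    return out


# Assumed addressing, one subnet per VLAN as the post recommends.
LAN = "192.168.10.0/24"          # VLAN 10
GUEST = "192.168.20.0/24"        # VLAN 20
PRINTER = "192.168.10.50/32"     # shared laser printer on the LAN VLAN
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

GUEST_ACL = [
    Rule("permit", GUEST, PRINTER, "tcp", 9100),   # raw-socket printing only
    *[Rule("deny", GUEST, n) for n in RFC1918],    # nothing else internal
    Rule("permit", GUEST, "0.0.0.0/0"),            # everything else: internet
]

if __name__ == "__main__":
    print(evaluate(GUEST_ACL, Flow("192.168.20.7", "192.168.10.50", "tcp", 9100)))
    print(evaluate(GUEST_ACL, Flow("192.168.20.7", "192.168.10.20", "tcp", 445)))
    print(shadowed([Rule("deny", GUEST, LAN), GUEST_ACL[0]]))   # [1]: printer rule dead
```

The same evaluator applied to a LAN-side ACL answers the earlier question of whether filtering belongs on the router or the switch: wherever the rules live, the order and the implicit deny are what decide the outcome, so it pays to run a few known flows through them before trusting the result.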
 
The discussion here has been very helpful. I was focused on another project, so just came back here to reread.

Since MAC based VLANs don't seem like a practical solution to keeping a hardwired device from being assigned to the wrong VLAN, would the proper way to handle this be to use an ACL/Filter to block any unknown device physically connected to the "wrong" VLAN assigned port from passing traffic on that VLAN?

This doesn't seem ideal to me, because I wouldn't be able to plug any approved device into any "random" physical port without having to reconfigure the port for the correct VLAN. But, it sounds like that option might not be practical for a small operator like us.

At the risk of starting a conversation that probably should be in another thread, I'll give you an example of something that I'm trying to prevent: While I was out of the office for a few days, a vendor plugged an unsecured wireless AP into our network to facilitate their inventory / reordering process. I figured it out pretty quickly, removed the device and had a word with staff and the vendor, but I also realized how easily / quickly the network could be compromised.

This isn't the only reason I need to segment the network, but I'm still not clear how I can do so successfully without being able to prevent an unapproved device from being plugged into a hardwired network port.
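An added example, not from the thread: a detection pass over a switch's learned-MAC table that covers the two cases the post raises, an approved device sitting on a port configured for the wrong VLAN and an unapproved device (the vendor's AP) appearing on any port. The table layout, port names, MAC addresses and policy are constructed for the example; the regular expression needs adapting to the actual MAC-table output of a given switch. A host port that suddenly learns several MACs is the classic sign of a hub, switch or AP plugged in behind it, which is how the rogue AP in the post would show up.

```python
"""Audit a switch's learned-MAC table against a per-port policy.
Added example; the table text below is constructed, not real output."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PortPolicy:
    vlan: int            # VLAN the port is meant to be in
    allowed: frozenset   # MAC addresses expected on the port
    max_macs: int = 1    # a second MAC on a host port means something is chained behind it


# Constructed sample: "<vlan> <mac> <type> <port>" per line. Adapt LINE_RE
# to the column order and MAC notation of your own switch.
SAMPLE_TABLE = """\
VLAN  MAC address        Type     Port
10    02:00:00:00:10:01  dynamic  gi3
10    02:00:00:00:10:02  dynamic  gi4
10    02:00:00:00:20:01  dynamic  gi7
20    02:00:00:00:20:04  dynamic  gi9
20    02:00:00:00:20:05  dynamic  gi9
20    02:00:00:00:20:06  dynamic  gi9
20    02:00:00:00:20:07  dynamic  gi9
20    02:00:00:00:20:09  dynamic  gi12
"""

# Assumed policy: which device belongs on which port, and in which VLAN.
POLICY = {
    "gi3": PortPolicy(10, frozenset({"02:00:00:00:10:01"})),
    "gi4": PortPolicy(10, frozenset({"02:00:00:00:10:02"})),
    "gi7": PortPolicy(20, frozenset({"02:00:00:00:20:01"})),
    "gi9": PortPolicy(20, frozenset({"02:00:00:00:20:04"})),
}

LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(\S+)\s*$", re.I)


def parse_mac_table(text: str) -> list:
    """(vlan, mac, port) tuples; header and non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries


def audit(entries: list, policy: dict) -> list:
    """Return (port, kind, detail) findings for anything that deviates
    from the policy."""
    findings = []
    macs_on_port = defaultdict(set)
    for vlan, mac, port in entries:
        macs_on_port[port].add(mac)
        pol = policy.get(port)
        if pol is None:
            findings.append((port, "unplanned-port",
                             f"{mac} learned on a port with no policy (VLAN {vlan})"))
            continue
        if vlan != pol.vlan:      # port ended up in the wrong VLAN
            findings.append((port, "vlan-mismatch",
                             f"{mac} learned in VLAN {vlan}, port should be VLAN {pol.vlan}"))
        if mac not in pol.allowed:
            findings.append((port, "unknown-mac", mac))
    for port, macs in macs_on_port.items():
        pol = policy.get(port)
        if pol is not None and len(macs) > pol.max_macs:
            findings.append((port, "too-many-macs",
                             f"{len(macs)} addresses on a port limited to {pol.max_macs}: "
                             "possible unauthorised switch or AP"))
    return findings


if __name__ == "__main__":
    for port, kind, detail in audit(parse_mac_table(SAMPLE_TABLE), POLICY):
        print(f"{port:6} {kind:15} {detail}")
```

This is after-the-fact detection, useful as a scheduled check. Stopping the device before it passes any traffic is the job of the switch's port-security feature (a per-port MAC limit and/or MAC allow-list, the practical form of the MAC-based assignment discussed earlier) or 802.1X port authentication, and both are line items to confirm on the spec sheet of a "smart" switch like any other feature.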
 
