Connecting managed and un-managed switches together.

Joined
Feb 17, 2018
Messages
25
Reaction score
11
Hi,

Currently looking at a new camera setup (from Andy) that consists of 5 cameras, 1 of which is a PTZ.

I would like to get myself a managed POE+ switch to connect to these cameras so that I can take advantage of VLANs etc.

I also have about 14 other plain regular ethernet connections to deal with (computers, TVs, etc) that also need to be connected. So that's a total of approx 19/20 ethernet connections, at least 5 will need POE.


Of course a 24 port POE+ switch would be nice, and I don't mind spending the money, only there are no SILENT POE+ switches for obvious reasons. Noise is quite an important factor here so I thought about getting a couple of fanless 16 port switches (or maybe a regular 16 and a POE 8 one etc).

However I haven't even had to do this before, so I had a couple of questions.

If I want to create VLAN to isolate my cameras, which of the following diagrams is the proper way to do it?


Code:
1)

[Router] ----->[Regular 16 Port Unmanaged] ----->Computers.
                                       ^
                                       |
                                       |
                             [16 Port POE+ Managed]------->cameras


Code:
2)

[Router] ----->[Regular 16 Port Managed] ----->Computers.
                                       ^
                                       |
                                       |
                             [16 Port POE+ Unmanaged]------->cameras

Code:
3)

[Router] ----->[Regular 16 Port Managed] ----->Computers.
                                       ^
                                       |
                                       |
                             [16 Port POE+ Managed]------->cameras

Basically, should I
have a managed switch that then daisy chains to an un-managed POE switch.
have an unmanaged switch that then daisy chains to a managed POE switch.
have a managed switch that then daisy chains to a managed POE switch.



I'm happy to pick the switches I need, just wondered if any technical person could point me in the right direction! Thanks very much
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
The short answer is I would go option 2 (from your diagrams).

What type of router, however, do you have? I've used some Draytek gear before and they offer port based VLANs, your computer network switch can use a 192.168.1.0 network from one of the router ports, and a POE switch connected to another port can reside on a different network, eg 10.0.0.0. The router can either isolate or allow traffic between networks. Both networks will have internet connectivity via the gateway IP. This may be an option for you or your current router may already have this feature. In this case you can use 2 regular switches, Non poe and POE.

Another consideration is do you need to pass traffic between the 2 LANS and how will you do this? You may need to add a static route on the router or managed switch to allow this. Alternatively you may have a PC (with a viewing client) with 2 network cards that belongs to both networks (messy since you have to run 2 cables to each of the switches).

If you want both vlans available on both of the switches (eg to add IP cameras off the computer switch in future) then you'll need to configure trunk ports on the switches (to carry tagged traffic from both networks) and they will all need to be managed throughout. That's when you really want to use one vendor's equipment.
 
Joined
Feb 17, 2018
Messages
25
Reaction score
11
The short answer is I would go option 2 (from your diagrams).

What type of router, however, do you have?
I've just double checked but my Netgear R7000 doesn't do VLAN on the LAN side of the network.

Can I use the R7000 VLAN feature for internal VLAN separation?
No, the VLAN feature is currently designed to separate WAN services provided by your service provider (ISP). For example, your ISP may require this feature in order to separate Internet, IPTV, and/or telephony services. It is not meant to be used to configure the LAN side of the customer's network.



Another consideration is do you need to pass traffic between the 2 LANS and how will you do this? You may need to add a static route on the router or managed switch to allow this.
Yes I will want to pass traffic between them. I assumed this was straightforward with rules added to one of the managed switches? I'm up to my eyes in learning about this stuff (which is what makes it great craic to learn), but am I wrong in my assumptions?

If you want both vlans available on both of the switches (eg to add IP cameras off the computer switch in future) then you'll need to configure trunk ports on the switches (to carry tagged traffic from both networks) and they will all need to be managed throughout. That's when you really want to use one vendor's equipment.
No I'm fairly adamant that the cameras will be on one and the computers on the other and that will provide me enough future proofing for what I'm after.

Thanks for your reply, much appreciated.
 
Joined
Feb 17, 2018
Messages
25
Reaction score
11
See my post here: Ideal router

I am using option 2, also due to the fan noise a large POE switch would produce.

Wow! That's some setup and it took me a number of reads to digest (most) of it.

The only difference I can see between your setup and what I think my setup will look like, is that your router is controlling all the VLAN setup whereas (due to my router not having that feature) my managed switch would be doing it instead.

Have I got that right in my head or am I making any poor assumptions?

Or should I be looking for a L3 managed switch that can do the routing for me? The more you learn, the more you learn how little you know.
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
Yes I will want to pass traffic between them. I assumed this was straightforward with rules added to one of the managed switches? I'm up to my eyes in learning about this stuff (which is what makes it great craic to learn), but am I wrong in my assumptions?
I wouldn't say so straightforward, but it's fun learning. You need to check on the switch capabilities. Normally routers direct traffic between different networks (subnets). Switches that can do this internally (which provides better performance) are called 'Layer 3' switches, so look out for those that offer that feature. I'm not sure that every managed switch necessarily offers this capability.
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
Wow! That's some setup and it took me a number of reads to digest (most) of it.

The only difference I can see between your setup and what I think my setup will look like, is that your router is controlling all the VLAN setup whereas (due to my router not having that feature) my managed switch would be doing it instead.

Have I got that right in my head or am I making any poor assumptions?

Or should I be looking for a L3 managed switch that can do the routing for me? The more you learn, the more you learn how little you know.
Yes, I'm using my router to route and firewall between different VLANs. L3 switches can route, but I don't think they have the firewall flexibility of an actual router.

There is a way to use VLANs to get any managed switch to segment your network using one subnet. For example:

VLAN How To: Segmenting a small LAN - SmallNetBuilder

Basically, you use VLAN membership on the switch to determine which ports can see which ports. I did this years ago before I was more experienced with managing firewall rules, which are more flexible. My router was only $100 so that's what I'd recommend.
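
Added example (not part of the post above and not taken from the linked article): a small Python model of using VLAN membership on one managed switch to decide which ports can see which ports on a single subnet, plus a check that catches a port left on the default PVID. It assumes the usual 802.1Q behaviour where an untagged frame is classified by the ingress port's PVID and forwarded only to member ports of that VLAN; the port numbers, VLAN IDs and the `audit` helper are made up for illustration.

```python
# Added example: port numbers, VLAN IDs and roles are constructed for illustration.

def egress_ports(cfg, src):
    """Ports that may receive an untagged frame entering on port `src`."""
    vlan = cfg["pvid"][src]                         # ingress: classified by the port's PVID
    return cfg["members"].get(vlan, set()) - {src}  # egress: only members of that VLAN

def can_talk(cfg, a, b):
    """Two-way traffic needs a permitted path in both directions."""
    return b in egress_ports(cfg, a) and a in egress_ports(cfg, b)

def audit(cfg, cameras, computers):
    """List every camera/computer port pair that is not fully isolated."""
    findings = []
    for cam in sorted(cameras):
        for pc in sorted(computers):
            if can_talk(cfg, cam, pc):
                findings.append((cam, pc, "two-way"))
            elif pc in egress_ports(cfg, cam):
                findings.append((cam, pc, "camera->computer only"))
            elif cam in egress_ports(cfg, pc):
                findings.append((cam, pc, "computer->camera only"))
    return findings

UPLINK, COMPUTERS, CAMERAS = 1, {2, 3}, {4, 5}

# Intended setup: the uplink (router) port is a member of every VLAN, while
# cameras and computers each share a VLAN only with the uplink.
GOOD = {
    "pvid": {1: 1, 2: 10, 3: 10, 4: 20, 5: 20},
    "members": {1: {1, 2, 3, 4, 5}, 10: {1, 2, 3}, 20: {1, 4, 5}},
}

# Mistake to catch: port 5 was added to VLAN 20 but its PVID was left at the
# default 1, so frames from that camera are flooded to every port.
BAD = {
    "pvid": {1: 1, 2: 10, 3: 10, 4: 20, 5: 1},
    "members": GOOD["members"],
}

if __name__ == "__main__":
    print("camera 4 <-> uplink:", can_talk(GOOD, 4, UPLINK))
    print("GOOD findings:", audit(GOOD, CAMERAS, COMPUTERS))
    print("BAD findings: ", audit(BAD, CAMERAS, COMPUTERS))
```

The one-way findings matter because broadcast and unknown-unicast frames from the misconfigured camera port still reach the computer ports even though replies cannot return.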
 

xips

n3wb
Joined
May 23, 2017
Messages
29
Reaction score
19
I've just double checked but my netgear R7000 doesn't do VLAN on the LAN side of the network.

Can I use the R7000 VLAN feature for internal VLAN separation?
No, the VLAN feature is currently designed to separate WAN services provided by your service provider (ISP). For example, your ISP may require this feature in order to separate Internet, IPTV, and/or telephony services. It is not meant to be used to configure the LAN side of the customer's network.
Your R7000 will do VLAN isolation if you flash it with a custom firmware. I do so with TomatoUSB by Shibby firmware which gives me enterprise-like capabilities. I've been using it for about 5-6 yrs now and love it.


Good info -Tomato Firmware forum.
How to -> Build Secure VLAN Networks with 'Shibby' Router Firmware

EDIT - The first install is made easier if you use the initial install firmware. How to video.

If you don't like Tomato, returning to Netgear Genie is easy.
 