Cisco 300 series managed POE switches

tigerwillow1 wrote (Jul 18, 2016):
There has been a little discussion in other threads about this product. I'm going to try to pull it into this one common place. Some features of these switches make them a good candidate for a security camera system:

1. Professional high performance product.
2. Good POE support.
3. Reasonably low power consumption.
4. Very reasonable used prices.

For instance, the SF300-24P has 24 100 Mbps POE ports and 4 gigabit ports, and can be found for under $100 on eBay.

I have found 2 major drawbacks:

1. Nasty loud fan noise. I have replaced the fans in mine. I don't think it's going to overheat in my situation. With a full POE load and a hot room, it could have a problem.

2. Unlike some other managed switches, this one will not allow you to set up "overlapping" VLANs, with one or more ports in multiple VLANs, to allow a camera to talk to the NVR and/or computer, while blocking it from accessing the outside Internet. (See further discussion for possible solutions).

Pulling messages from another thread, cyph wrote:
Cisco SF300-24PP with 24 POE ports and 2 gigabit upstream ports, a managed switch with the ability to isolate the cameras on its own VLAN, can be bought used on eBay for less than a new dumb 8-port POE switch...

tigerwillow1 replied:
Have you set one of these up? Unlike other managed switches, mine can't be set up to allow a port to access 2 VLANs, making it useless to isolate the cameras from the WAN while allowing the NVR to access the WAN. If there is a way to do this, I'd sure like somebody to tell me how. There might be a way to do it at level 3, but I really want to stay at level 2 and not have to become a network expert to configure the system.

cyph posted 2 responses:
I have not used the SF300 yet, but based on past experience, you have to create a trunk (look up trunking). Alternatively, treat it as separate switches and create a routing table. Allow camera vlan1 to route to NVR vlan2, then drop all packets from vlan1 to internet uplink port.
set system mode {router} will switch it into router mode.
---and---
Hey, I just received the SF300. The easiest way to accomplish what you're doing is to make all the ports for the cameras "protected ports" then also make the uplink port a protected port. Since protected ports can never communicate with each other, the cameras will forever be isolated from each other and from the Internet up-link port. It's an automatic walled garden without the use of VLANs.

Discussion continues in any further posts.
 
cyph wrote:
Hey, I just received the SF300. The easiest way to accomplish what you're doing is to make all the ports for the cameras "protected ports" then also make the uplink port a protected port. Since protected ports can never communicate with each other, the cameras will forever be isolated from each other and from the Internet up-link port. It's an automatic walled garden without the use of VLANs.
From reading the manual I'm not sure this will do the job. If you want the NVR to talk to the outside Internet, the Internet has to be an unprotected port. If it's unprotected, the cameras can talk to it, too. Maybe there's a way to set it up that I don't see?

I do see hope somewhere else. The used switches are unlikely to have the latest firmware. Starting with version 1.4.0, released August 2014, Cisco added Private VLANs, with Promiscuous, Community, and Isolated ports. The high level description is "The Private VLAN feature provides layer-2 isolation between ports". It looks to me like this might provide what I'm looking for: multiple overlapping VLANs, i.e. some ports can belong to multiple VLANs. If it pans out, it means that Cisco has added a capability found in many other managed switches, changing the terminology and making it more complicated in the process. But if it works, I'm happy in the end. I have not made the firmware upgrade yet. The current version is 1.4.7.06, and it's a must to read the release notes first about a required boot loader upgrade.
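The private VLAN layout hinted at above, written out as an added example (it is not a configuration from this thread or from the poster). It assumes an SF300 on 1.4.x firmware, where private VLAN types are set under `interface vlan`, and the VLAN numbers and port assignments (fa1-16 cameras, gi1 uplink, gi2 NVR) are placeholders chosen here. Command syntax follows the Sx300 CLI guide and should be checked against the guide for the firmware actually installed.

```text
! Added example, not from the thread. VLAN ids and port numbers are assumptions.
! 100 = primary, 101 = isolated (cameras), 102 = community (Internet uplink)
configure
vlan database
 vlan 100,101,102
exit
interface vlan 100
 private-vlan primary
 private-vlan association 101,102
exit
interface vlan 101
 private-vlan isolated
exit
interface vlan 102
 private-vlan community
exit
! Cameras: isolated host ports. An isolated port forwards only to a
! promiscuous port, so cameras cannot reach each other or the uplink.
interface range fa1-16
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
exit
! Internet uplink: a community of one. It reaches the promiscuous NVR port
! but not the isolated camera ports.
interface gi1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
exit
! NVR: promiscuous, mapped to both secondary VLANs, so it reaches everything.
interface gi2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
exit
end
```

Two caveats a practitioner will hit: the isolation is layer 2 only and applies within this switch, so a camera plugged into a downstream dumb switch on a camera port shares that port's isolation with everything else on the dumb switch; and because the cameras can no longer see the router behind the uplink, they cannot get DHCP from it, so they need static addresses or a DHCP server on the NVR side.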
 
I don't know what you think overlapping VLANs are; that's not a term I'm familiar with. However, according to the spec sheet:
Port-based and 802.1Q tag-based VLANs

This indicates it does support VLAN tagging, and that's how you assign multiple VLANs to a single port. It requires a device on the other end that is capable of tagging VLANs, and it is the only way to trunk multiple networks onto a single port. This is usually used with switch uplinks, routers and servers.
 
tigerwillow1 wrote:
From reading the manual I'm not sure this will do the job. If you want the NVR to talk to the outside Internet, the Internet has to be an unprotected port. If it's unprotected, the cameras can talk to it, too. Maybe there's a way to set it up that I don't see?

I do see hope somewhere else. The used switches are unlikely to have the latest firmware. Starting with version 1.4.0, released August 2014, Cisco added Private VLANs, with Promiscuous, Community, and Isolated ports. The high level description is "The Private VLAN feature provides layer-2 isolation between ports". It looks to me like this might provide what I'm looking for: multiple overlapping VLANs, i.e. some ports can belong to multiple VLANs. If it pans out, it means that Cisco has added a capability found in many other managed switches, changing the terminology and making it more complicated in the process. But if it works, I'm happy in the end. I have not made the firmware upgrade yet. The current version is 1.4.7.06, and it's a must to read the release notes first about a required boot loader upgrade.

No. Unprotected ports can talk to protected ports. If your NVR is unprotected, it can communicate with any other protected ports. Cameras <-> NVR <-> Internet. Cameras <-X-> Internet. Just try it and let me know if it doesn't work.
 
Also, I'm not sure why you think the switch doesn't allow ports to work in multiple VLANs. It does. By default, the ports are in "trunk" mode, which means a port can be in more than one VLAN. You can actually assign it so that one VLAN is tagged and the other untagged.
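The protected-port layout from the reply above (cameras and uplink protected, NVR unprotected), written out as an added example that is not from the thread or the poster. Port numbers (fa1-16 cameras, gi1 uplink, gi2 NVR) are placeholders chosen here, and the interface command is the one in the Sx300 CLI guide (`switchport protected-port`); verify it on the installed firmware before relying on it.

```text
! Added example, not from the thread. Port numbers are assumptions.
configure
! Cameras: protected. A protected port never forwards to another protected
! port on the same switch, so the cameras are cut off from each other...
interface range fa1-16
 switchport protected-port
exit
! ...and from the Internet uplink, which is also protected.
interface gi1
 switchport protected-port
exit
! NVR: left unprotected, so it forwards to every port, including the uplink.
! Cameras <-> NVR <-> Internet; Cameras <-X-> Internet; Camera <-X-> Camera.
interface gi2
 no switchport protected-port
exit
end
! Check which ports ended up protected before plugging anything in.
show interfaces protected-ports
```

Same caveats as any layer-2 isolation: it holds only within this switch (a second switch hung off a camera port is one "port" as far as protection goes), and the cameras can no longer reach the router for DHCP, so give them static addresses or serve DHCP from the NVR side. Also note that the NVR, being unprotected, is now the one device that can reach both sides, so it should be the thing you keep patched.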
 
Sorry about the term "overlapping VLANs". I haven't found an official term for what I'm talking about. It's supported by a Luxul switch and described in the first post here: Simple Port based VLAN. It's also supported by at least some Netgear switches. They describe it this way: "In an advanced port-based VLAN configuration, you can assign a single port to multiple VLANs". I should have known I'd get into trouble saying the Cisco switch wouldn't allow a port into multiple VLANs. I agree this can be done with tagging and trunk mode, neither of which is practical in a simple NVR + camera + external switch setup. I'm willing to try the protected/unprotected port setup but can't get to it for at least a few days.
 
That's how it works. Go read up on VLANs; you're sorely lacking and will never set this up right at your current understanding.

If your NVR does not support VLAN interfaces, how would it possibly set up 2 networks on a single interface?

A port-based VLAN only supports one VLAN per port; you can add additional VLANs as tags. So the default would be whatever the port is assigned, and the tagged interfaces would have to be configured. If you don't have a device that can do those tags plugged in, then it's taking the port-based VLAN and that's that. Running more than 1 VLAN on a single port requires the devices on both ends to support this; there's no friggin' way around that. Hardware NVRs typically don't support VLAN interfaces; however, a PC VMS would, because Windows can create a VLAN-tagged network interface.

What you need is a VLAN-capable router. You put your cameras and NVR on one VLAN/subnet with port-based assignments, and your LAN on another VLAN/subnet with port-based assignments. Then you trunk both VLANs together to the router and have it route traffic back and forth between subnets and implement traffic filtering, i.e. these IPs can access the NVR, everything else blocked.

Setting up a network in such a way is a very advanced configuration. If you don't understand networking (subnetting/VLANs/routing) at a high level, then you're going to have a hell of a time making any forward progress. Go pick up a book and start reading; all this is well documented all over the Internet thousands of times over.
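The switch side of the two-VLAN, trunk-to-router design described in the post above, as an added example that is not from the thread or the poster. VLAN numbers (10 cameras+NVR, 20 LAN), port numbers (fa1-16 cameras, gi2 NVR, fa17-24 LAN, gi1 trunk to router) and the router's interface are all assumptions made here. The routing and the "only these IPs may reach the NVR" filtering live on the router and depend on its make, so they are described in comments rather than shown.

```text
! Added example, not from the thread. VLAN ids and port numbers are assumptions.
configure
vlan database
 vlan 10,20
exit
! VLAN 10: cameras and NVR, untagged access ports. The cameras and NVR
! need no VLAN support of their own; the switch strips/adds tags.
interface range fa1-16
 switchport mode access
 switchport access vlan 10
exit
interface gi2
 switchport mode access
 switchport access vlan 10
exit
! VLAN 20: the rest of the LAN
interface range fa17-24
 switchport mode access
 switchport access vlan 20
exit
! Trunk to the VLAN-capable router: both VLANs carried tagged on one link.
! The router terminates VLAN 10 and VLAN 20 as two subnets and filters
! between them, e.g. permit LAN -> NVR address, deny LAN -> camera subnet,
! deny camera subnet -> anything except the NVR.
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
exit
end
show vlan
```

With this layout the cameras' default gateway is the router's VLAN 10 address, so unlike the layer-2 schemes the cameras can still get DHCP and NTP from the router; whether they can reach the Internet is then purely a matter of the router's filter rules, which is where the "deny camera subnet -> any" rule has to go.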
 
.. you're sorely lacking and will never set this up right at your current understanding.
No argument about that! That's why I'm looking for the simpler capability offered by some of the switches. I fell into the assumption trap (again) of thinking if some switches had this "advanced port-based VLAN configuration", surely a Cisco business-class switch would. I've got the protected/unprotected port setup and the newer Cisco firmware to try before giving up on the layer-2 solution with the Cisco switch. As for learning more about networks, any time I take for that comes out of the time to set up the rest of the camera system, and I'd rather spend my time on the rest of the system. Same reason I walked away from the Hikvision based NVR that was eating up too much of my time.