Dual LANs on Same wire provide Security?

jmhmcse

Pulling my weight
Joined
Dec 30, 2018
Messages
216
Reaction score
131
Location
usa
You've quite the network. I'll presume that there is little chance of moving devices from one switch to another. Even if possible, it probably would not significantly help with the solution.

The simplest, not the cheapest, solution would be to implement a number of small (8-port PoE/VLAN?) switches. Here is a first attempt to identify required upgrades.

[attachment: 1704479473784.png]

[attachment: 1704479426349.png]

The BI server(s) would need a second NIC and then that connection made to the GREEN network; two additional ports on the GS752.
Joined
Apr 7, 2016
Messages
160
Reaction score
117
Location
Michigan
I talked with a knowledgeable Netgear representative and found out that 5- and 8-port switches will trunk up to their port limit, like 1-8. Well, I only need 2 VLANs remotely, so I may replace all 4 of my switches. Netgear GS105Ev2 and GS108Ev3 will do what the above needs. I will also look at PoE options to simplify wires and equipment.
All the tower computers have dual NICs; it just didn't show on the above.
I suspect streaming and frame rate can improve with VLANs in place.
Thanks so much JMHMCSE for getting me started (and others). Things have come a long way since assembly language in the 70s.
Rob

jmhmcse
Assembly, macro, overlays, COBOL, Fortran, PL/1, Pascal, Basic, Ansi C..... know (knew) them well.

;)

Joined Apr 7, 2016 · Michigan
Question on the above layout: I have eagle cameras on a separate VLAN (13) and the rest of the cameras on VLAN 12. The BI server will have 3 NICs for VLANs 12, 13 and 11.

I want to restrict the YouTube server to VLAN 13 and the internet only, and not local computers, NAS, etc.

Can I do this, and/or is there any value in trying to limit the YT server off the home network?

[attachment: ScreenHunter 298.jpg]

jmhmcse
Can it be done, sure. Is there value in doing so, only you know.

Adding a second (VLAN/subnet) route to the internet creates a challenge. This requires an L3 router or L3 switch.

Pulling some 'art' from online sources, with custom changes... a standard L3 router scenario would look like:

[attachment: 1704673546378.png]

The router would need to support the number of VLANs wanted exposed to the internet, along with a matching number of DHCP servers.

Some switches have the ability to serve up DHCP for each VLAN defined, then perform the L3 routing as well.

[attachment: 1704675335879.png]

Joined Apr 7, 2016 · Michigan
A couple (3) questions. For maintenance, I thought of using an old router plugged into each VLAN (4)... On only when doing maintenance, with a wireless connection to the router. Then, I think, I could see all the IP addresses from the cameras. Powered off is normal mode.

Second, does the default gateway mean anything on the cameras on a subnet? Should i be the last switch before internet? or just who cares number?

My router no longer sees the IP addresses on the VLANs that are not 1. Is that right? I would use that display list for seeing who is connected and getting MAC addresses etc. No lot less members

Thanks,
rob

jmhmcse
Only a couple of these questions are 'general' networking ones. The others are very specific to your hardware and network address assignments.

> does the default gateway mean anything on the cameras on a subnet?

No.
If possible, don't define any address as the GW. If one is needed, enter a totally fictional one (within the private IP ranges).
All devices within a specified subnet can 'find' each other without need of a GW; a GW provides access to another network router to which multiple networks are connected.

> My router no longer sees the ip addresses on the VLANs that are not 1. Is that right?

VLAN ID 1 is the standard default for VLAN-capable devices. Whenever possible, VLAN ID 1 is removed from network devices as other VLANs are added to an environment. (This would remove the typical connect-and-forget for hosts, clients, and network appliances, making it impossible for an unknown device to be added and have connectivity to some part or all of the network it was connected into.)
If new VLANs have not been added to the port which is connected to the router, then yes, this is correct. (That is the purpose of VLANs: not letting one network 'see' another network unless defined.)
However, simply adding other VLANs to the router port will not magically work. The router must be able to understand the multiple network addresses (192.168.13.#/24, 192.168.11.#/24, etc.) being delivered to it.

Which of the methods are you using to connect your environment to the internet; L3 Switch (GS752), L3 Router (AX92U), or other L3 device?


> I would use that display list for seeing who is connected and getting MAC addresses etc.

Who is connecting to what?
How is WHO connecting to what?

> Should i be the last switch before internet? or just who cares number?

Don't follow/understand the question... who/which is "i"?
The order of connection is as you've configured in the diagram:
<internet> === <ISP Modem> === <AX92U> === <GS752> === <other switches>
AX92U is your multi-purpose device: firewall, switch, VPN, DHCP, DDNS, etc. It MUST be the first device in your network (unless you have another firewall appliance).

> For maintenance, I thought of using an old router plugged into each VLAN (4)... On only when doing maintenance with a wireless connection to the router. Then, I think, I could see all the ip addresses from the cameras.

Trying to decipher the statement:
old router plugged into VLAN ID 14 (on a switch port of the GS752)
client device connected via Wi-Fi to the old router
all of the VLAN IP addresses would be present on the 'connection', though the client would only connect to one IP network at a time via manual address configuration on the client device with the port set as UNTAGGED.
================


Your ideas need to be confirmed via experimentation, as you are already doing. A lot has changed in the VLAN environment as "smart" enhancements from when I was exposed to the typical configurations. I can't tell you, for sure, if what you're stating is possible or not without fully understanding your hardware, environment, requirements, and configuration.

Again, you're at the point where only you can continue to implement and see what does or does not work.
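The two points in this reply that decide whether a camera can reach anything off its own VLAN, that hosts on one subnet find each other without a gateway and that each VLAN must be its own subnet before any router can serve it, can be checked mechanically. The following Python is an added illustration for this thread, not from Netgear, the AX92U, or anyone posting here; the VLAN numbers and the 192.168.<vlan>.0/24 pattern follow the addresses quoted above, and the host list is constructed for the example (a fictional gateway is entered for one camera exactly as the reply suggests).

```python
"""One subnet per VLAN: on-link vs. routed reachability, plus a static-address audit.

Added example for the thread; not code from any device or poster. The host
table below is constructed, the 192.168.<vlan>.0/24 layout follows the post.
"""
import ipaddress

# VLAN -> IP network. Each VLAN is its own broadcast domain, so it needs its own subnet.
VLAN_SUBNETS = {
    11: ipaddress.ip_network("192.168.11.0/24"),  # home
    12: ipaddress.ip_network("192.168.12.0/24"),  # cameras
    13: ipaddress.ip_network("192.168.13.0/24"),  # eagle cameras
}

# Constructed sample hosts: (name, VLAN the port is untagged in, static address, gateway or None).
HOSTS = [
    ("desktop",   11, "192.168.11.20",  "192.168.11.1"),
    ("bi-nic-12", 12, "192.168.12.10",  None),
    ("cam-1",     12, "192.168.12.50",  None),
    ("cam-2",     12, "192.168.12.51",  "192.168.12.1"),  # fictional GW inside the private range
    ("eagle-1",   13, "192.168.13.50",  None),
    ("typo-cam",  12, "192.168.120.52", None),            # mistyped third octet
    ("dup-cam",   12, "192.168.12.50",  None),            # duplicate of cam-1
]


def on_link(src_ip, dst_ip, vlan):
    """True if src can reach dst by ARP alone (same subnet on the same VLAN); no gateway involved."""
    net = VLAN_SUBNETS[vlan]
    return ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net


def path(src, dst):
    """Describe how src reaches dst: 'direct', 'via gateway ...', or 'unreachable ...'."""
    name, vlan, ip, gw = src
    if vlan == dst[1] and on_link(ip, dst[2], vlan):
        return "direct"
    if gw is None:
        # With no default gateway the host has nowhere to send off-subnet packets,
        # which is exactly what keeps a camera local.
        return "unreachable (different subnet, no gateway)"
    # Off-subnet traffic only moves if an L3 device really answers on the gateway address.
    return f"via gateway {gw} (needs an L3 router/switch on VLAN {vlan})"


def audit(hosts):
    """Flag static addresses outside their VLAN's subnet, duplicates, and off-subnet gateways."""
    problems = []
    seen = {}
    for name, vlan, ip, gw in hosts:
        net = VLAN_SUBNETS[vlan]
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{name}: {ip} is not inside {net} (VLAN {vlan})")
        if ip in seen:
            problems.append(f"{name}: {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, name)
        if gw is not None and ipaddress.ip_address(gw) not in net:
            problems.append(f"{name}: gateway {gw} is not on VLAN {vlan}'s subnet")
    return problems


if __name__ == "__main__":
    by_name = {h[0]: h for h in HOSTS}
    print("cam-1 -> bi-nic-12:", path(by_name["cam-1"], by_name["bi-nic-12"]))
    print("cam-1 -> desktop  :", path(by_name["cam-1"], by_name["desktop"]))
    print("desktop -> cam-1  :", path(by_name["desktop"], by_name["cam-1"]))
    for p in audit(HOSTS):
        print("AUDIT:", p)
```

Running it shows the camera and the BI NIC on VLAN 12 talking directly, the camera with no gateway unable to start anything toward the home VLAN, and the desktop only able to reach the camera subnet if something actually routes for 192.168.11.1, which in the layout discussed above is only true for the VLAN the AX92U is plugged into.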
Joined Apr 7, 2016 · Michigan
> Which of the methods are you using to connect your environment to the internet; L3 Switch (GS752), L3 Router (AX92U), or other L3 device?

802.1Q advanced (like the YT videos you recommended above).
I am testing on my JGS524Ev2 (24-port managed) and still waiting for parts before VLANing my GS752TPv2. I set up a test 5-port switch and changed VLAN 1 to 11, and then had to reset as I had no 11 set up anywhere else. I think I get it. The router will be plugged into VLAN (home) and will "see" only VLAN (home) devices.


> I would use that display list for seeing who is connected and getting MAC addresses etc.

To better ask the question, I should have included these pictures:
View list would give me
[attachment: ScreenHunter 299.jpg]
and then this list of all my currently attached devices.
[attachment: ScreenHunter 300.jpg]

My one remaining question: if the router cable connection can only "see" the VLAN (home), then all devices on other VLANs will have to have static IP addresses, or their respective switch set to DHCP? Most (all?) of mine have static, but just asking to understand.

Thanks, rob. Go Blue!!

jmhmcse
> The router will be Plugged into VLAN (home) and will "see" only VLAN (home) devices

Correct. The router will see only those devices on the one VLAN.

The only time you should really have more than one VLAN assigned to a port is when that port is used as a TRUNK to another switch. Each VLAN has its own subnet range; did you notice this in the second video when Doug was illustrating that his audio software (Dante) was only available on specific ports?

While he covered the configuration of the switches to implement VLANs he did not cover his up-stream L3 router.

As your configuration currently sits, only the home VLAN will be able to connect to the internet. All other VLANs are limited to local (internal to your network) devices. And yes, with only one DHCP server (AX92U) all other devices must be set with static IPs.

Joined Apr 7, 2016 · Michigan
Recurring difficulty
In my test setup, the VLANs seem to be working. TiVo sees the internet and BI is seeing the cameras on VLAN 2. My issue is that I can see (log into) the Sunroom 5-port, but I cannot connect to the 16-port at the bottom of the picture, TV room.

In local testing before moving to the TV room, this Netgear GS316EP has a control port identifier; you can set it to 1-16. Not sure what to set it to. I think it is currently 1. I will plug in a portable laptop tomorrow. If not, reset and start over.
Any ideas would be great. Thanks
[attachment: ScreenHunter 302.jpg]

These are the two VLAN pages. The 316 is a new format.
[attachment: ScreenHunter 303.jpg]
[attachment: ScreenHunter 1173.jpg]

Joined Apr 7, 2016 · Michigan
Thinking more about it, my desktop would have a tag ID 11 added, then go through the trunk, untouched, and into the TV switch with an ID 11 tag. So not recognized by the switch because of the 11 tag? I'll try plugging into a trunk line, like port 23, and see if there is any difference.

jmhmcse
I find no reference to "control port" in the GS316EP manual. The closest term is "flow control" which is disabled by default on all ports. This configures how the switch handles packets when the port's capacity has been exceeded. (something you shouldn't need to worry about)

VLAN ID 1 is not the same as VLAN 1. VLAN ID 11 is VLAN 1.
Why call "VLAN ID 1" "VLAN 11", wouldn't it be simpler to call "VLAN ID 11" "VLAN 11"?

VLAN ID 1 (default) should have no ports with it as a member of any VLAN on all switches.

Verify that Autonegotiate is enabled for all ports on all servers, unless you have a specific requirement otherwise.

GS752
Port 9 - Untagged / VLAN ID 11
Port 12 - Untagged / VLAN ID 12
Port 22 - Tagged / VLAN ID 11 and ID 12
Port 23 - Tagged / VLAN ID 11 and ID 12

SUNROOM
Port 1 - Tagged / VLAN ID 11 and ID 12
Port 2 - Untagged / VLAN ID 11
Port 3 - Untagged / VLAN ID 11
Port 4 - Untagged / VLAN ID 12
Port 5 - Untagged / VLAN ID 12

NETGEAR 16 PORT
Port 1 - Tagged / VLAN ID 11 and ID 12
Port 2 - Untagged / VLAN ID 12
Port 3 - Untagged / VLAN ID 12
Port 4-16 - Untagged / VLAN ID 11

While it is possible to 'mix' VLAN network traffic onto a single port (e.g. Netgear Camera 1, 2, 3 and Netgear Default), you're defeating the purpose of the VLAN, which is to isolate cameras away from anything else on the network and prevent access to the internet. When untagged subnets share a single port, hosts from either network do have the possibility of seeing each other (promiscuous mode) and initiating communication.

Unlike the YouTube videos where Doug was overlaying multiple networks onto a single port, that is NOT the desired configuration for your implementation.

Joined Apr 7, 2016 · Michigan
When I wrote about the control port, I didn't have access to the switch. The black screen above has the Management VLAN at the bottom. I translated that to mean port. I can only assume it should be VLAN 11 in my case.
I don't understand the basic function of the labels VLAN ID and PVID. And I'm having trouble deleting the VLAN ID 1 ports.

I'm getting the idea that the trunk is not a separate VLAN. I should delete VLAN 14, and the yellow port is really a switch-to-switch port (black dots in your diagram).

On your last comments, are you suggesting I use 802.1Q Basic instead of Advanced? I was following Doug's example. Basic seems to allow VLANs across switches, which is my basic need.
Thanks for your time.

I will try 802.1Q Basic on another test switch tomorrow.
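The VLAN ID / PVID / tagged / untagged labels from the last few posts are easiest to understand as the two decisions every 802.1Q switch makes per frame: on ingress, an untagged frame is assigned the port's PVID (a tagged frame keeps its tag only if the port is a member of that VLAN); on egress, the frame leaves a tagged member port with its tag, leaves an untagged member port with the tag stripped, and is dropped on any port that is not a member. The Python below is an added simulation of exactly those rules over the GS752 / SUNROOM / 16-port table jmhmcse posted above; it is not Netgear firmware or anyone's posted configuration. Assumed for the example: the trunk cabling (GS752 port 22 to SUNROOM port 1, GS752 port 23 to the 16-port switch's port 1), that an access port's PVID is its single untagged VLAN, and that trunk ports carry tagged frames only. The audit at the end encodes two pieces of advice from the thread: no port left in VLAN ID 1, and no port with more than one untagged VLAN.

```python
"""802.1Q ingress/egress simulation over the three-switch port table from the thread.

Added example; not vendor code. Port memberships copy jmhmcse's table; the
inter-switch links and the PVID rule are assumptions stated in the comments.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    tagged: frozenset = frozenset()     # VLANs carried with an 802.1Q tag on this port
    untagged: frozenset = frozenset()   # VLANs carried without a tag on this port
    pvid: Optional[int] = None          # VLAN assigned to frames that arrive without a tag

    def __post_init__(self):
        # Assumption: an access port's PVID is its one untagged VLAN. A port with two
        # untagged VLANs (the 'mixed' case discouraged above) gets no PVID here.
        if self.pvid is None and len(self.untagged) == 1:
            self.pvid = next(iter(self.untagged))

    @property
    def members(self):
        return self.tagged | self.untagged


def access(vid):
    return Port(untagged=frozenset({vid}))


def trunk(*vids):
    return Port(tagged=frozenset(vids))   # assumption: trunks are tagged-only, no PVID


# Port table as posted above (switch -> port number -> Port).
SWITCHES = {
    "GS752": {9: access(11), 12: access(12), 22: trunk(11, 12), 23: trunk(11, 12)},
    "SUNROOM": {1: trunk(11, 12), 2: access(11), 3: access(11), 4: access(12), 5: access(12)},
    "NETGEAR16": {1: trunk(11, 12), 2: access(12), 3: access(12),
                  **{p: access(11) for p in range(4, 17)}},
}
# Assumed cabling between the trunk ports (both directions).
LINKS = {("GS752", 22): ("SUNROOM", 1), ("GS752", 23): ("NETGEAR16", 1)}
LINKS.update({b: a for a, b in list(LINKS.items())})


def ingress_vlan(port, tag):
    """Classify an arriving frame: untagged -> PVID; tagged -> kept only if the port is a member.
    (Simplification: ingress filtering is always on.)"""
    if tag is None:
        return port.pvid
    return tag if tag in port.members else None


def egress(port, vid):
    """(forwarded?, tag on the wire) for a frame in VLAN vid leaving this port."""
    if vid in port.tagged:
        return True, vid
    if vid in port.untagged:
        return True, None
    return False, None


def reachable(src_switch, src_port, tag=None):
    """Every (switch, port, wire_tag) that receives a broadcast sent into src_port."""
    vid = ingress_vlan(SWITCHES[src_switch][src_port], tag)
    if vid is None:
        return frozenset()                       # dropped at ingress
    delivered, visited, work = set(), set(), [(src_switch, src_port)]
    while work:                                  # tree topology, so no loop guard beyond 'visited'
        sw, inport = work.pop()
        if sw in visited:
            continue
        visited.add(sw)
        for pnum, port in SWITCHES[sw].items():
            if pnum == inport:
                continue
            fwd, wire_tag = egress(port, vid)
            if not fwd:
                continue
            if (sw, pnum) in LINKS:              # crosses to another switch: re-classify there
                nsw, nport = LINKS[(sw, pnum)]
                if ingress_vlan(SWITCHES[nsw][nport], wire_tag) == vid:
                    work.append((nsw, nport))
            else:
                delivered.add((sw, pnum, wire_tag))
    return frozenset(delivered)


def can_talk(a, b):
    """True if a host on port a=(switch, port) shares a broadcast domain with port b."""
    return b in {(sw, p) for sw, p, _ in reachable(*a)}


def audit(switches):
    """Two checks from the thread: nothing left in VLAN ID 1, no port with mixed untagged VLANs."""
    warnings = []
    for sw, ports in switches.items():
        for pnum, port in ports.items():
            if 1 in port.members:
                warnings.append(f"{sw} port {pnum}: still a member of VLAN ID 1")
            if len(port.untagged) > 1:
                warnings.append(f"{sw} port {pnum}: untagged VLANs {sorted(port.untagged)} "
                                "share one port; hosts on both can see each other")
    return warnings


if __name__ == "__main__":
    print("GS752/9 (home) -> NETGEAR16/4 (home):", can_talk(("GS752", 9), ("NETGEAR16", 4)))
    print("GS752/9 (home) -> NETGEAR16/2 (cams):", can_talk(("GS752", 9), ("NETGEAR16", 2)))
    print("audit:", audit(SWITCHES) or "clean")
```

With the posted table the simulation agrees with the advice in the thread: a home-VLAN desktop on GS752 port 9 reaches the VLAN 11 ports on both downstream switches through the tagged trunks and never a VLAN 12 port; a frame that arrives tagged 12 on the VLAN 11 access port is dropped; and a port configured with two untagged VLANs ends up with no PVID, which is the first sign that the 'mixed' layout is not what an access port should look like.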
 