Physical switches and VLANs

saltwater

Oct 6, 2019
Melbourne, Australia
I'm at the stage now where I'm planning out my network for my house currently under construction. I am going the UniFi way of doing things, will get an Edge Router X, and for my setup, I'll have two switches, one UniFi 16 port PoE+ switch and for the other a UniFi 16-24 port non-PoE switch.

Anyway, all my cameras will be hooked into the PoE switch, along with the Blue Iris computer, with about 5 or 6 ports spare. The other switch will cater for all room points.

My question is, I'm thinking of using the spare PoE ports for my UniFi Access Points but they'll be on the same switch as my camera setup. Can the 3 or 4 Access Points be separated away from the cameras using VLAN? At this point, if the answer is yes, they can be separated, I don't need a detailed how-to post (if one is forthcoming or a link, that would be appreciated). As I write this I think I'm answering my own question but still would like to put it out there.

What I'm trying to avoid is purchasing a second switch with PoE abilities, hence, extra cost.
 
As long as the UniFi 16 port PoE switch is manageable, yes...you can VLAN to your heart's content. I have somewhat the same setup but with a Ubiquiti UDM router and 48 port PoE. I do not use VLANs for the cameras, though. They are MAC address blocked from the internet. Setting up VLANs is a breeze via YouTube vids. However, one day I will put the cams on their own VLAN once I figure out firewall ports between VLANs. It is nice to have my main computer able to log in to each specific camera for firmware upgrades or fine tuning a camera.
 
Just to give you a heads up: if you are going to want to access Blue Iris camera feeds remotely, it may be easier to add a second NIC to the Blue Iris computer. One NIC for internet access, the other NIC for cameras. It's easier to do that vs trying to figure out how to have 1 port access two VLANs etc., and hardwired is always better than wireless.
 
I would normally also recommend the dual-NIC setup @gfaulk09 mentions EXCEPT you said you plan to use all Unifi equipment, and I believe you might have to be extra careful because those devices often need to be able to reach your controller software, so you may face that challenge (unless you plan to put it on the Blue Iris machine itself, I would think if you had BI connected to both networks that would solve the problem).

Another option would be to have both switches be POE, because some of those Unifi switches only have a few POE ports and the rest are regular network ports, or use the POE injectors for the AP’s (the only AP I bought CAME with an injector).

I just went the dual NIC method and dumb POE switches because it was cheaper, but your approach will look sharper in the new house it will just cost more for the uniformity.
 
Yeah.. only one device needs to have the controller software. But he will have to run an Internet cord between the 2 switches to get internet access to the access points.
Any computer can run the controller software.
 
Thanks for the information, all good and food for thought.

If considering a dual NIC setup, does that mean that the BI computer, NIC 1, is connected to a switch directly from the router, therefore has the internet, and that NIC 2 of the BI computer will be connected to another switch? This other switch then connects to and powers all the cameras. I really need to sketch it to better explain.
 
I have a similar setup for what you are trying to do, except with 40 cameras. The way I would do it: the UniFi switch will have VLAN tag 100 for cameras. So let's say you have 14 cameras. So ports 1-15 will be tagged VLAN100. You have to do 1 additional port because of the Blue Iris PC, and let's use NIC1. Ports 15-20 will be VLAN200. This will be for your access points as well as NIC2 on the Blue Iris PC. Now you won't have internet access on either of the VLANs because there's no internet coming into the switch. I would assume your edge router will be providing internet from your modem as well as being the DHCP server. All you have to do is connect your edge router to any of the ports tagged VLAN200. Doing it this way will keep your camera network isolated from your home network. Keep in mind, there will be no DHCP server on VLAN100, so you will need to set static IPs for your cameras in each camera's device settings...

Another way to do this would be subnetting your networks. But then you will have to start setting static IPs for the majority of the devices on both networks and DHCP server ranges. And it's just more complex and not worth the hassle tbh. You wouldn't need the second NIC in this case.
 
I had a quick look for electronic sketching but ended up doing it old-school, pen and paper, and photographed. This is my sketch I had in mind for my post above (#7). @gfaulk09 your post came in just as I completed my sketch, will digest your info, probably try and sketch it out. (btw, any simple sketching software out there?)
20200504_122152 - Copy.jpg
 
Almost. Except NIC1 to Switch-A (or spare Router port in a pinch), and POE NIC3 to SWITCH-B (Poe), which is also where you want your cameras connected (after all they would benefit from POE).
 
Yeah. Very close. Cameras need to be plugged directly into switch B. NIC1 needs to be plugged into switch A.
 
@crw030 & @gfaulk09 following on then, I can't see a reason why have the second NIC in the Blue Iris computer. One of the reasons for the second NIC, or so I thought, was to physically separate them from the internet, that is, the cameras could not phone home, but the Blue Iris computer has access to the internet.
 
You generally do one or the other: the dual NIC method or the VLAN method. This latest picture is doing both.

For VLANs, you put all the other stuff on the network on VLAN 1 as well as BI.
And the cameras on VLAN 2 as well as BI. The only machine that can access both VLANs is the BI machine.
If this was me, I'd plug the BI machine into the router directly for simplicity.

If the BI machine must be below switch A because of the computer's physical location, I'd probably go the dual NIC method and have the camera PoE switch not connected directly to the router.
 
^^
If your BI PC (and NIC1) are able to work with VLANs, then you won't need the second NIC. That way, your "cam VLAN" is "terminated" by your BI PC NIC 1; if there is no gateway on that VLAN, you are sure that your cams can never haul outside. Simply add the VLAN tag on NIC 1.

If your PC cannot work with tagged VLANs, you can, as drawn in your picture, add a second NIC into ANY port (switch A -OR- switch B) and put NIC 2 in the "cam VLAN". As long as your "uplink cables" (from switch_A to the router, and from the router to switch_B) are in "trunk" mode and all these VLANs are propagated, you are fine. However, bandwidth-wise, it makes sense to have it on switch_B (to speak directly towards your cameras). Personally, I would opt to "daisychain" switch_B under switch_A: routing is only needed for "outbound ISP" traffic; your managed switches know exactly where each (LOCAL) device is located at which port/neighbour port. Switches are optimised for switch-board-passing traffic, routers are optimised for "routing", so knowing this information, it would make sense to hang switch_B off switch_A to avoid dumping traffic through the router.

Hope this helps!
CC
 
If you cut the cable between the router and POE SWITCH-B you have the classic dual-NIC configuration. Your whole network can talk to the Blue Iris machine and use UI3 to view the camera feeds, and all the cameras can talk to Blue Iris, and all that video traffic is on the separate PoE network. This eliminates all security concerns with the cameras themselves.

If you go VLAN method, then I would probably only connect the Blue Iris machine to “POE SWITCH-B” and just make sure the port for the Blue Iris computer is configured to be on BOTH VLANs (Main network VLAN & camera VLAN) and the camera ports are only assigned on the camera VLAN. Then you get by with 1 NIC, and the only traffic going the “slow road” through the router (which will be plenty fast for this purpose), is the Blue Iris traffic (UI3/RDP etc). Since I’m not fully using VLANs you’d definitely want to get pointers from someone that frequently uses VLANs to get it setup right.
 
Hmm.. with all Ubiquiti equip... wouldn't it be simpler to MAC address block each camera on the WAN Out on his router?
 

That's true, but there have been rumors, with people fixing "wrong" gateway addresses in their cameras, that the camera itself spawned a new (virtual?) network address and "spoofed" some generic gateways. Falsifying MAC addresses is 2 lines of code. I prefer to simply junk all my free physical network ports into a black hole VLAN, and my cameras in another. Nothing comes in, nothing goes out, except a limited number of devices. A "deny all" rule is easier than an individual block.
 
noted. Looks like I gots some VLAN & Firewall education coming soon
 
A "deny all" rule is easier than an individual block.
I have a limited understanding of VLANs, but based on the Ubiquiti configs I've been messing around with, it APPEARS to me that if something is connected to a switch port and the PORT is assigned a VLAN, then regardless of any trickery, anything attached to that port will get tagged to the assigned VLAN.

Someone had posted some crazy attempts by a camera to escape containment, I just can't ever find that thread on these forums to refer back against. But surely one of the more potentially insidious things to have to worry about is the camera being programmed to try and find a path out of the network.
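To make the two isolation approaches discussed in this thread concrete (the per-camera MAC block at the WAN edge, versus a port-assigned camera VLAN behind a "deny all" inter-VLAN rule), here is a small toy model written for this page. It is added example code, not a configuration from any poster or from Ubiquiti. The port layout follows the plan above (ports 1-15 on VLAN 100 for cameras, ports 16-20 on VLAN 200 for the house), and every subnet, address and MAC in it is constructed for illustration. It shows why a device's own settings cannot move it off the VLAN its switch port is assigned to, and why a changed source MAC slips past a MAC block but not past a default-deny rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed port layout following the plan in the thread:
# ports 1-15 on the camera VLAN (100), ports 16-20 on the home VLAN (200).
PORT_VLAN = {port: 100 for port in range(1, 16)}
PORT_VLAN.update({port: 200 for port in range(16, 21)})

CAM_VLAN, HOME_VLAN = 100, 200
CAM_NET = ip_network("192.168.100.0/24")   # constructed camera subnet
HOME_NET = ip_network("192.168.1.0/24")    # constructed home subnet
BI_HOST = ip_address("192.168.1.10")       # constructed: Blue Iris machine on the home VLAN


@dataclass(frozen=True)
class Packet:
    ingress_port: int   # switch port the frame arrived on
    src_mac: str        # whatever the device claims as its MAC
    src_ip: str         # whatever the device claims as its IP
    dst_ip: str


def vlan_for(pkt: Packet) -> int:
    """VLAN membership is decided by the switch port, not by anything the device sends."""
    return PORT_VLAN[pkt.ingress_port]


def is_internet_bound(pkt: Packet) -> bool:
    dst = ip_address(pkt.dst_ip)
    return not (dst in CAM_NET or dst in HOME_NET)


# Approach A: per-device MAC block on the router's WAN side.
BLOCKED_MACS = {"aa:bb:cc:00:00:01"}   # constructed camera MAC


def mac_block_allows(pkt: Packet) -> bool:
    """True if the packet would leave for the internet under the MAC block."""
    if not is_internet_bound(pkt):
        return True  # the block only applies at the WAN edge
    return pkt.src_mac.lower() not in BLOCKED_MACS


# Approach B: default-deny ruleset on traffic entering the router from VLAN 100.
@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    dst: Optional[object] = None   # ip_network, or None to match any destination


# First matching rule wins; otherwise the default action applies.
CAM_IN_RULES = [Rule("accept", ip_network(f"{BI_HOST}/32"))]  # cameras may only answer the BI machine
CAM_IN_DEFAULT = "drop"


def vlan_policy_allows(pkt: Packet) -> bool:
    """Evaluate the inter-VLAN policy for a packet by its ingress VLAN."""
    vlan = vlan_for(pkt)
    dst = ip_address(pkt.dst_ip)
    if vlan == CAM_VLAN:
        if dst in CAM_NET:
            return True  # intra-VLAN traffic is switched and never reaches the router
        for rule in CAM_IN_RULES:
            if rule.dst is None or dst in rule.dst:
                return rule.action == "accept"
        return CAM_IN_DEFAULT == "accept"
    return True  # the home VLAN is unrestricted in this toy model


def evaluate(pkt: Packet) -> dict:
    """Both verdicts side by side for one packet."""
    return {
        "vlan": vlan_for(pkt),
        "mac_block": mac_block_allows(pkt),
        "vlan_policy": vlan_policy_allows(pkt),
    }


if __name__ == "__main__":
    cases = {
        "camera -> internet": Packet(3, "aa:bb:cc:00:00:01", "192.168.100.21", "8.8.8.8"),
        "camera, changed MAC -> internet": Packet(3, "de:ad:be:ef:00:01", "192.168.100.21", "8.8.8.8"),
        "camera, faked home IP -> internet": Packet(3, "de:ad:be:ef:00:01", "192.168.1.99", "8.8.8.8"),
        "camera -> Blue Iris": Packet(3, "aa:bb:cc:00:00:01", "192.168.100.21", "192.168.1.10"),
        "camera -> other home device": Packet(3, "aa:bb:cc:00:00:01", "192.168.100.21", "192.168.1.50"),
        "home PC -> internet": Packet(17, "11:22:33:44:55:66", "192.168.1.50", "8.8.8.8"),
    }
    for name, pkt in cases.items():
        print(f"{name:36} {evaluate(pkt)}")
```

The second and third cases are the ones the thread worries about: a camera that changes its MAC passes the MAC block, and a camera that configures itself with a home-network address is still on VLAN 100 because the port, not the device, decides membership, so the default-deny rule drops both.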