Simple Port based VLAN

randytsuch
Oct 1, 2016
Posting this to describe how I implemented simple, port based VLANs.


I have wanted to add VLANs to isolate my cameras from everything else, but have been putting it off because I thought it would be complicated. Turns out it was easy. Also, I did it all within one managed POE switch. This worked because I have all my cameras, BI PC and router connected to this switch. My asus router does not support VLANs, as far as I can tell.


I have a Luxul XMS-1008P switch, bought from eBay because the price was right. It is an older, obsolete 8-port managed model. It's POE (not POE+), but is well built, and does everything I could want.


This switch supports Port and 802.1Q VLAN modes. I used Port VLAN mode because it was easier. I’m sure 802.1Q would work too, and give you more options, but that’s also more stuff to mess up.


I know just enough to be dangerous, so don’t expect a lot of technical information here, this is intended more as a practical how to post.


But just a little background, on why would you want VLANs. VLANs create separate little networks, but without needing to actually make separate little networks. So I can make a VLAN for my cameras and PC, and another VLAN for PC and router. This keeps the cameras isolated from the router. But it lets the PC talk to the cameras, and the router. OK, so now on to the details.


The ports on the Luxul switch are connected as follows:

Port  Device
1     Main ASUS router
2     Blue Iris PC
3     Camera 1
4     Spare
5     Camera 2
6     Camera 3
7     Camera 4
8     Spare


I went to my Luxul switch web page, 192.168.1.xxx, where xxx is the address of the switch on your network, and logged into the switch. Any managed switch will have a web interface, which is how you set up and monitor the switch.


I went to the VLAN setup page, selected Port VLAN, and then Setup. With my Luxul switch, you just select the VLAN Group number from a dropdown list, check the little boxes for the VLAN member ports you want to include in that VLAN, and then select Apply.

After you hit apply, the updated group will show up in the VLAN Group table.


I set up my VLANs as follows:


VLAN 1 = port 1 (router) and port 2 (BI PC). This lets my PC talk to the router, and via the router the internet and the rest of my network. To do this, you obviously need to have your router connected to your managed switch.


VLAN2 = port 2, 3, 4, 5, 6, 7 and 8. This creates a VLAN of the BI PC and all of my cameras. So now the cameras can talk to each other and the PC, but nothing else. The cameras cannot talk to the router, because the router is not part of VLAN2. So security wise, the cameras cannot talk to the internet, and even if someone were to break into your network, they could not talk to the cameras. The PC can talk to the router, because of VLAN1. Ports 4 and 8 are spares and could have been left out, but if you include and add a camera later to these ports, you don’t need to change anything.

This is shown in the 2nd picture below.

Before I did this, I could see all of my cameras on my router's client list. After I applied these VLANs, and the list refreshed, the cameras were no longer there. Also, after I applied the VLANs, I could not access any camera from my laptop. Before I did this, I could.


And that’s all I had to do to create two VLANs which let the PC talk to the internet and cameras, but keep the cameras off of the internet.


So now what if you want to get at a camera from your laptop? Go log back into the switch, and go back to the VLAN setup page.

Change VLAN2 to port 1, 2, 3, 4, 5, 6, 7 and 8

By including port 1 (router) in VLAN2, you can get at the cameras from any PC in your network, and from the internet.

This is shown in the first picture below.

Just remember to change back when you’re done, so your cameras will be isolated again.


You could also make a VLAN group for each camera; my switch supports up to 10 VLAN groups.

So you could have:

VLAN 1 = port 1 (router) and port 2 (BI PC).

VLAN2 = port 2 and 3. This creates a VLAN of the BI PC and 1st camera.

VLAN3 = port 2 and 4. This creates a VLAN of the BI PC and 2nd camera.

VLAN4 = port 2 and 5. This creates a VLAN of the BI PC and 3rd camera.

Etc.


With this setup, the cameras can only talk to the BI PC; they can't even talk to each other.


This is the setup for VLANs to talk to the internet and network. Port 1 (router) is part of VLAN2.
[Screenshot: VLAN Group table with port 1 included in VLAN2]

This is the normal setup, where VLAN2 is isolated from the internet and your network except for one PC. Port 1 is NOT part of VLAN2.
[Screenshot: VLAN Group table with port 1 excluded from VLAN2]
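Added example, not part of the original post: a small Python model of the port-based VLAN rule the switch is applying, so you can check an intended port map before touching the switch. It assumes the usual port-VLAN semantics (a frame entering on one port may leave on another only if both ports are members of at least one common VLAN group), uses the port numbers from the table in this post, and encodes the three configurations described above (normal/isolated, the temporary "open" one with port 1 in VLAN2, and the per-camera one). For the per-camera configuration it pairs the PC with the actual camera ports from the table (3, 5, 6, 7), which is an assumption; the policy checked ("cameras never reach the router, the PC reaches everything") is the one the post describes.

```python
"""Port-based VLAN forwarding model for an 8-port switch (added example).

Assumed semantics: frame from port A may be forwarded to port B only if
A and B share at least one VLAN group. Port map and groups are taken
from the thread; PER_CAMERA uses the camera ports from the port table.
"""
from itertools import product

# Port -> device, as listed in the post's table.
PORTS = {
    1: "router", 2: "bi_pc", 3: "cam1", 4: "spare",
    5: "cam2", 6: "cam3", 7: "cam4", 8: "spare",
}

# Normal (isolated) configuration: router is not in VLAN2.
ISOLATED = {
    "VLAN1": {1, 2},
    "VLAN2": {2, 3, 4, 5, 6, 7, 8},
}

# Temporary "open" configuration: port 1 (router) added to VLAN2.
OPEN = {
    "VLAN1": {1, 2},
    "VLAN2": {1, 2, 3, 4, 5, 6, 7, 8},
}

# One group per camera (assumed mapping to the camera ports 3, 5, 6, 7).
PER_CAMERA = {
    "VLAN1": {1, 2},
    "VLAN2": {2, 3},
    "VLAN3": {2, 5},
    "VLAN4": {2, 6},
    "VLAN5": {2, 7},
}


def can_forward(groups, src, dst):
    """True if a frame entering on port src may be delivered out port dst."""
    if src == dst:
        return False
    return any(src in members and dst in members for members in groups.values())


def reachability(groups, ports=PORTS):
    """All ordered (src, dst) port pairs that can exchange frames."""
    return {(a, b) for a, b in product(ports, repeat=2) if can_forward(groups, a, b)}


def _ports_by_role(ports):
    cams = [p for p, d in ports.items() if d.startswith("cam")]
    router = next(p for p, d in ports.items() if d == "router")
    pc = next(p for p, d in ports.items() if d == "bi_pc")
    return cams, router, pc


def violations(groups, ports=PORTS):
    """Port pairs that break the post's policy.

    Policy: no camera may reach the router in either direction, and the
    Blue Iris PC must reach the router and every camera.
    """
    cams, router, pc = _ports_by_role(ports)
    bad = []
    for c in cams:
        if can_forward(groups, c, router) or can_forward(groups, router, c):
            bad.append(("camera reaches router", c, router))
    if not can_forward(groups, pc, router):
        bad.append(("pc cannot reach router", pc, router))
    for c in cams:
        if not can_forward(groups, pc, c):
            bad.append(("pc cannot reach camera", pc, c))
    return bad


def cameras_isolated_from_each_other(groups, ports=PORTS):
    """True if no two cameras share a VLAN group (the per-camera layout)."""
    cams, _, _ = _ports_by_role(ports)
    return not any(can_forward(groups, a, b) for a in cams for b in cams if a != b)


if __name__ == "__main__":
    for name, cfg in [("isolated", ISOLATED), ("open", OPEN), ("per-camera", PER_CAMERA)]:
        print(f"{name:10s} violations={violations(cfg)} "
              f"cameras_see_each_other={not cameras_isolated_from_each_other(cfg)}")
```

Running it shows the isolated and per-camera layouts pass the policy, the "open" layout reports every camera as reachable from the router (which is the point of that temporary change), and only the per-camera layout keeps cameras from seeing each other. Swap in your own PORTS map and groups to check a different switch before applying it.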
 
I wanted to do exactly what this thread is describing. Bought a Cisco managed switch only to find out that it doesn't work with a Cisco switch. It lets you configure a port into multiple VLANs, but it will only talk to one of them if it's an untagged port (which is how it needs to be for the setup in this thread).
 
I wanted to do exactly what this thread is describing. Bought a Cisco managed switch only to find out that it doesn't work with a Cisco switch. It lets you configure a port into multiple VLANs, but it will only talk to one of them if it's an untagged port (which is how it needs to be for the setup in this thread).

When I was looking into VLANs, I noticed Cisco switches are different to set up, but since I don't have one, I didn't spend much time looking at how to do it. Are you sure you can't do this with a Cisco switch? It's surprising to me.
 
I setup ntp a little while ago, I picked some atomic clock time server. My BI PC has access to the internet, so time syncing seems to work fine.
How do the cameras time sync? Assuming direct to disk, the overlay must come from the camera. I know it is possible, I am just asking how to do it?
Thanks
 
How do the cameras time sync? Assuming direct to disk, the overlay must come from the camera. I know it is possible, I am just asking how to do it?
Thanks

Cameras do the overlay, but this is really off topic.
You can either PM me, or start another thread to get help. Sorry but I don't want to turn this into a time sync thread.
 
My cameras are all static, but I need to go look where this is defined, at the camera or at the router. Think I'm doing it at the camera.

Good point, if the cameras can't see the router, then DHCP will have a problem since most use the router as the DHCP server.
Wonder what would happen if the router used one of those addresses for another device? Shouldn't be any conflict since the devices can't talk to each other anyway.

The best thing to do would be to use addresses outside the router's DHCP range for your cameras. No possibility for any conflicts.
 
I was just reading this thread
Cisco 300 series managed POE switches

Based on Nayr's 2nd post there, I think my setup works because I'm using a PC, and my PC can figure out how to deal with multiple VLANs.
If I was using a NVR, I don't think this would have worked.
Another reason to use PCs over dedicated NVRs :)
 
Hi Randy. Actually your PC has nothing to do with the VLAN routing and an NVR would work just as well.

The magic of the VLAN is happening in your switch. It determines where the packets are allowed or not allowed.
You can read about 802.1Q and learn about how the packets are "tagged" in the data header by the switch.

I have the same ASUS WAN router as you and you may recall I purchased the TP Link TL-SG108PE managed switch you pointed out.
It created VLANs for me using the 802.1Q standard. I would guess your switch is doing something very similar: creating VLANs you define and then performing layer 3 routing of inter-VLAN traffic.

Very cool stuff. I enjoy learning about it.
 
802.1Q is VLAN trunking; it lets multiple VLANs travel between two ports. You would need it for the connection from the switch to the router if you wanted all the VLANs to have internet, or you wanted to do firewall rules for the different VLANs and stuff like that. You wouldn't want to make the port to a camera a trunk port, since the camera only works on one VLAN. If BI is on the VLAN with the cameras and you have blocked that VLAN from the internet, you'd need a second port on the BI machine to go into another VLAN, OR a firewall rule that allows the BI machine and nothing else. You really don't need the cameras on their own VLAN to block the internet; you can do all of this with firewall rules, I do it. All depends on what your gear can do: Cisco managed switches (layer 3 switches) can do it, layer 2 switches cannot do firewall rules because layer 2 switches only look at hardware MAC addresses and not IP addresses.
 
This was a helpful thread. I bookmarked it a while back knowing I'd need it.
Now that my cameras are on the way, I'm setting things up.
I have a Netgear Prosafe switch that I setup using your instructions. Easy. Thanks randytsuch.
 
802.1Q is VLAN trunking; it lets multiple VLANs travel between two ports. You would need it for the connection from the switch to the router if you wanted all the VLANs to have internet, or you wanted to do firewall rules for the different VLANs and stuff like that. You wouldn't want to make the port to a camera a trunk port, since the camera only works on one VLAN. If BI is on the VLAN with the cameras and you have blocked that VLAN from the internet, you'd need a second port on the BI machine to go into another VLAN, OR a firewall rule that allows the BI machine and nothing else. You really don't need the cameras on their own VLAN to block the internet; you can do all of this with firewall rules, I do it. All depends on what your gear can do: Cisco managed switches (layer 3 switches) can do it, layer 2 switches cannot do firewall rules because layer 2 switches only look at hardware MAC addresses and not IP addresses.

OK, I think I am with you until the "second port on the BI machine". You mean another physical connection, like two NICs?

Currently, by using the 802.1Q option on the little TP-Link managed switch, I am achieving having the cameras on one VLAN with the BI machine. The ASUS WAN router is on another VLAN, also with the BI machine. Cameras are isolated from the internet. BI PC can see the internet and cams. Only one NIC (port).

Seems to work. I ran around with a laptop using ping to verify.
 