VLAN design example

[reflection]

This post is for Slugger who was asking me some questions.

First, congrats on picking an enterprise switch, but also, good lucky on your learning journey. This just an example of how you might set it up. Most enterprises would choose a similar design rather than doing dual NICs.

Think of your 48-port switch as three 16 port switches as drawn in the diagram. Each VLAN is its own domain. One for IoT, one for cameras, and one for home. You can break up your switch into many smaller switches. It could be six 8-port switches. Or maybe a 5-port for IoT, 16-port for cameras, and the rest for Home.

The layer 3 switch allows it to route traffic between the VLANs (the smaller "virtual" switches). You also are able to create rules to filter traffic between VLANs. See my post here for an example of what kind of rules you might consider: Whitelist firewall settings for BlueIris

I'm not going to discuss the pros and cons of an enterprise switch, you can read that here: Switch choices....pros/cons of an Enterprise switch. A layer 3 managed switch is required.

These are the pros and cons of a VLAN design with inter-VLAN routing vs a dual NIC BlueIris design with separate switches.

Starting off with the Cons:
- more of a learning curve. Easier to understand physical switches than "virtual" switches.

Pros:

• more flexibility in terms of creating many switching domains.
• allows you to directly access and view cameras from home network. You don't have to RDP to BlueIris to access cameras. You can save screen captures directly. Recommend applying the appropriate ACLs to allow this to happen as well as block unwanted traffic to/from cameras.
• you don't have to physically touch a device to "move" it. You can change a device from VLAN to VLAN. Example: yesterday I added a new camera. My switch is in the basement but I have a drop in my office. I plugged in my Dahua into my wall jack, put that particular switch port to my "prep" VLAN. This prep VLAN is on the 192.168.1.x subnet. I'm able to connect to 192.168.1.108 from my laptop and change its IP to my camera VLAN. Then I connect to my switch and change that switch port to the camera VLAN and finish setting up my camera.
• allows you to do a dual IP design with one NIC (in this case you would trunk to your BI machine).
• allows you to trunk VLANs to Wireless APs. This way you can have an SSID per network. So you don't need a WAP per network. Cisco WAP config for dual VLAN/SSID example
• the switch can acts as your NTP and DHCP server.

Arguments against:

• one might say that a Con is no physical separation between the Camera VLAN and the Home VLAN. However VLAN separation is used in all Enterprises and Govt. In addition, you can employ security features such as 802.1x, mac filters, spoof guard, storm control, etc. Definitely apply the appropriate ACLs at a minimum.
• VLANs have no encryption. Technically this is true, but the only time you will see a VLAN tag is in a trunk interface. Most users will not use a trunk and my example below does not use any trunks. The switch ports that connect to your PC, router, and cameras are "access" ports. They will not have a VLAN tag and the end devices cannot hop to another VLAN. Also, with port security enabled, it even more secure.
• Someone could hack the switch. Yes, that is always a possibility, but along the same lines, someone could hack your BI machine. There are probably more vulnerabilities with Windows.
• you have a single point of failure with one switch. This is a different design discussion. A VLAN design does not restrict you to one switch. You can have a VLAN design with multiple switches trunked together.

 

[Slugger]

This post is for Slugger who was asking me some questions.

First, congrats on picking an enterprise switch, but also, good lucky on your learning journey. This just an example of how you might set it up.

Think of your 48-port switch as three 16 port switches as drawn in the diagram. Each VLAN is its own domain. One for IoT, one for cameras, and one for home. You can break up your switch into many smaller switches. It could be six 8-port switches. Or maybe a 5-port for IoT, 16-port for cameras, and the rest for Home.

The layer 3 switch allows it to route traffic between the VLANs (the smaller "virtual" switches). You also are able to create rules to filter traffic between VLANs. See my post here for an example of what kind of rules you might consider: Whitelist firewall settings for BlueIris

I'm not going to discuss the pros and cons of an enterprise switch, you can read that here: Switch choices....pros/cons of an Enterprise switch. A layer 3 managed switch is required.

These are the pros and cons of a VLAN design with inter-VLAN routing vs a dual NIC BlueIris design with separate switches.

Starting off with the Cons:
- more of a learning curve. Easier to understand physical switches than "virtual" switches.

Pros:

• more flexibility in terms of creating many switching domains.
• allows you to directly access and view cameras from home network. You don't have to RDP to BlueIris to access cameras. You can save screen captures directly. Recommend applying the appropriate ACLs to allow this to happen as well as block unwanted traffic to/from cameras.
• you don't have to physically touch a device to "move" it. You can change a device from VLAN to VLAN. Example: yesterday I added a new camera. My switch is in the basement but I have a drop in my office. I plugged in my Dahua into my wall jack, put that particular switch port to my "prep" VLAN. This prep VLAN is on the 192.168.1.x subnet. I'm able to connect to 192.168.1.108 from my laptop and change its IP to my camera VLAN. Then I connect to my switch and change that switch port to the camera VLAN and finish setting up my camera.
• allows you to do a dual IP design with one NIC.
• allows you to trunk VLANs to Wireless APs. This way you can have an SSID per network. So you don't need a WAP per network. Cisco WAP config for dual VLAN/SSID example
• the switch can acts as your NTP and DHCP server.

Arguments against:

• one might say that a Con is no physical separation between the Camera VLAN and the Home VLAN. However VLAN separation is used in all Enterprises and Govt. In addition, you can employ security features such as 802.1x, mac filters, spoof guard, storm control, etc. Definitely apply the appropriate ACLs at a minimum.
• you have a single point of failure with one switch. This is a different design discussion. A VLAN design does not restrict you to one switch. You can have a VLAN design with multiple switches trunked together.

View attachment 66113

Thanks a lot @reflection. I’ve decided to go with the vlan-tagging.

I will start with configuring the vlans on the switch. I have your instructions on doing that.

And I have decided not to implement any virtual machines on the BI PC. I am just going to get a dedicated Qotom box and run Pfsense on it instead...eventually. But to start I’m just going to use the Linksys Velop nodes I already have running as my router.

And I already bought a 4 port NIC for the BI PC that I will install. But I guess it’s not really needed now.

So what order would you go about this if I want to wait a few weeks or months to get Pfsense router going? Maybe I do the vlans with a simple dual nic setup first?

Regarding the DHCP server. Do you recemmend that my switch act as the DHCP server? Do I need to configure that? How does that work with the multiple vlans on the same switch?

 

[reflection]

Regarding the DHCP server. Do you recemmend that my switch act as the DHCP server? Do I need to configure that? How does that work with the multiple vlans on the same switch?

Yes, for home use, the switch works fine as a DHCP server. For multiple VLANs, here is an example of doing it for three VLANs. You will have to have the IP address for the vlans set up.

interface vlan 2
  ip address 192.168.2.1 255.255.255.0

interface vlan 3
  ip address 192.168.3.1 255.255.255.0

interface vlan 4
  ip address 192.168.4.1 255.255.255.0

ip dhcp pool home-net
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
ip dhcp pool IOT-net
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
!
ip dhcp pool guest-net
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 8.8.8.8
!

 

[reflection]

And I already bought a 4 port NIC for the BI PC that I will install. But I guess it’s not really needed now.

So what order would you go about this if I want to wait a few weeks or months to get Pfsense router going? Maybe I do the vlans with a simple dual nic setup first?

Sure, you can set it up like this. Blueiris is connected to both VLANS using physical ports. In this example, for the Camera VLAN, you don't need to configure an IP address. And the cameras would have no gateway. The Camera VLAN would not be routable (isolated and not particpate in inter-vlan routing).

You can add the routing later if you want.

 

[RevJoe]

What switch did you get?

 

[reflection]

He got this switch:

@reflection can you direct me to the post where you go into more detail? I just got me this on eBay for $110!:
Cisco WS-C3750X-48PF-S 48-Port Gigabit IP Base Switch w/ 1x C3KX-PWR-1100WAC

Great switch with 800W PoE budget.

 

[RevJoe]

Nice

 

[Valiant]

Nice post Reflection. Here's a question for you-

Is there a performance penalty for traffic that goes across the vlans internal to the switch ?. My understanding is that the traffic between vlans goes via the switch CPU which may impact performance compared to traffic in the same vlan/broadcast domain.

People here have experienced problems when their cameras are connected to their recorder/nvr via a home router. For this reason they are advised to keep camera traffic on the one switch. I guess enterprise grade equipment should have no issue. In your first diagram, Blue iris is connected to the Home vlan only. In the second diagram (post 4) , it's connected to both Home and camera vlans and performance in this set up may be slighter better.

 

[Slugger]

He got this switch:



Great switch with 800W PoE budget.

Yep. I’m really excited to get it going. Hoping it will easily handle my ever growing home network needs for years to come. I’ve never had a managed switch at home so I’m looking forward to learning and taking more control of things...

 

[Slugger]

Sure, you can set it up like this. Blueiris is connected to both VLANS using physical ports. In this example, for the Camera VLAN, you don't need to configure an IP address. And the cameras would have no gateway. The Camera VLAN would not be routable (isolated and not particpate in inter-vlan routing).

You can add the routing later if you want.


View attachment 66117

Thanks again @reflection for all the advice and literal instructions. Really helpful... and I love the diagrams too...

 

[reflection]

Nice post Reflection. Here's a question for you-

Is there a performance penalty for traffic that goes across the vlans internal to the switch ?. My understanding is that the traffic between vlans goes via the switch CPU which may impact performance compared to traffic in the same vlan/broadcast domain.

People here have experienced problems when their cameras are connected to their recorder/nvr via a home router. For this reason they are advised to keep camera traffic on the one switch. I guess enterprise grade equipment should have no issue. In your first diagram, Blue iris is connected to the Home vlan only. In the second diagram (post 4) , it's connected to both Home and camera vlans and performance in this set up may be slighter better.

Right, an enterprise switch like what Slugger got would have no problem doing inter-VLAN routing. If one decides to create two VLANs and hairpin the traffic through a home router, the router may have a hard time keeping up - not sure. I'm sure it depends on the router model.

Personally, I have a design similar to what is described in the second diagram, but I'm Blue Iris as a VM, so BI has two virtual NICs. I can still my reach the cameras from other devices because I allow my camera VLAN to route out and I have ACLs on that VLAN to whitelist it.

 

[Slugger]

Yes, for home use, the switch works fine as a DHCP server. For multiple VLANs, here is an example of doing it for three VLANs. You will have to have the IP address for the vlans set up.

interface vlan 2
  ip address 192.168.2.1 255.255.255.0

interface vlan 3
  ip address 192.168.3.1 255.255.255.0

interface vlan 4
  ip address 192.168.4.1 255.255.255.0

ip dhcp pool home-net
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
ip dhcp pool IOT-net
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
!
ip dhcp pool guest-net
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 8.8.8.8
!

@reflection (and any others with experience) - I know I went MIA for awhile but I've finally found a little time to work on this. I got the switch running and one camera working in a test scenario. Here's the outline of what i've done so far. I'm slowly learning the Cisco CLI commands but I have a few questions on the networking side. Please offer any advice or pointers. For now, I've just decided to enable vlans on the switch and run a dual NIC setup on the BI PC without doing any vlan routing just yet. I'll be using my Linksys Velop nodes as a router for the first few months until it is replaced with a dedicated pfSense box. I plan to enable vlan routing in the future and as needed but for now i'm just trying to keep it simple to get my network and cameras going.

I got 5 of the DH-IPC-HDW5442TMP-ASE from Jimbu security on AliExpress. He crushed Andy's price and also delivered them DHL in 5 days.

Here's what all I've done (in order):

• installed 4 port NIC on BI PC (it is also connected to guest wifi network)
• installed BI on PC
• on switch that is NOT connected to router yet:

erased all files on flash: except for OS (current version was 15.0(2)SE10a)
rebooted then created hostname and banner
enabled and set secret password
set line console 0 password
set VTY password
encryped service password
enabled synchronous logging
rebooted then created Vlan100, 200, 300, 400 and assigned ports to one of the vlans (12 to each vlan) using your instructions from here: PoE Switch Suggestion List
set ip addresses as instructed above
set dhcp pool for each vlan as instructed above
show vlan (looks correct)
show running-config (looks correct)
copy running-config startup-config
rebooted

• tested DHCP on different vlans using BI PC and it is issuing correct IP addresses and Default gateways for each respective VLAN
• connected PC NIC port 1 to camera vlan
• connected camera1 to camera vlan (which I set up to be 192.168.1.1 and DHCP pool 192.168.1.0)
• went to 192.168.1.108 and logged into camera
• changed camera password
• changed camera to static IP 192.168.1.201 255.255.255.0 192.168.1.1 8.8.8.8
• added camera to BI without changing much from defaults (I will read details later on setting them up better later)
• camera ran through the night and seemed to record and work properly

So now here's my questions:

1) What all do I need to do to ensure these cameras can't get on the internet?

• My BI PC is connected to my router via wifi and it will soon be connected to my home vlan on the switch using a dedicated NIC port 5 which will receive a DHCP address on the home vlan of 192.168.2.x and a default gateway of 192.168.2.1 (IP address of the home vlan). Wifi will then be disabled.
• NIC port 1 is already connected to the camera vlan and has therefor received a 192.168.1.x DHCP address as it should. As instructed, I configured the DHCP server to issue a default gateway that equals the IP address of the respective vlan (for example the camera vlan IP is 192.168.1.1 so the NIC port 1 received that same address as a default gateway)
• And I will soon connect my router to the switch (on home vlan port???)

So I believe I have the networks correctly separated and receiving the correct addresses but is there any way the cameras will be able to access the internet via the BI PC? Do I need to create firewalls in the BI PC to prevent this type of thing? Or is simply having them connected to different NICs configured with the seperate VLAN IPs and default gateways enough to prevent them from gaining internet access? (pardon my ignorance here, probably not explaining this well)

2) What all do I need to do in order to connect the switch to my linksys velop router nodes and give my home vlan access to the internet? Do I need to change the DHCP default gateway issued by the switch for this vlan?

3) Do I need to configure a default gateway for the switch in general (youtube videos showed this as part of a starting config for a flat network)

4) Anything else I should configure in the switch for now?

5) Do you recommend updating the firmware in the cameras? These ASE models are relatively new so I'm unsure if I should use firmware posted here.

Sorry for the LOOOONG post. Thanks for reading and as always being a huge help! I'm getting pretty pumped to get this all working

 

[reflection]

1) If you don't want your camera to access the anything beyond its vlan....when you set static IP addresses for your cameras, do not set a gateway. Your cameras will not know how to go beyond the subnet. Also, you don't need DHCP for the camera network. Set a static IP address for your BI PC on the camera VLAN. Also, you can remove the IP address on the switch for the camera vlan (192.168.1.1).
1b) If you want to reach your cameras from your home vlan, but don't want the cameras to reach the internet....add an ACL on the camera VLAN. I think I posted the rules in another posting.
2) disable the DHCP server on the switch for your home VLAN. Change your switches home vlan IP to 192.168.2.2. Connect your linksys to your home VLAN and let the linksys DHCP server provide addresses to 192.168.2.0/24. Your linksys should be 192.168.2.1. Your BI PC will have another IP address on the 192.168.2.x subnet.
3) youtube is great! Eventually, once you start doing inter vlan routing, you will probably setup up a default route on your switch to point to the Linksys.
4) good job so far.
5) I don't know anything about your supplier, but I would not upgrade unless you have an issue or need a feature.

 

[Slugger]

) If you don't want your camera to access the anything beyond its vlan....when you set static IP addresses for your cameras, do not set a gateway. Your cameras will not know how to go beyond the subnet. Also, you don't need DHCP for the camera network. Set a static IP address for your BI PC on the camera VLAN. Also, you can remove the IP address on the switch for the camera vlan (192.168.1.1).
1b) If you want to reach your cameras from your home vlan, but don't want the cameras to reach the internet....add an ACL on the camera VLAN. I think I posted the rules in another posting.

Ok. Awesome. Thanks for the quick reply. I still need to figure out how I’m going to view the cameras but I’m thinking that as long as I have access to the BI PC from my home vlan that will be sufficient. I will be able to control my BI PC from my office to do camera config from it so at this point I think I’m OK not accessing the actual cameras from my home vlan. I’ll do it how you describe above in 1) and revert to 1b) adding an ACL if I have a need

 

[Slugger]

I’m about to leave town for several days but I plan to implement your 2) suggestions when I get back. Stay tuned for updates (and I’m sure another question or two ). THANKS AGAIN!!!

 

[Bigasspimp]

Slugger and Reflection

I have sent both of you a PM..... if you can hit me there if you would please.