When I first setup IP cameras over 2 years ago, I purchased a Cisco PoE switch. I didn't need a managed switched, but at the time, it was the only PoE switch I could find without a fan (I probably should have looked harder). The switch has so many options like locking down ports based on MAC address, VLAN tagging, even some routing capabilities.
I thought about setting up a VLAN to isolate the camera traffic so that only the server recording the video could access the cameras, but decided against it as I couldn't quite figure out all the pieces and didn't see the point in doing so.
After purchasing the EdgeRouter Lite, I had to setup a VLAN for my guest network in order to prevent guest users from having access to the rest of my network. I don't have too many guests over, but I figured it was a good idea and in order to emulate my Time Capsule, I set it up.
Over the past few weeks, I've been testing out an enterprise grade WiFi access point (more on this in a future post) and one of the features it has is the ability to assign a VLAN to a wireless network. Since I already had experience setting up a VLAN, I started playing with this feature and thought about using a VLAN for my WLAN traffic. Why would I do this? That's a really good question. As this is my home network, I wanted the wireless clients to be able to access resources on the wired network and vice versa. A VLAN is designed to isolate traffic and by trying to combine the networks, I was basically defeating a main reason to use a VLAN. However, I went ahead with my experimentation and was able to put wireless clients on a VLAN. The setup was easy and my clients connected. However, I couldn't use auto discovery like mDNS and UPnP that many services use on a home network.
mDNS was solved using:
configure
set service mdns reflector
commit
save
exit
and this post got UPnP discovery working. I did have some high CPU load on my router with this however.
I got everything working and was fairly pleased (except for the high CPU usage on the router). A Ubiquiti employee pointed out the obvious to me that doing what I wanted defeated the purpose of a VLAN, so I really started thinking about what I was trying to do. I love statistics, so I guess I really just want to know how much traffic is going over the wireless network.
The other reason for doing VLANs is to handle more than 254 (or so) devices on a network. My home network currently has 38 devices, so I haven't hit this limit, yet. If I was running a small business, I'm sure that I could hit this limit fairly quickly and VLANs would make a lot of sense. In that case, the mDNS reflector and UPnP broadcasting could bog down the router. In addition, in order to route traffic to a VLAN, the traffic has to go through a router and that will increase load on the router.
So, I've learned a bit about VLANs, UPnP, and mDNS. I haven't accomplished anything in this experiment as my network still works the same way as it did before I started this.
Comments
February 23rd, 2017
Bill
Hi
I am considering managed switch(es) primarily because I am a networking student and want some hands on with the theory I am doing, but wondered if the features would be practical for home, and to do so would I need two? I have a 16 port in the living room for all the entertainment gear and 2 8 ports in the office/computer room but need to upgrade at least one to a 16 port so now may be the time to make the switch…LOL pun intended.
Any further discoveries in your own experiences or opinions? Anything would be appreciated.
Thanx
February 23rd, 2017
Scott Gruby
Hi Bill,
I’ve actually swapped out all my switches to managed Ubiquiti UniFi switches (a 16 port PoE switch and a 24 port non-PoE switch). The managed switches let me monitor traffic on each port, but also let me assign VLANs to each port. I’ve been gradually separating out traffic for different purposes. For instance, all my cameras are run on a separate VLAN so that they can’t talk to the Internet (inbound or outbound) and all my IoT devices can only talk to the Internet (and not my LAN). For a home network, this is definitely overkill, but I like keeping an eye on everything.
I really like the UniFi gear because there is central management over the switches, access points, and router (I’m replacing my EdgeRouter Lite with a USG soon).
The managed switches are definitely not cheap, but I’ve been pretty pleased with them.
February 23rd, 2017
Bill
Hi Scott
Yeah I get the overkill but I’m into it as well. I’m thinking I’d segment my NAS’s, certain devices, my own cameras, gaming….it will be a learning experience you have gone through. I decided today to order a Zylex 16 port fanless simply because it was a low entry level price but the reviews are good. The only thing it is really lacking is PoE. If it works out I’ll get a second, which I am sure it will. If you don’t mind I might pick your brain when I get going if I get stuck.
I am not sure how much improvement I will see relative to my service, but that is the point of it all. I am on fiber and just upgraded to 150Mb service which is already coming in at 175+. Tx for getting back to me.
February 23rd, 2017
Scott Gruby
I suspect you won’t see any improvement, but the VLANs could give you piece of mind segmenting off traffic.
Have fun!
February 25th, 2017
Bill
Hi Scott
This may sound like a stupid question…hoping against hope….my router does not support VLAN right now. If I can get a tech to give me access I might be able to enable it. In the meantime I was under the impression I could communicate between VLANs on the same one switch and out the router and back in on each VLAN. Two switches for sure would need a trunk which involves an enabled router. I am not so sure now and getting confused. If I am okay for now I will either have to enable it on the ISP router or get my own down the road because I will get at least one more switch. I have connected the switch to a little netbook without internet access just to familiarize myself with the configuration and actually read the manual! ;-) So am I SOL for running VLANs on this one switch with my router in it’s current state?
Tx
February 25th, 2017
Scott Gruby
Hi Bill,
I’m not familiar with using VLANs without a router. The way my network is setup is that all the VLAN traffic comes through the router to goto another VLAN. I don’t have any traffic that stays within a VLAN.
If you don’t have control of your router, I’d definitely recommend trying to get a different router that does VLANs and you can control. Many home routers either don’t have the ability to do VLANs or don’t expose it. The Apple routers have a VLAN for the Guest Network, but it is hidden from the user.
Good luck!