
Understanding VLANs

JustonG

Hello,

I have been browsing the topics under the Networking section, and I have been unable to find anything geared toward...well my gear.. 😞 I currently have a Netgear GS724TPv2 24-port PoE switch, and I am wanting to split everything I have connected into a couple of VLANs, a VLAN for my PCs, one for my security cameras, and so on. But I'm failing to understand how to configure VLANs on my particular switch. I have looked at several videos and read several articles, and I guess I'm just not getting it 😞 Could someone assist?

Thanks!


https://kb.netgear.com/11673/How-do-I-setup-a-VLAN-trunk-link-between-two-NETGEAR-switches?language=en_US seems to show most of the config pages used.

There are some general "beginner rules" to be aware of:

  • Set up the rest of your LAN as if you have a switch for each network (subnet), and a router between each network.
  • Set up your switch VLAN config before moving on to assign ports to a VLAN
  • Assign each port on the switch to the VLAN the item it's connected to should be in
  • Don't tag ports unless they are attached to a VLAN-aware device, and that device needs access to more than 1 VLAN (for example your NVR if it only has 1 NIC)
  • Once everything is working as expected in its own VLAN, move on to inter-VLAN routing and connect them together.

So, I'll do a quick config example, with a server and NVR with one NIC, 4 cameras, and a couple of PC's all on the same LAN.

  • Using 10.0.10.0/24 for VLAN 10 (cameras)
  • Using 10.0.20.0/24 for VLAN 20 (pc's)
  • Put ports 17-24 in VLAN 10
  • Put ports 2-16 in VLAN 20
  • Put port 1 in VLAN's 10 and 20, set it as tagged*
  • Plug NVR/Server into port 1, set up two virtual interfaces, one in VLAN 10 one in VLAN 20, configure appropriate IP's*
  • Plug Cameras into ports 20-24, set appropriate IP's
  • Plug PC's in to ports 4&5, set appropriate IP's

To set-up inter-VLAN routing on the switch so PC's can reach and interact with cameras directly:**

  • Assign 10.0.10.253 and 10.0.20.253 to separate SVI's (switched virtual interfaces)
  • Allow the switch to forward (route) between the two IP's***
  • Add static routes to 10.0.{10,20}.0/24 to machines that need them via the SVI addresses.

I know it's quite a long and wordy description, just start small like moving some cameras onto their own VLAN, make sure your admin PC can't reach them, then physically move the admin PC into the same VLAN (by changing switchports and reconfiguring its IP (or setting multiple IP's)), and check your isolation is working as expected.

*If you have the NICs on your NVR/Server, then it's better to plug it in twice, one NIC for each VLAN, and don't tag any switchports (keeps your camera traffic away from the rest of the server's functions)

** You can set a switch up to do this itself, but routing that you'd need to use the switch as a gateway of last resort happens in software, not hardware, and doing it on switches isn't a good idea until you start spending silly money, and even then that's what routers are for so...

*** The nomenclature surrounding this differs between manufacturers, but https://kb.netgear.com/24755/How-do-I-configure-VLAN-Routing-on-a-smart-switch?language=en_US should cover it.


okay, on the devices I want on say, VLAN 20, do I configure the IP addresses on those devices first?


On 6/13/2022 at 5:43 PM, JustonG said:

okay, on the devices I want on say, VLAN 20, do I configure the IP addresses on those devices first?

Your device can either be directly connected to a VLAN (the device is unaware of any VLAN config) - this is where your switchport is in a VLAN in an UNTAGGED mode.. or you can set a switchport to TAGGED mode.. which means the device connected needs to be capable of providing the VLAN number itself

Most devices do not have built-in VLAN support and thus you are stuck with UNTAGGED VLANs on the switchports.. if you run for example Hyper-V or ESX (or any of the others) you can set up a VLAN at VM level or virtual switch level.. and keep the port at TAGGED (in which you can put multiple VLANs for a single port)
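The port layout Ralphred posted (cameras on ports 17-24 in VLAN 10, PCs on ports 2-16 in VLAN 20, the NVR on tagged port 1, SVIs at 10.0.10.253 and 10.0.20.253) and the untagged-vs-tagged distinction in the reply above can both be checked against a small model of how an 802.1Q switch classifies and forwards frames. The following is an added example written for this thread, not code from the forum or from Netgear: it models a port-based VLAN switch in Python, loads that layout, and answers the isolation questions Ralphred suggests testing (can a PC reach a camera at layer 2, does the NVR's tagged port see both VLANs, does a PC reach a camera's subnet only once inter-VLAN routing is switched on). The PVID of 1 on the trunk port and the idea that a tagged frame for a VLAN the port is not a member of is dropped are assumptions about typical switch defaults, not something the thread states.

```python
"""Toy model of 802.1Q port-based VLAN forwarding on a small managed switch.

Added example for the thread, not vendor code. Port numbers and subnets follow
Ralphred's post; PVID 1 on the tagged port is an assumed default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    pvid: int                                  # VLAN given to frames that arrive without a tag
    untagged: set = field(default_factory=set)  # VLANs this port sends out untagged
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag


class Switch:
    """Port-based VLAN switch with optional inter-VLAN routing via SVIs."""

    def __init__(self):
        self.ports = {}
        self.svis = {}        # vlan id -> IPv4Network that the SVI sits in
        self.routing = False  # inter-VLAN routing enabled on the switch?

    def access_port(self, num, vlan):
        # Untagged member of exactly one VLAN: the attached device is VLAN-unaware.
        self.ports[num] = Port(pvid=vlan, untagged={vlan})

    def trunk_port(self, num, vlans, pvid=1):
        # Tagged member of several VLANs; untagged frames still land in the PVID (assumed 1).
        self.ports[num] = Port(pvid=pvid, tagged=set(vlans))

    def add_svi(self, vlan, cidr):
        self.svis[vlan] = ip_network(cidr, strict=False)

    def ingress_vlan(self, port, tag=None):
        """Classify an arriving frame. Returns the VLAN id, or None if the frame is dropped."""
        p = self.ports[port]
        if tag is None:
            return p.pvid
        # Ingress filtering (assumed): a tagged frame is only accepted on a tagged member port.
        return tag if tag in p.tagged else None

    def egress(self, vlan, port):
        """How this port would send a frame of that VLAN: 'untagged', 'tagged', or None."""
        p = self.ports[port]
        if vlan in p.untagged:
            return "untagged"
        if vlan in p.tagged:
            return "tagged"
        return None

    def l2_reachable(self, src_port, dst_port, tag=None):
        """Can a frame entering src_port be delivered out dst_port without any routing?"""
        if src_port == dst_port:
            return False
        vlan = self.ingress_vlan(src_port, tag)
        return vlan is not None and self.egress(vlan, dst_port) is not None

    def l3_reachable(self, src_ip, dst_ip):
        """Hosts in the same SVI subnet talk directly; different subnets need routing on."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        src_net = next((n for n in self.svis.values() if src in n), None)
        dst_net = next((n for n in self.svis.values() if dst in n), None)
        if src_net is None or dst_net is None:
            return False           # no SVI in that subnet: the switch cannot route it
        if src_net == dst_net:
            return True
        return self.routing


def build_example():
    """Ralphred's layout: cameras VLAN 10 on 17-24, PCs VLAN 20 on 2-16, NVR tagged on 1."""
    sw = Switch()
    for p in range(17, 25):
        sw.access_port(p, 10)
    for p in range(2, 17):
        sw.access_port(p, 20)
    sw.trunk_port(1, [10, 20])
    sw.add_svi(10, "10.0.10.253/24")
    sw.add_svi(20, "10.0.20.253/24")
    return sw


if __name__ == "__main__":
    sw = build_example()
    print("PC on port 4 -> camera on port 20 at L2:", sw.l2_reachable(4, 20))
    print("camera on port 20 -> NVR on port 1:", sw.egress(sw.ingress_vlan(20), 1))
    print("NVR untagged frame reaches PC?", sw.l2_reachable(1, 4))
    print("PC subnet -> camera subnet, routing off:", sw.l3_reachable("10.0.20.5", "10.0.10.21"))
    sw.routing = True
    print("PC subnet -> camera subnet, routing on:", sw.l3_reachable("10.0.20.5", "10.0.10.21"))
```

The point the model makes visible is the one in the reply above: an untagged (access) port hides the VLAN from the device entirely, while the tagged port only carries a VLAN the device itself labels. An untagged frame from the NVR on port 1 falls into the PVID and reaches nothing in either VLAN, which is the usual symptom of a host that has not had its virtual interfaces configured yet.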


On 6/13/2022 at 2:43 PM, JustonG said:

okay, on the devices I want on say, VLAN 20, do I configure the IP addresses on those devices first?

It doesn't really matter, but as you are trying this for the first time, doing all the IP configs first and testing everything works as expected without any additional switch config will remove the possibility you made a mistake at that level when you do move on to the actual VLAN config, just my 2c.


On 6/13/2022 at 9:39 AM, Ralphred said:

*If you have the NICs on your NVR/Server, then it's better to plug it in twice, one NIC for each VLAN, and don't tag any switchports (keeps your camera traffic away from the rest of the server's functions)

Why? Do H265 packets not get along with SMB packets or something? 🙂

I'm just curious as somebody who's found 99.99% of VLANs to be utterly pointless and offer no security benefit...vertical network segmentation doesn't do that. So, please explain technically why H265 traffic might interfere with a file server.

If the goal here is security you need to focus on locking those devices off the internet, which is most easily accomplished with a firewall. Creating VLANs and then creating ACL lists to allow devices to talk to your PC defeats the purpose, right? It's like installing a steel security door on your house and putting a 2-foot hole in the middle of it.

Using a VLAN to segregate types of network traffic went out in 1998 along with NetBEUI. There's no need to do this, but it's still pushed by CISCO heads who need to justify overpriced switches and their CCNA. Segmenting devices into traffic types doesn't decrease traffic. It doesn't make NIC cards work better.


1 hour ago, wseaton said:

Using a VLAN to segregate types of network traffic went out in 1998 along with NetBEUI. There's no need to do this, but it's still pushed by CISCO heads who need to justify overpriced switches and their CCNA. Segmenting devices into traffic types doesn't decrease traffic. It doesn't make NIC cards work better.

LOL, that's about the dumbest thing I've ever heard. EVERYONE (Juniper, Cisco, Arista, Broadcom, Nvidia, etc.) uses VLANs to more easily segment the network and reduce broadcast domains and they are just one of many tools as a means to an end. If you think for a second VLANs are dumb I've got a bridge to nowhere to sell you. A single flat network is the stupid thing to push and there is a reason no SMB, enterprise, or hyperscaler does it.

Are VLANs dumb in most home environments? Sure

Beyond that? Hell no.

Edit:

To further clarify, VLANs shouldn't be used to segment traffic types, they are used to segment devices based on what they need access to. If OP is doing it just to segment traffic types, that's not the right approach.


Just now, offweek said:

I have over 15 networked devices in my house, I trust about half of them. This is becoming commonplace. How would you suggest isolating them without VLANs?

When I said most I meant most considering the average consumer, so I could have been more clear with that, not people with some networking knowledge and/or the care to segment stuff 🙂

They definitely have a place even at home (I've got a couple myself) but I'm definitely not the average end user and I would wager neither are you.


6 hours ago, wseaton said:

Why? Do H265 packets not get along with SMB packets or something?

It's so you can have overlapping multicast address usage between your collection and sending LANs, and so when it snows and the wind blows it doesn't affect client operations.
