IT people...some VLAN questions

At my small business, we have about 30 or so devices (plus wifi enabled phones) connected to our network, all of them wired and it seems we’re always adding more. A handful of those are IP cameras and a NAS dedicated to recording and streaming them.
Sidenote: I went with IP cameras for ease of installation. It’s a lot easier to run an ethernet cable to the closest switch than a homerun back to the DVR, plus I used POE cameras so I don’t have to worry about getting power to them.

Somewhere along the line, I read that putting these cameras on their own segment/VLAN will dramatically reduce network traffic since all the traffic generated by the streams coming from the cameras would stay on its own VLAN and not bog down all the other devices.

Both my router, as well as the first switch in the network after the router, are capable of setting up VLANs. From the reading I’ve done, VLANs aren’t exactly intuitive to set up, but I can learn as I go. What I can’t get a good answer about is if each VLAN needs to be on its own physical port on the switch that’s taking care of the segmenting.

My issue, at the moment, is that if each VLAN needs to have its own router port(s), I’d need to do some rewiring.
Coming off my router, I have an L3 managed switch (which can handle the VLANs). Off of that switch are two POE switches handling some of the cameras, a few ‘regular’ network devices and two more unmanaged switches. Those two unmanaged switches each have a handful of regular devices as well as a POE switch with cameras attached to them.

That’s where I stand at the moment. So, that means, the first (managed) switch has some ports that would be on one VLAN and two ports that would be on another VLAN and two ports that go off to unmanaged switches that would carry traffic from both VLANs.

What I’m hoping for is a way to do this without A) running more wires or B) upgrading switches (though getting everything up to gigabit wouldn’t be a bad thing). But it does seem like swapping those unmanaged switches for managed ones (and using trunk lines?) would take care of my issue.

My switch does mention something about MAC based VLANs, which sounds promising on the surface. I’m also seeing subnet based VLAN, which makes me think all of this could be configured at each client. And, since I prefer static IPs on the vast majority of my devices, it’s no big deal to change some IP info there.

If it’s not possible, I’ll probably leave well enough alone, at least until/if I notice the network slowing.

If it helps, that first switch I mentioned is a Netgear M4100 Series.

Assuming your core switch(es) and the router support VLAN tagging, you can just run one cable between the core switch and the router if you want. Google “router on a stick”. I’m not sure what you mean by “… and two ports that go off to unmanaged switches that would carry traffic from both VLANs”. If you try to attach an unmanaged switch to a trunk port on your core switch, you will get variable behavior depending on how your unmanaged switches are designed. If you’re talking about attaching unmanaged switches to access ports/non-tagged ports on your core switch, then no issues.

That being said, simplicity is your friend. Make sure VLANing is worth the bother and will actually fix your network performance issues.

That’s what I have at the moment. So I’m good there. I think, due to the switch that I have, I may have actually been able to go without a router, but I’m so used to having one to handle the firewall and any devices that don’t have their own IP address, it would have felt wrong to leave it out of the mix. The way the ‘beginning’ of the network is set up is modem->router->managed switch.

I figured I should draw up a quick map (maybe I still will), but what I mean is that of all the ethernet cables leaving that managed switch, two of them connect to switches elsewhere in the building. Each of those switches has devices connected to it that I’d want on separate VLANs. And, that’s really the basis of my question. Can I have devices on two (or more) different VLANs that are connected to the same port on the core router?

Technically, I’m not having any network issues yet. But I just connected 8 cameras and a NAS for streaming in the past few days, so I may have issues that I simply haven’t noticed yet.
However, I agree with keeping things simple. It’s nice to be able to plug any network device into, more or less, the closest switch with an open port. I’m just trying to future proof. Also, our network needs to be PCI certified, and my understanding is that if I can take any devices that handle credit cards and put them in their own segment, that makes passing PCI scans easier. Of course, as it stands, I’ve never had any major problems passing PCI scans.

PS, correct me if I’m wrong, I’m assuming the core switch is that first (and only) switch coming off the router. It’s not the network gateway, it doesn’t handle DNS requests and it’s not used for DHCP, though it can handle all of that, and I assume it needs to for everything downstream if I set up VLANs.

Can I have devices on two (or more) different VLANs that are connected to the same port on the core router?

Not in any reasonably reliable and maintainable way, no. Use managed switches off of your core switch.

I’m assuming the core switch is that first (and only) switch coming off the router. It’s not the network gateway, it doesn’t handle DNS requests and it’s not used for DHCP, though it can handle all of that, and I assume it needs to for everything downstream if I set up VLANs.

How is your router not your default gateway? Isn’t that how everything is getting internet connectivity, for example? If you implement router-on-a-stick, the router is still the default gateway, except now instead of just routing out to the internet, it also allows routing between the VLANs. So DNS and such work just fine, it’s just that some of your devices would now be using DNS servers that are located on the other VLAN. DHCP is a little different since it is broadcast-based; do a search on “DHCP relay”.

Sorry, that came across in an unclear way, I meant that the core switch is not performing any of those functions (DNS, DHCP, Gateway etc). The router is taking care of everything that a router would typically take care of. The switch I have, IIRC, does have the ability to do all of that, but I delegated it to the router since that’s how I’ve set up networks for the last 20 years and the switch, though more powerful than any switch I’ve ever owned, is functioning, more or less, like an off the shelf/nothing special/Best Buy, unmanaged switch. At least for now.

I probably went overboard when I upgraded that section of network equipment, but it was due for a major upgrade. The router and switch I had been using, though performing fine (for the most part, I was having to reboot it every month or so), were probably 15 years old.

Vlans are used for

  • improving security through segmentation: you cannot be hacked through a device that can’t “see” you.
  • improving network capacity by reducing broadcast traffic by smaller “collision domains”: This becomes a problem with around 500 clients in one subnet.

I would say that you shouldn’t mess around with vlans when you have less than 100 clients on your network. Vlan configuration is not entirely trivial and your production network is hardly the ideal environment to experiment.

If you are worried about cameras clogging your network with their traffic you probably should look at the topology first: Is it possible to create a network where camera traffic does not share a “uplink” to the server with other stations? If the cameras have to be on the same switches as your other stations you could look into creating more capacity in your uplinks (etherchannel could work).

Before you do anything, measure the throughput of your network. The simplest way would be to isolate two machines and a switch and copy a large file to determine the throughput of the machines; then copy the same file over the network and compare results.

Never heard of that, I’ll look into it when I have a few minutes. Also, if it makes a difference, my core switch (and my router, for that matter) have SFP ports. Not sure if they’re any faster, but they are there.
I’m assuming most of the connected devices in my store have 10/100 NICs. My existing switches are all 10/100, but the router, the core switch and the POE switches are all gigabit. I need to check the specs on the cameras and NAS to see if they have gigabit NICs.

Actually, I was just starting to look into that yesterday. I need to see which of my devices can monitor and report network traffic and what tools I can use, if they exist, for measuring traffic on various nodes and/or from point to point. For all I know, at the moment, I could be at 10% capacity.

As much as I like tinkering with this stuff and as much as I like to future proof (which isn’t always a good idea with tech), I also agree it’s nearly always better to leave well enough alone. I always think of Homer Simpson’s Three Stooges Syndrome. Everything is working so we have to be careful not to change anything and risk breaking everything.

I come from a network administration background and agree with The_Librarian that VLANs are not needed on smaller networks. Broadcast traffic is TINY, like a fraction of a percent on most networks. I’ve seen busy /22 networks (up to 1000 devices) work well without VLANs.

The exception would be if you had strict security requirements and wanted to use Access Control Lists to fine tune which devices could talk to each other…techno babble blah blah blah.

SFP is a form-factor that takes a module for media (optical or copper) or a DAC (Direct Attach Copper), typically at 1Gb. SFP+ goes up to 10Gb, QSFP+ goes to 40 Gb and beyond.

Remember that the switch is only forwarding packets to the target MAC, so unless the aggregate traffic to a given MAC saturates that connection you will receive no benefit from a faster connection.

Optical over SFP does have lower latency than copper, but likely immaterial.

That’s good to know. I’m still curious (and have to keep looking) for some type of program or app that can give me some idea as to how much network traffic I have. Part of the problem, I know, is that many of the devices (like IP cameras and credit card machines) aren’t going to be able to have anything installed on them.

From what I understand, ACLs in this sense are different from what comes on a consumer/residential router with integrated switch. The one I had before and the one I have at home had the ability to block any new devices that attempted to connect to the network until I logged into the admin panel and specifically allowed them. That was a nice feature, but I haven’t seen it yet on either my router or switch. It’s possible it’s there and I haven’t seen it yet. Especially since, from what I’ve seen, at least with the switch, not all features show up in the GUI, some of them require the command line (and they each have a manual that’s something like a thousand pages).

Ya know, I knew that, and I knew it was the big difference between a hub and switch, but it seemed to have slipped my mind.

Regarding SFP, it sounds like it’s not something I need to worry about. Which is good. I’m learning as I go (at least WRT new stuff, I do have a very basic grasp of how a lot of this works), so it’s not a bad thing that SFP isn’t something I even need to think about.

Yes, you are right. The ACLs would be set up on the L3 core switch doing the inter-VLAN routing. You’d use them to set rules like “VLAN 2 can only talk to VLAN 10 and the Internet” and “VLAN 4 can only talk to the Internet and the server at 192.168.10.5.” They can be very time consuming to set up and unless you have strict security requirements you probably don’t need them.

What you’re referring to is called MAC address filtering and is used to help stop new devices from communicating with the network until they are approved. It can be a pain to manage but if you have a small environment and your hardware doesn’t change often it may work for you. It’s not going to stop a hacker but may stop an employee from connecting their laptop they brought from home.
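As an added illustration (not code from this thread or from any vendor), the two ACL rules quoted above modeled as a default-deny policy check in Python. The VLAN-to-subnet mapping is an assumed placeholder; only the VLAN ids and the host 192.168.10.5 come from the post.

```python
import ipaddress

# Assumed VLAN-to-subnet mapping (placeholders; the post only names the VLAN
# ids 2, 4 and 10 and the host 192.168.10.5).
VLAN_SUBNETS = {
    2: ipaddress.ip_network("192.168.2.0/24"),
    4: ipaddress.ip_network("192.168.4.0/24"),
    10: ipaddress.ip_network("192.168.10.0/24"),
}
INTERNET = "internet"

# Each rule: (source VLAN, allowed destination). A destination is a VLAN id,
# a single host address, or the INTERNET marker. Anything not listed is
# denied, mirroring the implicit deny at the end of a real ACL.
RULES = [
    (2, 10),                                    # VLAN 2 -> VLAN 10
    (2, INTERNET),                              # VLAN 2 -> Internet
    (4, INTERNET),                              # VLAN 4 -> Internet
    (4, ipaddress.ip_address("192.168.10.5")),  # VLAN 4 -> one server only
]


def classify(addr):
    """Map an address to a VLAN id, INTERNET, or None (unknown private)."""
    ip = ipaddress.ip_address(addr)
    for vid, net in VLAN_SUBNETS.items():
        if ip in net:
            return vid
    # Public addresses count as "the Internet"; private addresses that belong
    # to no known VLAN are unknown and get dropped.
    return INTERNET if ip.is_global else None


def permitted(src_ip, dst_ip):
    """Decide whether a flow initiated from src_ip to dst_ip is allowed.

    Only the initiating direction is modeled; reply traffic is assumed to be
    handled by stateful inspection or a mirrored rule on the real device.
    """
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None or src == INTERNET:
        return False
    if src == dst:
        return True  # same VLAN is switched at layer 2 and never hits the ACL
    dst_host = ipaddress.ip_address(dst_ip)
    for src_vlan, allowed in RULES:
        if src_vlan != src:
            continue
        if allowed == dst or allowed == dst_host:
            return True
    return False  # implicit deny


if __name__ == "__main__":
    for s, d in [("192.168.2.10", "192.168.10.5"),
                 ("192.168.4.10", "192.168.10.6"),
                 ("192.168.10.5", "192.168.2.10")]:
        print(f"{s} -> {d}: {'permit' if permitted(s, d) else 'deny'}")
```

Note that VLAN 10 cannot initiate a connection back into VLAN 2 under these rules; if the server in VLAN 10 needs to reach devices there, a separate rule for that direction has to be written.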

I concur - for most networks, unless you are streaming super-hi-res video from quite a few cameras, you will not flood your network. I don’t know that anyone makes hubs nowadays, all network equipment is switches; this means that a packet is only repeated from the source port to the destination. The important number is what level of traffic the backplane bus of the switch supports, and rarely does traffic flood that.

After all, the question is - if you have a DVR/video workstation that has one ethernet port, no matter how many cameras you have, your upper limit of total video traffic is the capacity of the DVR’s input port, 1Gbps. (More likely, how fast it can process the streams). Most switches can handle several times the port nominal 1Gb in total traffic.

The only other traffic that might overload the network is if you do large backups across the network. But again, the port speed of the end devices limits the total traffic, and a good backup system uses direct connect if possible or incremental processes.

ACLs and MAC limitations are good security, but the question is - do you really need them? If your data is VERY sensitive, maybe blocking rogue devices is good. (But then MAC and IP can be spoofed). Simple precaution, do not leave live network ports unattended in public areas, especially for PoE. There are some very tiny devices that can be plugged in to create a remote access host.

…and so on. There are plenty of other tricks you should defend against first. Do not allow anonymous enumeration of SID; be sure passwords are complex and secure, and devices (like cameras or routers) do not have the manufacturer default password. Are firmwares kept up to date? Once you have verified elementary precautions, then proceed to more complex things that require regular maintenance, like ACLs and MAC filters (which may need updating if equipment changes).

OK, while we are talking about VLANs, does anyone have any experience with configuring VLANs on a Netgear R7000 flashed with FreshTomato?

I want to do two things - create a (wired) guest network, and segregate a bunch of IP cameras on their own network, with no access to the internet.

The only issue I ever had with them was when I’d add something new to the LAN and spent a half hour pulling my hair out trying to figure out why the new device would see the network, sometimes (from the device’s POV) appear to be connected to the network, but I couldn’t actually reach the internet. After a while, I’d remember that I have to tell the router to allow the new device.
But we don’t add new hardware all that often.

I don’t give the password to anyone (but a very small select group of people), so a random person (that isn’t doing anything nefarious) isn’t going to get their wifi on the network by guessing the password. I also have the guest network shut down.
But, I assume someone hacking the network isn’t going to appear as a new device. OTOH, I do have a VPN set up so I can tunnel in and access our surveillance cameras.

In any case, that was set up as part of a PCI issue. One of my scans** failed due to issues with said VPN as well as a few other devices that are technically servers. They wanted me to segment the network, but I asked if I could turn on ACL instead and (for reasons I now think don’t make a difference WRT hacking), they were okay with that.
Also, one of the other reasons I always have VLANs in the back of my mind is to make PCI scans easier to pass by moving out credit card machines (and possibly my desktop) to their own segment.
However, we always pass our scans and this new router didn’t even trigger any potential false positives that I’m so used to dealing with that I have 2 pre-written statements.

**That’s another thing I’ve always wondered about. Are there any free PCI scan tools (or websites with some white hat ‘hacks’ I can use to do some minimal testing) around? Every time I make a (major) change to the network, I run a PCI scan from our CC processor. But after requesting it, it can take up to a day to actually run. It makes for a PITA, to wait a day to find out if I have to make a change and request another scan.

I was envisioning someone plugging a physical network cable to a company computer into a laptop they brought from home. In this scenario MAC filtering would likely stop the average Joe but a hacker would just find the MAC address of the connected computer and duplicate it on the laptop.

The proper way of doing this is with 802.1X authentication, ideally with certificates. I’ve set this up at our office so that a company owned laptop gets put on the corporate VLAN when plugged in. Any other device gets put on the guest VLAN which only has access to the internet, with all other traffic blocked.

Haven’t a clue, but…

Presuming your camera network never touches the router (or are you using it as the switch?) that’s simple. If your router does not know the IP subnet of the cameras and is not configured for that VLAN, it cannot pass traffic.

For the guest network - does the new firmware allow for VLAN tagging on ports? If so, create a different VLAN for the guest network, different IP subnet. Otherwise, set one port to be the guest IP range. Don’t allow routing between guest and office IP’s. How to limit that traffic? I don’t know. Probably you can set rules to block traffic between one IP range and another.

Well…
I think the camera network needs to go into the router, so that the DVR computer can see the cameras, and I can talk to the DVR from other computers. I guess it might be possible to set up the DVR with dual NICs, and have one dedicated to the cameras, and the other connected to the internal house network, but I don’t know how difficult that would be.

And, yes - FreshTomato supports VLAN tagging. I have the basics down, it’s just the details about bridging that are a bit arcane.

Well, at the low-rent place I used to work, the results from a lot of customers’ PCI compliance scanners looked a lot like an unfiltered Nessus/OpenVAS scan. A lot of them were just a bunch of crappy basic version checks that I could automate the answers to with a bunch of (sometimes hundreds of) “Nope, patched in this release” cites. The place I currently work for usually gets a higher rent version of a PCI scan submitted to answer for. It’s usually limited to a few CVEs, and sometimes they actually have a CVE that I honestly need to inquire with the devs whether it needs to be addressed. So, yeah, OpenVAS might be good once you filter out the noise to expect from your network.

I’ll generally add my voice to the chorus of “keep it simple until you notice a problem” other than this: unless you’ve got some sort of assurance that the IP cameras you have are going to be supported and patched until X date, and X date is far enough in the future that you’ll be long gone – it’ll be good for you (and probably good for your successors even if that date is far enough off), if you can easily put those cameras on a different VLAN. If you’re dependent on a mfr. for updates, and don’t have those guarantees, I’d put them on a different network than the devices that get the PCI scan.