RESET Forums (homeservershow.com)
Dave

IP Camera and Server Solutions


Jason

Thanks itGeeks. Was able to figure it out. The issue was my wanting to connect a managed smart switch to my Untangle box, then connect that switch to an unmanaged 24-port gigabit switch for the rest of my devices. Am seriously thinking of getting one large managed PoE switch to simplify my network. Looking at this one:

D-Link Systems Web Smart Switch - 52 Ports - Managed (DGS-1210-52MP) https://www.amazon.com/dp/B00PVES4IK/ref=cm_sw_r_cp_api_tb6FAb7GCC8HR

itGeeks

Glad you got it sorted out. Yes, everything in the chain needs to be network aware. Holy moly, how many devices are you running? 52 ports??? I am partial to Netgear and I am thinking about getting this one

Edited by itGeeks

Jason

Well, I need more than 24 ports but less than 52. Suppose a 48-port switch would be plenty. Definitely want a managed switch with the flexibility of PoE/PoE+ on the next one after this experience. Would rather not be daisy-chaining switches together if it can be avoided. I too prefer Netgear. Will definitely check that out.

itGeeks

I agree with you. Avoid daisy-chaining as much as possible; every hop creates latency. I do admit though that I normally run just one feed to each room, then if needed I add a switch to support more than one device in that room. Your network sounds interesting with that many devices. Can you provide the network details, or better yet a network map?

Edited by itGeeks

Ikon-TNG

Something has me puzzled. My father tried to show me how to VLAN once, and I found it confusing and it looked like it could be a lot of work to maintain. Eventually, he said I could accomplish the same thing by connecting some cheap, unmanaged switches to different network cards in my gateway router. He said each NIC would be the equivalent of a VLAN, except it would be physical. There would be no need to manage which ports devices were connected to, and it would be more visually logical because I could label the switches according to the purpose: security cameras, general home LAN, guest LAN, and other devices. He did caution me that devices on the security, guest, and other devices switches would not be able to print to a printer connected to the general home LAN, but I'm fine with that. He even said I could give each 'switched LAN' a different IP range, so it might be less confusing: e.g. 192.168.0.x, 192.168.1.x, 192.168.2.x, etc.

Was he missing something? Isn't using multiple simple, cheap, unmanaged switches easier?

schoondoggy

Ikon-TNG said:

Something has me puzzled. My father tried to show me how to VLAN once, and I found it confusing and it looked like it could be a lot of work to maintain. Eventually, he said I could accomplish the same thing by connecting some cheap, unmanaged switches to different network cards in my gateway router. He said each NIC would be the equivalent of a VLAN, except it would be physical. There would be no need to manage which ports devices were connected to, and it would be more visually logical because I could label the switches according to the purpose: security cameras, general home LAN, guest LAN, and other devices. He did caution me that devices on the security, guest, and other devices switches would not be able to print to a printer connected to the general home LAN, but I'm fine with that. He even said I could give each 'switched LAN' a different IP range, so it might be less confusing: e.g. 192.168.0.x, 192.168.1.x, 192.168.2.x, etc.

Was he missing something? Isn't using multiple simple, cheap, unmanaged switches easier?

What your father described is setting up a separate network. That is how I keep my home network and lab networks totally separate. The issue comes down to routing between networks and sharing internet access. Similar things can be done with VLANs. There are several types of VLAN, port or IP based, depending on the switch.

itGeeks

Well said schoon.

 

@Ikon-TNG

Asking if something is easier is a complicated answer. What may be easy for one person may be hard for another; it all depends on the individual. Putting everything on its own subnet may seem easy to you, but it also adds extra devices that consume more electricity and create more heat, etc. It's more efficient to do VLANs than to use multiple subnets and extra switches.

 

It is certainly an interesting topic and one that I wish I had studied more over the years. The time for me has come, so I am digging deep now and reading everything I can on the subject. Maybe Jason will share his working setup and the steps needed to get up and running in a more secure way. There is a lot of bad info out there, but if I come across anything that can add value to this subject I will certainly post a link to it. schoon, what are you using for a switch and router? Can you lay out what you have done? How many VLANs do you have?? Do you separate Data, Video, Voice & IoT devices???

Edited by itGeeks

ShadowPeo

 

17 hours ago, Ikon-TNG said:

Was he missing something? Isn't using multiple simple, cheap, unmanaged switches easier?

As @schoondoggy said, what you are describing there are physically separate LANs, which is fine and has its place, but it was precisely this scenario that VLANs are designed to avoid. With a VLAN you have one (or more) switches on which you can assign ports to a VLAN, either dynamically or statically, with each VLAN not being aware of the other in a logical sense. All data between VLANs must go through the router.

Let's keep this basic with a static VLAN. Let's imagine that you have four eight-port switches in a cabinet. With what you are describing, this is how it must be; with VLANs I can use a single 24-port switch and assign 8 ports to each VLAN.

Getting more complicated is dynamic VLANs, where using something like 802.1X I can assign a user or device to a certain VLAN. So when you come in and log in, and you are part of the marketing team, you get dumped on the marketing VLAN, but as that is separate from the Product Development VLAN, your access to this VLAN is restricted and must go through a router. After lunch you move to another location, but still connected to the network, and log in there; your connection is now assigned again to the marketing VLAN, but Joe Blow who took your original seat, who is product development, is assigned to the product development VLAN.

This gets quite complicated and is normally only used in large organisations and where security is paramount. I have only used/am using it in one case (as it required specialised hardware to do it for what I am doing) where we have a single SSID broadcast across a site, and there are two types of users: those utilising corporate resources, who get full network access, and those who are not, be they guest or BYOD users. As these systems are seen as more of a threat to the rest of the network, they are segmented off to their own VLAN. This is done via a determination of User (Guest/BYOD) or Certificate (Corporate) auth on the RADIUS server to decide whether to put you into VLAN 1 (Corporate) or VLAN 6 (Guest), which then tells the WAPs what to do. We are implementing a system for BYOD where they have to register MACs and run a piece of software that will not allow wireless access until the OS updates and AV are up to date.

In either case, to get the data back to the router, or between switches, you create a trunked port and then "allow" certain VLANs, and only those VLANs will be allowed through. Commonly these trunks will also be an LACP aggregation, but that is not relevant to this.

Commonly what I will do is, as my ports, apart from WAPs, switch interconnects and servers, are single usage, I will lock the port to a single VLAN, as I find this more useful (besides, it takes me longer to log into the switch than it does to issue the command to change the VLAN), and I will disable all unused ports.

To further increase security, especially when we are dealing with access control devices, alarm systems or security cameras, I will MAC-lock the port, so whatever device is on that port is the only one that will be accepted. So if some cheeky bugger tries to get access to the security cameras, for instance, the switch will reject them and turn the port off if more than one MAC appears on it, and if it's not the approved MAC. This can be circumvented by spoofing, but most people are not smart enough to try that.

Another thing that I can and do do is utilise something called LLDP-MED to assign devices to the correct VLAN. I have a Voice VLAN configured and, utilising LLDP-MED, you can plug a phone into any port and have it activate and be assigned to the Voice VLAN (4).

Edited by ShadowPeo
Forgot Something

ShadowPeo
22 minutes ago, itGeeks said:

schoon what are you using for a switch and router? can you lay out what you have done? How many VLANs do you have?? Do you separate Data, Video, Voice & IoT devices???

Whilst I cannot answer for @schoondoggy, I can give you a little background on what I do at home. Professionally it's pretty much identical, except for an extra VLAN for the SAN, and the IoT VLAN is management and holds things such as printers, UPSs etc.

 

VLAN 1: Private Connections - Data Connections to Family devices - Laptops, iPads, Phones etc

VLAN 2: IoT - Data connections to IoT devices where there is no direct access required i.e. BloomSky

VLAN 3: Security Cameras - Security cameras and a 2-link LACP group for the NVR

VLAN 4: Voice - VoIP Phones

VLAN 5: Guest - Guest Devices - Captive Portal

 

Router is currently running on a Cisco 867VAE-W but this will be converted to a bridge soon enough. I am thinking a two-stage routing system at this point, as I want to play with a USG-Pro with a Transparent Untangle for Proxy, advert blocking, Malware scan etc.

 

I will try to publish some topology maps soon, as I have to update them after the recent changes but I have not done that yet.

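Putting the two ShadowPeo posts together as one switch configuration, as an added example that is not ShadowPeo's own config and not from anyone on this thread: it uses the VLAN numbers from the list above (1 private, 2 IoT, 3 cameras, 4 voice, 5 guest) and the techniques from the earlier post (access ports locked to a single VLAN, a MAC lock that turns the port off when a second or unapproved MAC shows up, a 2-link LACP group for the NVR, a trunk that only allows the listed VLANs, LLDP-MED for the voice VLAN, and all unused ports disabled). The syntax is Cisco IOS-style Catalyst configuration, which is an assumption; the interface numbers, which port the camera and NVR sit on, and the VLAN 999 "parking" VLAN for unused ports are also assumptions, not anything stated on the page.

```cisco
! Assumed: Cisco IOS-style access switch; VLAN 1 already exists by default.
! Global: run LLDP so a phone announcing itself via LLDP-MED is placed on the voice VLAN.
lldp run
!
vlan 2
 name IoT
vlan 3
 name Cameras
vlan 4
 name Voice
vlan 5
 name Guest
vlan 999
 name Parking
!
! Camera port (assumed Gi1/0/1): static VLAN 3 plus a MAC lock.
! "sticky" records the first MAC seen as the approved one; a second MAC, or a
! different MAC after the first is learned, is a violation and the port is
! err-disabled (stays off until an admin does shutdown / no shutdown).
interface GigabitEthernet1/0/1
 description Security camera (assumed location)
 switchport mode access
 switchport access vlan 3
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Desk port (assumed Gi1/0/2): laptop untagged on VLAN 1, phone tagged on voice VLAN 4.
! LLDP-MED tells the phone which VLAN to tag, so any such port accepts a phone.
! Two MACs are allowed (laptop + phone); a third is dropped and logged, not shut down.
interface GigabitEthernet1/0/2
 description Family desk: data VLAN 1, voice VLAN 4 via LLDP-MED
 switchport mode access
 switchport access vlan 1
 switchport voice vlan 4
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
! NVR (assumed Gi1/0/3-4): 2-link LACP group, access port in the camera VLAN.
interface range GigabitEthernet1/0/3 - 4
 description NVR, 2-link LACP bundle
 switchport mode access
 switchport access vlan 3
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 3
!
! Uplink to the router (assumed Gi1/0/24): trunk carrying only the five production
! VLANs. VLAN 999 is deliberately absent, so a parked port can never reach the router.
interface GigabitEthernet1/0/24
 description Trunk to router
 switchport mode trunk
 switchport trunk allowed vlan 1,2,3,4,5
 switchport nonegotiate
!
! Every unused port: parked in a VLAN that goes nowhere and administratively down.
interface range GigabitEthernet1/0/5 - 23
 description Unused - parked and shut down
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Checks after applying:
!   show port-security interface GigabitEthernet1/0/1   (status, sticky MAC, violation count)
!   show interfaces trunk                               (allowed VLAN list on the uplink)
!   show lldp neighbors detail                          (phone seen on Gi1/0/2 and its voice VLAN)
```

If the camera's MAC is already known, replacing the `sticky` line with `switchport port-security mac-address <camera MAC>` pins the port to that one address from the start instead of trusting whatever plugs in first. The 802.1X/RADIUS dynamic assignment from the earlier post is a separate setup and is not shown here.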
Jason

I’ve kept things fairly simple. Guest wireless is isolated from the LAN. Only have one VOIP phone (Ooma), doesn’t need a VLAN. IP cameras are now on their own VLAN. IoT devices like thermostats, lighting, alarm, etc are currently on the LAN.

