Home Network Revamp

[jasonreg]

Hi all, I have been considering upgrading the home network primarily as it pertains to security. With the implementation of many IoT devices which will continue to increase, I see this as my primary threat. I took a stab at implementing VLANs last year but could not make it work but now would like to figure it out. I would also like to use my existing router as the path to the internet but move all routing functions onto a new Layer 3 Switch. Here are my Objectives:

1. Decrease security exposure of IoT Devices through use of VLANs
2. Segregate Kids activities from other devices
3. Maintain Control over IoT (Sonos, Light Switches, Hot Tub, Thermostat, etc.) via Main PC and iPhone. Maintain Ring Monitoring on Alexa and iPhone (Parents) on the same systems
4. Maintain ability to Share Central Printer/Scanner (Brother MFC-9340CDW) throughout the house permanent users
5. Have separate Guest Network which can access Internet, but not any other network device
6. Ensure connectivity to planned Synology Server
7. KISS – Keep it Simple Sxxxxxx - if this is possible
8. Maximize performance of key pieces of equipment – prevent bottlenecks
9. Groundwork for Expanding wired and wireless network

Here are the main components:

• 1Gpbs ISP service with Modem (Bridged)
• RV340 Router with Security License
• SG350X-26P Switch
• SG250-48 Switch
• SG200-08 Switch
• WAP-571 (x3) setup in Cluster (may add one additional in Garage)

Please note that I am best described as tech aware ( I like to tinker and read/learn) but not an IT pro and certainly not super knowledgeable on VLANs and networking principles. I can google and with assistance can generally find my way out of trouble (i.e. I am trainable).

Here is the general plan:

1. Use New SG350X-26P Switch for all Layer 3 routing (take the task off RV340)
2. Use New SG350X-26P Switch to power WAP-571 devices
3. Connect Server to SG350X Switch via LAG or XG Ports
4. Use SG250X Switch to connect bulk of wired connections (currently 30+)
5. Use SG-200-08 Switch to distribute wired connections in Family room (Golf Sim PC, AV Receiver, Xbox, Blu-ray Player
6. Use Management VLAN 1 if/as required – See this in several posts – unsure why it is required..
7. Server on it’s own VLAN with Printer
8. Total of 5 VLANs + Guest as follows:

VLAN 1 “Management”
RV340
SG350X-26P
SG250X-48
SG200-08

VLAN 10 “Server”
Server
Brother MFC-9340CDW

VLAN 20 “Office”
Main PC
Work PC
Mitel 5330 IP Phone
Personal Laptop (Wired & Wireless)
Golf Sim PC
Alarm Monitoring (wired)
Ring Video Monitoring (Wireless)
DogWatch Invisible Fence (wired)
Sprinkler System (Wireless)

VLAN 30 “Home”
Kids Laptops (Wireless)
iPhones, iPads
Xbox One

VLAN 50 “IoT”
Sonos (10 Zones all wired)
Light Switches
HVAC Control (Lennox wireless)
Hot tub
Alexa Devices
Smart TVs
Amazon Firesticks
AV Devices

Guest VLAN
Visiting Wireless Devices

Initial Questions:

1. Am I completely off base - making my life too difficult?
2. Which devices need static IPs?
3. Can I mix wired and wireless devices in the same VLAN?
4. DHCP should be off on the WAP Cluster I assume?
5. DHCP should be on the Layer 3 switch?
6. Any benefit to using the 10GB (XG) ports available on the 350X and 250X switches? I will be using a server with 10Gbps connectivity
7. Any benefit from using the static LAG capability on RV340?
8. How Many VLANs do I need / Should I be considering?
9. Should I be using the same SSID on my WAP Cluster for 2.4GHz and 5GHz signals?

I realize this is a lengthy post so thanks for making it this far. I have seen several older posts for suggested configurations but they get quite jumbled as the folks troubleshoot configurations. In any case, looking for input - Jason

 

[OzarkEdge]

KISS – Keep it Simple Sxxxxxx - if this is possible

Good one, but keep posting so I can keep learning! And get one of your kids to follow along so they can take over when you are laid up with Covid-19.

OE

 

[degrub]

Hi all, I have been considering upgrading the home network primarily as it pertains to security. With the implementation of many IoT devices which will continue to increase, I see this as my primary threat. I took a stab at implementing VLANs last year but could not make it work but now would like to figure it out. I would also like to use my existing router as the path to the internet but move all routing functions onto a new Layer 3 Switch. Here are my Objectives:

1. Decrease security exposure of IoT Devices through use of VLANs
2. Segregate Kids activities from other devices
3. Maintain Control over IoT (Sonos, Light Switches, Hot Tub, Thermostat, etc.) via Main PC and iPhone. Maintain Ring Monitoring on Alexa and iPhone (Parents) on the same systems
4. Maintain ability to Share Central Printer/Scanner (Brother MFC-9340CDW) throughout the house permanent users
5. Have separate Guest Network which can access Internet, but not any other network device
6. Ensure connectivity to planned Synology Server
7. KISS – Keep it Simple Sxxxxxx - if this is possible
8. Maximize performance of key pieces of equipment – prevent bottlenecks
9. Groundwork for Expanding wired and wireless network

Here are the main components:

• 1Gpbs ISP service with Modem (Bridged)
• RV340 Router with Security License
• SG350X-26P Switch
• SG250-48 Switch
• SG200-08 Switch
• WAP-571 (x3) setup in Cluster (may add one additional in Garage)

Initial Questions:

1. Am I completely off base - making my life too difficult?
2. Which devices need static IPs?
3. Can I mix wired and wireless devices in the same VLAN?
4. DHCP should be off on the WAP Cluster I assume?
5. DHCP should be on the Layer 3 switch?
6. Any benefit to using the 10GB (XG) ports available on the 350X and 250X switches? I will be using a server with 10Gbps connectivity
7. Any benefit from using the static LAG capability on RV340?
8. How Many VLANs do I need / Should I be considering?
9. Should I be using the same SSID on my WAP Cluster for 2.4GHz and 5GHz signals?

I realize this is a lengthy post so thanks for making it this far. I have seen several older posts for suggested configurations but they get quite jumbled as the folks troubleshoot configurations. In any case, looking for input - Jason

1) not really. planning is good.
2) infrastructure devices (all the cisco) + fixed IOT, house stuff, etc. If you want finer control on kids stuff you can assign their devices as well. primarily a firewall control approach ( time of day control, etc).
3) sure
4) use the layer 3 switch to run DHCP
5) yes
6) for home use, unlikely to saturate a 1 Gb/sec link to any device. your ISP connection is only 1 Gbit/s anyway.
7) see 6. LAG is for large numbers of users accessing a single device at the same time, not a way to increase single or a few device access. LAG works better for a commercial server application.
8) as many as you want to segment the traffic/users from each other
9) yes, and use single point setup once you get the first one configured. Helps with roaming, etc. You may want to use only the 5GHz bands to limit outside and AP to AP signal strength interference in the house. You will have to test and survey to see where you have signal overlap/undercoverage.

you have a number of IOT devices on your OFFICE vlan. Sure you want that if your goal is to protect key devices ?
Keep the management VLAN to the core infrastructure and the device you use to manage it.

just some quick thoughts.

 

[jasonreg]

OK - great - we are on our way!

for home use, unlikely to saturate a 1 Gb/sec link to any device. your ISP connection is only 1 Gbit/s anyway.

- My thinking here was more multiple users of large files accessing the server - several video streams or backups all happening at the same time. I get that the internet pipe is limited to 1Gbps (currently) but this may change in a year or two. That said for now I will use a single connection.

use single point setup once you get the first one configured

- yes this is how I set up originally and will do so again.

You may want to use only the 5GHz bands to limit outside and AP to AP signal strength interference in the house

- would love to however many of the household devices are 2.4GHz only (Ring, Hot tub etc.). My WAPs are ceiling mounted on each of three floors and each offset from each other with the main floor being essentially center ice. So far I can go from floor to floor an not see any interference.

you have a number of IOT devices on your OFFICE vlan. Sure you want that if your goal is to protect key devices ?

- I am not sure at all actually. What I do know is I want to be able to control and interact with these specific devices from the office PC which is what I use primarily.

Keep the management VLAN to the core infrastructure and the device you use to manage it.

- this would mean my main PC would be on that VLAN then as well?

I appreciate the early thoughts. Anyone have a step by step reference or suggestion to follow? What else should I be asking / planning before diving in?

 

[degrub]

Apple devices assume a flat network. So they have to be in the same DHCP range or static range as the IOT thingies that you want to interface with. That can mean either 1) joining the IOT network ssid (and vlan) by switching back and forth between "home" and "IOT" ssid (vlan ) or 2) have both on the same vlan. Which you do may depend on how often you need to access the IOTs versus convenience.

What of the networking gear do you already have ?

Is all the cabling in place ?

Central wiring closet and equipment rack ?

there is at least one SNB vlan guide on the site and at least one person has a thread that talks about implementing a layer 3 switch network to help guide you.

 

[jasonreg]

OK, so have made the following changes to the plan. Does this look better then?

VLAN 20 “Office”
Main PC
Work PC
Mitel 5330 IP Phone
Personal Laptop (Wired & Wireless)
Golf Sim PC

VLAN 30 “Home”
Kids Laptops (Wireless)
Xbox One

VLAN 50 “IoT”
Sonos (10 Zones all wired)
Light Switches
HVAC Control (Lennox wireless)
Hot tub
Alexa Devices
Smart TVs
Amazon Firesticks
AV Devices
Ring Video Monitoring (Wireless)
DogWatch Invisible Fence (wired)
Sprinkler System (Wireless)
iPhones, iPads
Alarm Monitoring (wired)

What of the networking gear do you already have ?

have all the equipment. All but the SG350X are already in use, SG350X in new in a box.

Is all the cabling in place ?

yes

Central wiring closet and equipment rack ?

yes

there is at least one SNB vlan guide on the site and at least one person has a thread that talks about implementing a layer 3 switch network to help guide you

Yes am working through those threads to try and set-up a step-by-step for myself to follow. The Layer 3 switch setup is a bit dated (uses am SG300) but hopefully it will be close. Have not found the VLAN guide - will search.

 

[degrub]

the vlan guide is on the main SNB site.

 

[degrub]

you may have some customization to do for the Mitel 5330 IP Phone . The CISCO gear has a default VLAN for IP phones, but you may have to do some QOS setup. The same guy that wrote the SG300 post dealt with IP phones as well. He should be a good source.

 

[jasonreg]

OK Great - thanks!

 

[jasonreg]

SONOS specific Question - I control the system either by my iPhone or generally (in my home office) via a windows App. If the iPhones are on the same VLAN as the SONOS system (current plan) then this will work fine, will I still be able to access SONOS via my main PC which would be on a separate VLAN? I am assuming the answer is no given you need all the SONOS gear on the Same VLAN generally .....

 

[degrub]

You could create static routes from vlan to vlan or specific to the device, from what i understand. I have not done that though so others will have to chime in on howto.

 

[coxhaus]

You need to setup my L3 switching on the Cisco switch. I have a thread on here with an example.

The way the voice VLAN works is Cisco has a macro which reads the IP phone traffic and puts it in a separate voice VLAN. You need to look at the switch it will have a bunch of IP phone codes if you do not fine your IP Phone then you need to add your code for your IP Phone. So the setup on the switch port is trunk. You plug the PC into the IP Phone and the IP Phone will plug into the switch port. You can do separate ports but it will take twice as many switch ports. When you setup Cisco voice VLAN using the built-in Marcos it will automatically assign priority to voice traffic over LAN traffic in the L3 switch.

To have all the VLANs able to see each other or route to each other then you need to have inter-VLAN routing turned on.

You are pretty much unlimited on how you configure your LAN VLANs.

 

[jasonreg]

OK, so some additional planning. I have tried to create a step-by-step guide for me to follow based on the various related threads. This is a lengthy post so grab a coffee if you are of a mind to help steer me in the right direction. I am getting much more familiar with the concepts but I likely have missed a few things - it was challenging piecing together references to older switches and differing IP numbering - please jump in on any errors which you see. Here goes:

Part 1

Configuration Notes

• RV340 Cisco default of 192.168.1.1 (cisco/cisco)
• IF you want to use 192.168.1.1 for your default gateway for clients then you need to use that network on the Cisco L3 switch as the L3 switch will be your default gateway for all clients on your local LAN. So VLAN1 on the L3 switch will be 192.168.1.1
• WAP-571 can support 16 configured SSIDs
• WAP-571 need to be on Trunk ports, all other switches and users need to be on access ports (is port between SG350X and RV340 a trunk or access????)
• VLAN 1/20/30 need to access 10 (server and printer)
• Guest VLAN 66 accesses only Internet
• VLAN 50 accesses internet and each other’s devices
• Will use CIRA Canadian Shield for DNS resolution and protection) unless I get Umbrella working ….)
  • For Protected, add the following:
    • For IPv4, enter: 149.112.121.20 and 149.112.122.20
    • For IPv6, enter: 2620:10A:80BB::20 and 2620:10A:80BC::20
• The default gateway for your L3 switch needs to be the router IP address.

Step to Follow
1. You start with a factory fresh reset in layer 3 mode. Connect your computer to the switch but do not connect the switch to your network.
2. Update Firmware, reboot switch
3. The first task is to assign a static IP address to the switch

Use 192.168.1.254 255.255.255.0 for VLAN1 the default management VLAN, VLAN1. Reboot so the switch comes up under 192.168.1.254. You need to make sure you do not already have an IP address 192.168.1.254. You do not want any conflicts when plugged into the router network. Reconnect with your web interface again to perform the steps below.​

4. Enable DHCP Server on the Switch.

5. Configure DHCP server with a DHCP pool for VLAN1 if it not already running. The default gateway for all clients will be the 192.168.1.254 switch IP address for VLAN1 since all devices are on VLAN1.

• Question 1 - Do I need to set up the default Router IP address (Option 3)? If so, I am assuming it would be “User Defined” 192.168.1.254 with the “Domain Name Server IP Address set up as 192.168.1.1?

6. Now configure enough ports to handle your home network. Configure the ports as access ports.

• Question 2 - Are the ports to downrange switches trunk or access?

7. Add a static route or default gateway to the switch to point to 192.168.1.1 which will be your router IP address. Using web interface under IP configuration there is a place called IPv4routes. Add the static to point to the router here. Basically, you are routing 0.0.0.0 to 192.168.1.1. The mask is 255.255.255.0

• Question 3 - Is the prefix length “24” or “0”?
• Question 4 - What metric to use when creating a static route from switch VLAN1 to Router? Any reason to change from “Use Default”?
• Step 8 - Question 5 - I am at a bit of a loss as to how to do the above settings for the various IPV6 settings. What happens if I do not connect IPV6?

9. Connect the SG300 to your router and plug the router into one of the access ports setup earlier. Plug your workstation into one of the access ports also like the router. You will need to start migrating the router network over to the switch by plugging in all devices into access ports on the switch.
10. Once your network is moved, go into the router and turn off DHCP in the router and assign a static IP address 192.168.1.1 to your router. At this point all the other network devices are getting IP addresses from the switch now. You may have to reboot some of the devices.
11. Add Static Routes from Router to the switch.

To be continued in new post.

 

[jasonreg]

Part 2

12. Create additional VLANs, DCHP Pools, Ports as required.

13. All devices on SG250 Switch will be assigned to VLAN 50.

• Question 6 - Do I need to set up VLANs on the switches?

14. All devices on SG200 Switch will be assigned to VLAN 50.
15. Create a trunk port for your WAP-571 and connect it with an Ethernet cable.
16. Factory Rest the WAP.
17. The wireless will receive an IP address in VLAN1. Assign a static IP in VLAN1. I will use 192.168.1.251 for WAP 1 (192.168.1.252 for WAP 2, and xxxx.253 for WAP 3)

• Question 7 - I assume I leave the “DHCP Auto Configuration Option” unchecked?

18. Run the wireless wizard for both radios but not for the guest just skip it. It should now work and all clients will be assigned a DHCP IP address from the switch. Configure single point setup since there will be 3 total WAP-7571 APs.
19. Set up additional VLANs 50 “IofT” and 66 “Guest” on WAP-571
20. Configure the other WAP-571 by joining the single point setup and a trunk port on the switch. The second/third WAP-571 will receive the same setting from the first one.
21. Go into your switch under VLAN management. Select Port to VLAN membership and then use your trunk port at the bottom click "join vlan" button. Add VLAN66 down on the bottom left. It will add VLAN66 as a tagged VLAN to your trunk port. Do the same for VLAN 50. Should now see 3 VLANs assigned to your port. save
22. Now go into your wireless and select wireless. Now select networks and add VLAN66 and your SSID for VLAN66. You need to this for both radios if you want both radios. Do the same for VLAN 50. Save
23. OK. You need to go into the switch and create an ACL barring VLAN20 from VLAN1. On the example switch it is under access control.

Notes

• 1) create an ACL (which is just creating a name for an access control workflow)
• 2) create an ACE (this is where you define all the rules and associate an ACE with an ACL)
• 3) associate the ACL with either a VLAN or a Port

24. You wireless should now give out an IP for your guest SSID and have internet access.
25. Crack a Beer!

Looking forward to any and all input. Many thanks in advance - Jason

 

[jasonreg]

So I am thinking that the posts are just too lengthy to realistically expect responses or input. Pending other input I will delete the posts and ask simpler questions as I go. Would appreciate any thoughts. Thanks - Jason

 

[L&LD]

Don't delete anything. Ask your most important questions below.

 

[jasonreg]

Really I was hoping someone would review the post and look for obvious errors. Trying to get as smooth a game plan going in i.e. before I unplug everything and have the answer to the "where's the internet" questions on the Homefront .....

What I don't want is to leave up a post with bad info.....

 

[L&LD]

Generally, you want to give at least 24 hours or more for the people who can make pertinent suggestions to have a chance to read your post and respond.

Be patient. Being wrong isn't always a bad thing.

 

[jasonreg]

OK - off to the golf course then!

 

[coxhaus]

Really I was hoping someone would review the post and look for obvious errors. Trying to get as smooth a game plan going in i.e. before I unplug everything and have the answer to the "where's the internet" questions on the Homefront .....

What I don't want is to leave up a post with bad info.....

That is a long post. Can you summarize it? Have you looked at my Cisco thread setup for L3 switching on a Cisco SG350 switch. Maybe you could look at it and compare then ask questions?