Looking for Novice Level PoE Switch with Emphasis on Security

username0475

Regular Contributor
My network revolves around an RT-AC68U ASUS router > TP-Link unmanaged PoE 5-port switch > 2 TP-Link Access Points.
I have a lot of smart home devices connected to the APs as I was trying to get better signal to them & offload them from the main router.
I wrongly thought that the APs being set with the same guest SSID as the one on my router would provide traffic segmentation & secure them from the Admin areas of my LAN.

However, from reading on SNB forums - to better secure these smart IoT devices on the APs, I need to create a separate VLAN network or 'Guest network' on these APs, as the APs do not get any security protocols sent to them by the router or switch.

The only built-in security protocols on the APs (TP-Link EAP225) that I am somewhat familiar with are: guest portal, isolation, & rogue AP blocking, which I don't believe will allow my smart devices to perform correctly under those 3 options.

I'm currently looking at the TP-Link TL-SG108PE but would like to hear other options that would allow a novice to:
1) Segregate traffic & create different VLAN/Guest SSIDs on the APs
2) At least 4 PoE ports
3) Web UI interface to manage
4) Not overly complicated for an average home user
5) Bang for the buck
 
If you want to do VLANs for wireless devices, you're going to need proper VLAN support across the entire access layer, which includes both your access points and your switch(es). As far as I can tell, the EAP225 only allows for the management VLAN to be changed, which falls short of fully customizable VLAN-to-SSID mapping, but as long as you're content with putting your IoT devices on the Guest network, which should have its own separate VLAN ID from the Private network, it should still work. This is assuming the AP actually passes traffic upstream that is properly tagged. If not, you'll either need additional APs to physically segment the IoT traffic, or replacement APs that offer full VLAN support.

As far as the switch goes, it sounds like all you need is an SMB-class L2/L2+ web-managed switch. There are lots of options these days. I tend to lean towards HP as I find they just tend to perform better than most of the SMB stuff (especially in mixed-vendor environments), but I'm willing to pay their price (many users are not). TP-Link switches are decent; they definitely provide one of the best values. You might also want to look at Cisco SG series, Netgear and Zyxel.
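
Added example, not part of any post in this thread: one way to check the assumption above that the AP sends properly tagged traffic upstream is to capture frames on the AP's switch port (for instance via a mirror port) and read the 802.1Q tags. The MAC addresses, VLAN IDs 10/20 and the `make_frame` helper are constructed for illustration; the parser also handles stacked (QinQ) tags, which goes beyond the single-tag case discussed here.

```python
import struct

TPID_8021Q = 0x8100    # standard VLAN tag
TPID_8021AD = 0x88A8   # outer service tag used in QinQ

def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs in an Ethernet frame, outermost first ([] = untagged)."""
    tags, offset = [], 12                      # skip destination + source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags                        # reached the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)              # low 12 bits are the VLAN ID
        offset += 4

def audit(frames, expected_vlan):
    """List (mac, expected, seen) for each frame whose tags differ from the plan.

    expected_vlan maps a client's source MAC (bytes) to the VLAN it should use."""
    problems = []
    for f in frames:
        src = f[6:12]
        want = expected_vlan.get(src)
        if want is None:
            continue                           # client not covered by the plan
        seen = vlan_tags(f)
        if seen != [want]:
            problems.append((src.hex(":"), want, seen))
    return problems

def make_frame(src: bytes, vlan=None) -> bytes:
    """Build a constructed broadcast IPv4 frame, optionally 802.1Q-tagged."""
    hdr = b"\xff" * 6 + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed sample: an IoT client planned for VLAN 20, a PC planned for VLAN 10.
IOT = bytes.fromhex("020000000001")
PC = bytes.fromhex("020000000002")
SAMPLE = [make_frame(IOT, 20), make_frame(PC, 10), make_frame(IOT)]

if __name__ == "__main__":
    for mac, want, seen in audit(SAMPLE, {IOT: 20, PC: 10}):
        print(f"{mac}: expected VLAN {want}, saw {seen or 'untagged'}")
```

Clients on the SSID that maps to the switch port's untagged (PVID) VLAN legitimately show no tag, so leave their MACs out of the plan passed to `audit`.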
 
TP-Link EAP225 is fine for passing through all types of VLAN tags and assigning VLAN tags to SSIDs.

The issue may actually be your router. What no one ever tells newbies is that while VLANs segment traffic at Layer 2 (like a logical equivalent to a physical switch), you still need to talk to devices at Layer 3, at minimum for issuing IP addresses per VLAN and also for any inter-VLAN traffic - this can only be achieved by a VLAN-aware router or VLAN-aware Layer 3 managed switch! :)

I do not believe the RT-AC68U supports VLANs via the stock firmware. So, you may need to install Merlin and hack some robocfg scripts if you need to retain maximal throughput performance or install DD-WRT with its convenient VLANs and accept slightly lower performance.

As for the managed switch, yes that specific TP-Link (TL-SG108PE) is better than almost all others for bang for buck, except Zyxel. Zyxel pack some additional features that you will not find in other budget managed switches, e.g. they almost always allow ALL ports except an uplink to be used for PoE (not half the ports as in almost all other budget PoE switches), include PoE port management and visibility like being able to power down your devices from your switch remotely, and port mirroring for diagnostics.

I believe Zyxel are the only major networking manufacturer that actually makes a 5-port PoE+ (802.3at) managed switch too, for example. One or two others, including small manufacturers, used to make such a switch for PoE (802.3af) but long discontinued them.
 
Off the top of my head, D-Link has the DGS-1100-05PD, and although Mikrotik isn't a major OEM, nor is the RB960PGS a switch only, it will do 802.3at in a 5-port form factor (as well as be a full-blown L3-managed device!). Still, the 8-port options are much more plentiful, and the better-designed ones aren't a whole lot bigger than the 5-ports. But yes, Zyxel still provides some great bang for the buck with many of their devices.
 
Well spotted, but that 5-port D-Link has such a tiny power budget (18 W with 802.3at / 8 W with 802.3af input power) that it barely qualifies as a PoE switch, let alone a PoE+. The Zyxel 5-port is 60W, i.e. every non-uplink port can be powered at 15W.

That Mikrotik HeX PoE is very interesting, but it only accepts 802.3af/802.3at. Its output is Passive PoE. It cannot be used to power standard 802.3af/802.3at devices without an adapter.
 
Here are some 8-port PoE switch recommendations:
1. NETGEAR GSS108EPP 8-Port Gigabit PoE+ Smart Managed Click Switch (4 PoE+ ports & 4 non-PoE ports)
2. FS.COM S1130-8T2F 8-Port Gigabit PoE+ Managed Switch (8 PoE RJ45 ports & 2 SFP ports)
3. UniFi US-8-150W Switch (8 PoE RJ45 ports & 2 SFP ports)
 
