
Managed or Unmanaged Switch for Multiple VLANs?

jksmurf

Very Senior Member
Hi,

Unnecessarily complicated explanation alert, all pretty new to me ...

I am in the process of planning future upgrades of my ISP at a remote site (to above 1GB) and with a few planned 2.5GB WAN/LAN routers/nodes I am in the market for a 2.5GB Switch. The question I have (I will explain the Topology below) is whether or not it needs to be a managed switch? In this note I am using Asus-Merlin on various ASUS Routers/Nodes; and plan a TP Link Switch.

Background:

At my local site, I have experimented setting up two VLANs Guest (52) and IoT (53), plus the Primary Network, but only configured one of them to an Ethernet Port, in "Access Mode" for the SDN IoT VLAN (53). My local Mesh node is connected via Wifi Backhaul, hence no other Ethernet Port setting is needed for that one wireless VLAN Guest (52) for either main or node.

LAN Port 2 then goes to an unmanaged 8 Port Switch, which (only) feeds a number of wired IoT devices, all on VLAN (53). My understanding is that Access ports are also known as “untagged” ports, since an access port will "strip the VLAN tag from the packet" i.e. for my case it doesn't really matter (or care) about the Tag identifier as there is only one VLAN. This begs the question whether I really even need to define a mode or SDN for that LAN Port 2 for my local setup, as I am not sending DIFFERENT Tags down one line (nor do I have different LAN cables feeding that 8 port switch)?

Planned Topology at Remote Site:

In any case the Topology at the Remote site is a bit different, essentially ISP -> WAN of Router, then out via ONE LAN Cable to an 8 Port Switch. The switch then has 5 Ethernet lines, one to each of 5 rooms, each with an AIMESH Node at the end (say).

Note that I do not need a different VLAN for different rooms; they all get all 3 VLANs. I would like to set up a Guest and IoT VLAN on the Router and also have the Primary Network (so 3 VLANs), all feeding all the nodes. In this case, let's say the LAN Cable goes from Port 2 of the Router to the switch, what do I choose for Mode and SDN Profile?

Clearly I cannot select "Access" as this is only for ONE VLAN Profile (although it is stripped anyway??), so this leaves either (a) "All (Default)"/"Default" OR (b) "Trunk/Allow all Tagging".
Would it be correct that for (b) I would need a MANAGED SWITCH so the Tags are retained?

However if I want all VLANs to go to all Nodes, is it correct to say I do not actually need any tagging so "All (Default)"/"Default" is the correct setting?
And presumably I would not even need a managed switch?

Bonus scenario:

If at some stage I wanted to send separate VLANs to separate rooms, e.g. VLAN 52 to two rooms and VLAN 53 to two rooms (and Main to all 5 rooms), would it be correct that I would need a managed switch to do this and then would I select "Trunk/Allow all Tagging" and in the switch, assign the VLAN IDs for the rooms I wanted to send the respective VLANs to?

Thank you :-).
 
As a rule of thumb, an unmanaged switch will either drop VLAN-tagged packets on the floor, or forward them without regard to the tags. It's seldom documented which, so you have to try it to see. But neither behavior is very useful in an environment where you need VLANs, unless you have the second behavior and are willing to regard all ports of the switch as trunk ports.
 
Thank you for that, very much appreciate the concise explanation 🙏.

I’m still a little bit unsure about which switch for my use case, if I can get away with an unmanaged switch (which are much cheaper), that would be great.
 
You might be able to get away with a "smart" network switch. These often enable some of the capabilities of a level-3 managed switch, but not all, and they're cheaper than a "real" managed switch.
*My own unmanaged 2.5Gbps switch just passes everything through, regardless of VLAN tags.
 
Just note that with most consumer router/ap's - the included switch is quite capable of doing Layer2/Layer3 switching for VLAN's...

One just needs to know the magic incantations ;)
 
FWIW, I had some Netgear GS110MX switches a couple of years ago that were in the "pass everything" camp. But this is shaky turf --- a different production run could contain different chips that do the other thing.
 
My head is spinning from reading all about VLANs, this one was pretty good (also no affiliation), but most assumed that each node would have a different VLAN, which is not my use case.

My use case is that each Mesh Node has Ethernet Backhaul and supports 3 Wireless VLANs; and has an ESP32 plugged into a spare LAN port (**).

Right, just moving a step forward with this and I found a nice site to make pretty pictures, no affiliation.

So it shows the current situation (with only 3 Mesh Nodes but there are actually Ethernet cables for 5).

I cannot change the cabling, it's my folks place and it is all built in to the walls.

Each Node should provide Primary, Guest and IoT Wifi, with the current wired backhaul i.e. no difference between rooms. I think this part is OK, and let's assume the Main Router (assuming ASUS) has GNP and the Nodes are all 3006 FW capable too i.e. sufficient Wifi interfaces will propagate to the Nodes.

If I wanted to now add WIRED (more reliable, less 2.4GHz interference) ESP32s to the IoT Network (ONLY) what would be the minimum hardware (ESP32s aside) to do this?

I assume that the ESP32 devices, even if you give them a Static IP burnt into their FW, are not clever enough to recognise tagged packets, is that correct?

So, again, assuming I would like the ESP32s to appear in the IoT Network:
  1. Can this be done with the Router Alone; I am pretty sure it cannot; so
  2. Can it be done with just a Managed Switch (replacing the unmanaged one), assuming that the cable from 3 separate ports goes to each Mesh Node and the ESP32s are plugged in to the Nodes' LAN Ports (again I am pretty sure this cannot work, but less sure than (1)); or
  3. Will I have to add an additional managed switch at each room location, with one port feeding the AIMesh Node and the other the ESP32 Ethernet Device (** i.e. the ESP32 NOT plugged in to the Mesh Node, but rather a small managed switch)? If this is the case can I forgo having to replace the current larger (8 port) unmanaged switch with a managed switch or is that ALSO required. If yes, why would this be the case please?

Thank you!

k.
 

Attachment: Topology.jpg
I think (but I'm no expert) that most modern ethernet NIC chips have the ability to pass VLAN tags, and whether a given device can handle them or not is more about its operating system software than its hardware.

However, if you're content with putting the ESP32s in the IoT VLAN without direct access to other VLANs, then you need not worry about whether they've heard of VLANs or not. Plug them into a port of a managed switch, and use the switch's configuration mechanism to set that port as having the IoT VLAN as untagged ("native") while other VLANs are not permitted to access the port. The same applies mutatis mutandis to any endpoint device that only needs access to one VLAN. Actually I think the typical thing is that all your non-switch, non-router devices are connected like that. You pass VLAN-tagged packets only between switch(es) and the router. Where you need cross-VLAN access, you program packet forwarding rules into either your router or your switches (the latter option requires a switch with so-called L3 forwarding ability).
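To make the terms in this thread concrete (the OP's "access ports strip the VLAN tag", the "pass everything" vs "drop tagged" unmanaged behaviours from the earlier reply, and the advice above to give the ESP32 a port with IoT as its untagged/native VLAN and nothing else), here is a byte-level model of 802.1Q tagging and of how a port-based VLAN switch decides what leaves each port. This is an added example, not code from the thread or from any switch vendor; the MACs, VLAN IDs 52/53, port names and the IPv4 stand-in payload are constructed, and the switch model floods instead of learning MACs.

```python
"""Byte-level model of 802.1Q tagging and of a port-based VLAN switch, to show what
"access/untagged", "trunk/tagged" and the two unmanaged-switch behaviours mean for the
wired ESP32 case. Added example, not code from the thread or any switch vendor.
MACs, VLAN IDs 52/53 and port names are constructed; no MAC learning, no STP."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ROUTER = bytes.fromhex("020000000001")   # constructed locally-administered MACs
ESP32 = bytes.fromhex("020000000053")


def build_frame(dst, src, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame. With vlan set, the 4-byte 802.1Q tag (TPID 0x8100, PCP 0, DEI 0,
    12-bit VID) sits between the source MAC and the EtherType: that is the field a switch
    inserts on a trunk and strips on an access port."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def vlan_of(frame):
    """VID of a tagged frame, or None if untagged (priority tag with VID 0 counts as untagged)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF or None


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def strip_tag(frame):
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


class ManagedSwitch:
    """ports: name -> {"pvid": VLAN for untagged ingress/egress (None = tagged only),
    "tagged": VLANs carried with the tag kept}. Access port: pvid=X, tagged=set().
    Trunk: pvid=native VLAN, tagged={...}."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, frame):
        """Return {out_port: frame as it leaves that port} for a frame arriving on in_port."""
        cfg = self.ports[in_port]
        vid = vlan_of(frame)
        if vid is None:
            if cfg["pvid"] is None:
                return {}                   # untagged ingress refused on a tagged-only port
            vid = cfg["pvid"]
            frame = add_tag(frame, vid)     # classify: inside the switch every frame has one VLAN
        elif vid not in cfg["tagged"]:
            return {}                       # ingress filtering: tag not allowed on this port
        out = {}
        for name, pcfg in self.ports.items():
            if name == in_port:
                continue
            if pcfg["pvid"] == vid:
                out[name] = strip_tag(frame)    # access/native member: leaves untagged
            elif vid in pcfg["tagged"]:
                out[name] = frame               # trunk member: leaves with the tag
        return out                              # non-members never see the frame


class UnmanagedSwitch:
    """The two behaviours the thread describes: drop tagged frames, or pass everything
    through untouched (every port is then a trunk with no filtering at all)."""

    def __init__(self, ports, drops_tagged):
        self.ports, self.drops_tagged = ports, drops_tagged

    def forward(self, in_port, frame):
        if self.drops_tagged and vlan_of(frame) is not None:
            return {}
        return {p: frame for p in self.ports if p != in_port}


def demo():
    """Room switch from option 3 in the thread: trunk to the router, trunk to the AiMesh
    node, and an access port that puts the ESP32 in IoT VLAN 53 only."""
    sw = ManagedSwitch({
        "uplink": {"pvid": 1, "tagged": {52, 53}},
        "node": {"pvid": 1, "tagged": {52, 53}},
        "esp32": {"pvid": 53, "tagged": set()},
    })
    payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header
    from_esp = sw.forward("esp32", build_frame(ROUTER, ESP32, payload))
    guest_in = sw.forward("uplink", build_frame(ESP32, ROUTER, payload, vlan=52))
    iot_in = sw.forward("uplink", build_frame(ESP32, ROUTER, payload, vlan=53))
    dumb = UnmanagedSwitch(["uplink", "node", "esp32"], drops_tagged=False)
    from_esp_dumb = dumb.forward("esp32", build_frame(ROUTER, ESP32, payload))
    return {
        "esp32_to_uplink_vid": vlan_of(from_esp["uplink"]),        # 53: PVID applied, tagged on the trunk
        "guest_reaches_esp32": "esp32" in guest_in,                # False: port is not a VLAN 52 member
        "iot_to_esp32_vid": vlan_of(iot_in["esp32"]),              # None: tag stripped on the access port
        "iot_to_node_vid": vlan_of(iot_in["node"]),                # 53: kept toward the node
        "unmanaged_uplink_vid": vlan_of(from_esp_dumb["uplink"]),  # None: lands in the router's native VLAN
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result is the one that matters for the cheap-switch question: an unmanaged pass-through switch forwards the ESP32's untagged frames untagged, so at the router they are classified into whatever the router port's native VLAN is (the primary network), which is exactly why the device needs either an access port configured for VLAN 53 or its own VLAN awareness. To find out which camp a real unmanaged switch is in, as the earlier reply suggests, put a VLAN sub-interface on a Linux host at each end (`ip link add link eth0 name eth0.53 type vlan id 53`, give each an address in the same subnet) and see whether they can ping through the switch.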
 
However, if you're content with putting the ESP32s in the IoT VLAN without direct access to other VLANs, then you need not worry about whether they've heard of VLANs or not.
Hi, thanks for the feedback, appreciated.
Yes isolation for the IoT VLAN is the goal here.
Plug them into a port of a managed switch, and use the switch's configuration mechanism to set that port as having the IoT VLAN as untagged ("native") while other VLANs are not permitted to access the port
So this sounds like 3 above, a managed switch at each node (I’d need five of them eventually)? Hmmm …
 
Well, normally you run ethernet cables from the switch to wherever the devices are.

If you have several devices in the same location that should all belong to the same VLAN, then a shortcut is to attach them all to one switch (can be a cheap unmanaged one), run one cable from that switch to a managed switch, and put the VLAN restriction on that one port.
 
Sure, thanks. Actually there's only the ESP32 Device and the Mesh Node, so it will be Ethernet_out_the_wall-to-ManagedSwitch-to-(a) Node and (b) ESP32.

If adding managed switches is what I have to do, I am finding some irony in the fact that a Wifi based ESP32 can be configured to go straight to the IoT VLAN with existing Nodes, but that if I want to wire it up, I have to get a bunch of managed switches for each room where I want to put one :).
 
FWIW, I had some Netgear GS110MX switches a couple of years ago that were in the "pass everything" camp. But this is shaky turf --- a different production run could contain different chips that do the other thing.

True that - depends on the vendor and specific models...

Had a number of Netgear GS-108 unmanaged switches, and they were true to upstream - mostly because the SoC and Firmware were basically the same as their lightly managed "smart" switches...

I've had a couple of desktop switches from "unnamed vendors" that stripped the VLAN tags - they were fine switches, all said...
 
ESP32's are always interesting, as there's a lot of options within their firmware...
Way over my head, but it seems like it might be possible.

If I could somehow configure the Ethernet-connected ESP32 to be VLAN-aware, then that would be the ultimate solution here. Like I said, have not seen anything yet by way of a line in a HA yaml which will effect, this, but there's hope...


 

Attachment: VLAN-Tagged.jpg
If you can create VLANs in the router with specific IP ranges for each VLAN, then give the ESP a static address in that subnet but outside of the range (used for IoT devices). The switch only has to pass the VLAN tags unmolested. Or get a switch with limited management (smart switch - level 2.5 where you assign VLAN id by port). If you are not assigning static addresses on the IoT devices, then the AP has to associate a VLAN with a SSID.
 
I’m not 100% sure I follow, but what led me to ask the question is that I have Primary (192.168.9.xxx) and two GNP VLANs, Guest (VLAN52) and an IoT (VLAN53).

I tried to manually assign an IP to the ESP32-Eth device in the Router (192.168.53.xxx) but when I (just for starters) attached it to my Node (or even my Router), without going through a managed switch (or setting a VLAN on the Router Port) I wasn’t surprised to see that it was assigned an IP in the primary subnet 192.168.9.59.

I haven’t tried it but have been told by the HA forum it will not work to force an IP address in the ESP32 FW (i.e. static IP), hence the query here.
 
I am in the CISCO SMB world. VLANs configured in the router with individual DHCP server for each VLAN. IP address for device assigned based on MAC address listed in the router for the device. All other devices go to guest VLAN if not in the MAC address list.
You can do the same thing with a Level 3 or 2.5 (smart, via port) switch. I am not sure about doing it in the ASUS AiMesh setup. If the router will allow you to assign IP addresses by MAC address, then it seems it should work. You might have to use Merlin to make it easier.
 
If the router will allow you to assign IP addresses by MAC address, then it seems it should work. You might have to use Merlin to make it easier.
Yes Merlin certainly does that and does it especially well with an Addon. I use YazDHCP for the Primary network, even wrote a little Excel spreadsheet to make the custom_clients list to upload the Custom Client List and make Custom Icons.

I use dnsmasq.conf.add (actually dnsmasq-1.conf.add and dnsmasq-1.conf.add) for my Guest and IoT Networks. The Custom Client List file takes care of the Icons and names for those as well.

In this instance though, despite assigning the ESP32-Eth Device in the IoT VLAN, when plugged in to the Ethernet (due to me not assigning a VLAN on the Router Ethernet Port / or using a managed switch), the Router just assigns a DHCP Address on the Primary Network. I believe this is expected behaviour.

The issue is if I need a managed switch in each of 5 rooms just for one ESP32-Eth in each room that I want to put on the IoT Network, I am not sure I can run to the cost / ugliness of 5 managed switches. The smallest ones all seem to be 5-port.
 

Attachments: Assigned By Router.jpg, dnsmasq.jpg
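The behaviour described in the last few posts (a MAC reservation in 192.168.53.x, yet the ESP32 gets a 192.168.9.x lease when its frames arrive untagged on the primary LAN) follows from how dnsmasq picks a pool: by the subnet of the interface the request arrives on, not by the reservation. The script below is an added example, not code from the thread or from Asuswrt-Merlin: it parses the dhcp-range / dhcp-host / dhcp-ignore lines of a dnsmasq fragment and applies a simplified version of dnsmasq's rules (pool chosen by arriving subnet; a dhcp-host address outside that subnet is ignored and the client falls back to the pool; dhcp-ignore drops requests whose tag set matches). The fragment, MACs and subnets are constructed, and the `dhcp-ignore=tag:iot,tag:!known` line is the dnsmasq way of expressing the Cisco "only listed MACs get a lease on this VLAN" policy mentioned above.

```python
"""Model of how dnsmasq answers a DHCP request, to show why an IoT reservation does
nothing when the client lands on the primary LAN. Added example, not thread or
Asuswrt-Merlin code; a simplification of dnsmasq, not a reimplementation."""
import ipaddress
from dataclasses import dataclass, field

# Constructed fragment in the style of a dnsmasq-N.conf.add (subnets/MACs are made up).
SAMPLE_CONF = """
dhcp-range=set:lan,192.168.9.100,192.168.9.199,255.255.255.0,24h
dhcp-range=set:iot,192.168.53.100,192.168.53.199,255.255.255.0,24h
dhcp-host=aa:bb:cc:dd:ee:01,192.168.53.21,esp32-kitchen
dhcp-host=aa:bb:cc:dd:ee:02,192.168.53.22,esp32-garage
# on the IoT pool, only MACs that have a dhcp-host line get a lease at all
dhcp-ignore=tag:iot,tag:!known
"""


@dataclass
class Conf:
    ranges: dict = field(default_factory=dict)   # tag -> (IPv4Network, first, last)
    hosts: dict = field(default_factory=dict)    # mac -> (IPv4Address, hostname)
    ignores: list = field(default_factory=list)  # each entry: list of tag conditions


def parse(text):
    """Parse only the three directive types this model needs; other lines are skipped."""
    conf = Conf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, val = line.split("=", 1)
        parts = val.split(",")
        if key == "dhcp-range":
            tag = "default"
            while parts and parts[0].startswith(("set:", "tag:")):
                p = parts.pop(0)
                if p.startswith("set:"):
                    tag = p[4:]
            start, end, mask = parts[0], parts[1], parts[2]
            net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            conf.ranges[tag] = (net, ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif key == "dhcp-host":
            conf.hosts[parts[0].lower()] = (ipaddress.ip_address(parts[1]), parts[2])
        elif key == "dhcp-ignore":
            conf.ignores.append([p[4:] for p in parts if p.startswith("tag:")])
    return conf


def _tags_match(conds, tags):
    # all conditions must hold; "!x" means tag x must be absent
    return all((c[1:] not in tags) if c.startswith("!") else (c in tags) for c in conds)


def offer(conf, arriving_subnet, mac):
    """Address dnsmasq would offer, or None if the request is ignored.

    arriving_subnet is the subnet of the bridge the request came in on, i.e. the VLAN the
    client's frames actually landed in. That, not the reservation, selects the pool."""
    net = ipaddress.ip_network(arriving_subnet)
    matches = [(tag, r) for tag, r in conf.ranges.items() if r[0] == net]
    if not matches:
        return None                              # no pool for this subnet: request unanswered
    tag, (rng, first, _last) = matches[0]
    mac = mac.lower()
    tags = {tag} | ({"known"} if mac in conf.hosts else set())
    if any(_tags_match(conds, tags) for conds in conf.ignores):
        return None                              # dhcp-ignore matched: no lease
    if mac in conf.hosts and conf.hosts[mac][0] in rng:
        return conf.hosts[mac][0]                # reservation is on this subnet: honoured
    return first                                 # reservation off-subnet or absent: pool (first address; no lease db)


if __name__ == "__main__":
    c = parse(SAMPLE_CONF)
    esp = "aa:bb:cc:dd:ee:01"
    print("ESP32 on primary LAN :", offer(c, "192.168.9.0/24", esp))     # 192.168.9.100, reservation ignored
    print("ESP32 on IoT VLAN    :", offer(c, "192.168.53.0/24", esp))    # 192.168.53.21
    print("unknown MAC on IoT   :", offer(c, "192.168.53.0/24", "11:22:33:44:55:66"))  # None
```

Running it on your own fragment is the useful check: if a dhcp-host address is not inside a dhcp-range for the bridge the device is actually connected to, that reservation will never be applied, which is the expected behaviour the OP observed. On Asuswrt the per-SDN ranges and bridge subnets are generated by the firmware, so the subnets in your fragment have to match what the router already uses for VLAN 52/53.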

IF that's the case - you're missing out on the point of VLAN's...
 
Hmm? Sorry, I'm not sure what your point is; that the point of VLANs is to purchase sufficient managed switches to make it work?
If that is the case then perhaps I need to decide whether to go that route or just suck it up and just let the ESP32s live on the Primary Network.

It's not as neat and tidy in that it appears in a different section of the Router Client List, but it is cheaper :-). Home Assistant still sees them, so function is not impaired.
 
