Some basic VLAN help

czucker

Hi,
I've been reading and reading and it's making my head swim. I'm by no means any kind of networking expert, but I'm usually a pretty quick study.

For whatever reason I can't get my head wrapped around this, so maybe someone here can help?

I have wired up my 3-apartment building and am looking to share internet access throughout.

My plan is to have a switch with a separate VLAN for each unit. I would also like to have a file server attached that can be accessed across all of the different VLANs.

Can anyone point me to the simplest way to achieve this. The terminology is driving me nuts. Trunking, access ports, tagging, etc. . . .

Additionally, would a smart switch be sufficient, or is there some reason that I need a managed switch?

I would be deeply grateful for any guidance.

Thanks,
Chris
 
In order to make it all work, you need a router that supports VLANs on the internal interface(s).

You would then configure a trunk between the router and the switch, and tag all 4 VLANs onto that port on both the router and the switch.

Then just assign ports on the switch to each of the 4 VLANs as you see fit.

Think of each VLAN as a separate, physical network and approach it that way. It might make more sense.
 
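To make the trunk described in the reply above concrete, here is what the router side looks like on a Linux-based router (a DD-WRT, OpenWrt or Ubuntu VM is Linux underneath). This is an added example, not code from the post or from any router vendor; the interface names (eth0 for WAN, eth1 for the tagged link to the switch), the VLAN IDs 10/20/30 for the three apartments and 40 for the file server, and the 10.<vid>.0.0/24 subnets are all assumptions. The functions only print the commands and the nftables ruleset so they can be reviewed first; `sh router-vlans.sh print | sh` as root applies them.

```shell
#!/bin/sh
# Added example (not from the thread, nor from any router vendor): the
# router side of the trunk for a Linux-based router (DD-WRT/OpenWrt/Ubuntu VM).
# Functions only print commands; apply as root with: sh this.sh print | sh
# Assumed names: WAN=eth0, TRUNK=eth1 (tagged link to the switch),
# VLAN 10/20/30 = apartments 1-3, VLAN 40 = file server, 10.<vid>.0.0/24 each.

WAN=eth0
TRUNK=eth1
APT_VLANS="10 20 30"
SRV_VLAN=40

# One 802.1Q subinterface per VLAN on the trunk; the router owns .1 on each.
# Only frames tagged with these IDs cross $TRUNK, matching the switch side.
router_vlan_links() {
    for vid in $APT_VLANS $SRV_VLAN; do
        echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
        echo "ip addr add 10.$vid.0.1/24 dev $TRUNK.$vid"
        echo "ip link set $TRUNK.$vid up"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# nftables policy, treating each VLAN as its own physical network:
#  - apartment -> Internet and apartment -> server VLAN are allowed
#  - apartment -> apartment has no rule, so it hits the forward chain's default drop
#  - the router itself (input chain) offers tenants only DHCP and DNS;
#    management (ssh/https) is reachable from the server VLAN only
router_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet tenants {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
EOF
    for vid in $APT_VLANS; do
        echo "        iifname \"$TRUNK.$vid\" oifname \"$WAN\" accept"
        echo "        iifname \"$TRUNK.$vid\" oifname \"$TRUNK.$SRV_VLAN\" accept"
    done
    cat <<EOF
        iifname "$TRUNK.$SRV_VLAN" oifname "$WAN" accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "$WAN" udp sport 67 dport 68 accept
EOF
    for vid in $APT_VLANS; do
        echo "        iifname \"$TRUNK.$vid\" udp dport { 53, 67 } accept"
    done
    cat <<EOF
        iifname "$TRUNK.$SRV_VLAN" tcp dport { 22, 443 } accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}

if [ "${1:-}" = "print" ]; then
    router_vlan_links
    echo "nft -f - <<'NFT'"
    router_nft_ruleset
    echo "NFT"
fi
```

The default-drop forward chain is the whole point: isolation between apartments comes from the absence of a rule, not from a long list of denies, so adding a fourth unit later is one more VLAN ID in `APT_VLANS` and nothing else.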
You can get away with just the switch supporting VLANs.

Set up each apartment with its own VLAN and provide permissions on each VLAN to only access the ports that have the router (internet) and the file server. Then call it a day.

That said, unless this is family/friends who are living in those apartments, I would absolutely not host any content for anyone on a server as a landlord. WAYYYYY too many things that could possibly go wrong there both for support and liability reasons.

A smart switch might work depending on what that actually means. That often means a semi-managed L2 switch, which yes, that would work. However, I've been seeing some yahoos slapping "smart" on their switch when it actually has zero management capabilities. You need something you can manage in some way (and semi-managed is actually pretty comprehensive management) that also supports VLANs.

Preferably something with a web interface, and not something that only works with a windows/mac utility to manage it. I'd also shut down management from the apartment VLANs.
 
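The switch side of the same plan, in the access/trunk, tagged/untagged vocabulary the original poster asked about. This is an added example, not from the post or any switch vendor: it uses Linux bridge VLAN filtering as a stand-in for the smart switch (a Linux box with a multi-port NIC really can be the switch; on a real one the same memberships go into its web UI). Port names swp1..swp6, VLAN IDs 10/20/30/40, management VLAN 99 and the switch address 10.99.0.2 are assumptions. It also shows one way to do what the reply above recommends, keeping management off the apartment VLANs: the switch's own IP exists only on VLAN 99, which is present on a single admin port and nowhere else.

```shell
#!/bin/sh
# Added example (not from the thread or any switch vendor): the switch side of
# the plan, using Linux bridge VLAN filtering, which speaks the same
# access/trunk and tagged/untagged language as a managed switch's web UI.
# Functions only print commands; apply as root with: sh this.sh print | sh
# Assumed names: bridge br0; swp1..swp3 apartment access ports; swp4 file
# server; swp5 trunk to the router; swp6 admin-only port. VLAN IDs 10/20/30
# apartments, 40 file server, 99 switch management, 10.99.0.2/24 switch IP.

BR=br0
TRUNK=swp5
ADMIN=swp6
MGMT_VID=99
# port:vid pairs. Each access port has exactly one VLAN: frames arriving
# untagged are stamped with that VID (pvid) and leave untagged again.
ACCESS_PORTS="swp1:10 swp2:20 swp3:30 swp4:40"

switch_bridge_config() {
    echo "ip link add $BR type bridge vlan_filtering 1"
    echo "ip link set $BR up"
    echo "ip link set $TRUNK master $BR"
    echo "bridge vlan del dev $TRUNK vid 1"
    for entry in $ACCESS_PORTS; do
        port=${entry%%:*}; vid=${entry##*:}
        echo "ip link set $port master $BR"
        # drop the default VLAN 1 so no two ports share it by accident
        echo "bridge vlan del dev $port vid 1"
        # access port: untagged member of its own VLAN only
        echo "bridge vlan add dev $port vid $vid pvid untagged"
        # trunk: tagged member of every tenant/server VLAN (no pvid, no untagged)
        echo "bridge vlan add dev $TRUNK vid $vid"
        echo "ip link set $port up"
    done
    echo "ip link set $TRUNK up"
    # Management: the switch's own IP lives on VLAN 99, which exists only on
    # the admin port and the bridge itself, never on tenant ports or the trunk.
    echo "ip link set $ADMIN master $BR"
    echo "bridge vlan del dev $ADMIN vid 1"
    echo "bridge vlan add dev $ADMIN vid $MGMT_VID pvid untagged"
    echo "bridge vlan del dev $BR vid 1 self"
    echo "bridge vlan add dev $BR vid $MGMT_VID self"
    echo "ip link add link $BR name $BR.$MGMT_VID type vlan id $MGMT_VID"
    echo "ip addr add 10.99.0.2/24 dev $BR.$MGMT_VID"
    echo "ip link set $ADMIN up"
    echo "ip link set $BR.$MGMT_VID up"
}

# Check the plan: does PORT carry VID? Exits 0 if yes. Use it to verify that an
# apartment port is not a member of another apartment's VLAN or of VLAN 99
# before applying (on a live switch the equivalent check is 'bridge vlan show').
port_carries_vid() {
    switch_bridge_config | awk -v p="$1" -v v="$2" '
        $1 == "bridge" && $2 == "vlan" && $3 == "add" && $5 == p && $7 == v { found = 1 }
        END { exit found ? 0 : 1 }'
}

if [ "${1:-}" = "print" ]; then
    switch_bridge_config
fi
```

Two details worth carrying over to a real switch: delete VLAN 1 from every port (many switches leave all ports in VLAN 1 by default, which silently connects the apartments), and never add the management VLAN to the trunk or to a tenant port, since that is exactly the path an apartment would use to reach the switch's login page.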
The Linksys 1900AC supports VLANs on its 4 Ethernet ports. I have not tried it or dug into it except in passing, but just noted that it is there. If each of the three apartments has one wired port this might work; I don't know how well the 1900 works with 4 possibly heavy users on it or what its throughput is like.
Let me requalify that: I thought I remembered seeing a VLAN page, but I just went online to Linksys and I'm not finding it in the manual.
 
My server is a virtual machine running Ubuntu Server. . . .

I was thinking that I could set up another VM running DD-WRT and use that as the router.

So, cable modem to DD-WRT VM to smart switch, then off to each apartment.

This is the switch I was looking at:
http://www.engeniustech.com/business-networking/switches/16759-egs2108p

Does that make any sense?

Not really.

Just get something like the Netgear 108t or TP-Link SG2008. They'll do what you need. You don't need a router that can support VLANs. Just segment each incoming port from the apartments into the switch on its own VLAN. Then allow outbound access to each VLAN to only the port that the router is connected to.

Done. The apartments have access to the router/internet and nothing else.

If you must have a server, then you just hang it off another port and allow the apartment VLANs access to that port as well as the router port.

I still think unless you have friends/family living in the apartments it is a terrible idea to run a server for them.
 
Thanks.

I don't have a router at all at the moment that I can spare, so I thought I'd just try to handle it in a VM using the onboard dual Ethernet on the server.

And yes, they are close friends at the moment. As apartments turn over, I will likely remove access to the server.
 
I agree with Azazel that I wouldn't do a server here. The best-practice way (yes, it would cost money) would be to get a firewall with UTM (unified threat management) from someone like WatchGuard, Dell/Sonicwall, Zyxel, Sophos, etc. This gives you gateway antivirus, the ability to block certain applications that might saturate the connection (e.g., torrenting) and cause you legal compliance issues, and to rate-limit individual IP addresses, with a lot less concern about management once configured.

I'm not sure you really need VLANs for what you're doing other than to segment your current network and server away from others. If that's the case, I'd just create one VLAN for your network, and one for the other three buildings. Give that second VLAN a large hostmask (example: a /20 hostmask would give you a ridiculous number of addresses, say from 10.10.0.1 to 10.10.15.254). Then set up policies for that VLAN separate from your private one, allowing it access only to the Internet, and bandwidth control policies. I don't see you needing one VLAN per building.
 
Excellent recommendation on the UTM device. He needs a L3 device somewhere and using something like that could potentially kill 3 or 4 birds with one stone.

However, given that the apartments could, at some point in the future, be occupied by complete strangers, I still don't think individual VLANs is a bad idea. A lot of the UTM devices can handle VLAN trunking so it's really not a big deal.
 
Other thought, depending on what you are offering or want to do, most semi-managed and managed switches have port rate limiting. Granted, it isn't QoS that'll share out bandwidth a bit more equally while still allowing any one user to utilize it all if there are no other users (or low bandwidth applications).

However, as apartments, if you are worried about any data hogs, you can always setup port limiting. Suppose you have a 50/5Mbps internet connection. You could set it up so that you rate limit ingress to each apartment's port to 20Mbps and egress to 2Mbps. Yeah, that is more than the max when you total it, but also means even if there are a couple of "data hogs", the last person is still going to get SOMETHING and not a whole lot of lag or totally crushed connection.
 
I don't disagree with your points. I think you and I would probably do it differently.

My use of VLANs in the three buildings would probably be like this, were I to do it: it would be device-based. Quick-and-dirty example:

VLAN 100 - OP's private network
VLAN 101 - Security cameras (if the buildings use IP cameras)
VLAN 102 - Wireless (if the buildings have wifi access points)
VLAN 103 - VoIP (if the buildings have VoIP phones for management anywhere)
VLAN 104 - Wired ports in the apartments themselves

For me, the main use of VLANs here would be to allow QoS, other network traffic management, and separation for device grids. I'd likely do all of the wired ports with a single VLAN because policy management would be easier: I'd want one single firewall policy for the wired ports, rather than having either multiple policies, or having to link it to too many places.
 
You could still do a single firewall policy across all of the VLANs (most firewalls and UTM devices allow application of policy at both the logical and physical interface level).

The reason I'd do it my way is because that way each apartment is separated at the logical level. That way a wireless AP in apartment 1 can talk to wired clients in apartment 1 but not in apartment 2.

I can understand the need for functional VLANs (in your example, a separate VLAN for VoIP for instance), I just keep coming back to the idea that the 3 apartments, at some point, will be occupied by people who will likely want their network separate from everyone else's.
 
Due to cost and some other factors I went with an 8-port PoE smart switch. I haven't begun setting up the VLANs yet, but I was looking at the bandwidth limiting. It is set in 64k increments from 1-15625.

I'm a bit unsure as to what I am setting here. If I enter 7812 for a given port, for instance, how many kbps will that port be limited to?

Thanks again for all the help.

Best,
Chris
 
Which switch?

At any rate, a little unclear, but it sounds like it is 1-15625 x 64 Kbps (as that works out to 1 Gbps). So setting 100 would mean the limit would be 6400 Kbps.

If you have two machines you can set up, you can test it that way by setting an arbitrary limit or two and see what results. Just figure it is likely to vary by +/-10% or so of whatever limit you are setting as it isn't often super accurate.
 