Residential VLAN discussion

Ira

Active Member
Over the last couple of years, I've replaced most of the unmanaged switches in my home with managed switches. I've also added enough non-computer devices to my home LAN to make me start thinking about incorporating VLANs. I'm curious as to how other people are using VLANs in a residential environment.
 
My internet connection is via a DSL modem. It connects to a router that doesn't have VLAN capability. The router has a managed switch connected to it, along with a few other devices (two printers, two NAS appliances, a timeserver appliance, a wireless router in access point mode, and a PC that is in the same room). The managed switch connected to the router (also in the same room) has a "general purpose" PC, my HA PC (running CQC, weatherlink, brultech), and a UPS attached to it, as well as several other "point of use" managed switches and a couple of "point of use" unmanaged switches.
 
The point-of-use switches vary as to the types of devices connected. For example:
 
1. A managed switch in my den with all of my primary home theater devices attached to it...DVRs, WDTV, AVR, TV, etc.
2. A managed switch in my master bedroom with some secondary AV devices...a DVR, TV, WDTV.
3. A managed switch in my office with computer-related devices (several PCs, a printer, a NAS box, two local UPSs), a DVR, and a TV.
4. An unmanaged switch (industrial high temp rated) located in my attic that has most of my other HA stuff running through it.
 
I also have an unmanaged switch in my shop that connects to the unmanaged switch in my attic. It has mostly HA stuff plugged in, but I also use a computer in my shop occasionally that needs connection to my other "computer stuff".
 
I'm also starting to play around with an IP security camera. The one I have is wireless (for convenience during the learning stage) but I expect that I will end up with several wired cameras.
 
I understand that VLANs allow me to segregate different types of data, e.g., Audio/Video stuff on one, Home Automation stuff on another, and PC stuff on another. Where it gets confusing to me is when I need to cross boundaries. For example, I want to control my AV and HA stuff from an iPad via a wireless LAN connection, but the iPad also needs internet access, and access to the NAS boxes and printers. My AV and HA stuff need internet access. I may want to get to the HA stuff (e.g., Elk RP2) from my "regular" computers. I may want to view the security cameras from my TVs. I know you can define VLANs such that some devices can access a different VLAN, but if most devices can cross boundaries, are there really any benefits to VLANs?
 
In a VLAN environment, does an endpoint device connected to an unmanaged switch (which is then connected to a VLAN-enabled port on a managed switch) become part of the same VLAN? For example, am I forced to have every device connected to my unmanaged switch in the attic (including the devices connected to the unmanaged switch in my shop, which is connected to the attic switch) live on the same VLAN?
 
Am I gaining any functionality by having some "point of use" managed switches, all connected to a central managed switch? If the answer is yes, what did I gain?
 
Seems like with the price of managed switches getting pretty reasonable (about $10/port), and more devices getting connected to the home LAN, VLANs are something that need to be understood/considered.
 
So how about some recommendations on how I set up the VLANs, assuming it's worth doing.
 
Thanks,
Ira
 
You need a router which supports multiple VLANs, or traffic won't be able to hop from 1 VLAN to the other.  There are some benefits in a home environment, but mostly limited.  I think the #1 use would be to separate video streaming from the regular computer network, since HTPC/TV should always have a higher priority.
 
I personally put wireless networks on a separate interface as well, but with Wi-Fi printers, and limited multi-subnet support from certain popular protocols such as Bonjour/AFS, that might make things more difficult.
 
Personally, I wouldn't be thinking about this at all.
With that said, I do use a couple of VLANs at home - one to isolate machines I may take home for side work and the other for my guest WiFi. I'm using DD-WRT which makes setting this up a breeze.
 
First off managed switches come in multiple flavors. You have the basic web managed, layer 2 console managed, and layer 3 console managed switches. I prefer the console managed switches, but they do cost more.
 
Think of a VLAN as a virtual network switch. Traffic in the VLAN is isolated from traffic in other VLANs. Depending on the brand, switch configuration is different. With HP you configure the VLAN with ports set as untagged or tagged. With Cisco ports are configured as trunk (equivalent to tagged), access (equivalent to untagged), or general (combination of both). Tagged ports transmit data for the VLANs and include the VLAN ID in the packet, which allows downstream devices to know which VLAN the packet is for. Untagged ports transmit data for the VLAN they are assigned with no tag.
 
In order to route traffic between VLANs you need a router. You configure the switch port in trunk mode with the tagged VLANs to be routed. The router interface is also configured with the VLANs and IP addresses for each. You need to use different IP ranges on each VLAN if you want to route traffic between them.
 
Going with a setup like this allows you to place firewall rules on the router to limit traffic flowing between the VLANs. The downside is you have limited the bandwidth between the VLANs to the speed of the uplink. To step up from here you need to look at layer 3 switches, which can also route traffic.
 
For a home setup I would look at using Vyatta (www.vyatta.org) as your router. I could see having a VLAN to isolate a guest network from your network.
 
VLANs have more use cases in a business environment. For example you can have a public VLAN, server VLAN, guest VLAN, and workstation VLAN trunked to VMware ESXi boxes with VMs isolated in their own networks. Only one network cable is needed instead of having 4 network cables and 4 switches.
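To make the tagged/untagged/PVID behaviour described above concrete (and to answer the earlier question about devices hanging off an unmanaged switch), here is an added example that is not from any post in this thread: a small model of an 802.1Q-aware switch. It builds and parses real 802.1Q tags, learns MAC addresses per VLAN, assigns the port's PVID to untagged frames on access ports, and re-tags frames on trunk egress. The port layout, VLAN IDs and MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100
BCAST = "ff" * 6

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)            # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]

class Switch:
    """ports: {port: ("access", pvid)} or {port: ("trunk", {allowed vids})}."""
    def __init__(self, ports):
        self.ports = ports
        self.fdb = {}                                   # (vid, mac) -> port

    def receive(self, in_port, frame):
        """Process one ingress frame; return {egress_port: frame as sent}."""
        mode, cfg = self.ports[in_port]
        dst, src, vid, etype, payload = parse_frame(frame)
        if mode == "access":
            if vid is not None:
                return {}                    # tagged frame on an access port: drop
            vid = cfg                        # untagged ingress is assigned the PVID
        elif vid is None or vid not in cfg:
            return {}                        # trunk: untagged or disallowed VID: drop
        self.fdb[(vid, src)] = in_port       # MAC learning is scoped to the VLAN
        known = self.fdb.get((vid, dst))
        if known == in_port:
            return {}                        # destination sits behind the same port
        targets = [known] if known is not None else [p for p in self.ports if p != in_port]
        out = {}
        for p in targets:                    # flooding never crosses a VLAN boundary
            pmode, pcfg = self.ports[p]
            if pmode == "access" and pcfg == vid:
                out[p] = build_frame(dst, src, etype, payload)            # egress untagged
            elif pmode == "trunk" and vid in pcfg:
                out[p] = build_frame(dst, src, etype, payload, vid=vid)   # egress tagged
        return out

# Constructed locally-administered MAC addresses for the devices in the thread.
PC, HA_A, HA_B, ROUTER = "0200000000a1", "0200000000b1", "0200000000b2", "0200000000ee"

def demo():
    sw = Switch({1: ("access", 10),        # office PC
                 2: ("access", 10),        # NAS
                 3: ("access", 20),        # uplink to the unmanaged attic switch
                 4: ("trunk", {10, 20})})  # uplink to the router
    r = {}
    # PC ARP-broadcasts untagged on port 1: flooded to VLAN 10 members only.
    out = sw.receive(1, build_frame(BCAST, PC, 0x0806, b"who-has"))
    r["pc_bcast_ports"] = sorted(out)                        # [2, 4], never port 3
    r["pc_bcast_vid_on_trunk"] = parse_frame(out[4])[2]      # 10
    # HA device A behind the attic switch broadcasts: only the trunk, tagged 20.
    out = sw.receive(3, build_frame(BCAST, HA_A, 0x0806, b"who-has"))
    r["ha_bcast_ports"] = sorted(out)                        # [4]
    r["ha_bcast_vid_on_trunk"] = parse_frame(out[4])[2]      # 20
    # HA device B answers A; both sit behind port 3, so this switch filters
    # the frame and the unmanaged attic switch delivers it locally.
    out = sw.receive(3, build_frame(HA_A, HA_B, 0x0806, b"is-at"))
    r["same_port_forwarded"] = bool(out)                     # False
    # Router replies to the PC over the trunk, tagged 10: delivered untagged.
    out = sw.receive(4, build_frame(PC, ROUTER, 0x0806, b"is-at", vid=10))
    r["router_reply_ports"] = sorted(out)                    # [1]
    r["router_reply_tagged"] = parse_frame(out[1])[2] is not None   # False
    # A frame tagged with a VID the trunk does not carry is dropped.
    r["vid30_on_trunk"] = sw.receive(4, build_frame(PC, ROUTER, 0x0806, b"x", vid=30))
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes visible: everything behind an access port (the attic switch and the shop switch chained off it) is in that port's VLAN whether it knows it or not, since the tag is added by the managed switch, not by the device; and a broadcast in VLAN 20 never reaches a VLAN 10 port, so there is no path between the two without a router.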
 
I like rsw686's explanation... One thing to expand on, VLANs used improperly can really hurt you.  For example, if you have a switch at one end that has both Video and PCs attached to it, in order for the PC to access the video, it won't just go from port 1 (computer) to port 8 (video camera) - it has to go from port 1 back to the router and back to the switch, out port 8 - unless you're routing within the switch as mentioned above.  This will increase the traffic on your network and potentially create bottlenecks, but on a home network you'll probably never even notice.
 
At one point I had some fairly complex routing going on in my home - then I swapped out my primary router and flattened it all temporarily... I had a Cisco 881 router as my primary, and had a series of Netgear ProSafe Plus switches that support VLANs.  I had 5 VLANs - one for Corporate VPN back to my office, one for PCs, one for Voice, one for Video, and one for Guest Access.  I also used an Access Point that could tag traffic as well which has two SSIDs - one for Guest, one for Trusted, and one for Wireless Cameras - putting traffic to each SSID on the appropriate VLAN.
 
I then set up the appropriate rules so that Guest couldn't talk to anything too secure - just internet and the Airport Expresses in the house; the Corporate VLAN was just split out to my VOIP phone in my home office and a PC; Video would route but the traffic would be isolated due to the pure amount of traffic; etc.
 
I did this initially because I was forced to pass multiple types of traffic over a single ethernet wire - since that's all I had from the wiring closet to my home office - and since I was at it, I decided to keep going and really expand.  That said, once that need was eliminated I never spent the time putting it back up - and can't think of any good reason to in a typical home environment unless you're trying to either prioritize VOIP Phone Calls or Video Chat - or if you have teenagers with too much freedom and you're tired of them mucking up your internet connection, so you're giving yourself priority traffic... essentially, I'd never bother unless you need to for prioritization or separation for the sake of security, such as in my Corporate VPN example.
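The inter-VLAN rules described in the posts above (guest gets internet plus one streaming box, trusted PCs reach everything, HA/AV gear cannot initiate connections back into the PC VLAN) are easier to reason about with a model in front of you. This is an added example, not code from the thread or from any router mentioned in it: a first-match, default-deny policy with a stateful reply check, the shape of a typical router/firewall policy between VLANs. The VLAN IDs, subnets, addresses and ports (including 2101 for Elk RP and 5000 for AirPlay) are assumptions for illustration.

```python
import ipaddress

# Constructed VLAN plan (IDs and subnets are illustrative, not from the thread).
NETS = {10: ipaddress.ip_network("192.168.10.0/24"),   # PCs, NAS, printers (trusted)
        20: ipaddress.ip_network("192.168.20.0/24"),   # HA / AV gear, cameras
        30: ipaddress.ip_network("192.168.30.0/24")}   # guest Wi-Fi

def zone(ip):
    """Map an address to its VLAN ID, or 'internet' if it is not a local subnet."""
    a = ipaddress.ip_address(ip)
    return next((vid for vid, net in NETS.items() if a in net), "internet")

# Router rules, evaluated top to bottom, first match wins; None matches anything.
# Nothing matched means drop: the policy is default-deny between VLANs.
# (src_zone, dst_zone, dst_host, proto, dport, action)
RULES = [
    (30, "internet", None, None, None, "accept"),       # guests: internet only ...
    (30, 20, "192.168.20.5", "tcp", 5000, "accept"),    # ... plus AirPlay to one box (assumed)
    (20, "internet", None, None, None, "accept"),       # HA/AV gear may reach out
    (10, None, None, None, None, "accept"),             # trusted PCs reach everything
]

class Router:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()      # (src, sport, dst, dport, proto) of accepted flows

    def forward(self, src, sport, dst, dport, proto="tcp"):
        """Decide one packet: 'switched' (router never sees it), 'accept' or 'drop'."""
        sz, dz = zone(src), zone(dst)
        if sz == dz != "internet":
            return "switched"       # same VLAN: the switch forwards it directly
        if (dst, dport, src, sport, proto) in self.conntrack:
            return "accept"         # reply to a flow already allowed (stateful)
        for rs, rd, rh, rp, rport, action in self.rules:
            if all(want is None or want == have for want, have in
                   ((rs, sz), (rd, dz), (rh, dst), (rp, proto), (rport, dport))):
                if action == "accept":
                    self.conntrack.add((src, sport, dst, dport, proto))
                return action
        return "drop"

def demo():
    r = Router(RULES)
    pc, nas, elk, cam = "192.168.10.20", "192.168.10.30", "192.168.20.10", "192.168.20.40"
    guest, airplay = "192.168.30.50", "192.168.20.5"
    return {
        "pc_to_nas":         r.forward(pc, 50001, nas, 445),          # same VLAN: switched
        "pc_to_elk":         r.forward(pc, 50002, elk, 2101),         # 10 -> 20: accept (assumed Elk RP port)
        "elk_reply":         r.forward(elk, 2101, pc, 50002),         # 20 -> 10 reply: accept via state
        "cam_to_nas":        r.forward(cam, 40000, nas, 445),         # 20 -> 10 unsolicited: drop
        "guest_internet":    r.forward(guest, 50003, "203.0.113.9", 443),   # accept
        "guest_airplay":     r.forward(guest, 50004, airplay, 5000),        # accept
        "guest_ssh_airplay": r.forward(guest, 50005, airplay, 22),          # drop
        "guest_to_nas":      r.forward(guest, 50006, nas, 445),             # drop
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:18} {verdict}")
```

The point worth noticing is the asymmetry: the PC can open a session to the Elk and get its replies back, but a camera in the same VLAN as the Elk cannot open anything toward the NAS, because only the direction of the first packet is matched against the rules. That is the security benefit the thread is asking about, and it only exists because the two devices are on different VLANs and the router sits between them.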
 
I think it depends on how much IP hardware and QOS you need to maintain bandwidth for.

I've done many large, high end residential installs that deployed multiple VLANs. Of course, we had one VLAN for the BAS, another for the IP video and related hardware, another for just security, and then the guest/normal Inet VLANs.
 
Is this necessary and would most people see the difference? Probably not, but once you hit a certain size and also certain level of integration, it makes sense to treat the network like an enterprise network.
 
DELInstallations said:
I think it depends on how much IP hardware and QOS you need to maintain bandwidth for.

I've done many large, high end residential installs that deployed multiple VLANs. Of course, we had one VLAN for the BAS, another for the IP video and related hardware, another for just security, and then the guest/normal Inet VLANs.
 
Is this necessary and would most people see the difference? Probably not, but once you hit a certain size and also certain level of integration, it makes sense to treat the network like an enterprise network.
 
If you are going into this level I would also be enabling rapid or multiple spanning tree and possibly 802.1x port authentication. Spanning tree will prevent a network loop from taking down your network. Even with multiple VLANs this can occur as the switch backplane becomes overloaded. Spanning tree learns the network topology and blocks the ports that create loops. This also allows you to purposely create loops to provide redundancy.
 
For example if you have a core switch and two branch switches connected to the core you could also run a cable between the branch switches. If either a cable between the core and one branch switch was damaged the traffic would flow from core to the branch switch and then to the other branch switch.
 
The 802.1x port authentication allows the port to switch between a normal and a guest VLAN based on the connecting computer. I usually use this with Active Directory and the Network Policy Server role, but any RADIUS server will work. For a larger house this would be ideal for common areas or guest bedrooms.
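The spanning tree behaviour described above (block the link that closes the loop, then unblock it when a cable fails) is short enough to show end to end. This is an added example, not code from the thread or from any switch vendor: a simplified spanning tree that keeps each switch's shortest path to the root and blocks the rest, plus a broadcast-flood counter that shows why the loop matters. The three-switch topology (core plus two branch switches with a cable between the branches) is the one in the post above; the root bridge is chosen by name here rather than by bridge ID election.

```python
from collections import deque

def _adj(links):
    """Adjacency map from an iterable of 2-element links (tuples or frozensets)."""
    adj = {}
    for l in links:
        a, b = tuple(l)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def spanning_tree(links, root):
    """Simplified STP: every switch keeps the link toward the root with the
    fewest hops (ties broken by the lower switch name, the way a lower bridge
    ID wins in real STP); every other link is put in blocking state.
    Returns (forwarding_links, blocked_links) as sets of frozensets."""
    adj = _adj(links)
    seen, forwarding, q = {root}, set(), deque([root])
    while q:
        n = q.popleft()
        for m in sorted(adj.get(n, ())):
            if m not in seen:
                seen.add(m)
                forwarding.add(frozenset((n, m)))
                q.append(m)
    blocked = {frozenset(l) for l in links} - forwarding
    return forwarding, blocked

def reachable(links, start):
    """Switches reachable from start over the given links."""
    adj = _adj(links)
    seen, q = {start}, deque([start])
    while q:
        for m in adj.get(q.popleft(), ()):
            if m not in seen:
                seen.add(m)
                q.append(m)
    return seen

def flood(links, start, steps):
    """Copies of one broadcast still in flight after `steps` forwarding rounds.
    Each switch repeats a broadcast out every link except the one it came in on.
    With a loop the copies never die (in this small triangle they circulate;
    in a larger mesh they multiply); on a tree they reach the leaves and stop."""
    adj = _adj(links)
    frames = [(start, None)]
    for _ in range(steps):
        frames = [(m, at) for at, came in frames for m in adj.get(at, ()) if m != came]
    return len(frames)

def demo():
    links = [("core", "branch1"), ("core", "branch2"), ("branch1", "branch2")]
    fwd, blocked = spanning_tree(links, "core")
    after_fail = [l for l in links if set(l) != {"core", "branch1"}]   # cable cut
    fwd2, _ = spanning_tree(after_fail, "core")
    return {
        "blocked": sorted(tuple(sorted(l)) for l in blocked),             # branch1-branch2
        "storm_without_stp": flood(links, "branch1", 10),                # 2: still circulating
        "storm_with_stp": flood(fwd, "branch1", 10),                     # 0: flood finished
        "reachable_after_failure": sorted(reachable(fwd2, "branch1")),   # all three switches
        "forwarding_after_failure": sorted(tuple(sorted(l)) for l in fwd2),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Real RSTP adds bridge ID election, port roles and the hello/TCN timers that make reconvergence take a second or so rather than being instantaneous, but the decision it reaches on this topology is the one computed here: block the branch-to-branch cable while the core links are up, and forward over it once one of them fails.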
 
In case it matters, the managed switches I'm using are Netgear GS716T (16 ports) and GS108T (8 ports). They are part of the Netgear ProSafe Smart Switch line. Both support rapid spanning tree protocol and 802.1x port authentication, although I have no idea what either function does. My router is a Netgear ProSafe FVS336G.
 
My DSL service includes five static IP addresses. Although I don't use it yet, I have a second wireless router (Netgear ProSafe SRXN3205) connected to the DSL modem that will be used as an isolated guest wireless network.
 
I use static IP addresses for all my wired devices. My wireless devices depend on DHCP, but they have reserved IP addresses on the DHCP server. I currently have about fifty devices active. Some may only be used a few times a week, but all are still in use to some degree.
 
My thought is, since this is a residential situation and not something where you will have a client breathing down your neck if something was to go wrong (except maybe your spouse, which could be just as bad I guess), I would tend to leave it as one network and see how it goes for a while. The headaches of segregating might be more trouble than it is worth. I looked at this when I considered IP cams and you could put quite a few on a 100 Mbit Ethernet network and still have plenty of room to spare.
 
The primary purpose of VLANs is to limit broadcast domains.  Basically to allow tons of devices (hundreds/thousands) to share the same networking equipment without interfering with each other.  This is because when you put that many devices on the same network, their broadcasts begin to add up to the point that that is all the network is doing.  
 
Sometimes you might have devices that do excessive broadcasts due to some poorly written app they run that cause you to use VLANs with only a few devices.   But VLANs don't do anything to isolate unicast traffic (most normal traffic), and instead create bottlenecks to that traffic at the router interfaces.  As mentioned above they can also be used for security, etc.
 
It doesn't sound like you have hundreds of network devices, broadcast issues, or security requirements.  You are going to be sharing the same network resources, so splitting into VLANs probably won't do anything but complicate your life and create bottlenecks where none exist today.  If you start having network issues, more likely you need to incorporate some limited QoS to resolve it.  Unless it is just something you want to play with... that's ok, but the excitement will wear off pretty quick.. ;)
 
I can't see having a VLAN other than a guest wireless network in my house.
K.I.S.S. method here for me. Until I have multiple megapixel IP cameras installed here I won't ever see a benefit other than making things more complex. Not that much bandwidth being used. Gigabit is plenty for now and some people think I am nuts for having that...
 
Personally here at home I have right around 80 devices on the network.  I do have an autonomous network provided by a second (and third) network interface on the firewall. 
 
That said though I have not found it necessary yet to utilize VLANs in the house.  
 
A few years back I kept a separate tunneled network for mostly just work stuff. That said, and related to routers and switches, I mostly would authenticate via one which I considered the center of the "universe".
 
I did make use of a management-only VLAN as one of multiple VLANs in an enterprise environment. I also used GRE tunneling on the layer 3 switches for a single purpose.
 
Historically, though, I have seen the collapse of the spanning tree bridges create a kind of domino effect with very disastrous results (65XX cores or multiple cores).
 
I have, though, moved to mostly all Gb at home and so far I'm not really dinging the network. I do not see a justification for a residential VLAN, but that is me and my opinion.
 
Just a note for anyone following along - there's no reason to set up VLANs just to have a guest wifi - any decent Access Point/AP-Router combo will have an option to create an isolated guest SSID - even though clients on that SSID will receive IP addresses from the same network, they'll be isolated so that they can't talk to anything except the gateway - so they can only access the internet.  As feature sets go up, you can start adding "allowed" IPs so you can let guests print or access your AppleTV or AirportExpress for streaming - and you can even control bandwidth limitations - but that can all be done without introducing the complexity of VLANs and routing within your home.
 
Work2Play said:
Just a note for anyone following along - there's no reason to set up VLANs just to have a guest wifi - any decent Access Point/AP-Router combo will have an option to create an isolated guest SSID - even though clients on that SSID will receive IP addresses from the same network, they'll be isolated so that they can't talk to anything except the gateway - so they can only access the internet.  As feature sets go up, you can start adding "allowed" IPs so you can let guests print or access your AppleTV or AirportExpress for streaming - and you can even control bandwidth limitations - but that can all be done without introducing the complexity of VLANs and routing within your home.
 
Great point to make if you are using a combo unit. Which brand are you using and how is the reliability? Years ago I threw out the Linksys WRT54G and never looked back. I currently have a Supermicro Atom 1U running Vyatta. The power usage is around 20 watts and the reliability has been great. Before that I was running pfSense on a Nokia IP330, but switched as I wanted IPv6 support.
 
For the access point I have a D-Link DWL-3200AP and DAP-2553. The DWL-3200AP has been a great unit. The DAP-2553 range is terrible in 5GHz mode. I was hoping it would be better as the 2.4GHz range is crowded in my neighborhood. I tried out a Netgear WG103 and had nothing but issues between the slow WebGUI and random lockups. Not to mention the power adapter just died. I'll probably pick up a Cisco 1041N next time and just deal with not being able to grab the updated firmware.
 
I just do it using DD-WRT; it allows you to create virtual wireless interfaces with their own SSID.
 