Help for VLAN setup on OS X based small office - IP cams, VoIP, Wifi guests and more

Jacob_113
Aug 31, 2016
I am trying to plan the local network for my wife's new office and I am a beginner with some IT background. I'm also trying to implement VLANs (no experience whatsoever) because of some issues in a pre-existing office's network setup such as unreliable VoIP, privacy concerns for IP cams, and excessive bandwidth for WiFi guests. The LAN will be composed of Apple computers with possibly some Windows VMs running for business applications.

IT implementations for this office include:

  • VoIP
  • DLNA server for Roku/generic dongles into cheap monitors
  • Workstations that can connect to both a local server and hosted server (business application)
  • PoE IP cameras (for no particular reason other than I've used them)
  • VM images for the primary business application which is Windows-based
  • Wi-fi internet access for guests
  • VPNing into server
I would like to build my network around VLANs and QoS, but have no experience with either of these technologies. As far as I can tell from my interweb research, I could do something like get a good router, connect the local server to a trunk port, then make all other ports access ports for individual VLANs and connect dumb switches to each port for my needs - switch for IP phones, PoE switch for my IP cameras, switch for DLNA streaming, switch for my LAN workstations, and one WiFi router for guest WiFi access. Dumb switches because I don't see the need to broadcast across VLANs because my server is the only machine that will need access to several VLANs (??).

Also, I would like to prioritize WAN bandwidth to the VoIP getting highest priority, WiFi guest router with lowest priority (or even fixed limit per client), and everything else somewhere between.

I assume the local server (OS X) will use its virtual interfaces for its trunk port connection because I will have the CCTV software there, the DLNA server will be there, and if the hosted server fails, it will need to serve as a backup server to the local workstations.

Can someone chime in on these ideas as this is way beyond me?

Thanks mucho!
J
 

LinwoodFerguson
Aug 19, 2016
Is there a specific aspect of this you want more help with, or just general ideas?

In the general area, the idea of segregation into VLAN's is good; be sure the segregation is real when you set it up (e.g. the guest wifi). Keep in mind out of the box many SOHO devices are not going to do what you want. Third-party software like DD-WRT might be an option there, but good solid commercial gear (e.g. Cisco ASA, and a real Cisco switch, not Linksys) would be more solid.

Decide how important redundancy is. Many small businesses won't spring for real redundancy, but at least consider it and decide explicitly, not just assume. For example, if you are using a cable modem for internet, a spare is pretty cheap, and sometimes shuts up the cable vendor quicker than anything else when they blame your gear. Hot spares significantly complicate the configuration and are probably not needed, but cold spares (or knowing you have a quick local source) is a good thing.

For POE, don't forget the phones are likely POE as well, so if you are trying to use dumb switches (not a great idea, though doable) you may need two if you plan to segregate VLAN's there. Also don't forget to do a power budget - POE cameras are power hungry if they include IR (and be sure to use the IR power draw), and low end switches often cannot power every (or even most) ports with full POE current.

Wifi - depending on what gear you buy, some wifi adapters can be POE as well.

Plan on at least two WLAN's then for Wifi, one for internal use and one for guests - don't use just one, and better not to have people based there using the guest side. Depending on size you may need more than one AP.

There is no single aspect of what you propose that is difficult, but if it's your first time the combination of all of this is likely to be something of an exercise in frustration to get just right. Perhaps more importantly, it may be difficult for you to notice if you leave security holes open, since everything may work perfectly. If you have any friends who do this more often, maybe some beer and pizza might buy you a bit of help to spec the pieces you want to buy and some help in initial setup. Lots of tweaking to do and learn afterwards.
 

Jacob_113
Aug 31, 2016
Thanks for the feedback on the general stuff.

I'll give an example of a specific problem I'm thinking of. Let's say I'm interested in a Synology NAS with a single NIC that I want to use for surveillance, DLNA server, and file shares for the workstations, all of which are on their own VLANs. So in order for this NAS to access all the subnets, I would need to put it on a VLAN that is available on all ports (probably same VLAN as the WAN)? What are my security concerns now? How can I enable the workstations and Rokus on different subnets to see the file shares and DLNA server on the NAS if I want to keep the VLANs segregated?



 

LinwoodFerguson
Aug 19, 2016
Generally (though not necessarily) separate VLAN's are given separate IP address spaces. So for example you might take 10.10.1.0/24 and make it for video, 10.10.2.0/24 and make it for workstations, 10.10.2.0/24 and make it for phones, etc. This not only provides layer 2 isolation, but also isolation for layer 3 managed by either a layer 3 switch(s) or a router(s)/Firewall that will pass traffic between them. This allows you to have relatively simple IP filtering rules between VLAN's. For example, you might disallow entirely anyone with IP's on your guest network from communicating with devices on an internal network. You can also then limit types of traffic, for example permitting port 80 traffic to one specific device for guests, but not others (and more active, stateful firewalls can do all sorts of additional filtering and inspection).

(I should note here that one of the complexities comes from NAT, since you will likely have a different address space internally than externally, allowing guests access to internal resources, say a web server that is NAT'd to the same name externally, can be a challenge).

While there are many, many choices, the simplest starting point is probably to assume all devices are in one and only one VLAN (except managed switches and routers, and maybe except phones which often pass a voice VLAN separately from a data VLAN if they have a data port). Then lay them out and figure out what the rules are for traffic passing from and to each of those areas, and from each area to the internet (and from each to other sites if you have other sites). This form of... perhaps deconstruction is the word.. lets you lay out your virtual topology, and make isolated decisions on the flow of traffic between them, i.e. rather than just asking "who can talk to whom" you can say "can guests talk to video" and turn it into a series of very specific decisions. That then translates relatively nicely into how each port is set up - which VLAN it is allowed to access, and which carry the trunks (i.e. multiple VLANs to pass from one switch to another).

The idea of having unmanaged switches actually can complicate this sort of setup, unless you dedicate each switch to one and only one VLAN. Which in turn can cause issues if you have devices like Cisco phones which have a separate PC connection data port, as this requires passing both the phone and data VLAN's in one port. While it is perfectly possible to pass two different VLAN's traffic through an unaware, unmanaged switch, it just begs for bad things to happen (e.g. spanning tree turning off a port thinking it is a loop, when from your perspective it is a different VLAN).

So to your question, the Synology NAS could be given an IP on the internal network, and any devices on any network could communicate with it through your layer three routing device (subject to your rules). There are other choices that let it live on more than one VLAN at a time, but they (in my opinion) add more complexity than they solve. Keep it simple, put everything in its "normal" place, decide on the flow of traffic between these places, and if you have a few exceptions left over (after asking are they in the right place), then write specific rules for individual devices (as opposed to whole VLAN's).
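As an added illustration (not from either poster), the layout this answer describes, modelled in Python: one /24 per VLAN, a first-match rule list for flows that cross the layer-3 boundary, default deny for everything unmatched, and a check that the address plan has no overlapping subnets before any rule is written. The VLAN names, the subnets, the NAS at 10.10.2.10 and the single guest-reachable web server at 10.10.2.20 are all constructed for the example. One caveat the model makes visible: traffic within a VLAN never reaches the router, so a rule there does nothing, and DLNA discovery (SSDP multicast) is link-local, so Rokus on another VLAN need a multicast/SSDP relay or a manually entered server address even when the unicast stream is permitted.

```python
"""Model: one subnet per VLAN, explicit first-match rules between VLANs,
default deny at the layer-3 boundary. Added example; all names, subnets and
device addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed address plan, one /24 per VLAN.
VLANS = {
    "cameras":      "10.10.1.0/24",
    "workstations": "10.10.2.0/24",
    "phones":       "10.10.3.0/24",
    "media":        "10.10.4.0/24",   # Rokus / DLNA clients
    "guests":       "10.10.9.0/24",
}

NAS = "10.10.2.10"        # constructed: the NAS lives on the workstation VLAN
GUEST_WEB = "10.10.2.20"  # constructed: the one internal host guests may reach


@dataclass(frozen=True)
class Rule:
    src: str                              # VLAN name or exact IP
    dst: str
    proto: str = "any"                    # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()   # empty = any destination port
    action: str = "allow"


# First match wins; anything unmatched is denied. Internet egress is not
# modelled here, only flows between the VLANs above.
POLICY = [
    Rule(NAS, "cameras", "tcp", frozenset({80, 554})),   # surveillance pulls RTSP/HTTP
    Rule("media", NAS, "tcp", frozenset({8200})),        # DLNA stream to the NAS
    Rule("guests", GUEST_WEB, "tcp", frozenset({80})),   # "port 80 to one specific device"
]


def _nets(vlans):
    return {name: ipaddress.ip_network(cidr) for name, cidr in vlans.items()}


def vlan_of(ip, nets) -> Optional[str]:
    """Name of the VLAN whose subnet contains ip, or None."""
    for name, net in nets.items():
        if ip in net:
            return name
    return None


def _endpoint_matches(spec: str, ip, nets) -> bool:
    if spec in nets:
        return ip in nets[spec]
    return ip == ipaddress.ip_address(spec)


def decide(src: str, dst: str, proto: str = "tcp", dport: int = 0,
           vlans=VLANS, policy=POLICY) -> str:
    """Return 'same-vlan', 'allow' or 'deny' for one flow."""
    nets = _nets(vlans)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan = vlan_of(src_ip, nets)
    if src_vlan is not None and src_vlan == vlan_of(dst_ip, nets):
        return "same-vlan"   # switched at layer 2; the router never sees it
    for rule in policy:
        if (_endpoint_matches(rule.src, src_ip, nets)
                and _endpoint_matches(rule.dst, dst_ip, nets)
                and rule.proto in ("any", proto)
                and (not rule.ports or dport in rule.ports)):
            return rule.action
    return "deny"            # default deny between VLANs


def validate_plan(vlans=VLANS, policy=POLICY):
    """List problems: overlapping subnets, rule endpoints outside every VLAN."""
    nets = _nets(vlans)
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for rule in policy:
        for spec in (rule.src, rule.dst):
            if spec not in nets and vlan_of(ipaddress.ip_address(spec), nets) is None:
                problems.append(f"rule endpoint {spec} is not inside any VLAN")
    return problems


if __name__ == "__main__":
    print("plan problems:", validate_plan())
    for flow in [("10.10.4.5", NAS, "tcp", 8200),
                 ("10.10.9.7", "10.10.1.3", "tcp", 554),
                 ("10.10.9.7", GUEST_WEB, "tcp", 80),
                 ("10.10.2.5", NAS, "tcp", 445)]:
        print(flow, "->", decide(*flow))
```

Run `validate_plan()` before committing the rules: it rejects a plan where two VLANs were given the same address space, which is the kind of slip that silently breaks "guests cannot talk to video" because the router then cannot tell the two apart.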


 