[SOLVED] Do I need a layer 3 switch?

edwjohn3

Reputable
Jul 22, 2017
31
3
4,545
Hi all,

I am planning to wire my home with Cat 6a ethernet cable. I plan to run 4-6 lines to my home office and entertainment center areas, plus a couple of drops to other rooms and some runs up in the attic for connecting PoE cameras. I plan to get an NVR system from a company like Lorex, and have it all plugged into a switch in my basement.

Right now, my only networking hardware is a basic Linksys EA7300 wifi router. I also have an OpenVPN server set up on a Raspberry Pi. I know I can buy a basic 24 port dumb switch and just plug and play (since the NVR basestation would provide the PoE to the cameras). But, I have been reading that it is a good idea from a security standpoint to put things like IP surveillance systems on a separate VLAN so that if someone were to, say, unplug one of the IP cams and hook up a laptop they would not gain full access to my whole network.

So then the question is, do I need a managed switch with layer 3 inter-VLAN routing capability? I am assuming my home model Linksys will not be able to handle inter-VLAN routing, or act as a DHCP server for multiple IP ranges - so then would I also be looking at having to upgrade to an enterprise grade router??

Or should I just not worry about the VLANs and go with an unmanaged switch? Perhaps the NVR basestation would act as a firewall between the IP cameras and the rest of the network?

I have been looking at offerings from Ubiquiti and Mikrotik for the switches and routers.

Thanks for any/all advice!!
 
Last edited:
Solution
Generally if you do not know why you need a layer3 switch you do not need one.

A layer 3 switch can do all the intervlan routing and many times a dhcp server. Most times you use what is called a "helper" that forwards the dhcp broadcasts to a central server that can do it. It is commonly done by a microsoft domain server because it integrates a bunch of other domain functions with the DHCP. Lots of integration like assigning users to vlans based on their identity.

The key feature that most layer3 switches can not do is NAT. This means you need a router that can do NAT on more than a single subnet. Almost no consumer routers can do this....unless you cheat on the subnet mask.

Then again NAT is only used to the...
Generally if you do not know why you need a layer3 switch you do not need one.

A layer 3 switch can do all the intervlan routing and many times a dhcp server. Most times you use what is called a "helper" that forwards the dhcp broadcasts to a central server that can do it. It is commonly done by a microsoft domain server because it integrates a bunch of other domain functions with the DHCP. Lots of integration like assigning users to vlans based on their identity.

The key feature that most layer3 switches can not do is NAT. This means you need a router that can do NAT on more than a single subnet. Almost no consumer routers can do this....unless you cheat on the subnet mask.

Then again NAT is only used to the internet you would actually route subnets between office locations.

You are liking making thing more complex than you really need to. You run the risk that the complexity introduces security. If your goal is to isolate cameras the fairly common method is to place the cameras on a different network/vlan and then use a dual nic NVR to allow access. Since most these devices have no ability to route traffic between the interfaces it acts a pretty good firewall.
 
  • Like
Reactions: SamirD
Solution
The NVR devices I am looking at have 8 PoE ethernet ports to connect to the cameras, and then 1 ethernet port for connecting the NVR to the LAN. Without a VLAN setup, would someone get full access to my whole network if they connected to one of the ethernet cables running from the NVR device to an exterior camera?
 
Configurable, smart layer 2 switches can usually have multiple VLANs. The Layer 3 functionally just gives you the ability to route BETWEEN the multiple VLANs on said switch. So, you could have a layer 2, 24-port switch where you have ports 1-12 on your 'home network' VLAN and ports 13-24 on your 'security VLAN' (given the right switch).

A dual-NIC NVR would solve your dilemma, as @bill001g suggests. You could also have a 'jump box' on your security VLAN that is also on your wireless. There are several different configurations for your scenario, depending on how secure you want it to be.

One of the reasons why it's a good idea to keep your security system on a separate network is that security devices are notorious for having huge security gaps/bugs that go unpatched forever. Calling them 'security' device is an unfortunate misnomer.
 
Last edited:
I would wire the cameras directly to the nvr, not going through any other switch and only have the nvr on your network. This way, the cameras won't have access to the internet as they shouldn't since they are simply sending info to the nvr.

You don't want to be using vlans or managed switches unless you need to. More complexity can a lot of times be just more complexity. 😀
 
As above, if you have to ask, you probably don't need it.

You can roll vlans with a layer 2 switch, you'd just depend on the router to route between vlans which is CPU limited. The main advantage of layer 3 switching is inter-VLAN routing at wire speed.

Does your consumer router even support different VLANs or separate routed interfaces? Most of them do not without custom firmware.
 
My consumer router does allow two ports out of the 4 LAN ports to be configured for VLAN, but based on the router's documentation this seems to be designed for configuration with ISPs that require a VLAN configuration for segmenting VOIP and traditional data. I don' t know if it would work for inter-VLAN routing. At this point I am leaning heavily towards just getting an unmanaged switch. As others have suggested, having all the IP cameras plugged into the NVR will probably sufficiently isolate them from the rest of the network.
 
  • Like
Reactions: SamirD