Home Network Reconfiguration

[heavy21]

I’m trying to bring order and security to my home network (http://imgur.com/QE5ucn0). I have several questions regarding connections of switches, creation of subnets, etc. and solicit helpful comments. After I digest and implement suggestions, I’ll rackmount all equipment that can appropriately fit into a 45µ 4 post rack.
1. UTM device (Ubiquiti Vault Pro) has four ports as indicated. One of the OPT ports must be assigned (encumbered) for Open VPN. I am looking at using the Ubiquiti as the sole DHCP server on my net unless a case can be made for having an L2 switch serve IP addresses, I am looking at cascading one or more of the L2 switches off the L3 switch as the principle switch.
2. I think it appropriate to segment the LAN for data security with VLANS and sub-netting. I think all current and projected devices can fit within address space 192.168.1.1- 254 using subnet mask 255.255.255.255. I think I see a current and future need for 15 static IP addresses, range 192.168.236-250. One VLAN for workstations, server, and printer; one VLAN for Guest Wi-Fi; one VLAN for Surveillance cameras and NVR, and one VLAN for internal Wi-Fi
3. In the sense of best practices, here are my questions:
a. Hang each switch off a port on the router or, hang L3 switch off router and cascade L2s off L3?
b. Which VLAN(S) recommended for each scenario in 3a.
c. Is an additional VLAN required for all devices to reach the single router gateway or is some other setup more practical?

 

[bill001g]

A layer3 switch is mostly designed to allow communication between subnets not prevent it. Although some have security features it is not its primary purpose. It is mostly used when you need very high speed communication between devices in different subnets.

The order you hook switches up really don't matter. That is the purpose of vlans. You could put all the vlans on all the switches if you wanted. They will all be kept separate by the vlan. Mostly you need to cable it so that you do not get bottlenecks between devices. This tends to be complex because you can have multiple connections between switches with only certain vlans on certain cables if you want.

At some point though you are going to have to cable the switches to a router/firewall that can control traffic between the vlans and to the internet. This can be seperate cables or you can use a single cable for all with vlan tags.

Key here is do this as simple as possible. Do not put in lots of subnets and vlans just because you think it will increase security. The more complex you make it the more chance you have of making a error and leaving a hole in your security.

 

[heavy21]

A layer3 switch is mostly designed to allow communication between subnets not prevent it. Although some have security features it is not its primary purpose. It is mostly used when you need very high speed communication between devices in different subnets.

The order you hook switches up really don't matter. That is the purpose of vlans. You could put all the vlans on all the switches if you wanted. They will all be kept separate by the vlan. Mostly you need to cable it so that you do not get bottlenecks between devices. This tends to be complex because you can have multiple connections between switches with only certain vlans on certain cables if you want.

At some point though you are going to have to cable the switches to a router/firewall that can control traffic between the vlans and to the internet. This can be seperate cables or you can use a single cable for all with vlan tags.

Key here is do this as simple as possible. Do not put in lots of subnets and vlans just because you think it will increase security. The more complex you make it the more chance you have of making a error and leaving a hole in your security.

 

[heavy21]

Thanks for the response Bill.

As I understand, L3 aware devices have more capabilities than L2 devices. Given this increased functionality, my question was whether it was better to cascade the L2 devices off of the L3 or, direct connect each switch to an available port on the router? I think you're saying there's no added value by cascading.

I take your point on making things simple regarding VLANS and sub-netting. I believe that multiple VLANS and their associated sub-nets or IP ranges are appropriate on my network but am interested in any discussion you might provide on how best to accomplish this. As mentioned in the initial request, I don't have a need for more IP addresses devices than available in 192.168.1.1-254. Is it simple to allocate IP address ranges to VLANS or create sub-nets for VLANS?

Thanks again for your insight.

 

[bill001g]

My recommendation is you don't do this other than maybe for your guest vlan. There is also no reason to chop the 192.168.1.0 block into small subnet masks. Just use /24 blocks make it simple.

A lot of microsoft file sharing and printing works much easier if they are all on the same vlans. This is why enterprise network have microsoft domain servers to make it so people do not have to key in ip addresses all the time to get access to things on different subnets.

Don't over complicate it unless you have a very good reason to.