What are my choices for VLAN handling (diagram attached)


I’m trying to improve my home network and would like to use VLANs for isolation. I’ve been watching a lot of videos and reading articles and I’m ready to get some kit, but I’m still a bit confused over what exactly I need for the box labelled ??? in the diagram.

The black lines are trunk, and the coloured lines individual VLANs. The issue is that I would like to enable only PC-A and TV to access the NAS, ideally with all switching on the ??? box, but I don’t want to lose wirespeed if possible.

I believe I may be able to use the EdgeSwitch ES-8-150 for example to have inter-vlan switching with ACLs to achieve this: https://help.ui.com/hc/en-us/articles/115010927367-EdgeSwitch-Limiting-Inter-VLAN-Routing-with-Access-Lists

Am I correct in my thinking here? If so, are there any other similar switches that could achieve this?

If I’m wrong above, how can this be achieved, or is the only solution to run the VLANs all the way back to the router (likely pfSense - not 100% decided yet) and handle the ACLs there?

EDIT: The other switches are also undecided but I would likely buy from the same ecosystem wherever possible.


1 Like
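As an added illustration (not code from the thread or from Ubiquiti), the policy asked for above, "only PC-A and TV may reach the NAS", modelled as a stateless inter-VLAN ACL of the kind a switch applies; the subnets, VLAN names and port numbers are assumptions made for the example. The point it shows is that a switch ACL is stateless, so the NAS-to-client reply direction needs its own permit entries, and same-VLAN traffic never hits the ACL at all.

```python
# Added example: stateless inter-VLAN ACL evaluator for the "only PC-A and TV
# may reach the NAS" policy. All addresses/VLANs below are constructed.
import ipaddress
from typing import List, Optional, Tuple

VLANS = {  # assumed VLAN layout, one /24 per VLAN
    "pc":  ipaddress.ip_network("192.168.10.0/24"),  # PC-A
    "tv":  ipaddress.ip_network("192.168.20.0/24"),  # streaming devices
    "lab": ipaddress.ip_network("192.168.30.0/24"),  # VMs
    "nas": ipaddress.ip_network("192.168.40.0/24"),  # NAS
}

# (action, src VLAN, dst VLAN, dst port or None = any); first match wins.
Rule = Tuple[str, str, str, Optional[int]]
ACL: List[Rule] = [
    ("permit", "pc",  "nas", None),   # PC-A may use any service on the NAS
    ("permit", "tv",  "nas", 445),    # TV: SMB only
    ("permit", "nas", "pc",  None),   # stateless ACL: replies need rules too
    ("permit", "nas", "tv",  None),
    ("deny",   "any", "nas", None),   # everyone else is kept off the NAS VLAN
    ("permit", "any", "any", None),   # other inter-VLAN traffic left as-is
]

def vlan_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for the first matching ACL entry."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:            # same VLAN: switched at L2, never routed, no ACL
        return "permit"
    for action, rs, rd, rp in ACL:
        if rs in ("any", s) and rd in ("any", d) and (rp is None or rp == dport):
            return action
    return "deny"         # implicit deny at the end of the list

if __name__ == "__main__":
    nas = "192.168.40.10"
    for flow in [("192.168.10.5", nas, 445), ("192.168.20.7", nas, 445),
                 ("192.168.20.7", nas, 22), ("192.168.30.9", nas, 445)]:
        print(flow, evaluate(*flow))
```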

Handling the VLAN routing at the router is the easiest option, and the best one for almost all networks. “Layer 3” switches, set up to handle the routing for specific subnets (which normally match specific VLANs but don’t have to) are only needed when the desired transfer speed between two subnets/VLANs is higher than what is available from the router of choice. Choosing between the router and the layer 3 switch doesn’t have to be all or nothing, you can have some VLANs use one as the gateway and some VLANs use the other, as long as you also set up the static routes between the router and Layer 3 switch properly (the router needs to know about the subnets which the L3 switch is the gateway of, and vice versa)

What you need at the ??? is a VLAN-capable smart or managed switch. All your switches would ideally be VLAN-capable and of similar types (so you don’t have to learn multiple configuration styles), however it’s OK to reuse existing dumb switches where it’s fine for all clients on that switch to be the same VLAN.

1 Like

Thanks for the reply.

I realise that handling the routing at the router is easier, but it also means extra hops being made that don’t need to be and research leads me to believe that I should be able to perform inter-vlan routing at the switch, but still at wire-speed on some switches.

This is where I find things aren’t as clear - can I set a L3 switch to be a gateway and still have wire-speed throughput?

All I’m trying to do is keep the speed as maximised as possible whilst also avoiding having all routes go via the main router if it’s not needed. The other switches would probably just be 802.1Q capable, perhaps with port-isolation, but nothing beyond that. I’m just trying to figure out my best choices for the ??? box without causing any slowdowns.

1 Like

The extra hops will be completely unnoticeable unless you want more inter-vlan throughput than your router can provide. Setting up a switch for Layer 3 duties however adds a lot of complication to the network. You could buy a Layer 3 capable switch, like that EdgeSwitch, and initially set up everything through the router. Then, if you actually notice the router slowing you down in real usage (not just iperf or other benchmarks), I would recommend changing things so the switch is the gateway for any VLANs.

Any switch which has the options will do it at line speed, except for Mikrotik devices, because they include many software features that the hardware might not be suitable for and it’s up to the administrator to research the device capabilities beforehand (Mikrotik deploys the same OS on all devices - routers, switches, APs).

I’ve done Layer 3 switching professionally in networks that justified it (multi-gigabit inter-vlan traffic). I choose not to do it in my home network. It is better in my opinion to get a capable router that can handle gigabit speeds with the features you want turned on.

This is my main thought though - if I am transferring data from my PC to NAS (or vice versa) at full wire-speed, that would saturate the router for anything else unrelated that may be going on. If I can switch it downstream at a closer point, I can mitigate the disruption to other (internet) traffic that is going through the router but not hitting this vlan.

Equally, if I decide to use link-aggregation to my NAS to get higher throughput, I don’t need to worry that will saturate other routes if they don’t pass over the same trunks.

I read on their site that the CRS3xx series allow hardware-offload for vlan filtering, but it’s not clear if this includes ACLs which is why I’m likely not going that route and will probably go for the EdgeSwitch.

I appreciate your suggestions. Thanks.

I can say I have a Chinese box with 4 NICs connected to my Netgear GS748T switch over a LAGG bond. Off this switch I have a couple of Netgear GS110TP switches connected over LACP bond connections.

My IPcams x4 are recording at 1080p 24x7 on their own vlan.

I can’t say I have any issues with speed over my network; I can easily stream a 50GB bluray file over the network with no caching. When I inspect the graphs I can see the vlans are not saturated.

If you have bonded connections to your NAS it won’t make any difference unless you have multiple users accessing the device at the same time and obviously there’s redundancy.

Not much love here for Netgear switches but they do the job at a decent price.

The purpose of VLANs is to separate groups of devices which either cannot coexist (overlapping subnets which the network administrator can’t correct) or pose a security risk to each other. In your case, I don’t understand why the NAS and your PC need to be separated - your ACL is probably going to allow full communication between those two. If you place them in the same VLAN, your routing speed concern goes away. You can still have firewall rules on the NAS itself. The same is probably true of some but not all of your VMs.

All CSS and CRS switches handle VLANs the same as other Smart or Managed Layer 2 switches. CRS1xx and CRS2xx switches have to be configured using the Switch menu, which is a complicated process. CRS3xx switches are configured via the VLAN Filtering settings of the Bridge menu - this is why they say they can hardware offload the VLAN Filtering settings. The CRS317 now has support for Layer 3 routing and ACL hardware offload, but it must be configured separately from the normal routing and firewall menus of RouterOS. This feature is in alpha stages still, and that particular switch is one you don’t need to bother with. But it is worth mentioning because look at what it is - a switch with 10Gbps ports and 320Gbps total throughput. That is where Layer 3 switching makes sense - not on a home network running gigabit.

By the way, you can do Link Aggregation to a router also, if you pick the right router. Or you can use multiple connections between the switch and router and only have one or two VLANs on each port. This is still simpler and easier to maintain and troubleshoot than Layer 3 switching.

That’s true, but then I don’t want the TV (or any other streaming devices) in that same VLAN. There wouldn’t be the same need for speed with those though, so that’s certainly a consideration - only the PC will max that connection.

I realise this, but if I do link aggregation over the router, wouldn’t that mean that if my NAS could saturate 2GB, I’d need the router to manage that plus another 1GB at least total for the other traffic to not be impacted? Wouldn’t it be better to offload that throughput to a switch that is downstream but still upstream from both the NAS and the PC (or whatever is connecting)?

How often are you actually going to be transferring inter-vlan such that you saturate the router? And is that worth the tradeoff of the complexity of the L3 setup? I’ll repeat what I said before:

I copy things to/from the NAS quite regularly, which is typically at full 1Gbps throughput (and I plan to aggregate to increase this) but I take your point and I think your advice is solid.

I wanted to ensure I didn’t purchase hardware that then limited me as I set things up. As it is, I think the EdgeSwitch is looking to be a solid choice, and as you say I can start without the complexity but it will handle it if necessary as things move on.

All of the discussion and advice is very much appreciated. Thank you.

1 Like

For best reliability, keep it simple. Think about maintaining the complexity of L3 switching at the cost of a few seconds…or even minutes. If you do transfers from computer to NAS that routinely consume that much bandwidth, consider 10GB connections to those devices.

I’ve done L3 routing where needed, it’s not fun. My understanding is that it is coming to Unifi…hopefully with a simpler interface.

I considered this, but it would mean that I need each ‘trunk’ to be 10Gb and also the router, which increases the expense substantially.

I don’t mind configuration complexity or command-lines - I’ve been in IT for over 25 years and work in DevSecOps so am used to similar. I’d rather have complexity in setup and then have the most efficient and performant systems that I can, rather than take an easier route and have it be slower or less efficient.

I do appreciate that most people are just looking for the simplest approach though. I definitely agree that ‘end users’ of the system should find it easy to use and ‘just work as expected’.

Just thought I would comment to back up most of what others have said.

Having multiple L3 devices on your network makes it more confusing
Have devices that routinely need to talk to each other on the same vlan / subnet
Trunk / Link Agg / Bond some ports to your router
Consider 10g
MAYBE, do all the L3 switching on ??? and leave your pfsense box to do WAN load balance / filtering etc

Sometimes the speed / most efficient is a trade off. How long will you spend getting the system to be as efficient as it can be vs actual time saved in transfers where you actually need to wait for the transfer before doing more work?

This is strongly under consideration. I’m tempted to make the ??? box an internal router to deal with the VLANs that need big data between them, maybe with 10G, and then the other devices/VLANs go direct to the pfSense (or whatever) router.

I guess the two main overall requirements are high throughput across some VLANs (lab/NAS etc.) that doesn’t affect the others by saturating the links, and also isolation for security.

The VLANs/subnets will mostly be self-contained, but the NAS and my main PCs cross all boundaries and will have high throughput as necessary.

This is all at home, so for me there isn’t a trade-off. I want things to be as efficient as possible - it’s part of why I do this. If it was for business or part of my job, I wouldn’t go so deep on it, as you say, the 80/20 rule.

It’s also about learning all the ins/outs by actually doing and using it. Labs are great, but completely fake - when I have to live / use what I’ve built on a daily basis, even though it’s painful at times, I learn so much better, and retain the knowledge more effectively.

Again, thanks for the response. I do appreciate all of the replies, even if they’re telling me why I shouldn’t be doing this :wink:

Either way around, you only have one link from your left hand switch to ??? so if PC-A and the NAS max out that link then no amount of L3 is going to help.

Actually, thinking this through, if the PC and NAS were on the same vlan then the L2 functions would only send the traffic between LeftSw and ??? so devices on RightSw and ??? would be fine regardless and that would be the same as having L3 at ???

Still looks like just using ??? as L3 is the way forward for you though.

Wouldn’t that need the VLAN gateway to be defined at the left-hand box though, otherwise everything would still go through the router and therefore the saturation of the trunk line again?

Can a non-L3 switch be set as a VLAN gateway?

The PC needs access to devices on most (if not all) of the VLANs, unless I use the router as a jump-host.

If they were on the same subnet (and vlan) then the leftSw would, at L2, forward to ???, ??? would see the MAC was local and send it to the NAS. No need for it to go to the router as it’s “local”

If they were on different subnets and ??? was L2 then it would go leftSw -> ??? -> router -> ??? -> NAS

If you made ??? a L3 device then it wouldn’t matter if they were on the same subnet but either way your bottleneck is the physical link between leftSw and ???. Using either method if you max that link then the other devices connected to leftSw are going to have problems.

(sorry, using vlan and subnet interchangeably here even though they are not really the same)
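The three forwarding cases just described (same VLAN at L2, different VLANs with ??? as L2, different VLANs with ??? as L3), traced over the diagram's topology as an added example that is not part of the thread. The link list is an assumption reconstructed from the discussion (one trunk from the left switch to ???, here called "Core"); the output is the hop-by-hop path and how many times each physical link carries the packet, which is what makes the leftSw-to-??? link the bottleneck in every case.

```python
# Added example: per-packet path and link load for PC-A -> NAS under the
# three configurations discussed. Topology is constructed from the thread.
from collections import Counter, deque

LINKS = [("PC-A", "LeftSw"), ("LeftSw", "Core"), ("Core", "NAS"),
         ("Core", "Router"), ("Core", "RightSw"), ("RightSw", "TV")]
ADJ = {}
for a, b in LINKS:
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)

def l2_path(src, dst):
    """Shortest switched path (BFS): how L2 forwarding carries a frame."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in ADJ[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    hops = []
    while dst is not None:
        hops.append(dst)
        dst = prev[dst]
    return hops[::-1]

def packet_path(src, dst, same_vlan, gateway):
    """Same VLAN: pure L2. Different VLANs: hairpin via whichever box routes."""
    if same_vlan:
        return l2_path(src, dst)
    return l2_path(src, gateway) + l2_path(gateway, dst)[1:]

def link_load(path):
    """Number of times each physical link carries the packet."""
    return Counter(frozenset(hop) for hop in zip(path, path[1:]))

def compare(src="PC-A", dst="NAS"):
    cases = {
        "same VLAN, Core is L2":      packet_path(src, dst, True, None),
        "different VLAN, Core is L2": packet_path(src, dst, False, "Router"),
        "different VLAN, Core is L3": packet_path(src, dst, False, "Core"),
    }
    return {name: (p, link_load(p)) for name, p in cases.items()}

if __name__ == "__main__":
    for name, (p, load) in compare().items():
        print(f"{name}: {' -> '.join(p)}")
        print("   links:", {'-'.join(sorted(k)): v for k, v in load.items()})
```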

That all makes sense. I am looking more into the trunk connections, and my other options to think how best I can alter this within the confines of physical capabilities and cost.

I’m also trying to avoid running cables as much as possible (wife-friendly) such that a single line for a trunk to edge-locations in the house is perfect. However, then finding reasonably priced switches of the right size (ideally 4 port but maybe 8 is doable) with 10Gb is even more difficult.

None of the ideas are off the table at present - the whole reason for the question is to get a good sense of the options before spending any money, but once I settle on the path, I’d like it to be flexible for when I have to move things around the house due to family, and also not suddenly becoming too ‘old’ to be useful.