Network Setup – Advice on Basic Network Setup Involving Security Cameras, Guest Access, and VLANs

Tags: access-point, firewall, trunk, vlan, wireless

At some point, I'd like to move from a single, flat network to having a more secure network using VLANs.

I have an idea of what I would want, I just don't fully understand some details of Native VLAN, trunk ports, and having guests on a wireless network. I'll give a breakdown of what I have and what I would like, as well as how I "think" the setup would look. I'd love some feedback/advice or clarification on parts that I may be misunderstanding.

Items I'd be using:

  • Netgear cable modem
  • Ubiquiti EdgeRouter X
  • Netgear GS108PE POE switch
  • HP ProCurve 1800-24G (J9028B) switch
  • Ubiquiti UAP-AC-Lite access point
  • 2 IP cameras
  • computer acting as NVR for IP cameras

Ideally, I'd like the setup to be something like this:

Two SSIDs from the AP, one for myself to surf the web and have access to any network hardware, and one for guests to surf the web, but not have access to network hardware. I think to solve this, I will need a combination of VLANs and firewall rules, correct?

I'm thinking it would look something like this:

  • MGT_VLAN 10 – 10.0.10.0/24
  • CAM_VLAN 20 – 10.0.20.0/24
  • GST_VLAN 30 – 192.168.1.0/24 with DHCP pool 192.168.1.100-192.168.1.254

Does this all seem okay so far?

I'm thinking the router should be set up as follows:
Router – vif/subinterface of 10.0.10.1 and 10.0.20.1 and 192.168.1.1

And the networking hardware should be a part of the MGT_VLAN 10 and set as Native VLAN? Such as:

  • SW1 – 10.0.10.2
  • SW2 – 10.0.10.3
  • AP – 10.0.10.4 (not sure if this would be better using DHCP vs static)

The IP cameras and NVR set to CAM_VLAN 20:

  • NVRcomp – 10.0.20.2
  • IPcam1 – 10.0.20.3
  • IPcam2 – 10.0.20.4

If I connect to the admin SSID with a 10.0.10.X static IP, I should be able to hit the cameras, NVR, or other network hardware if the router and switches are set up properly to use inter-VLAN routing, correct?

If a user connects to the guest network, they should automatically receive a 192.168.1.X IP and be able to surf the web and not hit any hardware, if firewall rules are properly set, correct?

The AP, needing to handle both VLAN 10 for management SSID and VLAN 30 for guests SSID, would need to be connected to a trunk port on the Netgear switch, correct?
(Not sure if "trunk port" is the right terminology… it seems kinda confusing when looking up the info on Cisco vs. other manufacturers.)

I think those are all of my questions. Sorry if this post is unclear. I hope this makes sense, but if not, I can try to draw a picture.

Thank you all for your advice, recommendations, and knowledge.

Best Answer

You're on exactly the right track.

The basics of VLANs are very simple:

  • A switch can be partitioned into separate VLANs
  • Now we have to say which VLAN each port is connected to; this is called an "access port" for a given VLAN
  • So far, that's just like having separate switches, but perhaps more convenient. The hosts don't know anything about VLANs
  • To join several of the VLANs of two switches, a port is marked as a trunk. When the switch sends a frame out of a trunk port, it adds a tag to the ethernet header which says which VLAN it's on. The receiving switch expects tags on its own trunk ports, so sees the tag, understands which VLAN it's on, and if possible forwards it appropriately. You might find this helpful https://networkengineering.stackexchange.com/a/49424
  • Consider the access point to be a multi-VLAN switch with funny wires (radio) on one side and a trunk port on the other; each SSID will be connected to one VLAN
  • Remember that the management IP addresses of switches, access points etc are not directly related to the networks they serve.
  • A switch never forwards from one VLAN to another. (However, a so-called "Layer 3 switch" contains router functionality in the switch box, so the router portion of it can.)
  • Routers also do VLANs otherwise you'd have several ethernet cables from the switch to the router
  • Server operating systems also do VLANs. You end up with several ethernet interfaces, effectively plugged into the different VLANs. The server can thereby offer say HTTP on several networks and SSH only on one, without needing multiple ethernets
  • An unmanaged switch doesn't know about VLANs, so it plugs into an access port on a given VLAN on its upstream switch.
  • VLANs come with benefits (highly flexible, configurable through software, save cabling and staff costs) and risks (if you couldn't get to the patch panel, you couldn't rewire into the secret zone. Now a VLAN breach will get you into anywhere.)

My advice would be not to go overboard and don't put everything in its own VLAN just because they have different purposes: focus instead on permissions. Consider just two: one for staff and one for guests, or if necessary staff, guests, device management.

In Layer 3 terms, your network might look like this:

                                    inet
                                     |        
                                     R     
         VLAN a          AP* SW*    / \    VLAN b
                          |   |    /   \
 ssida...=+===+===+===+===+===+===+=   =+===+=.....ssidb
      .   |   |   |   |                     |   .
      PC  PC CAM CAM NVR                    G   G

   PC wired and wifi staff
   AP*, SW* management interfaces
   CAM, NVR CCTV devices
   G wired and wifi guests
   VLAN a, b probably numbered 10 staff, 20 guest
   ssid a, b matching SSIDs, perhaps OURCOWIFI-STAFF, OURCOWIFI-GUEST

In Layer 2 terms, that would match this:

       modem
        |
        R
        |    
        |  .T...a...b.. Multiple SSIDs from Access Point
        |   |   .   .
        |   |   PC  G
        |   |   
       =T===T===a===a===a===a===a===b=== Smart switch
                |   |   |   |   |   |
                |   PC NVR  SW* AP* G 
                |
               =+==+==+== Unmanaged POE switch (all VLAN a)
                   |  |
                  CAM CAM

For your specific case, just make sure you can't get packets from staff to guest or back, by whatever means your router provides.

Watch out for the "default VLAN". If a frame arrives on a trunk port, it is expected to have a VLAN tag. If it doesn't, many switches will send it to the default VLAN, often 1. If this is your management/private VLAN, this opens the possibility that unauthorised hosts can send frames into your private VLAN. If it's a public VLAN, configuration errors can leak private VLAN info to the public VLAN. The solution is to ensure that none of your working VLANs is the default.
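To make the two mechanisms the answer describes concrete (the 802.1Q tag a switch adds on a trunk port, and the way an untagged frame on a trunk "falls into" the native/default VLAN), here is a small simulation. It is an added example written for this page, not code from the answer or from any of the vendors mentioned; the port model, VLAN numbers and MAC addresses are constructed to match the asker's plan (10 management, 20 cameras, 30 guest) and the check at the end flags any trunk whose native VLAN is also one of those working VLANs, which is exactly the misconfiguration the last paragraph warns about.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs, not real devices).
MAC_BROADCAST = b"\xff" * 6
MAC_GUEST_PHONE = bytes.fromhex("020000000030")
MAC_MGMT_PC = bytes.fromhex("020000000010")


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build a raw Ethernet frame; if vid is given, insert an 802.1Q tag (PCP=0, DEI=0)."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HHH", ETHERTYPE_8021Q, vid & 0x0FFF, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, inner ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]  # low 12 bits of TCI = VLAN ID


@dataclass(frozen=True)
class Port:
    mode: str                       # "access" or "trunk"
    vlan: int                       # access VLAN, or the native (untagged) VLAN of a trunk
    allowed: frozenset = frozenset()  # tagged VLANs accepted on a trunk


def classify_ingress(port, frame):
    """Decide which VLAN a received frame belongs to; None means the switch should drop it."""
    _, _, vid, _, _ = parse_frame(frame)
    if port.mode == "access":
        # Hosts on access ports send plain frames; a tag here is unexpected, so drop it.
        return port.vlan if vid is None else None
    if vid is None:
        # The risky case from the answer: an untagged frame on a trunk lands in the native VLAN.
        return port.vlan
    return vid if vid in port.allowed else None


def native_vlan_issues(ports, working_vlans):
    """Names of trunk ports whose native VLAN is one of the VLANs that carry real hosts."""
    return [name for name, p in ports.items()
            if p.mode == "trunk" and p.vlan in working_vlans]


if __name__ == "__main__":
    working = {10, 20, 30}
    untagged = build_frame(MAC_BROADCAST, MAC_GUEST_PHONE, ETHERTYPE_IPV4, b"\x00" * 20)
    risky = Port("trunk", 10, frozenset({20, 30}))    # native VLAN is the management VLAN
    safer = Port("trunk", 999, frozenset({10, 20, 30}))  # native VLAN carries nothing
    print("untagged frame on risky trunk lands in VLAN", classify_ingress(risky, untagged))
    print("untagged frame on safer trunk lands in VLAN", classify_ingress(safer, untagged))
    print("trunks to fix:", native_vlan_issues({"ap-uplink": safer, "sw-uplink": risky}, working))
```

Running the script shows the untagged frame being placed into VLAN 10 on the first trunk and into the unused VLAN 999 on the second; `native_vlan_issues` is the kind of check worth running over every trunk definition before the management VLAN goes live.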
