Home network design - is it "worth" centrally locating infrastructure?
paulca:
As per my other thread I'm trying to build a better network "logically" with VLANs. The realisation of what that meant only really sunk in today. I'm no longer limited by "where" things are physically. The Internet is just a VLAN on the ethernet, it does not need the "gateway" to be near the phone line anymore (sounds obvious I know).
So that prompted me to put a couple more smart switches in the amazon cart, with the idea being to simplify the layer 2 into a nice spread of VLANs. That spiralled onto bringing my cables to a central location with a patch panel, cabinet, etc.
So "Physically" this is what I have now:
From each zone there is 1 single Cat5e to another zone. 3 of them terminate in the hallway and 1 terminates in the office to link over to the bedroom. This was installed intentionally on a "minimal required" basis.
The reason I am not just phoning the spark and asking him to reroute the current cables and add a few more is ... well, I currently have 6 switch ports in use in the office. I'm not running 6 or 8 lines to the office. So I will need "workgroup" switches anyway. A similar story exists in the living room and bedroom. They have a single Cat5e, so for the Media centre PC AND TV to have access, they need at least a (2) so a 5 port switch. By the time I'm done with that the only thing to put into the central cabinet is the main trunk switch and the router, which equally happily sit under the hall table like they currently do.
Should I just save myself money for something else?
EDIT: I still think it's worth replacing the Wifi+Router boxes with actual switches and link the routers on trunks if needed. I just think leaving switching to switches and layer3 routing to routers makes sense, more sense than trying to configure it on the same devices AS the ip routing AND Wifi radios etc.
ejeffrey:
It's a home network so in the end you do whatever works. That said I certainly would prefer to have all fixed wiring home run back to the same location rather than have the office-bedroom link shown in your diagram.
I also prefer to avoid running vlan trunk lines outside the main wiring closet except for lines dedicated to wireless access points. My ideal situation would be a single smart switch with enough ports for every zone and device. Any server that needed a vlan trunk would be right next to the managed switch and connected directly to it. Then I would have runs to each room and access point. I use ceiling mounted access points and they get VLAN trunk lines, all the wall jacks are on a specific VLAN. I then would use unmanaged switches for any location that needed more than 1/2 network ports. That said, I didn't go crazy with VLANs. I don't have separate wired VLANs for IoT / media devices. If I have something I want to restrict I put them on wireless and use a restricted SSID (which does map to a VLAN via the access point trunk lines).
But I wouldn't pay to change the wiring to conform to this ideal in a home network.
David Hess:
The larger advantage of a VLAN is being able to route instead of switch between ports, so all devices can be placed on separate subnets and isolated from each other to whatever degree is desired which significantly improves security.
So for instance each "insecure" device like an appliance can be isolated from every other device, but still given access to the internet if required. And since all traffic runs through the router instead of being switched between devices, machines can be given no or one way access to other machines. So for instance PCs could be given access to the printer, but not the reverse, and not to each other. Or a backup server could be given access to the PCs to pull backups from them, but not the reverse, so a compromised machine could not destroy its own backups.
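The one-way access David Hess describes only works if the router's filter is stateful: a PC's print job must get its replies back while the printer is still unable to open anything towards the PCs. The model below is an added example, not code from the thread or from any particular router; the subnets, zone names and ports are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# One subnet per VLAN; every inter-VLAN packet has to cross the router.
# Subnets are constructed sample values.
VLANS = {
    "pcs":      ip_network("10.0.10.0/24"),
    "printer":  ip_network("10.0.20.0/24"),
    "backup":   ip_network("10.0.30.0/24"),
    "iot":      ip_network("10.0.40.0/24"),
    "internet": ip_network("0.0.0.0/0"),   # catch-all, least specific
}

# Which zone may *initiate* a connection to which. Anything not listed is
# dropped, so the printer can never open a connection to a PC and a PC can
# never reach the backup server, yet replies to allowed connections still flow.
ALLOW_NEW = {
    ("pcs", "printer"),      # PCs print; the reverse direction is not here
    ("backup", "pcs"),       # backup pulls from PCs; PCs cannot push to backup
    ("pcs", "internet"),
    ("iot", "internet"),     # appliances get the internet and nothing else
}

def zone_of(addr):
    """Return the most specific zone whose subnet contains addr."""
    a = ip_address(addr)
    return max((z for z, net in VLANS.items() if a in net),
               key=lambda z: VLANS[z].prefixlen)

class Router:
    """Stateful inter-VLAN filter: the first packet of a flow is checked against
    ALLOW_NEW; later packets in either direction match the connection table."""
    def __init__(self):
        self.conntrack = set()   # (src, sport, dst, dport) of accepted flows

    def filter(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.conntrack or \
           (dst, dport, src, sport) in self.conntrack:
            return "accept-established"   # reply or continuation of a flow
        if (zone_of(src), zone_of(dst)) in ALLOW_NEW:
            self.conntrack.add((src, sport, dst, dport))
            return "accept-new"
        return "drop"                     # default deny between VLANs
```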
paulca:
Yes, that is how I used to see VLANs. As a way to split up switch ports to isolate the Ethernet broadcast domains at least... and route between them.
It was only when I started looking into them a bit more and actually trying to use them over multiple switches that I saw they provide much, much more in terms of "aggregation" rather than division.
Teaching my granny to suck eggs, but if you have 3 switches connected, you have one large layer 2 "LAN". Any layer 2 packet on any port can travel to any other port on the whole network. Broadcast packets like DHCP hit ALL ports on the whole network.
But what if you want 2 networks that can't see each other. You could add another 3 switches, separate cables and a router between the sets, or you could partition the 3 you have into 2 VLANs.
That's still division. The aggregation comes when you consider the VLANs logically exist across switches. So any one switch can be "on" one or many different VLANs and thus you "can" "switch" rather than route. Switching layer 2 around this way is seriously useful.
The two important points are that the VLANs "span switches" just like a network, assuming trunking, and from the admin console of said switches you can effectively "route" any layer 2 traffic to a particular port, anywhere in the trunked network.
That means, for example, I can put the Internet PPPoE connection onto a trunk port in the hallway and offload it anywhere in the network to a port and connect a gateway there and receive the rare ISP public WAN connection.
In terms of the LAN I want it fully open. I don't want to have to pass security to get into my bathroom when I'm already in the house - so to speak. So having that lot use the default VLAN, VLAN 1, seems to work. I can deliberately put all unused ports onto the GUEST VLAN as a security/convenience if a friend wants to connect a wired laptop for some reason.
The Wifi Guest provides device and AP isolation. I can't say the same for wired guests. They can ping each other, but not Wifi guests. They are all blocked from the AP itself, if it even has an IP Layer 3 interface on the VLAN at all. All the management style ports are on VLAN 1, LAN and a different subnet.
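What makes a VLAN "span switches" is the 802.1Q tag carried on the trunk: an untagged frame entering an access port is stamped with that port's VLAN, travels tagged over the trunk, and is only ever handed untagged to access ports of the same VLAN on the far switch, so a DHCP broadcast on VLAN 1 never reaches a GUEST port. The two-switch model below is an added example, not code from the thread or from any switch vendor; switch names, port names and VLAN numbers are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q-tagged frame

def tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the 12-byte destination/source MAC header."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag(frame):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

class Switch:
    def __init__(self, name, access, trunks):
        self.name = name
        self.access = access    # port -> VLAN id (PVID); frames leave untagged
        self.trunks = trunks    # port -> set of VLAN ids carried tagged
        self.links = {}         # trunk port -> (peer Switch, peer port)

    def receive(self, port, frame):
        """Flood a broadcast (e.g. DHCP DISCOVER) within its VLAN only and
        return the (switch name, port, frame) deliveries to end devices."""
        if port in self.access:            # access port: VLAN comes from PVID
            vid, payload = self.access[port], frame
        else:                              # trunk port: VLAN comes from the tag
            vid, payload = untag(frame)
        out = []
        for p, pvid in self.access.items():
            if p != port and pvid == vid:
                out.append((self.name, p, payload))   # same VLAN, untagged
        for p, vlans in self.trunks.items():
            if p != port and vid in vlans and p in self.links:
                peer, peer_port = self.links[p]
                out += peer.receive(peer_port, tag(payload, vid))  # tagged
        return out

def link(a, port_a, b, port_b):
    """Join two switches' trunk ports with a cable."""
    a.links[port_a] = (b, port_b)
    b.links[port_b] = (a, port_a)
```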
ogden:
--- Quote from: David Hess on December 07, 2021, 07:13:15 pm ---
The larger advantage of a VLAN is being able to route instead of switch between ports, so all devices can be placed on separate subnets and isolated from each other to whatever degree is desired which significantly improves security.
--- End quote ---
Right. Manageable switches do not cost that much today. Having a capable router you can firewall/demarcate literally every Ethernet port in your network - if needed. With proper managed switches you can authenticate every Ethernet connection as well - to ensure your friends do not hack your home network :)