VLANs

Associate · Joined 30 Nov 2013 · Posts 33
Morning all
Having now purchased my first switch (an 8 port Netgear managed switch), I would like to set up 2 VLANs. One for my main PC, printer, etc. The other for my security camera(s).
The camera(s) plugs into the same switch as it provides POE. I will be viewing the camera feeds via a separate laptop (and not my main PC). The laptop will connect to my router either via wifi or I will use an ethernet cable into port 5 on the switch.
Port 8 takes the incoming feed from my router/modem/firewall.
Ports 5,6 and 7 will be reserved for the cameras (and laptop).
Ports 1,2,3 and 4 will be reserved for my main home LAN.
I don’t have any interest in being able to connect to my camera when I’m not at home and I don’t want security alerts.
I have watched so many YT videos and read articles about VLANs. I think I’ve grasped the basic concept but what I can’t get my head round is tagged v untagged.
Any guidance would be very much appreciated.
My thinking is:
Ports 1,2,3 and 4 will be in VLAN 88 (or some other random number), untagged.
Ports 5,6 & 7 will go into a separate VLAN (call it 99 for now). Assume this is untagged, as well??
I don’t want anything in ports 1,2,3 & 4 to be able to talk to anything in ports 5,6, and 7 and vice versa.
If the above ‘untagging’ is correct, what do I do about port 8 which takes the incoming connection from my router/modem/firewall?
Should it be in both VLANs and tagged??
Thanks
 
Port 8 would be a trunk port, or it would need to carry all VLANs you want to use on that switch. Trunk is easiest, I'm not familiar with how Netgear managed switches do this.
Ports 1-4 would be set as VLAN 88, there's no configuration needed on the clients.
Ports 5-7 would be left as normal ports, which would be native VLAN, or sometimes known as untagged. Or you can also configure a second VLAN and use that.
You need to configure the appropriate firewall rules on your firewall/router to block traffic between the VLANs. You also need to ensure that the 'CCTV' laptop is also on VLAN 88 otherwise it won't be able to view the feeds. There's also nothing wrong with allowing traffic into VLAN 88, if you want to view the cameras from other networks.
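The membership table the reply describes (access ports in one VLAN each, port 8 carrying every VLAN with tags) can be modelled to show what the switch actually does with a frame. The following is an added illustration and not Netgear's firmware or its configuration syntax; the port numbers and VLAN ids follow the plan in the thread, while the table layout, the `Port` class and the function names are this example's own assumptions.

```python
"""Toy model of an 802.1Q switch VLAN membership table (added example).

Ports 1-4 are untagged members of VLAN 88, ports 5-7 untagged members of
VLAN 99, and port 8 is a tagged member of both (the uplink to the router).
"""
from dataclasses import dataclass, field

UNTAGGED = "U"   # tag removed on egress; untagged ingress frames land in the port's PVID
TAGGED = "T"     # 802.1Q tag kept on egress (trunk-style uplink)


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    membership: dict = field(default_factory=dict)   # vlan_id -> UNTAGGED | TAGGED


# Constructed table matching the thread's plan (hypothetical, not a real config).
SWITCH = {
    **{p: Port(pvid=88, membership={88: UNTAGGED}) for p in (1, 2, 3, 4)},
    **{p: Port(pvid=99, membership={99: UNTAGGED}) for p in (5, 6, 7)},
    8: Port(pvid=88, membership={88: TAGGED, 99: TAGGED}),
}


def classify_ingress(port_no, tag=None):
    """Return the VLAN an incoming frame is placed in, or None if it is dropped.

    An untagged frame takes the port's PVID. A tagged frame is only accepted
    on a port that is a tagged member of that VLAN, so a PC on port 1 cannot
    simply tag its own frames with VLAN 99 to reach the cameras.
    """
    port = SWITCH[port_no]
    if tag is None:
        return port.pvid
    return tag if port.membership.get(tag) == TAGGED else None


def egress_ports(vlan, ingress_port):
    """Map of candidate egress ports -> True if the frame leaves with its tag."""
    return {
        p: (mode == TAGGED)
        for p, port in SWITCH.items()
        for v, mode in port.membership.items()
        if v == vlan and p != ingress_port
    }


def can_reach(src_port, dst_port, tag=None):
    """Can a frame entering src_port be forwarded out of dst_port by the switch alone?"""
    vlan = classify_ingress(src_port, tag)
    return vlan is not None and dst_port in egress_ports(vlan, src_port)


if __name__ == "__main__":
    print("PC (port 1) -> camera (port 7):", can_reach(1, 7))        # False: different VLANs
    print("PC (port 1) -> router (port 8):", can_reach(1, 8))        # True, leaves tagged 88
    print("laptop (port 5) -> camera (port 7):", can_reach(5, 7))    # True, same VLAN 99
    print("VLAN 99 egress from port 7:", egress_ports(99, 7))        # {5: False, 6: False, 8: True}
```

The model shows the two facts the reply relies on: the switch never forwards between VLAN 88 and VLAN 99 by itself, and everything that reaches the router on port 8 arrives with a tag, so whatever sits on port 8 must understand 802.1Q tags and must hold the firewall rules that decide whether the two networks may talk through it.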
Many thanks for taking the time to reply.
At the moment, I have the router plugged into port 8 and my main PC into port 1. The switch is in its default configuration. So I guess that currently, port 8 is acting as a ‘trunk’ port by default.
To prove that the camera works, I have been plugging it in to port 7 (POE enabled), for very short periods of time.
Despite your helpful comments - many thanks - I am beginning to wonder if I’m not trying to achieve something which is beyond my skill set.
Despite being reasonably IT literate, I hadn’t realised that I’d need to play around with firewall rules as well. For so long now, I’ve simply relied on the default firewall rules within my router/modem (currently a Fritzbox 7530). I have to hold my hand up and say that I’m more than a bit wary of playing around with firewall rules, as I’m not sure I’d know what I was doing. That said, if there was an ‘idiots’ guide on-line, I’d be very happy to spend time and learn.
In my ignorance, I hadn’t realised that there would be additional settings outside of the managed switch.
I guess I could always take the easy option of routing the camera feed and laptop onto a guest network (port 4 on my Router) and isolating it from my main LAN entirely. But that would mean me having to run another ethernet cable from the router (downstairs) to the switch (upstairs). I’m not sure I can face doing that again!
Thanks. I really appreciate your help.
 
You need a router which supports multiple LAN subnets, I’m not sure your box does. It’s not enough to do it on the switch alone.

Although if you want a truly local network to the switch it would be possible, but nothing would be able to communicate outside (or into) VLAN 88, and the devices would not have a default gateway. Plus you’d have to plug your CCTV laptop into VLAN 88, using a port on the Netgear.
Thanks again.
Despite me thinking that I’d at least researched the fundamentals before jumping in with purchases of kit, I’d clearly not gone far enough to make sure I had a fair idea of what I was doing. It simply hadn’t sunk in that my router needed to be VLAN capable, too!!
I now need a rethink, although all is not lost.
One final question, if I may?
Would setting up ethernet port 4 on my router as a “guest” network, running a cable from that port to the switch and only having the security camera and CCTV laptop plugged into the switch (nothing else plugged into the switch) provide me with some sort of ‘isolated’ solution?
I know that I said I couldn’t face the prospect of running another Ethernet cable from ground floor to first floor, but perhaps that’s what I’m going to have to do and/or physically move the switch. I would then leave my main PC connected to port 1 on my router which is what I was doing before the switch arrived.
One other option is to buy a new router (not sure about my skill level flashing a router with, say, OpenWRT), but I sense that I would soon find myself underwater again, struggling to piece everything together.
 
Why do you want to VLAN exactly? I would assume it’s because you don’t want certain devices to communicate together but it seems like you are in control of both so what is the use case? Asking as there may be an easier solution to achieve your aim.

On my Netgear managed switch there are various ways to setup VLAN so it isn’t always obvious. This basically describes the process.
Thanks. Your assumption is spot on. I’m reading too many articles (not on here) and watching many videos suggesting that IOT devices and security cameras should be isolated from the main network. Hence I would like to do the same if I can.
I’m now not a million miles off having a basic understanding of what needs to take place in the managed switch, but because the router also needs to be “VLAN aware”, I’m basically no further forward as my router doesn’t give me that option.
 
Going back to basics. There are two types of VLAN 'tagging' systems - Cisco trunk/access and others use tagged/untagged (some include PVID also like your Netgear switch). We will concentrate on the non-Cisco method for now. Tagged traffic is where the switch or device at the other end applies the VLAN tag to the traffic; it's generally firewalls, switches, access points and IP phones that do this. Untagged is where the switch or other device applies the VLAN tag to t.
Thank you so much for such a comprehensive reply.
I’ve had a quick read but realise I need to go through it all again a few times before it all sinks in.
 
The important thing to remember is that each VLAN will be on its own subnet (IP address range). This means that:

1. Using a VLAN isolates it from any other VLAN (think of it as using 2 separate switches unconnected to one another)
2. The subnet used on each VLAN cannot speak to one another without a router, even if the VLANs were able to see one another (i.e. you link your 2 switches together using an RJ45 cable, but a computer on Switch 1 still cannot speak to a computer on Switch 2 because they are on different subnets).

To answer your question - Your bolded part above is important - your laptop has 2 interfaces:

1. Ethernet plugged into Port 5 which is:
a) On the same VLAN as your cameras (so able to see them)
b) On the same subnet as your cameras (so able to speak to them)

This allows your laptop to access your cameras.

*Without a separate DHCP server, these ip addresses may need to be manually assigned

2. Wifi which is linked to your router. This allows your laptop to still have internet access over Wifi.
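Two points made earlier in the thread are easiest to see in bytes and addresses: a tagged port inserts a 4-byte 802.1Q header into the frame while an untagged port strips it (the tagged/untagged explanation a few posts up), and two VLANs on separate subnets still cannot exchange IP traffic without a router (points 1 and 2 of the reply above). The script below is an added example, not code from the thread or from any vendor; the MAC addresses, payload and IP addresses are constructed, and the function names are this example's own.

```python
"""Added example: 802.1Q tag insertion/removal and a same-subnet check."""
import ipaddress
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Plain (untagged) Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the MAC addresses, as a tagged port does on egress.

    TCI = 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN id.
    """
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vid or None, inner EtherType, payload) for a tagged or untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return vid, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame):
    """Remove the 802.1Q tag, as an untagged member port does on egress."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return frame
    return frame[:12] + frame[16:]


def same_subnet(ip_a, ip_b, prefix_len):
    """True if ip_b lies inside the /prefix_len network that ip_a belongs to."""
    network = ipaddress.ip_interface(f"{ip_a}/{prefix_len}").network
    return ipaddress.ip_address(ip_b) in network


if __name__ == "__main__":
    # Constructed sample: broadcast destination, made-up source MAC, IPv4 EtherType.
    untagged = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"payload")
    tagged = add_tag(untagged, 99)
    print("tagged frame is 4 bytes longer:", len(tagged) - len(untagged))
    print("parsed:", parse_frame(tagged))                 # (99, 2048, b'payload')
    print("stripped equals original:", strip_tag(tagged) == untagged)
    # Constructed addresses for the two VLANs; the router is the only path between them.
    print("same subnet?", same_subnet("192.168.88.10", "192.168.99.10", 24))   # False
```

The laptop in the reply sees both sides because each interface sits in one of these worlds: the Ethernet port receives untagged VLAN 99 frames and holds a VLAN 99 subnet address, while the Wi-Fi adapter holds an address on the router's own subnet for internet access.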
Thank you for taking the time to reply. Much appreciated.
I think I’m starting to understand the basics at switch level but I am concerned about the implications of needing a VLAN aware router/firewall.
Nothing to do with the cost of new kit, but down to me never having had much (any) experience of changing firewall rules beyond what is the default on my domestic/ISP supplied home routers.
 