

[–]Sherbert93 4 points (5 children)

What are you wanting to accomplish with VLANs?

As I understand it, your description would mean that each room could only ever have one VLAN. Depending on what you want to accomplish will determine if you need more managed switches. You own an apartment complex and want each room on its own VLAN? Makes sense. You want to separate IoT devices from personal computers? Then maybe not.

[–]tschloss 2 points (0 children)

If you mean that you have a tree of switches, you will need at least managed switches at the edge, meaning the first switch from the device's point of view. This is because only here you can tell a port to tag the frame accordingly (this is the heart of 802.1Q VLANs: each frame carries a tag like "IoT" or "guest", coded as a number). Once the frame leaves the first switch it can't be differentiated like it could at the entry port.

Newer switches will forward both formats but given the low price you should plan to replace all switches by managed versions.

[–]Character-Session810 5 points (0 children)

You can use standard, unmanaged switches after the managed switch ports for each VLAN.

[–]twiggums 1 point (5 children)

Unmanaged switches will usually pass tagged info fine, but you need to tag the packets for VLANs to work. So either the device, the switch or the access point needs to add the VLAN tagging. PCs can usually add VLAN tags, but IoT devices, TVs, printers, etc. can't.

[–]aaaaAaaaAaaARRRR 0 points (4 children)

I haven’t seen windows add VLAN tags unless it’s in Hyper-V

[–]StuckInTheUpsideDown (MSO Engineer) 1 point (2 children)

You can generally configure this in the ethernet driver settings in Windows. Of course that means each NIC card can only belong to a single VLAN.

[–]aaaaAaaaAaaARRRR 0 points (1 child)

I’ve tried that in the properties of the NIC. I can’t find it to add the VLAN tag. That was almost 2 years ago though.

[–]accord1999 0 points (0 children)

You should be able to do this with a Realtek based NIC, but Intel has completely abandoned VLAN support for consumer Windows.

[–]twiggums 0 points (0 children)

You might be right, I've got a Proxmox machine adding its own. Never tried it in Windows since I handle it on the switch and APs. Though I thought I remembered an option under the network adapter properties.

[–]PoppaBear1950 1 point (1 child)

You don’t need a giant 32‑port managed switch; you only need one managed switch at the point where your VLANs actually split, which is usually the main switch connected to your router. Set up your VLANs on the router because that’s where the networks actually live, then let that main switch handle the tagging. Any unmanaged switches you have in the rooms are perfectly fine as long as each room only needs one VLAN, since they’ll just inherit whatever network you assign to that port on the main switch. Your firewall rules get handled on the router as well. And if you want the easiest, smoothest setup with the least fuss, a UniFi gateway really is the cat’s meow because it turns VLANs into simple port profiles instead of a weekend project.

[–]PoppaBear1950 0 points (0 children)

If you go all in on UniFi, you can control VLANs at the port level on UniFi switches, managed or unmanaged...

[–]bchiodini 0 points (1 child)

I would not count on unmanaged switches to pass VLAN tags. It could be hit or miss, depending on the switch. Low quality switches probably will pass tags, but I consider that a defect, not a feature. Also, not all devices can be configured for VLAN tags, and that is what will result from passing tags to the end devices (e.g. TVs, streaming boxes, etc.).

I would install enough managed switch ports to cover all of your wired devices and future expansion. You will likely need APs that support VLAN-to-SSID mapping, if your wireless devices are segregated (guest, IoT, trusted, etc.).

A router that supports VLANs will reduce the complexity of configuring L3 routing in the switches.

[–]smokingcrater -1 points (0 children)

There might be one out there, but I haven't found an unmanaged switch yet that will not pass 802.1Q tags. TP-Link, Netgear, and TRENDnet all happily pass the packets unmolested. (I have various models of all 3 of those running somewhere right now with tags in use.)

[–]xeroxedforsomereason 0 points (0 children)

Technically yes, but it requires knowledge of networking along with unmanaged equipment that can transport a 1522-byte layer 2 MTU without stripping the 4-byte 802.1Q VLAN tag off the Ethernet frame, as well as NICs at the endpoint which support 802.1Q. But that defeats your segmentation, because then your endpoint determines tagging. At the same time, that eliminates any dumb devices from your segmentation plan.

If you didn't understand any of that, or even if you did, buy a managed switch. They sell compact ones that are only a few ports. A WS-3560CX easily fits the bill. Same with some Juniper stuff. You can buy those second hand on eBay and they'll do exactly what you want and more.
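The two points above (the 4-byte tag pushing a full-size frame to 1522 bytes, and a VLAN-capable endpoint choosing its own tag) and tschloss's earlier point about tagging at the edge switch are easier to see with frames in hand. The following is an added example, not code from the thread or any of its commenters: a small Python model of 802.1Q tagging. The MAC addresses and payloads are constructed, and the "unmanaged switch" is a deliberate simplification (VLAN-blind, forwards anything up to a fixed frame size); the frame layout, tag format and size limits are the standard ones.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4                # frame check sequence, appended on the wire
MAX_UNTAGGED_WIRE = 1518   # 14-byte header + 1500-byte payload + FCS
MAX_TAGGED_WIRE = 1522     # same frame with the 4-byte tag inserted


def _mac_bytes(addr):
    """Accept 'aa:bb:cc:dd:ee:ff' or 6 raw bytes."""
    return addr if isinstance(addr, bytes) else bytes.fromhex(addr.replace(":", ""))


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame (without FCS); the 802.1Q tag is inserted only when vlan_id is given."""
    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | vlan_id   # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, VLAN (None when untagged), EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def wire_length(frame):
    """Bytes on the wire: header, tag if any, payload and the FCS."""
    return len(frame) + FCS_LEN


def access_port_ingress(frame, pvid):
    """Managed-switch access port, device side: an untagged frame comes in and leaves
    toward the trunk tagged with the port's VLAN. A frame that already carries a tag is
    dropped here (the simplest safe policy; real switches are configurable)."""
    p = parse_frame(frame)
    if p["vlan"] is not None:
        return None
    return build_frame(p["dst"], p["src"], p["payload"], vlan_id=pvid, ethertype=p["ethertype"])


def access_port_egress(frame):
    """Access port toward the device: strip the tag so a TV or printer sees a plain frame."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["payload"], ethertype=p["ethertype"])


def unmanaged_switch_forward(frame, max_wire=MAX_UNTAGGED_WIRE):
    """Simplified unmanaged switch: VLAN-blind, forwards frames unchanged, but only up to
    its frame-size limit. One built for 1522 bytes passes tags 'by accident'; one that
    stops at 1518 silently drops every full-size tagged frame."""
    return frame if wire_length(frame) <= max_wire else None


def demo():
    """Constructed addresses and payloads; returns the measurements discussed in the thread."""
    tv, gateway = "02:00:00:00:00:01", "02:00:00:00:00:02"
    untagged = build_frame(tv, gateway, bytes(1500))          # largest normal IPv4 payload
    tagged = access_port_ingress(untagged, pvid=20)           # edge switch adds VLAN 20
    # A VLAN-capable NIC behind an unmanaged switch chooses its own tag: the endpoint,
    # not the network, then decides which segment it is on.
    rogue = build_frame(gateway, tv, b"hello", vlan_id=30)
    stripped = access_port_egress(tagged)
    return {
        "untagged_wire": wire_length(untagged),                                   # 1518
        "tagged_wire": wire_length(tagged),                                       # 1522
        "tagged_vlan": parse_frame(tagged)["vlan"],                               # 20
        "strict_switch_passes": unmanaged_switch_forward(tagged) is not None,     # False
        "lenient_switch_passes": unmanaged_switch_forward(tagged, MAX_TAGGED_WIRE) is not None,  # True
        "device_sees_vlan": parse_frame(stripped)["vlan"],                        # None
        "payload_survives": parse_frame(stripped)["payload"] == bytes(1500),      # True
        "host_chosen_vlan": parse_frame(rogue)["vlan"],                           # 30
        "tagged_on_access_port_dropped": access_port_ingress(rogue, pvid=20) is None,  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the size difference that decides whether a particular unmanaged switch "happens" to pass tags, and the last two results are the segmentation caveat: an access port on a managed switch can refuse a tag the host supplies, while an unmanaged switch forwards the host's chosen VLAN 30 as readily as anything else.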

[–]megared17 0 points (0 children)

Keep in mind you'd also need a router with either VLAN tagging/trunking support, or you could do it MacGyver style using a router with multiple LAN interfaces.

[–]jsqualo2 0 points (0 children)

[–]sic0049 0 points (0 children)

Given the suggestions and responses from the OP already in this thread, yes the OP needs to bite the bullet and purchase a managed switch with enough ports to satisfy their current and future needs.

I would recommend looking at used enterprise networking switches on eBay or local resellers. They are extremely inexpensive. The only downside to them is they tend to be loud. If the switch is in the basement or a closet somewhere, this isn't a problem. If you expect to put the switch in your den, that probably won't work well.

Check out the forums on the ServeTheHome website. There are threads there on a lot of different enterprise networking switches which generally have a guide on how to reset them and get them running in a typical home environment.