Network management with VLANs? That's how it works

The number of devices on your network is growing rapidly, and you often have no idea what those devices do. It is a sensible precaution to put them on a separate network or subnet, with the help of a virtual network or VLAN. You can then impose restrictions, but also set traffic priorities. We show how this works, what you need for it and how you can approach further management of the network.

Such a growing network with IoT devices is nice, but it must also remain manageable. Usually those devices use your normal home network, which does not give a very safe feeling, because many IoT devices do not have proper security. With the help of virtual networks (also called virtual LANs or VLANs), you can separate them neatly. A virtual network is basically a separate network, or subnet, that simply uses your existing cables and switches. Handy, for example, to isolate all those IoT devices, so that they cannot get into your main network or make contact with an obscure server in China, just to name a few uses.

01 What are subnets?

A subnet is a range of IP addresses that belong together. Within your local network, these are private IP addresses that do not exist on the Internet (see the box 'Known private IP ranges and subnet masks'). The first part of each IP address refers to the network it belongs to, the second part to a specific device or host. A subnet mask indicates which part describes the network. If your router has a separate network port with an isolated guest network, that is in fact also a separate subnet with a different IP range. By working with VLANs, you can create multiple subnets within the same physical network, provided you use a managed switch that supports VLANs. Elsewhere in this issue of Computer! we have tested a number of well-known models for you.

Known private IP ranges and subnet masks

Looking for your router? Chances are you'll find it at an address like 192.168.1.1, with your network devices at addresses between 192.168.1.2 and 192.168.1.254. In that case the subnet mask is 255.255.255.0. Such a subnet mask indicates which part of an IP address refers to the network: here exactly the first three numbers, which are the same for every IP address in that subnet. That is the easiest to work with, but it is not mandatory: you can experiment with other masks (aided by subnet calculators on the internet). You will also often come across the shorter CIDR (Classless Inter-Domain Routing) notation, in which this particular subnet is written as 192.168.1.0/24. Another well-known IP range, which we will also use in this workshop, is 10.0.0.0/24.
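As an added example (not part of the original article), the arithmetic behind the box above: the mask is applied with a bitwise AND to find the network part, the number of one-bits in the mask is the /prefix of CIDR notation, and two hosts are in the same subnet only when their masked addresses agree. The addresses are the article's; the function names are ours.

```python
# Added example, not from the article: the subnet arithmetic behind the box above,
# done with bit masks rather than the ipaddress module so the mechanism is visible.
from typing import Tuple

def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24 (the /24 in CIDR notation); rejects gappy masks."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def subnet_of(ip: str, mask: str) -> Tuple[str, str, str, str]:
    """(network/prefix, first host, last host, broadcast) for an address and mask."""
    prefix = mask_to_prefix(mask)
    net = ip_to_int(ip) & ip_to_int(mask)        # network part: bits kept by the mask
    bcast = net | (0xFFFFFFFF >> prefix)          # host part set to all ones
    if prefix >= 31:                              # /31 and /32 have no host/broadcast split
        return f"{int_to_ip(net)}/{prefix}", int_to_ip(net), int_to_ip(bcast), int_to_ip(bcast)
    return (f"{int_to_ip(net)}/{prefix}", int_to_ip(net + 1),
            int_to_ip(bcast - 1), int_to_ip(bcast))

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when the two hosts share the network part, i.e. talk without a router."""
    m = ip_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)

def vlan_subnet(vlan_id: int) -> str:
    """The article's convention: VLAN N gets 10.0.N.0/24 (only fits N = 1..255)."""
    if not 1 <= vlan_id <= 255:
        raise ValueError("10.0.N.0/24 scheme only fits VLAN IDs 1-255")
    return f"10.0.{vlan_id}.0/24"

if __name__ == "__main__":
    print(subnet_of("192.168.1.1", "255.255.255.0"))              # the router example from the box
    print(same_subnet("10.0.10.5", "10.0.20.5", "255.255.255.0"))  # VLAN 10 vs VLAN 20: False
    print(same_subnet("10.0.10.5", "10.0.11.5", "255.255.254.0"))  # a /23 joins them: True
```

Widening the mask to 255.255.254.0 (/23) is exactly the kind of experiment the box mentions: it silently merges 10.0.10.0 and 10.0.11.0 into one subnet, which matters if you rely on subnets to keep VLANs apart.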

02 This is how VLANs work

VLANs are kept apart by a unique 'tag' or 'VLAN ID', a value from 1 to 4094. Think of it as a label that is attached to the traffic. It is practical to reuse such a VLAN ID in the network address, for example 10.0.10.0/24 for VLAN 10 and 10.0.20.0/24 for VLAN 20. A switch determines which ports to send traffic to based on the VLAN ID. When setting it up, you especially need to know what the connected device does with VLANs. If it does nothing with them, as with a PC or printer, you configure the port as a so-called access port. If the device does handle traffic for selected VLANs itself, such as certain routers, servers and business access points, you configure the port as a trunk port. Such devices are called 'VLAN-aware'.

03 Set up VLANs on the switch

You add VLANs on the switch one after the other (per VLAN ID) and choose, per port, between the designations Tagged, Untagged and Not Member. If a port has nothing to do with a specific VLAN, choose Not Member. For an access port you choose Untagged, so that traffic leaving the switch has its tag stripped. For a trunk port choose Tagged, so that the device receives (and does something with) the VLAN ID. You usually also have to set a so-called PVID (Port VLAN Identifier) for each access port, so that incoming traffic (which carries no VLAN ID and is therefore called untagged) lands in the correct VLAN. Because an access port is a 'member' of only one VLAN, the PVID can also be deduced from your configuration, and some switches therefore set it automatically, but always check! If you pay attention, you will see that you can also set a PVID for a trunk port when configuring the switch. This is because, in addition to the tagged traffic, you can also carry at most one untagged VLAN over such a trunk, although it is better to avoid this in practice.

04 Default VLAN?

Note that switches fresh out of the box often have a default or native VLAN, with VLAN ID 1 as the PVID on every port. That convention comes from the Cisco world. As a result, untagged incoming traffic is mapped to VLAN 1 by default, and all ports are set as access ports (Untagged) for that VLAN. As soon as you assign a port to another VLAN, Tagged or Untagged for a certain VLAN ID, you can remove VLAN ID 1 from it again. If a port is no longer a member of any other VLAN, it is usually automatically put back in VLAN 1. This behaviour differs a bit per switch, so it is wise to check the assignment.

05 Reusing existing switches

Are you short of network ports? You can easily expand your network with old (unmanaged) switches. Although they cannot handle VLANs, they do not need to. You connect them to an access port that, as explained above, delivers traffic untagged and places incoming traffic in the correct VLAN via the PVID setting. It is practical to put a sticker or label on such a switch, so that you know which subnet you are using it for. In any case, if you work with VLANs it is useful to label all ports on your switches and perhaps the cables too. Or, for example, use a separate cable colour per VLAN.

06 Case study: Internet and guest network

Do you have a router with a separate network port for guest access? And do you want both a regular and a guest network in a bedroom, for example? Then place a managed switch in both the meter cupboard and the bedroom. Choose a VLAN ID for the regular network (for example 6) and for the guest network (for example 8). In the meter cupboard, for example, connect port 1 to the regular network and port 2 to the guest network. You set one port (for example port 8) as a so-called trunk port by tagging it for both VLAN IDs. The traffic for both VLANs then travels to the switch in the bedroom via this port.

When configuring the switch, first enter VLAN ID 6 with port 1 on Untagged and port 8 on Tagged. Then enter the second VLAN ID 8, now with port 2 on Untagged and port 8 on Tagged. You usually still need to set the PVID for port 1 (to 6) and port 2 (to 8). In the bedroom you split the traffic again with a similar configuration. You can of course assign the remaining ports on the switch to the regular network or the guest network, according to preference.
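To make the Tagged / Untagged / Not Member and PVID rules of steps 03 and 04 concrete, here is an added example (not from the article) that models them as code and builds the meter-cupboard switch of this case study. The port and VLAN numbers are the article's; the Port and Switch classes are our own construction.

```python
# Added example, not from the article: the Tagged / Untagged / Not Member and
# PVID rules of steps 03-04 as code, applied to the case-study switch of step 06.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple
TAGGED, UNTAGGED = "tagged", "untagged"

@dataclass
class Port:
    # vlan_id -> TAGGED/UNTAGGED; a VLAN absent from the dict is 'Not Member'.
    # Factory default (step 04): untagged member of VLAN 1, PVID 1.
    membership: Dict[int, str] = field(default_factory=lambda: {1: UNTAGGED})
    pvid: int = 1

class Switch:
    def __init__(self, port_numbers: Iterable[int]):
        self.ports = {n: Port() for n in port_numbers}

    def set_access(self, port: int, vlan_id: int) -> None:
        """Access port: untagged member of exactly one VLAN, PVID set to match."""
        self.ports[port].membership = {vlan_id: UNTAGGED}
        self.ports[port].pvid = vlan_id

    def set_trunk(self, port: int, vlan_ids: Iterable[int]) -> None:
        """Trunk port: tagged for each listed VLAN, no untagged (native) VLAN."""
        self.ports[port].membership = {v: TAGGED for v in vlan_ids}

    def classify(self, in_port: int, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in, or None if dropped (tag None = untagged)."""
        p = self.ports[in_port]
        vlan = p.pvid if tag is None else tag
        # Tagged frames for a VLAN the port is not a member of are dropped, as are
        # untagged frames when the PVID VLAN has been removed from the port.
        return vlan if vlan in p.membership else None

    def forward(self, in_port: int, tag: Optional[int]) -> List[Tuple[int, Optional[int]]]:
        """(egress port, tag on the wire) pairs; tag None means sent untagged."""
        vlan = self.classify(in_port, tag)
        if vlan is None:
            return []
        return [(n, vlan if p.membership[vlan] == TAGGED else None)
                for n, p in self.ports.items()
                if n != in_port and vlan in p.membership]

def case_study_switch() -> Switch:
    """Step 06: port 1 regular (VLAN 6), port 2 guest (VLAN 8), port 8 trunk for both."""
    sw = Switch([1, 2, 8])
    sw.set_access(1, 6)
    sw.set_access(2, 8)
    sw.set_trunk(8, [6, 8])
    return sw
```

With this configuration, `case_study_switch().forward(1, None)` yields `[(8, 6)]`: an untagged frame from the regular network leaves only via the trunk, tagged 6, and never reaches the guest port. A frame arriving on the trunk with a VLAN ID the switch does not know (`forward(8, 20)`) is dropped, which is the isolation the article is after.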

Television and internet via separate cables?

In their own networks, internet providers usually use VLANs to separate internet, television and VoIP, for example. This is not only safer; the quality of each service can also be guaranteed better on separate networks. The router can internally split such traffic over several ports. For television this is sometimes a different subnet, and the provider assumes that you pull separate cables. If you only have one network cable to the television, however, you can conveniently use VLANs. Place a managed switch in the meter cupboard and another near the television, and use VLANs to keep the traffic separate, basically as in our practical example of the regular network with a guest network.
