Since recently acquiring a 48-port layer 3 switch, rebuilding my network has been on my to-do list. What exactly I wanted to setup though, hasn't been very clear in my mind. I've spent a lot of time contemplating different configs, so I thought I would write down my musings. Hopefully it will allow me to get some clarity and who knows, maybe it'll help someone else too. After all, sharing is caring.
I snapped up an HP 1920-48G (JG927A) switch on eBay back in the summer for the princely sum of £250. I'd ideally wanted a Cisco something or other, but finding one that had 48 gigabit ports and layer 3 for a reasonable price was nigh-on impossible at the time. I really wanted a 5548, but they were popping up in the £1K-£2K price bracket which for a home environment is way too much money.
So £250 for a switch with 48 gigabit ports that does layer 3 and was 'boxed and brand new' seemed like a steal. Now, granted these HP switches are aimed at remote office/branch office (ROBO) setups, so don't really compare feature-wise to something like a 5548, but it seems to do all the basics like...
- Supports 256 VLANs (but only 8 VLAN interfaces)
- Has full 48 gig ports
- Does some sort of QoS
- Can do DHCP
- Can do LACP
Lovely, I thought. Then I got familiar with the Web Management Platform. Ugh. I decided to check out the CLI...
User view commands:
initialize Delete the startup configuration file and reboot system
ipsetup Assign an IP address to VLAN-interface 1
password Specify password of local user
ping Ping function
quit Exit from current command view
reboot Reboot system/board/card
summary Display summary information of the device.
telnet Establish one TELNET connection
upgrade Upgrade the system boot file or the Boot ROM program
OK, is that it?
Apparently it's not: there is a hidden CLI which you can access, but it's not much better than the Web View to be honest. Well, you get what you pay for.
VLANs, VLANs Everywhere
So what's the first thing you do when you have a switch not only capable of VLANs, but of VLAN layer 3 interfaces? You segregate everything off into its own VLAN of course. This is where I hit my first problem. I kind of had this notion of having all of my physical equipment on one VLAN (PC, laptop, TVs etc) and all the lab related stuff on another VLAN. This was great until I realised that the gimped firmware supplied on my Virgin Media Superhub2ac doesn't allow you to create a static route.
So while I could get traffic between the lab and physical VLANs, anything from the lab VLAN heading out to the Internet via the SuperHub could reach it, but the replies had no route back to the lab subnet.
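To make the asymmetric path concrete, here is a small routing simulation I have added (it is not code from the original post and the addresses are constructed: 192.168.0.0/24 as the SuperHub's LAN and physical VLAN, 10.10.0.0/24 as a lab VLAN routed by the switch at 192.168.0.2). Each device is a longest-prefix-match routing table; the trace shows lab traffic reaching the SuperHub and going out, while the reply lands on the SuperHub's default route instead of the switch until a static route for the lab subnet exists.

```python
import ipaddress

# Constructed addressing (assumption, not the author's real subnets).
SUPERHUB_LAN = "192.168.0.1"   # SuperHub's LAN address, default gateway of the physical VLAN
SWITCH_ADDR = "192.168.0.2"    # layer 3 switch's address on the physical VLAN
LAB_HOST = "10.10.0.5"         # a VM on the lab VLAN, routed only by the switch


class Router:
    """Minimal router: a list of (network, next_hop) entries with longest-prefix match.
    next_hop is 'connected' (deliver locally), 'wan' (send to the ISP) or a peer IP."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(net), nh) for net, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        # Longest prefix wins: a /24 static route beats the /0 default route.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(routers, start, dst, max_hops=8):
    """Follow dst through the routers; returns (list of router names, disposition)."""
    path, current = [], start
    for _ in range(max_hops):
        path.append(current.name)
        nh = current.lookup(dst)
        if nh is None:
            return path, "dropped"
        if nh == "connected":
            return path, "delivered"
        if nh == "wan":
            return path, "forwarded-to-wan"
        current = routers[nh]
    return path, "loop"


def build(superhub_has_static_route):
    """Build the two-device topology; optionally give the SuperHub the static route
    that the post says its firmware cannot be configured with."""
    switch = Router("switch", [
        ("10.10.0.0/24", "connected"),
        ("192.168.0.0/24", "connected"),
        ("0.0.0.0/0", SUPERHUB_LAN),
    ])
    hub_routes = [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "wan")]
    if superhub_has_static_route:
        hub_routes.append(("10.10.0.0/24", SWITCH_ADDR))
    superhub = Router("superhub", hub_routes)
    return {SUPERHUB_LAN: superhub, SWITCH_ADDR: switch}


def outbound_path(dst="203.0.113.10"):
    """Lab host -> Internet: the switch hands the packet to the SuperHub, which sends it out."""
    routers = build(superhub_has_static_route=False)
    return trace(routers, routers[SWITCH_ADDR], dst)


def return_path(superhub_has_static_route, dst=LAB_HOST):
    """Internet -> lab host: after the SuperHub un-NATs the reply it must route to the
    lab address; without a static route its only match is the default route."""
    routers = build(superhub_has_static_route)
    return trace(routers, routers[SUPERHUB_LAN], dst)


if __name__ == "__main__":
    print("outbound:", outbound_path())
    print("return, no static route:", return_path(False))
    print("return, physical VLAN host:", return_path(False, "192.168.0.10"))
    print("return, with static route:", return_path(True))
```

The physical VLAN host works because 192.168.0.0/24 is directly connected on the SuperHub; the lab host only works once the SuperHub knows to hand 10.10.0.0/24 to the switch, which is exactly the entry the SuperHub firmware would not let the author add. Moving routing to a device you control (modem mode plus your own router) removes the problem rather than working around it.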
Swapping the SuperHub
Unlike with DSL-based broadband, you can't just replace the ISP provided kit with something of your own, stick in the correct DSL settings and login details and be up and running. Virgin Media only allow specific devices to access their fibre broadband network, e.g. the SuperHubs, which are registered to customer accounts during initial setup and activation.
The only option which remains is to keep the SuperHub as the bit that hangs off the end of the coax cable but put it into "modem only" mode. This means it simply passes the ISP assigned public IP through to whatever is hanging off its LAN1 port. Unfortunately I didn't have any kind of device which I could use to handle this modem-mode assigned IP.
I'd read a number of reviews on various wireless routers, and for the money the Netgear R7000, aka the Netgear AC1900 Nighthawk (oooh), seemed to be a good bet. Performance on this device is supposed to be very good; it offers USB 2.0 and 3.0 connections for directly attaching storage, a built-in 4-port gigabit switch, a gigabit WAN port and super duper WiFi performance and range.
More importantly it is also supported by various custom router firmwares such as DD-WRT and Tomato. I've used DD-WRT in the past on an old Linksys WRT54G and was very impressed with the amount of functionality it provides. The old Linksys however only had a 100Mbps WAN port and with 150Mbps broadband speed, I'd have been doing myself out of some bandwidth.
Hopefully the R7000 will arrive tomorrow, so expect to see another write up about flashing the firmware and configuring it to do useful stuff.
This went a bit off piste, but getting back to the original point of all this: I need to re-design my network such that it will provide me with a bit more flexibility and segregation of kit to suit my needs. My high-level goals are:
- Configure an untrusted default VLAN for general devices, predominantly wireless -- I want a place where transient devices can sit which is deemed insecure. Things like phones, tablets, laptops, guest devices etc. can all sit in here.
- Configure a trusted, restricted VLAN for management (wired only) -- This is where 'important' things live, my main PC, my work laptop, the management interfaces of my ESXi hosts, NAS, Switch and Raspberry Pi.
- Provide dedicated VLANs for specialist traffic -- I need a VLAN for storage traffic e.g. NFS/iSCSI and for vMotion traffic.
- Provide a few lab VLANs -- This is where lab VMs will live, and ideally I need a couple if not more of these.
- Provide a dedicated VLAN for multi-media and streaming -- Smart TVs, Tivo boxes and media servers can all live on their own VLAN onto which I could apply QoS if I knew how...
I really liked the idea of having the default VLAN which connects to the Internet used as a kind of dirty area for untrusted devices. I kind of stole this idea from a colleague of mine who has his own home network setup in the same way (thanks Rynardt), who incidentally keeps a similar, and better, blog to mine going over at www.virtualvcp.com.
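The goals above are really a trust-zone policy: which VLANs may initiate traffic to which others, and which VLANs even need a layer 3 interface on the switch. The following is an added example of writing that policy down and checking it; it is not the author's configuration, and the VLAN IDs, names, the choice of which VLANs are routed, and the zone-to-zone rules (including letting untrusted devices reach the media VLAN) are my assumptions. It also checks the plan against the switch's 8 VLAN-interface limit mentioned earlier, and expands the zone policy into the explicit permit/deny table an inter-VLAN ACL would need.

```python
from dataclasses import dataclass

MAX_VLAN_INTERFACES = 8   # HP 1920-48G: 256 VLANs, but only 8 routed VLAN interfaces
INTERNET = "internet"


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    routed: bool   # True = gets a layer 3 VLAN interface on the switch
    zone: str      # trust zone used by the policy below


# Constructed VLAN plan following the post's goals (IDs, names and routed flags are assumptions).
VLANS = [
    Vlan(1,   "default-untrusted", True,  "untrusted"),  # phones, tablets, laptops, guests
    Vlan(10,  "management",        True,  "trusted"),    # PC, work laptop, ESXi mgmt, NAS, switch
    Vlan(20,  "storage",           False, "infra"),      # NFS/iSCSI, layer 2 only, no gateway
    Vlan(30,  "vmotion",           False, "infra"),      # vMotion, layer 2 only, no gateway
    Vlan(100, "lab-1",             True,  "lab"),
    Vlan(101, "lab-2",             True,  "lab"),
    Vlan(200, "media",             True,  "media"),      # smart TVs, Tivo, media servers
]

# Zone-to-zone policy for routed flows, default deny. Constructed from the post's stance:
# untrusted devices only get out to the Internet, management may initiate anywhere,
# lab VLANs are isolated from each other and cannot reach management.
ALLOWED_ZONE_PAIRS = {
    ("trusted", "*"),          # management reaches everything
    ("untrusted", INTERNET),
    ("lab", INTERNET),
    ("media", INTERNET),
    ("untrusted", "media"),    # assumption: phones/tablets casting to the TVs
}


def vlan_by_id(vid, vlans=VLANS):
    for v in vlans:
        if v.vid == vid:
            return v
    raise KeyError(f"unknown VLAN {vid}")


def is_allowed(src_vid, dst, vlans=VLANS):
    """Decide a routed flow from VLAN src_vid to dst (a VLAN ID or INTERNET).
    Traffic inside one VLAN is switched at layer 2 and never reaches this policy."""
    src = vlan_by_id(src_vid, vlans)
    if not src.routed:
        return False                 # no gateway in this VLAN, nothing can be routed out
    if dst == INTERNET:
        dst_zone = INTERNET
    else:
        dst_vlan = vlan_by_id(dst, vlans)
        if dst_vlan.vid == src.vid:
            return True              # same VLAN: layer 2, not a routed flow
        if not dst_vlan.routed:
            return False             # layer 2 only VLANs are unreachable via routing
        dst_zone = dst_vlan.zone
    return (src.zone, "*") in ALLOWED_ZONE_PAIRS or (src.zone, dst_zone) in ALLOWED_ZONE_PAIRS


def validate_plan(vlans=VLANS, max_interfaces=MAX_VLAN_INTERFACES):
    """Return a list of design problems; an empty list means the plan fits the switch."""
    problems = []
    routed = [v for v in vlans if v.routed]
    if len(routed) > max_interfaces:
        problems.append(f"{len(routed)} routed VLANs exceed the {max_interfaces} VLAN-interface limit")
    vids = [v.vid for v in vlans]
    for vid in sorted(set(vids)):
        if vids.count(vid) > 1:
            problems.append(f"duplicate VLAN ID {vid}")
    return problems


def routed_policy_table(vlans=VLANS):
    """Expand the zone policy into explicit (src_vid, dst, permit|deny) rows between every
    pair of routed VLANs and the Internet: the shape of the inter-VLAN ACL the switch needs."""
    rows = []
    for src in vlans:
        if not src.routed:
            continue
        targets = [v.vid for v in vlans if v.routed and v.vid != src.vid] + [INTERNET]
        for dst in targets:
            rows.append((src.vid, dst, "permit" if is_allowed(src.vid, dst, vlans) else "deny"))
    return rows


if __name__ == "__main__":
    print("problems:", validate_plan() or "none")
    for src, dst, verdict in routed_policy_table():
        print(f"{verdict:6} VLAN {src} -> {dst}")
```

Two design points fall out of running this. Storage and vMotion VLANs get no VLAN interface at all: the ESXi hosts and NAS sit directly in them, so there is nothing to route and two of the scarce eight interfaces are saved. And because the policy is default deny, adding a new lab VLAN later means deciding explicitly what it may talk to rather than inheriting reachability to the management network.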
No network design is complete without a "good" Visio diagram, so here is mine. It's pretty high level for now, but it gives me something to work from. When I start setting this up properly, I will update this article and add any relevant tutorials based on what I do/learn. Also, I'm sure I will end up explaining why my plan didn't work and highlight the pitfalls for others to avoid. Until then.