Home Network with Cisco SG350 Best Practice?
-
I only use the Chromecast to project (cast) my browser. My media streamers handle all my true needs. An example of where the Chromecast comes in handy is with Xfinity TV, where I can stream to any TV in the house without the need to have a cable box at each TV location. I believe Xfinity TV has a beta Roku app, but a Roku is still more expensive than a Chromecast. The other issue I have is the network TV tuners. Same issue, where I am not allowed to specify the hostname or IP of the tuners.
Anyway, let's say I will just have two networks, a VLAN 20 and an untagged network. VLAN 20 will be for untrusted wired and wireless devices. Untagged will be for my trusted devices (including the semi-trusted). I am thinking of dedicating about 2-3 ports on the switch for VLAN20 wired devices, a port (trunk?) for the UniFi AC Pro, a port or two to pfSense, and then the rest can be part of the untagged trusted Network.
-
What is the best way to wire up the SG350 and UniFi AC Pro to the pfSense box?
-
What configuration will be needed on pfSense and the SG350?
-
-
"NAS hence the two ports one in the USER and one in the IOT VLAN"
So you're multihoming your NAS and it has interfaces in all your networks? Not really a good security model, but sure, that is one way to skin the layer 2 problem ;) The problem from a security standpoint is that if that NAS is compromised from, say, the internet or one of its legs, you then have a leg in another network without having to get through a firewall.
Yup.
-
I only use the Chromecast to project (cast) my browser. My media streamers handle all my true needs. An example of where the Chromecast comes in handy is with Xfinity TV, where I can stream to any TV in the house without the need to have a cable box at each TV location. I believe Xfinity TV has a beta Roku app, but a Roku is still more expensive than a Chromecast. The other issue I have is the network TV tuners. Same issue, where I am not allowed to specify the hostname or IP of the tuners.
Anyway, let's say I will just have two networks, a VLAN 20 and an untagged network. VLAN 20 will be for untrusted wired and wireless devices. Untagged will be for my trusted devices (including the semi-trusted). I am thinking of dedicating about 2-3 ports on the switch for VLAN20 wired devices, a port (trunk?) for the UniFi AC Pro, a port or two to pfSense, and then the rest can be part of the untagged trusted Network.
-
What is the best way to wire up the SG350 and UniFi AC Pro to the pfSense box?
-
What configuration will be needed on pfSense and the SG350?
1. Pop an IP address for your untagged VLAN on the LAN interface of your pfSense box (you've done this).
2. Interfaces -> VLANs: create VLAN 20 and assign its Parent Interface to the LAN interface.
3. Configure an IP address on the VLAN interface.
4. Configure the port on the SG350 as a trunk, making it pass the untagged VLAN and VLAN 20, and connect this to the pfSense LAN port.
5. Repeat step 4 for the Ubiquiti AP switch port; the AP's management interface needs to be in the untagged VLAN.
6. Configure the two SSIDs, making them members of the correct VLAN.
7. Configure the two ports you want for VLAN 20 on the switch to pass VLAN 20 untagged.
8. Configure the rest of the ports to carry the untagged trusted network.
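The switch side of steps 4 through 8, written out as SG350 CLI. This is an added example, not configuration posted in the thread. It assumes VLAN 1 is the untagged trusted network, gi1 uplinks to the pfSense LAN port, gi2 goes to the UniFi AC Pro, gi3-gi4 are the wired VLAN 20 ports, and the management address 192.168.1.2 / gateway 192.168.1.1 are placeholders; port names follow the SG350-28 and may differ on other models.

```cisco
! Added example (not from the thread): SG350 CLI for the single-trunk design above.
! Assumptions: VLAN 1 = untagged trusted network, gi1 -> pfSense LAN port,
! gi2 -> UniFi AC Pro, gi3-gi4 = wired VLAN 20 devices, addresses are placeholders.
configure terminal
!
! Step 4 prerequisite: the VLAN must exist before a port can carry it.
vlan database
 vlan 20
 exit
!
! Step 4: trunk to pfSense. VLAN 1 stays native (untagged), VLAN 20 is tagged.
! Allowed VLANs are listed explicitly rather than "all" so that only the VLANs
! you intend ever leave the switch on this wire.
interface gi1
 description uplink-pfSense-LAN
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
 exit
!
! Step 5: same shape for the AP. Its management traffic rides untagged in VLAN 1;
! the untrusted SSID is tagged 20 by the AP itself.
interface gi2
 description uplink-unifi-ac-pro
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
 exit
!
! Step 7: wired untrusted devices get VLAN 20 untagged (access ports, PVID 20).
interface range gi3-4
 description untrusted-wired
 switchport mode access
 switchport access vlan 20
 exit
!
! Step 8: everything else is an access port in VLAN 1 (the factory default),
! set explicitly so a stray trunk cannot leak VLAN 20 onto a trusted port.
interface range gi5-28
 switchport mode access
 switchport access vlan 1
 exit
!
! Management address for the switch, kept in the trusted network. The switch
! does no routing here; pfSense owns the VLAN 1 and VLAN 20 gateways.
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
 exit
ip default-gateway 192.168.1.1
end
copy running-config startup-config
```

On the pfSense side (steps 1 to 3) nothing beyond the GUI is needed: the LAN interface keeps its untagged address, and the VLAN 20 interface created under Interfaces -> VLANs with LAN as parent receives the tagged frames from gi1. Firewall rules on that VLAN 20 interface then decide what the untrusted network may reach; the switch only separates the broadcast domains.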
If you look at my examples think of my vlan 4903 as your trusted network and my vlan 3 or 4 as your vlan 20.
-
-
Thanks NogBadTheBad. This is what I originally thought, but after reading some posts about VLANS and Layer 3 switches, I got my head all twisted.
Johnpoz asked how many interfaces on the pfSense box I wanted to use. Is there another way to install the SG350 where I use more than one pfSense interface to connect the SG350?
-
If you are not pushing close to maybe 500Mbit/s all the time, there is little to gain. But if you want to you can LACP a couple ports to the switch and generally load balance across them. Tag all your VLANs to the lagg.
The main reason to tag all your VLANs to the switch (lagg or not) is so you can put wireless networks on your private LAN without silly things like bridges.
-
Sure, you could lagg them, but that is not how I would do it unless he had a shitton of devices and more than 1 GE up/down on the internet.
You can use the other interfaces for uplinks of other networks/VLANs. It all comes down to how many VLANs you're going to have, which VLANs talk to each other the most, etc. To the internet, unless it is quite a fat pipe, doing multiple uplinks to pfSense is not going to give you anything more.
What I am talking about is not hairpinning when doing intervlan traffic on the vlans that talk to each other the most.. See attached..
So when you trunk to 1 physical interface on the router, if in the drawing VLAN 300 wants to talk to VLAN 200, your max possible speed between VLAN 200 and 300 is /2 of that trunk's speed. So gig now becomes max 500 Mbps between VLAN 200 and 300, or either of those to 100, etc.
But if you don't use 1 single trunked uplink to pfSense (2nd attached), now when VLAN 200 and 300 talk they could do full gig between each other. Now this is a very simplified drawing with only a few VLANs, etc.
If you're not going to have much or a lot of inter-VLAN traffic then it doesn't really matter, but just keep in mind that for all VLANs that share the same connection, if they are talking to each other you're doing a hairpin and that bandwidth is cut in half of that interface's speed. Now depending, maybe those are both trunk connections with multiple VLANs on them vs. I show it with only a single VLAN. Or maybe one is just access without any tagging and the other is trunked with an untagged PVID and then tagged VLANs.
Devices that talk to each other a lot should be on the same layer 2, i.e. VLAN, so their traffic never leaves the switch. But when you start to segment, you want to know what devices are on what VLAN, so VLANs that are going to have lots of traffic between them should not share the same uplink to the router.
-
Hi johnpoz.
I like your drawings. Once the SG350 arrives (March 1, 2017), I will probably ask more configuration nuts & bolts questions.
I think I will start off with just two networks (untagged and VLAN 10). I would like to implement your second drawing, which has a trunk for each network to the pfSense box. If I understand your second drawing correctly, how does VLAN 100 get to the Internet?
pfSense
To implement the two uplinks, I just use the default LAN interface for the untagged network. Then I define a VLAN and assign it to the Opt1 interface?
SG350 Switch (This will be my 1st time using a managed switch.)
-
How to designate Port for UniFi AC Pro which will have untagged and VLAN 10?
-
How to designate uplink ports for each of the untagged and VLAN 10?
-
In this configuration, is switch acting only as Layer 2?
-
-
Yes, the switch is only doing layer 2 in my drawings. You only need to trunk a port if it's going to carry tagged VLANs. If you only have 2 networks and you're going to use 2 different uplinks, you don't need a trunk to the switch; the only place you would have to create a trunk is to your AP, which will carry untagged and tagged traffic on the same wire.
-
Thanks johnpoz for explaining trunking.
So in your second drawing, if I am just going to have 2 networks (untagged & VLAN 10) and using two interfaces on pfSense:
-
I don't need to define any VLAN interface on pfSense and just configure two interfaces?
-
On the switch, each uplink port will automatically receive an IP address from pfSense or is there a special designation (terminology) for the switch's uplink port?
I apologize for the second question because it is more related to the Cisco Sg350 switch, but I am trying to understand what to look for when I read the SG350 manual in trying to configure the switch.
-
-
The switch only needs an IP in the network/VLAN you will manage it from. On the port connected to pfSense for VLAN 10 you just need to change the VLAN of the port to 10 (native VLAN / PVID). On the port connected to the AP you will need to trunk.
-
So I installed the Cisco SG350-28 switch using two uplinks, 1 each for the trusted and untrusted networks. The UniFi AC Pro is on a trunk port and it is tagging my untrusted network. The pfSense firewall rules allow traffic from trusted to untrusted and untrusted to Internet, but untrusted is not allowed into my trusted network except for printing.
Everything seems to be working as anticipated. I have even created a link aggregation for my unRAID server (802.3ad). Looks like the SG350 is always in Layer 3 mode since I haven't found any settings in the web GUI to switch between the two modes like in the SG300 (as reported by SG300 users). For now, my needs are only using it as a layer 2 device since it makes more sense to me at the moment to configure pfSense to control the routing between the two networks.
Now my home network feels right. Let's see what the future will bring so that I can utilize some of the other features on the SG350. I don't know how I've been living with an unmanaged switch all these years.
Thank you to all for helping me.
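The two-uplink layout johnpoz describes (one access port per network to pfSense, a trunk only to the AP) plus the 802.3ad LAG from the post above, as SG350 CLI. This is an added example, not configuration from anyone in the thread. It assumes VLAN 1 is the trusted untagged network and VLAN 10 the untrusted one, gi1 goes to the pfSense LAN NIC, gi2 to the pfSense OPT1 NIC, gi3 to the UniFi AC Pro, gi5-gi6 to the unRAID NIC pair, gi7-gi8 are wired untrusted ports, and the addresses are placeholders.

```cisco
! Added example (not from the thread): SG350 CLI for the two-uplink design.
! Assumptions: VLAN 1 = trusted/untagged, VLAN 10 = untrusted, gi1 -> pfSense LAN,
! gi2 -> pfSense OPT1, gi3 -> UniFi AC Pro, gi5-gi6 -> unRAID, gi7-gi8 wired untrusted.
configure terminal
vlan database
 vlan 10
 exit
!
! Trusted uplink: plain access port, nothing tagged, so pfSense LAN only ever
! receives VLAN 1 frames and needs no VLAN interface at all.
interface gi1
 description uplink-pfSense-LAN-trusted
 switchport mode access
 switchport access vlan 1
 exit
!
! Untrusted uplink: also access, PVID 10. pfSense OPT1 sees untagged frames;
! segmentation is enforced by the firewall rules on that interface.
interface gi2
 description uplink-pfSense-OPT1-untrusted
 switchport mode access
 switchport access vlan 10
 exit
!
! The only trunk: the AP carries its management (untagged, VLAN 1) and the
! untrusted SSID (tagged 10) on one wire. Only VLAN 10 is added to the trunk.
interface gi3
 description unifi-ac-pro
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 10
 exit
!
! Wired untrusted devices.
interface range gi7-8
 description untrusted-wired
 switchport mode access
 switchport access vlan 10
 exit
!
! 802.3ad LAG for the unRAID server. On the SG series "channel-group ... mode auto"
! runs LACP; unRAID's bond must be mode 4 (802.3ad) to match. The port-channel
! is an access port in the trusted VLAN, so the server has a leg in one network only.
interface range gi5-6
 channel-group 1 mode auto
 exit
interface port-channel 1
 description unraid-lag
 switchport mode access
 switchport access vlan 1
 exit
!
! Management address in the trusted network; the switch routes nothing between
! VLAN 1 and VLAN 10, pfSense does, so its rules are the only inter-network path.
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
 exit
ip default-gateway 192.168.1.1
end
copy running-config startup-config
```

With this wiring the inter-VLAN path is trusted NIC -> pfSense -> untrusted NIC rather than a hairpin on one trunk, which is the bandwidth point johnpoz made. The "untrusted may not reach trusted except printing" policy from the post lives entirely on the pfSense OPT1 rule set: a pass rule for the printer's address and port followed by a block to the LAN network, then a pass to any for Internet access.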
-
Looks like the SG350 is always in Layer 3 mode since I haven't found any settings in the web GUI to switch between the two modes like in the SG300 (as reported by SG300 users).
There is still a layer 2/3 setting, but it is per vlan interface rather than for the entire device. If you enable Advanced Display mode, you will find it in VLAN Management -> Interface Settings -> Switchport Mode. It defaults to layer 2.
-
Thanks. I forgot about the Advanced display mode.