Building my lan: do I need a managed switch for my VLANs?

valepe69

I searched for the specs of the suggested switches and I split them in two families:

• L3 switches like Cisco SG 350-xx
• L2+ switches like D-Link DGS 1210-xx

With L3 switches I could offload to the switch the inter-VLAN traffic, inter-VLAN communication access but with a more complicated handling of the lan (I have to manage two devices for rules, etc).
With L2+ switches all rounting and firewalling is handled by pfSense so a easier handling but with the risk to saturate the physical link from the switch to the router (but I can aggregate two ports to partially solve it).

Am I right? And what do you suggest between them?

Thank you again

A Former User

@valepe69 You always have to coordinate the configuration between pfsense, Switch and AP's. The VLAN assignments on the switch, AP and your interface and VLAN configuration in pfsense must agree. No avoiding multi-point configuration. Doing some inter-VLAN routing on the switch shouldn't complicate things too much.

I am impressed by your thoughtful approach to this! I look forward to hearing what the best practice recommendation is from those more experienced than I. Even though my Cisco SG-220 is L2 only I'll note the recommendations for the future.

bingo600

@valepe69

IMHO L2 switches are adequate for most "Normal usage".
The L3 switches will offload the "router" , but usually their ACL set is limited and if it is not statefull , you are in for a mess.

I'd go for L2 , and if more routing capacity is needed , spend the $$ on a larger router (pfSense).

If you have heavy server intercommunication or backup or ... Just put them in the same Vlan .. No router needed.

/Bingo

johnpoz

Keep in mind that just because your switch supports L3, doesn't mean you have to use it.. Or you can use both L3 and L2 at the same time.

The only thing L3 capable switch gets you is options.. While an L3 switch can route, and L2 can not.. What will you be doing 6 months from now, or a year.. If you get L2 I can tell you for sure you won't be doing any sort of routing on your switch - unless you buy a new one ;)

My sg300 is in L3 mode, and capable of routing. I'm just currently doing L2 on it only.. But its there is I want to test something, or wanted to do that.

bingo600

What JP said id correct , you would have the possibility to route if you get a L3 switch. And don't need to enable that at the beginning.

I'm purely L2 , and everything has to pass my pfSense.
I have not missed L3 yet ....

johnpoz

The reason you would get an L2 over an L3 is cost savings, and no plans of ever routing on it. I have no idea what I might want to do different on my home network, or what to test out..

If a more feature rich switch is in your budget - I would say get it.. Like I said you can never have too many features or options..

Like buying a car, not getting fully loaded. And then winter comes and gawd daggit, wish my seats were heated ;) Damn it what do you mean have to roll down these windows by hand.. What no SiriusXM? The radio only gets AM? WTF!!! ;)

bingo600

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

The reason you would get an L2 over an L3 is cost savings, and no plans of ever routing on it.

Totally agree - It was cost & 24/7 power usage , that made me chose the 1210's , i also have a few HP-1820. But like the D-Link's better , featurewise.

My home net is so small , that i don't have to think (worry) about segmenting due to # of clients.

I purely segment for security reasons , hence i would not want to do any L3 on the switch.

But you'll never know ...
When you might just wished you had ...

johnpoz

For example - the unifi switches, all L2.. But the cost is inline with a sg350.. Why would I get that L2 vs a switch that can do L3 and more..

The USW-24 is $225 has 26 ports total, and 2 of those you have to use sfp module (extra cost)
The sg350-28 is $229 has 28 ports total, and can use up to 4 sfps (combo ports)

Why would you not get the L3 capable switch. And 2 more ports for $4 ;)

But hey if you can find say a 24 port L2 that does all that you want currently. And is half the cost of 24 port that can do L3.. Then you might want to do that - but to be honest you find prob not all that much difference in cost.

bingo600

The 28 (24 plus 4 Dual) port DGS-1210-28 is $138 incl. shipping on Amazon.de

https://www.amazon.de/D-Link-DGS-1210-28-1000Mbit-SFP-Slots-l%C3%BCfterlos/dp/B008R7114W/

/Bingo

johnpoz

@bingo600 said in Building my lan: do I need a managed switch for my VLANs?:

DGS-1210-28

That good price... I show it as 193 here

valepe69

Just bought a DLink DGS-1210-28.
Where can I find some tutorials how to setup it?

Thanks

bingo600

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

Just bought a DLink DGS-1210-28.
Where can I find some tutorials how to setup it?

Thanks

Google is your friend here.

The D-Links come with a default ip :
10.90.90.90 , and i think admin/admin for login.

valepe69

@bingo600 ok thanks.
Any tips about what to do and not to do setting up the switch? My LAN is composed by few VLANs.
Router will assign DHCP to the devices in these VLANs and it will allow or deny inter-vlan traffico.
Thanks again

bingo600

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

@bingo600 ok thanks.
Any tips about what to do and not to do setting up the switch? My LAN is composed by few VLANs.
Router will assign DHCP to the devices in these VLANs and it will allow or deny inter-vlan traffico.
Thanks again

It might be smart to define the L2 vlans early.
The you can set the switch management ip to belong to a Vlan

During the initial management ip setup - Do NOT save the config , until it works.
That way you can always reboot , and get back to factory defaults.

I seem to remember you can factorydefault the switch , by pressing a thin thing into the little reset hole , and wait for all switchport leds to lihht up yellow.

JKnott

@valepe69

First off, you have to decide what's going on the VLANs and then plan from there. For example, I use a VLAN for guest WiFi and the 2nd SSID connects via a VLAN. In offices, VLANs are often used for VoIP phones, etc..

Then, once you've done that you have to ensure you use the same VLANs throughout, from pfsense to the switches, to whatever devcie, such as AP, etc..

bingo600

@valepe69
How is it going , with the switch & Vlans

valepe69

@bingo600 Sorry, I haven't do anything yet. My times are stretching sometimes due to four little kids

bingo600

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

@bingo600 Sorry, I haven't do anything yet. My times are stretching sometimes due to four little kids

Whoaa
Configuring a few Vlans should be easy, compared to 4 small kids
Take care

/Bingo

valepe69

@bingo600 yeah, I think so but some evenings I prefer the sofa to the pfSense box...

After VLANs, my next goal is to set the hairpin equivalent: DNS resolver (I read that I can't use forwarder because resolver is used by pfblockerng).

Luckily holidays are coming...

johnpoz

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

set the hairpin equivalent: DNS resolver

huh? Resolver works and is the default out of box - there is nothing to do really. What do you mean by hairpin?