VLANs and types of devices to add to them
-
Hi everyone,
I realize that this will be different for each user and the types of networks and devices they utilize, but does anyone have a good general rule of thumb to determine what devices to add to each VLAN? In other words, how do you go about determining what goes where?
For example, if creating a MANAGEMENT VLAN, what would you add to it: APs, PC(s), and switches to manage pfSense, AP settings, etc.?
Or, for an IoT VLAN, would you add all cell phones, iPads, smart TVs, Nest thermostat, etc. there?
Again, I am more interested in determining what types of devices to add to different VLANs rather than how to create VLANs.
Thanks in advance!!
-
@marinsnb a general take on it is you would put devices of a like kind into the same VLAN. Or, depending on your situation, you might put all devices in an area, floor, room or building all on the same VLAN.
In a company setup, you might put all the devices from the accounting department in VLAN X, while you have, say, the shipping dept on VLAN Y.
How you segment would really be determined by what you're wanting to accomplish, and also allowing for easy rules to allow or block what you want at the VLAN level. For example, I have all my Roku devices in a Roku VLAN ;) They all need access to my Plex server, etc. So this is easy to do for all devices in that VLAN via just 1 rule. No need to call out specific IPs, etc.
I don't care if these devices talk amongst themselves, etc.
I lump all my other IoT sort of devices into a different VLAN. They do not need to talk to really any of my other networks at all, and while I could probably segment those out more, for say Alexa devices being on a different one than my thermostat or fridge, etc., I am not too worried about those devices talking to each other. But I do have rules for what they can talk to on the rest of my network, which is nothing ;)
My phones and tablets and laptops etc. are in a different VLAN because those have different rules for what they can talk to on my other network segments. My printer is also in this VLAN because it makes it easy for my stuff to print via AirPrint. But my Roku or IoT devices have no need to print anything, etc. But for example my tablets and cell phones do have access to my NAS for file sharing, which is on my more trusted main network along with my PC, and I use this "trusted" main VLAN for my management VLAN access to my switches' IPs, pfSense web GUI, etc.
I also have another VLAN for "guests", so when my buddy comes over with his cell phone, sure he can use my internet, but he has no reason to talk to my printer or my Plex server, etc. So that VLAN is really just limited to internet, and cannot even talk to my local DNS, etc.
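A small model of the segmentation laid out in the reply above, added here as an example rather than anything posted in the thread. The subnets, server addresses and rule list are assumed values chosen to mirror the described VLANs; it shows why a per-VLAN rule covers a newly added device with no per-IP entry, and why guests are cut off from local DNS.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets for the VLANs described in the reply (assumed values).
VLANS = {
    "trusted": ip_network("192.168.1.0/24"),   # PC, NAS, switch and pfSense management
    "phones":  ip_network("192.168.20.0/24"),  # phones, tablets, laptops, printer
    "roku":    ip_network("192.168.30.0/24"),
    "iot":     ip_network("192.168.40.0/24"),
    "guest":   ip_network("192.168.50.0/24"),
}
# Servers the rules refer to (constructed addresses on the trusted VLAN).
PLEX, NAS, LOCAL_DNS = "192.168.1.10", "192.168.1.20", "192.168.1.1"

# One pass rule per (source VLAN, destination). Destination is a VLAN name,
# a single host, "internet" (anything outside VLANS) or "any". Default: deny.
RULES = [
    ("trusted", "any"),        # trusted/management VLAN reaches everything
    ("phones", NAS),           # file sharing
    ("phones", "internet"),
    ("roku", PLEX),            # one rule covers every Roku, present or future
    ("roku", "internet"),
    ("iot", "internet"),       # IoT talks to nothing local
    ("guest", "internet"),     # guests: internet only, not even local DNS
]

def vlan_of(ip):
    """Name of the VLAN an address belongs to, or 'internet' if none."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def allowed(src, dst):
    """True if the firewall would pass a flow from src to dst under RULES.
    Traffic inside one VLAN is switched, never filtered, so it always passes."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        return True
    for rule_vlan, target in RULES:
        if rule_vlan == s and (target in ("any", d) or target == dst):
            return True
    return False
```

A device that lands in the wrong VLAN silently inherits that VLAN's policy, so checking `vlan_of()` for a new host is the first thing to do when a rule seems not to apply.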
-
There are a variety of reasons for using a VLAN. You already mentioned one, management, which keeps unauthorized people away from where they can do harm. Another common one is VoIP phones. In an office, both the phone and computer can use the same switch port, with the phone and computer traffic kept separate. You can also use VLANs to give certain LAN traffic priority over others, or to isolate things like IoT devices from accessing the Internet. Etc.
I use a VLAN on the switch port to my WiFi access point, so that I can have both a main and guest SSID. The guests are only allowed out to the Internet and nowhere else.
-
Thank you so much for your insights! Aside from a few Ubiquiti APs and switches, my network is fairly simple in terms of devices (a few laptops, a couple of smart TVs, Nest and a few cell phones). Getting ready to dive into installing the new Netgate 6100 and have been thinking about creating VLANs and how to organize all of my devices there, including my Ubiquiti devices. Have been thinking about sitting down one of these days and determining what goes where before deciding how many VLANs to create. At the same time I have also been wondering if the VLANs and rules I create will be able to accommodate any new devices I get in the future. That is why I was wondering if there is a general rule to organize current and new devices without having to create new VLANs or having to redo everything on the network.
In my current pfSense setup I don't have any VLANs - currently using the LAN interface for most devices and another OPT interface on a different subnet connected to a Cisco 8 port switch with a few devices attached to it via Ethernet (smart TV, Blu-ray and DVR).
Recently I also ran new Cat6a cabling everywhere in my house, so I am in the process of determining how everything will connect to the new Ubiquiti switches/AP and Netgate 6100.
Thanks again! Really appreciate your assistance!