Peplink 20X and VLAN separation of IoT Device traffic - Which Switch?

Hello,

I recently purchased a Peplink 20X for its LTE redundancy, and it works wonderfully in my home.

I am going to have structured ethernet wiring, and would like to isolate IoT devices from the rest of the network (both ethernet and wireless). I’m assuming this should be done with VLANs, and that I’d have one VLAN for TrustedDevices and one VLAN for IoTDevices.

I was able to set up the Peplink with an additional subnet network, and tagged it with VLAN ID 111, then on the Ruckus AP, set the corresponding VLAN ID for the IoT SSID. I then added a firewall rule to the 20x to deny any traffic from the IoT subnet (VLAN 111) to the TrustedDevice subnet. I was able to test it out and confirm packets were dropped when initiated from the IoT network, trying to reach the TrustedDevice network, but not the other way around. I was also still able to reach the internet. It seemed I had to leave ‘Inter-VLAN Routing’ enabled on both networks for it to work.

Am I setting this up appropriately, or is there a better/different way to go about it?

Assuming it is set up correctly, to take advantage of this at the ethernet level, through a switch, would any switch with VLAN tagging capability work sufficiently (such as a ‘smart managed’ switch), or is a switch rated/labelled as L2/L2+/L3 required?

For this multiple subnet approach, would I have to run multiple ethernet cables to the switch from the 20x, off dedicated ports on the 20x? I think I read somewhere that a L3 switch may be required to handle multiple subnets.

Thanks so much for your guidance in this area!
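The behaviour described in the post above (IoT-initiated traffic to the trusted subnet dropped, trusted-initiated traffic and its replies allowed, internet still reachable) is what a single deny rule produces on a firewall that tracks connection state. The following is an added example, not code from the original thread or from Peplink: it models that rule set with a connection table, replays a few constructed flows, and has a `stateless` switch to show that the same deny rule without state tracking would also drop the replies and break Trusted -> IoT. The subnets 192.168.1.0/24 and 192.168.111.0/24 and the host addresses are assumptions; the thread only gives the VLAN ID.

```python
import ipaddress

# Constructed example addressing: the thread only says the IoT network is
# VLAN 111; these two subnets and the hosts below are assumptions.
TRUSTED = ipaddress.ip_network("192.168.1.0/24")    # assumed TrustedDevices LAN
IOT = ipaddress.ip_network("192.168.111.0/24")      # assumed VLAN 111 (IoT) LAN


class InterVlanFilter:
    """Model of the one-rule policy from the post: deny IoT -> Trusted,
    allow everything else, with the firewall tracking connection state.

    With state tracking (the normal case on a router firewall) the reply
    half of a flow that a trusted host opened matches the connection table
    before the deny rule is consulted, so Trusted -> IoT works while
    IoT -> Trusted does not. With stateless=True the deny rule also eats
    the replies, which would break Trusted -> IoT as well.
    """

    def __init__(self, stateless=False):
        self.stateless = stateless
        self.conntrack = set()      # 5-tuples of flows accepted as NEW

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport)

    def filter(self, proto, src, sport, dst, dport):
        """Return the verdict for one packet and update the connection table."""
        fwd = self._key(proto, src, sport, dst, dport)
        rev = self._key(proto, dst, dport, src, sport)
        # 1. ESTABLISHED: either direction of a flow we already accepted.
        if not self.stateless and (fwd in self.conntrack or rev in self.conntrack):
            return "ACCEPT established"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 2. The explicit deny rule from the post: IoT subnet -> Trusted subnet.
        if s in IOT and d in TRUSTED:
            return "DROP iot-to-trusted"
        # 3. Default allow (Trusted -> IoT, IoT -> internet, Trusted -> internet).
        self.conntrack.add(fwd)
        return "ACCEPT new"


def run_scenario(stateless=False):
    """Replay a few constructed flows and return the verdict for each."""
    fw = InterVlanFilter(stateless=stateless)
    cam, nas, laptop, dns = "192.168.111.20", "192.168.1.10", "192.168.1.50", "9.9.9.9"
    flows = [
        ("cam_to_nas_new",    ("tcp", cam,    40000, nas,    445)),    # IoT -> Trusted: denied
        ("laptop_to_cam",     ("tcp", laptop, 51000, cam,    554)),    # Trusted -> IoT: allowed
        ("cam_reply",         ("tcp", cam,    554,   laptop, 51000)),  # reply: needs state
        ("cam_to_internet",   ("udp", cam,    40001, dns,    53)),     # IoT -> internet: allowed
        ("cam_to_laptop_ssh", ("tcp", cam,    554,   laptop, 22)),     # reuses src port, still NEW
    ]
    return {name: fw.filter(*pkt) for name, pkt in flows}


if __name__ == "__main__":
    for mode in (False, True):
        print("stateless" if mode else "stateful")
        for name, verdict in run_scenario(mode).items():
            print(f"  {name:<20} {verdict}")
```

The last flow is the check worth keeping in mind: a camera reusing the port it answered on does not get a free pass into the trusted subnet, because the connection table matches the whole 5-tuple, not just the source address and port.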

Each LAN port on the Balance 20x can be assigned to either the trusted network or to your VLAN. So, you may not need an external switch.

I am no expert on smart switches, but I am sure that you would only need one Ethernet cable between the B20x and the smart switch. You then have to tell the B20x which VLANs are allowed to travel through that cable. You start at the Network tab → LAN port settings → type of port.


As Michael has pointed out, you can just set ports to “access” mode on the 20X and put them in a specific VLAN. You could then just use a couple of unmanaged switches, but that’s messy and doesn’t scale over time if you decide to add more VLANs.

So if you want a managed switch, just about anything sold as a Layer 2 switch should suffice; as long as it supports 802.1Q VLANs you should be able to make it work.

By default the ports on the 20X are configured as “trunk”, i.e. they carry multiple VLANs. It sounds like you already have this working with your Ruckus AP, so you’d just configure the matching VLAN IDs on the switch, configure a port as a trunk on the switch, and plug that into a trunk on your 20X.

You do not need a Layer 3 switch for what you are looking to do. A L3 switch would be more useful if you wanted to route in the switch; this is not really needed here. You’d typically do this where you need high-performance inter-VLAN routing.

In terms of what to look at: if you want nice integration with your existing 20X you could look at a Peplink switch. If you want cheap you could look at something like Ubiquiti or Netgear, or recently I’ve found the Aruba InstantOn line of switches to be pretty reasonable for the money. Consider going for something that supports power over ethernet (PoE) as it can be useful for powering things like your APs and cameras etc.

One more point of consideration, which is more on the end-user side: a lot of this IoT stuff relies on layer 2 discovery, i.e. they often require the thing controlling them to be on the same subnet as the devices themselves, so you may need to play around with things like mDNS/Bonjour gateways that repeat the discovery traffic across multiple subnets.

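The reply above turns on three 802.1Q facts: a trunk port carries several VLANs on one cable by tagging each frame, an access port carries one VLAN untagged and assigns its PVID on ingress, and the switch re-tags on the way out. The following is an added example, not code from the original thread, from Peplink or from any switch vendor: it builds and parses 802.1Q-tagged Ethernet frames and models one hop through a switch from an IoT device on an access port (PVID 111) to the single trunk uplink to the 20X. Port names, MAC addresses and the stub payload are constructed for illustration; the access-port rule that drops a frame arriving with a device-supplied tag is one common behaviour, noted as an assumption, and is worth checking on whatever switch you buy.

```python
import struct

TPID_8021Q = 0x8100     # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id set, a 4-byte 802.1Q tag (TPID + TCI)
    is inserted between the source MAC and the EtherType."""
    hdr = _mac(dst) + _mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left clear
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, tpid, frame[14:]


def strip_tag(frame):
    vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return frame[:12] + struct.pack("!H", ethertype) + payload


def add_tag(frame, vid):
    frame = strip_tag(frame)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class Port:
    """Ingress/egress behaviour of one 802.1Q switch port.

    access: accepts untagged frames only and places them in `pvid`; a frame
            that arrives already tagged is dropped (assumed behaviour; some
            switches instead accept a tag equal to the PVID).
    trunk : accepts tagged frames whose VID is in `allowed`; untagged frames
            go to the native VLAN `pvid`, or are dropped when pvid is None.
    """

    def __init__(self, name, mode, pvid=None, allowed=()):
        self.name, self.mode, self.pvid, self.allowed = name, mode, pvid, frozenset(allowed)

    def classify(self, frame):
        vid, _, _ = parse_frame(frame)
        if self.mode == "access":
            return self.pvid if vid is None else None
        if vid is None:
            return self.pvid
        return vid if vid in self.allowed else None

    def carries(self, vid):
        if self.mode == "access":
            return vid == self.pvid
        return vid in self.allowed or vid == self.pvid

    def emit(self, frame, vid):
        """Access ports and the trunk's native VLAN send untagged; otherwise tag."""
        if self.mode == "access" or vid == self.pvid:
            return strip_tag(frame)
        return add_tag(frame, vid)


def forward(frame, ingress, egress):
    """One hop through the switch; None means the frame was dropped."""
    vid = ingress.classify(frame)
    if vid is None or not egress.carries(vid):
        return None
    return egress.emit(frame, vid)


def demo():
    """Constructed scenario: IoT device on an access port (PVID 111); the switch
    uplink is the single trunk cable to the Balance 20X carrying VLANs 1 and 111."""
    iot_port = Port("g1", "access", pvid=111)
    uplink = Port("g48", "trunk", pvid=None, allowed={1, 111})
    payload = b"\x45" + b"\x00" * 19                       # stub, not a real IPv4 packet
    plain = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETH_IPV4, payload)
    tagged_out = forward(plain, iot_port, uplink)           # leaves the trunk tagged 111
    hop = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETH_IPV4, payload, vlan_id=1)
    hop_out = forward(hop, iot_port, uplink)                # device-supplied tag: dropped
    return {"uplink_vid": parse_frame(tagged_out)[0], "self_tagged_forwarded": hop_out is not None}
```

The uplink is built with no native VLAN (`pvid=None`), so an untagged frame arriving on it is dropped rather than silently landing in the trusted network; if your switch's trunk defaults to a native VLAN of 1, check whether that matches how the 20X trunk port is set before relying on the separation.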

I have an Aruba InstantOn switch. The out of box experience was miserable. Eventually I gave up. Not friendly to someone new to Aruba.

@Michael234: That’s why they make Peplink. :<) ;<)

Will - so sorry I did not see this earlier (apparently I don’t have e-mail alerts set up)! Your response is perfectly educational - and I appreciate it so much!! Good call on the bonjour/discovery…

I did narrow it down to two switches - largely based on acoustics… the Zyxel GS1920-48HPv2 or the Ubiquiti USW-48-POE. I had not looked at Aruba Instant On previously, so that was a good call. It seems like their 48 port switches will all be at least 40 dBA (their rating is slightly different), so that would be louder than I would prefer in a closet that is next to a theater room. Despite slightly less PoE capacity and the concerns about being fanless, I am gravitating towards the Ubiquiti. Clearly it is optimal in acoustics, but I am slightly concerned about usable life.

I’m really not a network guy, but took my best stab at a network topology layout, with 4 identified VLANs and some sample clients. Does the below make sense from a network design perspective, or should I be doing something different or less weird?

My goal is to have trusted devices on Main, allowing access to IoT and Cameras, but not allow IoT or Cameras back to the trusted/Main network. I’d also have WiFi SSIDs set up to match VLANs (plus the default guest network).

(Details Removed May 1)