A VLAN (Virtual Local Area Network) is used in various scenarios to enhance network performance, security, and management.
Here are some common situations where VLANs are beneficial:
- Large Networks: When you have a network with 100+ devices, VLANs help manage and segment the network efficiently.
- High Traffic: If there's a lot of traffic on your LAN, VLANs can reduce congestion by segmenting the network into smaller, more manageable parts.
- Security Needs: VLANs provide an added layer of security by isolating sensitive data and devices from the rest of the network.
- Broadcast Domains: When users are not on the same broadcast domain, VLANs can help manage and reduce broadcast traffic.
- Departmental Segmentation: VLANs can be used to separate different departments within an organization, ensuring that each department's traffic is isolated and managed separately.
The default VLAN settings on switches are generally inefficient and ineffective. To establish a properly manageable VLAN, more than just a managed switch is required.
How can you set up a proper VLAN?
When discussing Reyee VLAN and the EG series routers, you can create VLANs directly on the router without needing additional managed switches.
For example, with an EG-Router, you can assign a VLAN to each port of the switch, making each switch an extension of the VLAN. However, this approach may not always be practical, especially if one switch is fully utilized while another is only partially used.
When working with VLANs, we recommend also using the manageable switches from Reyee.
Before programming the router and switches and setting the VLANs, it is recommended to document the situation in a diagram. For this tutorial I used Visio from MS 365, which still works well for me.
In the diagram below, we have a network with computers, cameras, recorder with dual LAN connection, a VMS, and a Guest Wi-Fi.
In general, security devices, servers, and network equipment should have static IP addresses, while laptops and other mobile devices are better off with DHCP.
The default VLAN 1 is for the main network: laptops, work PCs, and other company-related devices, all on DHCP except the NVR LAN 1, which has a fixed IP address so that it is easy to reach from the main network.
| VLAN 1 Default 192.168.110.0/24 | | |
|---|---|---|
| NVR LAN 1 | Static IP | 192.168.110.101 |
| Switch RG-ES209GC-P | 70:42:D3:8A:D9:B2 | 192.168.110.202 |
| Switch RG-ES210GC-LP | D4:31:27:B6:B3:BD | 192.168.110.203 |
| WAP | Static IP | 192.168.110.204 |
| VLAN Wi-Fi SSID | 192.168.110.x (DHCP) | |
For the CCTV system, we design VLAN 2 with the IP range 192.168.222.0/24.

| VLAN 2 CCTV 192.168.222.0/24 | | |
|---|---|---|
| NVR LAN 2 | Static IP | 192.168.222.101 |
| Camera 1 | Static IP | 192.168.222.102 |
| Camera 2 | Static IP | 192.168.222.103 |
| Camera 3 | Static IP | 192.168.222.104 |
| VMS | Static IP | 192.168.222.105 |
| VLAN Wi-Fi SSID | 192.168.222.x (DHCP) | |
VLAN 3, 192.168.130.0/24, is for the guests, in isolation.
We recommend adding the Reyee devices in the cloud first, and when all the devices are added in the cloud, go to the EG router eWeb interface.
- Click on Config
- Then go via Network to LAN
- Click on + Add
Enter the details, click on OK, and the VLAN is created.
Now that the VLAN is created, the ports need to be assigned to the VLANs.
When there are no other manageable Reyee switches, the ports on the router can be used to assign a VLAN.
When there are manageable switches in the network, there will be a bit more work to program, and we recommend keeping the ports on the router to function as a trunk port.
The trunk port is needed to let all the VLAN traffic pass through to the internet or to the other switches.
So every uplink, including any port that passes traffic through to another switch carrying more than one VLAN, needs to be set as a trunk port.
Before setting the VLANs on the switch, the VLAN mode needs to be changed to Managed mode.
When this is done, the VLANs can be added.
Click on + Add, enter the VLAN ID corresponding to the one that is created in the router, enter a remark, and click on save.
Then it should look like this picture below.
When the VLANs are also entered in the switch (remember to do this in all the switches), the ports can be assigned to the VLANs.
To assign the ports:
- Click on config
- Interface
- Select the port, or ports
- Set the type to Access, and select the native VLAN
- Click on save
Do the same for the CCTV ports.
Now, to give all the VLANs access to the router and to the other switches that are connected to the router, the uplink needs to be set as a trunk.
- Select the uplink port
- Set the port type to Trunk, and allow the VLANs to pass through
- Click on save
This is how it looks on the other switch with the Reyee Wi-Fi AP connected.
This is also a trunk, because the Wi-Fi is also being used for the VLANs.
Now all the ports are set for the VLANs, so the ports can get an IP address from their VLAN's IP range. However, communication from one VLAN to the others is still possible. This is because the trunk goes to the router, and the router knows the way back to the other VLANs.
Now to prevent this from happening, you need to set up the ACL in the router.
How do you set up the ACL in the router?
For this we recommend using the config page of the router; this can be reached via the cloud and eWeb, or directly via the local config page.
- Open the config page from the router
- Open the behavior menu
- Then Access Control
- Now click on + Add to add a new rule
Here is a sample from the demo that blocks VLAN 3 from having access to VLAN 2.
The focus is on the source IP range and the destination IP range, as well as on the source and destination network, which in this case is the intranet.
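The following added example (not Reyee's configuration format and not part of the original tutorial) audits an ACL rule list against this page's address plan and lists which inter-VLAN paths the router would still route. It assumes rules are directional (source range to destination range), the first matching rule wins, and unmatched traffic is routed as described above; the rule tuples and function names are hypothetical.

```python
import ipaddress
from itertools import permutations

# Address plan from this page.
VLANS = {
    1: ipaddress.ip_network("192.168.110.0/24"),  # default / main network
    2: ipaddress.ip_network("192.168.222.0/24"),  # CCTV
    3: ipaddress.ip_network("192.168.130.0/24"),  # guests
}

# Constructed rule list modelled on the page's sample (block VLAN 3 -> VLAN 2).
# Assumption: each rule is (action, source range, destination range).
SAMPLE_ACL = [("block", "192.168.130.0/24", "192.168.222.0/24")]


def is_blocked(acl, src_net, dst_net):
    """True if the first rule covering the whole src -> dst pair is a block.

    Assumption: with no matching rule the router routes the traffic.
    """
    for action, src, dst in acl:
        if (src_net.subnet_of(ipaddress.ip_network(src))
                and dst_net.subnet_of(ipaddress.ip_network(dst))):
            return action == "block"
    return False


def open_paths(acl, vlans=VLANS):
    """Directed (source VLAN, destination VLAN) pairs that are still routable."""
    return [(s, d) for s, d in permutations(sorted(vlans), 2)
            if not is_blocked(acl, vlans[s], vlans[d])]


def missing_rules(acl, isolated, vlans=VLANS):
    """Block rules still needed so `isolated` neither reaches nor is reached by other VLANs."""
    return [("block", str(vlans[s]), str(vlans[d]))
            for s, d in open_paths(acl, vlans) if isolated in (s, d)]


if __name__ == "__main__":
    for s, d in open_paths(SAMPLE_ACL):
        print(f"VLAN {s} -> VLAN {d} is still routable")
    for rule in missing_rules(SAMPLE_ACL, isolated=3):
        print("rule needed for guest isolation:", rule)
```

With only the sample rule in place, the guest VLAN can still reach the main network, so full guest isolation needs a rule for each remaining path that the audit reports.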