Redoing Home Network
-
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
-
@JaredBusch said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@Dashrender said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@Dashrender said in Redoing Home Network:
I'm with JB - You should save the money and get an ER-4. The processor is the same.
POE can be done in the switches, so no need for that in the router.
The ER-4 is nearly half the ER-6.
I already ordered the pieces. Thanks for your input though. I needed a router with 4 ports for my 4 rooms plus the incoming port. I plan to use and learn everything about it.
Do you really need four ports? I suppose if you don't have a core switch, and the switches in each room go directly to the firewall, then sure.
That was my plan yes. Router with 4 ports so I could directly connect a switch in each of the rooms. I'm being that's not a good idea.
Your router is not (should not) be your core switch.
Yes, if the router has a switch chip like the ER-X does, it could be your core switch, but you seriously should not think like that.
As I said your router needs 2 ports. WAN and LAN. Period. Can have more but that is all you need.
When you have a need for segregation, sure, use another port as a LAN 2, or just use a VLAN on LAN 1. Does not really matter which you do.
Got it, thanks for the explanation. I had read that it did not matter whether you used VLANs or just separate LANs if you needed to segregate portions of traffic. That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
-
@jt1001001 said in Redoing Home Network:
I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
The theory there is protecting device to device attacks because it is assumed that the device will be compromised, and be able to breach another unprotected device. It's based on the assumption that people aren't LANless.
And that's very true. But is totally different than keeping the traffic from mingling.
-
@jmoore said in Redoing Home Network:
That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
-
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well, in my readings, they say either method will increase security, as traffic is not supposed to travel between VLANs, for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
-
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well, in my readings, they say either method will increase security, as traffic is not supposed to travel between VLANs, for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a VLAN and be done with it.
-
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a VLAN and be done with it.
No, there is really no scenario where that would make sense. You can't separate the traffic on a single network.
-
@JaredBusch said in Redoing Home Network:
Yes, if the router has a switch chip like the ER-X does, it could be your core switch, but you seriously should not think like that.
Got it, I won't forget this lesson either. I was going to do the separate LANs as a learning exercise in getting it set up, but from what it sounds like, it is pretty worthless even as an exercise. Thanks for your opinions!
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well, in my readings, they say either method will increase security, as traffic is not supposed to travel between VLANs, for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
Yep, and that wasn't explained in my readings. Hence my inaccurate impressions.
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a VLAN and be done with it.
No, there is really no scenario where that would make sense. You can't separate the traffic on a single network.
Ok. Hopefully it won't be an issue with her boss.
-
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well, in my readings, they say either method will increase security, as traffic is not supposed to travel between VLANs, for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
What about routing VLAN traffic on an L3 switch? Does that then classify as a "router"?
-
@scottalanmiller wouldn't you use firewall rules to separate the traffic? (either a separate firewall or rules in the router if we're using a router/firewall combo, and yes, I know today firewall/router are essentially the same thing)
-
@jmoore said in Redoing Home Network:
@JaredBusch said in Redoing Home Network:
Yes, if the router has a switch chip like the ER-X does, it could be your core switch, but you seriously should not think like that.
Got it, I won't forget this lesson either. I was going to do the separate LANs as a learning exercise in getting it set up, but from what it sounds like, it is pretty worthless even as an exercise. Thanks for your opinions!
Do it as a learning exercise, yes. But don't leave it like that for your house. Go back to a single LAN after you've learned what it does and how to set it up.
But really, there's nothing to learn. It's so simple. It's barely more than plugging it all in.
-
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
That's why I planned things out the way I did. I had set up VLANs before and wanted to do it the other way now, since I was under the impression it accomplished the same thing.
It does. One is just the virtual version of the other. In the old days, we always had physically separated hubs. Once we got big switches, people wanted to recreate the physical separation sometimes, hence VLANs.
Ok cool, thanks. If I have to end up separating traffic, I'll just use a VLAN and be done with it.
No, there is really no scenario where that would make sense. You can't separate the traffic on a single network.
Ok. Hopefully it won't be an issue with her boss.
Her boss doesn't know what a VLAN is, or a LAN, or anything of the sort. Either it's an issue to her boss no matter what, or it's not no matter what. The one thing you know for certain, is that nothing you do will make a difference either way.
-
@brandon220 said in Redoing Home Network:
@scottalanmiller said in Redoing Home Network:
@jmoore said in Redoing Home Network:
@jt1001001 said in Redoing Home Network:
Question: does it make sense to segment certain traffic because of security concerns? I'm thinking of the blanket statements (never backed up with fact, by the way) I've seen to segment "IoT" devices in the home because of lack of security (E.G they get hacked and said hacker now has access to your entire network).
Well, in my readings, they say either method will increase security, as traffic is not supposed to travel between VLANs, for example. However, as I've learned today, not everything you read in cert books is accurate. So definitely get a few opinions with details.
They don't, unless those VLANs go into a ROUTER! LOL
What about routing VLAN traffic on an L3 switch? Does that then classify as a "router"?
It absolutely is a router, anything that routes at L3 is a router. That's why L3 switches are technically "multi-port routers". However, in the real world, all L3 "switches" use specialty hardware to make it able to do the routing extremely fast. Never as fast as an L2 true switch with similar hardware, but fast enough to hit line speed.
-
@jt1001001 said in Redoing Home Network:
@scottalanmiller wouldn't you use firewall rules to separate the traffic? (either a separate firewall or rules in the router if we're using a router/firewall combo, and yes, I know today firewall/router are essentially the same thing)
No, the traffic is still mixed in the router. "Separating traffic" is never a thing. What is a thing is "ability to attack each other". You already do that, right? You have firewalls on each device to already limit which devices can talk to each other.
The VLAN + Firewall combination is only ever a secondary security tool to do a very rudimentary duplication of what should already exist on a per machine basis. That doesn't make it bad, we just have to be realistic. It's not about separating traffic (that's done in the switch on every network anywhere), nor about providing a block to attacks, it's about attempting to block an attack on another layer of attack blocking.
-
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
-
@jmoore said in Redoing Home Network:
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
So in what situation do VLANs make the most sense, and what is their purpose there? Just security, to keep machines from talking to each other?
-
@jmoore said in Redoing Home Network:
@scottalanmiller Ok appreciate the video. That was enlightening. Half of what I studied is probably wrong lol. I didn't realize that cert was so bad, or I would have just skipped it entirely. Their blanket statements about things definitely caused me to make some bad decisions. However, I should have dug deeper into the material. I just figured I would encounter deeper info in later certs. So, thanks for the explanation!
CompTIA doesn't do later certs, as those would require, you know, hiring IT people that actually know material lol