Layer 2 or 3 switch?
TL;DR: figured out that I need to get a router, not a switch.
Hello everyone, even though I am an IT expert for servers, my knowledge is very little when it comes to networking. So I ended up in this subreddit when I was asked to isolate 4 devices into a VLAN at my home. If I understood my sources correctly, I need a layer 3 switch to route and aggregate the traffic, can you confirm that? Do you have some suggestions?
But first some more information about my network: Internet is provided by a FritzBox 6591 Cable. Then 2 switches supply approx. 24 wall sockets and two Ubiquiti In-Wall Access Points. Now I need to put some IoT devices into the garage, which is accessible from outside. I will lay a new cable.
I want to limit internet access of those IoT devices to specified web services, I want no access from those devices to my normal home devices, and (optional) in some cases I want to access the devices in the garage (port 8080 or 80 or so).
At first I came up with this: https://eu.store.ui.com/collections/unifi-network-routing-switching/products/unifi-switch-lite-8-poe but I am not sure if a layer 2 switch is sufficient for my use case (to store the routing rules). The difference to a layer 3 switch: https://eu.store.ui.com/collections/unifi-network-routing-switching/products/switch-enterprise-8-poe is huge.
It would be great to get some suggestions from you. Maybe you have a clue. Thank you very much! Ben
[EDIT1:] My problem is that my ISP router (FritzBox Cable) does not provide any VLAN functionality or similar. I can add a static route and I can filter the outgoing traffic based on the device, but this is not really what I want.
So I thought a Layer 3 switch would solve my problem. But to be honest, I get the feeling I rather need another router (including some firewall features) instead of a Layer 3 or Layer 2 switch.
Am I on the right track?
VLANs can be handled by L2 or L3 switches.
L3 switches add a modicum of routing functionality to the L2 switch so that inter-VLAN traffic can be routed by the switch itself instead of needing to go all the way up to the router. That's very useful in enterprise networks, a lot less so in smaller networks.
With an L2 switch, you need a router that understands VLANs. With an L3 switch, you need a router that understands multiple subnets (i.e. has more advanced routing tables than basic consumer routers).
Most Unifi switches like the Lite 8 PoE are L2-only. Some like the "Pro" ones are L3, although the L3 functionality has been late to come (they shipped the hardware years before the firmware) and I am not sure where they really are currently.
As my router has no real firewall appliance and no way to handle VLANs except for static routes, I guess I need a real router that allows me to manage all this (or get a firewall appliance as recommended here in other posts). What do you think about the UI EdgeRouter X? It has 4 ports (4 VLANs, extensible with layer 2 switches) and I hope it could handle all my requirements (?).
The normal use case for what you're trying to do is a simple layer 2 managed switch used in conjunction with a router/firewall that can create VLANs and manage the firewall rules controlling what is allowed to go where. I use a basic 8-port managed D-Link switch along with OPNsense running on a mini PC to manage 3 VLANs (LAN, IOT, & guest).
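The design in this comment (and in the earlier reply about L2 vs L3 switches) is that the managed switch only tags VLANs on a trunk port, while the router/firewall terminates the VLAN sub-interfaces, routes between them and enforces policy. As an added example, not the commenter's OPNsense configuration and not code from the thread, the script below shows the same thing on a Linux router with iproute2 and nftables, implementing the original poster's three requirements: IoT may reach only listed web services, IoT may never initiate traffic to the home LAN, and the home LAN may reach the garage devices on ports 80 and 8080. The interface names (enp1s0, enp2s0), VLAN IDs 10/20, the subnets and the 203.0.113.x "allowed web service" addresses are all assumed placeholders.

```shell
#!/bin/sh
# Added example: router-on-a-stick for two VLANs delivered over one trunk
# port from an L2 managed switch, with an nftables default-deny forward
# policy. All names, IDs and addresses below are assumptions for
# illustration (203.0.113.0/24 is documentation address space).

TRUNK_IF="enp1s0"     # assumed trunk port towards the managed switch
WAN_IF="enp2s0"       # assumed uplink towards the ISP box
LAN_VID=10; LAN_NET="192.168.10.0/24"; LAN_GW="192.168.10.1/24"
IOT_VID=20; IOT_NET="192.168.20.0/24"; IOT_GW="192.168.20.1/24"

# Print (rather than run, so no root is needed) the commands that create
# one routed sub-interface per VLAN on the trunk and enable forwarding.
vlan_setup() {
  cat <<EOF
ip link add link $TRUNK_IF name $TRUNK_IF.$LAN_VID type vlan id $LAN_VID
ip link add link $TRUNK_IF name $TRUNK_IF.$IOT_VID type vlan id $IOT_VID
ip addr add $LAN_GW dev $TRUNK_IF.$LAN_VID
ip addr add $IOT_GW dev $TRUNK_IF.$IOT_VID
ip link set $TRUNK_IF.$LAN_VID up
ip link set $TRUNK_IF.$IOT_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Print the nftables ruleset: forwarding is dropped by default and only
# the flows the poster asked for are opened explicitly.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet vlan_fw {
  # constructed placeholder addresses for the permitted web services
  set iot_allowed_web {
    type ipv4_addr
    elements = { 203.0.113.10, 203.0.113.11 }
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    # stateful: replies to permitted flows need no extra rules
    ct state established,related accept
    ct state invalid drop

    # 1) IoT may reach only the listed web services on the internet
    iifname "$TRUNK_IF.$IOT_VID" oifname "$WAN_IF" ip daddr @iot_allowed_web tcp dport { 80, 443 } accept

    # 2) IoT must never initiate traffic towards the home LAN (logged)
    iifname "$TRUNK_IF.$IOT_VID" ip daddr $LAN_NET log prefix "iot-to-lan-blocked " drop

    # 3) home LAN may manage the garage devices on 80/8080
    iifname "$TRUNK_IF.$LAN_VID" oifname "$TRUNK_IF.$IOT_VID" tcp dport { 80, 8080 } accept

    # home LAN keeps normal internet access
    iifname "$TRUNK_IF.$LAN_VID" oifname "$WAN_IF" accept
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Stand-alone run: show both parts of the configuration.
vlan_setup
nft_ruleset
```

The switch side is independent of this: the port towards the router carries VLANs 10 and 20 tagged, the garage port is untagged in VLAN 20, and the ports for the normal home devices are untagged in VLAN 10. Before applying, an operator would save the ruleset to a file and run `nft -c -f` on it (root required) to syntax-check it. The `log prefix` on rule 2 is what makes blocked IoT-to-LAN attempts visible in the router's logs, which is the visibility the other replies ask for.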
That doesn't sound bad, but I need to buy that mini PC too. If I got you right, your mini PC has several LAN ports (for each VLAN) and does routing, VLAN, and firewall?
I personally don't get the need for a managed switch outside of meganetworks.
I want my router to be network god and see all. The router can decide what goes where and why it does or doesn't. And if something tries to do something it shouldn't, I both want to know it happened, it was logged, and it was prevented, which comes from my router logs.
I'm a huge managed L2 switch guy, and if that makes me stupid and in the minority, cool. More switches for me at a discount that nobody else wants.