Se­cure net­work de­vices with a man­aged switch

Maximum PC - - R&D - –NICK PEERS

YOU’LL NEED THIS MAN­AGED SWITCH OR ROUTER WITH VLAN SUP­PORT We’re us­ing TP-Link’s TL-SG108E switch, which you can pick up for around

$30-35 on­line, and the Archer VR900 router ($105). 1 PORT-BASED VLANS Routers that sup­port VLANs en­able you to seg­ment your net­work by as­sign­ing sep­a­rate VLANs to in­di­vid­ual Eth­er­net ports. Ev­ery­thing plugged into that port (in­clud­ing any switch you con­nect) be­comes a mem­ber of that VLAN. Some routers—in­clud­ing the TP-Link Archer VR900 we’re fea­tur­ing here [ Im­age A]— can also as­sign wire­less net­works to spe­cific VLANs. 2 CON­FIG­URE YOUR ROUTER Once you’ve con­sulted its man­ual to dis­cover how to set up port-based VLANs, log into your router’s con­fig­u­ra­tion util­ity via your web browser. Archer VR900 users should nav­i­gate to “Ad­vanced > Net­work > LAN Set­tings > In­ter­face Group­ing” [ Im­age B]. Click “Add,” give your group a name, and se­lect which ports and wire­less net­works will be­come part of the new VLAN. Make sure “En­able Group Iso­la­tion” is checked, and click “OK”— this en­sures the VR900 bans any cross-net­work traffic.

Each new VLAN is as­signed a dif­fer­ent sub­net. To see what these set­tings now are, you need to go back to “LAN Set­tings.” Any de­vices con­nected to this VLAN that don’t use DHCP for their net­work set­tings need to be man­u­ally con­fig­ured to ac­cess the new sub­net. EVER WANTED TO SPLIT YOUR NET­WORK in two (or more)? Per­haps you want to di­vide up an In­ter­net con­nec­tion in a shared house­hold, giv­ing ev­ery­one their own pri­vate net­work, or maybe you’re wor­ried about cer­tain de­vices from a se­cu­rity point of view, and would like to iso­late them from the rest of your net­work. Per­haps you’re in­ter­ested in di­vid­ing be­tween home and work, or have heard you might be able to im­prove overall net­work per­for­mance by split­ting off those de­vices that of­ten bring things grind­ing to a halt.

The po­ten­tial so­lu­tion to all these prob­lems is to set up a VLAN (vir­tual LAN). VLAN-ca­pa­ble hard­ware en­ables you to split a sin­gle phys­i­cal net­work into two or more sep­a­rate en­ti­ties. They share your In­ter­net con­nec­tion, but noth­ing else. Many mid to high-end con­sumer routers of­fer VLAN ca­pa­bil­i­ties, while man­aged (or “smart”) switches of­fer vary­ing lev­els of VLAN sup­port, too.

If your router doesn’t seem to sup­port VLANs, visit www.dd-wrt.com to see if it sup­ports the open-source DD-WRT firmware. If it does, re­plac­ing your stock firmware with this—a task we don’t rec­om­mend for less ex­pe­ri­enced users (you could ren­der your router un­us­able)—can give you VLAN ca­pa­bil­i­ties sim­i­lar to those out­lined be­low. 3 EX­TENDED VLAN OPTIONS Man­aged switches, such as TP-Link’s TL-SG108E, also come with sup­port for VLANs, en­abling you to set up VLANs for dif­fer­ent lo­ca­tions in your home us­ing smart switches as the cen­tral point—par­tic­u­larly handy in a pow­er­line net­work, where your switch can’t be di­rectly plugged into the router.

Log in to your SG108E’s Easy Smart Con­fig­u­ra­tion util­ity. Switch to the “VLAN” tab, and you’ll see sev­eral options. “MTU VLAN” is a rough and ready op­tion, en­abling you to quickly iso­late all the ports from each other— but your de­vices re­main vis­i­ble and ac­ces­si­ble to any com­puter not con­nected via the switch. The best op­tion by far is “802.1Q VLAN,” which works by tag­ging net­work traffic in each VLAN with the VLAN ID, en­abling it to be fil­tered ac­cord­ingly. 4 GROUP DE­VICES TO­GETHER Se­lect “802.1Q VLAN,” set its sta­tus to “En­able,” and click “Ap­ply.” You’ll see the “VLAN (1-4094)” field, invit­ing you to cre­ate a num­bered VLAN (num­bers 2–4094 are avail­able).

The “VLAN Name” field is op­tional. As­sum­ing your switch is con­nected to the rest of your net­work via port 1, click “1” un­der “Tagged Ports.” The port can be a mem­ber of mul­ti­ple VLANs, en­abling you to pro­vide In­ter­net ac­cess

to all the VLANs you cre­ate. Next, se­lect the ports you wish to iso­late from the rest of your net­work, by click­ing their num­bers in turn un­der “Un­tagged Ports.” Click “Ap­ply.” Now se­lect “802.1Q PVID Set­ting” in the left-hand menu. Type the VLAN ID you set up into the “PVID” field, then check all the un­tagged ports you’re iso­lat­ing, and click “Ap­ply” [ Im­age C].

The ef­fect should be im­me­di­ate. Try ping­ing any of the de­vices on this switch from your PC via a com­mand prompt, and you should get no re­sponse, or a “des­ti­na­tion un­reach­able” er­ror [ Im­age D]. Con­grat­u­la­tions—you’ve just iso­lated these de­vices from the rest of your net­work; they should still have In­ter­net ac­cess, en­abling you to re­motely con­nect to smart home equip­ment, for ex­am­ple. Add more VLANs to split de­vices fur­ther. 5 EX­TEND VLAN If you have two or more man­aged switches, you can ex­tend your VLANs from one switch to the next, which en­ables you to group de­vices to­gether into the same VLAN, even if they’re on dif­fer­ent switches. In this sce­nario, only one of your switches needs to be con­nected to your router—the other is con­nected daisy-chain fash­ion to the first switch. The di­a­gram [ Im­age E] re­veals how this works in prac­tice—we tested this suc­cess­fully us­ing TP-Link SG108E and TP-Link SG2008 switches.

First, make sure the switches are con­nected as shown, then open the Easy Smart Con­fig­u­ra­tion Util­ity on the SG108E, and nav­i­gate to the “802.1Q VLAN” sec­tion. Fol­low the ad­vice in step four to set up your two VLANs as shown in the di­a­gram—re­mem­ber, port 1 is tagged, and all other ports are un­tagged. Don’t for­get to set the PVIDs. Click “Save” when you’re done. 6 SET UP SEC­OND SWITCH Now log on to your sec­ond switch—in the case of the SG2008, this is through your web browser us­ing its IP ad­dress. Here, nav­i­gate to “VLAN.” Type “101” into the “VLAN ID” box, and click “Cre­ate,” then re­peat to cre­ate VLAN 102.

Next, check the box next to “101” in the VLAN ta­ble. Set port 1 to un­tagged and port 2 to tagged, both with a PVID of 1, and set ports 3–5 as un­tagged, with a PVID of 101 [ Im­age F]. Click “Ap­ply,” then se­lect “102” in the VLAN ta­ble, set ports 1 and 2 as pre­vi­ously, and ports 6–8 to un­tagged, with a PVID of 102. Click “Ap­ply” again.

You should now find that de­vices can only see other de­vices within the same VLAN us­ing the ping test. In­ter­net ac­cess should be avail­able to both VLANs. Any de­vices con­nected to ei­ther switch that aren’t placed in ei­ther VLAN re­main vis­i­ble to both VLAN groups and the rest of your net­work. Job done.

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.