Secure network devices with a managed switch
EVER WANTED TO SPLIT YOUR NETWORK in two (or more)? Perhaps you want to divide up an Internet connection in a shared household, giving everyone their own private network, or maybe you’re worried about certain devices from a security point of view, and would like to isolate them from the rest of your network. Perhaps you’re interested in dividing between home and work, or have heard you might be able to improve overall network performance by splitting off those devices that often bring things grinding to a halt.

The potential solution to all these problems is to set up a VLAN (virtual LAN). VLAN-capable hardware enables you to split a single physical network into two or more separate entities. They share your Internet connection, but nothing else. Many mid to high-end consumer routers offer VLAN capabilities, while managed (or “smart”) switches offer varying levels of VLAN support, too.

If your router doesn’t seem to support VLANs, visit www.dd-wrt.com to see if it supports the open-source DD-WRT firmware. If it does, replacing your stock firmware with this—a task we don’t recommend for less experienced users (you could render your router unusable)—can give you VLAN capabilities similar to those outlined below.

YOU’LL NEED THIS
MANAGED SWITCH OR ROUTER WITH VLAN SUPPORT. We’re using TP-Link’s TL-SG108E switch, which you can pick up for around $30-35 online, and the Archer VR900 router ($105).

1 PORT-BASED VLANS
Routers that support VLANs enable you to segment your network by assigning separate VLANs to individual Ethernet ports. Everything plugged into that port (including any switch you connect) becomes a member of that VLAN. Some routers—including the TP-Link Archer VR900 we’re featuring here [Image A]—can also assign wireless networks to specific VLANs.

2 CONFIGURE YOUR ROUTER
Once you’ve consulted its manual to discover how to set up port-based VLANs, log into your router’s configuration utility via your web browser. Archer VR900 users should navigate to “Advanced > Network > LAN Settings > Interface Grouping” [Image B]. Click “Add,” give your group a name, and select which ports and wireless networks will become part of the new VLAN. Make sure “Enable Group Isolation” is checked, and click “OK”—this ensures the VR900 bans any cross-network traffic.

Each new VLAN is assigned a different subnet. To see what these settings now are, you need to go back to “LAN Settings.” Any devices connected to this VLAN that don’t use DHCP for their network settings need to be manually configured to access the new subnet.

3 EXTENDED VLAN OPTIONS
Managed switches, such as TP-Link’s TL-SG108E, also come with support for VLANs, enabling you to set up VLANs for different locations in your home using smart switches as the central point—particularly handy in a powerline network, where your switch can’t be directly plugged into the router.

Log in to your SG108E’s Easy Smart Configuration utility. Switch to the “VLAN” tab, and you’ll see several options. “MTU VLAN” is a rough and ready option, enabling you to quickly isolate all the ports from each other—but your devices remain visible and accessible to any computer not connected via the switch. The best option by far is “802.1Q VLAN,” which works by tagging network traffic in each VLAN with the VLAN ID, enabling it to be filtered accordingly.

4 GROUP DEVICES TOGETHER
Select “802.1Q VLAN,” set its status to “Enable,” and click “Apply.” You’ll see the “VLAN (1-4094)” field, inviting you to create a numbered VLAN (numbers 2–4094 are available). The “VLAN Name” field is optional. Assuming your switch is connected to the rest of your network via port 1, click “1” under “Tagged Ports.” The port can be a member of multiple VLANs, enabling you to provide Internet access to all the VLANs you create. Next, select the ports you wish to isolate from the rest of your network, by clicking their numbers in turn under “Untagged Ports.” Click “Apply.” Now select “802.1Q PVID Setting” in the left-hand menu. Type the VLAN ID you set up into the “PVID” field, then check all the untagged ports you’re isolating, and click “Apply” [Image C].

The effect should be immediate. Try pinging any of the devices on this switch from your PC via a command prompt, and you should get no response, or a “destination unreachable” error [Image D]. Congratulations—you’ve just isolated these devices from the rest of your network; they should still have Internet access, enabling you to remotely connect to smart home equipment, for example. Add more VLANs to split devices further.

5 EXTEND VLAN
If you have two or more managed switches, you can extend your VLANs from one switch to the next, which enables you to group devices together into the same VLAN, even if they’re on different switches. In this scenario, only one of your switches needs to be connected to your router—the other is connected daisy-chain fashion to the first switch. The diagram [Image E] reveals how this works in practice—we tested this successfully using TP-Link SG108E and TP-Link SG2008 switches.

First, make sure the switches are connected as shown, then open the Easy Smart Configuration Utility on the SG108E, and navigate to the “802.1Q VLAN” section. Follow the advice in step four to set up your two VLANs as shown in the diagram—remember, port 1 is tagged, and all other ports are untagged. Don’t forget to set the PVIDs. Click “Save” when you’re done.

6 SET UP SECOND SWITCH
Now log on to your second switch—in the case of the SG2008, this is through your web browser using its IP address. Here, navigate to “VLAN.” Type “101” into the “VLAN ID” box, and click “Create,” then repeat to create VLAN 102.

Next, check the box next to “101” in the VLAN table. Set port 1 to untagged and port 2 to tagged, both with a PVID of 1, and set ports 3–5 as untagged, with a PVID of 101 [Image F]. Click “Apply,” then select “102” in the VLAN table, set ports 1 and 2 as previously, and ports 6–8 to untagged, with a PVID of 102. Click “Apply” again.

You should now find that devices can only see other devices within the same VLAN using the ping test. Internet access should be available to both VLANs. Any devices connected to either switch that aren’t placed in either VLAN remain visible to both VLAN groups and the rest of your network. Job done.
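As an added worked example (not from the article or TP-Link), here is a small Python model of how the tagged/untagged memberships and PVIDs from steps 4 to 6 decide which ports can exchange frames, so you can sanity-check a planned layout before configuring the switches. The port allocations, the trunk cable between the two switches, the router's position and the untouched factory VLAN 1 are assumptions.

```python
# Constructed model of the 802.1Q forwarding set up in steps 4-6; port
# allocations, trunk cabling and the default VLAN 1 are assumptions.
SWITCHES = {
    "SG108E": {  # port 1 tagged uplink, ports 2-4 in VLAN 101, 5-8 in 102
        "pvid": {1: 1, 2: 101, 3: 101, 4: 101, 5: 102, 6: 102, 7: 102, 8: 102},
        "vlans": {
            1: {p: "U" for p in range(1, 9)},  # factory default, all ports
            101: {1: "T", 2: "U", 3: "U", 4: "U"},
            102: {1: "T", 5: "U", 6: "U", 7: "U", 8: "U"},
        },
    },
    "SG2008": {  # as in step 6: port 1 untagged, port 2 tagged, both PVID 1
        "pvid": {1: 1, 2: 1, 3: 101, 4: 101, 5: 101, 6: 102, 7: 102, 8: 102},
        "vlans": {
            1: {p: "U" for p in range(1, 9)},
            101: {1: "U", 2: "T", 3: "U", 4: "U", 5: "U"},
            102: {1: "U", 2: "T", 6: "U", 7: "U", 8: "U"},
        },
    },
}
# Assumed cabling: SG108E port 1 <-> SG2008 port 2; router on SG2008 port 1.
LINKS = {("SG108E", 1): ("SG2008", 2), ("SG2008", 2): ("SG108E", 1)}

def ingress_vid(sw, port, tag):
    """VLAN a frame is classified into on arrival (None = dropped)."""
    if tag is None:                 # untagged frame: the port's PVID decides
        return sw["pvid"][port]
    return tag if port in sw["vlans"].get(tag, {}) else None

def reachable(src, dst, tag=None, seen=None):
    """Can an untagged frame from src=(switch, port) reach the device on dst?"""
    seen = set() if seen is None else seen
    name, port = src
    vid = ingress_vid(SWITCHES[name], port, tag)
    if vid is None or (src, tag) in seen:
        return False
    seen.add((src, tag))
    for out, mode in SWITCHES[name]["vlans"][vid].items():
        if out == port:             # never flood back out the ingress port
            continue
        out_tag = vid if mode == "T" else None
        if (name, out) == dst:
            return out_tag is None  # end devices only understand untagged
        nxt = LINKS.get((name, out))
        if nxt and reachable(nxt, dst, out_tag, seen):
            return True
    return False
```

Querying the router's port against any device port shows the effect described in the last paragraph: anything that stays on VLAN 1 can still reach every isolated group, because VLAN 1 keeps all ports as members.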