MAC-Based-VLAN, Dot1x, Best Practices


Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
I'm moving into a new house next month. One of the projects is networking the whole place as it has none currently. It will include 3 switches (4 physical, but two will be stacked together), dual fiber 10G uplinks between switches, and dual Cat 6 (maybe 6a) to most rooms. The patch panels will be located in the basement along with the stacked switch.

The switches support MAC-based VLAN and Dot1x Port Authentication. I currently have RADIUS configured to do Dot1x user authentication on the switches.

What's the best practice when it comes to VLANs in the house? I am going to have the following VLANs:
1 - Default (unused)
2 - Voice (VOIP)
3 - Cameras (POE IP)
4 - Guest (internet access only)
5 - Management
10 - Private (all my personal stuff)
20 - Roommate1 (his room's ports + any of his devices)
30 - Roommate2 (his room's ports + any of his devices)

What's the best way to go about making this a streamlined setup? It appears if I do MAC-Based-VLANs in the switches, I'll have to put each entry into each switch individually and this can get tedious and they may not be synced between them as devices come and go.

Can I set up normal VLANs with tagged and untagged port memberships and default vlans on various ports for specific rooms, then add Dot1x Port Authentication on top of that? I can make Dot1x just look at the MAC and determine VLAN based on that, right? If it's an unknown device, then use captive portal to ask for login info and set up VLAN that way?

I'm trying to learn a lot here as I take on this personal project, so some reading and how-to material would be appreciated.

FYI, I am using all Netgear switches as that's what I have already.
 

neggles

is 34 Xeons too many?
Sep 2, 2017
Melbourne, AU
omnom.net
I'd just be manually assigning access VLANs to various ports for specific purposes. Dealing with MAC-based authentication is a nightmare without using a centralized NAC system, and for a home environment (even a nerdy home environment) it's going to cause far, far more trouble than it's worth - do you really want to spend hours troubleshooting why your roommate can't get his <device> to connect? MAC-based auth is also barely security at all since MACs are easily spoofed.

Use a layer-3 capable switch stack in the core, use it for inter-VLAN routing, and split your VLANs a bit less, IMO. Then assign separate SSIDs for each client-machine and guest VLAN.

VL10 - Management
VL20 - Servers (your stuff, configured with IP ACLs to let roommates access Plex, say)
VL30 - Clients (your stuff, but non-server gear - your WiFi SSID connects here)
VL40 - Security (IP cameras, ACL'd to only be allowed to talk to your NVR device/server)
VL50 - Untrusted (Roommates go here - no need to split them into their own independent VLANs if they don't want it, and it saves an SSID)
VL60 - Guest (ACL'd to only allow access to internet and whatever other services you like)

Configure trunk ports and access ports with specific allowed VLANs, and let the L3 switch handle inter-VLAN routing and access control with ACLs. If you're running a full blown NAC with captive portal, you could also use 802.1x port/MAC based auth if you're dead set on it, but there are limits - IMO a home network needs, first and foremost, to just work. Especially when you're sharing it with others.
 
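An added example, not from the thread or from any vendor: a small Python model of the first-match ACL policy suggested above, so the rule order can be checked before it is typed into the switch. It assumes one /24 per VLAN and assumed NVR and Plex host addresses on the Servers VLAN.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed for this example): one /24 per VLAN.
VLANS = {
    10: ip_network("10.0.10.0/24"),  # Management
    20: ip_network("10.0.20.0/24"),  # Servers
    30: ip_network("10.0.30.0/24"),  # Clients
    40: ip_network("10.0.40.0/24"),  # Security (IP cameras)
    50: ip_network("10.0.50.0/24"),  # Untrusted (roommates)
    60: ip_network("10.0.60.0/24"),  # Guest
}
NVR = ip_network("10.0.20.5/32")    # assumed NVR host on the Servers VLAN
PLEX = ip_network("10.0.20.10/32")  # assumed Plex host on the Servers VLAN
ANY = ip_network("0.0.0.0/0")
INTERNAL = list(VLANS.values())

# Inbound ACL per source VLAN: (action, destination network, TCP/UDP port or None).
# Rules are evaluated top-down, first match wins, and an applied ACL ends in an
# implicit deny (true of Cisco-style ACLs; check your switch's documentation).
ACLS = {
    40: [("permit", NVR, None)],                       # cameras reach only the NVR
    50: [("permit", PLEX, 32400)]                      # roommates: Plex only ...
        + [("deny", net, None) for net in INTERNAL]    # ... nothing else internal ...
        + [("permit", ANY, None)],                     # ... but the internet works
    60: [("deny", net, None) for net in INTERNAL]      # guests: internet only
        + [("permit", ANY, None)],
}

def evaluate(src_vlan, dst_ip, dst_port):
    """Decide a flow routed out of src_vlan. VLANs with no ACL are unrestricted."""
    if src_vlan not in ACLS:
        return "permit"
    dst = ip_address(dst_ip)
    for action, net, port in ACLS[src_vlan]:
        if dst in net and (port is None or port == dst_port):
            return action
    return "deny"  # implicit deny at the end of every applied ACL

def shadowed(acl):
    """Indices of rules that can never match because an earlier rule covers them."""
    hits = []
    for i, (_, net, port) in enumerate(acl):
        for _, earlier_net, earlier_port in acl[:i]:
            if net.subnet_of(earlier_net) and earlier_port in (None, port):
                hits.append(i)
                break
    return hits
```

Forgetting the trailing permit-any on the Untrusted or Guest ACL is the classic mistake here: the implicit deny silently takes the roommates' internet with it, and `shadowed` catches the opposite error of a broad deny placed before the Plex permit.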

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
I'm not dead set on 802.1x but haven't been reading up on it and thought it actually sounded easier by having that centralized RADIUS server set VLAN by MAC. Sure it can be spoofed, but no one I know who will have access even knows what a MAC is.

As far as the L3 switch doing the routing with ACLs, is this equivalent in security to using pfSense to do the routing with firewall rules granting fine times source/destination port access? I've never used L3 routing on a switch. In fact, my planned core switch (XSM7224S) doesn't have L3 routing without an expensive license, just L2+. I understand this method would be better though as the switch performance would be way better than pfSense performance.

I appreciate your input and will adopt your VLAN strategy. I like the servers and clients split up idea.
 

StammesOpfer

Active Member
Mar 15, 2016
The only reason to use 802.1x VLAN mapping in this instance would be if you have to deal with wired clients in a common area where you want the port to map to a different VLAN depending on the device. Like if it is your laptop then you get your VLAN, but if a roommate plugs in their computer they get their VLAN. This is super convenient, but how often is it really going to happen? Otherwise it is much, much easier to just statically assign VLANs to the ports and map SSIDs to VLANs.
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
Thanks StammesOpfer. I believe it would be rather rare for people to plug things in in common areas and that can be dealt with myself for any config change requirements, if even needed.

As far as SSID mapping to VLANs goes... what AP options are there that support multiple SSIDs and VLANs?
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
I will certainly get some pics once I begin setting it up in the new place. Right now everything is in a boring rack in my basement where I am renting still. I am waiting on 2 POE switches (for AP and security camera runs). Otherwise all I need are cables.
 

neggles

is 34 Xeons too many?
Sep 2, 2017
Melbourne, AU
omnom.net
Blue)(Fusion said:
I'm not dead set on 802.1x but haven't been reading up on it and thought it actually sounded easier by having that centralized RADIUS server set VLAN by MAC. Sure it can be spoofed, but no one I know who will have access even knows what a MAC is.

As far as the L3 switch doing the routing with ACLs, is this equivalent in security to using pfSense to do the routing with firewall rules granting fine times source/destination port access? I've never used L3 routing on a switch. In fact, my planned core switch (XSM7224S) doesn't have L3 routing without an expensive license, just L2+. I understand this method would be better though as the switch performance would be way better than pfSense performance.

I appreciate your input and will adopt your VLAN strategy. I like the servers and clients split up idea.

From the looks of things, you should be able to do everything you might want to with that switch - it does IP ACLs, and inter-VLAN routing, with the base license. You'd need to add the upgrade license to get dynamic routing like OSPF or RIP, but you don't need that for a basic setup.

As you're running 10GbE, you're really going to want to do inter-VLAN routing on the switch, or your capacity between VLANs will be heavily impacted by your pfSense performance.

I wrote a bunch more here but the forums ate it... I'd suggest doing some reading around here and on r/networking / through the switch doco to see what questions you need to ask :)

It might also be worth looking at something used and cisco-y if you can, since the troubleshooting will be much easier given the wealth of cisco knowledge available, but they're going to be loud and expensive by comparison, I suspect.

Maybe even look at using a Quanta LB6M with the Brocade TurboIron setup that was just featured on the main site if you're not afraid to get your hands dirty :)
 

Blue)(Fusion

Active Member
Mar 1, 2017
Chicago
@neggles ,

I have been very interested in the "BrokeAid" solution that recently popped up here. If I hadn't bought a Netgear 24-port SFP+ switch on eBay a few weeks earlier, I'd have absolutely gotten one.

Thanks for the encouragement and info. I definitely want to learn VLAN routing and ACLs on the switch. I've been reading around /r/networking and here already. The Netgear documents aren't great at explaining the operation, just a copy-paste kind of how-to.