Vlans and a PoE switch

Hello all.
My network consists of the following:
router => unmanaged PoE switch==>wireless AP

I am currently powering the AP from an unmanaged PoE switch and all seems to work. However, when I plug my wired PoE camera into the switch, it is not assigned an IP and I cannot see it on the network. I assume this is because I do not have a managed switch...despite my wifi AP working. Is there something I am missing? Or is my only choice to get a managed PoE switch?

This is the switch I have:

If I got a managed switch, would everything just work when I plugged it in?

You mention VLANs in the topic, where exactly do they come into play?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network # say where the camera goes.
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

My apologies, I forgot to add that important detail!

The vlans are:
192.168.2.1
192.168.3.1
192.168.11.1

I have a single wire running from my router to the unmanaged PoE switch.

The AP is on 192.168.11.1

I want the camera to be on 192.168.3.1

I guess there is no way for the switch to separate the two...

A managed switch is required when using VLANs.

That is correct, an unmanaged switch can not separate anything. At best, depending on its chipset, it can transparently forward all VLANs from the upstream to all ports, and leave it to the devices which VLAN they attach to.

K. That was what I figured.

If I set the IP addresses as static on the camera and AP, would they then be forced into their VLAN?

…and just to state the obvious, there are:

  • unmanaged switches
  • unmanaged switches with basic PoE capabilities
    • active/ non-configurable
    • 'passive PoE' (dangerous)
  • managed switches
  • managed switches with 'full' PoE capabilities

you'd need the latter.

1 Like

No. Devices join VLANs by tagging their ports with the respective VLAN ID, or by an upstream device (like a managed switch) that only gives them a certain VLAN. If they could force themselves into VLANs by simply assuming addresses within the respective network ranges, that wouldn't be effective segmentation, would it?

True, I understand.

In the interest of keeping my budget down (for the sake of adding a whopping 3 cameras) maybe it would make sense for me to configure this some other way. I suppose I could use a second router as a managed switch, use it between the PoE and the cameras, then power the AP directly and plug that into the 2nd router?

I'll take a look at this guide unless anyone has a better suggestion:

Thank you all for your unbelievably fast help and responses!

This switch is wire speed with 9000 MTU, it can transport VLAN-tagged packets minus VLAN isolation.

There are two (well three, if you go all-in) options here, depending on how much you need to segregate your network.

  • keeping your unmanaged PoE switch, connecting it to an 'access port' on your router (only a single VLAN, untagged), using the other 3(?) LAN ports to connect cheap non-PoE/ unmanaged switches with different VLANs (a single untagged VLAN per port at most). For limited home uses, this may be 'good enough', but there is a hard limit on the number of possible VLANs (typically 4, corresponding to the number of LAN ports on your router) - and quickly having multiple unmanaged switches each with their own network becomes cumbersome, from a cable management and power consumption point of view - with no flexibility
  • getting a cheap non-PoE managed switch and keeping the unmanaged-PoE one for the cameras alone, single untagged VLAN/ network again
  • going all-in, new managed PoE switch to handle everything

There are viable usage scenarios for each of these options.

Don't waste your time. Buy a quality managed poe switch with the number of ports/power budget you need. Netgear makes nice fanless ones.

Or cobble together something. In a few months, you will buy more cameras/other PoE devices, expand/change your network, and realize you shouldn't have cheaped out.

Note: Your NVR/NAS should be plugged into the switch that has all your IP cameras.

Thanks all, I see a TPlink and Netgear which will suffice.

Quick question: If I am going to purchase additional hardware, I would like to know if it is possible for me to use one of the ports on the PoE as just a standard gigabit port...no power. It seems like this is possible through the switch sw menu. However, is that advisable? Is there a risk if it resets or has a hardware failure and supplies power over that line to a connected computer?

Yes, if you get a standards-compliant IEEE 802.3 at/af/bt PoE switch, and there's no reason why you wouldn't. Those do not immediately send power, they test first whether the connected device presents as PoE-powered. If so, they send power, if not, they behave like regular ethernet.

Older or cheap nonstandard PoE gear may be "passive" PoE. Those always send power and can be dangerous to devices that don't expect it. Avoid those.

1 Like

Thanks. Yes, I went ahead and ordered a newer Netgear. Seems like it's safe and has 802.3af/at PoE.

A few things that are worth pointing out:

  1. VLAN isolation is a commonly desired reason for implementing VLANs in the first place. Thus a good reason not to use an unmanaged switch
  2. The behavior of ethernet frames with 802.1q tags through an unmanaged switch is, by definition, undefined. Some switches will pass them transparently, other switches might strip the tags, and some will choke outright. In some cases, this can cause serious network issues. Therefore, even if this specific switch "works", it is best to have the blanket rule that VLANs should not be passed through unmanaged switches because of the fact that it can be unpredictable.
  3. Obviously an unmanaged switch cannot set port-vlan membership. Assuming that the frames are passed without any issues, the result is that all ports have exactly the same port-vlan membership, including tagging status. The downstream devices must be VLAN aware in order to join the correct VLAN, and there is nothing to stop those devices from joining other VLANs.

For the above reasons, it is generally considered bad practice to use unmanaged switches in the context of 802.1q VLAN tags. And while it can work in some situations, there is nuance that is bound to cause unexpected problems. To be clear, we have seen situations (recently in fact) where an unmanaged switch can cause serious problems on the network (in this case, it made the roaming between APs unstable and unpredictable -- about 2 weeks and 55 posts to discover that)!

2 Likes
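
The port-VLAN membership points discussed above, as an added example that is not part of any post in this thread and is not any vendor's firmware logic. It models a managed switch with access and trunk ports next to the best-case unmanaged switch that passes tags transparently. The VLAN IDs 3 and 11 and the port names are assumptions; the thread only gives subnets.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

@dataclass(frozen=True)
class Port:
    pvid: Optional[int] = None            # VLAN given to untagged ingress frames
    tagged: FrozenSet[int] = frozenset()  # VLANs carried with an 802.1Q tag

class ManagedSwitch:
    def __init__(self, ports: Dict[str, Port]):
        self.ports = ports

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """Map each egress port to the tag seen on the wire (None = untagged)."""
        p = self.ports[in_port]
        if vid is None:
            vlan = p.pvid                          # access port: switch picks the VLAN
        else:
            vlan = vid if vid in p.tagged else None  # ingress filtering
        if vlan is None:
            return {}                              # port is not a member: drop
        out = {}
        for name, q in self.ports.items():
            if name == in_port:
                continue
            if q.pvid == vlan:
                out[name] = None                   # egress untagged on access port
            elif vlan in q.tagged:
                out[name] = vlan                   # egress tagged on trunk
        return out

class UnmanagedSwitch:
    """Best case only: every frame, tag included, goes to every other port."""
    def __init__(self, names):
        self.names = list(names)

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        return {n: vid for n in self.names if n != in_port}

CAMERA_VLAN, AP_VLAN = 3, 11  # assumed IDs for the 192.168.3.x / 192.168.11.x networks

managed = ManagedSwitch({
    "uplink": Port(tagged=frozenset({CAMERA_VLAN, AP_VLAN})),  # trunk to router
    "camera": Port(pvid=CAMERA_VLAN),                          # access port
    "ap": Port(pvid=AP_VLAN),                                  # access port
})
unmanaged = UnmanagedSwitch(["uplink", "camera", "ap"])
```

On the managed switch the port configuration decides membership; on the unmanaged one the device's own tag does, and a camera that is not VLAN-aware simply receives tagged frames it cannot use.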

Correct. No isolation....

1 Like

I suspect the answer will be for me to post my configs, however, is there a guide or tutorial that would be best for me to follow to setup this new managed device?

No, you will be using OEM GUI. With netgear easy smart switches, you get to pick the "level" of how dumbed down you want vlans to be. Pick the most advanced one and you should be able to understand.

Note: only untagged management vlan can see the GUI i.e. you can lock yourself out on Netgear. Set management vlan same as your trusted main vlan.