Question re: vlan

konata88 (Member) posted:
If I buy a managed switch (and connect it to a router) and set up two vlans, 1 default (vlan1) across the environment and then 1 additional vlan (vlan2) with select devices, can I set it up such that the devices on vlan2 don't see the devices on vlan1?

I think I can set up the switch and the vlan environment - that seems straightforward after watching a couple of videos. But I'm not sure how I can make vlan1 invisible, non-reachable by the vlan2 devices. Is there something I can do / need to do at the router?

Sorry, dumb question. This is my first attempt at vlans.




"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 13408 | Location: In the gilded cage | Registered: December 09, 2007

smschulz (quarter MOA visionary) posted:
Yes, you need a router that supports vlans or a layer 3 switch.
Configure with access rules/firewall.
 
Posts: 23540 | Location: Houston, TX | Registered: June 11, 2006

konata88 (Member) posted:
Thanks. I guess I need to do more research / learn more. The router manual says something about setting up a bridge for a vlan tag group - not sure if that's what's needed here or not.

May need to update my router too.




"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 13408 | Location: In the gilded cage | Registered: December 09, 2007

architect (Optimistic Cynic) posted:
The answer to the OP's original question is "yes." This is exactly what VLANs are intended to do.

In terms of implementation, there are two kinds of VLANs: those based on assigning switch ports to a particular VLAN (so whatever device is plugged into that port becomes a member of the VLAN group), and "tagged" VLANs which use packet pattern matching (e.g. IP or MAC address, protocol, etc.) to assign particular attached devices to a configured VLAN (by "tagging" their ethernet frames). The latter is somewhat more flexible, but not all switches provide this functionality. It is possible, and not at all uncommon, that particular switch ports or devices be members of multiple VLAN groups so as to access devices on different VLANs. This can also be accomplished by router configuration to bridge or route between VLANs. This latter capability is generally managed by firewall rule tables and/or access control lists.

It can get complicated, and if not carefully implemented, "leak" from a security perspective. I usually prefer to use multiple switches to effect LAN isolation as it is easier to not get mixed up about what ports belong to which VLANs when cable moving day comes around. There is another consideration, if a device on your LAN is too vulnerable to allow Internet connection, perhaps it should not be on your network at all.
 
Posts: 7074 | Location: NoVA | Registered: July 22, 2009

konata88 (Member) posted:
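To make the port-based versus tagged distinction in the post above concrete, here is an added Python model of how a managed switch keeps the two VLANs apart at layer 2. It is example code written for this thread, not from any poster or any switch vendor: it builds and parses 802.1Q-tagged Ethernet frames, treats some ports as untagged access ports and one as a tagged trunk uplink (the kind of port that carries several VLANs to a router or a second switch), and forwards by (VLAN, MAC). The port names, MAC addresses and VLAN numbers are constructed for illustration; only the frame layout and the `struct` module are standard.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan=None, ethertype=ETH_ARP):
    """Ethernet frame; tagged with VLAN id `vlan` (PCP 0, DEI 0) when given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


class Switch:
    """Port-based VLANs. An access port carries one VLAN untagged; a trunk
    port carries several VLANs with tags, which is how VLAN membership
    survives a link to another switch or to a VLAN-aware router."""

    def __init__(self):
        self.ports = {}   # port -> {"access": vid} or {"trunk": {vids}}
        self.fdb = {}     # (vid, mac) -> port; MAC learning is per VLAN

    def add_access(self, port, vid):
        self.ports[port] = {"access": vid}

    def add_trunk(self, port, vids):
        self.ports[port] = {"trunk": set(vids)}

    def member(self, port, vid):
        cfg = self.ports[port]
        return cfg.get("access") == vid or vid in cfg.get("trunk", ())

    def ingress_vlan(self, port, tag):
        """Which VLAN an arriving frame belongs to, or None to discard it."""
        cfg = self.ports[port]
        if "access" in cfg:
            # An access port accepts only untagged frames; a tag arriving
            # here is discarded rather than trusted as a VLAN choice.
            return None if tag is not None else cfg["access"]
        return tag if tag in cfg["trunk"] else None

    def receive(self, port, frame):
        """Forward one frame; returns {egress_port: frame_as_transmitted}."""
        dst, src, tag, etype, payload = parse_frame(frame)
        vid = self.ingress_vlan(port, tag)
        if vid is None:
            return {}
        self.fdb[(vid, src)] = port
        known = self.fdb.get((vid, dst))
        if known == port:
            targets = []          # destination sits behind the ingress port
        elif known is not None:
            targets = [known]
        else:                     # unknown or broadcast: flood, but only inside the VLAN
            targets = [p for p in self.ports if p != port and self.member(p, vid)]
        out = {}
        for p in targets:
            egress_tag = vid if "trunk" in self.ports[p] else None
            out[p] = build_frame(dst, src, payload, egress_tag, etype)
        return out


def demo():
    """Constructed layout: VLAN1 on p1/p2, VLAN2 on p3/p4, tagged uplink on p5."""
    sw = Switch()
    sw.add_access("p1", 1)
    sw.add_access("p2", 1)        # VLAN1: the devices used for banking etc.
    sw.add_access("p3", 2)
    sw.add_access("p4", 2)        # VLAN2: guest / "dirty" devices
    sw.add_trunk("p5", {1, 2})    # uplink toward the router or a second switch
    guest = mac("02:00:00:00:00:03")
    # A VLAN2 device broadcasts (think of an ARP "who has?" looking for a VLAN1 host).
    out = sw.receive("p3", build_frame(BROADCAST, guest, b"who-has?"))
    flooded_to = sorted(out)                 # p4 and the trunk only; p1/p2 never see it
    uplink_tag = parse_frame(out["p5"])[2]   # on the trunk the frame carries tag 2
    return flooded_to, uplink_tag


if __name__ == "__main__":
    print(demo())   # (['p4', 'p5'], 2)
```

The point to take from the demo is that the broadcast from the VLAN2 device reaches the other VLAN2 port and the trunk, and nothing else; the trunk copy carries tag 2, so whatever is at the far end (a second switch or the router) still knows which VLAN it belongs to. Whether anything then crosses from VLAN2 to VLAN1 is decided entirely by that router, which is where the firewall rules the earlier replies mention come in.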
Thanks - I know my switch supports VLAN but not sure what type. I need to read the manual more. I think it is VLAN and assigned ports but not sure. This is all new to me. I'll check the manual later.

It sounds like, based on what you wrote, that by default VLAN1 and VLAN2 devices won't be able to talk to each other unless I do something extra (VLAN groups, router configuration (bridge, firewall tables, access control lists)). That is basically what I want - segregation between VLAN1 devices and VLAN2 devices.

Trying to keep 'safe' devices on VLAN1 and segregate VLAN2 for 'dirty' devices (devices (no personal info, accounts, data) that can be more free to search the internet; devices that belong to guests; etc). VLAN2 devices are generally safe but riskier; I want to keep them separate from devices I use for banking, etc.




"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 13408 | Location: In the gilded cage | Registered: December 09, 2007

Member posted:
It's overkill, but the route I took. Look at the Ubiquiti UDM SE (what I have because I will be adding cameras eventually and the NVR is built in) or UDM and PoE switch.

I followed the crosstalk videos to set up exactly what you are wanting to

Not exceptionally expensive. “Pro-sumer” level stuff

I have plenty of extra Access points and a UDM (I’d be willing to sell) During Covid shortages I grabbed whatever I could at the time since I live in a metal clad faraday chamber for all practical purposes and didn’t know what would and what would not work for me


-------------------------------------------------------------------------------------------
Live today as if it may be your last and learn today as if you will live forever
 
Posts: 6343 | Location: New Orleans...outside the levees, fishing in the Rigolets | Registered: October 11, 2009

smschulz (quarter MOA visionary) posted:
quote: Originally posted by konata88:
Thanks - I know my switch supports VLAN but not sure what type.
I need to read the manual more.
I think it is VLAN and assigned ports but not sure.
This is all new to me.
I'll check the manual later.



May I suggest two things:
1. Take a course on IPV4
2. Take a course on VLANS

There are a lot of free YouTube Videos too that can assist.

You will have a much better picture of the subject and it will make much more sense than reading a manual.
I've always said that understanding TCP/IP and understanding permissions on a LAN will solve a majority of IT work.
Now, understand that we are talking mostly about Networking and not the latter of permissions (in my case NTFS) which is less applicable but not out of the realm.

But boning up a tad on the basics, if so inclined, will serve you well.

Additionally, when you know the capabilities it will help you define your plan or objectives.
 
Posts: 23540 | Location: Houston, TX | Registered: June 11, 2006

Member posted:
VLANs are usually set up to segregate traffic so that they cannot see each other. It is also possible to make a one-way connection so that one VLAN can see the other, but not the other way around.

You also have to make sure that traffic between switches is "tagged" so that it can be moved around the network.

Here is one discussion on one-way connections: https://community.ui.com/quest...d0-8445-343696a93aaa
 
Posts: 2855 | Location: Northern California | Registered: December 01, 2006

smschulz (quarter MOA visionary) posted:
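The one-way connection described in the post above, and the earlier advice that the VLAN-aware router or layer-3 switch is what enforces the policy with access rules or a firewall, can be shown with a toy stateful inter-VLAN firewall. This is added example code written for this thread, not from any poster, from Ubiquiti, or from any firewall product; the subnets, host addresses, zone names and rule table are constructed for illustration, and only the `ipaddress` module is standard library. Each VLAN is its own subnet, so without this router hop the two groups have no path to each other at all; the router's rule table decides exactly which directions are allowed.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport flags")

# Constructed addressing: VLAN1 = trusted devices, VLAN2 = guest / "dirty" devices.
ZONES = {
    "vlan1": ipaddress.ip_network("10.0.1.0/24"),
    "vlan2": ipaddress.ip_network("10.0.2.0/24"),
}


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"   # anything outside the local VLANs is treated as the internet side


# (from_zone, to_zone, action), evaluated top-down for NEW connections only.
RULES = [
    ("vlan1", "vlan2", "accept"),   # trusted side may open connections to the guest side
    ("vlan1", "wan", "accept"),
    ("vlan2", "wan", "accept"),     # guests still get internet
    ("vlan2", "vlan1", "drop"),     # guests never open connections to the trusted side
    ("wan", "vlan1", "drop"),
    ("wan", "vlan2", "drop"),
]


class InterVlanFirewall:
    """Zone-based rules plus a flow table, the way a VLAN-aware router
    or layer-3 switch applies an ACL with an 'established' exception."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # 5-tuples of accepted connections (connection tracking)

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def filter(self, p):
        """Return 'accept' or 'drop' for one packet, updating the flow table."""
        if self._key(p) in self.flows or self._reverse(p) in self.flows:
            return "accept"            # ESTABLISHED: belongs to an already-allowed flow
        if p.proto == "tcp" and set(p.flags) != {"SYN"}:
            return "drop"              # TCP with no tracked flow must be a fresh SYN
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for frm, to, action in self.rules:
            if frm == src_zone and to == dst_zone:
                if action == "accept":
                    self.flows.add(self._key(p))
                return action
        return "drop"                  # implicit default deny


def demo():
    """Constructed hosts: a trusted laptop on VLAN1, a guest TV on VLAN2."""
    fw = InterVlanFirewall()
    laptop, guest_tv = "10.0.1.10", "10.0.2.20"
    results = {}
    # The trusted laptop opens an HTTP connection to the guest-side device.
    results["vlan1->vlan2 SYN"] = fw.filter(Packet(laptop, guest_tv, "tcp", 40000, 80, {"SYN"}))
    # The reply is part of that flow, so it is let back in without its own rule.
    results["vlan2->vlan1 reply"] = fw.filter(Packet(guest_tv, laptop, "tcp", 80, 40000, {"SYN", "ACK"}))
    # The guest device trying to reach the laptop on its own is dropped.
    results["vlan2->vlan1 SYN"] = fw.filter(Packet(guest_tv, laptop, "tcp", 50000, 80, {"SYN"}))
    # Guests still reach the internet (198.51.100.7 is a documentation address).
    results["vlan2->wan SYN"] = fw.filter(Packet(guest_tv, "198.51.100.7", "tcp", 50001, 443, {"SYN"}))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two things make the policy one-way: the rule order (VLAN1 may open connections to VLAN2, VLAN2 may not open them to VLAN1) and the flow table, which lets replies to an allowed connection come back without a separate permit rule. On real gear that second part is the "established/related" entry in the ACL or firewall table; if it is missing, the "trusted side can see the guest side" direction silently stops working as well, which is a common first mistake when setting this up.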
^^^ While true, it is also simply the nature of different subnets that you will not see them.
Which brings up the question of what "see" means.
Are you defining it as browsing or as being accessible?
 
Posts: 23540 | Location: Houston, TX | Registered: June 11, 2006

konata88 (Member) posted:
quote: Originally posted by smschulz:

May I suggest two things:
1. Take a course on IPV4
2. Take a course on VLANS

There are a lot of free YouTube Videos too that can assist.

Additionally, when you know the capabilities it will help you define your plan or objectives.


Thanks. I've been watching a number of videos. But most seem to just repeat what others have said. And not really diving into the layer of abstraction that helps answer the questions I've been having for which you guys have been providing guidance. I'll keep watching more videos.




"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 13408 | Location: In the gilded cage | Registered: December 09, 2007

© SIGforum 2025