I have an NVR which I can access on my LAN. I would like some IP cameras isolated on a VLAN to access the NVR using an 802.1Q managed switch only.

I want the cameras to connect to the NVR without wasting router resources. Can I do this through a switch with 802.1Q? I am thinking of having separate VLANs on a single /24; is this possible (does this make sense)? I don't quite understand how (if) I can get this to work without the simple method of traffic being routed between different subnets for different VLANs.

For example, if I have VLAN 14 with 192.168.110.0/24 and VLAN 16 with 192.168.110.0/24. I put the cameras untagged on VLAN 14 with VPID 14, and my LAN on VLAN 16 with VPID 16, but I also put my NAS on VLAN 14 untagged; being that they are in the same broadcast domain, the cameras can see the NVR..? This is the problem I am trying to solve.

Bringle

2 Answers

Basically no, you can't do what you are trying to do.

Think of separate VLANs as physically separate switches that are NOT linked together. There needs to be some sort of join between them for traffic to flow. Or if you want a device to be able to talk to both VLANs then it needs to be "plugged in" to both VLANs. Plus, if you want anything to be able to talk to both VLANs, they need to have separate IP ranges. Having the same subnet on both VLANs will prevent you from being able to talk to both. The whole idea of a subnet is to have 1 unique subnet per broadcast domain. A VLAN is a self-contained broadcast domain. Simply having the same IP subnet on 2 separate networks does not make them part of the same broadcast domain.

If you want some form of separation without routing, then you have 3 options.

1) Put the cams and NVR behind a firewall. You don't need routing or VLANs or even separate subnets, though you might as well, as most firewalls are also routers. For that matter, most managed switches are also routers.

2) Have two NICs in the NVR or PC to have that device in both VLANs. Do not use the same IP subnet for both or you won't be able to talk to both VLANs properly.

3) Don't use separate VLANs, just separate subnets, and add multiple IPs to your PC's single NIC and put the NVR in the same subnet as the cameras.

Options 1 and 2 offer much more separation than option 3.

Edit: If a device has a network card on the same set of physically linked switches, and the same VLAN and the same subnet as another device, and neither device is using an overlapping IP range (aka subnet), then yes, they can talk to each other, no matter if either or both devices are members of other VLANs or not.

You seem to be getting caught up on tagged vs untagged VPID. They are only mechanisms to determine which VLAN the packet should be switched on to, or which VLAN the network card will be sent packets from or listen to. There is essentially no difference between a packet on the switch from an untagged VPID vs a VLAN tagged packet. If they both have the same VLAN number they will be connected by the switch. If they have a different number they will not be connected, i.e. not be plugged in to the same network, even if both are using tagged, or untagged, or VPID. Incidentally, a single network port cannot have 2 VLANs using untagged packets on the same physical port in the switch. If a packet has no tag then the switch assigns a default number as the VLAN for that packet, which is what the VPID specifies.

Once the devices are plugged in to the same VLAN switches, you can then worry about connecting them to the same IP range on that switched network, and avoiding overlapping and conflicting IP ranges.

BeowulfNode42
  • I have basically given up on this idea due to it being outside of the standard use case, but I'm wondering: if I have 2 devices, say device A, VPID 16, VLAN 14 & 16 untagged, and device B, VPID 14, VLAN 14 & 16 untagged, both in the same subnet... can they communicate as if they were on a single LAN? – Bringle Apr 12 '19 at 07:47
  • That sounds like you're still trying to confuse yourself. I've updated my answer to try and shed some more light on the matter. – BeowulfNode42 Apr 12 '19 at 12:29
  • Awesome, thank you. So I have just played with this, using an IP camera on a switch port with VLAN 14 untagged and VPID 14. I have a computer connected to the switch with VPID 1; I can access the camera if I add VLAN 14 untagged to the computer port on the switch. If I put the camera in the LAN IP range, or its own subnet, either way I have ~250kbps traffic going through the router, so I assume the router is acting as a gateway in the correct config for separate VLANs and distinct IP ranges. Just trying to wrap my head around Ethernet frames on the computer switch port where it is untagged – Bringle Apr 12 '19 at 13:02
  • @Bringle ahhh, I just noticed all the time talking about VPID I was thinking PVID. You were meaning Port VLAN ID (PVID) and not Video Payload Identifier (VPID) weren't you? – BeowulfNode42 Apr 13 '19 at 05:29
  • Yup, I have got a solution by using the switch in my MikroTik router, which allows VLAN filtering on a bridge. Just took me 3 days to figure out how to configure it... definitely complicated enough without trying to invent my own use of 802.1Q.. as here: https://forum.mikrotik.com/viewtopic.php?f=2&t=138232&sid=8faf0e9902a603786fc9ce6a9a6fdce4 – Bringle Apr 15 '19 at 04:20
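
The tagging rules described in the answer above, as an added example that is not part of the original posts: a small Python model of an 802.1Q switch that classifies an untagged frame to the ingress port's PVID and delivers it only to ports that are members of that VLAN. The port names, the trunk port and the frames are constructed; the model assumes no ingress filtering and treats every frame as a broadcast.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def eth_frame(vid=None):
    """Constructed broadcast ARP-type frame; vid=None means untagged."""
    head = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return head + tag + struct.pack("!H", 0x0806) + b"\x00" * 46

def classify(frame, pvid):
    """Ingress rule: use the tag's VID if present, otherwise the port's PVID."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype == TPID_8021Q and (tci & 0x0FFF):
        return tci & 0x0FFF
    return pvid  # untagged (or priority-tagged, VID 0) frames get the PVID

class Switch:
    def __init__(self, ports):
        # ports: name -> (pvid, untagged VLAN set, tagged VLAN set)
        self.ports = ports

    def flood(self, in_port, frame):
        """Return (vlan, {egress port: 'tagged' | 'untagged'}) for a broadcast."""
        vlan = classify(frame, self.ports[in_port][0])
        out = {}
        for name, (_, untagged, tagged) in self.ports.items():
            if name == in_port:
                continue
            if vlan in untagged:
                out[name] = "untagged"
            elif vlan in tagged:
                out[name] = "tagged"
        return vlan, out

# Layout from the question: cameras and NVR on VLAN 14, LAN on VLAN 16.
QUESTION = Switch({
    "camera": (14, {14}, set()),
    "nvr":    (14, {14}, set()),
    "lan_pc": (16, {16}, set()),
    "uplink": (1, {1}, {14, 16}),   # hypothetical trunk port
})
# Asymmetric layout: PC port keeps PVID 1 but is also an untagged member of 14.
ASYMMETRIC = Switch({
    "camera": (14, {14}, set()),
    "pc":     (1, {1, 14}, set()),
})

if __name__ == "__main__":
    for sw, port in ((QUESTION, "camera"), (QUESTION, "lan_pc"),
                     (ASYMMETRIC, "camera"), (ASYMMETRIC, "pc")):
        print(port, "->", sw.flood(port, eth_frame()))
```

IP addressing never appears in the model: reachability at layer 2 is decided only by the PVID and VLAN membership of each port. In the asymmetric layout the camera's frames leave on the PC port, but the PC's untagged frames are classified to VLAN 1 and are not delivered to the camera port, so the path is one-way in this model.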

If you want to communicate between VLANs you will have to implement some kind of routing between them, because otherwise they will be completely isolated. This can be done depending on the equipment you use. For example, if you have an L3 Cisco switch you can always enable inter-VLAN routing.

Note that a subnet and a VLAN are not the same thing. A subnet's IP addresses can communicate with each other without using routing devices. A VLAN will require routing.

Overmind