Guys, of those of you that utilize VLAN in your residential networks, how did you come up with numbering scheme?
Is there a standard, or goto guide that I can use? (please no Wesley jokes.. not yet)


I'm just now getting into VLAN and am using my house as test bed.
I know to separate guest network from production (what do we call it in the house?) and am thinking about separating CCTV, access control, home automation all onto their own VLANs.

Not sure if I should also separate A/V devices such as BD, AVR, HEOS.

Also, not sure if I should separate wireless devices like tablet (known, not visitor's) that are on the production network (not guest network).

Also, are there switches I should avoid that do NOT tag network traffic for VLAN effectively?
Any managed switches that you had issues with, or that had confusing (or non existent) GUI? I do not want to get into Cisco stuff with CLI.

Pakedge has a series of routers and switches that come preconfigured with multiple VLANS. Plus their new SX series of switches have a built in wizard for setting up multiple VLANS.

I normally use a 192.168.x subnet for the client LAN and a 172.16.x subnet for the AV and controls LAN. The 'x' octet I normally number to match the site address house number, i.e. 7 Grief Street would get 192.168.7.0 and 172.16.7.0 respectively (assuming street address is under 254 - not usually a problem in UK!).

I use 192 ranges for the client as that is what they are used to seeing on any other item they may have had dealings with themselves in the past so it doesnt look alien to them, and 172 ranges for the controls as again the typical home user is not used to using or looking for devices in this range, so it is unlikely that these devices will ever be discovered by them in normal network usage!

If using CCTV then I would typically put the cameras and DVR on their own 172.16.x+1 subnet, although again some DVR apps wont allow you to look beyond the local subnet for the DVR in which case it needs to go on the client LAN, or sometimes the DVR can be multi-homed if it has an additional network card.

Note also that certain items of media equipment will need to sit on the client LAN in order for client Apps to be able to see them, i.e Apple TV etc.

I normally use the Draytek range of routers and L2 switches, but I wouldn't say they are the easiest to set up with VLANs as the switch range doesn't always have a consistent GUI across all models. I have been meaning to try the Luxul range of switches as they do seem to feature a consistent interface and look very easy to set up with VLANS, but as yet I have no hands on experience with these (anyone else have a comment on this?).

I used to use the 10.x.x.x ranges but fell foul with this when BT introduced their FTTC service as this also seems to operate on a 10.x.x.x subnet and therefore made routing something of an issue!

I watched a webinar few weeks ago and took this snapshot.
What I'm looking for is ideas/standards for naming &/or grouping of devices.
From readings and youtube videos, I learned that the main/production VLAN is 1 and is set as untagged.

VLAN's are a great solution and sometimes necessary to create solid and reliable network, yet you have to be very careful not to " over do it ". A lot of AV devices and control systems/apps work together via certain device discovery protocols , upnp , multicasting and more. Once you place those devices on separate VLANS, you may start to experience problems ( i.e Sonos on one VLAN and iPad on the other ) , yes it can be overcome via correct settings, tagging , sharing VLAN's and more , yet - is it worth the hassle ? . With that being said, i would always separate VOIP devices , guest wi-fi network , IP cameras and finally " standard " data network - not related to any AV and control .
We have been using Ubiquiti managed switches with a very good results, latest firmware introduced relatively easy VLAN wizard. Luxul seems to have easy VLAN setup as well ( not sure how I feel about the brand though )

Adam, that's a very good point.
Lets say that in my own home, the WiFi is on VLAN10 and I want to allow access for my own tablet to control Denon AVR on VLAN60, but I do not want everyone from VLAN10 to be able to do the same.
Can routers allow IP or MAC specific access across VLANs, or is it all or nothing?

I know I can just put my tablet on different VLAN altogether and allow that bridge, but my question is more general so I know what's possible and what isn't.

BTW, the reason this VLAN question came up is that I'm testing my first Denon HEOS and I was able to download the free app on additional devices and those apps automatically found the player and were allowed to control it.
I don't want just anyone that has access to my WiFi to start messing with things like BD, AVR, Sonos, HEOS etc. just because they're on the network.

Yes, you just need to create the rule in you firewall

Main Network 192.168.1.x
Guest Network 192.168.2.x Firewall rule to only allow internet access
CCTV Network 192.168.3.x

I keep my av gear on the main network below 192.168.1.99.
If it is a larger system, I break it out accordingly.

Awesome.

Another question that just came up:
Lets say I have 5 port unmanaged switch that handles my PC, wife's PC, Wattbox and printer.
I'm OK with all those devices to be on same VLAN.
Can I simply plug the feed from that unmanaged switch into a managed switch and tell it that everything coming in from that location should be tagged with specific VLAN?

In other words, can you connect a bunch of devices into one, unmanaged switch and then connect that switch into upstream, managed switch and just tell the upstream switch that all traffic on that port should be tagged with specific VLAN?

Yes, on a port on a managed switch, you can specify a VLAN for that specific port. Then plug an unmanaged switch into that port to connect multiple things to that VLAN. We use Cisco, and this is easy to accomplish.

Cool beans.
I have a mixture of Snap switches and just got this guy to test: ZyXEL Fanless 8 Port GbE 70w PoE+ L2 Web Managed Desktop Switch(GS1900-8HP)

Please note there are two types of port configuration (generally) when configuring VLANs: access and trunk. Most devices do not respect a VLAN tag and they do not pass one unless instructed to do so. An access port tags the traffic as it traverses the port so that it stays in the correct VLAN in the switching infrastructure. You can only have one VLAN on an access port. This is called the native VLAN. The default is 1.

A trunk port expects and respects VLAN tags. You use trunk ports between managed switches to pass your VLANs. If you do not trunk, the tag is ignored and/or stripped and replaced by the native tag. A trunk is also required for a WAP that uses VLANs. Each SSID is associated with a VLAN tag (although the actual wireless broadcast does not use VLAN tags). You can specify which VLANs are allowed over a trunk port (called pruning). Default usually allows all 4096 VLANs.

In your case, use a trunk port between managed switches to pass VLANs. Use an access port with the correct native VLAN on an unmanaged switch.

Be mindful when creating segmented networks; inter-VLAN routing is handled by your layer 3 device (router or L3 switch). If you are putting bandwidth intensive services that communicate with each other on separate VLANs, the traffic must all pass through the router. For example, all traffic from a NAS on one VLAN to a streaming device on another VLAN would traverse the router. Even if they are plugged into the same switch. Ensure your router is capable of routing the bandwidth you require.

That is not meant to scare - a VLAN can also solve problems with "chatty" devices (eg, IP cameras). Segmenting them via VLAN puts them on a separate broadcast domain. Their traffic will not generally increase latency on other VLANs. In that example you would segment the entire IP video infrastructure including the NVR. Most NVRs have two network ports or the option to trunk. Put the IP video on one VLAN/network port and put the NVR management on the other VLAN/port. If you make the IP video VLAN non-routable it also increases security because the only way to access a camera is on the actual VLAN. This is generally how it is done in large infrastructure.