Too many things on ethernet... help

I liked having the Router part of the Modem. Make sense or no?
Your choice, but I want them separate so I have complete control of the router; I don't mind Spectrum controlling the modem itself, but I don't want them able to mess with my house network.

Perhaps I am wrong about their control, because I've never owned a combo device, but I feel better with my own router. :-)
I agree with this. A clear demarcation of responsibility. It avoids finger pointing.
Yes, and as RDKirk mentions above, I don't trust an ISP to keep the router upgraded as security issues arise. Mine has had at least a half dozen firmware updates since I bought it.

I don't see router vulns discussed nearly as often as I do security problems with OSs, but I consider them as potentially quite serious.
 
So a router is a layer 3 device and its purpose is to route IP packets using an IP address between different VLANs. If you are not going to set up multiple VLANs a router is not required.

A switch is a layer 2 device and passes packets within the same network using MAC addresses. If you are going to have only one network segment, not multiple VLANs, then a switch will do just fine.

There are also layer 2 / 3 devices but again unless you want to build a network comprised of multiple network segments, each with their own separate IP space I recommend staying with a switch.

My Motorola modem has 4 Ethernet ports built into it. But I only use one of the 4, which is used to connect my main switch. I also had my house wired for Ethernet, where the Ethernet cable runs to various rooms terminate in my closet where I have my modem, main switch and network security device.

I tend to agree with others that having a switch separate from your modem is preferred but you should do what is best for you. A separate switch means you also need a power outlet for the switch so this can be a challenge for some. But I have a UPS with multiple power protected power outlets which connect to one power outlet in the wall. Therefore power is not an issue for me. You should consider getting a small UPS if your budget allows.

I use Ubiquiti UniFi switches and Access Points.

I would review the approved modem list from Spectrum and select one from the list that meets your needs and budget:

https://www.spectrum.net/support/internet/compliant-modems-spectrum-network/

Using an approved modem will make any service issues easier in my experience with other providers.
 
So a router is a layer 3 device and its purpose is to route IP packets using an IP address between different VLANs. If you are not going to set up multiple VLANs a router is not required.

A switch is a layer 2 device and passes packets within the same network using MAC addresses. If you are going to have only one network segment, not multiple VLANs, then a switch will do just fine.
For clarification of terminology, routers segregate IP networks (or “subnets”) from each other and facilitate communication between them which is “routing.” They do not create, facilitate, or manage virtual LANs (VLANs). For practically every implementation out there, VLANs are a service provided by Ethernet switches, not routers. They are also a service that 99% of home users don’t need and can very likely disregard.
 
What I said is correct. A router routes between VLANs.

A switch segregates VLANs. You set up VLANs on the switch.

The router maintains a routing table of networks and knows next hop to move the packet to the destination requested.
 
What I said is correct. A router routes between VLANs.

A switch segregates VLANs. You set up VLANs on the switch.

The router maintains a routing table of networks and knows next hop to move the packet to the destination requested.
I'm not a networking expert and haven't run across this terminology before WRT home routers; what is 'virtual' here?
 
Jeff,

Your explanations are really helpful to me and I thank you for taking the time to write it out.

Thank you.

John
 
What I said is correct. A router routes between VLANs.
I’m sorry, but that statement is not correct. A router routes between IP networks. As you effectively said yourself, routing is an OSI layer 3 function. Go and look at the very first sentence of the Wikipedia entry for Virtual LAN (emphasis mine)…

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).

If you want two VLANs to communicate with each other they effectively need to make use of their own IP networks. It is because they each make use of their own IP networks…not because they are different VLANs… that you need a router between them.

Saying routers route between VLANs is similar to saying correlation equals causality.
 
I'm not a networking expert and haven't run across this terminology before WRT home routers; what is 'virtual' here?
Loosely speaking, each virtual LAN (VLAN) can be thought of as the functional equivalent of an independent physical Ethernet switch. The key difference is that it doesn't matter where those switches are located or how many switches are configured for a particular VLAN. One VLAN can be thought of "behaving" like one switch.

So why do VLANs exist if you only need a router to communicate between IP networks? That's a broad question with countless answers but typically it's because VLANs can make the actual physical structure of your network irrelevant for many configuration needs.

As a practical example, the environment I used to manage used VLAN-enabled fully managed switches everywhere. We had publicly-accessible Ethernet ports scattered throughout the building. We obviously wanted those isolated as much as possible. These ports were on their own "public" VLAN and the IP network used by that VLAN was routed to the same IP network as the "WAN" side of our campus firewall. The result was that it didn't matter where these public ports were in the building or which managed switch they were patched to. All we had to do was configure them in the "public" VLAN and those ports effectively had the same networking security as the Internet at large.
 
I'm not a networking expert and haven't run across this terminology before WRT home routers; what is 'virtual' here?
Loosely speaking, each virtual LAN (VLAN) can be thought of as the functional equivalent of an independent physical Ethernet switch. The key difference is that it doesn't matter where those switches are located or how many switches are configured for a particular VLAN. One VLAN can be thought of "behaving" like one switch.

So why do VLANs exist if you only need a router to communicate between IP networks? That's a broad question with countless answers but typically it's because VLANs can make the actual physical structure of your network irrelevant for many configuration needs.

As a practical example, the environment I used to manage used VLAN-enabled fully managed switches everywhere. We had publicly-accessible Ethernet ports scattered throughout the building. We obviously wanted those isolated as much as possible. These ports were on their own "public" VLAN and the IP network used by that VLAN was routed to the same IP network as the "WAN" side of our campus firewall. The result was that it didn't matter where these public ports were in the building or which managed switch they were patched to. All we had to do was configure them in the "public" VLAN and those ports effectively had the same networking security as the Internet at large.
Thank you for the explanation; this is something I've never had to deal with myself. It's a surprise, and that's what makes me wonder what applicability the VLAN method has to an ordinary home router supporting a limited number of devices on what I understood to be a single physical LAN? I think I am missing something here; perhaps a post I overlooked.
 
Thank you for the explanation; this is something I've never had to deal with myself. It's a surprise, and that's what makes me wonder what applicability the VLAN method has to an ordinary home router supporting a limited number of devices on what I understood to be a single physical LAN? I think I am missing something here; perhaps a post I overlooked.
Relatively few individual/home users have a need for VLANs. It certainly can exist though. It requires more than typical ordinary home equipment. Still “plausibly affordable” by many standards, just not typical.

Below is a diagram I sketched up for a friend of mine showing a theoretical “advanced take” on his home network. This diagram incorporates a couple of concepts I haven’t explicitly mentioned yet:

1) You can communicate multiple VLANs and their configurations across a single physical link via standardized protocols. This is commonly referred to as VLAN “trunks” or “trunking” but it can go by other names as well. The VLANs within a single trunk remain just as segregated from each other as the VLANs within a single Ethernet switch.

2) Corporate(ish) WiFi equipment is often capable of making use of VLANs. Typically this is done in a manner where you have multiple SSIDs available from your WiFi with each SSID having its own corresponding VLAN.

EDIT:
If you wanted to do the same sort of thing shown below but only with WiFi, then you wouldn't need VLANs. This is evidenced by the "guest network" functionality built into many consumer-grade WiFi "routers". In my friend's case, he was interested in having the same segregation/isolation exist across both WiFi and hardwired Ethernet which is why VLANs came into play. Plus he already owned the Ubiquiti EdgeRouter and wireless access point.

[Attached image: network diagram]
 
Thank you for the explanation; this is something I've never had to deal with myself. It's a surprise, and that's what makes me wonder what applicability the VLAN method has to an ordinary home router supporting a limited number of devices on what I understood to be a single physical LAN? I think I am missing something here; perhaps a post I overlooked.
Relatively few individual/home users have a need for VLANs. It certainly can exist though. It requires more than typical ordinary home equipment. Still “plausibly affordable” by many standards, just not typical.
Very informative. I started to wonder if it would be correct to say that the guest network capability of home routers would be an example of a VLAN; that has led me down a rabbit hole of networking arcana (for me) that I'll have to explore in depth later. Interesting stuff, thanks for introducing me to this.

(Now I see your EDIT. :-) )
 
Very informative. I started to wonder if it would be correct to say that the guest network capability of home routers would be an example of a VLAN; that has led me down a rabbit hole of networking arcana (for me) that I'll have to explore in depth later. Interesting stuff, thanks for introducing me to this.

(Now I see your EDIT. :-) )
Another thing to keep in mind with gear you might have for a home is that a typical consumer-grade “router” usually incorporates the functionality of four networking devices:
  • TCP/IP router
  • Firewall
  • Ethernet Switch
  • Wireless access point
When those four roles are within a single box manufactured by one company, there is at least some small degree of flexibility for the manufacturer to blur the lines between the hardware and software responsible for each of those roles. As long as everything connecting to the box sees it behaving in accordance with formal standards, that’s what matters.

Of course, nearly all the consumer grade hardware is probably based on Linux when you dig into it deep enough. I would have to imagine the manner in which Linux is built along with what services it can offer sets some real-world practical limits on what’s possible for the manufacturers of consumer gear.
 
Very informative. I started to wonder if it would be correct to say that the guest network capability of home routers would be an example of a VLAN; that has led me down a rabbit hole of networking arcana (for me) that I'll have to explore in depth later. Interesting stuff, thanks for introducing me to this.

(Now I see your EDIT. :-) )
Another thing to keep in mind with gear you might have for a home is that a typical consumer-grade “router” usually incorporates the functionality of four networking devices:
  • TCP/IP router
  • Firewall
  • Ethernet Switch
  • Wireless access point
When those four roles are within a single box manufactured by one company, there is at least some small degree of flexibility for the manufacturer to blur the lines between the hardware and software responsible for each of those roles. As long as everything connecting to the box sees it behaving in accordance with formal standards, that’s what matters.

Of course, nearly all the consumer grade hardware is probably based on Linux when you dig into it deep enough. I would have to imagine the manner in which Linux is built along with what services it can offer sets some real-world practical limits on what’s possible for the manufacturers of consumer gear.
I'm pretty sure you are right; at least some of the vulns that have been patched on this router were related to Linux exploits, and at least some third-party firmware available for it is Linuxian.
 
How does server foo on VLAN 200 reach server goo on VLAN 300?
 
How does server foo on VLAN 200 reach server goo on VLAN 300?
The answer is of course server Foo on VLAN 200 reaches server Goo on VLAN 300 through a router.

but...

The reason Foo reaches Goo through a router is because by necessity VLAN 200 uses IP subnet [A] and VLAN 300 uses IP subnet .

You could have server Foo in the same subnet [A] and server Goo in same subnet without any managed switches or VLANs being involved whatsoever and you would still need the same router role doing the same IP routing between the same two subnets. The only things that might be different are the quantity of switches involved, the quantity of cabling runs, and maybe the quantity of interfaces on your router.

Apologies for repeating a point, but it’s a causation/correlation issue. The cause of needing a router is communication between IP networks. It happens to be the use of multiple VLANs almost always correlates with using different IP networks for each VLAN.
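
The causation point in the reply above, as an added example that is not part of the original thread: a small model of the forwarding decision in which a host compares the destination against its own subnet and never consults a VLAN number. The `Node` class, the `l2_domain` labels and the 10.0.2.0/24 and 10.0.3.0/24 addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    iface: str      # address/prefix (constructed), e.g. "10.0.2.10/24"
    l2_domain: str  # broadcast domain: a VLAN or a standalone switch

    @property
    def ip(self):
        return ipaddress.ip_interface(self.iface).ip

    @property
    def subnet(self):
        return ipaddress.ip_interface(self.iface).network

def delivery(src, dst, router_ifaces):
    """Return 'direct', 'routed' or 'unreachable' for src -> dst."""
    if dst.ip in src.subnet:
        # On-link: src ARPs for dst itself, and ARP is a layer 2 broadcast
        # that never leaves the broadcast domain.
        same_domain = src.l2_domain == dst.l2_domain
        return "direct" if same_domain else "unreachable"

    # Off-link: src hands the packet to its gateway. The router needs one
    # interface in src's domain and subnet, and one in dst's.
    def attached(node):
        return any(r.l2_domain == node.l2_domain and node.ip in r.subnet
                   for r in router_ifaces)

    return "routed" if attached(src) and attached(dst) else "unreachable"

def scenarios():
    a, b = "10.0.2.{}/24", "10.0.3.{}/24"  # subnet A, subnet B (constructed)

    def run(foo_dom, goo_dom, goo_net=b):
        router = [Node("rtr-a", a.format(1), foo_dom),
                  Node("rtr-b", b.format(1), goo_dom)]
        foo = Node("foo", a.format(10), foo_dom)
        goo = Node("goo", goo_net.format(20), goo_dom)
        return delivery(foo, goo, router)

    return {
        "vlan200 -> vlan300, subnets A/B": run("vlan200", "vlan300"),
        "two plain switches, subnets A/B": run("switch-1", "switch-2"),
        "one VLAN, subnets A/B": run("vlan200", "vlan200"),
        "vlan200 -> vlan300, both in subnet A": run("vlan200", "vlan300", a),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The first three cases are routed whether or not VLANs exist; the last case shows the isolation side, where two hosts numbered into the same subnet but placed in different VLANs cannot reach each other at all.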
 
Thank you for the explanation; this is something I've never had to deal with myself. It's a surprise, and that's what makes me wonder what applicability the VLAN method has to an ordinary home router supporting a limited number of devices on what I understood to be a single physical LAN? I think I am missing something here; perhaps a post I overlooked.
Putting aside the obvious use case of a 'guest wifi' network for guests, there is a rather large segment of surveillance cams and other IoT devices with shoddy (or worse) security practices that you might not trust to be on the same network as your personal files. Cams that dial home to China, for example. Or ones that just don't get firmware updates every time there is a new vuln identified in the common Linux stacks they use.
 
Then he went outside to where the cable comes out of the ground and into their box. He replaced several connections. Then said the understatement of the decade,

Your cable looks really old. I'm going to replace it now, and another crew will show up in 7-10 days to bury it.

It was "original equipment"--1991.
So everything comes down to this. It's not the number of devices you have, or the equipment in the home. It's the size of the pipe from the house to the cable box.

For the past decade or two, cable tv/data is routed over RG6 cable. This replaced a thinner, less shielded RG59 cable that was adequate for the analog era, and likely what you have in the ground.
 
For the past decade or two, cable tv/data is routed over RG6 cable. This replaced a thinner, less shielded RG59 cable that was adequate for the analog era, and likely what you have in the ground.
Out of curiosity, have you ever seen any practical means for an average individual to test the quality coax cable runs within a home? I’m referring to any coax runs that may be in place between the demarc where your ISP “enters” your house to wherever you have your cable modem connected. All too often you hear stories of “Well, we can roll a truck but you will be charged [ridiculous amount] if it turns out to be the wiring inside your home.”

I know you can test basic continuity of the center conductor on a coax run but you wouldn’t have any signal at all at your cable modem if that was broken, not a crappy signal. I’ve always assumed the only feasible course of action would be to physically move your cable modem, connect it right where the cable comes into your house, and then see if the signal levels on the channels are any different than at its normal location. There are a variety of reasons people might not be able to do that though.
 
What I said is correct. A router routes between VLANs.
A router routes between subnets. Subnets were around long before there were VLANs, and there is nothing saying that a subnet has to consist of a VLAN, as opposed to some sort of LAN, WAN, or point-to-point network.
 