I'm trying to design a new network for my house, which is spread across 4 floors. I've been thinking about my requirements and I tried to write down
Requirements
Security Cameras
- security cameras should not have internet access;
- security cameras must access the network video recorder (NVR);
- the NVR should be able to access a remote mail server to send email notifications in case of security incidents
- a special security camera will require internet access and NVR access; Update: special here means that the camera allows for 2-way audio communication over the Internet, e.g. talking to the person in front of the camera.
- I should be able to access the NVR (even ethernet only is fine);
Heating System
- thermostat should not have internet access;
- thermostatic valves should not have internet access;
- the family should be able to access the heating system (wifi);
Home office
- 2 PCs on ethernet (VLAN 4)
- 1 PC on Wifi
- printer
- NAS
Other misc devices
- Smart TVs with internet access;
- Gaming systems with internet access;
Wifi network coverage
- Guest access (fully isolated network)
- Family access (can access heating system and NAS)
Rough network structure
Doubts and questions
-
I'm thinking of the following VLANs:
- cameras
- special camera
- NVR
- Guest
- heating
- office
- family safe (for internal wifi)
- family unsafe (gamign systems, tv, etc.)
Is this breakdown reasonable? It's unclear to me if that would satisfy all my requirements. For example, would I be able to configure the network so that I can access the NVR (VLAN 4) and the special camera (VLAN 3) from VLAN 8 or 7?
-
How intensive is inter-VLAN routing? I'm assuming this can be handled by the Edge Router (powered by dd-wrt).
-
The "special camera" is a potential security risk… right? Is it enough for it to be in its own VLAN?
-
I'm considering using CAT6A for all my connections and 1Gigabit Ethernet for the trunking ports between the switches. Would another cable category or trunking speed (10Gigabit Ethernet?) be more appropriate for connecting the switches? I'm not initially planning for using any 10G network device. This might change in the future for the NAS.
-
Is there any specific feature I should look for in the switch I'm going to buy?
-
Do I need a DHCP server for each VLAN for having dynamic assignment? Can a single router handle the addressing for all the VLANs?
Pardon me for the length of the question (and sub-questions :D). I hope this isn't OT: looks fitting giving the list of topics here.
Thanks for your help!
Best Answer
It really big project with many choices.
security camera -> NVR traffic can reach 2 - 7 Mbit/s per camera depends on camera brand and recording modes.
UPD. It can kneel down generic WRT router. WRT1900ACS is 2 cores 1.6 Ghz CPU. And declare performance 1900 Mbps
Depends on what special in it.
10G eqyipment cost more. So it more budget question.
You plan to use 10G devices (NAS, PC ...)?
When hidden in-wall wiring is used and cable replacment is hard. It good idea to use cable class which allow link speed upgrade in future when needed.
With full isolated VLANs yes.
But many managed switches support some kind of Port Isolation/Leakage.
For example: NVR , router and cameras in one VLAN but in different isolation groups, so any camera can communicate only with NVR but not with router or oter cmeras.
PS.
One Wi-Fi AP may be not enough for 4 floors house. So Plan VLANs for Guest Wi-Fi and Family Wi-Fi
When more complex configuration You choose, then more resources to implement, maintain and troubleshoot required. Be Wise. Look from point of view of threat scenarios.
UPD2. To keep wiring quality keep this UTP CABLING INSTALLATION PRACTICES