How to structure networks with VLANs

In this video, I show you my new managed switch from Sophos. I've split my network into multiple segments with VLANs and created a high-speed connection between the switch and my firewall system. #Sophos #VLAN #HomeLab

Timestamps:

00:00 - Introduction
00:55 - Disclaimer
01:44 - My Home Network
02:52 - Why I needed a managed Switch
05:49 - Configure the LAG
08:14 - What are VLANs?
10:39 - Configure VLANs
13:48 - PVID and Filtering
16:43 - Advantages of VLANs in networks

________________
All links with "*" are affiliate links.
Comments
Author

Great video! One friendly reminder: Cisco's proprietary protocol for EtherChannel or LAG is PAgP.
Primarily, the term "trunking" is not the same as LAG. We use the term "Trunking" when we want to pass multiple VLAN traffic over a single trunk link.
LAG is when we aggregate multiple links such as Fast Ethernet or GigaEthernet ports into one! Cisco names it "Port-Channels" :))))

mrd
Author

Good to see someone work so hard to create quality content for others. Just a hint to make VLAN tags and port types clearer and simpler: from the VLAN tag point of view we have two types of ports, Trunk ports and Access ports.
Egress frames on an Access port never have a VLAN tag, because it is removed on exit. This is why the whole VLAN mechanism is transparent to the end device attached to that Access port.
Ingress frames on Access ports are tagged with a VLAN tag when they arrive (with the VLAN the port belongs to).
So an Access port is like a smurf sitting on the port with a sponge in his left hand and a pencil (only one pencil, with the one correct VLAN color) in his right hand. Each time a frame leaves the port, the smurf uses his left hand and erases the VLAN tag with the sponge. Each time a frame arrives (usually from an end device) and enters the port, the smurf uses his right hand and tags the frame with the pencil.
Normally Access ports never receive frames with a VLAN tag from outside.
The other type of port is Trunk. The main difference is that the smurf sitting on the Trunk port does not have a sponge in his left hand, so VLAN tags remain on egress frames. So basically egress frames and ingress frames both have VLAN tags. Also, trunk ports can send and receive frames from any configured VLAN. Trunk ports are connected to trunk ports on other devices.
Also, as I wrote in another reply you might not have seen: Portchannels do not increase, or aggregate, speed. They increase bandwidth. And these two terms are often misused. I always say that a Portchannel is like a highway with multiple lanes. Even if you add more physical links to a Portchannel (more lanes to a highway) you still have the same speed (the speed limit on that highway). But with more lanes the highway can carry more traffic at that same speed. And the algorithm decides which session will use which physical link within the Portchannel.
I think people can understand these technical concepts and mechanisms more easily if they are described with analogies from life (who says smurfs don't exist? :D )
Looking forward to seeing more content from you. ;)

viktornagy
Author

Great channel! LACP actually doesn’t add the speeds of single links. It adds concurrency. It just enables you to have 2 devices at 10Gbe instead of splitting the bandwidth over the same physical cable. It’s basically a kind of load balancing with failover.

SpadeQc
Author

I've been watching your videos here and there for a while, but did not know you worked for Sophos! My company is the number 1 Sophos reseller in the United States; we eat, sleep and breathe their products. I personally run a Sophos firewall in Hyper-V as my home gateway. Great video!

xShadoku
Author

When talking about VLANs it's important to understand what a broadcast domain is: each VLAN is a unique layer 2 broadcast domain, meaning something in VLAN 2 won't be able to talk to something in VLAN 3 without enabling inter-VLAN routing and enabling FW policies. In your case you want your firewall to be the default gateway for each VLAN; this way you can apply policies to the traffic within that VLAN/subnet/broadcast domain.
- One point of clarification about your LAG: you won't "see" 20GB worth of link speed, but instead you'll have more concurrent traffic streams available on your 20GB link compared to just a single 10GB port. This gives you more bandwidth, not line-rate speed.

whiskerjones
Author

I use MikroTik devices only. I run my own wireless ISP, and for home I have an overkill setup. I have 18 different VLANs for different stuff and man, configuring a new AP or switch can be painful :D

victorshane
Author

As usual really good video! I always enjoy watching them and you inspire so much!
The part about two 10 gigabit ports in a LAG giving you 20 gigabit is to some extent true; just remember that it is still two different cables, and so one single session cannot be split between them, meaning that the total throughput between them is 20 gigabit, but for a single transfer using a single session only 10 gigabit is available.
Also, you were talking about it as speed, but in the case of LAG it is also seen as bandwidth, as the LAG will probably be used to allow more sessions through a "bigger" interface 😊
If you do a lot of file transfers, have VMs running from external storage, etc., between storage and servers, I would suggest you look into making a storage VLAN with a higher MTU of 9000 (jumbo frames) 😁

Keep up the videos! Love your content

rallegade
Author

Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?

WizardsWoW
Author

How do we draw an ASCII diagram like yours?

shamik
Author

Just in case no one commented, the LAG does not “double” the speed; it just allows different processes to use the two 10Gbps ports separately. So if you clocked the performance, you would only get 10G, but if you had multiple tests going on, each one could achieve 10G rather than sharing one 10G connection.

chapagawa
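The point this and the earlier LAG comments keep coming back to (one session always rides one member link, so a single transfer tops out at 10 Gbps while several sessions can fill both links) as an added illustration; this is not code from the video or from any commenter, the flows are constructed, and the XOR of IP last octets and L4 ports is a simplified stand-in for a switch vendor's real hashing algorithm.

```python
from collections import defaultdict

LINK_RATE_GBPS = 10.0   # capacity of each physical member of the LAG

def select_link(src_ip: str, dst_ip: str, src_port: int, dst_port: int, n_links: int) -> int:
    """Pick the member link for one flow. Real switches hash MAC/IP/L4 fields
    with a vendor-specific function; this XOR is a constructed, simplified
    stand-in. What matters is that the result depends only on the headers,
    so every packet of one session is sent over the same physical link."""
    s = int(src_ip.rsplit(".", 1)[1])
    d = int(dst_ip.rsplit(".", 1)[1])
    return (s ^ d ^ src_port ^ dst_port) % n_links

def offered_load(flows, n_links: int) -> dict:
    """Sum the demand (Gbps) that the hash places on each member link.
    A flow is (src_ip, dst_ip, src_port, dst_port, demand_gbps)."""
    load = defaultdict(float)
    for src, dst, sp, dp, demand in flows:
        load[select_link(src, dst, sp, dp, n_links)] += demand
    return dict(load)

def delivered(flows, n_links: int, link_rate: float = LINK_RATE_GBPS) -> float:
    """Throughput the LAG actually delivers: every member link caps at
    link_rate, so 2 x 10 Gbps is only reached when the flows spread out."""
    return sum(min(load, link_rate) for load in offered_load(flows, n_links).values())

# Constructed flows from a workstation in VLAN 10 to a file server in VLAN 20 (SMB, port 445).
ONE_BIG_COPY = [("10.0.10.5", "10.0.20.7", 40000, 445, 20.0)]   # one session wanting 20 Gbps
TWO_SESSIONS = [("10.0.10.5", "10.0.20.7", 40000, 445, 10.0),
                ("10.0.10.5", "10.0.20.7", 40001, 445, 10.0)]   # hash onto different links
SAME_LINK = [("10.0.10.5", "10.0.20.7", 40001, 445, 10.0),
             ("10.0.10.6", "10.0.20.7", 40000, 445, 10.0)]      # happen to share one link

if __name__ == "__main__":
    print(delivered(ONE_BIG_COPY, 2))   # 10.0: a single session never exceeds one link
    print(delivered(TWO_SESSIONS, 2))   # 20.0: two sessions on two links fill the LAG
    print(delivered(SAME_LINK, 2))      # 10.0: two sessions hashed onto the same link
```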
Author

This video was my inspiration for finally getting a Sophos switch. I did in fact purchase the 24-port model, and I will use this video as a tutorial for setting up VLANs. I look forward to many more great things from Sophos. :) This will hopefully replace my current TP-Link switches and Omada controller, which are OK, but having the single pane of glass from Sophos will make things that much easier. Sophos Central is really coming along and just seems to get better and better all the time.

canadianwildlifeservice
Author

Christian, you helped me a lot during the past years when I went back to school to learn IT administration, Windows and Linux.
Again, thanks for all the content you offer; it is a great resource for every beginner.

rom_
Author

Although I'm very keen on your lesson, I am most interested in the tool you've used to create the scheme in .md of your network at 1m50s. :-)

martindebes
Author

This was too complex of a setup for me to understand the concept of VLANs.

emsicz
Author

You should NOT put your local servers in a DMZ; a DMZ is normally used for internet-facing servers, not local servers. So DMZ is used wrongly here.

krisboeckx
Author

Helpful video, but I am still struggling with it. I think I've watched every VLAN video on YouTube and I don't think I've seen a single example of inter-VLAN routing on the same switch. For example, and take the router and the needed firewall rules out of play here: you have a VLAN for a single workstation, another VLAN for a single printer, and lastly another VLAN for a file server. All these devices are plugged into the same switch (48-port in my case). Now, workstations without printing and access to a file server would be useless, don't you agree? In this case should the ports for the workstation and printer be set as access (untagged)? I guess the server port would be trunked (tagged) because the 2 VLANs need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.

nottad
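The access/trunk "sponge and pencil" behaviour described in the earlier comment, and the question just above about three VLANs on one switch, as an added simulation; this is not code from the video or from any commenter, and the four-port switch, its PVIDs and the allowed-VLAN lists are constructed for the example. It shows why two access ports in different VLANs never hear each other on the switch alone: only the trunk to the firewall (the default gateway) carries both VLANs.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    """'access': one VLAN (the PVID). 'trunk': PVID untagged, `allowed` tagged."""
    mode: str
    pvid: int
    allowed: set = field(default_factory=set)

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """Classify an arriving frame (tag = 802.1Q id, None = untagged) or drop."""
        if tag is None:
            return self.pvid                         # the 'pencil': untagged gets the PVID
        if self.mode == "access":
            return None                              # access ports refuse tagged frames
        return tag if tag in self.allowed else None  # ingress filtering on a trunk

    def egress(self, vlan: int):
        """Return (forward, tag_on_wire) for a frame classified into `vlan`."""
        if vlan == self.pvid:
            return True, None                        # the 'sponge': PVID leaves untagged
        if self.mode == "trunk" and vlan in self.allowed:
            return True, vlan                        # other VLANs leave tagged
        return False, None                           # not a member of this VLAN

def forward(ports: dict, src: str, tag: Optional[int]) -> dict:
    """Flood a frame arriving on `src`; return {port: tag_on_wire} of transmitters."""
    vlan = ports[src].ingress(tag)
    if vlan is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name != src:
            ok, wire_tag = port.egress(vlan)
            if ok:
                out[name] = wire_tag
    return out

# Constructed sample switch: workstation in VLAN 10, printer and file server in
# VLAN 20, one trunk to the firewall carrying both VLANs tagged (PVID 1 native).
SWITCH = {
    "workstation": Port("access", pvid=10),
    "printer": Port("access", pvid=20),
    "fileserver": Port("access", pvid=20),
    "firewall": Port("trunk", pvid=1, allowed={10, 20}),
}

if __name__ == "__main__":
    print(forward(SWITCH, "workstation", None))  # {'firewall': 10}: nothing in VLAN 20 hears it
    print(forward(SWITCH, "firewall", 30))       # {}: VLAN 30 is filtered on the trunk
```

The workstation's frame reaches only the firewall, tagged 10; to print or reach the file server it must be routed there (and pass the firewall's policy) and come back down the trunk tagged 20.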
Author

How would I put all my unsecured WiFi IoT devices in one group, since I can't assign them to a specific VLAN port? Or am I missing something?

Do I have to use a separate access point just for my IoT devices? Not sure if that's a smart idea, to have one access point for my trusted devices and one for my untrusted (IoT) devices.

AS-oslj
Author

I think you would be helping the Sophos team with your videos. The way you go about presenting the information is personable and easy to understand.

seanwoods
Author

A /16 network in a home environment doesn't make any sense :D

adrianbonde
Author

Well, I bet you work in German public services. There is no other reason for using Sophos :D

Alex-scrc