Network Design - Keep it simple - Untagged VLANs

Sometimes when you try to get cute or overcomplicate network design, it can have the opposite of the desired effect. In this case a customer switched their PVID and UNTAGGED VLANs to 100 on the switch, but couldn't really tell me why except to not use VLAN 1. Well, by making everything PVID and UNTAGGED 100 you just moved everything to VLAN 100, so what's the difference at the switch level?

Affiliate Links (I earn a small percentage of the sale if you use these links):

Time Stamps:
00:00 - Intro
00:15 - Dry Erase Board VLANs
03:17 - Wrap up!

Contact us for network consulting and best practices deployment today! We support all Grandstream, DrayTek, Obihai, Poly, Ubiquiti, MikroTik, Extreme, Palo Alto, and more!

Come back for the next video!
Twitter - @WillieHowe
Instagram - @howex5
TikTok - @whowe82

SUBSCRIBE! THUMBS-UP! Comment and Share!
Comments

Ahh! A fresh cup of coffee and a Willie video first thing in the morning to get me going :) Good video!

JasonsLabVideos

Operational difference could be that traffic coming out of sw2 is untagged for VLAN 100, but when traffic goes into sw2 then VLAN tag 100 is added to the frame... thus traffic with VLAN 100 leaves sw2 to the router, for example through a trunk port, arriving at a router with all traffic from sw2 tagged with VLAN 100. Is this not true? Great video btw and it certainly makes that part of your brain itch. Thanks for the vid
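The description's point (all ports PVID/untagged 100 is the same as all ports PVID/untagged 1) and the comment above (a tagged uplink does show the VID to the router) can both be checked in a small 802.1Q forwarding model. This is an added example, not code from the video or from any vendor: the Port class, the three access ports plus one uplink, and the simplified ingress/egress rules are constructed assumptions, and the model ignores MAC learning and floods every frame.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port in a simplified 802.1Q model (constructed for this example)."""
    name: str
    pvid: int                                      # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)     # VLANs this port emits without a tag
    tagged: set = field(default_factory=set)       # VLANs this port emits with a tag

    def members(self):
        return self.untagged | self.tagged


def ingress(port, vid=None):
    """Classify an arriving frame. vid=None is an untagged frame and gets the PVID;
    a tagged frame keeps its VID. Returns None when the port is not a member (drop)."""
    v = port.pvid if vid is None else vid
    return v if v in port.members() else None


def egress(port, vid):
    """How a frame of VLAN `vid` leaves `port`: 'untagged', 'tagged', or None (not a member)."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def forward(switch, in_port, vid=None):
    """Flood one frame to every other member port.
    Returns {port_name: (egress form, VLAN id the frame belongs to on that link)}."""
    v = ingress(switch[in_port], vid)
    if v is None:
        return {}
    result = {}
    for name, p in switch.items():
        if name == in_port:
            continue
        form = egress(p, v)
        if form:
            result[name] = (form, v)
    return result


def build_switch(vlan, uplink_tagged=False):
    """Three access ports with PVID/untagged = `vlan`, plus an uplink that carries
    `vlan` either untagged (the customer's setup) or tagged (a trunk to a router)."""
    sw = {f"port{i}": Port(f"port{i}", pvid=vlan, untagged={vlan}) for i in (1, 2, 3)}
    if uplink_tagged:
        sw["uplink"] = Port("uplink", pvid=vlan, tagged={vlan})
    else:
        sw["uplink"] = Port("uplink", pvid=vlan, untagged={vlan})
    return sw


def egress_forms(switch, in_port):
    """Only the untagged/tagged shape of what each port emits, ignoring the VID."""
    return {k: v[0] for k, v in forward(switch, in_port).items()}


def moving_everything_changes_nothing():
    """All ports on VLAN 1 vs all ports on VLAN 100: every port still emits an
    untagged frame, so the hosts cannot tell the two designs apart."""
    return egress_forms(build_switch(1), "port1") == egress_forms(build_switch(100), "port1")


def uplink_vid(vlan):
    """With a tagged uplink the router does see the difference: the tag carries `vlan`."""
    return forward(build_switch(vlan, uplink_tagged=True), "port1")["uplink"]


def cross_vlan_isolated():
    """A port left on VLAN 1 and a port moved to VLAN 100 on one switch exchange nothing."""
    sw = {"port1": Port("port1", pvid=1, untagged={1}),
          "port2": Port("port2", pvid=100, untagged={100})}
    return forward(sw, "port1") == {} and forward(sw, "port2") == {}


if __name__ == "__main__":
    print("VLAN 1 everywhere == VLAN 100 everywhere:", moving_everything_changes_nothing())
    print("tagged uplink, all ports on 100:", uplink_vid(100))
    print("VLAN 1 port isolated from VLAN 100 port:", cross_vlan_isolated())
```

The only place the number 100 becomes visible is a tagged egress port; with every port untagged on the same VLAN, the switch behaves exactly as it did on VLAN 1, and the isolation you might expect only appears when some ports stay on VLAN 1 while others move.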

josegranados

The setup in this example does not make logical sense to me. Why not keep the infrastructure on the same management VLAN, then create other VLANs & use PVID to designate specific ports on the switches to separate out traffic. Just saying…

QuikTechSolutions

I was confused when my new company came in, disabled VLAN 1, and then made everything on a new VLAN. When I asked why we did that, I was told it was good security to disable VLAN 1. I am guessing it is for security on trunk ports and not access ports.

TVJAY

In some cases there may be an issue with Spanning Tree Protocol; some versions of STP work with the default VLAN 1 to send BPDUs. But it really depends on the switch vendor.

romchiko

Still cannot understand tagged vs untagged, and what's PVID?
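Tagged, untagged and PVID are easiest to see at the byte level: a tag is four extra bytes (TPID 0x8100 plus a TCI holding priority and the 12-bit VLAN ID) inserted after the source MAC, an untagged frame simply lacks them, and the PVID is the VLAN a switch assigns to a frame that arrives without one. This is an added example, not part of the video or any product; the sample ARP frame, the MAC addresses and the walk_through path (host, access port with a PVID, tagged trunk, untagged port on the far switch) are constructed.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: 6-byte destination, 6-byte source, 2-byte EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    """A tagged frame has TPID 0x8100 where an untagged frame has its EtherType."""
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.
    This is what a tagged egress port does; an untagged port sends the frame as-is."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if is_tagged(frame):
        raise ValueError("frame already carries a tag")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag (untagged egress). Returns (vid, pcp, untagged_frame);
    vid and pcp are None when the frame was not tagged."""
    if not is_tagged(frame):
        return None, None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def classify(frame, pvid):
    """Ingress classification: tagged frames keep their VID, untagged ones get the PVID."""
    vid, _, _ = strip_tag(frame)
    return pvid if vid is None else vid


# Constructed sample: a broadcast ARP request from a host, untagged as a PC sends it.
HOST_FRAME = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("021122334455"),
                         0x0806, bytes(28))


def walk_through(pvid=100):
    """Host -> access port (PVID) -> tagged trunk -> untagged port on the far switch.
    Returns the VID seen on the trunk and whether the far host gets the original frame."""
    vid = classify(HOST_FRAME, pvid)                # first switch picks the VLAN from PVID
    on_trunk = add_tag(HOST_FRAME, vid)             # tagged egress toward the other switch
    vid_seen, _, delivered = strip_tag(on_trunk)    # untagged egress to the far host
    return vid_seen, delivered == HOST_FRAME


if __name__ == "__main__":
    print(len(HOST_FRAME), "byte frame;", len(add_tag(HOST_FRAME, 100)), "bytes once tagged")
    print(walk_through(100))
```

The host never sees a tag in either direction; only the trunk carries the extra four bytes, which is why an end device cannot tell whether its port's PVID is 1 or 100.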

bitkahuna

This video made me think of something.
The Switch Flex Mini: is there a way to set up a port so you can come onto a site, plug it in and use it as your access to the management interfaces? Unplug it and the access is gone?

jasonperry

A good example is if you have an IP camera system. The cameras are all external to the office. A hacker can unplug a camera, connect her laptop. BAM! They are now on your network. (Better yet, install a small wifi router, reconnect the camera. Camera still up n working. She can now sit in her van in a parking lot and just own your network.)

Instead, you use VLANs. One VLAN for cameras, one VLAN for smart home type devices, one VLAN for management such as server ILO and access point interfaces, a VLAN for VoIP, a VLAN for customer computers if you are a repair shop. The customer VLAN is in case you connect a trojan horse PC or a ransomware-infected system that will scan the network and infect others.

In this case, when she connects to a camera network cable, she shall only have access to that: cameras and the NVR. You can enable port isolation too.

Now, if she had just been faithful, she would not have tried to hack your stuff and plant evidence that you are an alien, so her dad's secret team can abduct you and take you to base 51.

BigBadDodgex

Personally, there is no operational difference except adding complexity and possible network issues, especially with the provisioning of some new devices. Some manufacturers configure their devices to be on VLAN 1 by default. Yes, there are ways around it, but why put yourself in the problems without any real benefit?

midnightwatchman

Question: would this mean the devices on VLAN 1 would not see the devices on VLAN 100??? Other than that, WHY indeed!!?

OLDMANDOM.Dominic

This type of diagram makes me want a full network including default gateways. But certainly a management VLAN being the same as a user VLAN is poor security practice. If you want to move away from the default VLAN that's fine, too.

samsampier

If I'm using a NAC like ISE or ClearPass, they don't like VLAN 1 as the default VLAN.

jhippl

We have taken the route that:
IDF:
Unused ports default to untagged VLAN 1/base VLAN (and are admin set to down; the untagged is just an extra level of security'ish measure)
Used ports are untagged access to whatever VLAN they belong to, or trunk in case multiple VLANs are needed (with ACLs/RADIUS etc.)
All trunk ports going from the IDF to the MDF are purely tagged, and VLAN 1 is forbidden.

MDF:
No VLAN 1 in the setup

This should ensure that someone plugging into an unused port is limited to whoever else is plugged into an unused port, in case IT forgets to down the port.
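The design in the comment above is concrete enough to audit mechanically: trunks purely tagged and free of VLAN 1, unused ports shut down and parked on the base VLAN, and the base VLAN never carried toward the MDF. This is an added example, not the commenter's or any vendor's tooling; the PortCfg record, the port names and both sample port tables are constructed, and a real audit would fill the table from a config export or SNMP walk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCfg:
    """Constructed port record: what a config export or SNMP walk would give you."""
    name: str
    role: str                  # "access", "trunk" or "unused"
    admin_up: bool
    pvid: int
    untagged: frozenset = frozenset()
    tagged: frozenset = frozenset()

    def vlans(self):
        return self.untagged | self.tagged


def audit(ports, base_vlan=1):
    """Return a list of findings where the port table departs from the design:
    trunks purely tagged and free of the base VLAN, unused ports down and parked on
    the base VLAN, and the unused-port VLAN never carried on a trunk."""
    findings = []
    trunk_vlans = set()
    for p in ports:
        if p.role == "trunk":
            trunk_vlans |= p.vlans()

    for p in ports:
        if p.role == "trunk":
            if p.untagged:
                findings.append(f"{p.name}: trunk carries untagged VLAN(s) "
                                f"{sorted(p.untagged)}; should be purely tagged")
            if base_vlan in p.vlans():
                findings.append(f"{p.name}: trunk carries VLAN {base_vlan}; "
                                f"forbid it on the IDF-MDF link")
        elif p.role == "unused":
            if p.admin_up:
                findings.append(f"{p.name}: unused port is admin up; shut it down")
            if p.pvid != base_vlan or p.vlans() != {base_vlan}:
                findings.append(f"{p.name}: unused port is on VLAN {p.pvid}, "
                                f"not parked on VLAN {base_vlan}")
            if p.pvid in trunk_vlans:
                findings.append(f"{p.name}: unused-port VLAN {p.pvid} is carried on a "
                                f"trunk, so a stray device is not contained")
        elif p.role == "access":
            if p.untagged != frozenset({p.pvid}):
                findings.append(f"{p.name}: access port PVID {p.pvid} does not match "
                                f"its untagged VLAN {sorted(p.untagged)}")
        else:
            findings.append(f"{p.name}: unknown role {p.role!r}")
    return findings


# Constructed IDF port table that follows the design: data ports, a data+voice port,
# one unused port shut down on VLAN 1, and a purely tagged uplink without VLAN 1.
GOOD_IDF = [
    PortCfg("port1",  "access", True,  20, untagged=frozenset({20})),
    PortCfg("port2",  "access", True,  30, untagged=frozenset({30}), tagged=frozenset({40})),
    PortCfg("port23", "unused", False, 1,  untagged=frozenset({1})),
    PortCfg("uplink", "trunk",  True,  20, tagged=frozenset({20, 30, 40})),
]

# Same table after two common slips: the unused port was left up, and VLAN 1 was
# allowed onto the uplink, which is exactly what lets a stray device reach the MDF.
BAD_IDF = [
    GOOD_IDF[0], GOOD_IDF[1],
    PortCfg("port23", "unused", True, 1, untagged=frozenset({1})),
    PortCfg("uplink", "trunk",  True, 20, tagged=frozenset({1, 20, 30, 40})),
]


if __name__ == "__main__":
    for label, table in (("good", GOOD_IDF), ("bad", BAD_IDF)):
        print(label, "->", audit(table) or "no findings")
```

The third finding on the bad table is the one that matters for the commenter's fallback: if IT forgets to shut the port, containment depends entirely on the uplink not carrying the parked VLAN, so that rule is worth checking on every trunk, not just documenting.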

sarhtaq

Nice video! Dealing with VLANs now with a GWN7000 or MikroTik gateway and a TP-Link Omada switch at our store. There is an extra step with those switches for VLANs. I have simple VLANs: one that's native (1), VLAN 20 for voice and VLAN 30 for guest wifi.

gibbykaro

Ok, so for the most part I dislike doing VLANs UNLESS the customer has plenty of money for Cisco gear. Over 20 years now, I have found that with most regular hardware the VLAN and PVID configurations slow down the switches and the routers. So I avoid it. Sure, on my team I have a Cisco certified person that can do it, but I still don't like it.
1. If you want it to work consistently and NOT fail you need Cisco gear, which is expensive.
2. If a customer needs to reboot a VLAN then we have to reboot ALL VLANs.
3. It's a lot of extra complexity which takes time to build and maintain.
So I build separate networks if at all possible, ya, an extra switch / router, etc. They are secure too, without all the extra work. Yes, more gear, still less cost than good Cisco gear.
And the customer can reboot LAN XXX with ease, without my team. Just reboot switch / LAN XXX, no problem. The whole building won't go down either.

lespederson