Good to see someone works such hard to create quality content for others. Just a hint to make VLAN tags and port types more clear and simple: From VLAN tag point of view we have two type of ports. Trunk ports and Access ports. The egress frames on an Access ports never have VLAN tag, because it is removed when exiting. This is why the whole VLAN mechanism is transparent to the end device attached to that Access port. The ingress frame on Access ports are tagged with VLAN tag when it is arrived (with the VLAN the port belongs to). So Access ports are like a smurf sitting on an Access port and he has a sponge in his left hand and a pencil (only one pencil with the one correct VLAN color) in his right hand. Each time a frame leaving the port, the smurf uses his left hand and erases the VLAN tag with the sponge. Each time a frame arrives (usually from an end device) and entering to the port, the smurf uses his right hand and tags the frame with the pencil. Normally Access ports never receive frames with VLAN tag from outside. The other type of port is Trunk. The main different is that the smurf sitting on the Trunk port does not have sponge in his left hand, so VLAN tags will remain on egress frames. So basically egress frames and ingress frames also will have VLAN tags. Also, trunk ports can send and receive frames from any configured VLAN. Trunk ports are connected to trunk ports on another devices. Also, as I wrote in an another reply you might not seen: Portchannels not increasing, or aggregating speed. They increasing bandwidth. And these two terms are often misused. I always say that Portchannel is like highway with multiple lanes. Even if you add more physical links to a Portchannel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic with that same speed. And the algorithm will decide which session will use which physical link within the Portchannel. I think people can understand more easily these technical concepts and mechanisms if they are described with analogy from life (who says smurfs dont exists? :D ) Looking forward to see more content from you. ;)
Great video! One friendly reminder: Cisco proprietary protocol for Etherchannel or LAG is PAgP. Primarily, the term "trunking" is not the same as LAG. We use the term "Trunking" when we want to pass multiple VLAN traffic over a single trunk link. LAG is when we aggregate multiple links such as Fast Ethernet or GigaEthernet ports into one! Cisco names it "Port-Channels" :))))
I love how some vendors like HP/Aruba use the term "trunking" in reference to a LAG which is not confusing at all (/s) when mixing HP & Cisco switches.
Great channel! LACP actually doesn’t add the speeds of single links. It adds concurrency. It just enables you to have 2 devices at 10Gbe instead of splitting the bandwidth over the same physical cable. It’s basically a kind of load balancing with failover.
@@TheRayDog I think we should not conflate throughput with speed. I believe that is what the previous commenter was trying to point out. Indeed double the throughput, but NOT double the speed. The analogy I have used for years is that it is another lane in the highway--it allows for more traffic to come through. But the speed limit is the same (the posted limit, anyway ;) )
I've been watching your videos here and there for a while, but did not know you worked for sophos! My company is the number 1 sophos reseller in the united states, we eat sleep and breathe their products. I personally run a Sophos firewall running in Hyper-V for my home gateway. Great video!
Christian you helped me a lot during the past years where I went back to school learn It administration, windows and linux. Again thanks for all the content you offer it is a great ressource for every beginner.
Thanks. Great tutorial for VLAN understanding. For someone new to VLAN operation, this is priceless information! So many people throw jargon around and try to impress us with what they don't know. Your video is refreshing in its content, production and approach.
This video was my inspiration for finally getting a Sophos Switch. I did in fact purchase the 24 port model, and I will use this video as a tutorial to setting up VLANS . I look forward to many more great things from Sophos. :) This will hopefully replace my current TP-Link switches and Omada controller which are OK, but having the single pane of glass from Sophos will make things that much easier. Sophos Central is really coming along and just seems to get better and better all the time.
Just in case no one commented, the LAG does not “double” the speed; it just allows different processes to use the two 10Gbps ports separately. So if you clocked the performance, you would only get 10G, but if you had multiple tests going on, each one could achieve 10G rather than sharing one 10G connection.
When talking about vlans it's important to understand what a broadcast domain is - each vlan is a unique layer 2 broadcast domain meaning something in vlan 2 won't be able to talk to something in vlan 3 without enabling inter vlan routing and enabling FW polices. In your case you want your firewall to be your default gateway for each vlan this way you can apply policies to the traffic within that vlan/subnet/broadcast domain. - one point of clarification about your LAG - you won't "see" 20GB worth of link speed, but instead you'll have more concurrent traffic streams available on your 20GB link compared to just a single 10GB port. This gives you more bandwidth, not line rate speed.
I'm having my ass kicked by inter vlan routing. I use a Cisco router with zoned based firewall and a physical network port for each vlan (because it came crammed with HWICs, so why not?) and some vlans in my setup can talk with others, some can't talk with no one besides internet and some can only have traffic in one way. Works beautifully when testing with an endpoint in each port. My 3com layer 3 switch f*cks everything and lets anyone talk with everyone. I don't know how to disable it on them.
@@RoboticParanoia Sounds like you have a lot going on there. I'd suggest removing the layer 3 portion of your 3com switch. You want your routing and policy matching to take place on your router in this case. Trunk your vlans up from your switch to your router and work on your policies and test as you build out.
As usual really good video! I always enjoy watching them and you inspire so much! The part about 10 gigabit ports in LAG giving you 20 gigabit is to some extend true, just remember that it still is two different cables and as so one single session can not be split between them meaning that that total throughput between them is 20 gigabit but for a single transfer using a single session for the transfer only 10 gigabit is available. Also you were talking about it as speed, but in the case of LAG it is also seen as bandwidth as the LAG Wil probably be used to allow more sessions through a "bigger" interface 😊 If you do a lot of transferring of files, having vm's running from external storage etc between storage and servers I would suggest you look into making a storage vlan with a higher MTU of 9000 (jumbo frames) 😁 Keep up the videos! Love your content
@@rallegade @The Digital Life This is what I also wanted to say. Portchannels not increasing speed, they increasing bandwidth. And these two terms are often misused. I always say that Portchannel is like highway with multiple lanes. Even if you add more physical links to a Portchannel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic with that same speed. And the algorithm will decide which session will use which physical link within the Portchannel.
Great video and explaination of vlans, Christian! I would love a sophos switch. They are a bit on the expensive side, but I think that it is a nice touch to the sophos ecosystem and integrates into Sophos Central. I would replace my tp link Omada switch with one and have a proper switch. You are an asset to the Sophos community. Hope you are doing better.
Sehr schönes Video. Das sind Grundlagen die ich immer schon mal verstehen wollte, wo ich aber nie den Einstieg fand. Ich hatte einige AHA-Erlebnisse beim Anschauen. Danke!
One thing to note about LAGs is that the bandwidth is the aggregated speed, but your throughput will still only be the speed of a single link. If you were to run a speed test across the link you would see this. The reason is how LACP and other LAG protocols work. They will use the source MAC, destination MAC, or both to pin that connection to a single link. (this is usually configurable) This allows for less congestion for multiple devices that need to talk at the same time, but doesn't help for increasing the speed coming from a single connection. The analogy I like to use is think of LAG member ports as different lanes on a highway. While driving you can only occupy one lane at a time, and each lane has a maximum speed limit. When there isn't any congestion to you having 4 lanes to choose from means nothing to you. however when there is congestion the added lanes increases the capacity of the road so cars don't have to slow down to wait for one another. Otherwise great video.
Awesome video man. Thank you for making this. I watched a few videos and read a bit about VLAN's. I sort of got the idea but not the full concept. Others would explain it and I get the facts but.....the facts don't contain a lot of data I can turn into something visual when they explain it. Its like IRL CMD....you get all data fed to you in text. You gotta focus. Its not as easy as if you could turn the data into something visual for your mind to attach to. But the way you explained it.....you basically told us about your network setup in reference to VLANs. If this was a podcast with no video I would have still gotten more than enough information because the explanation was packed with a lot of information that I could easily turn into something visual. No longer like IRL CMD. Now its like IRL File Explorer where you can easily visualize the data fed to you. You see the folders and where they are at as well as the files. Your explanation not only had the facts of what VLANs are...but a good chunk of why was explained so that I am not sitting here taking educated guesses as to what one might do with this. Simultaneously you also gave better understanding to a newb on the concepts of a VLAN deployment in a real scenario (totally better than me taking an educated guess) and even took the time to throw in a bonus link aggregation tutorial. You freaking nailed it man. I learned a great deal about VLANs in 20 minutes. Somebody get this man a fruit basket....NOW!!! This my first time here. You easily gained a like and sub from me on the first try. I was able to setup my VLAN network and understand because you made it easy. I don't normally do this...but... You did good bro. You did good
On your B roll of your switches you have your F Stop to high on your camera. Lower your Fstops and raise your ISO or lengthen your shutter speed. What this will do is give you a deeper depth of field for your camera when showing B roll so the only thing in focus will not only be the closes point of the Ethernet cables.
As always , Perfect Vid but you can use same boundle(LAGG) and create what is called Sub Interface (On firewall side ) and prevent using didicated LAGg for each VLAN, you will archive same goal with more scalability!
Just be aware that this can mean performance penalties depending on how the firewall handles the subinterfaces. This setup is known as router on a stick and can be helpful in situations where a simpler network is wanted, but is often substituted with layer 3 switches running virtual interfaces per vlan instead. This is also why enterprise networks utilize L3 switches in core and distribution layer as they can do L2 at wirespeed because of dedicated ASIC's as well as offloading L3 routing to hardware.
@@rallegade I'm not sure what you're saying is technically correct - instead I'd say for the situation you're describing you'd be better off doing something like OSPF between your firewall and your switching infrastructure and "force" traffic to your firewall. If you're forwarding packets outside a firewall policy (ie layer 3 switch/svi on your switch) you're opening yourself up for potential unintended traffic flows which will be harder to manage because you're limited to simple ACLs policies and end up with too many management points to deal with.
@@whiskerjones9662 I totally agree with this! The inherent problem is that all routing between the subnets will happen on the switch now and the firewall can not do anything about it. I must admit that I have not heard about this type of setup where OSPF can force the the traffic to be forwarded onto the firewall. It sounds like a dream scenario to be able to offload layer 2 to 3 traffic on the switch and then forward it to the router for it to do what it is supposed to do, separate, segregate and inspect the traffic. Could you possibly point me to a paper on a setup like this as I would be very interested in trying it out in my own lab, as I am having the before mentioned setup because of the penalties of intervlan routing on the firewall. Love learning new things!
@@rallegade When I say force, I'm really talking about using routing to influence your traffic flows. Longest match wins so this involves a bit of traffic engineering and planning to deploy but is very common in the wild. I'd suggest looking over the Cisco validated design guides for more specifics as a starting point. As with anything in life there are a million ways to accomplish the same goal so a lot of network design comes from experience with a focus on the KISS principle. Unfortunately a lot of the times we think we're really smart doing some fancy deployment only to find out that we end up with unintended consequences and a network/environment that's next to impossible to troubleshoot. I don't pretend that i'm the end all be all but I've certainly been in a lot of networks in my time - feel free to reach out and we can discuss more outside YT comments :)
Thank you for this amazing guide. It has helped me a lot. Could you please make another one for a case like this... I have created 5 VLANs on my Sophos switch and I want each VLAN to have its own IP address and maybe a different subnet if possible. I'm using Sophos XG as my router. I will really appreciate.
Basically, you can follow the same guide as described in the video. You just need to add 5 VLAN interfaces to XG, and they will all have their own IP settings
I use MikroTik devices only. I run my own WirelessISP and for home i have an overkill setup. I have 18 different VLANS for different stuffs and man, configuring a new AP or Switch can be painful :D
Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?
If you want a complete solution for mapping your network, you can check what a CMDB is. It also provides a lot more features like tracking all your different server configurations It's way more overkill though
:yt:Some great comments below from Mr D, Jason Davis, and R G. I would only add as being a network engineer that goes back to the days of Wellfleet Routers, Cisco MGX Brouters and ArcNet, Banyan Vines, and good ole Token Ring. It is important to keep the syntax of packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "Frame" with Ethernet you were correct, but there were a few forgivable errors where you interchange a Layer 2 technology with the term packet which is Layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA . And if you get asked, ATM is a 53byte cell, 48 bytes payload, 5bytes header. And ask them what the hell are they using ATM for, if A) yhey are not a telco and B) when Ethernet is so much easier 🤣🤣🤣
Great video on your networking, probably more sophisticated than what I need. Is your Sophos firewall better than the firewall in my ASUS router? I plan to just add a managed switch between my router and computers that I want on VLAN so I can still use wireless connection on my router for those computers that don't require additional security provided by the VLAN. I want the computers on the VLAN (old SGI computers to have access to the printer on the network as well.) The old SGIs are not as secure on the internet and require careful security setup within the IRIX operating system for hardening. I am hoping that the VLAN essentially makes them invisible to the internet but visible on my home network side. I will probably use a CISCO Catalyst 1000 switch.
that untagged and tagged VLAN configuration to fw was pretty smart. I haven't thought of that approach. Will this work if my switch doesn't have the PVID feature?
Geeat video! Just a quick question. Why wouldnt you just want to have everything tagged instead of leaving the native vlan on for your dmz? Wouldnt it be better for security to use a different vlan for those and drop the native vlan altogether?
You should properly make a video on the various types of managed switches, as most videos on RU-vid seams to indicate that a switch is either managed or unmanaged. However a managed switches does not all have the same feature sets, which I learned after buying one and found myself missing things like ACL. Especially TP-Link has very poor marketing with their naming schemas like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.
Helpful video but I am still struggling with it. I think I've watched every VLAN video on RU-vid and I don't think I've seen a single example of Inter-vlan routing on the same switch. For example and take the router and the needed firewall rules out of play here, you have vlan for a single workstation. Another VLAN for a single printer. Lastly, another vlan for file server. All these devices are all plugged into the same switch (48 port in my case.) Now workstations without printing and access to a file server would be useless don't you agree? In this case should the port for the workstation and printer be set as access(untagged?) I guess the server port would be trunked(tagged) because the 2 vlans need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.
I agree the concept is hard to understand. You can use tagged ports if your device is aware of vlans and you configure the different ids and networks on the interface. Typically you use it to send multiple virtual networks through a single port. Untagged means the port is not aware of vlan ids and just bound to one specific vlan. The PVID should be configured according to the vlan Id of an untagged port.
Great video, learned a lot. Maybe I'm a fool to suggest this but it seems to me that a product that is managed switch and firewall would spear one all the sending back and forth?
Thank you! :) Firewalls and Switches really have different use cases, a Firewall might have some features of a Switch and a Switch might have some features of a Firewall. But I always tend to buy these devices separately, as they're best at what they're built for.
Interesting setup. Well explained. You mentioned you use the Fritzbox as a gateway. How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble to route ITV on a L3 switch to a different vlan. Maybe you have a tip for me how to solve this. Vlan 4 internet, vlan 6 ITV, vlan 7 iptel is incoming from my ISP to my fritzbox. The only way I get it working is to have ITV on vlan 1 (default) on the switch. if i try to reroute to different vlan i get issues (stuttering & freezing). Any ideas???
@@christianlempa digital tv. We're I'm from were used to say ITV to that. It's more same as what happened to phones that are now VoIP. Hopefully it clears up the question.
How would I put all my unsecure WiFi IoT Devices in one group? Since I cant assign them to a specific vlan port? Or I am missing something? Do I have to use a separate access point just for my IoT Devices? Not sure if thats smart idea to have one access point for my trusted devices and one for my untrusted (IoT) devices.
if you have multiple Unifi APs which have lets say 2 wifi networks (stuff and guest created in Unifi Controller) and connected to sophos on the same port (vlan1 &vlan2) via unmanaged switch how to prevent the two network see each other?
@@christianlempa I was actually trained in juniper firewalls in 2000, but the isg didn't existed. This is the second one I touch. I'm kinda overwhelmed by the sheer power and the amount of resources it have. I didn't had time to tinker deep with it, I only set up two of its ports and trusted and untrusted and put standard rules so it can work, but I'm pretty sure I've seen something about virtualization. And surf shark. I'll definitely lose some nights of sleep on it after I finish the new cabling here and the rack arrives. It's everything piled on a coffee table of sorts. Even the no breaks. Poor table.
Hello Christian, I still have big problems with my switch and my OPNsense FireWall. Could you maybe help me configure the Switch correctly? I'm still very confused by why my network doesn't work.
Sorry but that is just pedantic, a DMZ is a separate zone between your LAN and WAN where to put devices that are controlled by firewall rules. Nobody says it can't be used for this and that. The point here is to show how to protect your home servers.
1) your Internet is most likely slower than 20Gbit/s, the argument of needing LAG for Internet is … lame at best 2) most people fail to explain what actually makes VLAN „secure“ You are until now, the most close as you at least mentioned that the traffic goes over firewall But As most VLAN teachers you did not mention the downsides 3) unfortunately most people come from cost-saving perspective, so instead of buying 2 cheap switches and run them over firewall, they buy one big one with more ports and start fiddling around, replicating the experience you would have if you just would have used 2 instead Espescially worse if you have 2 unused laying around, but feel the urge to buy a new one
