How to structure networks with VLANs

Great video! One friendly reminder: Cisco proprietary protocol for Etherchannel or LAG is PAgP.
Primarily, the term "trunking" is not the same as LAG. We use the term "Trunking" when we want to pass multiple VLAN traffic over a single trunk link.
LAG is when we aggregate multiple links such as Fast Ethernet or GigaEthernet ports into one! Cisco names it "Port-Channels" :))))

I've been watching your videos here and there for a while, but did not know you worked for sophos! My company is the number 1 sophos reseller in the united states, we eat sleep and breathe their products. I personally run a Sophos firewall running in Hyper-V for my home gateway. Great video!

Hey great content! It’s really nice to see network related stuff as well in this channel. Much love ❤️

Good to see someone works such hard to create quality content for others. Just a hint to make VLAN tags and port types more clear and simple: From VLAN tag point of view we have two type of ports. Trunk ports and Access ports.
The egress frames on an Access ports never have VLAN tag, because it is removed when exiting. This is why the whole VLAN mechanism is transparent to the end device attached to that Access port.
The ingress frame on Access ports are tagged with VLAN tag when it is arrived (with the VLAN the port belongs to).
So Access ports are like a smurf sitting on an Access port and he has a sponge in his left hand and a pencil (only one pencil with the one correct VLAN color) in his right hand. Each time a frame leaving the port, the smurf uses his left hand and erases the VLAN tag with the sponge. Each time a frame arrives (usually from an end device) and entering to the port, the smurf uses his right hand and tags the frame with the pencil.
Normally Access ports never receive frames with VLAN tag from outside.
The other type of port is Trunk. The main different is that the smurf sitting on the Trunk port does not have sponge in his left hand, so VLAN tags will remain on egress frames. So basically egress frames and ingress frames also will have VLAN tags. Also, trunk ports can send and receive frames from any configured VLAN. Trunk ports are connected to trunk ports on another devices.
Also, as I wrote in an another reply you might not seen: Portchannels not increasing, or aggregating speed. They increasing bandwidth. And these two terms are often misused. I always say that Portchannel is like highway with multiple lanes. Even if you add more physical links to a Portchannel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic with that same speed. And the algorithm will decide which session will use which physical link within the Portchannel.
I think people can understand more easily these technical concepts and mechanisms if they are described with analogy from life (who says smurfs dont exists? :D )
Looking forward to see more content from you. ;)

Thanks. Great tutorial for VLAN understanding. For someone new to VLAN operation, this is priceless information! So many people throw jargon around and try to impress us with what they don't know. Your video is refreshing in its content, production and approach.

Christian you helped me a lot during the past years where I went back to school learn It administration, windows and linux.
Again thanks for all the content you offer it is a great ressource for every beginner.

Thank you! Very well done. I understood 80% of what you said without replaying it several times.

Great channel! LACP actually doesn’t add the speeds of single links. It adds concurrency. It just enables you to have 2 devices at 10Gbe instead of splitting the bandwidth over the same physical cable. It’s basically a kind of load balancing with failover.

This video was my inspiration for finally getting a Sophos Switch. I did in fact purchase the 24 port model, and I will use this video as a tutorial to setting up VLANS . I look forward to many more great things from Sophos. :) This will hopefully replace my current TP-Link switches and Omada controller which are OK, but having the single pane of glass from Sophos will make things that much easier. Sophos Central is really coming along and just seems to get better and better all the time.

thank you christian .. you change my lyf .. all the best brother

I think you would be helping the Sophos team with your videos. The way you go about presenting the information is personable and easy to understand.

Sehr schönes Video. Das sind Grundlagen die ich immer schon mal verstehen wollte, wo ich aber nie den Einstieg fand. Ich hatte einige AHA-Erlebnisse beim Anschauen. Danke!

On your B roll of your switches you have your F Stop to high on your camera. Lower your Fstops and raise your ISO or lengthen your shutter speed. What this will do is give you a deeper depth of field for your camera when showing B roll so the only thing in focus will not only be the closes point of the Ethernet cables.

Good job, man! More about VLAN config and topics like that, please

Great Video. Helped me a lot, thank you.

very intuitive . You enlighten me alot :)

Very interesting video and good explanation! thank you

I love the ASCII diagram! Cool idea.....grin

Great video

When talking about vlans it's important to understand what a broadcast domain is - each vlan is a unique layer 2 broadcast domain meaning something in vlan 2 won't be able to talk to something in vlan 3 without enabling inter vlan routing and enabling FW polices. In your case you want your firewall to be your default gateway for each vlan this way you can apply policies to the traffic within that vlan/subnet/broadcast domain.
- one point of clarification about your LAG - you won't "see" 20GB worth of link speed, but instead you'll have more concurrent traffic streams available on your 20GB link compared to just a single 10GB port. This gives you more bandwidth, not line rate speed.

Awesome video man. Thank you for making this. I watched a few videos and read a bit about VLAN's. I sort of got the idea but not the full concept. Others would explain it and I get the facts but.....the facts don't contain a lot of data I can turn into something visual when they explain it. Its like IRL CMD....you get all data fed to you in text. You gotta focus. Its not as easy as if you could turn the data into something visual for your mind to attach to. But the way you explained it.....you basically told us about your network setup in reference to VLANs. If this was a podcast with no video I would have still gotten more than enough information because the explanation was packed with a lot of information that I could easily turn into something visual. No longer like IRL CMD. Now its like IRL File Explorer where you can easily visualize the data fed to you. You see the folders and where they are at as well as the files. Your explanation not only had the facts of what VLANs are...but a good chunk of why was explained so that I am not sitting here taking educated guesses as to what one might do with this. Simultaneously you also gave better understanding to a newb on the concepts of a VLAN deployment in a real scenario (totally better than me taking an educated guess) and even took the time to throw in a bonus link aggregation tutorial. You freaking nailed it man. I learned a great deal about VLANs in 20 minutes. Somebody get this man a fruit basket....NOW!!! This my first time here. You easily gained a like and sub from me on the first try. I was able to setup my VLAN network and understand because you made it easy. I don't normally do this...but... You did good bro. You did good

As usual really good video! I always enjoy watching them and you inspire so much!
The part about 10 gigabit ports in LAG giving you 20 gigabit is to some extend true, just remember that it still is two different cables and as so one single session can not be split between them meaning that that total throughput between them is 20 gigabit but for a single transfer using a single session for the transfer only 10 gigabit is available.
Also you were talking about it as speed, but in the case of LAG it is also seen as bandwidth as the LAG Wil probably be used to allow more sessions through a "bigger" interface 😊
If you do a lot of transferring of files, having vm's running from external storage etc between storage and servers I would suggest you look into making a storage vlan with a higher MTU of 9000 (jumbo frames) 😁
Keep up the videos! Love your content

Very very very nice!

Thank you for a very interesting and informative video. Sophos is an interesting firewall. It's a pity that you can't study it in my country.

Thanks!

Thank you! Thank you! Thank you!

Great video and explaination of vlans, Christian! I would love a sophos switch. They are a bit on the expensive side, but I think that it is a nice touch to the sophos ecosystem and integrates into Sophos Central. I would replace my tp link Omada switch with one and have a proper switch. You are an asset to the Sophos community. Hope you are doing better.

I would love to see more Sophos videos, it is hard to find good Sophos content on the web.

Just in case no one commented, the LAG does not “double” the speed; it just allows different processes to use the two 10Gbps ports separately. So if you clocked the performance, you would only get 10G, but if you had multiple tests going on, each one could achieve 10G rather than sharing one 10G connection.

One thing to note about LAGs is that the bandwidth is the aggregated speed, but your throughput will still only be the speed of a single link. If you were to run a speed test across the link you would see this. The reason is how LACP and other LAG protocols work. They will use the source MAC, destination MAC, or both to pin that connection to a single link. (this is usually configurable) This allows for less congestion for multiple devices that need to talk at the same time, but doesn't help for increasing the speed coming from a single connection.
The analogy I like to use is think of LAG member ports as different lanes on a highway. While driving you can only occupy one lane at a time, and each lane has a maximum speed limit. When there isn't any congestion to you having 4 lanes to choose from means nothing to you. however when there is congestion the added lanes increases the capacity of the road so cars don't have to slow down to wait for one another.
Otherwise great video.

top video

You could show the LAG Mode as well (LACP Mode on firewall and Switch). Those modes can be important to max the performance.

Thanks for vlan topics. Watch later.

You should do a revise of your networkcables shown in your rack. Especially the twistedpair ones. Some of them are far away more bend than allowed.

Thank you for this amazing guide. It has helped me a lot.
Could you please make another one for a case like this... I have created 5 VLANs on my Sophos switch and I want each VLAN to have its own IP address and maybe a different subnet if possible. I'm using Sophos XG as my router.
I will really appreciate.

Good video thanks, what about if you connect an AP with two separate VLANs for two wifi points?

:yt:Some great comments below from Mr D, Jason Davis, and R G. I would only add as being a network engineer that goes back to the days of Wellfleet Routers, Cisco MGX Brouters and ArcNet, Banyan Vines, and good ole Token Ring. It is important to keep the syntax of packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "Frame" with Ethernet you were correct, but there were a few forgivable errors where you interchange a Layer 2 technology with the term packet which is Layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA . And if you get asked, ATM is a 53byte cell, 48 bytes payload, 5bytes header. And ask them what the hell are they using ATM for, if A) yhey are not a telco and B) when Ethernet is so much easier 🤣🤣🤣

Geeat video! Just a quick question. Why wouldnt you just want to have everything tagged instead of leaving the native vlan on for your dmz? Wouldnt it be better for security to use a different vlan for those and drop the native vlan altogether?

As always , Perfect Vid but you can use same boundle(LAGG) and create what is called Sub Interface (On firewall side ) and prevent using didicated LAGg for each VLAN, you will archive same goal with more scalability!

Great video on your networking, probably more sophisticated than what I need. Is your Sophos firewall better than the firewall in my ASUS router? I plan to just add a managed switch between my router and computers that I want on VLAN so I can still use wireless connection on my router for those computers that don't require additional security provided by the VLAN. I want the computers on the VLAN (old SGI computers to have access to the printer on the network as well.) The old SGIs are not as secure on the internet and require careful security setup within the IRIX operating system for hardening. I am hoping that the VLAN essentially makes them invisible to the internet but visible on my home network side. I will probably use a CISCO Catalyst 1000 switch.

Welches Tool hast du genutzt für das erstellen der Netzwerktopologie in Minute 2:16 ? Tolles Video!

Hi, nice and interesting video! I was a little fascinated by the ASCI Diagramm, may I ask what tool do you use for that?

share more on sophos switch

I use MikroTik devices only. I run my own WirelessISP and for home i have an overkill setup. I have 18 different VLANS for different stuffs and man, configuring a new AP or Switch can be painful :D

What did you use to make the ASCII diagram?

Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?

How do we draw the ascii diagram like yours ?

Is it a good idea, to create a vlan for the ps5, pc and firestick? Using a managed switch

Great video, learned a lot.
Maybe I'm a fool to suggest this but it seems to me that a product that is managed switch and firewall would spear one all the sending back and forth?

What is the cost of the firewall and switch with licenses, wanting to add something like this in my homelab.

that untagged and tagged VLAN configuration to fw was pretty smart. I haven't thought of that approach. Will this work if my switch doesn't have the PVID feature?

Great video! What do you think of a Juniper Isg 2000 for a home lab firewall?

When you added sophos did you setup the router to be in bridge mode?

What tools did you use to generate the ascii art network diagram?

if you have multiple Unifi APs which have lets say 2 wifi networks (stuff and guest created in Unifi Controller) and connected to sophos on the same port (vlan1 &vlan2) via unmanaged switch how to prevent the two network see each other?

Interesting setup. Well explained.
You mentioned you use the Fritzbox as a gateway.
How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble to route ITV on a L3 switch to a different vlan.
Maybe you have a tip for me how to solve this.
Vlan 4 internet, vlan 6 ITV, vlan 7 iptel is incoming from my ISP to my fritzbox.
The only way I get it working is to have ITV on vlan 1 (default) on the switch. if i try to reroute to different vlan i get issues (stuttering & freezing). Any ideas???

This is amazing, but how much does this part 10gbit kind of network setup cost?

A question , could i use sophos XG as a switch and firewall for my network with a 4 port intel ethernet card or do I have to get a L2-3 switch also ?

How would I put all my unsecure WiFi IoT Devices in one group? Since I cant assign them to a specific vlan port? Or I am missing something?
Do I have to use a separate access point just for my IoT Devices? Not sure if thats smart idea to have one access point for my trusted devices and one for my untrusted (IoT) devices.

Which tool do you use for the markdown diagrams?

Hello, what tools do we use to make the diagrams in ASCII?

Can you explain vlan interfaces in Proxmox?

Is it possible to have one pihole work in multiple vlans?

On a separate question: Is that Sophos firewall actually capable of deep packet inspection and processing those packets at WireSpeed of 20Gbps?

You should properly make a video on the various types of managed switches, as most videos on TH-cam seams to indicate that a switch is either managed or unmanaged. However a managed switches does not all have the same feature sets, which I learned after buying one and found myself missing things like ACL. Especially TP-Link has very poor marketing with their naming schemas like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.

how can i apply this so i can seperate my IoT devices from my private lan?

Hello Christian,
I still have big problems with my switch and my OPNsense FireWall.
Could you maybe help me configure the Switch correctly?
I'm still very confused by why my network doesn't work.

At around 01:50, does anyone know how to create these network maps/diagrams? I need to store the diagram in a markdown document. Thank you!

What do you mean by "Management" zone?

Did you use mermaid to create that network diagram?

what about the VMs? what VLAN are they on ?

i hope you back to docker tuts
and docker tools like portiner
and mail cow tools thats was awesome and I look for more

This is why I prefer Unifi. It's just so simple. Create the VLANS, click the port, select the VLAN from the drop down menu. DONE.

@16:29 my gah seems so hard 😓

LAG doesn’t increase speeds it increases throughout. Flows are still limited by the speed of the member link….

Helpful video but I am still struggling with it. I think I've watched every VLAN video on TH-cam and I don't think I've seen a single example of Inter-vlan routing on the same switch. For example and take the router and the needed firewall rules out of play here, you have vlan for a single workstation. Another VLAN for a single printer. Lastly, another vlan for file server. All these devices are all plugged into the same switch (48 port in my case.) Now workstations without printing and access to a file server would be useless don't you agree? In this case should the port for the workstation and printer be set as access(untagged?) I guess the server port would be trunked(tagged) because the 2 vlans need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.

You should NOT put your local servers in a DMZ, DMZ is normaly used for internet faced servers. Not local servers. So DMZ in used wrongly here.

/16 Network in an Home Environment doesnt make any sense :D

20 jesus christ the times we are living in.

This was too complex of a setup for me to understand concept of VLANs.

Well I bet you work in german public services. There is no other reason for using Sophos :D

Please slow down Ur speed mate

1) your Internet is most likely slower than 20Gbit/s, the argument of needing LAG for Internet is … lame at best
2) most people fail to explain what actually makes VLAN „secure“
You are until now, the most close as you at least mentioned that the traffic goes over firewall
But
As most VLAN teachers you did not mention the downsides
3) unfortunately most people come from cost-saving perspective, so instead of buying 2 cheap switches and run them over firewall, they buy one big one with more ports and start fiddling around, replicating the experience you would have if you just would have used 2 instead
Espescially worse if you have 2 unused laying around, but feel the urge to buy a new one