On your B roll of your switches you have your f-stop too high on your camera. Lower your f-stop and raise your ISO or lengthen your shutter speed. What this will do is give you a deeper depth of field for your camera when showing B roll, so the only thing in focus will not only be the closest point of the Ethernet cables.
As usual, perfect vid, but you can use the same bundle (LAG) and create what is called a sub-interface (on the firewall side) and avoid using a dedicated LAG for each VLAN; you will achieve the same goal with more scalability!
Just be aware that this can mean performance penalties depending on how the firewall handles the subinterfaces. This setup is known as router on a stick and can be helpful in situations where a simpler network is wanted, but is often substituted with layer 3 switches running virtual interfaces per VLAN instead. This is also why enterprise networks utilize L3 switches in the core and distribution layers, as they can do L2 at wire speed because of dedicated ASICs as well as offloading L3 routing to hardware.
@@rallegade I'm not sure what you're saying is technically correct - instead I'd say for the situation you're describing you'd be better off doing something like OSPF between your firewall and your switching infrastructure and "force" traffic to your firewall. If you're forwarding packets outside a firewall policy (ie layer 3 switch/svi on your switch) you're opening yourself up for potential unintended traffic flows which will be harder to manage because you're limited to simple ACLs policies and end up with too many management points to deal with.
@@whiskerjones9662 I totally agree with this! The inherent problem is that all routing between the subnets will happen on the switch now and the firewall can not do anything about it. I must admit that I have not heard about this type of setup where OSPF can force the traffic to be forwarded onto the firewall. It sounds like a dream scenario to be able to offload layer 2 to 3 traffic on the switch and then forward it to the router for it to do what it is supposed to do: separate, segregate and inspect the traffic. Could you possibly point me to a paper on a setup like this, as I would be very interested in trying it out in my own lab, as I am having the before-mentioned setup because of the penalties of inter-VLAN routing on the firewall. Love learning new things!
@@rallegade When I say force, I'm really talking about using routing to influence your traffic flows. Longest match wins so this involves a bit of traffic engineering and planning to deploy but is very common in the wild. I'd suggest looking over the Cisco validated design guides for more specifics as a starting point. As with anything in life there are a million ways to accomplish the same goal so a lot of network design comes from experience with a focus on the KISS principle. Unfortunately a lot of the times we think we're really smart doing some fancy deployment only to find out that we end up with unintended consequences and a network/environment that's next to impossible to troubleshoot. I don't pretend that i'm the end all be all but I've certainly been in a lot of networks in my time - feel free to reach out and we can discuss more outside YT comments :)
Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?
If you want a complete solution for mapping your network, you can check what a CMDB is. It also provides a lot more features like tracking all your different server configurations. It's way more overkill though.
Thank you for this amazing guide. It has helped me a lot. Could you please make another one for a case like this... I have created 5 VLANs on my Sophos switch and I want each VLAN to have its own IP address and maybe a different subnet if possible. I'm using Sophos XG as my router. I will really appreciate it.
Basically, you can follow the same guide as described in the video. You just need to add 5 VLAN interfaces to XG, and they will all have their own IP settings
Great video on your networking, probably more sophisticated than what I need. Is your Sophos firewall better than the firewall in my ASUS router? I plan to just add a managed switch between my router and the computers that I want on a VLAN, so I can still use the wireless connection on my router for those computers that don't require the additional security provided by the VLAN. I want the computers on the VLAN (old SGI computers) to have access to the printer on the network as well. The old SGIs are not as secure on the internet and require careful security setup within the IRIX operating system for hardening. I am hoping that the VLAN essentially makes them invisible to the internet but visible on my home network side. I will probably use a Cisco Catalyst 1000 switch.
Great video! Just a quick question. Why wouldn't you just want to have everything tagged instead of leaving the native VLAN on for your DMZ? Wouldn't it be better for security to use a different VLAN for those and drop the native VLAN altogether?
Some great comments below from Mr D, Jason Davis, and R G. I would only add, being a network engineer that goes back to the days of Wellfleet routers, Cisco MGX brouters and ARCNET, Banyan VINES, and good ole Token Ring: it is important to keep the terms packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "frame" with Ethernet you were correct, but there were a few forgivable errors where you interchanged a Layer 2 technology with the term packet, which is Layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA. And if you get asked, an ATM cell is 53 bytes: 48 bytes payload, 5 bytes header. And ask them what the hell they are using ATM for, if A) they are not a telco and B) Ethernet is so much easier 🤣🤣🤣
I use MikroTik devices only. I run my own wireless ISP and for home I have an overkill setup. I have 18 different VLANs for different stuff and man, configuring a new AP or switch can be painful :D
That untagged and tagged VLAN configuration to the FW was pretty smart. I haven't thought of that approach. Will this work if my switch doesn't have the PVID feature?
How would I put all my unsecure WiFi IoT devices in one group, since I can't assign them to a specific VLAN port? Or am I missing something? Do I have to use a separate access point just for my IoT devices? Not sure if that's a smart idea, to have one access point for my trusted devices and one for my untrusted (IoT) devices.
If you have multiple UniFi APs which have, let's say, 2 WiFi networks (stuff and guest, created in the UniFi Controller) and connected to Sophos on the same port (VLAN 1 & VLAN 2) via an unmanaged switch, how do you prevent the two networks from seeing each other?
@@christianlempa I was actually trained in Juniper firewalls in 2000, but the ISG didn't exist then. This is the second one I've touched. I'm kinda overwhelmed by the sheer power and the amount of resources it has. I didn't have time to tinker deeply with it; I only set up two of its ports as trusted and untrusted and put standard rules in so it can work, but I'm pretty sure I've seen something about virtualization. And Surfshark. I'll definitely lose some nights of sleep on it after I finish the new cabling here and the rack arrives. Everything is piled on a coffee table of sorts. Even the no-breaks. Poor table.
Yes it does DPI, the throughput depends on the hardware sizing though, you should check out the tech specs on the XGS devices and IPS/DPI throughput
Interesting setup. Well explained. You mentioned you use the Fritzbox as a gateway. How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble routing ITV on an L3 switch to a different VLAN. Maybe you have a tip for me on how to solve this. VLAN 4 internet, VLAN 6 ITV, VLAN 7 IP telephony come in from my ISP to my Fritzbox. The only way I get it working is to have ITV on VLAN 1 (default) on the switch. If I try to reroute it to a different VLAN I get issues (stuttering & freezing). Any ideas???
@@christianlempa Digital TV. Where I'm from, we used to say ITV for that. It's much the same as what happened to phones that are now VoIP. Hopefully that clears up the question.
Great video, learned a lot. Maybe I'm a fool to suggest this, but it seems to me that a product that is both managed switch and firewall would spare one all the sending back and forth?
Thank you! :) Firewalls and Switches really have different use cases, a Firewall might have some features of a Switch and a Switch might have some features of a Firewall. But I always tend to buy these devices separately, as they're best at what they're built for.
I could, but I don't want to mess around with it since I got that Fritzbox from my ISP anyway, and I also use it for DECT phones, so I'm gonna keep it :)
Hello Christian, I still have big problems with my switch and my OPNsense firewall. Could you maybe help me configure the switch correctly? I'm still very confused about why my network doesn't work.
You should probably make a video on the various types of managed switches, as most videos on UA-cam seem to indicate that a switch is either managed or unmanaged. However, managed switches do not all have the same feature sets, which I learned after buying one and finding myself missing things like ACLs. Especially TP-Link has very poor marketing with their naming schemes, like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.
Helpful video but I am still struggling with it. I think I've watched every VLAN video on UA-cam and I don't think I've seen a single example of inter-VLAN routing on the same switch. For example, and take the router and the needed firewall rules out of play here: you have a VLAN for a single workstation. Another VLAN for a single printer. Lastly, another VLAN for a file server. All these devices are plugged into the same switch (48 port in my case). Now, workstations without printing and access to a file server would be useless, don't you agree? In this case should the port for the workstation and printer be set as access (untagged?). I guess the server port would be trunked (tagged) because the 2 VLANs need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.
I agree the concept is hard to understand. You can use tagged ports if your device is aware of vlans and you configure the different ids and networks on the interface. Typically you use it to send multiple virtual networks through a single port. Untagged means the port is not aware of vlan ids and just bound to one specific vlan. The PVID should be configured according to the vlan Id of an untagged port.
Sorry but that is just pedantic, a DMZ is a separate zone between your LAN and WAN where to put devices that are controlled by firewall rules. Nobody says it can't be used for this and that. The point here is to show how to protect your home servers.
1) Your Internet is most likely slower than 20 Gbit/s; the argument of needing a LAG for Internet is... lame at best.
2) Most people fail to explain what actually makes VLANs "secure". You are, until now, the closest, as you at least mentioned that the traffic goes over the firewall. But, as most VLAN teachers, you did not mention the downsides.
3) Unfortunately most people come from a cost-saving perspective, so instead of buying 2 cheap switches and running them over the firewall, they buy one big one with more ports and start fiddling around, replicating the experience you would have if you had just used 2 instead. Especially worse if you have 2 unused ones lying around, but feel the urge to buy a new one.
Good to see someone works so hard to create quality content for others. Just a hint to make VLAN tags and port types more clear and simple: from the VLAN tag point of view we have two types of ports. Trunk ports and Access ports.
Egress frames on an Access port never have a VLAN tag, because it is removed when exiting. This is why the whole VLAN mechanism is transparent to the end device attached to that Access port.
Ingress frames on Access ports are tagged with a VLAN tag when they arrive (with the VLAN the port belongs to).
So an Access port is like a smurf sitting on the port, and he has a sponge in his left hand and a pencil (only one pencil, with the one correct VLAN color) in his right hand. Each time a frame leaves the port, the smurf uses his left hand and erases the VLAN tag with the sponge. Each time a frame arrives (usually from an end device) and enters the port, the smurf uses his right hand and tags the frame with the pencil.
Normally Access ports never receive frames with a VLAN tag from outside.
The other type of port is Trunk. The main difference is that the smurf sitting on the Trunk port does not have a sponge in his left hand, so VLAN tags will remain on egress frames. So basically egress frames and ingress frames will both have VLAN tags. Also, trunk ports can send and receive frames from any configured VLAN. Trunk ports are connected to trunk ports on other devices.
Also, as I wrote in another reply you might not have seen: port channels do not increase, or aggregate, speed. They increase bandwidth. And these two terms are often misused. I always say that a port channel is like a highway with multiple lanes. Even if you add more physical links to a port channel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic at that same speed. And the algorithm will decide which session will use which physical link within the port channel.
I think people can understand these technical concepts and mechanisms more easily if they are described with analogies from life (who says smurfs don't exist? :D )
Looking forward to seeing more content from you. ;)
Thanks 😉
Thanks for explaining this!
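The access-port and trunk-port behaviour the comment above describes (and the PVID question earlier in the thread), as an added example that is not part of any comment on this page: a small 802.1Q frame builder and parser, plus ingress() and egress() functions that apply the rules. Untagged frames are classified by the port's PVID on the way in (the pencil), an access port strips the tag on the way out (the sponge) and refuses tagged frames from outside, and a trunk keeps tags except for its native VLAN. The MAC addresses and payloads are constructed test data, and the Port/ingress/egress names are this example's own, not any vendor's API.

```python
"""Toy 802.1Q switch-port model (added example, constructed test data)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100  # TPID that announces a single 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None, ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet frame; with vlan set, a 4-byte tag (TPID + TCI) precedes the EtherType."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = vlan & 0x0FFF  # PCP=0, DEI=0, 12-bit VID
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


@dataclass
class Parsed:
    dst: bytes
    src: bytes
    vlan: Optional[int]
    ethertype: int
    payload: bytes


def parse_frame(frame: bytes) -> Parsed:
    """Parse a frame and pull the VID out of the 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return Parsed(dst, src, vlan, ethertype, frame[off:])


def strip_tag(frame: bytes) -> bytes:
    """The sponge: rebuild the frame without its 802.1Q tag."""
    p = parse_frame(frame)
    return build_frame(p.dst, p.src, p.payload, None, p.ethertype)


@dataclass
class Port:
    kind: str                               # "access" or "trunk"
    pvid: int                               # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()        # VLANs carried tagged on a trunk


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify an arriving frame: (vlan, tagged frame as seen inside the switch) or None."""
    p = parse_frame(frame)
    if p.vlan is None:  # the pencil: untagged frames get the PVID
        return port.pvid, build_frame(p.dst, p.src, p.payload, port.pvid, p.ethertype)
    if port.kind == "access":
        return None     # access ports do not accept tagged frames from outside
    if p.vlan == port.pvid or p.vlan in port.allowed:
        return p.vlan, frame
    return None         # VLAN not allowed on this trunk


def egress(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Send a frame that belongs to `vlan` out of `port`, or None if it may not leave here."""
    if port.kind == "access":
        return strip_tag(frame) if vlan == port.pvid else None
    if vlan == port.pvid:
        return strip_tag(frame)   # native VLAN leaves a trunk untagged
    return frame if vlan in port.allowed else None


def forward(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """Frame enters in_port, is switched inside its VLAN, and leaves out_port."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vlan, inner = classified
    return egress(out_port, vlan, inner)


if __name__ == "__main__":
    pc, nas = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    access10 = Port("access", 10)
    trunk = Port("trunk", 1, frozenset({10, 20}))
    out = forward(access10, trunk, build_frame(pc, nas, b"hello"))
    print("access 10 -> trunk:", parse_frame(out).vlan)          # tagged VID 10 on the trunk
    print("tagged 20 into access 10:", forward(trunk, access10, build_frame(nas, pc, b"x", 20)))
```

The last line of the demo is the security-relevant case: a frame tagged for VLAN 20 never reaches the VLAN 10 access port, because egress refuses it. Whether a real switch also refuses tagged frames arriving on an access port (the ingress check above) is vendor specific, which is exactly why the native VLAN on a trunk deserves the scrutiny raised elsewhere in this thread.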
Great video! One friendly reminder: the Cisco proprietary protocol for EtherChannel or LAG is PAgP.
Primarily, the term "trunking" is not the same as LAG. We use the term "trunking" when we want to pass multiple VLANs' traffic over a single trunk link.
LAG is when we aggregate multiple links such as Fast Ethernet or Gigabit Ethernet ports into one! Cisco names it "Port-Channels" :))))
I am a network engineer and was hoping to see if someone had replied with this. The video was super informative and I appreciate the content.😀
Thanks for sharing bro! :))))
@@christianlempa My pleasure Christian! Keep up the excellent work!
@@mrd4233 Thanks bro, of course I'll do!
I love how some vendors like HP/Aruba use the term "trunking" in reference to a LAG which is not confusing at all (/s) when mixing HP & Cisco switches.
I've been watching your videos here and there for a while, but did not know you worked for sophos! My company is the number 1 sophos reseller in the united states, we eat sleep and breathe their products. I personally run a Sophos firewall running in Hyper-V for my home gateway. Great video!
Wow so cool! Thanks 😀
Great channel! LACP actually doesn't add the speeds of single links. It adds concurrency. It just enables you to have 2 devices at 10GbE instead of splitting the bandwidth over the same physical cable. It's basically a kind of load balancing with failover.
Technically correct, but a bit semantic. A single TCP link is not doubled, but throughput is doubled. In the end, which really matters?
@@TheRayDog I think we should not conflate throughput with speed. I believe that is what the previous commenter was trying to point out. Indeed double the throughput, but NOT double the speed. The analogy I have used for years is that it is another lane in the highway--it allows for more traffic to come through. But the speed limit is the same (the posted limit, anyway ;) )
@@TheOneOriginalPoloaha but now your 45 min drive home is only 35 because less traffic 😎 😎 /s
Christian, you helped me a lot during the past years when I went back to school to learn IT administration, Windows and Linux.
Again, thanks for all the content you offer; it is a great resource for every beginner.
Thanks mate! Glad it helped you
Just in case no one commented, the LAG does not “double” the speed; it just allows different processes to use the two 10Gbps ports separately. So if you clocked the performance, you would only get 10G, but if you had multiple tests going on, each one could achieve 10G rather than sharing one 10G connection.
I think you would be helping the Sophos team with your videos. The way you go about presenting the information is personable and easy to understand.
Thanks! 😉
Thanks. Great tutorial for VLAN understanding. For someone new to VLAN operation, this is priceless information! So many people throw jargon around and try to impress us with what they don't know. Your video is refreshing in its content, production and approach.
Thank you! Very well done. I understood 80% of what you said without replaying it several times.
This video was my inspiration for finally getting a Sophos Switch. I did in fact purchase the 24 port model, and I will use this video as a tutorial to setting up VLANS . I look forward to many more great things from Sophos. :) This will hopefully replace my current TP-Link switches and Omada controller which are OK, but having the single pane of glass from Sophos will make things that much easier. Sophos Central is really coming along and just seems to get better and better all the time.
Thanks!
Thank you so much for your support 😍
When talking about VLANs it's important to understand what a broadcast domain is. Each VLAN is a unique layer 2 broadcast domain, meaning something in VLAN 2 won't be able to talk to something in VLAN 3 without enabling inter-VLAN routing and enabling FW policies. In your case you want your firewall to be your default gateway for each VLAN; this way you can apply policies to the traffic within that VLAN/subnet/broadcast domain.
- One point of clarification about your LAG: you won't "see" 20Gb worth of link speed, but instead you'll have more concurrent traffic streams available on your 20Gb link compared to just a single 10Gb port. This gives you more bandwidth, not line rate speed.
I'm having my ass kicked by inter-VLAN routing. I use a Cisco router with zone-based firewall and a physical network port for each VLAN (because it came crammed with HWICs, so why not?) and some VLANs in my setup can talk with others, some can't talk with anyone besides the internet, and some can only have traffic in one direction. Works beautifully when testing with an endpoint in each port. My 3Com layer 3 switch f*cks everything up and lets anyone talk with everyone. I don't know how to disable it on them.
@@RoboticParanoia Sounds like you have a lot going on there. I'd suggest removing the layer 3 portion of your 3com switch. You want your routing and policy matching to take place on your router in this case. Trunk your vlans up from your switch to your router and work on your policies and test as you build out.
@@whiskerjones9662 just found out in the switch's web interface the routing disable feature. Everything is how it should be now. Thanks!
Thank you Christian... you changed my life... all the best brother
Hey great content! It’s really nice to see network related stuff as well in this channel. Much love ❤️
Sehr schönes Video. Das sind Grundlagen die ich immer schon mal verstehen wollte, wo ich aber nie den Einstieg fand. Ich hatte einige AHA-Erlebnisse beim Anschauen. Danke!
Vielen Dank! :) freut mich total dass es dir geholfen hat
I love the ASCII diagram! Cool idea.....grin
One thing to note about LAGs is that the bandwidth is the aggregated speed, but your throughput will still only be the speed of a single link. If you were to run a speed test across the link you would see this. The reason is how LACP and other LAG protocols work. They will use the source MAC, destination MAC, or both to pin that connection to a single link (this is usually configurable). This allows for less congestion for multiple devices that need to talk at the same time, but doesn't help for increasing the speed coming from a single connection.
The analogy I like to use is to think of LAG member ports as different lanes on a highway. While driving you can only occupy one lane at a time, and each lane has a maximum speed limit. When there isn't any congestion, having 4 lanes to choose from means nothing to you. However, when there is congestion, the added lanes increase the capacity of the road so cars don't have to slow down to wait for one another.
Otherwise great video.
Thanks! ;)
As usual really good video! I always enjoy watching them and you inspire so much!
The part about 10 gigabit ports in a LAG giving you 20 gigabit is to some extent true; just remember that it is still two different cables, and so one single session cannot be split between them, meaning that the total throughput between them is 20 gigabit, but for a single transfer using a single session only 10 gigabit is available.
Also, you were talking about it as speed, but in the case of a LAG it is also seen as bandwidth, as the LAG will probably be used to allow more sessions through a "bigger" interface 😊
If you do a lot of transferring of files, having vm's running from external storage etc between storage and servers I would suggest you look into making a storage vlan with a higher MTU of 9000 (jumbo frames) 😁
Keep up the videos! Love your content
Thanks mate! :)
@christianlempa no problem! Hope it can inspire you to make more network videos 😊
@rallegade @The Digital Life This is what I also wanted to say. Port channels don't increase speed, they increase bandwidth. And these two terms are often misused. I always say that a port channel is like a highway with multiple lanes. Even if you add more physical links to a port channel (more lanes to a highway) you still have the same speed (the speed limit on that highway). But with more lanes the highway can carry more traffic at that same speed. And the algorithm will decide which session will use which physical link within the port channel.
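The two LAG comments above (hash-pinned flows, and bandwidth versus speed) can be checked with a small simulation. This is an added example, not code from the video, from Sophos, or from the commenters. The hash policy (CRC32 over the source MAC, the destination MAC, or both, modulo the number of member links) is a simplified stand-in for a real switch's load-balancing hash, and the MAC addresses and traffic demands are constructed.

```python
"""Simulation of how a LAG spreads flows over its member links.

Added example for the LAG discussion above; not code from the video,
from Sophos, or from the commenters. The hash policy is a simplified
stand-in for a real switch's load-balancing hash, and all MAC addresses
and demands below are constructed.
"""
import zlib


def select_member(src_mac: str, dst_mac: str, n_links: int,
                  policy: str = "src-dst-mac") -> int:
    """Pick the member link for a flow.

    The same inputs always map to the same link; that determinism is what
    pins one flow (one "car") to one link (one "lane").
    """
    keys = {
        "src-mac": src_mac,
        "dst-mac": dst_mac,
        "src-dst-mac": src_mac + dst_mac,
    }
    return zlib.crc32(keys[policy].lower().encode()) % n_links


def distribute_flows(flows, n_links, link_speed_gbps, policy="src-dst-mac"):
    """Assign each (src_mac, dst_mac, demand_gbps) flow to a member link.

    Returns (per_link_load, per_flow_result); per_flow_result is a list of
    (link_index, achieved_gbps). A flow never gets more than the capacity
    left on the one link it hashes to, so a single 20 Gbit/s demand over
    two 10 Gbit/s links still achieves only 10 Gbit/s, while many smaller
    sessions can fill both links. Capacity is handed out first come, first
    served; real links share more fairly, but the per-flow ceiling is the
    same.
    """
    link_load = [0.0] * n_links
    results = []
    for src, dst, demand in flows:
        link = select_member(src, dst, n_links, policy)
        room = max(link_speed_gbps - link_load[link], 0.0)
        achieved = min(demand, room)
        link_load[link] += achieved
        results.append((link, achieved))
    return link_load, results


if __name__ == "__main__":
    # constructed traffic: one big transfer, then several smaller sessions
    one_flow = [("00:11:22:33:44:01", "00:11:22:33:44:02", 20.0)]
    load, res = distribute_flows(one_flow, n_links=2, link_speed_gbps=10.0)
    print("single 20G flow over 2x10G:", res)
    many = [("00:11:22:33:44:%02x" % i, "00:11:22:33:44:ff", 5.0)
            for i in range(1, 9)]
    load, res = distribute_flows(many, n_links=2, link_speed_gbps=10.0)
    print("8 x 5G flows over 2x10G, per-link load:", load)
```

Switching the policy to "src-mac" shows the other point in the comment: every session from one source MAC lands on the same link no matter how many destinations it talks to, so a single busy host cannot use the second link at all.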
I would love to see more Sophos videos, it is hard to find good Sophos content on the web.
Thanks! We'll have to see... currently, I'm more excited about other topics :D
Great video and explanation of VLANs, Christian! I would love a Sophos switch. They are a bit on the expensive side, but I think that it is a nice touch to the Sophos ecosystem and integrates into Sophos Central. I would replace my TP-Link Omada switch with one and have a proper switch. You are an asset to the Sophos community. Hope you are doing better.
Thanks! Good to see some Sophos fans here, maybe I need to do some more content for you :D
Good job, man! More about VLAN config and topics like that, please
Sure thing! Thanks!
Thank you for a very interesting and informative video. Sophos is an interesting firewall. It's a pity that you can't study it in my country.
Awesome video man. Thank you for making this. I watched a few videos and read a bit about VLANs. I sort of got the idea but not the full concept. Others would explain it and I get the facts but... the facts don't contain a lot of data I can turn into something visual when they explain it. It's like IRL CMD... you get all data fed to you in text. You gotta focus. It's not as easy as if you could turn the data into something visual for your mind to attach to. But the way you explained it... you basically told us about your network setup in reference to VLANs. If this was a podcast with no video I would have still gotten more than enough information because the explanation was packed with a lot of information that I could easily turn into something visual. No longer like IRL CMD. Now it's like IRL File Explorer where you can easily visualize the data fed to you. You see the folders and where they are at as well as the files. Your explanation not only had the facts of what VLANs are... but a good chunk of the why was explained so that I am not sitting here taking educated guesses as to what one might do with this. Simultaneously you also gave a newb a better understanding of the concepts of a VLAN deployment in a real scenario (totally better than me taking an educated guess) and even took the time to throw in a bonus link aggregation tutorial. You freaking nailed it man. I learned a great deal about VLANs in 20 minutes. Somebody get this man a fruit basket... NOW!!! This is my first time here. You easily gained a like and sub from me on the first try. I was able to set up my VLAN network and understand it because you made it easy. I don't normally do this... but... You did good bro. You did good.
Thank you so much! I'm glad you enjoy the style of the video tutorials 😀
You should do a review of the network cables shown in your rack. Especially the twisted pair ones. Some of them are bent far more than allowed.
On your B-roll of your switches you have your F-stop too high on your camera. Lower your F-stop and raise your ISO or lengthen your shutter speed. What this will do is give you a deeper depth of field for your camera when showing B-roll, so the only thing in focus will not just be the closest point of the Ethernet cables.
Very interesting video and good explanation! thank you
Thanks :)
Very intuitive. You enlightened me a lot :)
Although I'm very keen on your lesson, I am most interested in the tool you've used to create the scheme in .md of your network at 1m50s. :-)
Haha 😂 I was using asciiflow
@christianlempa Thanks a million!
How do we draw an ASCII diagram like yours?
As always, perfect vid, but you can use the same bundle (LAG) and create what is called a sub-interface (on the firewall side) and avoid using a dedicated LAG for each VLAN; you will achieve the same goal with more scalability!
Thanks mate! I'll have a look!
Just be aware that this can mean performance penalties depending on how the firewall handles the sub-interfaces. This setup is known as router on a stick and can be helpful in situations where a simpler network is wanted, but is often substituted with layer 3 switches running virtual interfaces per VLAN instead.
This is also why enterprise networks utilize L3 switches in the core and distribution layer, as they can do L2 at wire speed because of dedicated ASICs, as well as offloading L3 routing to hardware.
@rallegade I'm not sure what you're saying is technically correct - instead I'd say for the situation you're describing you'd be better off doing something like OSPF between your firewall and your switching infrastructure and "force" traffic to your firewall. If you're forwarding packets outside a firewall policy (i.e. layer 3 switch/SVI on your switch) you're opening yourself up to potential unintended traffic flows which will be harder to manage, because you're limited to simple ACL policies and end up with too many management points to deal with.
@whiskerjones9662 I totally agree with this! The inherent problem is that all routing between the subnets will happen on the switch now and the firewall cannot do anything about it.
I must admit that I have not heard about this type of setup where OSPF can force the traffic to be forwarded onto the firewall. It sounds like a dream scenario to be able to offload layer 2 to 3 traffic on the switch and then forward it to the router for it to do what it is supposed to do: separate, segregate and inspect the traffic.
Could you possibly point me to a paper on a setup like this? I would be very interested in trying it out in my own lab, as I am running the before-mentioned setup because of the penalties of inter-VLAN routing on the firewall.
Love learning new things!
@rallegade When I say force, I'm really talking about using routing to influence your traffic flows. Longest match wins, so this involves a bit of traffic engineering and planning to deploy, but it is very common in the wild. I'd suggest looking over the Cisco validated design guides for more specifics as a starting point. As with anything in life there are a million ways to accomplish the same goal, so a lot of network design comes from experience with a focus on the KISS principle. Unfortunately a lot of the time we think we're really smart doing some fancy deployment only to find out that we end up with unintended consequences and a network/environment that's next to impossible to troubleshoot. I don't pretend that I'm the end all be all, but I've certainly been in a lot of networks in my time - feel free to reach out and we can discuss more outside YT comments :)
Good video thanks, what about if you connect an AP with two separate VLANs for two wifi points?
Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?
I use asciiflow for that
If you want a complete solution for mapping your network, you can check what a CMDB is. It also provides a lot more features like tracking all your different server configurations
It's way more overkill though
Great Video. Helped me a lot, thank you.
You're welcome
At around 01:50, does anyone know how to create these network maps/diagrams? I need to store the diagram in a markdown document. Thank you!
Thank you for this amazing guide. It has helped me a lot.
Could you please make another one for a case like this... I have created 5 VLANs on my Sophos switch and I want each VLAN to have its own IP address and maybe a different subnet if possible. I'm using Sophos XG as my router.
I will really appreciate.
Basically, you can follow the same guide as described in the video. You just need to add 5 VLAN interfaces to XG, and they will all have their own IP settings
Great video on your networking, probably more sophisticated than what I need. Is your Sophos firewall better than the firewall in my ASUS router? I plan to just add a managed switch between my router and computers that I want on VLAN so I can still use wireless connection on my router for those computers that don't require additional security provided by the VLAN. I want the computers on the VLAN (old SGI computers to have access to the printer on the network as well.) The old SGIs are not as secure on the internet and require careful security setup within the IRIX operating system for hardening. I am hoping that the VLAN essentially makes them invisible to the internet but visible on my home network side. I will probably use a CISCO Catalyst 1000 switch.
Great video! Just a quick question. Why wouldn't you just want to have everything tagged instead of leaving the native VLAN on for your DMZ? Wouldn't it be better for security to use a different VLAN for those and drop the native VLAN altogether?
Which tool did you use to create the network topology at minute 2:16? Great video!
Asciiflow, but I'll soon make a new diagram with simpler software :) thanks by the way!
Thanks for vlan topics. Watch later.
Some great comments below from Mr D, Jason Davis, and R G. I would only add, as a network engineer that goes back to the days of Wellfleet routers, Cisco MGX brouters and ArcNet, Banyan Vines, and good ole Token Ring: it is important to keep the terms packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "frame" with Ethernet you were correct, but there were a few forgivable errors where you interchanged a Layer 2 technology with the term packet, which is Layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA. And if you get asked, ATM is a 53-byte cell, 48 bytes payload, 5 bytes header. And ask them what the hell they are using ATM for, if A) they are not a telco and B) when Ethernet is so much easier 🤣🤣🤣
Ouch, I thought I got it right 🤣
I even made the error in my comment where this should read 48 bytes payload, not bits. Big difference.
What did you use to make the ASCII diagram?
I use MikroTik devices only. I run my own wireless ISP, and for home I have an overkill setup. I have 18 different VLANs for different stuff, and man, configuring a new AP or switch can be painful :D
Wow that seems like a crazy set up :D
That untagged and tagged VLAN configuration to the FW was pretty smart. I haven't thought of that approach. Will this work if my switch doesn't have the PVID feature?
Thanks :) There are some switches that don't have a separate PVID flag; in this case they usually treat the incoming packets the same as the outgoing.
Hi, nice and interesting video! I was a little fascinated by the ASCII diagram, may I ask what tool you use for that?
Hey thanks :D I'm using asciiflow and nerdfonts for the icons
@christianlempa thank you very much!
This is amazing, but how much does this part 10gbit kind of network setup cost?
Wow, hard to say, but it's not cheap if you'd buy all this stuff
What tools did you use to generate the ascii art network diagram?
asciiflow.com
How would I put all my unsecure WiFi IoT devices in one group? Since I can't assign them to a specific VLAN port? Or am I missing something?
Do I have to use a separate access point just for my IoT devices? Not sure if that's a smart idea, to have one access point for my trusted devices and one for my untrusted (IoT) devices.
If you have multiple Unifi APs which have, let's say, 2 WiFi networks (stuff and guest, created in the Unifi Controller) and are connected to Sophos on the same port (VLAN 1 & VLAN 2) via an unmanaged switch, how do you prevent the two networks from seeing each other?
Very very very nice!
Thank you! Cheers!
Hello, what tools do we use to make the diagrams in ASCII?
He said he used asciiflow
Great video! What do you think of a Juniper Isg 2000 for a home lab firewall?
Thanks mate! Can't say anything good or bad about juniper, never tested
@christianlempa I was actually trained in Juniper firewalls in 2000, but the ISG didn't exist yet. This is the second one I've touched. I'm kinda overwhelmed by the sheer power and the amount of resources it has. I didn't have time to tinker deeply with it, I only set up two of its ports as trusted and untrusted and put in standard rules so it can work, but I'm pretty sure I've seen something about virtualization. And Surfshark. I'll definitely lose some nights of sleep on it after I finish the new cabling here and the rack arrives. It's everything piled on a coffee table of sorts. Even the no-breaks. Poor table.
@christianlempa and again, loving your channel!
On a separate question: Is that Sophos firewall actually capable of deep packet inspection and processing those packets at WireSpeed of 20Gbps?
Yes it does DPI, the throughput depends on the hardware sizing though, you should check out the tech specs on the XGS devices and IPS/DPI throughput
Interesting setup. Well explained.
You mentioned you use the Fritzbox as a gateway.
How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble routing ITV on an L3 switch to a different VLAN.
Maybe you have a tip for me how to solve this.
VLAN 4 internet, VLAN 6 ITV, VLAN 7 IP telephony is incoming from my ISP to my Fritzbox.
The only way I get it working is to have ITV on VLAN 1 (default) on the switch. If I try to reroute it to a different VLAN I get issues (stuttering & freezing). Any ideas???
Hmm no I haven't used ITV before, what is that?
@christianlempa digital TV. Where I'm from we're used to saying ITV for that. It's much the same as what happened to phones that are now VoIP. Hopefully it clears up the question.
You could show the LAG Mode as well (LACP Mode on firewall and Switch). Those modes can be important to max the performance.
Can you explain vlan interfaces in Proxmox?
Is it a good idea, to create a vlan for the ps5, pc and firestick? Using a managed switch
How can I apply this so I can separate my IoT devices from my private LAN?
Is it possible to have one pihole work in multiple vlans?
A question , could i use sophos XG as a switch and firewall for my network with a 4 port intel ethernet card or do I have to get a L2-3 switch also ?
You could use the XG as a switch, however, I would still recommend a L2-3 switch, which might be more performant and flexible for those tasks.
What is the cost of the firewall and switch with licenses, wanting to add something like this in my homelab.
Great video, learned a lot.
Maybe I'm a fool to suggest this, but it seems to me that a product that is a managed switch and firewall would spare one all the sending back and forth?
Thank you! :) Firewalls and Switches really have different use cases, a Firewall might have some features of a Switch and a Switch might have some features of a Firewall. But I always tend to buy these devices separately, as they're best at what they're built for.
Great video
share more on sophos switch
Do you still use the Fritzbox? Couldn't you just use the Sophos firewall as your router?
I could, but I don't want to mess around with it since I got that Fritzbox from my ISP anyway, and I also use it for DECT phones, so I'm gonna keep it :)
Thank you! Thank you! Thank you!
You are so welcome!
When you added sophos did you setup the router to be in bridge mode?
No it's running in gateway mode
Which tool do you use for the markdown diagrams?
Asciiflow and nerdfonts
What do you mean by "Management" zone?
It's a different network that I use for my network devices
Hello Christian,
I still have big problems with my switch and my OPNsense FireWall.
Could you maybe help me configure the Switch correctly?
I'm still very confused by why my network doesn't work.
Hey, sorry I'm a little short on time, did you join the discord yet? Let's meet there and maybe me or somebody else can help you
Did you use mermaid to create that network diagram?
No it was asciiflow back then xD
top video
You should probably make a video on the various types of managed switches, as most videos on UA-cam seem to indicate that a switch is either managed or unmanaged. However, managed switches do not all have the same feature sets, which I learned after buying one and finding myself missing things like ACLs. Especially TP-Link has very poor marketing with their naming schemes, like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.
This is why I prefer Unifi. It's just so simple. Create the VLANS, click the port, select the VLAN from the drop down menu. DONE.
Yeah, at some point I need to look at Unifi ;)
what about the VMs? what VLAN are they on ?
On the DMZ as well
Helpful video, but I am still struggling with it. I think I've watched every VLAN video on UA-cam and I don't think I've seen a single example of inter-VLAN routing on the same switch. For example, and take the router and the needed firewall rules out of play here, you have a VLAN for a single workstation. Another VLAN for a single printer. Lastly, another VLAN for a file server. All these devices are plugged into the same switch (48 port in my case). Now workstations without printing and access to a file server would be useless, don't you agree? In this case should the port for the workstation and printer be set as access (untagged?) I guess the server port would be trunked (tagged) because the 2 VLANs need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.
I agree the concept is hard to understand. You can use tagged ports if your device is aware of VLANs and you configure the different IDs and networks on the interface. Typically you use it to send multiple virtual networks through a single port. Untagged means the port is not aware of VLAN IDs and is just bound to one specific VLAN. The PVID should be configured according to the VLAN ID of an untagged port.
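The tagged/untagged/PVID rules in the reply above can be made concrete with a toy switch model. This is an added example and not code from the video, from the switch vendor, or from either commenter. It encodes the rules as described in the thread (an access port applies its PVID to untagged ingress frames and strips the tag on egress; a trunk port keeps tags except for its native VLAN; a port in another VLAN never sees the frame). The port layout and MAC addresses are constructed, and dropping tagged frames that arrive on an access port is an assumption, since vendors differ on that.

```python
"""Toy 802.1Q switch: access vs. trunk ports and the PVID.

Added example for the VLAN explanation above; not code from the video,
the switch vendor, or the commenters. Port layout and MACs are
constructed; dropping tagged frames on access ports is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]  # None = no 802.1Q tag on the wire


@dataclass
class Port:
    name: str
    mode: str                 # "access" or "trunk"
    pvid: int                 # VLAN given to untagged ingress frames
    allowed: frozenset = field(default_factory=frozenset)  # trunk only

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """Classify an arriving frame into a VLAN; None means dropped."""
        if frame.vlan is None:
            # untagged frames get the port's PVID (access VLAN or native VLAN)
            return Frame(frame.src, frame.dst, self.pvid)
        if self.mode == "access":
            return None  # assumption: tagged frames on an access port are dropped
        return frame if frame.vlan in self.allowed else None

    def egress(self, frame: Frame) -> Optional[Frame]:
        """Decide how a classified frame leaves this port; None = not sent."""
        if self.mode == "access":
            if frame.vlan != self.pvid:
                return None                       # other VLAN: invisible here
            return Frame(frame.src, frame.dst, None)  # tag removed on the way out
        if frame.vlan == self.pvid:
            return Frame(frame.src, frame.dst, None)  # native VLAN leaves untagged
        if frame.vlan not in self.allowed:
            return None
        return frame                              # tagged VLAN keeps its tag


def forward(ports: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Flood a frame arriving on in_port to every other port in its VLAN.

    Returns {port_name: frame_as_sent}. MAC learning is omitted, so this is
    the unknown-unicast/broadcast case; the VLAN boundary is the same.
    """
    classified = ports[in_port].ingress(frame)
    if classified is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name == in_port:
            continue
        sent = port.egress(classified)
        if sent is not None:
            out[name] = sent
    return out


def example_switch() -> Dict[str, Port]:
    """Constructed layout: two access ports in different VLANs, two trunks."""
    return {
        "p1": Port("p1", "access", pvid=10),                                  # workstation
        "p2": Port("p2", "access", pvid=20),                                  # printer
        "p3": Port("p3", "trunk", pvid=1, allowed=frozenset({10, 20})),       # uplink to firewall
        "p4": Port("p4", "trunk", pvid=10, allowed=frozenset({10, 20})),      # VLAN-aware server
    }


if __name__ == "__main__":
    ports = example_switch()
    print(forward(ports, "p1", Frame("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", None)))
    print(forward(ports, "p3", Frame("bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff", 20)))
```

Running it shows the point of the thread: the untagged frame from the workstation on p1 reaches only the trunks (tagged 10 on p3, untagged on p4 because 10 is p4's native VLAN) and never the printer on p2, and a frame tagged 20 from the firewall trunk reaches the printer untagged and the server tagged, but not the workstation. Getting the workstation and printer to talk is exactly the job of whatever routes between VLAN 10 and VLAN 20 on the firewall side.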
LAG doesn't increase speeds, it increases throughput. Flows are still limited by the speed of the member link...
You’re absolutely right, thanks for sharing!
@16:29 my gah seems so hard 😓
I hope you come back to Docker tutorials
and Docker tools like Portainer
and mailcow tools, that was awesome and I look for more
Don't worry, I'll do some docker videos in the future as well ;)
@christianlempa waiting for you
You should NOT put your local servers in a DMZ. A DMZ is normally used for internet-facing servers, not local servers. So DMZ is used wrongly here.
Sorry but that is just pedantic, a DMZ is a separate zone between your LAN and WAN where to put devices that are controlled by firewall rules. Nobody says it can't be used for this and that. The point here is to show how to protect your home servers.
This was too complex of a setup for me to understand concept of VLANs.
A /16 network in a home environment doesn't make any sense :D
Please slow down your speed mate
20 jesus christ the times we are living in.
1) your Internet is most likely slower than 20 Gbit/s, the argument of needing LAG for Internet is ... lame at best
2) most people fail to explain what actually makes VLAN "secure"
You are until now the closest, as you at least mentioned that the traffic goes over the firewall
But
As most VLAN teachers, you did not mention the downsides
3) unfortunately most people come from a cost-saving perspective, so instead of buying 2 cheap switches and running them over the firewall, they buy one big one with more ports and start fiddling around, replicating the experience you would have had if you had just used 2 instead
Especially worse if you have 2 unused ones lying around, but feel the urge to buy a new one
Well I bet you work in german public services. There is no other reason for using Sophos :D