I've been watching your videos here and there for a while, but did not know you worked for Sophos! My company is the number 1 Sophos reseller in the United States; we eat, sleep and breathe their products. I personally run a Sophos firewall running in Hyper-V for my home gateway. Great video!
When talking about VLANs it's important to understand what a broadcast domain is - each VLAN is a unique layer 2 broadcast domain, meaning something in VLAN 2 won't be able to talk to something in VLAN 3 without enabling inter-VLAN routing and enabling FW policies. In your case you want your firewall to be your default gateway for each VLAN; this way you can apply policies to the traffic within that VLAN/subnet/broadcast domain. - One point of clarification about your LAG - you won't "see" 20GB worth of link speed, but instead you'll have more concurrent traffic streams available on your 20GB link compared to just a single 10GB port. This gives you more bandwidth, not line rate speed.
@Apenas um Robô Paranóico Sounds like you have a lot going on there. I'd suggest removing the layer 3 portion of your 3com switch. You want your routing and policy matching to take place on your router in this case. Trunk your vlans up from your switch to your router and work on your policies and test as you build out.
I'm having my ass kicked by inter vlan routing. I use a Cisco router with zoned based firewall and a physical network port for each vlan (because it came crammed with HWICs, so why not?) and some vlans in my setup can talk with others, some can't talk with no one besides internet and some can only have traffic in one way. Works beautifully when testing with an endpoint in each port. My 3com layer 3 switch f*cks everything and lets anyone talk with everyone. I don't know how to disable it on them.
It might be a good idea not to use VLAN1 for anything else than the default config. Just pick 10 or anything else. Vendors tend to use VLAN1 for special purposes that might pose a problem later down the road. Also it would be good practice to make use of the ingress-filtering you skimmed over in the video. That basically prevents tagged frames from entering through one of the untagged ports. Even if you think that nobody would maliciously exploit this, it might still happen that you accidentally connect a tagged with an untagged port and then wonder what the heck is going on in your network. :)
@Christian Lempa ;) At 15:00 you can see that ingress filtering is off while PVID is set. Basically PVID just tells the switch what to tag any untagged frames with (ingress), respectively which tags to remove (egress). Apart from that, any tagged frames would be accepted as long as filtering is turned off (like in your setup). That is usually not what you want, as anybody could connect to any of your VLANs by just setting the appropriate tag.
I haven’t yet seen any problem with VLAN1, like you said it might be a vendor specific problem that doesn’t apply here, however I’m changing it in the next project to avoid discussions xD regarding the ingress filtering I’m not sure, as far as I know that should be avoided by PVID setting but I’ll double check when I have time, thanks for the heads-up!
You should probably make a video on the various types of managed switches, as most videos on KZclip seem to indicate that a switch is either managed or unmanaged. However, managed switches do not all have the same feature sets, which I learned after buying one and found myself missing things like ACLs. Especially TP-Link has very poor marketing with their naming schemas, like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.
i prefer to have a mix of perimetric security and zero trust. in order to do that each computer or proxmox or nas are located on different firewall zone, physical gigabit port. but be aware that ipv6 will modify those concepts
Interesting setup. Well explained. You mentioned you use the Fritzbox as a gateway. How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble routing ITV on a L3 switch to a different VLAN. Maybe you have a tip for me how to solve this. VLAN 4 internet, VLAN 6 ITV, VLAN 7 iptel is incoming from my ISP to my Fritzbox. The only way I get it working is to have ITV on VLAN 1 (default) on the switch. If I try to reroute to a different VLAN I get issues (stuttering & freezing). Any ideas???
@Christian Lempa digital TV. Where I'm from we're used to saying ITV for that. It's much the same as what happened to phones that are now VoIP. Hopefully it clears up the question.
Great video, learned a lot. Maybe I'm a fool to suggest this, but it seems to me that a product that is a managed switch and firewall would spare one all the sending back and forth?
Thank you! :) Firewalls and Switches really have different use cases, a Firewall might have some features of a Switch and a Switch might have some features of a Firewall. But I always tend to buy these devices separately, as they're best at what they're built for.
@Christian Lempa I was actually trained in Juniper firewalls in 2000, but the ISG didn't exist. This is the second one I touch. I'm kinda overwhelmed by the sheer power and the amount of resources it has. I didn't have time to tinker deep with it, I only set up two of its ports as trusted and untrusted and put standard rules so it can work, but I'm pretty sure I've seen something about virtualization. And Surfshark. I'll definitely lose some nights of sleep on it after I finish the new cabling here and the rack arrives. It's everything piled on a coffee table of sorts. Even the no-breaks. Poor table.
Hello Christian, I still have big problems with my switch and my OPNsense FireWall. Could you maybe help me configure the Switch correctly? I'm still very confused by why my network doesn't work.
If you have multiple Unifi APs which have, let's say, 2 wifi networks (stuff and guest, created in Unifi Controller) and connected to Sophos on the same port (VLAN 1 & VLAN 2) via an unmanaged switch, how do you prevent the two networks from seeing each other?
Helpful video but I am still struggling with it. I think I've watched every VLAN video on KZclip and I don't think I've seen a single example of Inter-vlan routing on the same switch. For example and take the router and the needed firewall rules out of play here, you have vlan for a single workstation. Another VLAN for a single printer. Lastly, another vlan for file server. All these devices are all plugged into the same switch (48 port in my case.) Now workstations without printing and access to a file server would be useless don't you agree? In this case should the port for the workstation and printer be set as access(untagged?) I guess the server port would be trunked(tagged) because the 2 vlans need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.
I agree the concept is hard to understand. You can use tagged ports if your device is aware of vlans and you configure the different ids and networks on the interface. Typically you use it to send multiple virtual networks through a single port. Untagged means the port is not aware of vlan ids and just bound to one specific vlan. The PVID should be configured according to the vlan Id of an untagged port.
I use MikroTik devices only. I run my own wireless ISP and for home I have an overkill setup. I have 18 different VLANs for different stuff and man, configuring a new AP or switch can be painful :D
Sorry but that is just pedantic, a DMZ is a separate zone between your LAN and WAN where to put devices that are controlled by firewall rules. Nobody says it can't be used for this and that. The point here is to show how to protect your home servers.
Some great comments below from Mr D, Jason Davis, and R G. I would only add, as a network engineer that goes back to the days of Wellfleet Routers, Cisco MGX Brouters and ArcNet, Banyan Vines, and good ole Token Ring: it is important to keep the syntax of packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "Frame" with Ethernet you were correct, but there were a few forgivable errors where you interchange a Layer 2 technology with the term packet, which is Layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA. And if you get asked, ATM is a 53-byte cell, 48 bytes payload, 5 bytes header. And ask them what the hell they are using ATM for, if A) they are not a telco and B) when Ethernet is so much easier 🤣🤣🤣
Great channel! LACP actually doesn’t add the speeds of single links. It adds concurrency. It just enables you to have 2 devices at 10Gbe instead of splitting the bandwidth over the same physical cable. It’s basically a kind of load balancing with failover.
Great video! One friendly reminder: Cisco proprietary protocol for Etherchannel or LAG is PAgP.
Primarily, the term "trunking" is not the same as LAG. We use the term "Trunking" when we want to pass multiple VLAN traffic over a single trunk link.
LAG is when we aggregate multiple links such as Fast Ethernet or GigaEthernet ports into one! Cisco names it "Port-Channels" :))))
@Lord Carnor Jax Haha indeed :)
But for the right networking terms as mentioned above, technically it is not the same. Configuring a Cisco switch trunk port or a LAG port are two different things :DDD!
I love how some vendors like HP/Aruba use the term "trunking" in reference to a LAG which is not confusing at all (/s) when mixing HP & Cisco switches.
@Mr D Thanks bro, of course I'll do!
@Christian Lempa My pleasure Christian! Keep up the excellent work!
Thanks for sharing bro! :))))
You could show the LAG Mode as well (LACP Mode on firewall and Switch). Those modes can be important to max the performance.
I think you would be helping the Sophos team with your videos. The way you go about presenting the information is personable and easy to understand.
Thanks! 😉
Christian, you helped me a lot during the past years when I went back to school to learn IT administration, Windows and Linux.
Again, thanks for all the content you offer; it is a great resource for every beginner.
Thanks mate! Glad it helped you
Hey great content! It’s really nice to see network related stuff as well in this channel. Much love ❤️
On your B roll of your switches you have your F stop too high on your camera. Lower your F stop and raise your ISO or lengthen your shutter speed. What this will do is give you a deeper depth of field for your camera when showing B roll, so the only thing in focus will not only be the closest point of the Ethernet cables.
As usual really good video! I always enjoy watching them and you inspire so much!
The part about 10 gigabit ports in LAG giving you 20 gigabit is to some extent true; just remember that it still is two different cables and so one single session can not be split between them, meaning that the total throughput between them is 20 gigabit, but for a single transfer using a single session only 10 gigabit is available.
Also you were talking about it as speed, but in the case of LAG it is also seen as bandwidth, as the LAG will probably be used to allow more sessions through a "bigger" interface 😊
If you do a lot of transferring of files, having VMs running from external storage etc. between storage and servers, I would suggest you look into making a storage VLAN with a higher MTU of 9000 (jumbo frames) 😁
Keep up the videos! Love your content
@R G @The Digital Life This is what I also wanted to say. Port channels do not increase speed, they increase bandwidth. And these two terms are often misused. I always say that a port channel is like a highway with multiple lanes. Even if you add more physical links to a port channel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic at that same speed. And the algorithm will decide which session will use which physical link within the port channel.
@Christian Lempa no problem! Hope it can inspire you to make more network videos 😊
Thanks mate! :)
One thing to note about LAGs is that the bandwidth is the aggregated speed, but your throughput will still only be the speed of a single link. If you were to run a speed test across the link you would see this. The reason is how LACP and other LAG protocols work. They will use the source MAC, destination MAC, or both to pin that connection to a single link. (this is usually configurable) This allows for less congestion for multiple devices that need to talk at the same time, but doesn't help for increasing the speed coming from a single connection.
The analogy I like to use is to think of LAG member ports as different lanes on a highway. While driving you can only occupy one lane at a time, and each lane has a maximum speed limit. When there isn't any congestion, having 4 lanes to choose from means nothing to you. However, when there is congestion, the added lanes increase the capacity of the road so cars don't have to slow down to wait for one another.
Otherwise great video.
Thanks! ;)
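The flow-pinning behaviour described in the comment above, as an added worked example (not code from any commenter or from the video). It models a LAG with a simplified layer-2 hash (XOR of the last byte of source and destination MAC, modulo link count; an assumption modelled on the Linux bonding `layer2` policy, real switches use vendor-specific hashes that may also include IP addresses and ports) and shows why one 100 GB session takes as long on a 2x10G LAG as on a single 10G link, while eight sessions finish in half the time. All MAC addresses and sizes are constructed sample data.

```python
"""Model of how a LAG pins each flow to one member link, so one session never
exceeds a single link's speed while many sessions share the aggregate."""
from typing import List, Tuple

LINK_GBPS = 10      # speed of each member link (two 10 GbE ports, as in the video)
N_LINKS = 2

Flow = Tuple[str, str, float]   # (source MAC, destination MAC, gigabytes to send)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def layer2_hash(src_mac: str, dst_mac: str, n_links: int = N_LINKS) -> int:
    """Member link chosen for a frame: XOR of the last byte of the source and
    destination MAC, modulo the link count. Assumption: modelled on the Linux
    bonding 'layer2' transmit hash policy; real switches use their own hashes."""
    s, d = mac_bytes(src_mac), mac_bytes(dst_mac)
    return (s[5] ^ d[5]) % n_links


def link_loads(flows: List[Flow], n_links: int = N_LINKS) -> List[float]:
    """Gigabytes that end up on each member link once every flow is hashed."""
    loads = [0.0] * n_links
    for src, dst, gigabytes in flows:
        loads[layer2_hash(src, dst, n_links)] += gigabytes
    return loads


def transfer_seconds(flows: List[Flow], n_links: int = N_LINKS,
                     link_gbps: float = LINK_GBPS) -> float:
    """Wall-clock time until the last byte is sent: the busiest link sets the
    pace, because a single flow is never spread across two members."""
    busiest_gb = max(link_loads(flows, n_links))
    return busiest_gb * 8 / link_gbps


# Constructed sample: one file server and its clients (locally administered MACs).
SERVER = "02:00:00:00:00:10"
single_session: List[Flow] = [("02:00:00:00:00:01", SERVER, 100.0)]      # one 100 GB copy
eight_sessions: List[Flow] = [(f"02:00:00:00:00:{i:02x}", SERVER, 12.5)  # same 100 GB, 8 hosts
                              for i in range(1, 9)]

if __name__ == "__main__":
    print("one session    loads:", link_loads(single_session), "->",
          transfer_seconds(single_session), "s")      # [0.0, 100.0] -> 80.0 s
    print("eight sessions loads:", link_loads(eight_sessions), "->",
          transfer_seconds(eight_sessions), "s")      # [50.0, 50.0] -> 40.0 s
```

Running it with `n_links=4` spreads the eight sessions over four members, which is the "more lanes" case from the analogy; the single session still lands on exactly one link.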
Awesome video man. Thank you for making this. I watched a few videos and read a bit about VLANs. I sort of got the idea but not the full concept. Others would explain it and I get the facts but.....the facts don't contain a lot of data I can turn into something visual when they explain it. It's like IRL CMD....you get all data fed to you in text. You gotta focus. It's not as easy as if you could turn the data into something visual for your mind to attach to. But the way you explained it.....you basically told us about your network setup in reference to VLANs. If this was a podcast with no video I would have still gotten more than enough information, because the explanation was packed with a lot of information that I could easily turn into something visual. No longer like IRL CMD. Now it's like IRL File Explorer where you can easily visualize the data fed to you. You see the folders and where they are at as well as the files. Your explanation not only had the facts of what VLANs are...but a good chunk of the why was explained, so that I am not sitting here taking educated guesses as to what one might do with this. Simultaneously you also gave a newb a better understanding of the concepts of a VLAN deployment in a real scenario (totally better than me taking an educated guess) and even took the time to throw in a bonus link aggregation tutorial. You freaking nailed it man. I learned a great deal about VLANs in 20 minutes. Somebody get this man a fruit basket....NOW!!! This is my first time here. You easily gained a like and sub from me on the first try. I was able to set up my VLAN network and understand it because you made it easy. I don't normally do this...but... You did good bro. You did good
Thank you so much! I'm glad you enjoy the style of the video tutorials 😀
Good job, man! More about VLAN config and topics like that, please
Sure thing! Thanks!
Very nice video. These are basics I always wanted to understand, but I never found a way in. I had several aha moments while watching. Thanks!
Thank you very much! :) I'm really glad it helped you
Good to see someone working so hard to create quality content for others. Just a hint to make VLAN tags and port types more clear and simple: From the VLAN tag point of view we have two types of ports. Trunk ports and Access ports.
The egress frames on an Access port never have a VLAN tag, because it is removed when exiting. This is why the whole VLAN mechanism is transparent to the end device attached to that Access port.
The ingress frames on Access ports are tagged with a VLAN tag when they arrive (with the VLAN the port belongs to).
So Access ports are like a smurf sitting on an Access port, and he has a sponge in his left hand and a pencil (only one pencil with the one correct VLAN color) in his right hand. Each time a frame is leaving the port, the smurf uses his left hand and erases the VLAN tag with the sponge. Each time a frame arrives (usually from an end device) and enters the port, the smurf uses his right hand and tags the frame with the pencil.
Normally Access ports never receive frames with a VLAN tag from outside.
The other type of port is Trunk. The main difference is that the smurf sitting on the Trunk port does not have a sponge in his left hand, so VLAN tags will remain on egress frames. So basically egress frames and ingress frames will both have VLAN tags. Also, trunk ports can send and receive frames from any configured VLAN. Trunk ports are connected to trunk ports on other devices.
Also, as I wrote in another reply you might not have seen: Port channels do not increase, or aggregate, speed. They increase bandwidth. And these two terms are often misused. I always say that a port channel is like a highway with multiple lanes. Even if you add more physical links to a port channel (more lanes to a highway) you still have the same speed (speed limit on that highway). But with more lanes the highway can have more traffic at that same speed. And the algorithm will decide which session will use which physical link within the port channel.
I think people can understand these technical concepts and mechanisms more easily if they are described with an analogy from life (who says smurfs don't exist? :D )
Looking forward to seeing more content from you. ;)
Thanks 😉
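The sponge-and-pencil behaviour of access and trunk ports described in the comment above, together with the PVID and ingress-filtering point raised earlier in the thread, as an added worked example (not code from any commenter or from the video). It models a small switch with two access ports (VLAN 10 and 20) and one uplink trunk, all constructed names, and shows that with ingress filtering off a tagged frame arriving on an access port is delivered into a VLAN the port is not a member of, while with filtering on it is dropped.

```python
"""Model of 802.1Q tagging on access and trunk ports, with PVID and ingress filtering."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]   # None means the frame is untagged on the wire
    payload: str


@dataclass
class Port:
    name: str
    mode: str                                 # "access" or "trunk"
    pvid: int                                 # VLAN assigned to untagged ingress frames
    allowed: FrozenSet[int] = frozenset()     # VLANs carried tagged (trunk ports only)
    ingress_filtering: bool = True

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        if frame.vlan is None:
            # the "pencil": an untagged frame is stamped with the port's PVID
            return replace(frame, vlan=self.pvid)
        if self.mode == "access":
            # A tagged frame on an access port is dropped when ingress filtering is on.
            # With filtering off the tag is honoured, so the sender chooses its VLAN.
            return None if self.ingress_filtering else frame
        if frame.vlan == self.pvid or frame.vlan in self.allowed:
            return frame
        return None                           # VLAN not configured on this trunk

    def egress(self, frame: Frame) -> Optional[Frame]:
        """Decide whether a classified frame leaves this port, and with which tag."""
        if frame.vlan == self.pvid:
            # the "sponge": the port's own VLAN leaves untagged
            return replace(frame, vlan=None)
        if self.mode == "trunk" and frame.vlan in self.allowed:
            return frame                      # tag stays on for the trunk peer
        return None                           # port is not a member of that VLAN


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Flood a frame to every other port that is a member of its VLAN.
        No MAC learning on purpose: it keeps the VLAN membership logic visible."""
        classified = self.ports[in_port].ingress(frame)
        if classified is None:
            return {}
        out: Dict[str, Frame] = {}
        for name, port in self.ports.items():
            if name == in_port:
                continue
            sent = port.egress(classified)
            if sent is not None:
                out[name] = sent
        return out


def build_switch(ingress_filtering: bool) -> Switch:
    """Constructed lab topology: access ports in VLAN 10 and 20 plus one uplink trunk."""
    return Switch([
        Port("eth1", "access", pvid=10, ingress_filtering=ingress_filtering),
        Port("eth2", "access", pvid=20, ingress_filtering=ingress_filtering),
        Port("eth24", "trunk", pvid=1, allowed=frozenset({10, 20})),
    ])


def reachable_from_eth1(tag: Optional[int], ingress_filtering: bool) -> List[str]:
    """Ports that receive a broadcast injected on access port eth1 with the given tag."""
    frame = Frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", tag, "constructed sample")
    return sorted(build_switch(ingress_filtering).forward("eth1", frame))


if __name__ == "__main__":
    print("untagged, filtering on :", reachable_from_eth1(None, True))   # ['eth24']
    print("tag 20,   filtering off:", reachable_from_eth1(20, False))    # ['eth2', 'eth24']
    print("tag 20,   filtering on :", reachable_from_eth1(20, True))     # []
```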
Hello :) Sorry, what app/website did you use to create the network diagram? Also, do you have any idea for a software that can create some similar diagram but automatically via SNMP or something maybe?
If you want a complete solution for mapping your network, you can check what a CMDB is. It also provides a lot more features like tracking all your different server configurations
It's way more overkill though
I use asciiflow for that
As always, perfect vid, but you can use the same bundle (LAGG) and create what is called a Sub Interface (on the firewall side) and prevent using a dedicated LAGG for each VLAN; you will achieve the same goal with more scalability!
@Whisker Jones I would suspect though that running Proxmox with HA, meaning the need for using external storage (iSCSI or NFS) for the CT volumes and/or VM disks, would be quite a bit of a task running through a router-on-a-stick scenario on a firewall and also unnecessary, hence most enterprises would use fibre channel for something like that; it can of course also just stay on layer 2 and thereby avoid routing as it is unnecessary. Traffic which is also very latency sensitive will not benefit from a router-on-a-stick setup.
But again my experience with firewalls and router-on-a-stick performance comes mainly down to OPNsense, pfSense, Untangle and DD-WRT :)
It absolutely is the way one learns! And as stated there is more than one solution to networks and it always depends on the usecase of it and what is wanted/needed by the users of it :)
@R G I would suggest you benchmark a few use cases with iPerf - you'll be surprised that it's actually pretty hard to saturate even a 1GB link, with only a select few applications being able to do so (vMotion and replication as a couple of easy examples). In all but a very few select use cases pinning traffic to a subinterface like you bring up is perfectly fine. You'd need MULTIPLE MULTIPLE TCP and/or UDP streams going from multiple users, which isn't as common as you'd think, before this really turns into an issue. Anyway this is how you learn - trial and error and doing research!
@Whisker Jones agreed! But this is how it is and there is always an opinion as well as other ways of doing the exact same thing!
I absolutely do agree that the KISS principle is worth following in most cases, but I also think that using router on a stick for a high speed, big file transfer scenario is wrong as doing layer 2 to layer 3 on a firewall by CPU on a double 10 gigabit connection is a waste of potential :)
But as I said I am delighted to learn more and grateful for all info I can collect on topics!
I will definitely reach out to you to discuss some of these topics as I would love to implement them myself :)
Thanks!
@R G When I say force, I'm really talking about using routing to influence your traffic flows. Longest match wins, so this involves a bit of traffic engineering and planning to deploy but is very common in the wild. I'd suggest looking over the Cisco validated design guides for more specifics as a starting point. As with anything in life there are a million ways to accomplish the same goal, so a lot of network design comes from experience with a focus on the KISS principle. Unfortunately a lot of the time we think we're really smart doing some fancy deployment only to find out that we end up with unintended consequences and a network/environment that's next to impossible to troubleshoot. I don't pretend that I'm the end all be all, but I've certainly been in a lot of networks in my time - feel free to reach out and we can discuss more outside YT comments :)
@Whisker Jones I totally agree with this! The inherent problem is that all routing between the subnets will happen on the switch now and the firewall can not do anything about it.
I must admit that I have not heard about this type of setup where OSPF can force the traffic to be forwarded onto the firewall. It sounds like a dream scenario to be able to offload layer 2 to 3 traffic on the switch and then forward it to the router for it to do what it is supposed to do: separate, segregate and inspect the traffic.
Could you possibly point me to a paper on a setup like this, as I would be very interested in trying it out in my own lab, as I am having the before-mentioned setup because of the penalties of inter-VLAN routing on the firewall?
Love learning new things!
I've been watching your videos here and there for a while, but did not know you worked for Sophos! My company is the number 1 Sophos reseller in the United States; we eat, sleep and breathe their products. I personally run a Sophos firewall running in Hyper-V for my home gateway. Great video!
Wow so cool! Thanks 😀
When talking about VLANs it's important to understand what a broadcast domain is - each VLAN is a unique layer 2 broadcast domain, meaning something in VLAN 2 won't be able to talk to something in VLAN 3 without enabling inter-VLAN routing and enabling FW policies. In your case you want your firewall to be your default gateway for each VLAN; this way you can apply policies to the traffic within that VLAN/subnet/broadcast domain.
- one point of clarification about your LAG - you won't "see" 20GB worth of link speed, but instead you'll have more concurrent traffic streams available on your 20GB link compared to just a single 10GB port. This gives you more bandwidth, not line rate speed.
@Whisker Jones just found out in the switch's web interface the routing disable feature. Everything is how it should be now. Thanks!
@Apenas um Robô Paranóico Sounds like you have a lot going on there. I'd suggest removing the layer 3 portion of your 3com switch. You want your routing and policy matching to take place on your router in this case. Trunk your vlans up from your switch to your router and work on your policies and test as you build out.
I'm having my ass kicked by inter vlan routing. I use a Cisco router with zoned based firewall and a physical network port for each vlan (because it came crammed with HWICs, so why not?) and some vlans in my setup can talk with others, some can't talk with no one besides internet and some can only have traffic in one way. Works beautifully when testing with an endpoint in each port. My 3com layer 3 switch f*cks everything and lets anyone talk with everyone. I don't know how to disable it on them.
It might be a good idea not to use VLAN1 for anything else than the default config. Just pick 10 or anything else. Vendors tend to use VLAN1 for special purposes that might pose a problem later down the road.
Also it would be good practice to make use of the ingress-filtering you skimmed over in the video. That basically prevents tagged frames from entering through one of the untagged ports. Even if you think that nobody would maliciously exploit this, it might still happen that you accidentally connect a tagged with an untagged port and then wonder what the heck is going on in your network. :)
@Jan Lenz ah, well that makes sense! Thank you I’ll have a look and Change it :)
@Christian Lempa ;)
At 15:00 you can see that ingress filtering is off while PVID is set. Basically PVID just tells the switch what to tag any untagged frames with (ingress), respectively which tags to remove (egress). Apart from that, any tagged frames would be accepted as long as filtering is turned off (like in your setup). That is usually not what you want, as anybody could connect to any of your VLANs by just setting the appropriate tag.
I haven’t yet seen any problem with VLAN1, like you said it might be a vendor specific problem that doesn’t apply here, however I’m changing it in the next project to avoid discussions xD regarding the ingress filtering I’m not sure, as far as I know that should be avoided by PVID setting but I’ll double check when I have time, thanks for the heads-up!
Hi, nice and interesting video! I was a little fascinated by the ASCII diagram; may I ask what tool you use for that?
@Christian Lempa thank you very much!
Hey thanks :D I'm using asciiflow and nerdfonts for the icons
You should probably make a video on the various types of managed switches, as most videos on KZclip seem to indicate that a switch is either managed or unmanaged. However, managed switches do not all have the same feature sets, which I learned after buying one and found myself missing things like ACLs. Especially TP-Link has very poor marketing with their naming schemas, like having both "Smart Switch" and "Easy Smart Switch", where "Easy" just means that it's missing a lot of features.
Very interesting video and good explanation! thank you
Thanks :)
I prefer to have a mix of perimetric security and zero trust. In order to do that, each computer, Proxmox or NAS is located on a different firewall zone, a physical gigabit port.
But be aware that IPv6 will modify those concepts.
Interesting setup. Well explained.
You mentioned you use the Fritzbox as a gateway.
How do you handle the ITV from the ISP coming in on the Fritzbox? Or haven't you tried yet how to handle it coming from the Fritzbox? I ask this because I have trouble routing ITV on a L3 switch to a different VLAN.
Maybe you have a tip for me how to solve this.
Vlan 4 internet, vlan 6 ITV, vlan 7 iptel is incoming from my ISP to my fritzbox.
The only way I get it working is to have ITV on vlan 1 (default) on the switch. if i try to reroute to different vlan i get issues (stuttering & freezing). Any ideas???
@Christian Lempa Digital TV. Where I'm from we're used to saying ITV for that. It's much the same as what happened to phones that are now VoIP. Hopefully it clears up the question.
Hmm no I haven't used ITV before, what is that?
On a separate question: Is that Sophos firewall actually capable of deep packet inspection and processing those packets at WireSpeed of 20Gbps?
Yes it does DPI, the throughput depends on the hardware sizing though, you should check out the tech specs on the XGS devices and IPS/DPI throughput
Which tool do you use for the markdown diagrams?
Asciiflow and nerdfonts
Great video, learned a lot.
Maybe I'm a fool to suggest this, but it seems to me that a product that is a managed switch and firewall would spare one all the sending back and forth?
Thank you! :) Firewalls and Switches really have different use cases, a Firewall might have some features of a Switch and a Switch might have some features of a Firewall. But I always tend to buy these devices separately, as they're best at what they're built for.
Great video! What do you think of a Juniper Isg 2000 for a home lab firewall?
@Christian Lempa and again, loving your channel!
@Christian Lempa I was actually trained in Juniper firewalls in 2000, but the ISG didn't exist. This is the second one I touch. I'm kinda overwhelmed by the sheer power and the amount of resources it has. I didn't have time to tinker deep with it; I only set up two of its ports as trusted and untrusted and put standard rules so it can work, but I'm pretty sure I've seen something about virtualization. And Surfshark. I'll definitely lose some nights of sleep on it after I finish the new cabling here and the rack arrives. It's everything piled on a coffee table of sorts. Even the no-breaks. Poor table.
Thanks mate! Can't say anything good or bad about juniper, never tested
Great Video. Helped me a lot, thank you.
You're welcome
Thank you Christian .. you changed my life .. all the best brother
How do we draw the ascii diagram like yours ?
Hello Christian,
I still have big problems with my switch and my OPNsense FireWall.
Could you maybe help me configure the Switch correctly?
I'm still very confused by why my network doesn't work.
Hey, sorry I'm a little short on time, did you join the discord yet? Let's meet there and maybe me or somebody else can help you
If you have multiple Unifi APs which have, let's say, 2 wifi networks (stuff and guest, created in Unifi Controller) and are connected to Sophos on the same port (VLAN 1 & VLAN 2) via an unmanaged switch, how do you prevent the two networks seeing each other?
What is the cost of the firewall and switch with licenses, wanting to add something like this in my homelab.
Helpful video but I am still struggling with it. I think I've watched every VLAN video on KZclip and I don't think I've seen a single example of Inter-vlan routing on the same switch. For example and take the router and the needed firewall rules out of play here, you have vlan for a single workstation. Another VLAN for a single printer. Lastly, another vlan for file server. All these devices are all plugged into the same switch (48 port in my case.) Now workstations without printing and access to a file server would be useless don't you agree? In this case should the port for the workstation and printer be set as access(untagged?) I guess the server port would be trunked(tagged) because the 2 vlans need to talk? Don't even get me started on the PVID!!! I just don't understand why I can't grasp this concept.
I agree the concept is hard to understand. You can use tagged ports if your device is aware of vlans and you configure the different ids and networks on the interface. Typically you use it to send multiple virtual networks through a single port. Untagged means the port is not aware of vlan ids and just bound to one specific vlan. The PVID should be configured according to the vlan Id of an untagged port.
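To make the PVID / ingress-filtering points from Jan Lenz's comments and the tagged-vs-untagged explanation in this reply concrete, here is an added Python model of how a switch port classifies a frame on ingress and re-tags or strips it on egress. This is example code written for this thread, not code from the video or from any vendor; the port names, VLAN IDs, MAC addresses and frames are constructed, and the "drop or accept" rule for tagged frames on a non-member port is the behaviour the ingress-filtering setting controls.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None   # 802.1Q VLAN ID carried in the tag; None = untagged
    payload: str = ""


@dataclass
class Port:
    name: str
    pvid: int = 1                                   # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)   # VLANs carried with a tag (trunk members)
    ingress_filtering: bool = True                  # drop tagged frames for non-member VLANs


class Switch:
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}   # (vid, mac) -> port that learned it
        self.dropped = []                        # (port, vid) of frames refused on ingress

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Ingress: decide which VLAN a frame belongs to, or None to drop it."""
        if frame.vid is None:
            return port.pvid                 # PVID tags untagged frames on the way in
        if frame.vid in port.tagged:
            return frame.vid                 # tagged frame for a VLAN this port carries
        if port.ingress_filtering:
            self.dropped.append((port.name, frame.vid))
            return None
        # Filtering off: the switch trusts whatever VID the host wrote on the wire.
        return frame.vid

    def encapsulate(self, port: Port, vid: int, frame: Frame) -> Optional[Frame]:
        """Egress: keep the tag, strip it (PVID VLAN), or refuse to forward on this port."""
        if vid in port.tagged:
            return Frame(frame.src, frame.dst, vid, frame.payload)
        if vid == port.pvid:
            return Frame(frame.src, frame.dst, None, frame.payload)
        return None

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        port = self.ports[in_port]
        vid = self.classify(port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, frame.src)] = in_port
        known = self.mac_table.get((vid, frame.dst))
        # Unknown or broadcast destinations flood only within the VLAN: one broadcast domain.
        targets = [known] if known and frame.dst != self.BROADCAST else list(self.ports)
        out = {}
        for name in targets:
            if name == in_port:
                continue
            egress_frame = self.encapsulate(self.ports[name], vid, frame)
            if egress_frame is not None:
                out[name] = egress_frame
        return out


def build_switch(filtering: bool) -> Switch:
    # Constructed topology: two access ports in VLAN 10, one in VLAN 20, one trunk uplink.
    return Switch([
        Port("p1", pvid=10, ingress_filtering=filtering),
        Port("p2", pvid=10, ingress_filtering=filtering),
        Port("p3", pvid=20, ingress_filtering=filtering),
        Port("uplink", pvid=1, tagged={10, 20}, ingress_filtering=filtering),
    ])


def demo_untagged_broadcast() -> Dict[str, Optional[int]]:
    """Untagged broadcast on an access port: reaches VLAN 10 ports only, tagged on the trunk."""
    sw = build_switch(filtering=True)
    out = sw.receive("p1", Frame("aa:bb:cc:00:00:01", Switch.BROADCAST, None, "arp who-has"))
    return {name: f.vid for name, f in out.items()}


def demo_tagged_on_access_port(filtering: bool) -> Dict[str, Optional[int]]:
    """A VLAN 20 tagged frame arriving on a VLAN 10 access port, with filtering on or off."""
    sw = build_switch(filtering)
    out = sw.receive("p1", Frame("aa:bb:cc:00:00:01", Switch.BROADCAST, 20, "hello"))
    return {name: f.vid for name, f in out.items()}
```

With ingress filtering on, the tagged frame is refused at `p1` and nothing is forwarded; with it off, the same frame is flooded into VLAN 20 and out of the trunk, which is exactly why the setting should stay enabled on access ports.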
what access point do you use? can you do a speedtest on wifi on your next video?
I use the Sophos APX320, haven't done a speed test yet, hmm maybe at some point but not in the near future
LAG doesn’t increase speeds, it increases throughput. Flows are still limited by the speed of the member link….
You’re absolutely right, thanks for sharing!
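The per-flow limit raised in this comment (and in the earlier remark that a 2x10G LAG gives more concurrent streams, not a 20G line rate) comes from the way the switch picks a member link: it hashes fields of each packet so that every packet of one flow lands on the same link. The Python below is an added illustration for this thread, not code from the video or from any switch vendor; it uses CRC32 over a constructed 5-tuple as a stand-in for whatever hash a real switch applies, assumes two 10 Gbit/s members, and the flows and their offered loads are constructed.

```python
import zlib
from collections import defaultdict
from typing import Dict, Tuple

MEMBER_LINKS = 2      # assumed: a 2-port LAG
LINK_GBPS = 10.0      # assumed: 10 Gbit/s per member

# (src_ip, dst_ip, ip_proto, src_port, dst_port)
Flow = Tuple[str, str, int, int, int]


def pick_member(flow: Flow, members: int = MEMBER_LINKS) -> int:
    """Hash the 5-tuple: every packet of one flow maps to the same member link.

    CRC32 stands in for the vendor's hash; the point is determinism per flow.
    """
    key = "|".join(str(part) for part in flow).encode()
    return zlib.crc32(key) % members


def lag_throughput(demands: Dict[Flow, float],
                   members: int = MEMBER_LINKS,
                   link_gbps: float = LINK_GBPS) -> Tuple[Dict[Flow, float], float]:
    """Return (attainable Gbit/s per flow, aggregate Gbit/s) for the offered loads."""
    per_link: Dict[int, float] = defaultdict(float)
    assignment: Dict[Flow, int] = {}
    for flow, gbps in demands.items():
        member = pick_member(flow, members)
        assignment[flow] = member
        per_link[member] += gbps
    rates: Dict[Flow, float] = {}
    for flow, gbps in demands.items():
        load = per_link[assignment[flow]]
        # An oversubscribed member is shared proportionally among the flows hashed to it.
        rates[flow] = gbps * min(1.0, link_gbps / load)
    return rates, sum(rates.values())


def single_flow_demo() -> float:
    """One 20 Gbit/s session (e.g. a large SMB copy) over a 2x10G LAG: capped at 10."""
    flow: Flow = ("10.0.10.5", "10.0.20.7", 6, 40000, 445)   # constructed
    _, aggregate = lag_throughput({flow: 20.0})
    return aggregate


def many_flows_demo() -> float:
    """200 sessions of 0.2 Gbit/s each (40 offered): the LAG delivers its full 20."""
    flows: Dict[Flow, float] = {
        ("10.0.10.5", "10.0.20.7", 6, 40000 + i, 445): 0.2 for i in range(200)  # constructed
    }
    _, aggregate = lag_throughput(flows)
    return aggregate


def flow_sticks_to_one_link(flow: Flow, packets: int = 1000) -> bool:
    """Re-hashing the same 5-tuple for every packet never changes the member link."""
    return len({pick_member(flow) for _ in range(packets)}) == 1
```

The single-flow case returns 10.0 however much the application offers, while the many-flow case reaches 20.0 because the hash spreads sessions across both members; this is the difference between "bandwidth" and "link speed" the comments draw.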
This is why I prefer Unifi. It's just so simple. Create the VLANS, click the port, select the VLAN from the drop down menu. DONE.
Yeah, at some point I need to look at Unifi ;)
I use MikroTik devices only. I run my own wireless ISP and for home I have an overkill setup. I have 18 different VLANs for different stuff and man, configuring a new AP or switch can be painful :D
Wow that seems like a crazy set up :D
Very very very nice!
Thank you! Cheers!
This is amazing, but how much does this part 10gbit kind of network setup cost?
Wow, hard to say, but it's not cheap if you'd buy all this stuff
When you added sophos did you setup the router to be in bridge mode?
No it's running in gateway mode
Great video
Thank you! Thank you! Thank you!
You are so welcome!
Thanks!
Thank you so much for your support 😍
what about the VMs? what VLAN are they on ?
On the DMZ as well
What do you mean by "Management" zone?
It's a different network that I use for my network devices
Thanks for vlan topics. Watch later.
top video
A /16 network in a home environment doesn't make any sense :D
Well I bet you work in german public services. There is no other reason for using Sophos :D
I hope you go back to Docker tuts
and Docker tools like Portainer
and Mailcow tools; that was awesome and I look for more
@Christian Lempa waiting you
Don't worry, I'll do some docker videos in the future as well ;)
You should NOT put your local servers in a DMZ; a DMZ is normally used for internet-facing servers, not local servers. So DMZ is used wrongly here.
Sorry but that is just pedantic, a DMZ is a separate zone between your LAN and WAN where to put devices that are controlled by firewall rules. Nobody says it can't be used for this and that. The point here is to show how to protect your home servers.
Some great comments below from Mr D, Jason Davis, and R G. I would only add, as being a network engineer that goes back to the days of Wellfleet routers, Cisco MGX brouters and ARCNET, Banyan VINES, and good ole Token Ring: it is important to keep the syntax of packet and frame associated properly with the OSI layer being discussed. In almost every case where you prefaced "frame" with Ethernet you were correct, but there were a few forgivable errors where you interchange a layer 2 technology with the term packet, which is layer 3. Easy to do, but a gotcha term in some early career certification tests like CCNA and CompTIA. And if you get asked, ATM is a 53-byte cell, 48 bytes payload, 5 bytes header. And ask them what the hell are they using ATM for, if A) they are not a telco and B) when Ethernet is so much easier 🤣🤣🤣
I even made the error in my comment where this should read 48bytes payload not bits. Big difference.
Ouch, I thought I got it right 🤣