VLANs and Parent Interface



  • I'm a bit confused as to how I should set up my parent interface for my VLANs. I'm using a separate interface from my regular LAN interface as the interface I have plugged my managed switch into.

    If I want to use this interface to set up several VLANs on separate subnets, does my parent interface just not have an IP under IPv4 configuration type? Right now the interface I have plugged my switch into, which I want to set as the parent interface for the VLANs, is not configured at all.



  • Basically, to clarify what I mean is: if the interface I'm using is not the LAN interface, should the parent interface I'm using have an IP? Or should I leave it with no IP and set it once I've configured the individual VLANs?


  • Netgate

    Leave the parent interface unassigned.

    Create VLANs and assign/enable/IP those interfaces.

    That traffic will be "tagged" on the switch port.



  • So don't enable the parent at all?


  • Netgate

    You do not need to do anything with igb0 to use igb0_vlan1000, for instance.

    It can remain down in available network ports.



  • Shibby  8)


  • Rebel Alliance Global Moderator

    Or you could use that interface for an untagged VLAN. And your tagged VLANs are what are on the parent.



  • @johnpoz:

    Or you could use that interface for an untagged vlan

    "Could" is correct, but it's good practice not to mix tagged and untagged traffic on the same interface.
    It's possible, so someone has to mention it, I guess…


  • Netgate

    Yeah an untagged interface for management and a tagged interface for the VLANs is actually pretty ideal.

    That way you can connect a laptop directly to LAN if you have to.

    I create a tagged interface on my Mac in that case, but it's a lot easier to not have to talk someone through that on the phone if you don't have to.


  • Rebel Alliance Global Moderator

    Well, that really depends. While I agree that on a layer 2 only network, where there is no routing between the VLANs, tagged is the way to go, if you're routing between the LANs anyway I do not see it as an issue.

    You could run into a double-tagging attack to gain access, I guess. Is this a high-security network? I doubt it - if it was, why is the OP here asking questions ;)

    Are you tagging the traffic on the access ports? Doubt it, because then every device on the access port has to understand the tag. You're talking about trunk ports, where yes, you would tag the native VLAN. But since this is the trunk port to your router/firewall, I don't see it as an issue.

    You also run into issues with some devices that do not allow you to tag the management. Access points, for example: on UniFi the management VLAN cannot be tagged. So while you might have VLANs on your different SSIDs, you cannot tag the VLAN you will use to access the AP. So on the trunk port you connect to the AP, the native VLAN has to be untagged.

    I see no issue with running your native VLAN untagged to your router interface. It also could be more work if you're adding VLANs to an interface that was before just being used native without tags.

    So while I agree that from a security aspect tagging the native VLAN over a trunk port, on say an uplink between switches, is best practice, when the end device is a router or some other device that would use this native VLAN I do not see it as a security concern. Now if you're in some DoD facility that might be another story, but I take it this is some guy's home network or SMB sort of setup.


  • Netgate

    My problem with mixing tagged and untagged is switch/gear vendors can treat it differently. Yes, these days, it generally works fine.

    I would still change the PVID of the untagged traffic on the switch to something other than VLAN 1, mainly so it can be properly tagged and "trunked" to other switches/devices.

    Many ways to design networks. The OP's question was whether it is required to do something with the parent. The answer there is no.
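
    The double-tagging attack mentioned above, and what changing the PVID of the untagged traffic away from VLAN 1 does about it, are easier to see with a small model. The following is an added example and not code from the thread or from pfSense: it builds raw Ethernet frames with stacked 802.1Q tags, models a switch port that classifies frames on ingress and re-tags them on egress, and runs an attacker frame tagged [1][20] from an access port across a trunk, once with VLAN 1 as the trunk's native VLAN and once with the native VLAN moved to an otherwise unused ID. The port behaviour, VLAN IDs (1, 10, 20, 999), MAC addresses and payload are all assumptions constructed for illustration; real switches vary by vendor, as noted above.

```python
# Added example (not from the thread): a toy model of 802.1Q tagging on switch
# ports, showing the double-tag (VLAN hopping) case and why moving the trunk's
# untagged/native traffic off the VLAN the end devices use defeats it.
# The port behaviour modelled here is a simplification and an assumption;
# real switches differ by vendor. All frames and VLAN IDs are constructed.
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IPV4 = 0x0800  # EtherType of the (dummy) payload


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left 0
    return hdr + struct.pack("!H", ETH_P_IPV4) + payload


def tags_of(frame):
    """VIDs of all 802.1Q tags present, outermost first (empty for untagged)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (the 4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` as the new outermost tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class Port:
    """Modelled switch port: `pvid` is the untagged/native VLAN, `tagged` the
    VLANs carried with a tag (an access port simply has an empty tagged set)."""

    def __init__(self, pvid, tagged=()):
        self.pvid = pvid
        self.tagged = frozenset(tagged) - {pvid}

    def ingress(self, frame):
        """Classify a received frame to a VLAN and strip the tag it was
        classified on. Assumed behaviour: untagged -> PVID; a tag equal to the
        PVID is accepted; any other tag must be in the port's tagged set."""
        vids = tags_of(frame)
        if not vids:
            return self.pvid, frame
        outer = vids[0]
        if outer == self.pvid or outer in self.tagged:
            return outer, pop_tag(frame)
        return None  # dropped

    def egress(self, vid, frame):
        """Transmit: the native VLAN leaves untagged, tagged VLANs get a tag pushed."""
        if vid == self.pvid:
            return frame
        if vid in self.tagged:
            return push_tag(frame, vid)
        return None  # VLAN not allowed on this port


def double_tag_result(trunk_native):
    """An attacker on an access port in VLAN 1 sends a frame tagged [1][20]
    across a trunk carrying VLANs 1, 10 and 20 whose native VLAN is
    `trunk_native`. Returns the VLAN the next switch classifies the frame into
    (20 means the attacker hopped into VLAN 20), or None if it was dropped."""
    carried = {1, 10, 20}
    access = Port(pvid=1)
    trunk_out = Port(pvid=trunk_native, tagged=carried)
    trunk_in = Port(pvid=trunk_native, tagged=carried)
    attacker = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", vids=[1, 20])

    entry = access.ingress(attacker)  # outer tag 1 == PVID: accepted and stripped
    if entry is None:
        return None
    wire = trunk_out.egress(*entry)   # untagged if VLAN 1 is native, else re-tagged
    if wire is None:
        return None
    arrival = trunk_in.ingress(wire)
    return arrival[0] if arrival else None


if __name__ == "__main__":
    print("native VLAN 1 on trunk   ->", double_tag_result(1))    # 20: hop succeeds
    print("native VLAN 999 on trunk ->", double_tag_result(999))  # 1: stays in VLAN 1
```

    With VLAN 1 native on the trunk, the access port strips the attacker's outer tag and the trunk sends the remainder untagged, so the inner tag 20 is the first thing the next switch sees and the frame lands in VLAN 20. With the native VLAN moved to an unused ID, the trunk pushes a tag for VLAN 1 on the way out, the next switch classifies it as VLAN 1, and the stale inner tag is just payload. That is what the PVID change suggested above buys you; on the pfSense side it corresponds to giving every VLAN its own igbX_vlanN interface on the parent rather than relying on the untagged traffic.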


  • Rebel Alliance Global Moderator

    Depends on the switch; on some you can tag VLAN 1. I currently have it tagged to a VM running Domotz and it's working just fine with the tag, because I have an interface on the VM that knows about VLAN 1 being tagged, etc.

    "Many ways to design networks."

    Exactly!! You can use the parent interface if you want, or if you just want to run VLANs on top of it and not use the parent, that is fine too.



  • @johnpoz:

    … if it was why is the OP here asking questions ;)

    Exactly. And for beginners asking questions, KISS is always a good idea, usually the best.
    By not mixing T and U traffic on one IF it is likely easier to oversee, don't you think?



  • I'll probably just stick everything in VLAN interfaces and not use the parent interface.

    I'll either change the default traffic to untagged and switch it to VLAN 10, or tag everything.

    Thanks everyone, that settles my question.


  • Rebel Alliance Global Moderator

    "By not mixing T and U traffic on one IF it is likely more overseeable, don't you think?"

    To be honest I don't see it as an issue, while I completely agree with KISS and why over-complicate things. Not having any settings on an interface tends to confuse new users. So if they can think of that as network ABC, and then add VLANs on top of that, it's pretty simple.

    But you have a talking point, sure. But then you're doing it opposite to the end machines: you don't tag the port that the end device is connected to. If you do, then you have to set the end device to understand the tag. So no matter how you look at it, you're going to be running tagged and untagged when you start to VLAN. So how is it any different for your router vs. your workstation? Just in the router you need to tag the traffic for the other VLAN LANs it's routing, etc.