Using only vlans no lan
-
Hello, I was wondering if it’s recommended to only configure vlans tied to an interface directly? Or is it more appropriate to create vlans with the parent being lan?
I ask because I watched this video:
I've heard it's best practice not to mix untagged and tagged traffic, but so many examples/tutorials use lan as the parent interface.
The video author stated that sometimes without a lan configured that this may make certain things more difficult as it’s “highly integrated in pfsense”
Any help is much appreciated
Thank you
Rip -
Having both tagged and untagged frames on the same wire is quite common and is the main feature of VLANs. For example, I have my guest WiFi VLAN on the same interface and cable as the main WiFi. In offices, it's common to have VoIP phones on a VLAN on the same connection as the main LAN. The purpose of VLANs is to have multiple virtual networks over a single physical network.
-
Would only tagged vlans on a trunk port be considered more secure?
Are there any complications with not configuring a lan (untagged) with respect to installing certain packages?
Thanks
-
the world is filled with bullshit ....
vlans don't provide security
if someone has physical access to a switch, then all security is lost anyhow
-
Sorry I wasn’t clear, is mixing tagged and untagged more susceptible to vlan hopping?
-
@rhvw said in Using only vlans no lan:
is mixing tagged and untagged more susceptible to vlan hopping?
No... But it could be more open to mistakes being made in the config I guess..
Tagged and Untagged traffic would only ever be on a port that is uplink to some device that would be handling the vlans. Another switch, another router, an AP.. Some VM host, etc.
In what scenario would you have anything but 1 vlan untagged traffic going to an end-user device? If you were doing that - then sure the end device could get on any vlan they wanted that was allowed on the port.
The ability to hop vlans almost always comes down to a misconfiguration.. If you setup your switch/AP correctly.. And there is no underlying issue with the switch/ap - it's not very likely to be able to hop vlans.
In a correctly configured and functioning switch, if I put port X in vlan Y.. The user tagging traffic would not be allowed by the switch port, so it would/should not be possible for the user to hop to a different vlan.. Only untagged traffic should be allowed into that switch port, and it would be on vlan Y.
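The two rules in the reply above (tagged+untagged mixes belong only on uplink ports; an end-user port gets exactly one untagged VLAN and drops tagged frames) can be turned into a quick audit of a switch's port table. The script below is an added example written for this thread, not pfSense code or anything from the video; the port table is a constructed sample, and the `connects_to` field is an assumed label you would fill in from your own cabling records. `admitted_vlan` models the ingress decision of a correctly functioning switch, and `audit_ports` flags the configuration mistakes that make hopping possible.

```python
"""Audit a switch-port table for the VLAN mistakes discussed in the thread.

Added example, not pfSense or switch-vendor code. Port data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Port:
    name: str
    # Assumed label from your cabling records: "uplink" (another switch,
    # router, AP, VM host) or "end-device" (PC, printer, phone, ...).
    connects_to: str
    # The single VLAN that untagged frames land in (None = no untagged VLAN).
    untagged_vlan: Optional[int]
    # VLANs the port accepts when the frame carries that 802.1Q tag.
    tagged_vlans: List[int] = field(default_factory=list)


def admitted_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Ingress decision of a correctly functioning switch.

    An untagged frame (tag=None) lands in the port's untagged VLAN.
    A tagged frame is admitted only if that VLAN is in the port's tagged
    list; otherwise the switch drops it (returns None).
    """
    if tag is None:
        return port.untagged_vlan
    return tag if tag in port.tagged_vlans else None


def audit_ports(ports: List[Port]) -> List[str]:
    """Return one finding per configuration mistake that enables hopping."""
    findings = []
    for p in ports:
        # Same VLAN both tagged and untagged on one port is a config error
        # on practically every switch.
        if p.untagged_vlan is not None and p.untagged_vlan in p.tagged_vlans:
            findings.append(
                f"{p.name}: VLAN {p.untagged_vlan} is both tagged and untagged")
        if p.connects_to == "end-device":
            # An end-user port must not accept tagged frames at all;
            # otherwise the attached host can choose any allowed VLAN.
            if p.tagged_vlans:
                findings.append(
                    f"{p.name}: end-device port accepts tagged VLANs "
                    f"{sorted(p.tagged_vlans)}")
            # ... and it needs exactly one untagged VLAN to land traffic in.
            if p.untagged_vlan is None:
                findings.append(f"{p.name}: end-device port has no untagged VLAN")
        elif p.connects_to != "uplink":
            findings.append(f"{p.name}: unknown connects_to {p.connects_to!r}")
    return findings


# Constructed sample port table (not a real switch export).
SAMPLE_PORTS = [
    Port("ge1", "uplink", 10, [20, 30]),      # trunk to an AP: fine
    Port("ge2", "end-device", 10, []),        # PC in VLAN 10: fine
    Port("ge3", "end-device", 10, [20]),      # PC could tag itself into 20
    Port("ge4", "uplink", 20, [20, 30]),      # VLAN 20 both tagged and untagged
    Port("ge5", "end-device", None, [30]),    # tagged-only end-user port
]


if __name__ == "__main__":
    for line in audit_ports(SAMPLE_PORTS):
        print(line)
    # A correctly configured access port drops a tagged frame from the user.
    print(admitted_vlan(SAMPLE_PORTS[1], 20))   # None
```

On the sample table, ge1 and ge2 produce no findings; ge3, ge4 and ge5 produce four findings in total. Run it against a port list exported from your own switch (filling in `connects_to` from your cabling records) to catch exactly the misconfiguration the reply describes before it becomes a hopping path.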