Best Practices for VLANs with Multiple Interfaces
-
I've just received my Netgate 4100 and am beginning to set it up to replace my current router. The current setup has several VLANs all going down a single interface to a managed switch. Since the 4100 has quite a few ports for me to segment things into, I was thinking of breaking out my server and desktop VLANs onto their own interfaces (with the rest of the VLANs lumped on a third interface). So something like this:
ix3 - WAN
igc0 - LAN (management, untagged)
igc1 - VLAN 16 (desktop, tagged)
igc2 - VLAN 19 (servers, tagged)
igc3 - VLAN 18, 99, 116, 110, 172 (various, tagged)
The question I have is: what's the best practice for setting this scenario up? Should igc1 and igc2 even be VLANs on the 4100, or should I just mark the port on the switch with the VLAN ID? Is there any throughput advantage/disadvantage to doing it either way?
Thanks in advance!
-
@ossgeek said in Best Practices for VLANs with Multiple Interfaces:
Is there any throughput advantage/disadvantage to doing it either way?
Not really - some go by the practice of tagging everything, etc. But there are some advantages to not tagging, in the sense that you can connect to that port without having to tag. Like you have on your "lan", if you want to call that management.
I do the same sort of setup where some interfaces are untagged, and then on another interface I have my tagged VLANs - my wifi stuff mostly, since they are going to be less bandwidth intense, and there is no intervlan traffic between them to speak of.
It really comes down to personal preference, especially if it is just a home network where there are no actual company policies or procedures that have to be adhered to, etc.
Breaking out networks to their own interfaces does have the advantage that the bandwidth for that network/VLAN has that physical interface to itself. So traffic between those interfaces is not shared via hairpin.
For example, if your VLANs 116 and 110 did a lot of intervlan talking, I wouldn't put them on the same physical interface if you have the interfaces to work with. But if those VLANs 18, 99, 116, 110, etc. don't really do a lot of bandwidth-intense communication between themselves, then it makes sense to group them together on the same uplink.
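As an added illustration of the two options discussed in this thread (tagged on the router vs. untagged with the VLAN set on the switch port), the script below is not from either poster nor from pfSense itself: it emits the plain FreeBSD `ifconfig` commands that correspond to the layout in the first post, and checks that no VLAN ID ends up on two parent interfaces. Interface names (igc0-igc3) are taken from the post; the commands are only printed for review, not executed.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for the proposed layout.
# Entry format: "parent:untagged" or "parent:vlan,vlan,...". Values are the ones
# proposed in the first post; igc0 is the untagged management LAN.
set -eu

LAYOUT="igc0:untagged igc1:16 igc2:19 igc3:18,99,116,110,172"

# Print the FreeBSD ifconfig lines for each parent interface.
# An untagged parent needs no VLAN child; the switch port facing it is an
# access port, so any host plugged in lands on that network without tagging.
vlan_commands() {
    for entry in $LAYOUT; do
        parent=${entry%%:*}
        vlans=${entry#*:}
        if [ "$vlans" = untagged ]; then
            echo "# $parent carries one untagged network; switch side is an access port"
            echo "ifconfig $parent up"
            continue
        fi
        # Tagged: one child interface per VLAN ID, named parent.id
        for id in $(echo "$vlans" | tr ',' ' '); do
            echo "ifconfig $parent.$id create vlan $id vlandev $parent"
        done
    done
}

# Sanity check: a VLAN ID attached to two parents would give the firewall two
# layer-3 interfaces on the same layer-2 segment. Prints any duplicated IDs,
# so empty output means the layout is clean.
duplicate_vlans() {
    for entry in $LAYOUT; do
        vlans=${entry#*:}
        [ "$vlans" = untagged ] && continue
        echo "$vlans" | tr ',' '\n'
    done | sort | uniq -d
}

vlan_commands
```

Moving VLAN 16 from tagged to untagged is just a matter of changing `igc1:16` to `igc1:untagged` here and making the switch port an access port for VLAN 16, which is the "few extra clicks" trade-off the thread talks about.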
-
Thanks for the quick reply!
This is just a home setup, so no corpo policies to speak of. The primary reason is definitely that the desktop and server VLANs DO have lots of traffic, and the rest of the VLANs (IoT, phones, DMZ, etc.) should not talk to each other (in fact there will be firewall rules to prevent it!).
Really, all I can think of as a disadvantage to NOT tagging would be that if in the future I wanted to add another VLAN to the servers or desktop interface, it would be a few extra clicks to configure.
Thanks again. I think I'll move forward untagged and just have the VLAN specified on the switch port.
-
@ossgeek said in Best Practices for VLANs with Multiple Interfaces:
it would be a few extra clicks to configure.
Either way, adding more VLANs to a physical interface is no big deal, whether you already have an untagged network on the interface or not. Sure, you would have to change the config on your switch a bit.
But I run a native (untagged) network on the same interface I also have tagged VLANs on. There is nothing saying you cannot do that - unless you had some limitation on your switch? Or again some company policy stating not to do that ;)