VLANs on separate or aggregated interfaces?

Started by DarkCorner, December 27, 2023, 09:36:35 AM


DarkCorner

I'm doing some lab tests before activating it in the work environment. I talked about it in a post a couple of months ago.
I have about 20 desks with PCs and VoIP.
On all floors I have only one switch connected with an optical backbone to the main rack.
On some floors I also have an Access Point used for both work and guests.
On one floor I also have a personal area.
I had thought about separating the network with VLANs: Works, Guest, VoIP and Home. So, I have to run a trunk to the individual switches.
A Captive Portal would allow me to divide access across VLANs.

The firewall has 3 interfaces.
I was wondering whether to keep them all independent, each with its own VLAN, or aggregate them and associate all the VLANs on this single interface.

LAN traffic is modest. The Guest one cannot be documented, but I imagine it is equally modest and in any case occasional. The Home one, on the other hand, is quite demanding, although only during non-working hours.

So it's not so much a problem of network load, but rather of ease of management.

What is your opinion?

deanwebb

Generally, the interfaces on the firewall are for controlling traffic zones, so one interface would be external access, one would be for the internet traffic to/from guests, the final one for internet traffic to/from the office/VoIP hosts. Your call on where your personal device goes, but you might want it on guest so that there's no chance personal browsing mingles with office stuff.

You will have firewall rules that must be in place for the office/VoIP that you will not want in place on the guest/personal traffic. Also, you would be able to prioritize traffic on office/VoIP at all times, just in case.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

DarkCorner

In reality there are 5 interfaces, because one is dedicated to the WAN and one to the DMZ. The 3 interfaces indicated are for internal traffic, understood as VoIP and work traffic, plus guest and personal traffic using a Captive Portal, and obviously rules for these 3.

What I was wondering was whether to create the VLANs on the 3 interfaces or whether to aggregate them all together and create the VLANs only on the "aggregate" interface.

deanwebb

Personally, I'd do the 1:1 assignment so I could keep things clear. If I had to shut the interface, only the one set of traffic on that interface would be impacted.
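As an added illustration (not from the thread or from either poster), here is what the zone policy deanwebb describes looks like on a Linux nftables firewall using the aggregated design, where all four VLANs ride one LAG toward the switches and each VLAN subinterface becomes its own zone. Interface names, VLAN IDs and ports are assumptions; for the 1:1 design only the interface names change (e.g. `bond0.20` becomes `eth2`), and the shut-one-interface blast radius deanwebb mentions follows from that naming alone.

```nftables
# Added example, not the thread's own configuration. Assumed layout:
# bond0 = LAG to the switch backbone carrying all four tagged VLANs.
define WAN   = "eth0"
define DMZ   = "eth4"
define WORK  = "bond0.10"   # Works VLAN 10
define GUEST = "bond0.20"   # Guest VLAN 20 (captive portal)
define VOIP  = "bond0.30"   # VoIP VLAN 30
define HOME  = "bond0.40"   # Home VLAN 40
define LAN_ALL = { "bond0.10", "bond0.20", "bond0.30", "bond0.40" }

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Work: egress to WAN and DMZ; may reach VoIP only for SIP signalling
        iifname $WORK oifname { $WAN, $DMZ } accept
        iifname $WORK oifname $VOIP tcp dport { 5060, 5061 } accept
        iifname $WORK oifname $VOIP udp dport 5060 accept

        # VoIP: only to the SIP trunk (WAN) and PBX (DMZ), never to other zones
        iifname $VOIP oifname { $WAN, $DMZ } accept

        # Guest and Home: Internet only, never to any internal zone
        iifname { $GUEST, $HOME } oifname $WAN accept

        # Any other inter-VLAN flow is logged and dropped by policy
        iifname $LAN_ALL oifname $LAN_ALL log prefix "inter-vlan-drop: " drop
    }
}
```

The point of keeping rules keyed on interface names is that the office/VoIP allowances never apply to the guest or home zones, whichever physical layout carries them.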