Separate Network vs. VLAN

Tom, first, thank you for your wonderful training videos! You have inspired me to also create my own (more on the Programming meets Infrastructure side). … OK, inspiring to create videos, but just need to find the time.

My question is this:

At one point yesterday, you said that for devices that you don’t trust, you would prefer to put those things on a separate network over a different VLAN for security, to prevent VLAN hopping.

How do you do that? I am sure that you’re not talking about a separate subnet, but instead it seems like you are talking about a different network where you have another router. Would this be true? Or do you create a new network in your pfSense router and have another port on the router go to an isolated switch?

Interested to know.

Because of your suggestions and tutorials, I easily set up a different set of VLANs for my network, servers (home lab), surveillance system, and security systems, each having their own VLAN. This works great!

I mostly do it as you see in this video.

VLANs are fairly secure, but since you are encapsulating other traffic, there is more risk as it shares the same lines on the same switches.

Creating physically separate networks can help mitigate that risk and keeps everything more centrally managed via the firewall, but you have to make sure you are writing the rules properly.
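As an added illustration (not Tom's configuration and not from the original thread) of the dedicated-port setup the question describes, here is what the pf rule set behind pfSense would need to express for an isolated physical interface carrying untrusted devices. The interface names, the use of RFC 1918 ranges as "internal", and the set of allowed services are constructed assumptions; in pfSense you would express the same policy as firewall rules on that interface rather than editing pf directly.

```pf
# Constructed example: untrusted devices hang off their own physical port
# (their own switch), so no VLAN trunk carries their frames.
iot_if = "igb2"     # dedicated port for untrusted devices (assumed name)

# Every internal segment lives in RFC 1918 space, so "to <private>" means
# "to anything that is not the internet" (LAN, servers, cameras, firewall).
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny for anything arriving on the untrusted port; log it so
# attempts to reach other segments show up in the firewall log.
block in log on $iot_if all

# The only firewall services the devices may use: DHCP (broadcast) and DNS
# to the firewall's own address on this interface. "quick" stops evaluation
# here, so these pass before the private-range block below.
pass in quick on $iot_if proto udp from any to any port 67 keep state
pass in quick on $iot_if proto udp from ($iot_if:network) to ($iot_if) port 53 keep state

# Anything else aimed at an internal range is dropped and logged. Because it
# is "quick", the general internet-pass rule below never sees this traffic.
block in log quick on $iot_if from ($iot_if:network) to <private>

# What remains is traffic to non-private destinations: outbound internet only.
pass in on $iot_if from ($iot_if:network) to any keep state

# Nothing on the trusted segments is allowed to be reached from here, and no
# rule above passes traffic *into* $iot_if from other interfaces, so the
# isolation holds in both directions unless a rule elsewhere opens it.
```

The order matters in pf: without `quick` the last matching rule wins, so placing the internet pass after the private-range block without `quick` on the block would silently re-open access to the other segments.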