VLAN usage question

I manage a private ISP for a residential site where we have multiple VLANs and subnets that are associated with physical locations; i.e. clusters of residences.

To date, I have been using untagged ports on my core switch to feed the remote switches in each cluster with the specified VLAN, but on those remote switches themselves, all ports just use the native VLAN (VLAN 1).

My question: is this a good practice, or should the remote switches also be configured to use the specified VLAN (rather than the native VLAN) as the default on all ports?

I think either should work, but I’m not sure of the implications/benefits.

Part of the reason why I ask this is that I have been using more traditional HP switches to date, but expect to deploy more UniFi switches soon. My sense with UniFi is that they want all relevant ports forced to the specific VLAN on both the core switch as well as the remote switches.

Well, I use Netgear switches at home; there are several defaults it uses. VLAN 1 is the default too, so it will remain the same unless changed.
I’ve set up my network to use VLAN 10 onwards.

However, when I configure my ports I take them off VLAN 1, which happens to be all of them. This is more because I don’t use VLAN 1 and no firewall rules are set up for them.

Suppose it comes down to whether you use the default VLAN or not.

First question: how did you configure the ports on your core switch: a single VLAN assigned to each port, or is each port a trunk port providing all VLANs?

Second question: which of the VLANs that you defined on your core switch need to propagate to your remote switches? Because if you connect those remote switches to untagged ports only, they will only have that untagged VLAN available on all ports.

I learned to operate VLANs on UniFi only, so I apologise if I misinterpret your question. UniFi switches allow for precise VLAN configuration using their controller software, but so do other brands. UniFi, I found, is more of a sort-it-all-out-by-yourself solution, but when it works it shines.

Functionally, there is nothing wrong with the way you’re doing it. The benefit on the client side is they can take your uplink cable and drop that into any switch port on their end, barring any additional configurations. An additional benefit is that while you’re making your port access, the receiving port doesn’t actually have to know about any of the config on your switch, specifically the VLAN ID. They can choose to make their port access and tie that VLAN ID into a trunk on a different port, giving them more control over their side (not sure if this is relevant to your scenario).

In my opinion, I would do it slightly differently. I’d provide a trunk port from your core switch into the client switch, and then the recipient switch would be trunked as well. All the additional ports would be untagged (or access mode) on any remaining switch ports. Doing it this way will give you flexibility later if/when you need to segment off different networks on that same uplink.

just my 2 cents…

I do configure ports as trunks (or “hybrid” on HP switches) so they can carry all other VLANs tagged in addition to the default VLAN untagged.

I’m mostly trying to avoid using VLAN1 at all for reasons of security and predictability.
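The trunk-uplink layout suggested in the reply above, combined with keeping VLAN 1 off every port as described in the follow-up, as an added example configuration that is not from any poster in this thread. It assumes an HP Comware-style CLI (the HP line that uses "hybrid"/"trunk" link types) and constructed values: cluster VLAN 10, an unused dead-end VLAN 999 as the native VLAN on the uplink, and port 1/0/1 as the uplink on both switches.

```text
# --- Core switch: uplink toward cluster A (constructed example) ---
vlan 10
 name Cluster-A
vlan 999
 name Unused-native
#
interface GigabitEthernet1/0/1
 description uplink-cluster-A
 port link-type trunk
 port trunk permit vlan 10
# VLAN 1 is permitted on a trunk by default; remove it so it is not carried
 undo port trunk permit vlan 1
# untagged frames arriving on the uplink land in dead-end VLAN 999, not VLAN 1
 port trunk pvid vlan 999
#
# --- Remote (cluster) switch: matching trunk to the core, access ports in VLAN 10 ---
vlan 10
 name Cluster-A
vlan 999
 name Unused-native
#
interface GigabitEthernet1/0/1
 description uplink-core
 port link-type trunk
 port trunk permit vlan 10
 undo port trunk permit vlan 1
 port trunk pvid vlan 999
#
interface range GigabitEthernet1/0/2 to GigabitEthernet1/0/24
 port link-type access
# residents' ports are untagged members of VLAN 10 only (no VLAN 1 membership)
 port access vlan 10
#
# --- Check on both switches: VLAN 1 should show no tagged or untagged ports ---
display vlan 1
```

Adding a second cluster VLAN later is then a matter of `port trunk permit vlan <id>` on both ends of the existing uplink, which is the flexibility the trunk layout buys.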