In the business world, and good practice, vlans should only exist on ports where that vlan’s traffic needs to pass.
Example: say my cameras are on vlan 3, and my default vlan is 1. I’ve also got IoT on vlan 9. IoT does not need access to the internet. Neither do the cameras (they’re viewed from a vm running blueiris)… The port going to the modem only needs vlan 1 on it, all others excluded.
IoT needs to talk to the cams sometimes, so the cams have both 3 and 9, and IoT has 3 and 9. (this could also be done with some l3-fu on the switches, but I configured the routes in opnsense so I could log peculiarities).
I’ve only got two machines that are allowed access to the management vlan (13), which has all my IDRAC/ilo/bmc/nm configured on their ports, and no other vlans.
Those two machines are firewalled on machine and the management access is only allowed when necessary (manually).
In the business world, and good practice, vlans should only exist on ports where that vlan’s traffic needs to pass.
Example: say my cameras are on vlan 3, and my default vlan is 1. I’ve also got IoT on vlan 9. IoT does not need access to the internet. Neither do the cameras (they’re viewed from a vm running blueiris)… The port going to the modem only needs vlan 1 on it, all others excluded.
IoT needs to talk to the cams sometimes, so the cams have both 3 and 9, and IoT has 3 and 9. (this could also be done with some l3-fu on the switches, but I configured the routes in opnsense so I could log peculiarities).
I’ve only got two machines that are allowed access to the management vlan (13), which has all my IDRAC/ilo/bmc/nm configured on their ports, and no other vlans.
Those two machines are firewalled on machine and the management access is only allowed when necessary (manually).
Hope that’s clearer than mud.