Setting all 24 switchports as tagged for 200 VLANs?


james23

Active Member
Nov 18, 2014
Main Question:
Should I expect any performance hit from enabling 210 tagged VLANs on ALL 24 ports of a switch (or, alternatively, from setting ALL 24 ports as trunk ports)?


background / equipment:
We have an install with 10 Netgear 24-port switches, into which are plugged 200 Ruckus 7372 access points running standalone firmware (one AP, hardwired, per apartment; 200 apartments). The switches are Netgear GS728TPP (24-port, 1G PoE; the specs state a maximum of 256 VLANs).

Each access point has a unique SSID and password for the unit it is in (i.e., unit 213's AP is putting out SSID u213 with WPA password xyzxyz213). This unit's SSID is set to tagged VLAN 213. There is a core MikroTik which will have all 200 VLANs, with a /24 10.x subnet and a DHCP server on each VLAN.

I could go into more specifics about why we want the system set up this way, but I don't want the thread/question to be too long (too late! But if anyone is interested I'll post more details in a reply).

I really want to focus on my main question: should I expect any issues or performance hits from setting all 24 ports to all 200 tagged VLANs? (Or is it better to set all ports as trunk ports? Or neither, and this is a bad idea?)
Part of this question is hypothetical, as I will most likely end up configuring all ports of each switch for only the 24 VLANs (units) it can possibly serve and trunking the uplinks, but I'd still like to know the answer to my original question.

(I could of course properly set each port to its proper "unit number" VLAN, and then set my uplinks as trunks. However, there may come scenarios where the Ethernet plugs physically get rearranged at the switch, and thus unit 421 could end up plugged into a switchport only tagging for VLAN 428 and thus not work.)

Thanks!
 

altmind

Active Member
Sep 23, 2018
> I really want to focus on my main question: should I expect any issues or performance hits from setting all 24 ports to all 200 tagged VLANs? (Or is it better to set all ports as trunk ports? Or neither, and this is a bad idea?)

no issues, no benefits.
(No idea why you are doing this; don't you have anything better to do?)
 

Blinky 42

Active Member
Aug 6, 2015
PA, USA
200 vlans on a port should be nothing for any halfway decent switch. The Netgear you mention isn't super high spec but it should be able to keep up.

Without knowing more of the use-case details, from a security and bandwidth-use perspective I wouldn't do it, however. I would just write a script to configure the VLANs you need per port based on the apartment, or on the trunk you have going to the switch serving 24 apartments. If every port in the system has all VLANs present on it, it won't be long until someone unplugs the AP and plugs in a laptop, and can then access all 200+ VLANs from their apartment and cause headaches based on what you are doing. Those Netgears have a workable web interface, but I wouldn't want to try to manage 10 of them / 240 ports like that by hand. If you can't script it... get a better switch :)

Other thought that may or may not apply: with between 6x and 24x oversubscription, if each switch has 24 copper ports to the APs and then 1-4x 1G fiber links back-hauled to the main data room, it would be trivial to bog down the network with a rogue AP or someone plugged directly into the switch.
 
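Blinky 42 suggests scripting the per-port VLAN assignment rather than tagging every VLAN on every port. The following is an added example (not code from the thread, from Netgear or from MikroTik) that builds both plans for a constructed layout and shows what a device plugged into a single AP port can reach under each. Assumptions: 10 floors with 20 units each, one switch per floor, unit number = floor*100 + n, VLAN ID = unit number (the thread's convention), AP ports 1-20, port 24 as the trunk uplink to the core, VLAN 1 as untagged management. The rendered config is vendor-neutral text, not a real switch CLI.

```python
"""Per-port VLAN plan generator for an apartment AP build-out (added example).

Constructed layout (assumption, not from the thread): 10 floors x 20 units, one
switch per floor, unit number = floor*100 + n, VLAN ID = unit number, AP ports
1-20, port 24 as the trunk uplink, VLAN 1 as untagged management. The output
is vendor-neutral text, not Netgear or MikroTik CLI syntax.
"""
from dataclasses import dataclass, field

MGMT_VLAN = 1
ACCESS_PORTS = range(1, 21)
UPLINK_PORT = 24
FLOORS = 10
UNITS_PER_FLOOR = 20


@dataclass
class Port:
    pvid: int                                      # VLAN given to untagged ingress
    tagged: set[int] = field(default_factory=set)  # 802.1Q tags accepted/sent


@dataclass
class Switch:
    name: str
    vlans: set[int] = field(default_factory=set)       # the switch's VLAN database
    ports: dict[int, Port] = field(default_factory=dict)


def units_for_floor(floor: int) -> list[int]:
    """Constructed unit numbers for one floor, e.g. floor 2 -> 201..220."""
    return [floor * 100 + n for n in range(1, UNITS_PER_FLOOR + 1)]


def build_per_port_plan() -> dict[str, Switch]:
    """One unit VLAN tagged per AP port; the uplink carries only this switch's VLANs."""
    plan = {}
    for floor in range(1, FLOORS + 1):
        sw = Switch(name=f"sw-floor{floor:02d}", vlans={MGMT_VLAN})
        for port, unit in zip(ACCESS_PORTS, units_for_floor(floor)):
            sw.vlans.add(unit)
            sw.ports[port] = Port(pvid=MGMT_VLAN, tagged={unit})
        # Trunk to the core router: exactly the unit VLANs that exist on this switch.
        sw.ports[UPLINK_PORT] = Port(pvid=MGMT_VLAN, tagged=set(sw.vlans) - {MGMT_VLAN})
        plan[sw.name] = sw
    return plan


def build_flat_plan() -> dict[str, Switch]:
    """Every port tagged for every unit VLAN: the configuration the question asks about."""
    all_units = {u for f in range(1, FLOORS + 1) for u in units_for_floor(f)}
    plan = {}
    for floor in range(1, FLOORS + 1):
        sw = Switch(name=f"sw-floor{floor:02d}", vlans=all_units | {MGMT_VLAN})
        for port in [*ACCESS_PORTS, UPLINK_PORT]:
            sw.ports[port] = Port(pvid=MGMT_VLAN, tagged=set(all_units))
        plan[sw.name] = sw
    return plan


def vlans_reachable_from(sw: Switch, port: int) -> set[int]:
    """VLANs a device on `port` can join by sending untagged or self-tagged frames."""
    p = sw.ports[port]
    return ({p.pvid} | p.tagged) & sw.vlans


def render_config(sw: Switch) -> list[str]:
    """Vendor-neutral config lines; adapt them to the switch's own CLI or web UI."""
    lines = [f"hostname {sw.name}"]
    lines += [f"vlan {v}" for v in sorted(sw.vlans)]
    for port in sorted(sw.ports):
        p = sw.ports[port]
        tags = ",".join(str(v) for v in sorted(p.tagged))
        lines.append(f"interface {port} pvid {p.pvid} tagged {tags}")
    return lines


if __name__ == "__main__":
    per_port = build_per_port_plan()
    flat = build_flat_plan()
    sw = "sw-floor02"
    print("per-port plan, port 13 reaches:", sorted(vlans_reachable_from(per_port[sw], 13)))
    print("flat plan, port 13 reaches:", len(vlans_reachable_from(flat[sw], 13)), "VLANs")
    print("\n".join(render_config(per_port[sw])))
```

With the per-port plan, unit 213's port on the floor-2 switch exposes only VLANs 1 and 213 to whatever is plugged into it, and the uplink carries just VLANs 201-220; with the flat plan the same port exposes all 200 unit VLANs plus management, which is the exposure Blinky 42 warns about.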

james23

Active Member
Nov 18, 2014
Thanks for all the replies,

I should have been a bit more clear: there are 10 switches at this property in a flat network config (i.e., all in default vlan0); however, every AP is in router mode (Ruckus calls this gateway mode, i.e., each AP is doing NAT and running a DHCP server for its WLAN interfaces).

This is all working great; however, bandwidth at each AP is topping out at 70-110 Mbit, even on the one wired port of an AP.
The reason is that Ruckus clearly states that APs in gateway/router mode do have reduced bandwidth (and they state the limit/estimate per model; for the 7372 we are using it's around 50-100 Mbit).

However, with the APs in their more traditional LAN-to-WAN bridged mode, the speeds are what we expect for 2x2 N at 5 GHz (i.e., ~200 Mbit). So the goal is to move all the routing onto the MikroTik. The APs support VLAN tagging per SSID/WLAN.

We have done some tests with 20 APs in this configuration and the performance is great. My only concern was tagging so many VLANs on *ALL* ports, but the feedback I'm getting from here and other posts I've made is that the switch should have no problems handling what I was concerned about.

In terms of security, I realize that someone could plug in a device and set their NIC to use a different VLAN, so we may *roughly* address that via MAC ACLs. Additionally, we already get an alert when a unit's AP is unplugged or goes down, and one of us then investigates (so that may cover someone pulling the AP and attaching their own NIC set to a different VLAN).

In reality, when we roll out this "VLAN upgrade", I will most likely end up taking the time with an assistant to properly configure the exact one VLAN per port for the unit/AP that port connects to (and set the uplink Ethernet ports as trunk ports).

One other question (in general as i know terminology differs between vendors):

Does a trunk port tag/pass ALL VLANs (i.e., 1-4096), or does it only tag/pass ALL VLANs that have been created on that specific switch?

As an example, if I've only created:
VLANs 1-10 on switch A, and
VLANs 20-30 on switch B, and
I set eth port 23 and eth port 24 on both as trunk ports and connect the switches via eth port 24,
will a router plugged into eth port 23 of switch A have traffic from VLAN 25 passed to it (assuming VLAN 25 has been added to the router's eth port going into SW A port 23)?


(If you can't tell, my two test/lab switches had to be put into service recently due to an emergency, so I'm waiting on replacements; otherwise I would test my trunk question myself.)
thanks
 

james23

Active Member
Nov 18, 2014
I know my reply above is a bit long-winded, so here is a more direct post of my follow-up question:

Does a trunk port pass ALL VLANs (i.e., 0-4096), OR only all VLANs *used/created on that specific switch*?
I.e., if I have switch A making use of only VLAN 50,
and switch B making use of only VLAN 60,
and switches A and B are connected via trunk ports, will a router connected to a trunk port of switch B be able to see/access traffic from VLAN 50 (i.e., from the upstream switch A)? Thanks
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
completely depends on the firmware implementation, but usually it means only "all" the vlans that have been created/in use on that switch
 
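The behaviour fohdeesha describes, applied to james23's two-switch question, as an added model (not code from the thread or from any switch vendor). It assumes the common implementation: a switch only forwards an 802.1Q-tagged frame whose VLAN ID exists in its own VLAN database, so a trunk allowing "all" VLANs carries all *configured* VLANs. That is firmware-dependent, so treat it as an assumption about typical switches, not a statement about the GS728TPP. Switch names, port numbers, VLAN IDs, the MAC address and the frame are constructed for the example.

```python
"""Trunk ports and the switch VLAN database: a forwarding model (added example).

Assumption modelled here (firmware-dependent, per fohdeesha's answer): a switch
drops a tagged frame whose VLAN ID is not in its VLAN database, and a trunk
carries every VLAN that *is* in the database. Names and numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    vid: int  # 802.1Q VLAN ID carried in the tag


class Switch:
    def __init__(self, name: str, vlans: set[int], trunk_ports: set[int]):
        self.name = name
        self.vlans = set(vlans)              # VLAN database: what was created
        self.trunk_ports = set(trunk_ports)  # trunks carry every VLAN in the database

    def egress_ports(self, frame: Frame, ingress: int) -> list[int]:
        """Ports a tagged frame is flooded to (unknown destination), or [] if dropped."""
        if frame.vid not in self.vlans:
            return []                        # tag not in the database: dropped on ingress
        return sorted(p for p in self.trunk_ports if p != ingress)


def deliver(switches: dict, links: dict, entry: tuple, frame: Frame) -> set:
    """Flood `frame` into `entry`=(switch, port); return edge (switch, port) pairs reached.

    `links` maps (switch, port) -> (switch, port) for switch-to-switch cables;
    a trunk port with no link entry has an end device (router, host) attached.
    """
    reached, seen, queue = set(), set(), [entry]
    while queue:
        sw_name, port = queue.pop()
        if (sw_name, port) in seen:
            continue
        seen.add((sw_name, port))
        for out in switches[sw_name].egress_ports(frame, port):
            peer = links.get((sw_name, out))
            if peer is None:
                reached.add((sw_name, out))  # edge port: the attached device sees it
            else:
                queue.append(peer)           # cable to another switch: keep flooding
    return reached


def scenario_two_switches():
    """james23's example: A has VLANs 1-10, B has 20-30, trunks on ports 23/24 of
    both, A.24 <-> B.24, a router on A.23, and a host on B.23 sends a frame tagged
    VLAN 25. Returns (edge ports reached before, after VLAN 25 is created on A)."""
    a = Switch("A", vlans=set(range(1, 11)), trunk_ports={23, 24})
    b = Switch("B", vlans=set(range(20, 31)), trunk_ports={23, 24})
    switches = {"A": a, "B": b}
    links = {("A", 24): ("B", 24), ("B", 24): ("A", 24)}
    frame = Frame(src_mac="02:00:00:00:00:25", vid=25)  # constructed locally administered MAC
    before = deliver(switches, links, ("B", 23), frame)
    a.vlans.add(25)                                      # create VLAN 25 on switch A too
    after = deliver(switches, links, ("B", 23), frame)
    return before, after


if __name__ == "__main__":
    before, after = scenario_two_switches()
    print("router on A.23 sees VLAN 25 before creating it on A:", ("A", 23) in before)
    print("router on A.23 sees VLAN 25 after creating it on A: ", ("A", 23) in after)
```

Under this model the frame tagged 25 leaves switch B on its trunk, but switch A has no VLAN 25 and drops it, so the router on A port 23 sees nothing until VLAN 25 is also created on A. Configuring the router's interface for VLAN 25 changes nothing on its own; the VLAN has to exist on every switch in the path.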