
Does bridging VLANs or VLANs on a bridge make a difference?

I have an APX320 on Port1 of an XGS. The original setup was to first bridge Port1, PortF1, and Port4 onto a bridge, LAN_Bridge, and then have the AP send three of its SSIDs down VLANs and bridge the other SSID to its LAN (LAN_Bridge). So the VLANs (LAN_Bridge.10, LAN_Bridge.20, etc) were associated with the bridge LAN_Bridge. I'm calling this approach "VLANs on a bridge".

I was thinking that, logically, I might want to instead have the VLANs aligned with the idea that the APX is assigning each SSID to a VLAN (and I would throw the fourth SSID, which is currently bridged, onto its own VLAN), so I should make the VLANs on Port1, not on the bridge: Port1.10, Port1.20, etc., and then I would bridge, say, Port1.10 (a VLAN), PortF1, and Port4 onto LAN_Bridge. This seems logically simpler and potentially more secure and traceable. (Secure in that the AP's subnet would be isolated from the no-longer-bridged SSID that would shift to a VLAN.) I'm calling this approach "bridging VLANs".

But I'm having a complication with trying to turn on a hotspot on my Guest SSID (a separate issue) and it's got me rethinking the new approach.

QUESTION: Is there a preferred approach: Bridge first and have VLANs within the bridge, or VLAN first, then bridge individual VLANs (and ports)?

Two areas I'm thinking of: 1) a bridge between VLANs might force bridging to occur higher in the stack and hence be less efficient, and 2) in the Sophos context, could the more granular bridging cause issues with services (like hotspots needing the captive portal service)? Since this is an XGS, could fast-path be affected by the choice?



[edited by: Erick Jan at 2:41 AM (GMT -7) on 10 Jun 2024]
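As an added illustration (not part of the original post, and not Sophos SFOS configuration), the two topologies described above can be expressed as generic Linux iproute2 commands, which makes the difference in bridge membership explicit. The interface names Port1, PortF1, Port4 and LAN_Bridge are taken from the question; the VLAN IDs 10/20/30/40 and the assumption that the XGS ports map to Linux netdevs of those names are placeholders. With DRY_RUN=1 (the default) the script only prints the plan, so it can be read without touching any interfaces.

```shell
#!/bin/sh
# Added example: the two bridge/VLAN layouts from the question as Linux
# iproute2 commands. Names Port1, PortF1, Port4, LAN_Bridge come from the
# question; VLAN IDs and netdev names are assumed placeholders, not SFOS.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach A, "VLANs on a bridge": physical ports are enslaved to the bridge
# first and the VLAN sub-interfaces hang off the bridge. Untagged frames
# arriving on Port1 (the AP's bridged SSID) share one L2 segment with
# PortF1 and Port4.
vlans_on_bridge() {
    run ip link add LAN_Bridge type bridge
    for p in Port1 PortF1 Port4; do
        run ip link set "$p" master LAN_Bridge
    done
    for id in 10 20 30; do
        run ip link add link LAN_Bridge name "LAN_Bridge.$id" type vlan id "$id"
    done
    run ip link set LAN_Bridge up
}

# Approach B, "bridging VLANs": VLAN sub-interfaces are created on the
# physical port first and only the chosen one (Port1.10) joins the bridge.
# The other SSID VLANs, and untagged traffic on Port1, never reach LAN_Bridge.
bridging_vlans() {
    for id in 10 20 30 40; do
        run ip link add link Port1 name "Port1.$id" type vlan id "$id"
    done
    run ip link add LAN_Bridge type bridge
    for p in Port1.10 PortF1 Port4; do
        run ip link set "$p" master LAN_Bridge
    done
    run ip link set LAN_Bridge up
}

# Comparison helper: list the interfaces a plan enslaves to LAN_Bridge.
# Takes the plan function name as its argument and reads its dry-run output.
bridge_members() {
    DRY_RUN=1 "$1" | sed -n 's/^ip link set \(.*\) master LAN_Bridge$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Usage: show both plans side by side.
echo "A (VLANs on a bridge) members: $(bridge_members vlans_on_bridge)"
echo "B (bridging VLANs) members:    $(bridge_members bridging_vlans)"
```

The point the comparison makes: in approach A the whole of Port1, tagged and untagged, is a bridge member, whereas in approach B only the single VLAN sub-interface Port1.10 is, which is the isolation property the question describes. Whether SFOS offloads either layout to the fast path is a separate question the script cannot answer.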