Buy from the Ubiquiti Store (Affiliate):
- US: store.ui.com/us/en/pro/products/udm-pro-max?a_aid=CameronGray
- EU: store.ui.com/eu/en/pro/products/udm-pro-max?a_aid=CameronGray
Fantastic. I've been trying to understand how I can connect my single WAN (BT) connection to both UDMs. This video is the only video that answers that question (at time index 7:35). I had a feeling/thought that I needed a switch, but this video actually answered that question. Thank you Cameron!
Excellent video and explanation on exactly how this works and what to do in different situations. Since I have UNVR Pros, I don't have to worry about losing historical video footage. But I appreciate the very thorough explanations. All of the other videos I have seen on this were just how it failed over and then switched back. Your video is the first I have seen that goes over all of the different scenarios of failure and what to do in each. Bravo.
This is an absolutely awesome video. I wasn't aware that the shadow mode is still a single point of failure (switch) mode, which could not be the final solution for this.
When the failover happens, does the MAC address get cloned to the Failover UDM so that there would not be an IP change on the WAN interface?
yes
Great video, but what happens if I have two ISPs, one active and the other in failover mode? The question is, where do I connect the second ISP?
You'd connect both ISPs to both UDMs, likely by connecting each of them via some sort of switching. Automatic Shadow Mode is only really to handle failure of a UDM; each UDM will handle ISP failover internally.
Thank you for this detailed video!
I have 2 UDM Pros already set to shadow mode, connected to 1 UniFi USW-Pro-Aggregation (core switch), but then I think: what if my core switch dies? So my question is, is it possible to use two UniFi USW-Pro-Aggregation switches, each connected to a UDM Pro that is already set up with shadow mode? Thanks
What about dual WAN from 2 different ISPs? How do app and firmware updates work with automatic failover?
Interesting; would this be functional through a USW-Aggregation switch with DAC cables?
ISP to Aggregation (2.5Gbps fiber), DAC to UDM-Pro 1 & DAC to UDM-Pro 2?
I assume this limitation could be mitigated by attaching an NVR that is separate from the UDM which would be storing footage from the controller?
My ISP will attach one IP address to one MAC address. If the gateway is changed, a new IP address will have to be obtained (usually by modem reboot).
Does this setup appear as a single device to the ISP?
Great video! Clear and detailed. Have to wonder about adding the other two points of failure to the system though. I wonder if Ub will make a switch device to go between them.
This setup is only really intended for large networks so you're already going to have LAN switches so you wouldn't really be adding a point of failure there. You are still technically adding one if you need a switch on the WAN side, but switches are generally pretty reliable and if you're at the point of running redundant UDMs, you'd probably also have redundant WAN connections, each with their own switch.
Gotcha! Makes sense! Thanks for the reply and video.
I'm wondering if there is a way to sync the footage to the standby over the HA link.....
What is really annoying about people pushing UniFi products is that they never mention they are more than likely out of stock. Case in point is the UDR, which has not been in stock for weeks. I do worry about choosing a supplier that cannot manage its stock and manufacturing process correctly.
Absolutely. I ended up finding a second hand UDR after waiting 3 months without luck. That was a while ago now and they're still not in stock
Plenty of stores that sell them.. You don't need to buy it at the Ubiquiti Store...
@@SmokingCrop Have a link? I couldn't find one in stock anywhere in UK/EU that I could find
Does this work with WAN2 connections? Assuming that a WAN2 failover would be the same process as WAN1.
If you were going to the expense of HA you would likely have a separate UNVR and not have any cameras on the UDM. The reason I originally liked UniFi was that everything was separate; I'm not keen on the all-in-one devices. Although they are good, I personally think it's a backwards step and would prefer just a gateway with 10G ports.
gateway with just 10g ports, that would be the UXG
That's weird, I have 2 UDM SEs and I got them to sync, but I don't have the option for the auto failover. Maybe it just happens without having to select it now?
It does, the option is only visible as a link (there is an exclamation mark next to it). Just click the link.
Does it support dual WAN, assuming the same UniFi SFP adapter? I would be inclined to use 1 LAN trunk port and configure VLANs on downstream switches and manually move over the trunk patch cable. Excellent video!
Dual WAN works the same way as on a single UDM except with Automatic Shadow Mode you'd connect both WAN connections into both of the UDMs. Not sure what you mean about the trunk port and manually swapping the cable? With Automatic Shadow Mode you'd configure a trunk port on both UDMs and connect both of them to the switches at the same time, that way failover will happen automatically without requiring any cabling changes.
Hi, will it be able to split the load between two routers in Shadow Mode? Thanks.
Shadow mode is purely active/standby high availability - it doesn't perform any sort of load balancing.
Do you know if you're upgrading firmware, will it upgrade the first gateway, switch over to the second, and then switch back to the first and upgrade the second -- or does it upgrade both at the same time?
I am wondering this too.
Absolutely amazing video and very clear presentation. Really enjoyed it, thank you. Could you please link those clear-through patch cables please?
Thanks! These are the exact cables I'm using but you can find similar slim CAT 6 cables from many other suppliers: patchsavesolutions.com/773-slim-small-diameter-pvc-snagless-patch-cables
@@camerongray1515 thank you so much
I would say having them need to be switched back is an oversight. Imagine you have some glitchy power conditioner down the chain that loses power, then powers up again, then loses power and so on. (I know not the most likely, but it is possible.) Then the UDM will switch constantly, you will probably lose internet connection constantly, and UniFi Protect probably has a footage issue.
I understand that it's probably hard to implement it because the first one doesn't know it failed when it comes back online, but still, it would be great.
Great video Cameron, would love to see some videos on peplink devices like the balance one 5g
They do look interesting and I'd love to check them out in the future, but since I don't necessarily have a use for them personally, the cost is unfortunately a bit hard to justify purely to make a video on them.
Will this work with the uxg pro?
this is exactly what i was thinking, i hope it does because it could be super useful at work, as long as it still supports dual WAN
I have a 10G Ethernet with 5G/5G WAN connection, so I wonder if the switch between the WAN and the UDM could be a UniFi aggregation switch.
I can't see why not, although that does raise an interesting situation - with the switch sitting on the WAN side of the UDM, I don't think it would automatically be manageable through the UniFi controller. I haven't tested this but I suspect you'd need to also have the switch connected to your LAN to allow management through UniFi and then add a VLAN that includes all of the ports used for your WAN connection (the ports linking to each UDM and the port(s) uplinking to your ISP).
What about two ISPs?
It's a little disappointing they're not replicating video storage between the two units.
Might be bandwidth or processor constraints, but surely they could create another interface just dedicated to video traffic, but the processor might be harder to overcome.
So how do you now make the two additional switches have the same level of redundancy?
For the most part, on the WAN side your ISP's modem may have multiple LAN ports that you can connect the UDMs to, or you may use 1 simple switch. Simple unmanaged switches from reputable brands may be really reliable because of their simplicity, so they are intrinsically less prone to failure.
On the LAN side you've got lots of options, depending on the size of your network. If you have only one downstream core switch you can just connect the 2 UDMs to your core switch. If you have multiple downstream switches you can connect both UDMs to every switch, or you may use STP (Spanning Tree Protocol) to create a daisy-chain ring between them.
There are lots of options depending on the size of the network, number of switches and which are the critical ones.
Cheers!
On the LAN side, you could have a pair of stacked core switches, and make sure each one has a link going to your access switches. Not sure if that's something you can set up with a UniFi setup or not, not too familiar with their switches. Also, switches with dual power supplies.
On the WAN side, it'd depend on what your ISP supports, but if you do just get 1 network port handoff from them, at least going into a reliable dual power supply switch would be a good idea.
Having a single point of failure somewhere along the line is something you'll have to live with, unless you start going down some much more complicated setups, and likely needing more enterprise-grade gear.
Now, how do you run shadow mode with an SFP+ fiber WAN? That's the main thing.
Does this only work on the new Pro Max or also UDM Pro Se and Pro ?
This feature is being rolled out to all rackmount UDMs, so that includes the UDM Pro, UDM SE and UDM Pro Max.
Does it have any interface tracking features? For example, if your WAN cable gets damaged on the primary and becomes disconnected, would it trigger a failover to keep the internet live to the network? Or would it stay as it is and you would lose connectivity?
You would hope it fails over purely because of the WAN packet loss
@@NaokisRC hope being the key word here
I haven't tested this, although I suspect not. Automatic Shadow Mode is designed purely to handle the complete loss of a UDM (hardware failure, software crash, etc.). When it comes to WAN redundancy, the expected setup would be to have a pair of WAN connections which are both connected to both UDMs.
Do you need the Max or is it coming to the SE ?
This will come to all rack mount UDMs - so the UDM Pro, UDM SE and UDM Pro Max should all be getting it!
Don't you need to use the Link ports on those switches? How can that work?
I'm not sure what you mean?
@@camerongray1515 On the TP-Link switches, usually you connect the upstream cable to port 5 (labelled Link/Act) and you connect downstream devices to ports 1-4. You connected the uplink cables from the Dream Machines to ports 3 and 4. How does that work?
There is no difference between any of the ports; they all work the same. A switch doesn't care which port is used to uplink to the router; it doesn't even see any difference between a router and a client device. All general Layer 2 switches like these do is forward traffic between connected devices based on MAC addresses. You may sometimes see switches with ports labeled "Uplink", but that usually just denotes either a higher-speed port (e.g. a 10GbE port on an otherwise 1GbE switch, or a 1GbE port on an otherwise 10/100 switch) or, on a PoE switch, a single port that doesn't provide PoE.
Oh boy, a mass of cables.
Is video content moved between them?
Did you look at the video?
What is it for a laptop?
Looks to be a Framework laptop.
Thanks for the video. Question: Instead of using 2 unmanaged switches, can I just use a single ubiquiti switch instead? Thanks
You could, as long as you make a separate VLAN for all the ports involved in the WAN side of things. However, bear in mind that your switch is still a single point of failure. In a real-world setup you'd need to build in some sort of switch redundancy in addition to Automatic Shadow Mode.
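To make the three points above concrete (any port works as an "uplink" on a plain Layer 2 switch, a separate VLAN keeps the WAN-side ports isolated from the LAN ports on a single switch, and the WAN MAC being carried over to the standby unit means the switch simply relearns it on another port), here is a toy Layer 2 switch model. It is an added example, not code from the video or from any Ubiquiti software; the VLAN ids, port assignments and MAC addresses are constructed for the walk-through.

```python
from dataclasses import dataclass, field

WAN_VLAN = 100   # assumed VLAN id for the ISP-facing ports
LAN_VLAN = 1     # assumed VLAN id for the LAN-facing ports

# Constructed sample MAC addresses, not real devices
ISP_MAC = "aa:aa:aa:00:00:01"
GATEWAY_MAC = "bb:bb:bb:00:00:01"   # the WAN MAC the UDM pair presents to the ISP
CLIENT_MAC = "cc:cc:cc:00:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    """Minimal VLAN-aware learning switch: forwards on (vlan, MAC) only."""
    port_vlan: dict                      # port number -> access VLAN id
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the sorted list of egress ports for one frame."""
        vlan = self.port_vlan[in_port]
        # Learn: the source MAC is reachable via in_port, scoped to this VLAN.
        # A frame from the standby carrying the same MAC simply overwrites this.
        self.mac_table[(vlan, src_mac)] = in_port
        out = self.mac_table.get((vlan, dst_mac))
        if out == in_port:
            return []                    # destination sits behind the ingress port
        if out is not None:
            return [out]                 # known unicast: one port only
        # Unknown unicast or broadcast: flood within the VLAN, never back out in_port
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def build_switch():
    # Ports 1-4 carry the WAN side, 5-8 the LAN side. Which port a device sits
    # on is irrelevant; no port is special on a Layer 2 switch.
    return Switch({1: WAN_VLAN, 2: WAN_VLAN, 3: WAN_VLAN, 4: WAN_VLAN,
                   5: LAN_VLAN, 6: LAN_VLAN, 7: LAN_VLAN, 8: LAN_VLAN})


def walk_through():
    """Replay the WAN-side exchange before and after a failover."""
    sw = build_switch()
    steps = {}
    # 1. ISP modem on port 1 ARPs for the gateway: flooded to WAN ports only
    steps["isp_broadcast"] = sw.forward(1, ISP_MAC, BROADCAST)
    # 2. Active UDM (port 2) answers; the switch has already learned ISP_MAC on port 1
    steps["udm_a_reply"] = sw.forward(2, GATEWAY_MAC, ISP_MAC)
    # 3. ISP sends unicast to the gateway MAC: delivered to port 2 only
    steps["isp_to_gateway_before"] = sw.forward(1, ISP_MAC, GATEWAY_MAC)
    # 4. Failover: the standby on port 3 sends with the same gateway MAC, so the
    #    switch relearns it on port 3 and the ISP never sees a MAC or IP change
    steps["udm_b_takeover"] = sw.forward(3, GATEWAY_MAC, ISP_MAC)
    steps["isp_to_gateway_after"] = sw.forward(1, ISP_MAC, GATEWAY_MAC)
    # 5. A LAN client broadcast on port 7 never crosses into the WAN VLAN
    steps["lan_broadcast"] = sw.forward(7, CLIENT_MAC, BROADCAST)
    return steps


if __name__ == "__main__":
    for name, ports in walk_through().items():
        print(f"{name:24s} -> ports {ports}")
```

The same model also shows the failure case the thread warns about: drop the VLAN split (give every port the same id) and step 1 floods the ISP's traffic onto the LAN ports as well.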
@@camerongray1515 Wow, I need to make separate VLANs as well? I was hoping the shadow mode UDM Pro would already know to switch over.
What if I placed a switch aggregate between the 2 UDM pros and my 2 ubiquiti switches?
Greatly appreciate all your help! I am not a network engineer and being tasked to rebuild our office network.
Thanks!
Unifi always have great ideas but OMG their updates can be an absolute nightmare and brick your machine.
11:32 "RestorNing"
I honestly think Protect is not reliable enough at the moment. It should maybe have an option to replicate the footage across both nodes/record on both nodes simultaneously, or something along these lines. I don't trust UniFi for my own home CCTV anyway, and if I were to turn my CCTV system into a highly available system I'd simply buy another network video recorder and have it record the same cameras twice.
This seems like bad design, putting a switch in front of your firewall...
What's wrong with that? It's very commonly done in commercial settings; in fact, with most commercial leased line setups, the ISP's supplied termination equipment is often some sort of managed switch that they manage centrally.
@@camerongray1515 But wouldn't that be a WAN breakout, specifically configured to the task - things like locking the management port, etc?
Not sure what you mean by a WAN breakout? In commercial leased line settings it's often just a switch with the management handled centrally by the provider, who can remotely log into the switch to perform diagnostics etc. There's no issue with having switches on the WAN side of a firewall as long as you're not doing something silly like putting the switch's management interface on the public internet. Switches aren't some sort of special "LAN only" device - there isn't some special class of device used for network distribution inside ISPs or across the internet; it's mostly just interconnected switches, and even a lot of traditional routing features are now being handled by Layer 3 switches.
@@camerongray1515 I understand that you don't; I'm not asking for a basic lesson in networking. I'm saying it's bad practice to put UNMANAGED switches in front of your firewall. Unless you're properly configuring a managed switch and then monitoring it, you are introducing the potential for problems. A WAN breakout is a term referring to a managed L2 switch used to split an incoming connection, and it is what you're referring to when you say it is very commonly done in commercial settings.
The basic switches used here were just for the purposes of the demonstration. If you're installing this in a production setup, of course you'd probably want to go for higher-end managed switches and probably factor in some level of switch redundancy as well, but that was beyond the scope of this video.