Ubiquiti’s L3 switches used to not be able to block inter-VLAN traffic that stays entirely on the switch even though the hardware had the capability. Have they fixed that?
On the Alta Labs switch you can't configure the camera port with native VLAN 3 and "Allowed VLAN 3" at the same time, because the camera attached to that port is VLAN unaware. It has to be on Native VLAN 3 only.
Sorry if I missed it but did you show how you set up the camera VLAN that you implement in this video? Is it a separate vid? I'm looking for a VLAN tutorial for ethernet connected streamers like Roku and Bluesound. Your VLAN for wifi video rocked my world I'm a total noob and your process worked for me. Thank you so much.
Hey man. Thanks for the comment. The camera VLAN is setup exactly like the IOT network in my “Let’s make some VLANs” Video. Exactly the same. But there isn’t a video that shows how to set it up.
@@ethernetblueprint Great thank you. Your first VLAN video worked for me on Wifi devices (Hue lights work perfectly) but I can't seem to bugger how to get wired devices that have smartphone/tablet controllers like hifi audio streamers to work with the same rules/profiles.
OK - I got it. It was on the device introduction side and not on your VLAN implementation. I now have smart lights and an audio streamer on the VLAN from your tutorial. Thank you!
I know that wasn't part of that video, but that is how I have my network now. I like having a mgmt network for my network devices to communicate on... Thumbs up all the way!
Hey, thanks for this! One question - I can't seem to ping SOME of the devices from my default LAN to my other VLANS. I thought, in theory, I could ping all the devices FROM the default, but couldn't ping from the other VLANs TO the default. Am I missing something?
I am sorry for your troubles. In theory, you are correct. Communication is open from the default to the other VLANs and not vice versa. The actual issue here may be difficult to answer in the comment section. I'd be happy to try and help offline if you like. Send me an email to tim@ethernetblueprint.com and we can dive in a little easier.
Great Videos Thank You Very Much. Ask: Would it be possible to create a 5min video just for a single vLan, each for:
1. Internal Cameras
1.a. vLan
1.b. Firewall Rule
1.c. IP Group
2. WiFi (Smart Device or PC) for Guests to only allow www
2.a. vLan
2.b. Firewall Rule
3.c. IP Group
3. WiFi (Smart Device or PC) to access internal cameras, www and LAN
3.a. vLan
3.b. Firewall Rule
3.c. IP Group
Being able to view a short video solely on a single topic would be so awesome, so that convoluted or confused configurations moving back and forward prevent from growing knowledge. I would imagine that a single fundamental of only one product would allow some of us to see better and then view a second 5min video to progress. Anyways Thank You Again.
I will see what I can do. With all of those items being fairly interconnected, especially from a FW standpoint, I may be forced to still cross into each of the categories a bit... but I will still see what I can do...
@ethernetblueprint (Sorry) This TH-cam is so awesome, it would be so much better if it was in small sections/parts (Part 1 blah (different 5min video), Part 2 (different 5min video), etc.). But it is missing the Firewall Rules.... Note: The reason I mention smaller videos is because it allows us to revisit that one and only video that will help us get to where we want faster, rather than attempting to find what we need at the moment we need it. Sorry if this sounds selfish, it is just a thought :) Again, Sorry: th-cam.com/video/yWlvuwq5AXE/w-d-xo.html
I just watched the video you linked. I do like how the content was presented; however, I wouldn't set up a home network (or small business for that matter) like that... you have to have FW rules. Just my opinion.. which are all over YT... LOL
Nice, you make great videos. But why do you put your wifi channels on the same channel? That is never good, you have to make sure that they don't interfere.
Pros and cons to that. I don't do that and like my APs to be on different channels to help combat interference. If you have them all on the same channel and there is interference on that channel, it affects your whole network. Many mesh systems struggle with this... To date, I haven't had this happen with my APs on different channels.
Hi. I'm newish to this and if someone could help that would be very much appreciated. I recently bought an L2 managed switch (Netgear GS308Ev4). I have my IP cameras plugged in via one port on the switch. The internet connection is plugged in via another port. If the internet connection is to 'all' ports or to the same VLAN as the camera, then the cameras work fine. However, if I then plug a laptop into another port; if it's on a different VLAN from the camera or not, and I run a scan on the network, I can see all devices on my network, including the cameras, despite them being on a different VLAN. I am trying to stop someone unplugging a camera in my garden, plugging their laptop in and then seeing my network devices. Please help! Thanks.
What router are you using? VLANs and security like that require both a router that is capable of VLANs and a managed switch. If you are just using your ISP router, what you’re trying to do won’t work.
Challenge I am having is if your phone or tablet is not on the same VLAN as the device, some apps like Sonos, Apple's HomeKit and a few other automation tools have issues.
I agree with you. There are definitely some challenges there. With Sonos specifically, I almost always put it on my main/default devices network - which is less secure but makes it work better. I haven’t worked with HomeKit much yet but am in the process of implementing that and home assistant in my home. So more to come on that.
It seems like the new IoT auto discover feature might help. It makes IoT devices accessible from the main LAN automatically. Don't know how they decide what devices are IoT and not though…
Thanks for the best video about VLANs on current UniFi interface layout
Again, thank you for your compliments and generous tip amount.
Another thing you can do to further secure the ports on a switch, especially if you have kids that like to plug things in, is to set the unused ports to "disabled".
Absolutely. In businesses, I highly recommend doing that. In a home, owners choice. Good call out though.
2nd ever Super Thanks given on TH-cam. The first one given was on your "new to Unifi VLANs" video. Several things clicked for me in both videos that never clicked or was explained on videos from other youtubers.
You are very kind... I wish you well on your Unifi setup. Thanks for watching and following!
Excellent. Best explanation that I have run into on Unifi VLANs. Thanks!
Great. So glad it helped! Thanks for watching!
Great complement to the first VLAN video. Thanks.... yes I subscribed.
Awesome. I am so happy to hear that.
Nice explanation. That was the proper amount of detail. 80%+ of TH-camrs blaze through or completely leave out context and important implementation details. It always seems to result in a somewhat useless video saying… “I did this thing, but I’m not going to show you how.”
I agree with you about the breezing over thing and will always try to be a bit more thorough in my videos... I get blasted for that though too and "talk too much" LOL. Thanks for your kind assessment!
I just drew up a diagram for a simple SOHO network with a VLAN for PoE cameras and for IoT devices before watching this video. I took it a step further and used subnetting just so I can have knowledge on subnetting for medium and enterprise networks.🔥
That is so great. Planning is key!!!
Great video!
If you have a Cisco switch lying around, please make a video on what a configuration might look like, isolate IoT and cameras in the best/safest way.
I really appreciate this video. You taught me a lot in a very easy way to understand. So many other videos go too fast or click too fast or are just too high level.
You're very welcome! I enjoy hearing that it helped you out!
Thanks for another great video. Appreciate this series of videos where you describe VLANs 👍 If you could make one where you throw in a Synology NAS into the equation, that would be great.
What specifically with that NAS?
@ethernetblueprint I guess so that DiskStation Manager (DSM), Synology Drive and Synology Office can be reached from the outside safely. As well as from the inside from the default VLAN.
Copy that. Thats a good video idea.
I believe you can also do the port configuration with a Port Profile, accessed via the Advanced options and setup as a profile in Settings. If you have many ports needing to be moved to a particular VLAN configuration, then this can make sure they are all done the same way. That's how I do my camera VLAN as I have several cameras ( Cameras seem to multiply quickly ).
I've enjoyed all your setup videos and appreciate your time and effort. I had watched the Mac Telecoms ones, but he tends to glance over things to keep it to one shorter video, instead of going into the details over a multipart video.
That "programming" of the switch is the killer. I had a DLINK managed switch, before I replaced it with a Ubiquiti Unifi switch, and although it has a WebGUI, it was cumbersome to work with. I did get it working with VLANs, and it worked fine once setup, but boy that interface..... That's the killer. Ubiquiti make the interface really easy to use.
I'm glad you shared that. I have used the port profile method before too and like your case, it worked well. I do like the Mactelecom videos too, but they aren't really geared for the newbies of the world. But I do watch most of his stuff.
I hear you on the 3rd party switch setup. Just this past week, I had to add a new AP to a home that had a TPLink switch and I had to google how to make that a trunk port because it wasn't super obvious. I too was able to get it working, but when you compare that to Unifi, it is definitely much easier!
Thanks for sharing... and for watching!
Danke!
It was my pleasure...
Great Video!!! I am at the point for my Camera VLAN (40) to allow only communicating within that VLAN. I now need to block all INTERNET access to that VLAN both Outgoing and Incoming as I installed the new UniFi Local VPN (WireGuard) feature which eliminates any need for direct Internet access to that VLAN. Next VLAN project... Expanding my VPN (70) VLAN. The current VLAN I use specifically for "MY" remote access to the home network. Well the kids are going on a foreign country vacation and I gave them access to my commercial "Private Internet Access" account. But there are issues where some of the streaming sites (here in the US) are known to block access from foreign countries, so I will be adding a VLAN (75) which will only provide access to the Internet but nothing in the local network. Inch by inch... Learning something new each day.
Wow. That’s quite the setup. I plan on doing a wireguard video here soon.
@ethernetblueprint Great! Do one for the iPhone and Windows environment. There are a couple different methods for installing them. Take it slow and step by step. Everyone will like that.
Thanks for the suggestion.
Great job, you are a very good educator.
Thank you very much for your kind words.
Thanks, so much better explanation compared to the Unifi documentation!
Oh great. Glad you found it helpful.
Native VLAN means any untagged traffic moving across the link will be assigned to that subnet.
The benefit of a native VLAN happens when you are using the interface as a trunk port and either want to black-hole untagged traffic or assign it to a specific subnet. That concept didn't make sense until I worked on the two technologies below.
On Cisco devices you can utilize the native VLAN while using FlexConnect to allow normal trunking of secure tagged wireless traffic to traverse the local network while the AP is not communicating with the controller (meaning no CAPWAP is established and the AP is in local switching mode as compared to centralized switching), and use the native VLAN to be the AP management VLAN so that the AP will automatically pull DHCP and establish a connection to the controller once connected to the network.
On Arista switches where you are using voice and data over the same interface, they trunk the switchport and assign the native VLAN to be the DATA VLAN and assign a phone VLAN for the voice traffic. This allows the computer's untagged traffic to become assigned to the data segmentation of the network, taking the VLAN tagging responsibility away from the phone itself. The phone of course will tag its own traffic.
Thanks for sharing... I'm sure the viewers really appreciate the extra info on the matter! Nice comment!
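The native-VLAN behaviour described in the comment above, together with the trunk (allow-all) versus access (block-all) distinction the thread returns to later, modelled as a short added example in Python. This is not code from the video or from Cisco, Arista, Alta Labs or UniFi; the port modes, VLAN IDs (camera VLAN 40, VPN VLAN 70) and the Ethernet frames are constructed to match the camera scenario discussed in the thread.

```python
"""Model of how an 802.1Q switch port classifies frames (added example).

Port modes as the thread describes them:
  * access / "block all": one VLAN (the native VLAN); untagged frames in,
    untagged frames out; frames tagged for any other VLAN are dropped.
  * trunk / "allow all": untagged frames are classified to the native VLAN,
    tagged frames are accepted only for allowed VLANs; on egress the native
    VLAN leaves untagged, every other allowed VLAN leaves tagged.
  * disabled: accepts and emits nothing (the "unused ports" advice above).
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Port:
    name: str
    mode: str                          # "access", "trunk" or "disabled"
    native_vlan: int = 1
    allowed: frozenset = frozenset()   # VLANs accepted *tagged* on a trunk


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Construct a minimal Ethernet frame, optionally carrying an 802.1Q tag.
    Sample data only; PCP/DEI bits are left at zero."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> tuple[Optional[int], bytes]:
    """Return (vlan_id or None, payload). Bytes 12-13 hold the EtherType;
    0x8100 means a 4-byte tag follows whose low 12 bits are the VLAN ID."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF, frame[18:]
    return None, frame[14:]


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the frame is assigned to on arrival, or None if the port drops it."""
    if port.mode == "disabled":
        return None
    vid, _ = parse_frame(frame)
    if vid is None or vid == 0:        # untagged (or priority-tagged) frame
        return port.native_vlan        # the native VLAN classifies untagged traffic
    if port.mode == "access":
        return None                    # an access port accepts no foreign tags
    return vid if vid in port.allowed else None


def egress_tag(port: Port, vlan: int) -> Optional[str]:
    """How a frame belonging to `vlan` leaves the port:
    'untagged', 'tagged', or None when the port does not carry that VLAN."""
    if port.mode == "disabled":
        return None
    if vlan == port.native_vlan:
        return "untagged"              # a VLAN-unaware camera only ever sees this
    if port.mode == "trunk" and vlan in port.allowed:
        return "tagged"
    return None


def camera_scenario() -> dict:
    """Camera on an access port with native VLAN 40, switch uplinked to the
    router over a trunk carrying VLANs 40 and 70, one spare port disabled."""
    camera_port = Port("camera", "access", native_vlan=40)
    uplink = Port("uplink", "trunk", native_vlan=1, allowed=frozenset({40, 70}))
    spare = Port("spare", "disabled")
    cam_mac = bytes.fromhex("0200000000a1")   # constructed, locally administered
    rtr_mac = bytes.fromhex("020000000001")
    untagged = build_frame(rtr_mac, cam_mac, b"RTSP")
    tagged_70 = build_frame(rtr_mac, cam_mac, b"x", vlan=70)
    return {
        "camera_untagged_in": ingress_vlan(camera_port, untagged),    # 40
        "camera_tagged70_in": ingress_vlan(camera_port, tagged_70),   # None
        "uplink_tagged70_in": ingress_vlan(uplink, tagged_70),        # 70
        "uplink_out_vlan40": egress_tag(uplink, 40),                  # "tagged"
        "uplink_out_vlan1": egress_tag(uplink, 1),                    # "untagged"
        "uplink_out_vlan99": egress_tag(uplink, 99),                  # None
        "spare_in": ingress_vlan(spare, untagged),                    # None
    }


if __name__ == "__main__":
    for case, result in camera_scenario().items():
        print(f"{case:22} -> {result}")
```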
Hi great video...thanks for taking the time to make them. How about if we add another switch to the mix? router > switch > switch > camera.
How do you setup VLANs for the uplink and downlink ports for those 2 switches?
Switch to switch connections need to be setup as trunk ports... No matter what model and brand of switch...
@ethernetblueprint Thanks for the fast reply.
Let me bother you a bit more with the issue I'm having.
I know I'm doing something wrong as this is all new to me and kind of like learning about it on my spare time.
The system is 100% Ubiquiti setup with a Unifi Next Gen Gateway Pro, USW Pro Max 48 POE and a couple of USW Flex where cameras are all hooked up....the VLAN is created and the cameras have static IPs on this VLAN.
Right now everything is set to trunk (allow all) and my PC on the main (native) VLAN has access to the cameras.
So on the Max 48 (main switch) I have the two ports that go to the USW Flex set to the VLAN Camera (Only Cameras are connected to the USW Flex), the ports on the Flex I can't set them to the Camera VLAN as I lose connection, so ended up setting the ports the cameras are connected to the Native VLAN. I also left the USW Flex link port to the Max 48 on the Native VLAN. If I change any of these to the camera VLAN I lose connection from any PC on the Native....could you give me a hint on the mistake I'm making here? The idea being that a PC on the native VLAN can access the cameras but not the other way around. Thanks in advance!
I may need a bit more information... It sounds like maybe there is an issue with your FW rules. Why don't you email me at tim@ethernetblueprint.com and we can try to figure out what is going on...
Great video, please make one about how to assign a device on a network based on the MAC address format of a device group. For example, if I have 50 cameras, and all of the MAC addresses start with 00:AA:FF.... how can I assign these cameras to a specific VLAN no matter which port I connect them to? Thanks!
That sounds like enterprise level authentication and using a RADIUS server, which I don't have any experience with. I have seen some forums on it, so I know it is possible, but I don't know that I will be getting to those kind of videos anytime soon. I'm not familiar with that kind of setup.
Thanks for that video. Helps a lot to understand.
Q: What about the opposite way: In my home network scenario I do have a Draytek Vigor DSL Router (integrated modem) and this has prevented me from buying a Ubiquiti router so far. I have a unifi network controller running on linux. The rest (or most of them) of my network devices are ubiquiti switches and access points. My question here about VLAN: when I start at the draytek router and its integrated 5 port switch, I create the VLANs at the Draytek router, plus I need to create them in the unifi network application, plus add them to all the ubiquiti switch ports, right? That should work too?
Yes, as long as the router is capable of VLANs, you should be able to add them in the controller and have it all work together. Make sure the VLAN IDs match.
I have a question, in your previous video you created VLANs and assigned IPs to them on UDM. Now, why there is a need to assign the IPs again to the switch port? Why we did not configure only access port or trunk port? If I have AP connected to port 1 of the switch and in AP, we have 3 different SSID and each are in different VLANs. I have created these 3 VLANs on UDM and assign DHCP per VLAN, so that each SSID will get relevant IP address. Are you creating native VLAN network for the management purpose? As native VLAN is untagged. Right? So, I have VLAN 20 for management purpose, that network traffic will be untagged?
It is all about the terminology. For this, you don't assign IPs to the switch ports... similar to WiFi SSIDs, you assign VLANs to switchports, which are tied to IP networks. The native VLAN is what IP you want the device to get assigned.. So, if you plug an AP into a trunk port with a native VLAN, the AP will get a management IP of that native VLAN, but still allow those other VLANs to talk on your SSIDs. Hopefully that makes sense.
Very helpful, Thanks!!!
You bet... I am glad it was helpful
Great videos!! Was wondering if u can explain vland setup on a Ubnt tough switch. Tnx.
I haven't used one of those. Unifi doesn't send me any free gear to do videos on so I would need to get my hands on one before I could do a video on it.... does that run on the same OS as their Edge Switch series?
Tk u for sharing, I need to create documentation for my home network
Yes. Planning is a big part of the process.
I'm currently researching UniFi for my future house and your videos have been very helpful. One thing that is still unclear to me: In this video you mention that if you work with other brands, the switch has to be managed, which makes sense since you can't use the UniFi interface to do so. But if you work let's say with a UDM Pro and want to do the tagging of individual ports on a switch - does that switch need to be a layer 2 or a layer 3 switch? Or does the tagging work independently from that - meaning all Unified Switches are managed? What would be the advantages of a layer 2 vs layer 3 be? Thanks for the help!
Good question. I’ll break this into two parts to try and answer you. Let me know if you’re still confused.
So most switches are layer 2. And routers are layer 3. So when you have a layer 3 switch, you are talking about adding routing and creating VLANs in the switch instead of the router.
Forgetting layer 3 switching for a second, if you just have a standard layer 2 switch, you can have two different kinds. Managed and unmanaged. Unmanaged means that you can’t log into the switch and make configuration changes. It just takes a single cable plugged into it and whatever that network is, then all the ports on that switch will transmit that network. A managed switch on the other hand allows you to configure it, assign VLANs, name ports, define settings, etc…. All UniFi switches are managed and can be adopted.
When I mentioned that in this video, I simply meant that you can use ANY brand managed switch and use it in your UniFi network. However for your VLANs to work, you would need to log into that switch individually and configure your VLANs to match what you setup on your UniFi router. It’s much easier to just use UniFi and have that single pane of glass but many users already have switches that they want to use with UniFi so I wanted to point out that it’s possible.
Hope that helps. Let me know if you need more clarification.
@@ethernetblueprint This indeed clarifies the doubts I had. Thanks a lot for the explanation!
Happy to help!
Thanks
How can you assign a VLAN to a specific LAN socket ?
Do you mean a data jack in a home? If so, yes you can. If I am off base, please correct me.
Your tutorials were on point. Can you give us a tutorial on WireGuard VPN, so that I can connect to my in-house server from an external network?
I will see what I can do. I have a triple NAT situation currently that I may need to fix before I can do many VPN instructions. It’s on my list though. Thanks for watching.
@@ethernetblueprint Thank you, looking forward to it
Thanks for the great videos! Do I understand it right that when I have a device on VLAN 1 (for example 192.168.1.1), it can communicate with VLAN 2 (192.168.2.1) if the VLAN management is on 'Allow All'? Even if the IP address range is different?
Yes...however, one correction... The port does not need to be allow all. You can have it on Block all and still achieve the same result.
@@ethernetblueprint Thanks for your reaction. I'm not understanding where the block all function is for then? And am I right that then the only way preventing VLANs to communicate with each other is with firewall rules?
Yes. The FW rules are what restrict them from talking to each other. When you have a trunk port (allow-all), it means that multiple VLANs can communicate through that port... for example, when you have an AP with different SSIDs and VLANs, you would want it plugged into a trunk port because that 1 device (the AP) has multiple networks communicating to it... If you plugged the AP into an access port (block-all), then it would get an IP from whatever VLAN is programmed on the port and could not communicate with wireless devices on multiple VLANs... It would ONLY be able to talk on that one VLAN. Trunk ports are usually for switch-to-switch ports, AP ports and servers that have VMware running on them. Most other ports that have a single device plugged in should be set to Access (block-all). I hope that helps.
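The access-port versus trunk-port behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of how a managed switch classifies frames arriving on each port type. Port names and VLAN numbers are constructed.

```python
# Added example (not from the video or its comments): a model of how a managed
# switch treats frames on an access port versus a trunk port.
# Access port ("block all"): untagged frames join the native VLAN, tagged frames
# from the device are dropped. Trunk port ("allow all"): untagged frames join
# the native VLAN, tagged frames pass only for VLANs the trunk allows.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    native_vlan: int
    trunk: bool = False
    allowed: Set[int] = field(default_factory=set)  # ignored on access ports


@dataclass
class Frame:
    src_mac: str
    vlan_tag: Optional[int] = None  # None = untagged (VLAN-unaware device)


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is forwarded in, or None if it is dropped."""
    if frame.vlan_tag is None:
        # Untagged traffic always lands in the native VLAN, trunk or access.
        return port.native_vlan
    if not port.trunk:
        # An access port serves one VLAN; tagged frames are not accepted.
        return None
    if frame.vlan_tag == port.native_vlan or frame.vlan_tag in port.allowed:
        return frame.vlan_tag
    return None  # VLAN not carried on this trunk


# Constructed ports: a VLAN-unaware camera on an access port in VLAN 3, and an
# AP on a trunk whose native VLAN 1 is management, carrying VLANs 3 and 20.
CAMERA_PORT = Port("port 5", native_vlan=3)
AP_PORT = Port("port 1", native_vlan=1, trunk=True, allowed={3, 20})


def demo():
    cases = [
        (CAMERA_PORT, Frame("cam", None)),  # camera -> VLAN 3
        (CAMERA_PORT, Frame("cam", 20)),    # tagged on access port -> dropped
        (AP_PORT, Frame("ap", None)),       # AP management traffic -> VLAN 1
        (AP_PORT, Frame("ap", 20)),         # guest SSID traffic -> VLAN 20
        (AP_PORT, Frame("ap", 99)),         # VLAN not allowed -> dropped
    ]
    return [classify_ingress(p, f) for p, f in cases]
```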
Ubiquiti’s L3 switches used to not be able to block inter-VLAN traffic that stays entirely on the switch even though the hardware had the capability. Have they fixed that?
I haven’t tested layer3 on UniFi switches. I’m sorry, I can’t answer that for you.
On the Alta Labs switch you can't configure the camera port with native VLAN 3 and "Allowed VLAN 3" at the same time, because the camera attached to that port is VLAN unaware. It has to be on Native VLAN 3 only.
Hmmm. It worked for me. I had my trunk port setup to communicate on all VLANs and my camera setup just like that and it worked well.
Sorry if I missed it but did you show how you set up the camera VLAN that you implement in this video? Is it a separate vid? I'm looking for a VLAN tutorial for ethernet connected streamers like Roku and Bluesound.
Your VLAN for wifi video rocked my world I'm a total noob and your process worked for me. Thank you so much.
Hey man. Thanks for the comment. The camera VLAN is setup exactly like the IOT network in my “Let’s make some VLANs” Video. Exactly the same. But there isn’t a video that shows how to set it up.
@@ethernetblueprint Great thank you. Your first VLAN video worked for me on Wifi devices (Hue lights work perfectly) but I can't seem to bugger how to get wired devices that have smartphone/tablet controllers like hifi audio streamers to work with the same rules/profiles.
That sounds more like a multicast issue. Make sure mDNS is enabled on the VLANs that you want to control like that.
OK - I got it. It was on the device introduction side and not on your VLAN implementation. I now have smart lights and an audio streamer on the VLAN from your tutorial. Thank you!
What do you think of creating a special VLAN for management, for example all the APs, switches and servers in that VLAN instead of the default?
I know that wasn't part of that video, but that is how I have my network now. I like having a mgmt network for my network devices to communicate on... Thumbs up all the way!
Hey, thanks for this! One question - I can't seem to ping SOME of the devices from my default LAN to my other VLANS. I thought, in theory, I could ping all the devices FROM the default, but couldn't ping from the other VLANs TO the default. Am I missing something?
I am sorry for your troubles. In theory, you are correct. Communication is open from the default to the other VLANs and not vice versa. The actual issue here may be difficult to answer in the comment section. I'd be happy to try and help offline if you like. Send me an email to tim@ethernetblueprint.com and we can dive in a little easier.
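The one-way reachability the reply above describes (default LAN can reach the other VLANs, but not the reverse), as an added example that is not from the thread: a Python model of a first-match "LAN In" rule set in which a stateful established/related rule lets replies back. Subnets and addresses are constructed.

```python
# Added example (not from the video or its comments): a minimal model of the
# router-side firewall evaluation that gives the default LAN one-way access to
# the other VLANs. Rules are checked top to bottom; the first match wins.
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the default LAN and an IoT VLAN.
DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    established: bool = False  # part of a connection already accepted


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def lan_in_policy(pkt: Packet) -> str:
    # Rule 1: allow established/related, so replies to the default LAN pass.
    if pkt.established:
        return "accept"
    # Rule 2: the default LAN may open connections anywhere.
    if in_any(pkt.src, [DEFAULT_LAN]):
        return "accept"
    # Rule 3: other VLANs may not open connections to any private range.
    if in_any(pkt.src, PRIVATE) and in_any(pkt.dst, PRIVATE):
        return "drop"
    # Anything else (other VLANs to the internet) is allowed.
    return "accept"


def demo():
    return [
        lan_in_policy(Packet("192.168.1.10", "192.168.2.50")),        # ping IoT
        lan_in_policy(Packet("192.168.2.50", "192.168.1.10", True)),  # reply
        lan_in_policy(Packet("192.168.2.50", "192.168.1.10")),        # new from IoT
        lan_in_policy(Packet("192.168.2.50", "203.0.113.10")),        # IoT to internet
    ]
```

Without rule 1 the ping from the default LAN would go out but its reply would be dropped by rule 3, which is the symptom worth checking when "some" devices do not answer.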
Can you use a VLAN network Ip as 10.10.20.0 or 10.20.10.0 where the main network is 10.10.10.0
Yes, you can use a 10.10.20.0 255.255.255.0 as one VLAN and 10.10.10.0 255.255.255.0 as a different VLAN and be just fine.
Thanks!
You bet!
Great Videos Thank You Very Much.
Ask:
Would it be possible to create a 5min video just for a single vLan, each for:
1. Internal Cameras
1.a. vLan
1.b. Firewall Rule
1.c. IP Group
2. WiFi (Smart Device or PC) for Guests to only allow www
2.a. vLan
2.b. Firewall Rule
2.c. IP Group
3. WiFi (Smart Device or PC) to access internal cameras, www and LAN
3.a. vLan
3.b. Firewall Rule
3.c. IP Group
Being able to view a short video solely on a single topic would be so awesome, so that convoluted or confused configurations moving back and forward prevent from growing knowledge. I would imagine that a single fundamental of only one product would allow some of us to see better and then view a second 5min video to progress.
Anyways Thank You Again.
I will see what I can do. With all of those items being fairly interconnected, especially from a FW standpoint, I may be forced to still cross into each of the categories a bit... but I will still see what I can do...
@@ethernetblueprint
(Sorry) This TH-cam is so awesome, it would be so much better if it was in small sections\parts (Part 1 blah (different 5min video), Part 2 (different 5min video, etc)). But it is missing the Firewall Rules....
Note: The reason I mention smaller videos is because it allows us to revisit that one and only video that will help us get to where we want faster, then attempting to find what we need at the moment we need it, sorry if this sounds selfish, it is just a thought :)
Again, Sorry: th-cam.com/video/yWlvuwq5AXE/w-d-xo.html
I just watched the video you linked. I do like how the content was presented; however, I wouldn't set up a home network (or small business for that matter) like that... you have to have FW rules. Just my opinion.. which are all over YT... LOL
How do we get to Network version 8.1.111?
I believe it is because I am setup for early access releases since this is my testing unit.
Nice, you make great videos. But why do you put your wifi channels on the same channel? That is never good, you have to make sure that they don't interfere.
Pros and cons to that. I don't do that and like my APs to be on different channels to help combat interference. If you have them all on the same channel and there is interference on that channel, it affects your whole network. Many mesh systems struggle with this... To date, I haven't had this happen with my APs on different channels.
Hi. I'm newish to this and if someone could help that would be very much appreciated. I recently bought an L2 managed switch (Netgear GS308Ev4). I have my IP cameras plugged in via one port on the switch. The internet connection is plugged in via another port.
If the internet connection is to 'all' ports or to the same VLAN as the camera, then the cameras work fine.
However, if I then plug a laptop into another port; if it's on a different VLAN from the camera or not, and I run a scan on the network, I can see all devices on my network, including the cameras, despite them being on a different VLAN.
I am trying to stop someone unplugging a camera in my garden, plugging their laptop in and then seeing my network devices. Please help! Thanks.
What router are you using? VLANs and security like that require both a router that is capable of VLANs and a managed switch. If you are just using your ISP router, what you’re trying to do won’t work.
Challenge I am having is if your phone or tablet is not on the same VLAN as the device, some apps like Sonos, Apple's HomeKit and a few other automation tools have issues.
I agree with you. There are definitely some challenges there. With Sonos specifically, I almost always put it on my main/default devices network - which is less secure but makes it work better. I haven’t worked with HomeKit much yet but am in the process of implementing that and home assistant in my home. So more to come on that.
It seems like the new IoT auto discover feature might help. It makes IoT devices accessible from the main LAN automatically. Don't know how they decide what devices are IoT and not though…