Isolated VLANs

Status: New Idea

It would be helpful to be able to create a VLAN that is not automatically tagged on all ports on all devices. 


Where a VLAN might be useful for isolating certain types of traffic, such as high bandwidth applications, chatty services, or services that rely on broadcast, it might well be desirable to prevent that traffic from being carried across the entire network by default.


The current design requires creating a new port profile and manually applying it to ports and devices. Current tools assist in this manual process, but it is still a manual process, and new devices added to the network will use the “all” profile until configured otherwise, which can lead to periods of disruption and creates an opportunity for errors and oversights. 


A strong case could be made for going further and requiring VLANs to opt in to the “all” group in the first place. The current approach is more convenient in many situations, perhaps even most situations, but the all-by-default behavior conflicts with a more secure-by-default behavior, in which a client connected to a port should not be able to access VLANs not specifically tagged on that port. 


One way to balance the convenience against the security and performance benefits of isolation might be to allow a VLAN to “opt out” of the “all” group (which perhaps then ought to be renamed just to “default.”)


Keeping all VLANs on all ports maintains the convenience, while an option to isolate or opt out a VLAN would allow it to be managed more conservatively.


Stretch goal: automatically compute the path between all ports assigned to be native on a VLAN, and tag only the intermediate links as required, excluding any other ports. 
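The stretch goal above is a small graph problem, and it is worth seeing why it removes VLANs from most links rather than just relabelling them. The following is an added example, not code from the original post and not anything Ubiquiti ships: it models a handful of switches and access-port assignments (the switch names, port numbers and VLAN ids are a constructed sample), and for each VLAN keeps only the inter-switch links that sit on a path between two switches with access ports on that VLAN. It assumes the inter-switch links form a tree, which is what a converged spanning tree leaves active.

```python
"""Added example (not part of the original post, and not Ubiquiti code):
a model of the "stretch goal". Given the switch-to-switch links and the
access (native) port assignments, compute which trunk links must carry each
VLAN so that it reaches only the switches that actually have access ports on
it, instead of the "all" profile tagging every VLAN on every port.

Assumptions: the inter-switch links form a tree (what a converged spanning
tree leaves active); switch names, port numbers and VLAN ids below are a
constructed sample, not a real network.
"""
from collections import defaultdict

# Constructed sample topology: core <-> dist1/dist2 <-> access switches.
LINKS = [
    ("core", "dist1"), ("core", "dist2"),
    ("dist1", "acc1"), ("dist1", "acc2"),
    ("dist2", "acc3"),
]

# Constructed sample access ports: (switch, port) -> native VLAN id.
ACCESS_PORTS = {
    ("acc1", 1): 10, ("acc1", 2): 20,
    ("acc2", 1): 10,
    ("acc3", 1): 20, ("acc3", 2): 30,
}


def build_adjacency(links):
    """Undirected adjacency map built from the link list."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def required_links(links, access_ports, vlan):
    """Links that must be tagged with `vlan`, as a set of frozenset({a, b}).

    The switches with an access port on `vlan` are the terminals. Walking the
    tree from one terminal, a link is kept only if the subtree on its far side
    contains another terminal; every other link is left out of the VLAN.
    """
    terminals = {sw for (sw, _port), v in access_ports.items() if v == vlan}
    if len(terminals) < 2:
        # VLAN is local to one switch (or unused): no trunk needs to carry it.
        return set()
    adj = build_adjacency(links)
    root = min(terminals)
    needed = set()
    visited = set()

    def subtree_has_terminal(node, parent):
        visited.add(node)
        found = node in terminals
        for nxt in adj[node]:
            if nxt == parent or nxt in visited:
                continue  # visited check keeps this finite if the graph is not a tree
            if subtree_has_terminal(nxt, node):
                needed.add(frozenset((node, nxt)))
                found = True
        return found

    subtree_has_terminal(root, None)
    return needed


def link_profiles(links, access_ports):
    """Per-link tagged-VLAN set: the trunk profile each link would get."""
    vlans = set(access_ports.values())
    profiles = {frozenset(link): set() for link in links}
    for vlan in vlans:
        for link in required_links(links, access_ports, vlan):
            profiles[link].add(vlan)
    return profiles


def vlans_present_on(links, access_ports, switch):
    """VLANs a switch carries at all: its own access ports plus incident trunk tags."""
    present = {v for (sw, _p), v in access_ports.items() if sw == switch}
    for link, tags in link_profiles(links, access_ports).items():
        if switch in link:
            present |= tags
    return present


if __name__ == "__main__":
    for link, tags in sorted(link_profiles(LINKS, ACCESS_PORTS).items(),
                             key=lambda kv: sorted(kv[0])):
        print(f"{'-'.join(sorted(link)):12s} tagged: {sorted(tags) or 'none'}")
    for sw in ("core", "acc2"):
        print(f"{sw}: VLANs present {sorted(vlans_present_on(LINKS, ACCESS_PORTS, sw))}")
```

In the sample, VLAN 10 ends up on only the two dist1 downlinks, VLAN 20 on the four links of the acc1-to-acc3 path, and VLAN 30 (used on a single switch) on no trunk at all; under the "all" profile every link would carry all three, and acc2 would be flooding VLAN 20 and 30 broadcasts it has no port for. Two caveats a practitioner would want: this only decides where a VLAN exists on the wire and does not replace inter-VLAN firewall rules, and in a topology with redundant links the chosen path has to match the one spanning tree actually leaves active, or a failover will carry the VLAN over a link that was never tagged.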

Comments
11-15-2018 08:06 PM - edited 11-15-2018 08:07 PM

I like it! My 'stretch goal' is a matrix of LANs with checkboxes at each intersection to signify the automatic route between the subnets. To make or break the route, set or clear the checkbox.


It sure would be helpful if Ubiquiti would take this out of the dark hole of CLI and make it graphic.

Dave

12-30-2018 09:05 AM

YES, please.