Member
Posts: 177
Registered: ‎10-24-2017
Kudos: 86
Solutions: 9
Accepted Solution

Networking question -> best practices

So I got myself 3 CORPORATE networks - CORP1 .. 3 with VLANs 10 .. 30. All good. All working.

Then - I read about Layer 2 and Layer 3, and after my head stopped spinning I came to realize that, by doing it the way I did, the USG is doing all the heavy lifting, as it somehow falls into Layer 3.

Whereas I could have just created VLANs 10 .. 30, in which case the switch (US-8-150W) would have done the heavy lifting, as it's Layer 2.

So - from a best practices perspective - which is better? At face value the 1st one seems better, as I can define all sorts of firewall rules, blah-blah. If I opt for the 2nd option, then how do I do selective LAN traffic?

Next, on the firewall - should I drop/reject in WAN_OUT or should I drop/reject in LAN_IN? LAN_IN looks better since the packet doesn't touch the firewall. (Use case: assume 1 device I don't want to go out to the Internet.) Which is considered best practice?

Did the answer help you? If yes, I would love your kudos on it.

All Replies
Regular Member
Posts: 316
Registered: ‎01-20-2017
Kudos: 58
Solutions: 19

Re: Networking question -> best practices

@bmninada

I don't know if I will be saying something wrong here, but it depends a lot on what you want to do with your network.

In my case, I need to do all control of VLANs on my firewall. I only use the switches to distribute VLANs according to my needs: trunk, tag or untag VLANs, relay DHCP servers, etc.

 

Don't know if I helped you at all, but....

Best regards.

If I helped you, please accept my solution.
Don't forget to leave Kudos if you liked my post.
Member
Posts: 177
Registered: ‎10-24-2017
Kudos: 86
Solutions: 9

Re: Networking question -> best practices

Well - I am too, i.e. I have these various Corporate networks and VLAN numbers linked to them. However, as I have understood it, "Corporate" is a UniFi standard. In the real networking world it's some 802 number and it's referred to as Layer 3. In other words, by doing so I am effectively taxing the router much more, as it now decides on everything.

Whereas if it's just a simple VLAN, then it's again some other 802 number and it's Layer 2. Layer 2 means the switch will take care of routing, leaving the router aside.

From a best practices perspective I just wanted some opinions on what's normally considered best practice. On one hand I feel Layer 3 gives me more control and more settings, but VLAN by itself, I am reading, is mostly for security. In which case - how? By just using VLANs on different ports can I isolate the devices, or do I explicitly need to check that box - isolate device? If the latter - then what's the use of a VLAN? etc., etc.

Established Member
Posts: 1,564
Registered: ‎04-08-2014
Kudos: 490
Solutions: 79

Re: Networking question -> best practices

You kinda have it but not quite.

VLANs are Layer 2 (VLAN 10, 20, 30, etc.). Think of a VLAN as a network switch. Plug things into it and they can all ARP each other, and if you have IP addresses configured properly, they can ping each other (Layer 3). [Side note: you can have multiple subnets on the same switch/VLAN, but those networks won't be able to talk to each other unless there is a router with an address in the subnets you wish to connect.]

Subnets are Layer 3 (192.168.10.1/24, 192.168.20.1/24, 192.168.30.1/24).

If you just want isolation of Layer 2 traffic you can get away with VLANs, and the traffic won't touch the firewall. Well, it won't touch the firewall until you get to Layer 3 and want to go from one subnet to another or to the Internet.

So in your "corporate" definition, you get both Layer 2 separation using VLANs as well as Layer 3 separation using subnets. This is the best approach.

A switch (or Layer 2 device) will not do any routing. It kind of does the opposite and enforces separation of traffic.

Port isolation isn't really related to the discussion. It's a way to block unnecessary broadcast traffic from bogging down wireless networks. https://help.ubnt.com/hc/en-us/articles/115001529267

Regarding the FW rules, generally you want to place the rule closest to where you can drop the packet. This is really done to minimize processing packets in the router that will eventually be dropped (and it really isn't a security related thing). So most of my rules are on LAN_IN, since that's where I do the most filtering based on source/destination/protocol etc. Sometimes I need to add a WAN_OUT rule, but it's rare.
Controller: 5.9.26 | Sites: 12 | Devices: 55 | Clients: ~250
USGs (4.4.28): XG8 (x1) | Pro4 (x4) | USG3 (x4)
UAPs (3.9.50): AC-Pro (x17) | AC-LR (x3) | Mesh-Pro (x2) | Mesh (x1) | Outdoor+ (x2)
USWs (3.9.50): US-16XG (x2) | US-40-500w (x3) | US-24-250w (x2)| US-8-150w (x3) | US-8-60w (x3) | US-8 (x2)
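The LAN_IN versus WAN_OUT placement question, as an added worked model; this is example code, not code from the thread or from Ubiquiti. It models the forwarding path of a USG with the ordering that EdgeOS inherits from iptables (ingress "in" ruleset, then routing, then egress "out" ruleset, then source NAT), stated here as this example's assumption; the interface names, subnets, the host 192.168.10.50 and the rule contents are all constructed for illustration. Besides the efficiency point (a LAN_IN drop ends processing at the first stage, a WAN_OUT drop only after routing), it shows the security-relevant difference: WAN_OUT never sees traffic that stays inside the LAN, so it cannot restrict a host's reach into other VLANs, while an unscoped LAN_IN drop restricts more than intended and also cuts the host off from the other VLANs; scoping the LAN_IN rule to non-RFC1918 destinations blocks the Internet only.

```python
"""Toy model of the USG packet path: LAN_IN -> route -> WAN_OUT -> SNAT -> tx.

Added example (not from the thread). Interfaces, subnets, host and rules are
constructed for illustration; the ordering of the stages is the EdgeOS/iptables
order assumed by this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                      # "drop" or "accept"
    src: Optional[str] = None        # CIDR or address; None = any
    dst: Optional[str] = None        # CIDR or address; None = any
    dst_public_only: bool = False    # match only non-RFC1918 destinations ("the Internet")

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.src and s not in ipaddress.ip_network(self.src):
            return False
        if self.dst and d not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_public_only and any(d in n for n in RFC1918):
            return False
        return True


@dataclass
class Router:
    rulesets: Dict[str, List[Rule]] = field(default_factory=dict)
    # constructed routing table: two VLAN subnets on the LAN side, default route via WAN (eth0)
    routes: Dict[str, str] = field(default_factory=lambda: {
        "192.168.10.0/24": "eth1", "192.168.20.0/24": "eth1.20", "0.0.0.0/0": "eth0"})

    def verdict(self, ruleset: str, src: str, dst: str) -> str:
        for rule in self.rulesets.get(ruleset, []):   # first match wins, as in iptables
            if rule.matches(src, dst):
                return rule.action
        return "accept"                               # default action assumed to be accept

    def egress_if(self, dst: str) -> str:
        d = ipaddress.ip_address(dst)                 # longest-prefix match
        best = max((n for n in self.routes if d in ipaddress.ip_network(n)),
                   key=lambda n: ipaddress.ip_network(n).prefixlen)
        return self.routes[best]

    def forward(self, src: str, dst: str) -> List[str]:
        """Forward one packet entering from the LAN; return the stages it went through."""
        trace = []
        v = self.verdict("LAN_IN", src, dst)          # 1. LAN_IN: on entry, before routing
        trace.append(f"LAN_IN:{v}")
        if v == "drop":
            return trace
        out_if = self.egress_if(dst)                  # 2. routing decision
        trace.append(f"route:{out_if}")
        if out_if == "eth0":
            v = self.verdict("WAN_OUT", src, dst)     # 3. WAN_OUT: only traffic leaving via WAN
            trace.append(f"WAN_OUT:{v}")
            if v == "drop":
                return trace
            trace.append("snat")                      # 4. masquerade, after the out ruleset
        trace.append(f"tx:{out_if}")
        return trace


HOST = "192.168.10.50"   # constructed: the one device that must not reach the Internet


def wan_out_variant() -> Router:
    return Router(rulesets={"WAN_OUT": [Rule("drop", src=HOST)]})


def lan_in_variant() -> Router:
    return Router(rulesets={"LAN_IN": [Rule("drop", src=HOST, dst_public_only=True)]})


def lan_in_too_broad() -> Router:
    return Router(rulesets={"LAN_IN": [Rule("drop", src=HOST)]})


if __name__ == "__main__":
    for name, r in (("WAN_OUT", wan_out_variant()), ("LAN_IN", lan_in_variant()),
                    ("LAN_IN unscoped", lan_in_too_broad())):
        print(name, "to Internet:", r.forward(HOST, "8.8.8.8"))
        print(name, "to VLAN 20: ", r.forward(HOST, "192.168.20.5"))
```

On a real USG the same logic applies to rule order within a ruleset: the drop must sit above any broader accept in LAN_IN, or the accept matches first and the drop is never reached.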
Member
Posts: 177
Registered: ‎10-24-2017
Kudos: 86
Solutions: 9

Re: Networking question -> best practices


@depasseg wrote:
You kinda have it but not quite.

If you just want isolation of layer 2 traffic you can get away with vlans and the traffic won't touch the firewall. Well, it won't touch the firewall until you get to layer 3 and want to go from one subnet to another or to the internet.

A switch (or Layer 2 device) will not do any routing. It kinda does the opposite and enforces separation of traffic.

Excellent. Got that. Awesome. The only part I did NOT get is what's quoted.

I fully understand when traffic won't touch vs. touch the firewall. 

How would the isolation work with vanilla VLANs? Note: I have 1 corporate and let's say a bunch of VLANs, and I associate a port @ switch to VLAN 1, another to VLAN 2, and a few more ports spread between these 2 VLANs.

By ISOLATION do you mean: a device connected to port 3 having VLAN 3 can NOT talk to a device on port 2 having VLAN 2, OR

ISOLATION here means the switch will send packets tagged with VLAN 3 to port 3 only and, if tagged with VLAN 2, to port 2 - essentially isolating the packets to specific tagged ports. If this is the case, in many places I read that VLANs are used to secure the network. How does this secure the network?

Established Member
Posts: 1,564
Registered: ‎04-08-2014
Kudos: 490
Solutions: 79

Re: Networking question -> best practices

>> How would the isolation work with vanilla VLANs? Note: I have 1 corporate and let's say a bunch of VLANs, and I associate a port @ switch to VLAN 1, another to VLAN 2, and a few more ports spread between these 2 VLANs.

Let me clarify something. A VLAN is a VLAN whether it's UBNT or someone else. IOW, all VLANs are "vanilla". All a corporate network is, is a way to simplify the configuration of a VLAN, a DHCP server and the NAT function on the router (USG in the land of UniFi Software Defined Networking (SDN)).

>> By ISOLATION do you mean: a device connected to port 3 having VLAN 3 can NOT talk to a device on port 2 having VLAN 2, OR
>> ISOLATION here means the switch will send packets tagged with VLAN 3 to port 3 only and, if tagged with VLAN 2, to port 2 - essentially isolating the packets to specific tagged ports.

Second, think of devices connected to a VLAN independent of what port they are connected to, since it's possible for a port to carry more than one VLAN.

In your question above, the answer is "yes". But the thing to understand is that part of the "yes" answer presumes that you made the native VLAN on port 2 be VLAN 2 and the native VLAN on port 3 be VLAN 3. In both cases, traffic will be completely isolated. The machine on port 2 won't be able to see any broadcast traffic from the machine on port 3 and vice versa.

However, you can also have trunk ports, which are what can carry multiple VLANs. Think of a wireless access point. The AP has 2 SSIDs configured. The first SSID let's call WiFi Network 2, and we will tell the AP to tag the packets from those machines as VLAN 2. And we'll also create an SSID called WiFi Network 3 and tell the AP to tag the packets from those machines as VLAN 3. In this case, there isn't any way for machines on those 2 SSIDs to see each other. The AP will tag the packets with the appropriate VLAN number and then send them out the trunk port to the switch.

There is a lot to digest here and it takes a decent understanding of the differences between Layer 2 and Layer 3 for VLANs to really start to make sense. Bottom line, yes, VLANs provide security by keeping traffic contained to its VLAN.
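The isolation described in the answer above (broadcasts confined to a VLAN, native VLAN on access ports, tagged VLANs on a trunk to the AP or USG), as an added worked model; this is example code, not code from the thread or from Ubiquiti. The port layout (two access ports in VLAN 2, one in VLAN 3, one trunk) and the MAC addresses are constructed for illustration. The model learns MAC addresses per VLAN, floods broadcast and unknown-unicast frames only to ports that carry the frame's VLAN, strips the tag on a port's native VLAN and keeps it otherwise, and drops a frame whose tag names a VLAN the ingress port does not carry. One caveat a practitioner will want: the last behaviour depends on the port actually being an access port. On a UniFi switch the default "All" port profile leaves every VLAN tagged on the port, so a host could tag its own frames into another VLAN; pin a port to a single network profile to get the access-port behaviour modelled here.

```python
"""Minimal model of a VLAN-aware Ethernet switch.

Added example (not from the thread). Port layout and MAC addresses are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    native_vlan: int                              # untagged frames belong to this VLAN
    tagged_vlans: FrozenSet[int] = frozenset()    # extra VLANs carried 802.1Q-tagged (trunk)

    def carries(self, vlan: int) -> bool:
        return vlan == self.native_vlan or vlan in self.tagged_vlans


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None                    # None = arrived untagged


@dataclass
class Switch:
    ports: Dict[str, Port]
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> port

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Optional[int]]:
        """Forward one frame; return {egress port: VLAN tag, or None when sent untagged}."""
        port = self.ports[in_port]
        vlan = port.native_vlan if frame.vlan is None else frame.vlan
        if not port.carries(vlan):
            return {}                             # tag not allowed on this port: dropped
        self.mac_table[(vlan, frame.src)] = in_port   # learn; the key includes the VLAN
        known = self.mac_table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or known is None:
            # broadcast and unknown unicast are flooded, but only within the same VLAN
            targets = [p for p, prt in self.ports.items() if p != in_port and prt.carries(vlan)]
        elif known == in_port:
            return {}                             # destination sits on the ingress port
        else:
            targets = [known]
        return {p: (None if self.ports[p].native_vlan == vlan else vlan) for p in targets}


def build_switch() -> Switch:
    # constructed layout: access ports per VLAN plus one trunk carrying VLANs 2 and 3 tagged
    return Switch(ports={
        "port2": Port("port2", native_vlan=2),
        "port3": Port("port3", native_vlan=3),
        "port4": Port("port4", native_vlan=2),
        "trunk": Port("trunk", native_vlan=1, tagged_vlans=frozenset({2, 3})),
    })


PC2, PC3, USG = "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:aa"  # constructed


def demo() -> List[Dict[str, Optional[int]]]:
    sw = build_switch()
    return [
        sw.receive("port2", Frame(PC2, BROADCAST)),            # ARP request from VLAN 2 host
        sw.receive("port3", Frame(PC3, BROADCAST)),            # ARP request from VLAN 3 host
        sw.receive("port2", Frame(PC2, BROADCAST, vlan=3)),    # host forges a VLAN 3 tag
        sw.receive("trunk", Frame(USG, PC2, vlan=2)),          # USG replies tagged on the trunk
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The first broadcast reaches port4 (untagged, same native VLAN) and the trunk (tagged 2) but never port3; the VLAN 3 broadcast reaches only the trunk; the forged tag is dropped at the access port; and the USG's tagged reply is delivered untagged to port2 only, because the switch learned that MAC in VLAN 2.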
Member
Posts: 177
Registered: ‎10-24-2017
Kudos: 86
Solutions: 9

Re: Networking question -> best practices


@depasseg wrote:
In both cases, traffic will be completely isolated. The machine on port 2 won't be able to see any broadcast traffic from the machine on port 3 and vice versa.

There is a lot to digest here and it takes a decent understanding of the differences between Layer 2 and Layer 3 for VLANs to really start to make sense. Bottom line, yes, VLANs provide security by keeping traffic contained to its VLAN.

No - now I get it completely. The phrase in bold is what I was missing. That alone drives the entire understanding (in my tiny brain) of what the heck security has got to do with VLANs. As this broadcast traffic is untagged and more like a fishing expedition (say - by a hacker hunting for fresh devices), by stopping this traffic the switch delivers a pseudo security too. I know there might be more to it than this, but at least I got it!! And it also answers my 1st question - this is Layer 2, so all of this is done at the switch itself. Good, good.

Established Member
Posts: 1,564
Registered: ‎04-08-2014
Kudos: 490
Solutions: 79

Re: Networking question -> best practices

I'm glad that helped.

This video on Layer 2 MAC tables and broadcast/flood might be interesting:
https://www.youtube.com/watch?v=2A1aumQKUVI

These videos about vlans might be helpful too:
https://www.youtube.com/watch?v=dpoUjnfGbeo
https://www.youtube.com/watch?v=2hUUaG4o3DA