UniFi: How to Securely Configure Switch Port VLAN Traffic Restrictions and Avoid VLAN Hopping



Timestamps
00:00 - UniFi Changes to Port VLAN Traffic Restrictions
00:48 - UniFi Default Port VLAN Settings
03:41 - When to use VLAN Traffic Restrictions
04:25 - Where to Set The VLAN Traffic Restrictions

#unifi #networking
Comments
Author

This is more in line with how a lot of the OEMs who are utilizing a Cisco style CLI. We’ve had to use this approach for years with them. While this is a little more work than the previous port profiles that unifi has had, it is very nice when you have a lot of custom port configs. We have a site where we were having to define an outrageous number of port configs — just for the way one switch needed to be. It made it a royal pain to find the configs that we normally needed. With the new UI, we’re down to three and all the custom stuff is isolated to just that switch. Thanks for the video.

plrpilot
Author

Yeah, this is one of these things that I think I was getting right, but it is great to see this confirmed by you. Thanks Tom!

petervandebeek
Author

BEWARE when upgrading from network controllers prior to 7.4 to newer versions. It can, and does, mess up these restrictions when converting from the old port profiles method, and you end up having ports missing VLANs. (The guest wifi doesn't work, or the voice VLAN is dropped and all the phones are dead, etc. is the typical end result.)

Back up your config before upgrade, roll back if you have to, or document and fix all the ports that have switch profiles after the upgrade is complete.

UpcraftConsulting
Author

Why is Unifi trying to reinvent the wheel with the confusing terminology? Traditional 802.1q and 802.1ad terminology have been easy to comprehend and research if you're new to networking.

justinyoung
Author

Excellent video, thanks for posting. I ran into this when deploying a new Unifi set-up at my in-laws' house (far bigger and more complex than it sounds)... I honestly don't understand why they felt the need to do this; fundamentally this is what the Port Group Profiles should have done, and UBNT should have focused efforts there, to make them more prominent and fixed. Instead we now have this confused mish-mash.

EViL
Author

Yeah, this didn't go well for me. The minute I tried setting my IoT AP to an IoT VLAN I created and Traffic Restrictions to allow only the same VLAN, the AP showed up as unprovisioned. Only after I reverted back did it work. And I don't know if it's because of something further "up stream" that I have configured in the WiFi or Networks section. VLANs still are a pain in the ass for me. I have them set up for my work, IoT, and default, but you can still VLAN hop and I've been hoping to get this working sooner rather than later as I REALLY want to get

KellicTiger
Author

I wish they would just use Native and Allowed VLANs like in Cisco devices, but I guess UniFi needs to feel special 😂

laukage
Author

Great video, very useful. Thanks Tom!

itandgeneral
Author

It was set to this even though I did not change anything. Maybe it got updated with updates over time. I haven't noticed. That's cool!

skorpion
Author

I set up my UniFi/Ubiquiti with 4 VLANs: one VLAN for router/switch/UPS/NAS access, one for private networks (PCs), one for my cameras (Hikvision), and one for IoT (Alexas, Google Home devices, ESPs and everything else that is untrusted). My camera network cannot access the internet except the NVR, which can access NTP and DNS, but all the other three VLANs are allowed all outbound.

MicheIIePucca
Author

Great video. BTW, you can also change the name of the default network in the iOS UniFi Network app. I'm fairly confident that you can do this in the Android app as well, but I don't have an Android phone, so I cannot say for sure. I have also heard through the EA channel that they will be bringing this option back to the "New UI" in the near future, so we won't have to use the Legacy interface.

Polkster
Author

I recently picked up a Ubiquiti router/switch, an AP, and some UniFi Protect cameras. Could I follow this guide to make 3 VLANs to secure my network? One for cameras, one for my local network, and one last VLAN to put my homelab PC on so that I could securely self-host?

I've been looking for a tutorial on securely setting up a network to do so, but I'm having trouble finding one. I was really looking forward to setting up a properly secured network and deploying Jellyfin for my family with my new purchases on Black Friday, but I'm beginning to think I was way in over my head. This video makes it seem so simple, but I feel like maybe I'm not understanding something...

Infinitay
Author

Turning on Traffic Restrictions and allowing only 1 other VLAN would be similar to a Voice VLAN setup on a Cisco switch. The selected VLAN would be untagged and the additional VLAN in the Traffic Restriction would be tagged. Is this correct?

wmcomprev
Author

I wish that after setting up 'allow and restrict' options for your first port, the settings were saved as a port profile for use in the future.
Then on the next port, if you don't like any of the current profiles, it will allow you to create a new one.

fishermansnook
Author

Glad I watched this. Definitely some big VLAN changes.

kceks
Author

Can you do a video off of this one that shows how to apply network profiles within UniFi?

cableguy
Author

Thanks Tom, always learn something from you.

dannythomas
Author

Great video Tom. I use UniFi APs but I think they have essentially made things more complex than it really needs to be on the switching side of things.

On Cisco and many others it's a recommended good security practice to refrain from using the default VLAN (VLAN 1) by ensuring you are only allowing the required tagged VLANs on your trunk ports and removing VLAN 1 where you can.

We disable VLAN 1 on all our switches and create a dummy native VLAN in its place which doesn't pass any traffic, which we use on switch-to-switch trunk links, and we also only tag the VLANs we require on the trunk links from our core to access switches, such as end-user VLANs, rather than having them all. For example, there's no need for our server VLAN IDs to be trunked to user access switches.

Yes, you can tag all VLANs on trunk links going to other switches, but it's recommended to limit this and be especially careful about the native untagged VLAN to protect against double tagging attacks.

Mitchell
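The trunk practice described in the comment above (a dummy native VLAN that carries nothing, VLAN 1 shut down and pruned from uplinks, only the required VLANs tagged), together with the voice-VLAN analogy raised in an earlier comment, written out as a Cisco IOS configuration fragment. This is an added example, not the video's or any commenter's configuration; the interface names and the VLAN IDs 10 (data), 20 (voice) and 999 (dummy native) are assumed.

```cisco
! ---- Weak (default) trunk: native VLAN 1, every VLAN allowed, DTP enabled ----
interface GigabitEthernet1/0/48
 switchport mode trunk
 ! implicit defaults: trunk native vlan 1, allowed vlan all

! ---- Hardened version of the same uplink to an access switch ----
! 999 is an assumed dummy native VLAN: no SVI and no access ports live in it,
! so an untagged frame arriving on the trunk lands in a VLAN that goes nowhere
vlan 999
 name DUMMY-NATIVE
!
! VLAN 1 cannot be deleted on IOS, but its SVI is shut and it is kept off trunks
interface Vlan1
 shutdown
!
interface GigabitEthernet1/0/48
 description uplink to access-switch-1 (assumed name)
 switchport mode trunk
 switchport trunk native vlan 999
 ! only the VLANs this access switch needs; server VLANs stay off this trunk
 switchport trunk allowed vlan 10,20
 ! refuse DTP so the far end cannot negotiate trunking (not in the comment; added here)
 switchport nonegotiate
!
! ---- Access port equivalent of a UniFi port restricted to one extra VLAN ----
! data VLAN 10 untagged, voice VLAN 20 tagged: the Cisco voice-VLAN pattern
interface GigabitEthernet1/0/5
 description phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
```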
Author

Are there any videos that show the new interface? I just got some switches and I don't understand how to set up VLANs without my switches going offline. I've been at this for days; it looks like I'm the only person who has the new interface.

Also, if my controller (or whatever TF it's called) is currently hosted on a Windows machine, does that machine HAVE to be on the default VLAN? If I change this machine's network the switches go offline and they must be factory reset.

ryanbuster
Author

Thanks for making this video. Could you make another one explaining when to use Traffic Restrictions over Ethernet Port Profiles?

kevin___