Configuring VLANS in UniFi (And How to Use Them)

Captions
Hey there YouTube, welcome to another Tech Me Out video. Thank you so much for being here, I appreciate each and every one of you. If you haven't done so already, please subscribe and hit the bell icon so you will be notified when new videos come out. In today's video I want to touch on a subject that I've been getting a lot of questions about, and that's doing VLANs in a Ubiquiti UniFi environment. I do know that Ubiquiti is doing VLANs a little differently than most other vendors out there, so in today's video I want to start from the basics and grow into more advanced things. We will see how to create VLANs in Ubiquiti UniFi. We will do everything in the new settings of a UniFi controller version 6 and up, because that's where Ubiquiti is aiming for us to be. We will create VLANs, but when creating VLANs we actually didn't do much. Once we create the VLANs we will see what's the difference between just assigning a port to a specific VLAN and assigning a port to a trunk that can pass several VLANs through it. There's a lot of difference over there. So VLANs and segregation and separation of networks is the topic for today's video. I hope this will be informative. Let's go over to the computer and see how this is done. Join me.

All right guys, so we are at the computer. If you're already watching this you probably already know what a VLAN is and what they are made for. In summary, if you don't: VLANs are a way to take a single physical network infrastructure and allow virtual networks to run through it. Basically, if you have a single network cable you will be able to pass through it several networks that are, in theory, all separated from each other. Now, since it's a single Ethernet cable, you will not be able to go beyond the one gigabit of bandwidth it gives you, but inside the confines of this one gigabit of throughput you will be able to pass through several VLANs, and you can control if they can see each other and talk to each other. That's the whole idea of separation and segregation of networks. As you will see in this video, I have several VLANs in my home network, and one of them is an IoT network which cannot talk to any other VLANs on the network. It's completely isolated; it can go out to the internet, but nothing more than that.

So let's jump into my UDM device, and keep in mind that UniFi does VLANs a little bit differently than many other vendors do. The first thing, in order to create VLANs, is we will need to go into the Settings menu, and we are doing everything in the new settings menu, which is controller version 6 and up. This is the new design language Ubiquiti wants us to go to; this is where we'll go. We'll go to Networks. As you can see, in this demonstration network I have several VLANs already configured, but let's say I didn't. Then we will only see the LAN network, which is the only default network that comes in the UDM, at least. All we have to do in order to create a VLAN is just click on Add New Network. We'll give our new VLAN a name; let's call it, I don't know, "test tmo vlan", that's just an arbitrary name. We'll skip the VPN settings, we'll skip content filtering, and we'll open up the Advanced tab. We need to supply a VLAN tag. This is what's called VLAN tagging; almost every other vendor, Ubiquiti included, refers to this as the VLAN ID. That's fine, let's give it 4. We don't have a domain name for this purpose. We want the DHCP server to be on, and I don't like the auto-scaling, I want to set my own subnet. Let's give it 172.16.4.0/24, and let's supply an IP range of 172.16.4.50 to 172.16.4.200.

Oh sorry, we'll need to supply a 1 here instead of a 0. And that's great. As you can see, we have some sort of a chronology of networks here: it's 172.16.1, .2, .3 and .4. So this is how you technically create a network, but up until now we could create a thousand VLANs and practically we didn't do anything; we didn't put it to work. So what can we do in order to make this VLAN work for us, or be active at any point? Just creating the VLAN is not really doing anything. What we need to do is go into Advanced Features, into Switch Ports. This is where we can control which VLAN goes where: no matter how many switches we have in our network, maybe it's just the UDM, or if we have more switches adopted into our network, we will need this Switch Ports section if we want to control which VLAN goes where. For example, we have the default "All" profile. Let's click on View. What it basically does is create a sort of default trunk profile, and that means that the native VLAN (the native VLAN is the network that the device will get an IP address from) is set, and it will also tag all our other VLANs. For example, in the default All profile we have the LAN network as the native. That means if I plug a computer into a port with the All profile assigned to it, I will get an IP address from the 172.16 network in this specific case. Let's create a new port profile to better suit our needs. All right, we'll call it "test tmo profile", and what I want to achieve in this profile is for the new VLAN to be the native and all other VLANs to be trunked. Sorry, so in the native network I will select the new test tmo vlan, and now I get to choose which networks I want to also pass along this profile. So I can select all, or I can select a specific network or two. So in this profile I will get a native network of VLAN 4, and 3 and 2 will also be passed on. In this case I want to select all; it's just important for me in this demonstration that the new VLAN, VLAN 4, will be the native one. That's great.

Now I created a profile, and a profile is just an object, an object that I will need to assign to specific switch ports in order to get it actually working. So in this case I only have one device, which is the UDM, but it has a built-in switch. So let's go to Devices, select the device (if it was any other switch you would select it the same way), go to Ports, and now let's say I want to assign port 1 or port 2 or whatever the new profile that I created. What I can do here is, from the switch port profile, I will select "test tmo profile 4" and click Apply. At that point, if I plug a device into port 2 on the switch, I will get an IP address from the 172.16 subnet, and if I have some sort of virtualization capabilities, or if I'm able to manually set a VLAN tag on the network interface, I will be allowed to get an IP address on or connect to the other VLANs. So I have an Intel NUC that I want to connect to the new port that we have configured. In the meantime I will plug it in and power it on, and what I would like to see at the end of this process, once the Intel NUC is booted, is this Intel NUC getting an IP address of 172.16.4.something.

All right, but what if I don't want a switch port to be configured with any trunking, not the default All, not my new profile? I want a switch port to only pass on one network; let's say it's a guest network in a hotel or something. I don't want any profile or any trunking. It's easy enough to do: let's click on port 3, and you see now it's configured to pass this Office network, which is VLAN 2. We'll just select the new VLAN 4 and click Apply. Now what will happen is that if I plug a device into port 3 I will also get an IP address from the new VLAN, 172.16.4.something, but even if I plugged in an ESXi server and I want to run a virtual machine that is configured to get an IP address from a different VLAN, it won't work, because the VLAN tag will be blocked on the port and will not continue on to our firewall. Let's go to the Clients tab to see if we get an IP address from the new VLAN, and indeed we do: it's 172.16.4.something. That means that our switch profile has been configured correctly. And again, if I had more devices beside the Intel NUC, beside the UDM, sorry, I would do the same thing: I would select the device, go to the Ports tab right here, and the switch profile will be there for me to choose.

But even now that we learned how to create a VLAN, how to assign it to a profile and how to get an actual device to connect to this new VLAN, it is just an arbitrary thing that we learned to do, and we need to make it work for us. For example, if I want to create an IoT VLAN, I can create the IoT VLAN just as we created the new VLAN 4, and I can assign it to a switch profile, and I can even assign it to a Wi-Fi network, which is also something that I would like to show. I can create a new Wi-Fi network; let's call this Wi-Fi network "tmo wifi vlan 4", password "super super secret password", and now I can attach this Wi-Fi network to the test tmo vlan, and every device that will connect to this new SSID via Wi-Fi will get a 172.16.4.something network address, exactly like if it was connected to the switch port that my Intel NUC is connected to. Very easy. But again, this is just an arbitrary action that we can do, and we are now arriving at the most important part of creating VLANs in the first place, and that's managing how the traffic between the VLANs will happen or will not happen.

So if you want to create, for example, an IoT network like me, you want to make sure that it can go out to the internet, but I want to also make sure it cannot communicate with any of my internal VLANs whatsoever. In order to do that we need to go to the Security tab right here and open the Internet Threat Management section right here. We'll go to the Firewall section right over here, and as you can see I created a group called "rfc 1918". That's the standard addresses that are not routable on the internet, for example 192.168 or something, 10.0.0, 172.16. Here are the actual addresses that I entered into the group. The reason I created this group is to create a firewall rule that is actually the baseline of any other firewall vendor in the market but is not the default in UniFi: I want to create a starting situation of no traffic, no internal traffic, sorry, between VLANs. That's the starting point, and this is how you create the firewall rule. I already created it, so let's review it. We'll give it a name, we'll enable it, we'll also run it before the predefined rules, the action will be Drop, and the IPv4 protocol will be All. The source: this is where I selected Address/Port Group, and I selected the group I created, port group Any. Again, the destination is the group. In Advanced I didn't do anything, and I clicked on Save, and I created a starting point that no VLAN can talk to any other VLAN. And now, if I want to allow traffic between VLANs, for example in my network, I will show it in a minute, I am allowing internal devices to go into my IoT network, sorry, from the IoT network I am allowing traffic inside my internal network, but only to my Synology NAS and only on the Plex port, because I want to allow my smart TVs to reach my Plex server and get the content streamed to the TV. So I needed to create a rule, I will show it, that's allowing the traffic from the specific network to the specific host on a specific port, and this way I can manage exactly what I am allowing and what I am not allowing. In other words, everything that I define will be allowed; other than that, everything is blocked because of this rule right here.

Let's show an example. I will go to my UDM Pro, which is my sort of production network at home. We'll go to the Settings tab right here, to Security, Internet Threat Management, Firewall, LAN. All right, so here is the same rule I created on my demonstration UDM, and now I'm creating rules to allow certain traffic. For example, if I'm talking about Plex, I need to create two rules: one is for, let's say, going over, and the other is for traffic to come back to me. So let's review. This is the "allow plex to iot" and this is the "allow iot to plex"; that means allowing IoT traffic, for example, to reach Plex, and the other way around. Actually, I always like it that the destination traffic will be above. Let's review the "iot to plex" rule. So I gave it a name, I selected Run Before the Predefined Rules, the action is Allow, or Accept, my source will be a network, in this case IoT, and the destination is my NAS device, my Synology NAS device, which I also created in the Groups section where we created the RFC 1918 group also, and the port group is Plex; again, I created it in the Groups section. Same as before, so I'm allowing the IoT network to reach my Synology server that is running my Plex server, but only on the Plex-specific port. In order to get the traffic to be actually available, I needed to create a rule the other way around; that means from my Synology server on my Plex port, traffic can go back to the IoT network. This is the couple of rules I need to create for everything I want to allow going through my VLANs. Other than that, if I haven't configured it specifically, it will be blocked by my "block inter-VLAN" rule. Here is the Plex port, for example: I created a new group, actually it's not a group, it's poor wording, but it is what it is. I created the Plex group, but it's not really a group, it's a port group with only the Plex port, and now it became an object that I can select inside firewall rules.

So we've created a VLAN, we saw how to create it and how to assign it to a port, or create a switch port profile and then assign it to a switch port, and then we saw how to get a Wi-Fi network attached to this new VLAN that we created, and now we saw how we can create firewall rules to manage the traffic between our VLANs, because without this management of traffic, VLANs and separation and segregation are not worth anything at all. This is exactly why it all comes down to firewall rules to manage the traffic. So this is how we create VLANs, this is how we create switch port profiles, this is how we assign the VLAN directly to a switch port or to a switch port profile, and we saw, in summary, in a brief overview, how to create firewall rules to manage the traffic, and this is exactly the point of splitting your network into VLANs. I hope this was informative. If I missed something, please write down in the comments below what I missed or what you would do otherwise; I always like to read your comments. If you haven't done so already, please subscribe and hit the bell icon so you will be notified when new videos come out. I will see you all in the next video. Thank you for watching.
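The port profile behaviour the video describes (a trunk with a native VLAN plus tagged VLANs, versus a port assigned to a single VLAN that blocks tagged frames) can be modelled with a minimal 802.1Q frame builder and parser. This is an added example, not code from the video or from Ubiquiti. It assumes the default LAN is VLAN 1 (the video never states its ID), that a port assigned to one network accepts only untagged frames, and that a priority-tagged frame (VID 0) is treated as untagged; MAC addresses and payloads are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int,
                payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    hdr = dst_mac + src_mac
    if vlan is not None:
        # TCI = 3-bit PCP (0) | 1-bit DEI (0) | 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, tpid, frame[14:]

@dataclass
class PortProfile:
    """A UniFi-style switch port profile: one native (untagged) network,
    plus the set of networks that may pass tagged through the port."""
    name: str
    native_vlan: int
    tagged_vlans: set = field(default_factory=set)

def classify_ingress(profile: PortProfile, frame: bytes) -> Optional[int]:
    """Return the VLAN the frame is placed in, or None if the port drops it."""
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:
        # Untagged (or priority-tagged): the device lands in the native
        # network, which is where it will get its DHCP lease from.
        return profile.native_vlan
    if vid in profile.tagged_vlans:
        return vid          # tagged and permitted: carried across the trunk
    return None             # tagged but not allowed here: blocked at the port

# Profiles from the video, with LAN modelled as VLAN 1 (assumption).
PROFILE_ALL = PortProfile("All", native_vlan=1, tagged_vlans={2, 3, 4})
PROFILE_TEST_TMO = PortProfile("test tmo profile", native_vlan=4, tagged_vlans={1, 2, 3})
PORT3_VLAN4_ONLY = PortProfile("port 3: vlan 4 only", native_vlan=4)

# Constructed sample frames (MACs and payload are placeholders).
NUC_MAC = bytes.fromhex("0242ac100401")
GW_MAC = bytes.fromhex("0242ac100001")
UNTAGGED = build_frame(GW_MAC, NUC_MAC, 0x0800, b"ip-payload")
TAGGED_VLAN2 = build_frame(GW_MAC, NUC_MAC, 0x0800, b"ip-payload", vlan=2)

if __name__ == "__main__":
    for prof in (PROFILE_ALL, PROFILE_TEST_TMO, PORT3_VLAN4_ONLY):
        print(prof.name, "untagged ->", classify_ingress(prof, UNTAGGED),
              "| tagged 2 ->", classify_ingress(prof, TAGGED_VLAN2))
```

The VM-on-ESXi case from the video is the `TAGGED_VLAN2` frame on `PORT3_VLAN4_ONLY`: the tag is valid 802.1Q, but the port has no tagged networks, so the frame never reaches the gateway.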
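The firewall design from the video (an RFC 1918 address group, a drop rule between all private networks, and narrow allow rules for IoT to the NAS on the Plex port and back) is written out below as a first-match rule evaluator over constructed flows. This is an added example, not code from the video or from Ubiquiti. The NAS address 172.16.1.10 and the Plex port 32400 are assumptions standing in for the video's Synology host and "plex" port group; the example also assumes first-match evaluation with an accept default when nothing matches, so the two allow rules must sit above the drop rule.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Address/port groups. RFC1918 is the group the video builds; the NAS host
# and Plex port are constructed placeholders, not values from the video.
RFC1918: List[IPv4Network] = [ip_network(n) for n in
                              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_NET = [ip_network("172.16.4.0/24")]      # the VLAN 4 subnet created in the video
NAS_HOST = [ip_network("172.16.1.10/32")]    # hypothetical Synology NAS address
PLEX_PORTS: Set[int] = {32400}               # hypothetical "plex" port group

@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    src: List[IPv4Network]
    dst: List[IPv4Network]
    sports: Optional[Set[int]] = None  # None means any source port
    dports: Optional[Set[int]] = None  # None means any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address,
                sport: int, dport: int) -> bool:
        return (any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and (self.sports is None or sport in self.sports)
                and (self.dports is None or dport in self.dports))

# First match wins, so the Plex allows must be listed above the inter-VLAN
# drop; the video keeps the "plex to iot" (return) rule on top.
RULES: List[Rule] = [
    Rule("allow plex to iot", "accept", NAS_HOST, IOT_NET, sports=PLEX_PORTS),
    Rule("allow iot to plex", "accept", IOT_NET, NAS_HOST, dports=PLEX_PORTS),
    Rule("block inter-vlan", "drop", RFC1918, RFC1918),
]

def evaluate(src: str, dst: str, sport: int, dport: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule_name). A flow that matches no rule falls through
    to the default, which is modelled as accept (the video notes UniFi does
    not block inter-VLAN traffic out of the box)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, sport, dport):
            return rule.action, rule.name
    return "accept", "default"

if __name__ == "__main__":
    # Constructed sample flows: (src, dst, sport, dport)
    flows = [
        ("172.16.4.20", "8.8.8.8", 51000, 443),        # IoT -> internet
        ("172.16.4.20", "172.16.1.10", 51001, 32400),  # IoT -> Plex
        ("172.16.1.10", "172.16.4.20", 32400, 51001),  # Plex -> IoT (return)
        ("172.16.4.20", "172.16.1.10", 51002, 22),     # IoT -> NAS SSH
        ("172.16.2.5", "172.16.4.20", 51003, 80),      # Office -> IoT
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

Passing `rules=list(reversed(RULES))` to `evaluate` shows the ordering pitfall: with the drop rule first, the IoT-to-Plex flow is dropped even though an allow rule exists for it.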
Info
Channel: Tech Me Out
Views: 11,876
Rating: 4.8439026 out of 5
Keywords: Configuring VLANS in UniFi, ubiquiti, unifi, vlan, network, unifi trunk, networking, vlans, unifi switch, setup, dream machine pro, unifi dream machine, unifi dream machine pro, ubiquiti networks unifi, unifi switch trunk, ubiquiti unifi, unifi trunk setup, wireless vlan, keeping it simple, it blogs, it specialist, information technology, it, it jobs, it fundamentals, learn it, networking tutorial for beginners, dream machine, netowrking, uap, set up, firewall, ubiquiti switch trunk
Id: uCO5ZTCy6zA
Length: 22min 54sec (1374 seconds)
Published: Tue Jan 19 2021