I agree, the pipe analogy and the visuals in this video are probably the best explanation of the vlan concept I've ever seen in the past 15 years of my career.
DAVE, I have been in IT for a while and have done a lot of networking, but your Pipe description is the best metaphor I've heard for this thus far. Thank you!
Dave, I do appreciate how you just 'lay it out there' so simply for all of us! Things don't seem so intimidating in the style in which you teach. From a user +, Thank You!
This is a fantastic explanation of VLANs for networking newbies like me. Thank you Dave for making this video and including an example of configuring VLANs in Unifi hardware.
Great video! Small nitpick at 6:30. In Ethernet frames, destination MAC address comes before source MAC address (opposite the ordering of addresses and ports in IP and TCP/UDP headers).
Dave, you are easy to listen to, you make sense and cut out the guff. I have not touched networks in years (used to for my job) and this saved me the "don't use it, you lose it" recovery time and I learnt stuff. Thanks Tibby
The most technical explanation of VLANs is the segmentation of broadcast domains. Each MAC address table entry also has a VLAN property constraining local and broadcast traffic within itself. By using segmentation you force traffic to a router, switched virtual interface or firewall where you can define policy for traffic between VLANs. However this is important: a broadcast storm on 1 VLAN WILL bring your entire local network down even if that traffic belongs to another VLAN on the same switched network. Only traffic living on another physical interface on an upstream router or firewall will not be affected since the broadcasts only are on 1 physical interface. The reason why switch CPUs spike in a broadcast storm is because they have to continually rewrite the MAC table because source MAC addresses keep jumping between ports. And writing to the CAM memory has to be done by the CPU.
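As an added illustration (not the commenter's code, and not any real switch's implementation), a toy model of a VLAN-aware learning switch whose MAC table is keyed by (VLAN, MAC): it shows floods staying inside their VLAN, a trunk link carrying every VLAN's floods, and the table rewrites a flapping source MAC causes in a storm. The port layout, VLAN IDs and MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy model of a VLAN-aware learning switch.

    The MAC table is keyed by (vlan, mac), so an address learned in VLAN 10
    tells the switch nothing about VLAN 20, and flooding (broadcast or
    unknown-unicast) only reaches ports that are members of the frame's VLAN.
    Port membership below is a constructed assumption, not a real config.
    """

    def __init__(self, port_vlans):
        # port_vlans: {port_number: set of VLAN IDs the port is a member of};
        # a port in several VLANs is this model's equivalent of a trunk.
        self.port_vlans = {p: set(v) for p, v in port_vlans.items()}
        self.mac_table = {}       # (vlan, mac) -> port the MAC was last seen on
        self.relearn_count = 0    # entries rewritten because a MAC changed port

    def members(self, vlan):
        """Ports that carry this VLAN, in port order."""
        return [p for p, v in self.port_vlans.items() if vlan in v]

    def forward(self, in_port, vlan, src, dst):
        """Learn src on in_port, then return the egress port list for dst."""
        if vlan not in self.port_vlans.get(in_port, set()):
            return []  # VLAN not permitted on the ingress port: frame dropped
        key = (vlan, src)
        prev = self.mac_table.get(key)
        if prev is not None and prev != in_port:
            # A MAC that keeps flapping between ports forces constant table
            # rewrites; that churn is the CPU spike described in the comment.
            self.relearn_count += 1
        self.mac_table[key] = in_port
        out_port = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or out_port is None:
            # Flood, but only to the other members of this VLAN.
            return [p for p in self.members(vlan) if p != in_port]
        return [] if out_port == in_port else [out_port]


def simulate_storm(switch, vlan, mac, ports, rounds):
    """Feed the same source MAC alternately on several ports (what a loop
    looks like to the switch) and report how many table rewrites it caused."""
    for i in range(rounds):
        switch.forward(ports[i % len(ports)], vlan, mac, BROADCAST)
    return switch.relearn_count


def demo():
    """Constructed layout: ports 1-2 in VLAN 10, 3-4 in VLAN 20, port 5 a
    trunk carrying both. Returns the egress lists for a few sample frames."""
    sw = VlanSwitch({1: {10}, 2: {10}, 3: {20}, 4: {20}, 5: {10, 20}})
    results = {}
    # ARP-style broadcast from a VLAN 10 host: reaches VLAN 10 ports and the
    # trunk, never ports 3-4. The trunk carries every VLAN's floods, which is
    # why one VLAN's storm can starve the others of bandwidth on that link.
    results["bcast_vlan10"] = sw.forward(1, 10, "aa:00:00:00:00:01", BROADCAST)
    results["bcast_vlan20"] = sw.forward(3, 20, "aa:00:00:00:00:03", BROADCAST)
    # A reply in VLAN 10 is switched straight to port 1 once learned there.
    results["unicast_known"] = sw.forward(2, 10, "aa:00:00:00:00:02", "aa:00:00:00:00:01")
    # The VLAN 20 host's MAC is unknown *in VLAN 10*, so this floods within
    # VLAN 10 only; reaching VLAN 20 needs a router, not the switch.
    results["unicast_other_vlan"] = sw.forward(1, 10, "aa:00:00:00:00:01", "aa:00:00:00:00:03")
    # A frame for VLAN 20 arriving on a port that is only in VLAN 10 is dropped.
    results["wrong_vlan_ingress"] = sw.forward(1, 20, "aa:00:00:00:00:01", BROADCAST)
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:20s} -> egress ports {ports}")
    storm = VlanSwitch({1: {10}, 5: {10, 20}})
    print("table rewrites during storm:",
          simulate_storm(storm, 10, "aa:00:00:00:00:01", [1, 5], 10))
```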
OUTSTANDING!! So many people I work with don't understand them, and confuse VLANs with an IP segment!! Your water example is great, and I plan to share your video with others. Thank you very much!
Thank you for this video. Yesterday was the first day my home network consisted of more than the ISP modem/router combo and a small unmanaged switch. I spent most of the day shooting myself in the foot through unknown trouble, guessing and hopes.
Great video. I run 8 VLANs where the default untagged VLAN is the guest network and carries the other VLANs as tagged. The only exception is for CCTV, where those ports are untagged in the CCTV network but don't carry the other tagged networks.
This mainly discusses network segmentation and isolation. I prefer to think of VLANs as a separate topic since you can do the former without the latter, especially in simple cases. I see VLANs as just a way that one cable can carry multiple isolated networks between VLAN aware equipment. A VLAN aware switch can be divided into several isolated switches, and its ports can be configured to be part of any one (or more) of the isolated switches, a single cable can carry groups of isolated networks between routers, switches and Wi-Fi access points. It's also worth noting that ordinary untagged traffic is just as isolated from the VLANs as they are from each other.
Just be mindful there are two different elements in play: wired VLANs and wireless SSIDs. While you can create an extremely long list of VLANs (around 4000), including one VLAN for each and every device (literally, if used for micro-segmentation, for instance), you have a limit on the wireless SSIDs you can run on your equipment before you start to lose performance. A somewhat "secure" home wireless setup would be built with independent "private", "guest" and "IoT" SSIDs. Each SSID would run on top of (or be "tagged" to) one wired VLAN, as you detailed in your video. Good stuff, Dave - now get the video listed so others can watch it too without having a link to it 👍
The UniFi Network Application supports WiFi Private Pre-Shared Keys (PPSK), so you can use multiple VLANs with only one SSID. You can still keep a second SSID for the "guest network" just for aesthetics; but there's no need for separate IoT, camera, etc. SSIDs when using PPSK, which the equipment Dave's shown does support. Thusly, no impact on performance due to too many SSIDs as you've correctly pointed out.
This is exactly what I do. I run a private SSID for my roommates and me, a guest SSID for, well, guests, and an IoT SSID for IoT things like cameras and doorbells, plus another one for devices I don't trust (for example, a Windows XP machine I'm forced to connect to the internet). I only have four VLANs though, but I'm thinking about separating everything into its own network that all have internet access. I just don't know how to do that.
@bjoern.gumboldt It all depends on the product and skill level. The average user will be running whatever garbage gear their ISP provides them, or whatever gear they can buy for cheap that is friendly enough for them to configure. For more advanced solutions, yes, the UniFi network and the PPSK are great. At home, I do have my own NAC server, which authenticates the client and instructs the network to enforce policies, including VLANs, ACLs and URL redirections, so I too only run one SSID for maybe 6 different use cases, all fully isolated from each other. However, this has a cost and such complexity that it is unrealistic for average users.
Unless you use EAP ("enterprise") security; then you can configure different devices to authenticate to the same SSID with separate accounts that map to different VLANs with most APs. But that's assuming the devices actually support EAP, which in practice absolutely none of them do. And even when they do they tend to be full of bugs, like Android's compatibility problems with default Let's Encrypt certs (and crap documentation with even more crap error messages). So it will work with your laptops and phones, which you likely don't have any reason to isolate anyway, but all the stuff with sketchy firmware will need an extra dedicated SSID.
Dave, I love how you broke this down and simplified VLANs!! As a Lead Infrastructure Engineer I have to explain how VLANs work, and I will definitely be using your analogy of the pipes inside a larger pipe. Thanks for sharing and keep the content coming! Great work.
This is good stuff! For people who are trying to learn networking, this is a really good explanation of generally the how and why. Great review for those of us who need to implement the stuff we learned.
Hey, Dave, I think videos like this may be one of your callings. You should do more. The digital world would be a better place for it! And easier to understand.
I've got a UDM Pro SE and all Ubiquiti hardware as well. Great video to explain how this all works. I sent the link to several friends who should understand this as well.
Great insights on VLANs, Dave! But let's not forget about VLAN hopping - a sneaky technique that can breach VLAN segregation. It's a real eye-opener for network security, showing that even VLANs aren't impervious to attacks. Always a good reminder to double-check our configurations and stay vigilant!
This stopped being an issue in the early 2000s with Cisco, and it's clearly indicated in all of Cisco's documentation to never use VLAN 1, to avoid this when mixing vendors with poor implementations.
It literally knows where in the CAM table each device is, what interface and VLAN. The only place you're getting on another VLAN in a proper deployment is a trunk port. Now on small home networking gear this is probably an issue, but the last generation from Cisco on the Catalyst line and Nexus line where it was an issue was in the early 2000s. @perwestermark8920 It's been standard practice in both Cisco's hardening guide and the NSA security guidelines to never use VLAN 1, and never leave trunk port status to auto negotiation. Edit: A quick Google shows this is exactly the same as it was when the advisory went out initially for the 1900 series, 2900 series and 3500 series Catalyst switches when this was discovered in the early 2000s. Don't use VLAN 1 / the untagged VLAN. I don't think there is a single person in the industry that does this, because it's been common knowledge how incredibly stupid the concept of using VLAN 1 mixed in is since at least 2001.
The moment he said it was done in software, my very first thought was "How easily can this be exploited or hacked?" - I definitely wouldn't trust something like this with my life, but still I'm sure it'll stop the vast majority of spyware.
7:10 As you explained, VLANs operate on the data link layer, which is layer 2 of the OSI model. Therefore the VLAN segmentation is configured on a switch, and technically not on a router. However, you are correct, as most home routers are a firewall, switch, router and modem all packed into one device.
Actually, a switch, at its most basic, doesn't do any of this. This is still taken care of by routing, i.e. smart switches are basically still routers. "Dumb" switches cannot do any of this; they are basically glorified hubs that also still route IP traffic to specific network segments, without any other rules. The realm between "router" and "switch" nowadays has been greatly blurred.
@jdmayfield88 I believe the point OP is trying to make with this comment is that switching and routing are clearly defined and very different things, which is important to understand when wrapping your head around how VLANs work. And even though Dave is managing his network from the UniFi controller, which lets him configure VLANs and routing policies in one place, the VLANs are actually configured in the switch's domain at L2, and the subnets, interfaces, and routes are the router's domain at L3. The two layers don't really care about or even know what the other is doing, even if they are brought together and manageable through a slick SDN controller interface like this.
The IEEE 802.1 term for a device operating at layer two is "bridge". I think switch is an implementation-specific term and really only came to be used when we started building custom silicon for networking. The original layer 2 bridges were PCs with multiple network cards. So were a lot of the early routers, which were often called gateways. Switch became used to distinguish repeaters (hubs) from devices that inspected the packets at near line rate rather than blindly repeating at the bit level.
@TheBitWhisperer 100% correct. But I was trying to not get *too* into the weeds. FWIW, my intent wasn't to be pedantic or anything lol. The subject is pretty esoteric, so I just wanted to close the loop a little bit for anyone watching and reading the comments who might be trying to wrap their heads around high level VLAN concepts. That's all :)
@TheBitWhisperer The term bridge however is commonly confused with a hub. Hubs being those old crap switches that broadcast packets across all their ports as opposed to L2 switches that tie each port to the MAC address plugged into it, and only routing packets destined to that MAC, to that port so devices plugged into other ports cannot sniff the traffic.
Love me some VLANs. I use quite a bit of them on my home network, and this goes double for my job working at an MSP. Even cooler if you combine VLANs with micro-segmentation :) Every network I have is segmented at L2, including my Internet pipe, as this is directly piped into my VLAN-aware switch from my modem that's in bridge mode. Inter-VLAN routing is handled by my firewall. It was helpful for me to do this to help me understand how VLANs work and how to make them talk to each other (policies/ACLs/routing/etc.)
When it comes to broadcast and physical bandwidth utilization, consider those colored pipes as able to expand their diameter. VLANs only get limited on access ports on a switch that supports VLAN segmentation. Trunks in Cisco terminology, or ports with VLAN tagging as other brands designate it, will still pass all VLANs through, and can be probed. Thus a single VLAN can saturate ALL ports that allow that VLAN through, possibly choking bandwidth on ports and cables for VLANs that share the same physical structure. If you are using 'dumb' switches, that is switches that don't support VLANs, they will pass all VLANs through to all other ports on that switch. You'll need a switch that supports VLANs though to strip off that tagging, otherwise the end device might not accept the traffic, since it may consider the frame corrupt when it sees the VLAN tag still in the frame. A better way to look at VLANs is marked cars on a highway. You can still see all the cars and they take up space on the highway, but perhaps cars tagged with blue license plates are only allowed in and out of some exits, while cars tagged with red license plates can only go on others. Then there's the interchange exits where cars with any color license plate can get through. If red cars attended a convention that suddenly let out, those red cars could flood the highway and prevent the blue cars from getting through.
It's safer to consider what will happen to tagged packets in non-VLAN-aware switches as undefined, because apparently some switches just drop tagged packets.
Guess I must be getting old as I remember many of those items. As a small boy we lived in an apartment building where my dad was the super. It had a coal fired boiler. I remember the coal truck delivering coal down the chute into the coal bins. We also had an insulated box by the front door for milk delivery. The building had a dumb waiter for sending trash to the basement for loading in barrels for pickup. I attended a vocational high school in the late 1960s where I trained to be an electrician. One of the things learned was how to install knob and tube wiring. Another thing I remember was when we moved into a house there was a mail slot on the front door where the mail man dropped off your mail. So much has changed.
What's creepier is I just finished a guest AP for a gym and just finished a phone call with my boss about whether he wanted to bill for the programming hour(s) to add security to the wifi and rest of the network. Then this gets recommended. Good job algorithm. 🍻
Good timing, I am in the middle of planning my VLAN setup now. I just set up OPNsense and my smart switch. I'm trying to figure out proper rules and subnets that make sense. Hopefully I can figure it all out.
Great video. While learning how to set up VLANs back in the late 90s, I simply couldn't grasp the concept because there was no way to use it at home, and I was in high school. Once I learned the concept with Ethernet cables, I thought I had it nailed down. Plot twist - enter WiFi! Thankfully the UIs became mostly standardized and much easier to deal with. Love Ubiquiti as well!
Hey! What a great YT recommendation! I am rebuilding my whole network because gear I wanted 8 years ago is just on eBay now! Putting together a whole Ubiquiti system, and I'll need VLANs. I am going to swap over to WPA3, but a few devices still must have WPA2. So I'm (probably) gonna make a separate WPA2 VLAN that just connects to the Internet and not inter-device.
Cheers, hadn't really thought about VLANs for home networks, only corporate, but you're right: given the amount of IoT devices, even on security alone it would be worth it.
A method that many WiFis use for guest networks when the APs are separate from the router is for the AP to act like a firewall for the guest SSID, treats the wired network as an intermediate network, only allowing the guest traffic on the intermediate network (private network if you will) to access the default gateway on the private network. No VLAN needed in that case. But if your router is providing the WiFi, no need for VLANs since the router will directly firewall the dedicated WiFi networks. Only when you need the dedicated WiFi to traverse the wired infrastructure as well do you need VLAN. It is possible though the router treats the different WiFi networks as VLANs for identification simplicity.
Most interesting, I think for the first time I understand the basic use of VLANs, I will need to watch again and take notes. I think when I watch your videos I almost always learn something or gain more understanding about computing. Thank you.
TP-Link Omada FTW. Their APs can be run without a controller, support multiple SSIDs, and you can assign VLANs to the different SSIDs. When you add something like the ER605 for routing/firewall and the OC200 to manage all of it, you can create a significant number of SSIDs, each having their own VLAN, and an easily configurable router to boot. This man's knowledge no doubt trumps my own, but I've been playing with networks since the days of 10 megabit token ring and I love how simple the Omada system is for this very thing. Keep my kids on one network, my IoT devices on another, and my work separate from all of that.
I got an Omada setup running at a new house a couple months ago - loving it! The house was fairly extensively pre-wired with Cat5e, coax, and even some fiber, all run to a common location, at some point drywalled over but I was able to find it and install an in-wall structured media enclosure (house was built in 1999/2000). I had enough physical access to run some more Cat6 without having to tear anything up, and the 3-in-1 ER7217PC is small enough to fit comfortably in the structured media enclosure with my old modem/router combo box running in modem-only mode. I installed 5 EAP655-Wall access points, which each have 3 ethernet ports, and I've been blown away with how quick and easy it was to get everything running, and how much better WiFi fast roaming works compared to my consumer Netgear modem/router combo and WiFi mesh extender (CAX80 and EAX80). Going to get some VLANs set up in the very near future!
Thanks for explaining VLANs... I think though, that I will have to watch it again later due to a mild state of EMISOB (Early Morning Induced Slowness of Brain) 😅 All the best, Per (Denmark)
Hi Dave, network engineer here. Good job on the video, a few errors but we're cool! 😂 I see your world and ours converging fairly rapidly. Looking at what you're able to achieve with a GUI on home equipment is astonishing to me, if not a little bit scary! I work at an airport where our server team and my network team work closely together. Technology moves in waves in big business but I'm seeing the capability advance far quicker now. There already is a blurred line between server and network teams that's going to be interesting to live through over the next few years. I appreciate you bringing networking to your channel. It's an important collaboration that many must take for granted. In the corporate world having experts in both fields is a blessing. Writing code for operating systems is well out of my reach of understanding. However I always like to see the other side. Mainly to know I'm completely incapable of understanding a single line of code. Have a good Christmas mate.
Speaking as a server engineer and working for the Ambulance Service we work very closely with the network engineers. It really helps if each know at least a bit of the other, basic things like the OSI 7 Layer Model should be known by both. It is much easier to try and explain what you think a networking issue is if you can troubleshoot and give your diagnosis to the network team. I still love those topology diagrams comparing network to servers engineers involving "magical pixie dust" 😂
@TequilaDave I work in the power industry and substations have huge networks that carry TCP packets about how the power is flowing. The info is coded into a TCP packet. Everything you can imagine from voltages, control signals, etc. Look up IEC 61850 if interested. VLANs are extremely important.
@BaZzZaa Another fellow network person here. I would not call Dave's videos "errors", but semantics that could be better clarified - one such as I did on another comment in his video about VLANs and SSIDs. The Ubiquiti is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirt cheap, if compared with crappy ISP provided gear or the options we would be recommended at regular brick and mortar stores. About GUI changes, well, that has been more and more common lately. Not sure which gear you use, but many if not all of them do offer strong configuration capabilities via a GUI - be it in the form of a native app or web app - to the point you will use CLI for initial configuration and perhaps some very obscure troubleshooting only. Keep in mind the world is progressing towards the cloud, and even while on-premises will still reign for a long while, programmability has been the key for almost a decade now. There will be fewer folks needed with CLI skills and many more with web and API skills - meaning those that understand code. Keep that in the back of your mind, but don't bury it too much so you won't get phased out ;) Merry Christmas!
@hquest >"The Ubiquity is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirty cheap" I definitely agree. TP-Link Omada SDN is even cheaper than Ubiquiti, with a modicum more privacy. The difference vs mid to low tier enterprise grade gear is beyond performance. While the performance gap may actually be shrinking, the gap that's widening is support and especially how well the various features are tested by these vendors before they're rolled out.
Hey Dave, love the video. I've had a really similar Ubiquiti setup for a while now (UDM-Pro->USW-Enterprise-24-PoE->(2x)U6-Pro). What are your thoughts on using the L3 functionality of the newer UniFi switches (in terms of performance gains)? I've been wanting to move inter-VLAN routing to my switch, but losing multicast DNS has been a bit of a deal breaker. I have been kicking around the idea of setting up a PoE powered Pi that is set up with interfaces (multiple virtual on the one physical) for all the different VLANs to get that functionality back, but haven't had the time to do it yet (there's no real need for the PoE part, but I'm weird and like the idea of everything being powered off my switch, and I've got PoE capacity to spare in spades).
Out of the box, a lot of consumer grade equipment is configured to prevent the end-user from shooting her/himself in the foot, and that is usually a configuration which leans toward too permissive - so things work without needing to bring in a Cisco CCNP technician. It is fairly easy to get in over your head quickly. 802.1Q VLANs are a good thing and, as Dave correctly stated, help isolate traffic, but don't necessarily equate to security measures. The security, as Dave also said, is in the inter-VLAN routing, and that can be tricky and/or take some time to get right. In fact you can take a college level class which is entirely on the subject of LAN routing (and another class on enterprise routing). Something to keep in mind as an administrator is to limit what protocols at both layer 2 (at the data frame level) and layer 3 (at the IP addressing level) are allowed at a given port. For example, ports which are connected to end user devices should not be allowed to accept 802.1D spanning tree frames, which could alter the network topology, or 802.1Q tagged frames, which could allow users to spoof what VLAN they are on. There are exceptions. VOIP phones have a 3-port switch inside which directs VOIP to the phone electronics and regular traffic to a PC port, while the network port carries both VLANs to the switch. Another example is a VMware or Hyper-V server which may be running a virtual switch and virtual router within the server software, and sending multiple VLANs into the network. Spanning tree can be tricky. At its most basic, spanning tree lets you plug multiple switches together any way you like and your network will magically work. Spanning tree does so by shutting down any port which receives back a spanning tree frame sent out from the same device on another port. This automatically prevents loops from forming in your network. You can even intentionally put redundant links between devices and one link will be kept shut off unless the other link fails.
(We'll save trunking with multiple operational parallel links for some other time.) When one link fails, the other link will start up after a few seconds. The trick comes in when you have multiple switching devices, usually arranged as a hub with spokes and maybe an outer wheel connecting the spokes for backup. You need to be sure the hub of your network stays the hub and not one of your spoke devices, usually weaker, becomes the network nexus. Even worse, a rogue user or infected PC might send out 802.1D frames to become the hub in order to intercept all traffic. A good quality switch will allow programming some sort of spanning tree security configuration. Network convergence can be controlled by assigning what you want to be the hub nexus device a low 802.1D ID number. Lower numbers have higher priority for controlling topology. The default is for devices to use their physical MAC addresses as their 802.1D ID, thus whatever device has the numerically lowest MAC address becomes the network nexus. Once you have your topology locked down, then you can think about routing. That's another course to take.
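As an added example (not the commenter's code, and not any vendor's implementation), a Python decoder for Ethernet frames with an optional 802.1Q tag, plus the ingress policy this comment describes for an end-user port (no tagged frames, no 802.1D BPDUs) and for a trunk (native VLAN for untagged frames, an allowed-VLAN list); it also makes the point raised earlier in the thread that the destination MAC precedes the source MAC. The sample frames, port settings and VLAN IDs are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100                 # EtherType value that announces an 802.1Q tag
STP_DEST = "01:80:c2:00:00:00"      # destination MAC of 802.1D spanning-tree BPDUs


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None when the frame carried no 802.1Q tag
    pcp: int             # 802.1p priority bits from the tag (0 if untagged)
    ethertype: int       # payload EtherType (a value below 0x0600 is an 802.3 length)
    payload: bytes


@dataclass
class PortConfig:
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or the native (untagged) VLAN of a trunk
    allowed: frozenset = frozenset()   # VLANs permitted on a trunk
    bpdu_guard: bool = False           # reject spanning-tree frames on this port


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame with at most one 802.1Q tag.
    Destination MAC comes first, then source MAC (the opposite of the
    source-then-destination order used in IP and TCP/UDP headers)."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13          # 3 priority bits
        vid = tci & 0x0FFF       # 12-bit VLAN ID; 0 = priority tag only, 4095 reserved
        offset = 18
    return Frame(mac_str(dst), mac_str(src), vid, pcp, ethertype, raw[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a frame; used here only to fabricate sample input."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def ingress_decision(port: PortConfig, frame: Frame):
    """Apply the port policy from the comment above; return (action, vlan).

    An end-user (access) port accepts neither 802.1Q-tagged frames nor
    BPDUs, so a host cannot pick its own VLAN or reshape the spanning tree.
    A trunk maps untagged frames to its native VLAN and drops any VLAN that
    is not on its allowed list (so a native VLAN left off the list is dropped)."""
    if port.bpdu_guard and frame.dst == STP_DEST:
        return "drop:bpdu-guard", None
    if port.mode == "access":
        if frame.vid:                       # any real VLAN tag (VID 1-4094)
            return "drop:tagged-on-access", None
        return "forward", port.vlan
    vlan = frame.vid if frame.vid else port.vlan   # untagged -> native VLAN
    if vlan not in port.allowed:
        return "drop:vlan-not-allowed", None
    return "forward", vlan


if __name__ == "__main__":
    # Constructed samples: an untagged ARP, the same ARP tagged for VLAN 30,
    # and a frame addressed to the spanning-tree multicast address.
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01")
    arp_tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                             b"\x00\x01", vid=30, pcp=5)
    bpdu = build_frame(STP_DEST, "00:11:22:33:44:55", 0x0026, b"\x42\x42\x03")
    user_port = PortConfig("access", vlan=20, bpdu_guard=True)
    uplink = PortConfig("trunk", vlan=999, allowed=frozenset({10, 20, 30}))
    for name, raw in [("arp", arp), ("arp_tagged", arp_tagged), ("bpdu", bpdu)]:
        f = parse_frame(raw)
        print(f"{name:10s} vid={f.vid} user_port={ingress_decision(user_port, f)}"
              f" uplink={ingress_decision(uplink, f)}")
```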
I used to set up the built-in guest wifi to provide visitors with wifi access without compromising my home network, but lately I've started using it myself for my own IoT devices. Nowadays, almost everyone has a good LTE/5G data plan anyway.
I’d tell you a joke about udp, but I’m afraid you may not get it.
Just tell it to me QUIC, problem solved 😂
idk what UDP is but I get the joke
I bet if you told a TCP joke he would get it!
I'd tell you a joke about my brain, but I forgot where it is
@TeaBagginsMcGee Indeed. This needs to be acknowledged.
The different colors in a pipe is the best analogy I've heard for VLANs!
Thanks! I was hoping that would resonate with some folks!
Same! I totally agree! Once Dave said that, it all started to make sense!!!
The most straight to the point VLAN video I've ever watched, thank you
I'm studying for my CCNA 200-301 and I understood every word you said!!!!!
Then your studying is working. Heck yeah :)
I use a VLAN to block my mother in law from going on Facebook. Makes conversations with her less crazy
Excellent, straightforward introduction to VLANs. You knocked it out of the park!
The "NotPorn" VLAN was hilarious 😂😂
One of the best explanations of VLANs I have come across. Your analogy with the different coloured sub-pipes works great :)
Unifi is awesome! ❤
Great explanation! That pipe-in-a pipe concept gave me the needed understanding of what VLANs are.
I wish I had this video in 1995. I would look younger today.
Dave - please do more of these type of videos as this was really useful
I would really love more of these computer basics educational videos from you!
Dave, please don't ever stop making videos. Love the content and love learning about networking
Another good video. I like how you don't mess around and waste my time. Thank you!
I've worked on data center network and systems deployments for years and I find this video compelling!
It can be difficult to find a person with deep background in these more esoteric topics, really appreciate the clarity of the presentation.
Goes for anything...
Thank you, Dave. Always enjoy learning from you.
This video was awesome, please make more videos like this with the detailed break down of the topic. I'm going to share this video with friends.
Another great video that explains what can be a complex subject in an easy to digest fashion. Cheers!
Most VLANs are used in tandem with their own IP range. You generally don't have 2 VLANs on the same subnet for example.
You can have multiple IPs for one VLAN, but only one VLAN per IP range. In practice 99% of the time it's a 1:1 mapping.
Thank You Dave for that whole detailed presentation!
Thank you, I was looking for info about VLANs a few months ago. This is much clearer than anything I previously found.
Hey Dave! This is great info and is VERY WELL presented. I always enjoy and look forward to your videos.
I appreciate that!
You just saved me thousands of hours explaining the cost and benefits of configured router, switching and wireless access. Thanks Dave.
Each ssid will broadcast beacons, reducing overall performance.
The UniFi Network Application supports WiFi Private Pre-Shared Keys (PPSK), so you can use multiple VLANs with only one SSID. You can still keep a second SSID for the "guest network" just for aesthetics; but there's no need for separate IoT, camera, etc. SSIDs when using PPSK, which the equipment Dave's shown does support. Thusly, no impact on performance due to too many SSIDs as you've correctly pointed out.
This is exactly what I do. I run a private SSID for my roommates and me, a guest SSID for, well, guests, and an IoT SSID for IoT things like cameras and doorbells, plus another one for devices I don't trust (for example, a Windows XP machine I'm forced to connect to the internet). I only have four VLANs though, but I'm thinking about separating everything into its own network that all have internet access. I just don't know how to do that
@bjoern.gumboldt It all depends on the product and skill level. The average user will be running whatever garbage gear their ISP provides them, or whatever gear they can buy for cheap that is friendly enough for them to configure.
For more advanced solutions, yes, the UniFi network and the PPSK are great. At home, I do have my own NAC server, which authenticates the client and instructs the network to enforce policies, including VLANs, ACLs and URL redirections, so I too only run one SSID for maybe 6 different use cases, all fully isolated from each other. However, this has a cost and such complexity that is unrealistic to average users.
Unless you use EAP ("enterprise") security, then you can configure different devices to authenticate to the same SSID separate accounts that map to different VLANs with most APs.
But that's assuming the devices actually support EAP, which in practice absolutely none of them do. And even when they do they tend to be full of bugs, like Android's compatibility problems with default Let's encrypt certs (and crap documentation with even more crap error messages). So it will work with your laptops and phones, which you likely don't have any reason to isolate anyway, but all the stuff with sketchy firmware will need an extra dedicated SSID.
LMAO. I did not expect the subtle humor with the VLAN names. You were so serious up until that point. Super informative video, thank you for this!
Dave, I love how you broke this down and simplify VLANs!! As a Lead Infrastructure Engineer I have to explain how VLANs work, I will definitely be using your analogy of the pipes inside a larger pipe. Thanks for sharing and keep the content coming! Great work.
This is good stuff! For people who are trying to learn networking, this is a really good explanation of generally the how and why. Great review for those of us who need to implement the stuff we learned.
Thank you Dave!! I truly needed to watch this video. Your explanation is very helpful.
Great presentation Dave. Cheers from OZ
I'm surprised you haven't hit a million subscribers yet
Your videos are awesome
Great video, Dave! I found it very helpful to me as an aspiring network administrator. Cheers!!
Hey, Dave, I think videos like this may be one of your callings. You should do more. The digital world would be a better place for it! And easier to understand.
I've got a udm pro se and all ubiquiti hardware as well. Great video to explain how this all works. I sent the link to several friends who should understand this as well.
Very good information - was dabbling with VLANs recently. Love the channel
Great insights on VLANs, Dave! But let's not forget about VLAN hopping - a sneaky technique that can breach VLAN segregation. It's a real eye-opener for network security, showing that even VLANs aren't impervious to attacks. Always a good reminder to double-check our configurations and stay vigilant!
This stopped being an issue in the early 2000s with Cisco, and it's clearly indicated in all of Cisco's documentation to never use VLAN 1, to avoid this when mixing vendors with poor implementations.
VLAN hopping really isn't a fun subject. Switches need to be fast, which means they can't be too smart at the same time.
It literally knows where in the CAM table each device is: what interface and VLAN.
The only place you're getting on another VLAN in a proper deployment is a trunk port.
Now on small home networking gear this is probably an issue, but the last generation from Cisco on the Catalyst line and Nexus line where it was an issue was in the early 2000s. @perwestermark8920
It's been standard practice in both Cisco's hardening guide and the NSA security guidelines to never use VLAN 1, and never leave trunk port status to auto-negotiation.
Edit: A quick Google shows this is exactly the same as it was when the advisory went out initially for the 1900 series, 2900 series and 3500 series Catalyst switches when this was discovered in the early 2000s. Don't use VLAN 1 / the untagged VLAN.
I don't think there is a single person in the industry that does this, because it's been common knowledge how incredibly stupid the concept of using VLAN 1 mixed in is since at least 2001.
The moment he said it was done in software, my very first thought was "How easily can this be exploited or hacked?" - I definitely wouldn't trust something like this with my life, but still I'm sure it'll stop the vast majority of spyware.
Good ol' double-tagged VLANs
7:10 As you explained, vlans operate on the data link layer which is layer 2 of the OSI model. Therefore the vlan segmentation is configured on a switch. And technically not on a router. However, you are correct as most home routers are a firewall, switch, router and modem all packed into one device.
Actually, a switch, at its most basic, doesn't do any of this. This is still taken care of by routing. I.E. Smart switches are basically still routers. "Dumb" switches cannot do any of this, they are basically glorified hubs that also still route IP traffic to specific network segments, without any other rules. The realm between "router" and "switch" nowadays has been greatly blurred.
@jdmayfield88 I believe the point OP is trying to make with this comment is that Switching and Routing are clearly defined and very different things, which is important to understand when wrapping your head around how VLANs work. And even though Dave is managing his network from the UniFi controller, which lets him configure VLANs and routing policies in one place, the VLANs are actually configured in the switch's domain at L2, and the subnets, interfaces, and routes are the router's domain at L3.
The two layers don't really care about or even know what the other is doing even if they are brought together and manageable through a slick SDN controller interface like this.
The IEEE 802.1 term for a device operating at layer two is "bridge". I think switch is an implementation-specific term and really only came to be used when we started building custom silicon for networking. The original layer 2 bridges were PCs with multiple network cards. So were a lot of the early routers, which were often called gateways. Switch became used to distinguish repeaters (hubs) from devices that inspected the packets at near line rate rather than blindly repeating at the bit level.
@TheBitWhisperer 100% correct. But I was trying to not get *too* into the weeds. FWIW, my intent wasn't to be pedantic or anything lol
The subject is pretty esoteric, so I just wanted to close the loop a little bit for anyone watching and reading the comments who might be trying to wrap their heads around high level VLAN concepts. That's all :)
@TheBitWhisperer The term bridge, however, is commonly confused with a hub. Hubs being those old crap switches that broadcast packets across all their ports, as opposed to L2 switches that tie each port to the MAC address plugged into it and only route packets destined to that MAC to that port, so devices plugged into other ports cannot sniff the traffic.
Love me some VLANs. I use quite a bit of them on my home network, and this goes double for my job working at an MSP. Even cooler if you combine VLANs with micro-segmentation :)
Every network I have is segmented at L2, including my Internet pipe as this is directly piped into my vlan-aware switch from my modem that's in bridge mode. Inter-VLAN routing is handled by my firewall. It was helpful for me to do this to help me understand how vlans work and how to make them talk to each other (policies/acl's/routing/etc)
Thanks, this could be very helpful for my home automation. Have a wonderful day
great job, thanks Dave
I really like your channel. This episode may have inspired me to finalise some network security!
Wonderful breakdown and very digestible while not being too simple to become useless
Clear and comprehensive. Thank you!
That was exactly what I needed!!! Thank you so much Dave!!! You da man!!! 👍
Thanks Dave. Very interesting and informative.
When it comes to broadcast and physical bandwidth utilization, consider those colored pipes as able to expand their diameter. VLANs only get limited on access ports on a switch that supports VLAN segmentation. Trunks, in Cisco terminology, or ports with VLAN tagging as other brands designate it, will still pass all VLANs through, and can be probed. Thus a single VLAN can saturate ALL ports that allow that VLAN through, possibly choking bandwidth on ports and cables for VLANs that share the same physical structure.
If you are using 'dumb' switches, that is switches that don't support VLANs, they will pass all VLANs through it to all other ports on that switch.
You'll need a switch that supports VLANs though to strip off that tagging, otherwise the end device might not accept the traffic, since it may consider the frame corrupt when it sees the VLAN tag still in the frame.
A better way to look at VLANs are marked cars on a highway. You can still see all the cars and they take up space on the highway, but perhaps cars tagged with blue license plates are only allowed in and out of some exits, while cars tagged with red license plates can only go on others. Then there's the interchange exits where cars with any color license plate can get through.
If red cars attended a convention that suddenly let out, those red cars could flood the highway and prohibit those blue cars from getting through.
It's safer to consider what will happen to tagged packets in non-VLAN-aware switches as undefined, because apparently some switches just drop tagged packets.
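To make concrete what "the VLAN tag still in the frame" means in the comments above, here is an added example (not code from the video or any vendor) that builds and parses 802.1Q-tagged Ethernet frames, including the double-tagged case mentioned earlier in the thread, and shows what an access port does when it strips the outer tag. The MAC addresses, VLAN IDs and payload bytes are constructed for the example.

```python
"""Build and parse 802.1Q VLAN tags in an Ethernet frame (added example; not
code from the video or any vendor). Frames are constructed by build_frame();
the MAC addresses, VLAN IDs and payload are made up.

The tag is four bytes inserted after the source MAC: a 16-bit TPID (0x8100 for
802.1Q, 0x88A8 for the outer tag of 802.1ad "QinQ") followed by a 16-bit TCI
holding a 3-bit priority (PCP), a 1-bit drop-eligible flag (DEI) and a 12-bit
VLAN ID. A host that does not understand 0x8100 sees an unknown EtherType
where it expects IPv4, which is why an access port strips the tag on egress.
"""
import struct
from typing import Dict, List, Tuple

VLAN_TPIDS = (0x8100, 0x88A8)
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, tags: List[Tuple[int, int, int]],
                ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with zero or more (pcp, dei, vid) tags, outermost first."""
    out = mac_bytes(dst) + mac_bytes(src)          # destination MAC comes first
    for pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0xFFF)
        out += struct.pack("!HH", 0x8100, tci)     # TPID + TCI, network byte order
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict:
    """Return dst, src, the list of (pcp, dei, vid) tags and the final EtherType."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break                                  # real EtherType (e.g. 0x0800 IPv4)
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_outer_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the outermost tag, if any."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid in VLAN_TPIDS:
        return frame[:12] + frame[16:]
    return frame


def vid_is_usable(vid: int) -> bool:
    """0 is a priority-only tag and 4095 is reserved, leaving 1..4094 VLAN IDs."""
    return 1 <= vid <= 4094


if __name__ == "__main__":
    src, dst = "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    double = build_frame(dst, src, [(5, 0, 1), (0, 0, 20)], ETHERTYPE_IPV4, b"\x45\x00")
    print(parse_frame(double)["tags"])                     # both tags, outer first
    print(parse_frame(strip_outer_tag(double))["tags"])    # one tag left after one strip
```

The last two lines are the double-tag case: a switch that strips only the outer tag still forwards a frame that carries an inner tag, which is exactly why the earlier comments insist on never using the untagged/native VLAN for anything that matters. The 12-bit VID field is also where the "around 4000 VLANs" figure mentioned above comes from.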
Guess I must be getting old as I remember many of those items. As a small boy we lived in an apartment building where my dad was the super. It had a coal fired boiler. I remember the coal truck delivering coal down the chute into the coal bins. We also had an insulated box by the front door for milk delivery. The building had a dumb waiter for sending trash to the basement for loading in barrels for pickup. I attended a vocational high school in the late 1960's where I trained to be an electrician. One of the things learned was how to install knob and tube wiring. Another thing I remember was when we moved into a house there was a mail slot on the front door where the mail man dropped off your mail. So much has changed.
Love your videos. Thanks a lot for all!
Never heard it explained so well. Nice video
Physical switch port isolation is still needed to separate different segments of the network.
You should teach computer concepts, you have an amazing talent for explaining complex things!
That’s exactly what he is and has been doing lol
@triforcelink very true - I stand corrected
Great video for newbies. Well explained
Great video Dave. Thanks!
This definitely reminds me that I need to set up a more complex router than the one provided by the ISP. I needed that reminder.
Outstanding video - Many thanks
Thanks for this video vlans always left me head scratching
Yet another great video. Thank you!!!!
Kudos Dave for the concept of coloured pipes within pipes - a very nice way to visualize virtual LANS.
Whats creepier is I just finished a guest AP for a gym and just finished a phone call with my boss about if he wanted to bill for the programming hour(s) to add security to the wifi and rest of the network. Then this gets recommended. Good job algorithm. 🍻
Great video, thanks, Dave!
Love this Dave, I have wanted to ask for this since watching your Ubiquiti video
Thanks Dave. This was informative.
1:07 thank you Dave for confirming the internet is a series of tubes
Good timing, I am in the middle of planning my VLAN setup now. I just set up OPNsense and my smart switch. I'm trying to figure out proper rules and subnets that make sense. Hopefully I can figure it all out.
Great video. While learning how to set up VLANs back in the late 90s, I simply couldn't grasp the concept because there was no way to use it at home, and I was in high school. Once I learned the concept with Ethernet cables, I thought I had it nailed down. Plot twist - Enter WiFi! Thankfully the UIs became mostly standardized and much easier to deal with. Love Ubiquiti as well!
Great video ! Thank you!
As a networking degree holder myself, I appreciate the inclusion of the OSI model.
Hey! What a great YT recommendation! I am rebuilding my whole network because gear I wanted 8 years ago is just on eBay now! Putting together a whole Ubiquiti system, and i'll need VLANs. I am going to swap over to WPA3, but a few devices still must have WPA2. So i'm (probably) gonna make a separate WPA2 VLAN that just connects to the Internet and not inter-device.
Cheers, hadn't really thought about VLANs for home networks, only corporate, but you're right: given the amount of IoT devices, even on security alone it would be worth it.
A method that many WiFi systems use for guest networks when the APs are separate from the router is for the AP to act like a firewall for the guest SSID: it treats the wired network as an intermediate network, only allowing the guest traffic on the intermediate network (private network, if you will) to access the default gateway on the private network. No VLAN needed in that case.
But if your router is providing the WiFi, no need for VLANs since the router will directly firewall the dedicated WiFi networks. Only when you need the dedicated WiFi to traverse the wired infrastructure as well do you need VLAN. It is possible though the router treats the different WiFi networks as VLANs for identification simplicity.
Most interesting, I think for the first time I understand the basic use of VLANs, I will need to watch again and take notes. I think when I watch your videos I almost always learn something or gain more understanding about computing. Thank you.
TP-Link Omada FTW. Their APs can be run without a controller, support multiple SSIDs, and you can assign VLANs to the different SSIDs. When you add something like the ER605 for routing/firewall and the OC200 to manage all of it, you can create a significant number of SSIDs, each having their own VLAN, and an easily configurable router to boot.
This man's knowledge no doubt trumps my own, but I've been playing with networks since the days of 10 megabit token ring and I love how simple the Omada system makes this very thing: keep my kids on one network, my IoT devices on another, and my work separate from all of that.
I got an Omada setup running at a new house a couple months ago - loving it! The house was fairly extensively pre-wired with Cat5e, coax, and even some fiber, all run to a common location, at some point drywalled over but I was able to find it and install an in-wall structured media enclosure (house was built in 1999/2000). I had enough physical access to run some more Cat6 without having to tear anything up, and the 3-in-1 ER7217PC is small enough to fit comfortably in the structured media enclosure with my old modem/router combo box running in modem-only mode. I installed 5 EAP655-Wall access points, which each have 3 ethernet ports, and I've been blown away with how quick and easy it was to get everything running, and how much better WiFi fast roaming works compared to my consumer Netgear modem/router combo and WiFi mesh extender (CAX80 and EAX80). Going to get some VLANs set up in the very near future!
I'm running my Omada software controller on a Raspberry Pi.
Great info, I'm looking into doing this on my home network 👍👍
I just love your voice, man, you can sell me anything. Thanks for the information, much appreciated
Thanks for explaining VLANs... I think though, that I will have to watch it again later due to a mild state of EMISOB (Early Morning Induced Slowness of Brain) 😅 All the best, Per (Denmark)
Hi Dave, network engineer here.
Good job on the video, a few errors but we’re cool! 😂
I see your world and ours converging fairly rapidly. Looking at what you're able to achieve with a GUI on home equipment is astonishing to me, if not a little bit scary!
I work at an airport where our server team and my network team work closely together. Technology moves in waves in big business but I’m seeing the capability advance far quicker now. There already is a blurred line between server and network teams that’s going to be interesting to live through over the next few years.
I appreciate you bringing networking to your channel. It’s an important collaboration that many must take for granted. In the corporate world having experts in both fields is a blessing.
Writing code for operating systems is well out of my reach of understanding. However I always like to see the other side. Mainly to know I'm completely incapable of understanding a single line of code.
Have a good Christmas mate.
Speaking as a server engineer and working for the Ambulance Service we work very closely with the network engineers. It really helps if each know at least a bit of the other, basic things like the OSI 7 Layer Model should be known by both. It is much easier to try and explain what you think a networking issue is if you can troubleshoot and give your diagnosis to the network team.
I still love those topology diagrams comparing network to servers engineers involving "magical pixie dust" 😂
What did he get wrong?
@TequilaDave I work in the power industry and substations have huge networks that carry TCP packets about how the power is flowing. The info is coded into a TCP packet. Everything you can imagine from voltages, control signals, etc. Look up IEC 61850 if interested. VLANs are extremely important.
@BaZzZaa Another fellow network person here. I would not call Dave's videos "errors", but semantics that could be better clarified - one such as I did on another comment in his video about VLANs and SSIDs.
The Ubiquiti is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirt cheap, if compared with crappy ISP provided gear or the options we would be recommended at regular brick and mortar stores.
About GUI changes, well, that has been more and more common lately. Not sure which gear you use, but many if not all of them do offer strong configuration capabilities via a GUI - be it in form of a native app or web app - to the point you will use CLI for initial configuration and perhaps some very obscure troubleshooting only.
Keep in mind the world is progressing towards the cloud, and even while on-premises will still reign for a long while, programmability has been the key for almost a decade now. There will be fewer folks needed with CLI skills and much more with web and API skills - meaning those that understand code. Keep that in the back of your mind, but don't bury it too much so you won't get phased out ;)
Merry Christmas!
@hquest >"The Ubiquiti is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirt cheap"
I definitely agree. TP-Link Omada SDN is even cheaper than Ubiquiti, with a modicum more privacy. The difference vs mid to low tier enterprise grade gear is beyond performance. While the performance gap may actually be shrinking, the gap that's widening is support and especially how well the various features are tested by these vendors before they're rolled out.
Hey Dave, love the video, I've had a really similar ubiquiti setup for a while now (UDM-Pro->USW-Enterprise-24-PoE->(2x)U6-Pro) .
What are your thoughts on using the L3 functionality of the newer UniFi switches (in terms of performance gains)? I've been wanting to move inter-VLAN routing to my switch, but losing multicast DNS has been a bit of a deal breaker. I have been kicking around the idea of setting up a PoE powered Pi that is set up with interfaces (multiple virtual on the one physical) for all the different VLANs to get that functionality back, but haven't had the time to do it yet (there's no real need for the PoE part, but I'm weird and like the idea of everything being powered off my switch, and I've got PoE capacity to spare in spades).
This really helped me a lot in understanding. Thank you Dave :-)
Thanks Dave.
Great job!
Out of the box, a lot of consumer grade equipment is configured to prevent the end-user from shooting her/himself in the foot, and that is usually a configuration which leans toward too permissive - so things work without needing to bring in a Cisco CCNP technician. It is fairly easy to get in over your head quickly.
802.1Q VLANs are a good thing and as Dave correctly stated help isolate traffic, but don’t necessarily equate to security measures. The security as Dave also said is in the inter-VLAN routing and that can be tricky and/or take some time to get right. In fact you can take a college level class which is entirely on the subject of LAN routing (and another class on enterprise routing).
Something to keep in mind as an administrator is to limit what protocols at both layer 2 (the data frame level) and layer 3 (the IP addressing level) are allowed at a given port. For example, ports which are connected to end user devices should not be allowed to accept 802.1D spanning tree frames, which could alter the network topology, or 802.1Q tagged frames, which could allow users to spoof what VLAN they are on. There are exceptions. VOIP phones have a 3-port switch inside which directs VOIP to the phone electronics and regular traffic to a PC port, while the network port carries both VLANs to the switch. Another example is a VMware or Hyper-V server which may be running a virtual switch and virtual router within the server software, and sending multiple VLANs into the network.
Spanning tree can be tricky. At its most basic, spanning tree lets you plug multiple switches together any way you like and your network will magically work. Spanning tree does so by shutting down any port which receives back a spanning tree frame sent out from the same device on another port. This automatically prevents loops from forming in your network. You can even intentionally put redundant links between devices and one link will be kept shut off unless the other link fails. (We'll save trunking with multiple operational parallel links for some other time.) When one link fails, the other link will start up after a few seconds. The trick comes in when you have multiple switching devices, usually arranged as a hub with spokes and maybe an outer wheel connecting the spokes for backup. You need to be sure the hub of your network stays the hub and not one of your spoke devices, usually weaker, becomes the network nexus. Even worse, a rogue user or infected PC might send out 802.1D frames to become the hub in order to intercept all traffic. A good quality switch will allow programming some sort of spanning tree security configuration. Network convergence can be controlled by assigning what you want to be the hub nexus device a low 802.1D ID number. Lower numbers have higher priority for controlling topology. The default is for devices to use their physical MAC addresses as their 802.1D ID, thus whatever device has the numerically lowest MAC address becomes the network nexus.
Once you have your topology locked down, then you can think about routing. That’s another course to take.
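The two spanning-tree points in the comment above (the root is chosen by the numerically lowest bridge ID, so at the default priority the lowest MAC wins, and end-user ports should refuse 802.1D frames) can be shown with a small model. This is an added example, not code from the video, Cisco or any vendor; the switch names, MAC addresses, priorities and port names are constructed, and the "edge port" behaviour modelled here is the BPDU-guard style of protection the comment alludes to, not any specific product's implementation.

```python
"""Toy 802.1D root election with BPDU guard on edge ports (added example; not
code from the video or any vendor). Switch names, MAC addresses, priorities
and port names are constructed.

Two behaviours are modelled:
 1. The root bridge is the one with the numerically lowest bridge ID, which is
    (priority, MAC). With every device at the default priority of 32768 the
    lowest MAC wins, so the intended core is made root by lowering its priority.
 2. A user-facing port with BPDU guard never lets a received BPDU take part in
    the election; the port is shut down (err-disabled) instead.
"""
from typing import Dict, Iterable, Set, Tuple

DEFAULT_PRIORITY = 32768          # 802.1D default bridge priority; lower wins
BridgeId = Tuple[int, str]        # (priority, mac)


def bridge_id(priority: int, mac: str) -> BridgeId:
    # Lower-cased, zero-padded MAC strings compare the same way the numbers do.
    return (priority, mac.lower())


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Name of the bridge with the lowest (priority, MAC); priority ties fall to the MAC."""
    return min(bridges, key=bridges.__getitem__)


class Switch:
    def __init__(self, name: str, mac: str, priority: int = DEFAULT_PRIORITY,
                 edge_ports: Iterable[str] = ()):
        self.name = name
        self.own_id = bridge_id(priority, mac)
        self.guarded: Set[str] = set(edge_ports)   # ports with BPDU guard enabled
        self.err_disabled: Set[str] = set()
        # Every bridge assumes it is the root until it hears of a better one.
        self.root_id, self.root_name = self.own_id, name

    def receive_bpdu(self, port: str, root_id: BridgeId, root_name: str) -> bool:
        """Process a received BPDU; True if it was allowed to influence the election."""
        if port in self.guarded:
            self.err_disabled.add(port)   # BPDU on an edge port: shut the port, ignore the BPDU
            return False
        if root_id < self.root_id:        # a better root is advertised on this link
            self.root_id, self.root_name = root_id, root_name
        return True


if __name__ == "__main__":
    core_mac, edge_mac = "00:00:0c:aa:aa:01", "00:00:0c:00:00:05"
    # Default priorities everywhere: the access switch has the lower MAC and wins.
    print(elect_root({"core": bridge_id(DEFAULT_PRIORITY, core_mac),
                      "edge1": bridge_id(DEFAULT_PRIORITY, edge_mac)}))   # edge1
    # Lowering the core's priority makes it the root regardless of MAC.
    print(elect_root({"core": bridge_id(4096, core_mac),
                      "edge1": bridge_id(DEFAULT_PRIORITY, edge_mac)}))   # core
    sw = Switch("edge1", edge_mac, edge_ports=["Gi1/0/7"])
    sw.receive_bpdu("Gi1/0/7", bridge_id(0, "00:00:00:00:00:01"), "unexpected-pc")
    print(sw.err_disabled, sw.root_name)   # {'Gi1/0/7'} edge1: port shut, root unchanged
```

The priority value used for the core (4096) is one of the multiples of 4096 that 802.1D/802.1t bridge priorities take; the exact number is an assumption for the example. The model only covers root selection and the guard, not port roles or timers, which is enough to see why "lowest MAC wins by default" is the problem the comment warns about.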
@wtmayhew Thank you (seriously) for the reality check on my level of [mis]understanding! Very interesting topics!
@jefffuhr2393 Thanks for the supportive reply. I did my best to be accurate.
JUST USE "THEIR", ITS BETTER THEN "HIM/HERSELF".
CCNP you mean call a cisco tech for $5000 a year card
Exactly @qwertykeyboard5901
Learning every day....
This channel is VG. That is “Virtual Gold” and it’s worth more than its weight🙏🏼
This was great!!👍 Thanks
Thanks for the class. I still need my chair to sit in while learning. Lol
VLANs are a big deal in enterprise environments. Even in a home LAN, the concept is very useful!
👏 Thank you, eXcellent presentation.
Great explanation
Thanks Dave
Great info!
I used to set up the built-in guest wifi to provide visitors with wifi access without compromising my home network, but lately I've started using it myself for my own IoT devices. Nowadays, almost everyone has a good LTE/5G data plan anyway.