I agree, the pipe analogy and the visuals in this video are probably the best explanation of the vlan concept I've ever seen in the past 15 years of my career.
Dave, I do appreciate how you just 'lay it out there' so simply for all of us! Things don't seem so intimidating the in style in which you teach. From a user +, Thank You!
DAVE, I have been in IT for a while and have done a lot of networking, but your Pipe description is the best metaphor I've heard for this thus far. Thank you!
This is a fantastic explanation of VLANs for networking newbies like me. Thank you Dave for making this video and including an example of configuring VLANs in Unifi hardware.
Dave, you are easy to listen to, you make sense and cut out the guff. I have not touched networks in years (used to for my job) and this saved me the "dont use it you lose it recovery time" and I learnt stuff. Thanks Tibby
Great video! Small nitpick at 6:30. In Ethernet frames, destination MAC address comes before source MAC address (opposite the ordering of addresses and ports in IP and TCP/UDP headers).
Thank you for explaining it completely!! There are many quick/easy vlan videos that miss important details, like the difference between port based and ethernet frame tagging vlan implementation. This was confusing me, and your video cleared it up.
OUTSTANDING!! So many people I work with don't understand them, and confuse Vlan's with a ip segment!! Your water example is great, and I plan to share your video with others. Thank you very much!
Love it Dave! So simple and yet still informative. In fact it prompted me to update my UniFi settings at home as your simple quick demo highlighted a couple of errors I had I my rules. Thank you from the top of Scotland!
The quality and color of your videos is outstanding. I was recently given an older 24-port dell managed switch and I plan to experiment with VLANs. Thanks for the info! subbed.
Thank you for this video. Yesterday was the first day my home network consisted more than the ISP modem/router combo and a small unmanaged switch. I spent most of the day shooting myself in the foot through unknown trouble guessing and hopes.
This mainly discusses network segmentation and isolation. I prefer to think of VLANs as a separate topic since you can do the former without the latter, especially in simple cases. I see VLANs as just a way that one cable can carry multiple isolated networks between VLAN aware equipment. A VLAN aware switch can be divided into several isolated switches, and its ports can be configured to be part of any one (or more) of the isolated switches, a single cable can carry groups of isolated networks between routers, switches and Wi-Fi access points. It's also worth noting that ordinary untagged traffic is just as isolated from the VLANs as they are from each other.
I subscribed to your channel Dave! Great explanations and even with my A.D.H.D., I get you, my neuro-divergent brother. The world needs more minds like ours, indeed! Great videos, keep 'em coming.
Dave, I love how you broke this down and simplify VLANs!! As a Lead Infrastructure Engineer I have to explain how VLANs work, I will definitely be using your analogy of the pipes inside a larger pipe. Thanks for sharing and keep the content coming! Great work.
Great video, I run 8 vlans with the by default untagged vlan is the guest network and carries the other vlans as tagged. The only exception is for cctv where those ports are untagged in the cctv network, but don’t carry the other tagged networks.
Just be mindful there are two different elements in play: wired VLANs and wireless SSIDs. While you can create an extremely long list of VLANs (around 4000), including one VLAN for each and every device (literally, if used for micro-segmentation, for instance), you have a limit of wireless SSIDs you can run on your equipment before you start to lose performance. A somewhat "secure" home wireless setup would be built with independent "private", a "guest" and "IoT" SSIDs. Each SSID would run on top of (or be "tagged" to) one wired VLAN, as you detailed on your video. Good stuff, Dave - now get the video listed so others can watch it too without having a link to it 👍
The UniFi Network Application supports WiFi Private Pre-Shared Keys (PPSK), so you can use multiple VLANs with only one SSID. You can still keep a second SSID for the "guest network" just for aesthetics; but there's no need for separate IoT, camera, etc. SSIDs when using PPSK, which the equipment Dave's shown does support. Thusly, no impact on performance due to too many SSIDs as you've correctly pointed out.
This is exactly what I do. I run a private SSID for my roommates and I, a guest SSID for well, guests, and an IoT SSID for IoT things like cameras and doorbells, plus another one for devices I don't trust (for example, a Windows XP machine I'm forced to connect to the internet). I only have four VLANs though, but I'm thinking about separating everything into it's own network that all have internet access. I just don't know how to do that
@@bjoern.gumboldt It all depends on the product and skill level. The average user will be running whatever garbage gear their ISP provides them, or whatever gear they can buy for cheap that is friendly enough for them to configure. For more advanced solutions, yes, the UniFi network and the PPSK are great. At home, I do have my own NAC server, which authenticates the client and instructs the network to enforce policies, including VLANs, ACLs and URL redirections, so I too only run one SSID for maybe 6 different use cases, all fully isolated from each other. However, this has a cost and such complexity that is unrealistic to average users.
Unless you use EAP ("enterprise") security, then you can configure different devices to authenticate to the same SSID separate accounts that map to different VLANs with most APs. But that's assuming the devices actually support EAP, which in practice absolutely none of them do. And even when they do they tend to be full of bugs, like Android's compatibility problems with default Let's encrypt certs (and crap documentation with even more crap error messages). So it will work with your laptops and phones, which you likely don't have any reason to isolate anyway, but all the stuff with sketchy firmware will need an extra dedicated SSID.
Great insights on VLANs, Dave! But let's not forget about VLAN hopping - a sneaky technique that can breach VLAN segregation. It's a real eye-opener for network security, showing that even VLANs aren't impervious to attacks. Always a good reminder to double-check our configurations and stay vigilant!
This stopped being an issue in the early 2000s with cisco and its clearly indicated to never use vlan1 in all of ciscos documentation to avoid this when mixing vendors with poor implementations.
It literally knows where in the CAM table each device is, What interface and vlan. The only place you're getting on another vlan in a proper deployment is a trunk port. Now on small home networking gear this is probably an issue but the last generation from cisco on the catalyst line and nexus line where it was an issue was in the early 2000s. @@perwestermark8920 Its been standard practice in both cisco's hardening guide, and the NSA security guidelines to never use vlan1. And never leave trunkport status to auto negotiation. edit: A quick google shows this is exactly the same as it was when the advisory went out initially for the 1900 series, 2900 series and 3500 series catalyst switches when this was discovered in the early 2000s. Don't use VLAN1/ the untagged vlan. I don't think there is a single person in the industry that does this because its been common knowledge how incredibly stupid the concept of using vlan1 mixed in is since at least 2001.
The moment he said it was done in software, my very first thought was "How easily can this be exploited or hacked?" - I definitely wouldn't trust something like this with my life, but still I'm sure it'll stop the vast majority of spyware.
Most interesting, I think for the first time I understand the basic use of VLANs, I will need to watch again and take notes. I think when I watch your videos I almost always learn something or gain more understanding about computing. Thank you.
Hi Dave, network engineer here. Good job on the video, a few errors but we’re cool! 😂 I see your world and ours converging fairly rapidly. Looking at what you’re able to achieve with a GUI on home equipment is astonishing to me if not a little but scary! I work at an airport where our server team and my network team work closely together. Technology moves in waves in big business but I’m seeing the capability advance far quicker now. There already is a blurred line between server and network teams that’s going to be interesting to live through over the next few years. I appreciate you bringing networking to your channel. It’s an important collaboration that many must take for granted. In the corporate world having experts in both fields is a blessing. Writing code for operating systems is well out of my reach of understanding. However I always like to see the other side. Mainly to know I’m completely incapable of understanding a single like of code. Have a good Christmas mate.
Speaking as a server engineer and working for the Ambulance Service we work very closely with the network engineers. It really helps if each know at least a bit of the other, basic things like the OSI 7 Layer Model should be known by both. It is much easier to try and explain what you think a networking issue is if you can troubleshoot and give your diagnosis to the network team. I still love those topology diagrams comparing network to servers engineers involving "magical pixie dust" 😂
@@TequilaDave I work in the power industry and substations have huge networks that carry TCP packets about how the power is flowing. The info is coded into a TCP packet. Everything you can imagine from voltages, control signals, etc. Look up IEC 61850 if interested. Vlans are extremely important.
@BaZzZaa Another fellow network person here. I would not call Dave's videos "errors", but semantics that could be better clarified - one such as I did on another comment in his video about VLANs and SSIDs. The Ubiquity is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirty cheap, if compared with crappy ISP provided gear or the options we would be recommended at regular brick and mortar stores. About GUI changes, well, that has been more and more common lately. Not sure which gear you use, but many if not all of them do offer strong configuration capabilities via a GUI - be it in form of a native app or web app - to the point you will use CLI for initial configuration and perhaps some very obscure troubleshooting only. Keep in mind the world is progressing towards the cloud, and even while on-premises will still reign for a long while, programmability has been the key for almost a decade now. There will be fewer folks needed with CLI skills and much more with web and API skills - meaning those that understand code. Keep that in the back of your mind, but don't bury it too much so you won't get phased out ;) Merry Christmas!
@@hquest >"The Ubiquity is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirty cheap" I definitely agree. TP-Link Omada SDN is even cheaper than Ubiquiti, with a modicum more privacy. The difference vs mid to low tier enterprise grade gear is beyond performance. While the performance gap may actually be shrinking, the gap that's widening is support and especially how well the various features are tested by these vendors before they're rolled out.
7:10 As you explained, vlans operate on the data link layer which is layer 2 of the OSI model. Therefore the vlan segmentation is configured on a switch. And technically not on a router. However, you are correct as most home routers are a firewall, switch, router and modem all packed into one device.
Actually, a switch, at it's most basic, doesnt do any of this. This is still taken care of by routing. I.E. Smart switches, are basically still routers. "Dumb" switches cannot do any of this, they are basically glorified hubs that also still route IP traffick to specific network segments, without any other rules. The realm between "router", and "switch", nowadays has been greatly blurred.
@@jdmayfield88 I believe the point OP is trying to make with this comment, is that Switching and Routing are clearly defined and very different things, which is important to understand when wrapping your head around how VLANS work. And Even though dave is managing his network from the Unifi controller, which lets him configure VLANs and routing policies in one place, the VLANs are actually configured in the switches domain at L2, and the subnets, interfaces, and routes are the router's domain at L3. The two layers don't really care about or even know what the other is doing even if they are brought together and manageable through a slick SDN controller interface like this.
The IEEE 802.1 term for a device operating at layer two is “bridge”. I think switch is an implementation specific term and really only came to be used when we starred building custom silicon for networking. The original layer 2 bridges were PCs with multiple network cards. So were a lot of the early routers, which were often called gateways. Switch became used to distinguish repeaters (hubs) from devices that inspected the packets at near line rate rather than blindly repeating at the bit level.
@@TheBitWhisperer 100% correct. But I was trying to not get *too* into the weeds. FWIW, My intent wasn't to be pedantic or anything lol The subject is pretty esoteric, so I just wanted to close the loop a little bit for anyone watching and reading the comments who might be trying to wrap their heads around high level VLAN concepts. That's all :)
@TheBitWhisperer The term bridge however is commonly confused with a hub. Hubs being those old crap switches that broadcast packets across all their ports as opposed to L2 switches that tie each port to the MAC address plugged into it, and only routing packets destined to that MAC, to that port so devices plugged into other ports cannot sniff the traffic.
Hey, Dave, I think videos like this may be one of your callings. You should do more. The digital world would be a better place for it! And easier to understand.
I've got a udm pro se and all ubiquiti hardware as well. Great video to explain how this all works. I sent the link to several friends who should understand this as well.
Guess I must be getting old as I remember many of those items. As a small boy we lived in an apartment building where my dad was the super. It had a coal fired boiler. I remember the coal truck delivering coal down the cute into the coal bins. We also had an insulated box by the front door for milk delivery. The building had a dumb waiter for sending trash to the basement for loading in barrels for pickup. I attended a vocational high school in the late 1960’s where I trained to be an electrician. One of the things learned was how to install knob and tube wiring. Another thing I remember was when we moved in house there was a mail slot on the front door where the mail man dropped off your mail. So much has changed.
Cheers, hadn't really though about VLANs for home networks, only corporate, but your right given the amount of IOT devices even on security alone it would be worth it.
Great start from 90,000 ft Dave! Where should I go to learn in detail everything I need to know from theory to nuts and bolts on how to set up my own VLANs?
Hey! What a great YT recommendation! I am rebuilding my whole network because gear I wanted 8 years ago is just on eBay now! Putting together a whole Ubiquiti system, and i'll need VLANs. I am going to swap over to WPA3, but a few devices still must have WPA2. So i'm (probably) gonna make a separate WPA2 VLAN that just connects to the Internet and not inter-device.
When it comes to broadcast and physical bandwidth utilization, consider those colored pipes as able to expand their diameter. VLANs only get limited on access ports on a switch that supports vlan segmentation. Trunks in Cisco terminology or ports with VLAN tagging as other brands designate it will still pass all VLANs through, and can be probed. Thus a single VLAN can saturate ALL ports that allow that VLAN through, thus possibly choking bandwidth on ports and cables for VLANs that share the same physical structure. If you are using 'dumb' switches, that is switches that don't support VLANs, they will pass all VLANs through it to all other ports on that switch. You'll need a switch that supports VLANs though to strip off that tagging, otherwise the end device might not accept the traffic, since it may consider the frame corrupt when it sees the VLAN tag still in the frame. A better way to look at VLANs are marked cars on a highway. You can still see all the cars and they take up space on the highway, but perhaps cars tagged with blue license plates are only allowed in and out of some exits, while cars tagged with red license plates can only go on others. Then there's the interchange exits where cars with any color license plate can get through. If red cars attended a convention that suddenly let out, those red cars could flood the highway and prohibit them blue cars from getting through.
It's safer to consider what will happen to tagged packets in a non VLAN aware switches as undefined, because apparently some switches just drop tagged packets.
Thanks for explaining VLANs... I think though, that I will have to watch it again later due to a mild state of EMISOB (Early Morning Induced Slowness of Brain) 😅 All the best, Per (Denmark)
I question if homes really need multiple VLANs. If you have IoT, I can see that. For broadcast storms I wouldn't worry about those. They only occur when you have redundant links between switches which causes loops. Spanning-tree protocol is designed to handle that. As well as LACP, and VPC. At an enterprise level though, VLANs are everything.
NotPorn is such a classic move. As a quick aside, I know you're always striving to better your channel, so I'd like to suggest considering a lapel mic, or something similar. At some points in time during this video, your animated speaking lead to you moving toward and away from your mic - this wasn't super noticeable on my phone's speaker, but once I swapped to my Bluetooth headset, the changes in volume and intensity were quite jarring. It's nothing that will stop me from watching your content, just something I thought you may want to be aware of 🙂 Much love as always, Dave!
it's doing my head in. i learnt all my networking in the old school. i have no problem understanding the basic concepts of VLANs but, the rub is in setting it up, and not bricking myself out from devices. knowing what to tag/untag/exclude at each of my devices is giving me a headache. I have a edgerouter, and edgeswitch, and a unifi UAP....and i need to segregate some things on the switch and some on the UAP....without the UAP getting blocked to get to controller on my PC. I watched a few videos and am not much wiser as to how to set it up properly. Any suggestions on reading material, so i can figure out what to T/U/E at each network device?
Good timing, i am in the middle of planning my vlan setup now. I just setup opensense and my smart switch. Im trying to figure out proper rules and subnets that make sense. Hopefully i can figure it all out.
What if I want green and red networks to access a shared resource? For example, I would like my "smart" TV to ideally be in its own network, but it also needs to be able to access the DLNA server (NAS) and I have to be able to access the NAS from green as well.
Whats creepier is I just finished a guest AP for a gym and just finished a phone call with my boss about if he wanted to bill for the programming hour(s) to add security to the wifi and rest of the network. Then this gets recommended. Good job algorithm. 🍻
I like your videos Dave, but I must levy some criticism - any time I see someone online talk about VLANs (which seems like a popular video topic lately) and I *don't* hear them talk about the concept of a broadcast domain, it's an instant failure. You can do network segmentation on the network layer/L3 of the OSI model. But there are reasons we use VLANs - distinctly because of broadcast domains. You briefly mentioned broadcast storms/switching loops but you should have spent a much greater amount of time here.
I am new to vlans, thanks for the video; so my comment could be wrong. But it would seem that using VLANs, you could run single cable (the "white" pipe) from the your main network router which defines the VLANs to the bedroom part of the house, and then put a managed network switch the supports 802.1Q (say NETGEAR 5-Port Gigabit Ethernet Plus Switch (GS305E)) there; and assign the kids VLAN to two ports, and run a cable to a jack in each kids room; assign office vlan to a third port and cable that to an un-managed hub in your home office, and a guest VLAN to a fourth port, and connect that an WiFi access point? If so, this explaination would be great to add to the video
Think about eletrical wires, one is blue - neutral, one is red -power, one is green - ground. They run together but are separated using the plastic casing.
The most technical explanation of VLAN's is the segmentation of broadcast domains. Each MAC address table entry also has a VLAN property constraining local and broadcast traffic within itself. By using segmentation you force traffic to a router, switched virtual interface or firewall where you can define policy for traffic between VLAN's. However this is important: a broadcast storm on 1 VLAN WILL bring your entire local network down even if that traffic belongs to another VLAN on the same switched network. Only traffic living on another physical interface on an upstream router or firewall will not be affected since the broadcasts only are on 1 physical interface. The reason why switch CPU's spike in a broadcast storm is because they have to continually rewrite the mac table because source MAC addresses keep jumping between ports. And writing to the CAM memory has to be done by the CPU.
"They can't see me, but I can see them." This is what I've been looking for! Does it allow phone apps and PCs to still function with LAN protocols while all IoT devices are on their own VLANs? The LIFX app, for instance, uses UDP packets to address all devices with multicast. I'd like my phone to still be able to see them. Would you also recommend creating more VLANs for each brand of device? Nest, WeMo, LIFX, etc. Separate them all into their own VLANs?
The different colors in a pipe is the best analogy I've heard for vlans!
Thanks! I was hoping that would resonate with some folks!
I agree, the pipe analogy and the visuals in this video are probably the best explanation of the vlan concept I've ever seen in the past 15 years of my career.
Same! I totally agree! Once Dave said that, it all started to make sense!!!
@@DavesGarage Yes, I am revising some of the basics, that really helped me
@@DavesGarage This analogy resonated with me, wonderfully!
Dave, I do appreciate how you just 'lay it out there' so simply for all of us! Things don't seem so intimidating the in style in which you teach.
From a user +,
Thank You!
I'm studying for my CCNA 200-301 I understood every word you said!!!!!
Then your studying is working. Heck yeah :)
Dave, please don't ever stop making videos. Love the content and love learning about networking
DAVE, I have been in IT for a while and have done a lot of networking, but your Pipe description is the best metaphor I've heard for this thus far. Thank you!
Excellent, straightforward introduction to VLANs. You knocked it out of the park!
This is a fantastic explanation of VLANs for networking newbies like me. Thank you Dave for making this video and including an example of configuring VLANs in Unifi hardware.
Unifi is awesome! ❤
Dave, you are easy to listen to, you make sense and cut out the guff. I have not touched networks in years (used to for my job) and this saved me the "dont use it you lose it recovery time" and I learnt stuff. Thanks Tibby
It can be difficult to find a person with deep background in these more esoteric topics, really appreciate the clarity of the presentation.
Goes for anything...
One of the best explanations of VLANs I have come across. Your analogy with the different coloured sub-pipes works great :)
Great video! Small nitpick at 6:30. In Ethernet frames, destination MAC address comes before source MAC address (opposite the ordering of addresses and ports in IP and TCP/UDP headers).
I've worked on data center network and systems deployments for years and i find this video compelling!
Thank you for explaining it completely!! There are many quick/easy vlan videos that miss important details, like the difference between port based and ethernet frame tagging vlan implementation. This was confusing me, and your video cleared it up.
I’d tell you a joke about udp, but I’m afraid you may not get it.
Just tell it to me QUIC, problem solved 😂
idk what usp is but I get the joke
i bet if you told a tcp joke he would get it!
id tell you a joke about my brain. but i forgot where it is
@@TeaBagginsMcGee Indeed. This needs to be acknowledged.
Great explanation! That pipe-in-a pipe concept gave me the needed understanding of what VLANs are.
OUTSTANDING!! So many people I work with don't understand them, and confuse Vlan's with a ip segment!! Your water example is great, and I plan to share your video with others.
Thank you very much!
Most VLANs are used in tandem with their own IP range. You generally don't have 2 VLANs on the same subnet for example.
You can have multiple IPs for one VLAN, but only one VLAN per IP range. In practice 99% of the time it's a 1:1 mapping.
Love it Dave! So simple and yet still informative. In fact it prompted me to update my UniFi settings at home as your simple quick demo highlighted a couple of errors I had I my rules. Thank you from the top of Scotland!
Hey Dave! This is great info and is VERY WELL presented. I always enjoy and look forward to you videos.
I appreciate that!
I would really love more of these computer basics educational videos from you!
Another good video. I like how you don't mess around and waste my time. Thank you!
Another great video that explains what can be a complex subject in an easy to digest fashion. Cheers!
I use a VLAN to block my mother in law from going on Facebook. Makes conversations with her less crazy
Dave - please do more of these type of videos as this was really useful
This video was awesome, please make more videos like this with the detailed break down of the topic. I'm going to share this video with friends.
The quality and color of your videos is outstanding. I was recently given an older 24-port dell managed switch and I plan to experiment with VLANs. Thanks for the info! subbed.
I surprised you haven’t hit a million subscribers yet
You videos are awesome
the most straight to the point vlan video i've ever watched, thank you
Thank you for this video. Yesterday was the first day my home network consisted more than the ISP modem/router combo and a small unmanaged switch. I spent most of the day shooting myself in the foot through unknown trouble guessing and hopes.
This mainly discusses network segmentation and isolation. I prefer to think of VLANs as a separate topic since you can do the former without the latter, especially in simple cases. I see VLANs as just a way that one cable can carry multiple isolated networks between VLAN aware equipment. A VLAN aware switch can be divided into several isolated switches, and its ports can be configured to be part of any one (or more) of the isolated switches, a single cable can carry groups of isolated networks between routers, switches and Wi-Fi access points. It's also worth noting that ordinary untagged traffic is just as isolated from the VLANs as they are from each other.
Thank you , I was looking for info about VLANS a few months ago . This is much clearer than anything I previously found .
I subscribed to your channel Dave! Great explanations and even with my A.D.H.D., I get you, my neuro-divergent brother. The world needs more minds like ours, indeed! Great videos, keep 'em coming.
VLANs are a big deal in enterprise environments. Even in a home LAN, the concept is very useful!
Excellent, easy to understand video, Thank you, very helpful!
The "NotPorn" VLAN was hilarious 😂😂
You just saved me thousands of hours explaining the cost and benefits of configured router, switching and wireless access. Thanks Dave.
Great video, Dave! I found it very helpful to me as an aspiring network administrator. Cheers!!
Thank you, Dave. Always enjoy learning from you.
Dave, I love how you broke this down and simplify VLANs!! As a Lead Infrastructure Engineer I have to explain how VLANs work, I will definitely be using your analogy of the pipes inside a larger pipe. Thanks for sharing and keep the content coming! Great work.
Thank You Dave for that whole detailed presentation!
Great video, I run 8 vlans with the by default untagged vlan is the guest network and carries the other vlans as tagged. The only exception is for cctv where those ports are untagged in the cctv network, but don’t carry the other tagged networks.
Just be mindful there are two different elements in play: wired VLANs and wireless SSIDs. While you can create an extremely long list of VLANs (around 4000), including one VLAN for each and every device (literally, if used for micro-segmentation, for instance), you have a limit of wireless SSIDs you can run on your equipment before you start to lose performance.
A somewhat "secure" home wireless setup would be built with independent "private", a "guest" and "IoT" SSIDs. Each SSID would run on top of (or be "tagged" to) one wired VLAN, as you detailed on your video.
Good stuff, Dave - now get the video listed so others can watch it too without having a link to it 👍
Each ssid will broadcast beacons, reducing overall performance.
The UniFi Network Application supports WiFi Private Pre-Shared Keys (PPSK), so you can use multiple VLANs with only one SSID. You can still keep a second SSID for the "guest network" just for aesthetics; but there's no need for separate IoT, camera, etc. SSIDs when using PPSK, which the equipment Dave's shown does support. Thusly, no impact on performance due to too many SSIDs as you've correctly pointed out.
This is exactly what I do. I run a private SSID for my roommates and I, a guest SSID for well, guests, and an IoT SSID for IoT things like cameras and doorbells, plus another one for devices I don't trust (for example, a Windows XP machine I'm forced to connect to the internet). I only have four VLANs though, but I'm thinking about separating everything into it's own network that all have internet access. I just don't know how to do that
@@bjoern.gumboldt It all depends on the product and skill level. The average user will be running whatever garbage gear their ISP provides them, or whatever gear they can buy for cheap that is friendly enough for them to configure.
For more advanced solutions, yes, the UniFi network and the PPSK are great. At home, I do have my own NAC server, which authenticates the client and instructs the network to enforce policies, including VLANs, ACLs and URL redirections, so I too only run one SSID for maybe 6 different use cases, all fully isolated from each other. However, this has a cost and such complexity that is unrealistic to average users.
Unless you use EAP ("enterprise") security, then you can configure different devices to authenticate to the same SSID separate accounts that map to different VLANs with most APs.
But that's assuming the devices actually support EAP, which in practice absolutely none of them do. And even when they do they tend to be full of bugs, like Android's compatibility problems with default Let's encrypt certs (and crap documentation with even more crap error messages). So it will work with your laptops and phones, which you likely don't have any reason to isolate anyway, but all the stuff with sketchy firmware will need an extra dedicated SSID.
Very good information - was dabbling with VLANs recently. Love the channel
Wonderful breakdown and very digestible while not being too simple to become useless
Great insights on VLANs, Dave! But let's not forget about VLAN hopping - a sneaky technique that can breach VLAN segregation. It's a real eye-opener for network security, showing that even VLANs aren't impervious to attacks. Always a good reminder to double-check our configurations and stay vigilant!
This stopped being an issue in the early 2000s with cisco and its clearly indicated to never use vlan1 in all of ciscos documentation to avoid this when mixing vendors with poor implementations.
VLAN hopping really isn't a fun subject. Switches needs to be fast. Which means they can't be too smart at the same time.
It literally knows where in the CAM table each device is, What interface and vlan.
The only place you're getting on another vlan in a proper deployment is a trunk port.
Now on small home networking gear this is probably an issue but the last generation from cisco on the catalyst line and nexus line where it was an issue was in the early 2000s. @@perwestermark8920
Its been standard practice in both cisco's hardening guide, and the NSA security guidelines to never use vlan1. And never leave trunkport status to auto negotiation.
edit: A quick google shows this is exactly the same as it was when the advisory went out initially for the 1900 series, 2900 series and 3500 series catalyst switches when this was discovered in the early 2000s. Don't use VLAN1/ the untagged vlan.
I don't think there is a single person in the industry that does this because its been common knowledge how incredibly stupid the concept of using vlan1 mixed in is since at least 2001.
The moment he said it was done in software, my very first thought was "How easily can this be exploited or hacked?" - I definitely wouldn't trust something like this with my life, but still I'm sure it'll stop the vast majority of spyware.
Good ol double tagged vlans
Great video for newbies. Well explained
Kudos Dave for the concept of coloured pipes within pipes - a very nice way to visualize virtual LANS.
Thank you Dave!! I truly needed to watch this video. Your explanation is very helpful.
Most interesting, I think for the first time I understand the basic use of VLANs, I will need to watch again and take notes. I think when I watch your videos I almost always learn something or gain more understanding about computing. Thank you.
You should teach computer concepts, you have an amazing talent for explaining complex things!
That’s exactly what he is and has been doing lol
@@triforcelink very true - I stand corrected
Hi Dave, network engineer here.
Good job on the video, a few errors but we’re cool! 😂
I see your world and ours converging fairly rapidly. Looking at what you’re able to achieve with a GUI on home equipment is astonishing to me if not a little but scary!
I work at an airport where our server team and my network team work closely together. Technology moves in waves in big business but I’m seeing the capability advance far quicker now. There already is a blurred line between server and network teams that’s going to be interesting to live through over the next few years.
I appreciate you bringing networking to your channel. It’s an important collaboration that many must take for granted. In the corporate world having experts in both fields is a blessing.
Writing code for operating systems is well out of my reach of understanding. However I always like to see the other side. Mainly to know I’m completely incapable of understanding a single like of code.
Have a good Christmas mate.
Speaking as a server engineer and working for the Ambulance Service we work very closely with the network engineers. It really helps if each know at least a bit of the other, basic things like the OSI 7 Layer Model should be known by both. It is much easier to try and explain what you think a networking issue is if you can troubleshoot and give your diagnosis to the network team.
I still love those topology diagrams comparing network to servers engineers involving "magical pixie dust" 😂
What did he get wrong?
@@TequilaDave I work in the power industry and substations have huge networks that carry TCP packets about how the power is flowing. The info is coded into a TCP packet. Everything you can imagine from voltages, control signals, etc. Look up IEC 61850 if interested. Vlans are extremely important.
@BaZzZaa Another fellow network person here. I would not call Dave's videos "errors", but semantics that could be better clarified - one such as I did on another comment in his video about VLANs and SSIDs.
The Ubiquity is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirty cheap, if compared with crappy ISP provided gear or the options we would be recommended at regular brick and mortar stores.
About GUI changes, well, that has been more and more common lately. Not sure which gear you use, but many if not all of them do offer strong configuration capabilities via a GUI - be it in form of a native app or web app - to the point you will use CLI for initial configuration and perhaps some very obscure troubleshooting only.
Keep in mind the world is progressing towards the cloud, and even while on-premises will still reign for a long while, programmability has been the key for almost a decade now. There will be fewer folks needed with CLI skills and much more with web and API skills - meaning those that understand code. Keep that in the back of your mind, but don't bury it too much so you won't get phased out ;)
Merry Christmas!
@@hquest >"The Ubiquity is not exactly "home gear". I would call it SoHo to Small Business friendly. Not exactly datacenter/carrier grade, that's for sure. But they have some brilliant products for dirty cheap"
I definitely agree. TP-Link Omada SDN is even cheaper than Ubiquiti, with a modicum more privacy. The difference vs mid to low tier enterprise grade gear is beyond performance. While the performance gap may actually be shrinking, the gap that's widening is support and especially how well the various features are tested by these vendors before they're rolled out.
7:10 As you explained, vlans operate on the data link layer which is layer 2 of the OSI model. Therefore the vlan segmentation is configured on a switch. And technically not on a router. However, you are correct as most home routers are a firewall, switch, router and modem all packed into one device.
Actually, a switch, at it's most basic, doesnt do any of this. This is still taken care of by routing. I.E. Smart switches, are basically still routers. "Dumb" switches cannot do any of this, they are basically glorified hubs that also still route IP traffick to specific network segments, without any other rules. The realm between "router", and "switch", nowadays has been greatly blurred.
@@jdmayfield88 I believe the point OP is trying to make with this comment, is that Switching and Routing are clearly defined and very different things, which is important to understand when wrapping your head around how VLANS work. And Even though dave is managing his network from the Unifi controller, which lets him configure VLANs and routing policies in one place, the VLANs are actually configured in the switches domain at L2, and the subnets, interfaces, and routes are the router's domain at L3.
The two layers don't really care about or even know what the other is doing even if they are brought together and manageable through a slick SDN controller interface like this.
The IEEE 802.1 term for a device operating at layer two is “bridge”. I think switch is an implementation specific term and really only came to be used when we starred building custom silicon for networking. The original layer 2 bridges were PCs with multiple network cards. So were a lot of the early routers, which were often called gateways. Switch became used to distinguish repeaters (hubs) from devices that inspected the packets at near line rate rather than blindly repeating at the bit level.
@@TheBitWhisperer 100% correct. But I was trying to not get *too* into the weeds. FWIW, My intent wasn't to be pedantic or anything lol
The subject is pretty esoteric, so I just wanted to close the loop a little bit for anyone watching and reading the comments who might be trying to wrap their heads around high level VLAN concepts. That's all :)
@TheBitWhisperer The term bridge however is commonly confused with a hub. Hubs being those old crap switches that broadcast packets across all their ports as opposed to L2 switches that tie each port to the MAC address plugged into it, and only routing packets destined to that MAC, to that port so devices plugged into other ports cannot sniff the traffic.
Super straightforward and helpful, awesome video man
This channel is VG. That is “Virtual Gold” and it’s worth more than its weight🙏🏼
Hey, Dave, I think videos like this may be one of your callings. You should do more. The digital world would be a better place for it! And easier to understand.
I've got a udm pro se and all ubiquiti hardware as well. Great video to explain how this all works. I sent the link to several friends who should understand this as well.
Guess I must be getting old as I remember many of those items. As a small boy we lived in an apartment building where my dad was the super. It had a coal fired boiler. I remember the coal truck delivering coal down the cute into the coal bins. We also had an insulated box by the front door for milk delivery. The building had a dumb waiter for sending trash to the basement for loading in barrels for pickup. I attended a vocational high school in the late 1960’s where I trained to be an electrician. One of the things learned was how to install knob and tube wiring. Another thing I remember was when we moved in house there was a mail slot on the front door where the mail man dropped off your mail. So much has changed.
Never heard it explained so well. Nice video
This definitely reminds me that I need to set up a more complex router than the one provided by the ISP. I needed that reminder.
I really like your channel. This episode may have inspired me to finalise some network security !
Physical switch port isolation is still needed to seperate different segments of the network.
That was exactly what I needed!!! Thank you so much Dave!!! You da man!!! 👍
Great presentation Dave. Cheers from OZ
Cheers, hadn't really though about VLANs for home networks, only corporate, but your right given the amount of IOT devices even on security alone it would be worth it.
Great start from 90,000 ft Dave!
Where should I go to learn in detail everything I need to know from theory to nuts and bolts on how to set up my own VLANs?
Probably a Cisco mgmt course, or the prep for one that deals with VLANs and Subnets. On RUclips, I'd check out Network Chuck and Techno Tim.
Hey! What a great YT recommendation! I am rebuilding my whole network because gear I wanted 8 years ago is just on eBay now! Putting together a whole Ubiquiti system, and i'll need VLANs. I am going to swap over to WPA3, but a few devices still must have WPA2. So i'm (probably) gonna make a separate WPA2 VLAN that just connects to the Internet and not inter-device.
Learning every day....
I see from the VLAN name that I've found the right place with like-minded people...carry on, sir.
When it comes to broadcast and physical bandwidth utilization, consider those colored pipes as able to expand their diameter. VLANs only get limited on access ports on a switch that supports vlan segmentation. Trunks in Cisco terminology or ports with VLAN tagging as other brands designate it will still pass all VLANs through, and can be probed. Thus a single VLAN can saturate ALL ports that allow that VLAN through, thus possibly choking bandwidth on ports and cables for VLANs that share the same physical structure.
If you are using 'dumb' switches, that is switches that don't support VLANs, they will pass all VLANs through it to all other ports on that switch.
You'll need a switch that supports VLANs though to strip off that tagging, otherwise the end device might not accept the traffic, since it may consider the frame corrupt when it sees the VLAN tag still in the frame.
A better way to look at VLANs are marked cars on a highway. You can still see all the cars and they take up space on the highway, but perhaps cars tagged with blue license plates are only allowed in and out of some exits, while cars tagged with red license plates can only go on others. Then there's the interchange exits where cars with any color license plate can get through.
If red cars attended a convention that suddenly let out, those red cars could flood the highway and prohibit them blue cars from getting through.
It's safer to consider what will happen to tagged packets in a non VLAN aware switches as undefined, because apparently some switches just drop tagged packets.
1:07 thank you Dave for confirming the internet is a series of tubes
i just love your voice man, you can sell me anything. Thanks for the information much appreciated
Thanks for explaining VLANs... I think though, that I will have to watch it again later due to a mild state of EMISOB (Early Morning Induced Slowness of Brain) 😅 All the best, Per (Denmark)
Nice, ta. However, the video on virtualisation is NOT currently linked in this video's description, as mentioned at 17:09 - maybe it was forgotten?
Love this DAve, I have wanted to ask for this since watching your Ubiquity video
Thanks for this video vlans always left me head scratching
Clear and comprehensive. Thank you!
I question if homes really need multiple VLANs. If you have IoT, I can see that. For broadcast storms I wouldn't worry about those. They only occur when you have redundant links between switches which causes loops. Spanning-tree protocol is designed to handle that. As well as LACP, and VPC. At an enterprise level though, VLANs are everything.
NotPorn is such a classic move.
As a quick aside, I know you're always striving to better your channel, so I'd like to suggest considering a lapel mic, or something similar. At some points in time during this video, your animated speaking lead to you moving toward and away from your mic - this wasn't super noticeable on my phone's speaker, but once I swapped to my Bluetooth headset, the changes in volume and intensity were quite jarring.
It's nothing that will stop me from watching your content, just something I thought you may want to be aware of 🙂 Much love as always, Dave!
you got a new subscribe sir- I like your delivery style.
Thanks and welcome!
it's doing my head in. i learnt all my networking in the old school. i have no problem understanding the basic concepts of VLANs but, the rub is in setting it up, and not bricking myself out from devices. knowing what to tag/untag/exclude at each of my devices is giving me a headache. I have a edgerouter, and edgeswitch, and a unifi UAP....and i need to segregate some things on the switch and some on the UAP....without the UAP getting blocked to get to controller on my PC. I watched a few videos and am not much wiser as to how to set it up properly. Any suggestions on reading material, so i can figure out what to T/U/E at each network device?
Good timing, i am in the middle of planning my vlan setup now. I just setup opensense and my smart switch. Im trying to figure out proper rules and subnets that make sense. Hopefully i can figure it all out.
As a networking degree holder myself, I appreciate the inclusion of the OSI model.
What if I want green and red networks to access a shared resource?
For example, I would like my "smart" TV to ideally be in its own network, but it also needs to be able to access the DLNA server (NAS) and I have to be able to access the NAS from green as well.
Thank you for sharing your knowledge appreciate it.
Whats creepier is I just finished a guest AP for a gym and just finished a phone call with my boss about if he wanted to bill for the programming hour(s) to add security to the wifi and rest of the network. Then this gets recommended. Good job algorithm. 🍻
I like your videos Dave, but I must levy some criticism - any time I see someone online talk about VLANs (which seems like a popular video topic lately) and I *don't* hear them talk about the concept of a broadcast domain, it's an instant failure. You can do network segmentation on the network layer/L3 of the OSI model. But there are reasons we use VLANs - distinctly because of broadcast domains. You briefly mentioned broadcast storms/switching loops but you should have spent a much greater amount of time here.
Yet another great video. Thank you!!!!
I am new to vlans, thanks for the video; so my comment could be wrong. But it would seem that using VLANs, you could run single cable (the "white" pipe) from the your main network router which defines the VLANs to the bedroom part of the house, and then put a managed network switch the supports 802.1Q (say NETGEAR 5-Port Gigabit Ethernet Plus Switch (GS305E)) there; and assign the kids VLAN to two ports, and run a cable to a jack in each kids room; assign office vlan to a third port and cable that to an un-managed hub in your home office, and a guest VLAN to a fourth port, and connect that an WiFi access point? If so, this explaination would be great to add to the video
Thanks Dave. Very interesting and informative.
great job, thanks Dave
Thanks, this could be very helpful for my home automation. Have a wonderful day
Think about eletrical wires, one is blue - neutral, one is red -power, one is green - ground. They run together but are separated using the plastic casing.
The most technical explanation of VLAN's is the segmentation of broadcast domains. Each MAC address table entry also has a VLAN property constraining local and broadcast traffic within itself. By using segmentation you force traffic to a router, switched virtual interface or firewall where you can define policy for traffic between VLAN's.
However this is important: a broadcast storm on 1 VLAN WILL bring your entire local network down even if that traffic belongs to another VLAN on the same switched network. Only traffic living on another physical interface on an upstream router or firewall will not be affected since the broadcasts only are on 1 physical interface.
The reason why switch CPU's spike in a broadcast storm is because they have to continually rewrite the mac table because source MAC addresses keep jumping between ports. And writing to the CAM memory has to be done by the CPU.
Thanks, Dave! Appreciate ya...
Outstanding video - Many thanks
Love your videos. Thanks a lot for all!
Here I am splitting my 5Ghz from my 2.4Ghz and running 3 different physical routers. Thanks for this!
"They can't see me, but I can see them." This is what I've been looking for! Does it allow phone apps and PCs to still function with LAN protocols while all IoT devices are on their own VLANs? The LIFX app, for instance, uses UDP packets to address all devices with multicast. I'd like my phone to still be able to see them.
Would you also recommend creating more VLANs for each brand of device? Nest, WeMo, LIFX, etc. Separate them all into their own VLANs?
Great info, i'm looking into doing this on my home network 👍👍
Great video, thanks, Dave!
Great video Dave. Thanks!