Finally!
Been waiting on this for a long time!
8.1.113 just dropped as an RC. There are more ACL features worth mentioning under Global switch settings, as well as a note about what is coming next. Seems like they have a lot planned 😁
Cisco calls these VLAN ACLs. If you're using the Layer 3 switch as your default gateway and routing between the VLANs at the switch instead of using the router-on-a-stick method, such as when the UDM is the gateway and does the routing between VLANs, VLAN ACLs are what's needed to block the inter-VLAN traffic. Doing the routing in the switch is much faster than sending the traffic to the router and back to the switch again.
When doing SFP+ through aggregation switches you don't want to go back to the router for VLAN stuff. It'll be interesting to see where this goes in terms of utility.
@randominternet5586 Why SFP+ specifically?
@psycl0ptic I imagine the link between the gateway and switch is less than 10 Gb.
Glenn said there are a lot more fine grained ACL rules coming soon too. You can create them like firewall rules but for L3 switch and VLAN control. He said this:
"You'll be able to set the Action (block or allow), then the protocol, the switches, and source/destination." "plans to get it into the next minor release."
Is it possible to use the DHCP server from the UniFi router to the Pro Max? Somehow I don't receive any IP addresses when I configure the switch on the VLAN.
Could I do ACL in combination with firewall rules on the UDM Pro Max? Also, can VLANs which are isolated be assigned to a WLAN?
YES!! I can't wait to get this done on some of my Grandstream stuff! I need to buy some UniFi switches soon too!
Do you notice any speed gains running the router off the switch?
Yes, you would be able to, because a switch can move and route packets at wire speed.
I see UNAS in the firewall rules 👀
That's for the UNAS green product -- not a UniFi NAS.
Finally ... better late than never :)
Yes....after they implement the rest of your standard L3 functions and a year has gone by without major incident.
It’s a step in the right direction but does it allow access to a DHCP relay or DNS on a blocked VLAN?
Solid video
I have a bad feeling that this is where it's gonna stop; UniFi does not wow me anymore.
VLAN ACLs are a step back in security, as a firewall should be the sole thing segmenting and controlling traffic between networks that use uncontrolled devices (aka end user devices).
What you need as a feature on a switch now is VLAN device isolation. This feature prevents ARP poisoning and DHCP & DNS spoofing on the network, and any device is "alone" with the gateway as the only device it can talk to.
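The rule shape Glenn is quoted describing earlier in the thread (action, protocol, switches, source/destination), the question about DHCP relay and DNS on a blocked VLAN, and the device-isolation point in the comment above all come down to how a first-match switch ACL is evaluated. The following is an added example written for this thread, not UniFi's or Cisco's code: a toy Python evaluator with an assumed addressing plan (gateway, DHCP and DNS on VLAN 1 at 10.0.1.x, a client VLAN 20, a server VLAN 30), an assumed implicit-allow default when no rule matches, and a simplified isolation model in which an isolated device can reach only its gateway and broadcast. The "switches" field from the quote is left out since it does not affect the match logic.

```python
"""Toy first-match evaluator for switch-level (inter-VLAN) ACLs plus device isolation.

Constructed for this thread. It models the rule shape quoted above (action, protocol,
source/destination) and the DHCP relay / DNS exception question; it is NOT UniFi's or
Cisco's implementation. VLAN numbers, addresses and the default action are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "255.255.255.255"

# Assumed SVI (gateway) address on the L3 switch for each VLAN.
GATEWAY = {1: "10.0.1.1", 20: "10.0.20.1", 30: "10.0.30.1"}
DHCP_SERVER = "10.0.1.2"   # assumed: the DHCP server lives on VLAN 1 behind the gateway
DNS_SERVER = GATEWAY[1]    # assumed: the gateway answers DNS


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One ACL entry; a field left as None (or proto "any") matches anything."""
    action: str                 # "allow" or "block"
    proto: str = "any"
    src_vlan: Optional[int] = None
    dst_vlan: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and self.src_vlan in (None, p.src_vlan)
            and self.dst_vlan in (None, p.dst_vlan)
            and self.dst_ip in (None, p.dst_ip)
            and self.dst_port in (None, p.dst_port)
        )


def evaluate(rules: List[Rule], p: Packet, device_isolation: bool = False) -> str:
    """Return "allow" or "block" for one packet using first-match semantics.

    Traffic that stays inside a VLAN is switched, never routed, so the inter-VLAN ACL
    does not see it. Only device (port) isolation restricts it, and then the gateway is
    the only unicast destination a device may reach; broadcasts such as DHCPDISCOVER
    still pass so a client can obtain an address.
    """
    if p.src_vlan == p.dst_vlan:
        if device_isolation and p.dst_ip not in (GATEWAY.get(p.src_vlan), BROADCAST):
            return "block"
        return "allow"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "allow"  # assumed implicit default; the sample policy ends with explicit blocks


# Sample policy: block everything between the client VLAN (20) and the server VLAN (30)
# while keeping relayed DHCP and DNS to the gateway working. Order matters: the allows
# must come before the blocks or the first-match evaluator never reaches them.
POLICY = [
    Rule("allow", proto="udp", dst_ip=DHCP_SERVER, dst_port=67),  # DHCP relayed by the SVI
    Rule("allow", proto="udp", dst_ip=DNS_SERVER, dst_port=53),   # DNS to the gateway only
    Rule("allow", proto="tcp", dst_ip=DNS_SERVER, dst_port=53),
    Rule("block", src_vlan=20, dst_vlan=30),
    Rule("block", src_vlan=30, dst_vlan=20),
]

# Constructed sample traffic.
SAMPLES = {
    "smb_20_to_30": Packet(20, 30, "10.0.20.50", "10.0.30.5", "tcp", 445),
    "dhcp_relayed_from_svi": Packet(20, 1, GATEWAY[20], DHCP_SERVER, "udp", 67),
    "dns_to_gateway": Packet(20, 1, "10.0.20.50", DNS_SERVER, "udp", 53),
    "dns_to_server_vlan": Packet(20, 30, "10.0.20.50", "10.0.30.5", "udp", 53),
    "peer_same_vlan": Packet(20, 20, "10.0.20.50", "10.0.20.51", "tcp", 445),
    "dhcp_discover_broadcast": Packet(20, 20, "0.0.0.0", BROADCAST, "udp", 67),
}


def run_samples(device_isolation: bool = False) -> dict:
    """Evaluate every sample packet against POLICY and return name -> decision."""
    return {name: evaluate(POLICY, pkt, device_isolation) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for isolation in (False, True):
        print(f"device isolation {'on' if isolation else 'off'}:")
        for name, verdict in run_samples(isolation).items():
            print(f"  {name:26} {verdict}")
```

Two things the toy makes visible: the DHCP and DNS allows have to sit above the VLAN-to-VLAN blocks or they are dead rules, and the ACL is stateless, so unlike a stateful firewall it never "remembers" a flow; return traffic is allowed here only because nothing blocks VLAN 1 toward VLAN 20.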
In any large network the proper way to have everything routed is a firewall/gateway that only handles internet-bound traffic, your top L3 switch, which is normally an aggregation switch, handles all VLAN routing and segmentation, and the L2 switches are below that connecting end devices. VLAN ACLs are not a step back at all, but a step towards having all the proper rules for a real network. Homes might not need them or care, but they are absolutely necessary for anything but the smallest of business environments.
@LordSaliss That's the old Cisco 3-tier approach to route traffic outside your network. But internal East-West traffic that requires routing now requires an NGFW, not an L3 switch.
It completely depends on the environment and security posture. In some scenarios it makes sense to use L3 switches and ACLs vs. firewalls.
In larger networks both are often used, but also combined with VRFs, where the VLAN SVIs sit on the L3 distribution/core but traffic moving between VRF zones has to go via the firewall; normally NGFWs are used where traffic can be inspected.
It's IPv4 only, so no use to us that live in this century.