Wiki

User Tools

Site Tools

Trace:
ubiquiti:vlan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
ubiquiti:vlan [2020/12/09 23:40] – created peterubiquiti:vlan [2020/12/10 01:30] (current) – [Ubiquiti - VLAN] peter
Line 1: Line 1:
 ====== Ubiquiti - VLAN ====== ====== Ubiquiti - VLAN ======
  
 +VLANs (Virtual Local Area Networks), segregate traffic within a network.
 +
 +They allow a single physical Ethernet network to appear to be multiple logical networks.
 +
 +Benefits for using VLANs include:
 +
 +  * VLANs keep traffic from different networks separated from each other.
 +  * They enhance network security by preventing wireless devices from accessing LAN resources.
 +  * Increased performance by limiting broadcast domains.
 +
 +While VLAN's are effective for separating network segments and limiting broadcast traffic, it is often a requirement for subnets separated by VLAN's to be able to communicate.  This can be accomplished only through a Layer 3 enabled device that can route between the VLAN's.  Even if both VLAN's exist on a device, their traffic will be segregated unless mediated by a layer 3 routing device.
 +
 +VLAN enabled ports are generally categorized in one of two ways, tagged or untagged.
 +
 +  * VLANs can be port-based (assigning a physical port on a device to a VLAN) or tag-based (tagging particular kinds of traffic with a VLAN tag, as defined by 802.1q).
 +
 +Unifi, usually by default, have all switch ports able to consume both tagged and untagged traffic, but this can be modified.  This is known as trunking, i.e. to have a specific port enabled for VLAN tagging, and the other ports for general access.
 +
 +----
 +
 +===== Other Considerations =====
 +
 +  * For greater security, no SSID should be untagged, i.e. be on the "native VLAN".
 +  * The amount of broadcast traffic on the trunk port to which an AP is attached should be limited.
 +    * Limiting broadcast traffic improves wireless performance.
 +
 +----
 +
 +
 +===== Common Terms =====
 +
 +|VLAN|Virtual Local Area Network, logical identifier for isolating a network.|
 +|Trunk|A port enabled for VLAN tagging.|
 +|Access|A port that does not tag and only accepts a single VLAN.|
 +|Encapsulation|The process of modifying frames of data to include additional information.|
 +|802.1Q|The most common encapsulation method for VLAN tagging.|
 +|Native VLAN|The VLAN associated with all untagged traffic on a trunk.|
 +
 +----
 +
 +===== VLAN's and IP-intefaces =====
 +
 +  * **VLAN** is a Layer 2 (L2) technology; data is sent between clients using mac-addresses.
 +  * VLANs limits broadcast/flooding a domain.
 +  * Only clients in the same VLAN and with IP-addresses in the same subnet, can send data to each other.
 +  * It is not possible to configure any DHCP on A VLAN, since VLAN is a L2 technology and DHCP requires an IP-interface, which is a L3 technology, so this VLAN should either be connected to an external DHCP-server or use static IP-addresses on the clients.
 +
 +  * **IP-interfaces** is a Layer 3 (L3) technology; data is send between clients using IP-addresses.
 +
 +----
 +
 +===== Summary of VLANs =====
 +
 +Ubiquiti always uses **VLAN 1** as the untagged native VLAN.
 +
 +  * Each VLAN is identified by a unique 802.1Q ID.
 +  * VLAN IDs are 1 through 4094.
 +
 +----
 +
 +[[Ubiquiti:VLAN:Trunk Port|Trunk Port]]
 +
 +----
 +
 +<WRAP info>
 +**NOTE:**  There are many different network types that can be created:
 +
 +Any of these networks can be allocated to a VLAN.
 +
 +  * **Corporate** is a general purpose network and by default is assigned to LAN.  
 +    * The UniFi controller will provision not only the VLAN itself but also a matching IP subnet for this VLAN.
 +    * Clients associated to the VLAN uses the IP-interface as a default gateway to reach anything outside the VLAN, like other hosts on other VLAN's, the internet and so on.
 +    * On this VLAN it's possible to configure a DHCP-server locally on the switch to provide IP-addresses to clients.
 +    * IP subnets exist at Layer 3, whereas UniFi switches are purely Layer 2.
 +    * Therefore, if you have no USG, there's no point in creating a "Corporate" VLAN.
 +
 +  * **Guest** will apply the Guest Control setting if you enable the Guest Portal.
 +
 +  * **VLAN Only** will remove any subnet options and can be used to define VLANs for pure VLAN tagging purposes by Unifi switches.
 +    * This allows you to add/remove a VLAN tag to network packets on a switch port (for instance) connected to another, non-Unifi network device that expects/sends these.
 +    * It is not possible to configure any DHCP on this, since VLAN is a L2 technology and DHCP requires an IP-interface, which is a L3 technology, so this VLAN should either be connected to an external DHCP-server or use static IP-addresses on the clients.
 +    * This is the best choice to use for a VLAN, if not using a USG.
 +
 +  * **VPN Client** is USG specific.
 +  * **Site-to-Site VPN** is USG specific.
 +  * **Remote user VPN** is USG specific.
 +
 +</WRAP>
  
-[[Ubiquiti:VLAN]][[Ubiquiti:VLAN]] 
ubiquiti/vlan.1607557201.txt.gz · Last modified: 2020/12/09 23:40 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki