Unifi Layer 3 Switching
Вставка
- Опубліковано 1 чер 2024
- In this video we take a look at Unifi Layer 3 switching. I create two networks that will be using the Unifi USW 24 Pro PoE switch as the layer 3 switch.
We also create access control list within the Unifi USW 24 Pro PoE command line to block out inter-vlan routing
------------------------------------------------------------------------------------
◼️Hire us on our website
mactelecomnetworks.com/
◼️Join our discord server:
/ discord
◼️Contact me on email:
cody@mactelecomnetworks.com
------------------------------------------------------------------------------------
◼️Find us on social media:
◾Instagram:
/ mactelecomnetworks
◾Facebook:
/ mactelecomnetworks
◾Twitter:
/ mactelecomn
◾TikTok:
/ mactelecomnetworks
Linkedin:
/ cody-maccallum-29311b6b
------------------------------------------------------------------------------------
Time stamps
Intro 0:00
Intro to layer 3 switching 0:27
Creating networks on a Layer 3 switch 1:03
Tagging switch ports with vlans ( switch port profiles) 2:24
Inter-vlan routing with layer 3 switch 3:32
Creating an access control list on Unifi USW 24 Pro switch 5:08
Testing the access control list 8:30 - Наука та технологія
Good video, not sure they will ever get that option into the UI anytime soon.
Thanks Tom. I doubt it will ever be implemented into the UI but who knows what the future holds :)
Will it even persist after a reboot?
Thank you! I'm excited to use this
This was a fantastic video, I loved the little demos you do to sanity check as you go, thank you so much!
Great video as always. I followed your video to set up the networks and ACL but i still getting reply when i ping the other host.
I liked your videos, good job!
Hey Cody, great video but I'm curious on the performance of inter vlan routing/L3 routing. As you can do L3 routing in UDM Pro functionally but performance is really bad. I can only get just above 1Gbps throughput. L3 routing at 10Gbps would be the one thing that would warrant buying the unifi pro line switches. Are you planning on doing any performance testing of L3 routing using the pro switches?
Amazing to see that even Ubiquiti has similar CLI commands to Cisco. I'd like to see a video on Ubiquiti commands
Nice job!
I thought I needed a layer 3 switch. I do not. Thanks!
A good simple explanation & demo of setting up Layer 3 switching on a UniFi switch. Personally I'm not too worried about not having the ACL functionality in the GUI because I don't have a use for that typically. If I want to filter a L3 interface I put it on a firewall but the option still needs to be there. The more worrying thing is the DHCP relay not working on a VLAN interface on a L3 switch.
Switch commands? yes please.
You are fantastic at making how to videos! The best unifi youtuber since Howie.
Keep in mind that, its a "best practice" to have all Vlans on the edge router(fw) of course it depends from scenario but, lets say youve got an UTM (sophos, forti, paloalto etc) and having all vlans on those, allows you to apply additional layer of protection enabling traffic filtering etc.
It really depends how much traffic is been pushed through. We have around 2000 vlans at work and 4 core switches all in a mesh whilst the firewall is routing more sensitive and less trusted networks for greater flexibility and easier management than ACLs on a switch. Intervlan routing for Wired clients is done on the L3 switches.
@@davidsomething4867 sure you're right. It depends from scenarios ;)
Can you please do a video to explain this. UniFi Switch - Layer 3 Routing
Layer 3 Routing allows a UniFi Switch to route traffic between VLANs and to other destinations using static routes. It is possible use L3 Routing with a UniFi Gateway or third-party gateway.
cannot get internet access from a layer 3 switch when it is set using unifi XG or Router console.
Really a new video is needed. form theone two years ago. Thsi doesnt seem to work as it is described.
Update is shown in this video
Unifi Network update 8.1.113 : Switch ACLs, OSPF
ua-cam.com/video/wzeQUZLbgSs/v-deo.html
Great video! Do you have a more in-depth video for firewalling and configuring the firewall options in the UDM Pro? Also, a command video would be helpful to watch. Thanks for all you do.
Hi Matthew,
here is a video I did last year on firewall rules
ua-cam.com/video/vEQkCow7wdU/v-deo.html
I most likely will do an overview of the CLI in a video coming up
@@MactelecomNetworks awesome thank you! At a glance, the Cli is very similar to Cisco.
I saw that you configured "Block inter-vlan routing rule" in the firewall to prevent RFC1918 to RFC1918. But I also noticed that you configured VLAN ACLs to prevent inter-VLAN communication. Is this necessary? Why are you doing this?
Have the cli commands changed with the new releases? ip access-group % Unrecognized command
Is possible if you can make an updated video of the layer 3 switch configuration? Thank you.
Good video you might want to look into L3 and DHCP relay and see what the results are.
Someone pointed out to me that its not working I hadn't tried it but will give it a try later this week
Would be interested in seeing you test adding of additional static routes for the VLANs. It is exposed to the UI for the pro switches but doesn’t seem to actually do anything. If you then add via the cli it all kicks into life and works but doesn’t survive a reboot. Can’t seem to get any traction with UniFi to fix what has to be a bug. One of their firmware releases states the support for it.
Great video. Now just have to wait for UniFi to implement it in the UI. Hopefully they will before I need to purchase my next switch, as i need L3 routing and would prefer to stay with UniFi.
Ya the command line is a little slow that’s for sure
@@MactelecomNetworks not so worried about using a CLI. Mostly concerned that my changes will be persistent.
Does most of the cisco switch commands work with ubiquiti? Like saving to nvram is "copy run start" . You did "write mem" but I was curious if the cisco ones work too.
Thanks for the Video, does the Switch get an IP-Adress in every VLAN or how does Unifi Handle this?
As I’ve stuffed up my ACLs - anyone know what command I can use to edit them - and the access group?
Thanks for the video…. I would love to see someone do a proper video in mDNS across VLANs as out of the box this feature does not work properly for my network. I am unable to cast, get the Sonos speakers work across vlan network.
Please make a video on all the commands that we can run on ubiquiti products.....also all the debug commands
nice video Cody, Just a shame there is no persistence when you make config changes in the CLI. I'm in the process of trying to write a script, so when it does reboot it should put everything back on automatically but I've had a few delays on getting round to finishing it.
Something else worth noting is the DHCP Relay does not work on L3 switches. The UniFi console allows you to create one, but doesn't actually do anything which is frustrating when you have Windows Server DHCP setup.
That’s good to know I didn’t test the dhcp relay
Nice Sharing!
Did you ever do a video on UDM pro firewall rules?
Hi this is a video I did last year on firewall rules
ua-cam.com/video/vEQkCow7wdU/v-deo.html
Are there any news / updates on this topic?
Can you set up the Access List from the unifi gui? This would be annoying to configure on mass deployments of unifi layer 3 switches.
No you can not at this time
Hi Cody, question - you sometimes use a command prompt and other times a Pudy session. What’s the difference?
Putty is used to access SSH sessions, a command prompt is local
Great video. I wish UniFi had ACLs built-into Network to make it easier to configure. Just so I understand correctly, all routing is done through the switch except interVLAN (which goes through the router). Does an L3 network still have ability to have WAN access? Would there be any benefit in moving an IoT or camera network/VLAN to an L3 network? I would still need interVLAN routing as my UNVR is on my main LAN.
Thanks for all your videos!
Hard to believe it's only just now making it to Unifi... guess I'm so used to working with Cisco.
It’s been out for a little while but for home and small business you don’t really need it
@@MactelecomNetworks Hey! Needs are individual. 😊 I sure want this for my SMB network.
Is this SSH to create temporary ACL rules still the only way to make these rules for setting up inter-vlan blocking for L3 switches?
There is an update coming out that will allow us to do it in the gui interface. It’s currently in early access
@@MactelecomNetworks Awesome. I guess that's about perfect timing for me. lol. I do have Early Access on my account, and I am about to put my L3 switch in later today which is why I have been going around watching videos on Unifi ACLs. Is the place to make those ACL rules in something like Settings -> Routing -> Policy-Based Rules? Or do I make them in Settings -> Security -> Traffic & Firewall Rules?
I did figure out the area to configure the ACLs. It is unfortunately an all or nothing thing right now. Block a whole VLAN from another VLAN. I wish I could make exception rules or just specific rules, as I want to block most devices but let 1-2 from some VLANs have access to another VLAN.
I posted on Ubiquiti forums asking for more ACL features and Glenn @UI said they are a work in progress and more capability is expected to release in the next minor update for EA 😁
Is it possible to configure NAT on a USW-Pro 24-port? We don't have the resources to combine the switch with a UDM pro, and we are currently in the process of using a Mikrotik router for NAT.
Is there any updates to this since last year? I know they added dhcp relay. But what about the firewall rules?
Do you know if you can set any of the ports on the usw for wan
You cannot
Isnt this why there are layer2 "smart" switches? to offload the segmentation (vlAN) to the switch without having to tax the router?
Doesn't the switch default the settings upon a reboot when applying via SSH? Did they ever fix this in Controller?
Can this L3 switch setup works with normal commercial router such as Asus / TP Link?
I am a little confused at why you would want to restrict inter-vlan routing from the ACLs you are creating. Aren't you trying to offload the UDM, hence wanting traffic to go between the two VLAN (155 and 160) directly?
This is an old video im actually going to take down. You can now do ACLs in the UDM interface
ua-cam.com/video/wzeQUZLbgSs/v-deo.html
Why is the direction in when you are pinging out from vlan 155 to vlan 160?
your PING command is ENTERING the port that is tagged with vlan155. So it is a "in"
Super dumb question. But can I do later 3 intervlan routing on the USW-24-G2 and the UDM pro?
You can do it, always could but the performance is not great. On my 10Gbps home network I only get about 1Gbps throughput when doing inter vlan routing using UDMP.
@@carlnakamura4861 thanks for the reply. I tried to configure intervlan routing quickly it couldn't get it to work. Running all my traffic through the SFP port and I couldn't get it to work. May have to create a separate trunk port for each vlan, maybe?
would you recommend this over the usw 24 por switch? its only 100 more
Yup has 2.5gb interfaces and I like how the ports are in one row. In saying that if you need PoE++ you need to go with the usw 24 pro
if i have L3 switches and 3rd party FW where would i create the rules?
I like the way you pronounce "out" and "about" 😁 For me it's like "owt" and "abowt" hehehe... So where ya from? I'm from Belgium and Dutch (Flemisch) speaking so maybe that's why it's funny to me 😉 Apart from that, great video! Still learning the unifi setup I have and your vids are helping me a lot!
Lol I’m Canadian
Hi Cody,
Why you did not just creat the ACL instead of the ACL + Firewall rule ?
The firewall rule was created just to show that it doesn't work for layer 3 routing done on the switches. You would not do this in practice, he just did it to show the point.
Still waiting for that ACL to be functional in controller GUI...
You may be waiting a while
@@MactelecomNetworks from my several years experience with unifi, I no longer wait for anything. If it does not have it now, I would just choose another solution. New shiny aggregation switch? No, edgeswitch still works great, has L3 and proper ACL. New router? No, pfsense still my go to.
Isnt config you did in console removed once you reboot switch ?
It is and I believe I said that in the video ( haven’t watched it in a while )
@@MactelecomNetworks so basically that part of video where you setup ACLs directly in console is useless right ?
Just want to know how can i create a wireless vlan/ lan that has only access to local area network not internet please ... without using static ip
I was hoping to create a second wireless access point to do this and I can switch from one wireless access point to the other when i need internet and when I don’t... will pay also as im only home user Thank you
Where do you learn all these commands? is this python or another languange?
These are almost identical to Cisco command line interface so I was easily able top navigate. I may do a video on Unifi command line
You said "aggravation" switch pro. Hahah
I have a total 4 VLAN vlan10 Data, vlan11 printer, VLAN 12 Wifi, and VLAN 20 for voice, I need to configure inter-VLAN routing unify 24 port enterprise switch could you please help me
Are you looking at configuring it through a layer 3 switch? Which router/firewall do you use? If you're using a UDM pro inter-vlan routing is enable by default
@@MactelecomNetworks through UDM only i can able to reach different VLAN but continuously the ping getting dropping
Technically, Layer 3 is routing/IP Layer. Switching is Layer2. #NetworkNickOfficial
Multi-Layer Switch. Does it do layer 4?
It’s a layer 3 switch or yes a multilayer switch which implies multilayer ( layer 2 and layer 3)
It does routing between vlans as well as static routes ( which I’m not sure is working Atm) no layer 4
The only reason i could think of why UI are stalling from implementing L3 routing is it will cripple their gateway products from providing the analytics to run their glossy whizz-bang reports. It's just not on their UX pipeline. Quite a poor stance to be honest.
Can you just mirror a port?
To be honest, I don't recommend using the L3 functionality of Switch because your traffic will never hit a UDM firewall and you will be unaware of traffic that is traversing between VLANs. Just my opinion. Static routing doesn't take that much resource from your UDM unless you have millions of routes in your routing table. At that point, you might want to look elsewhere.
But I may want to route more bits per second than any of the ports of the UDM is capable of?
I need someone to tell me I dont need layer 3 entrprise switches for my home. I know I dont need it now, but what if one day I do?! lol
If you're not doing a massive amount of intervlan routing and you have something like a UDM you don't need this. Most of my VLAN traffic I have that way specifically because I don't want it touching other networks. So for those this would not be needed or have any function. But there are certainly scenarios where you do need that (if you're doing more than your UDM can handle, or if you want to offload it so the UDM can do other things). Then these L3 switches can be useful. But if you don't need isolation then you can either not use separate VLANs, or if you do you can leave the access open (the default). Only if you need the separation AND if you need to isolate them for the most part while still allowing other traffic would you follow the steps that have been provided in this video.
Thanks Cody, been wanting to see a bit more of the Unifi Layer 3 switchig stuff for a while. The bit on the ACLs via the CLI, be interesting to see if firmware updates interfere with this :-) . I don't think I'll be moving away from Aruba to Unifi Layer3 switching anytime soon though as the features (Dynamic routing, IPv6, Stacking or redundancy) are jus not there yet, maybe they will be eventually :-)
I doubt a lot of people will go in through the CLI to make these ACLs but thought I would show it anyways. Im hoping they have something in the works to get it into the UI.
Speaking of Aruba more videos coming in the next few weeks
@@MactelecomNetworks Thank you :-)
I don’t agree with Tom. The video lacks the what I think is the most important step in teaching and learning: Explaining why. I see a bunch of commands entered. Why did you choose the one command before the other. I wouldn’t know, because I couldn’t tell after watching this video. Another thing, the text is very small when watching plus you constantly put your face where the contents are. Just want to be helpful back to you.
Thanks for the feedback. This was more to show you that you can do it. If I were to explain all the commands the video would be hours long
This video is more advanced and typically for people who already know networking. But I will take your advice in the future thanks
@UCYAXrH-tVzs6HjDcERyOd8A Hi Cody. I meant to comment on Toms "Good video" made six months earlier in this chat. 😂 Anyway, since I commented the above I've watched a few more of your videos. Found the one with "CLI" in the topic. I'll watch it in hope to learn more about the L3 routing related commands from this one. 😊 Appreciate you responding.
@@MR-vj8dn lol I realized that after and delete my previous comment . I do appreciate positive criticism they were good point
Oh, above I responded to your earlier response. Anyway, I understand. I'm not used to the Ubiquiti stuff. I trained with older stuff as 3Com and a bit with HP / Aruba. I'm going to check out a few other videos in your channel now that I work for a company using Ubiquiti gear. Maybe I can convert some of my knowledge to fit this specific equipment. Thanks! 👍
Worst implementation ever of layer-3 routing on a switch. Furthermore, the ACL's should be configured and applied on the switch where the particular layer-3 VLANs are terminated. Unifi needs to go back to the drawing board because this is a convoluted implementation and still burdens the UDM-Pro with processing the ACL's for layer-3 boundaries that are on other devices. This will become a problem as the number of layer-3 VLANs and related ACLs grows. It's also weird that they expose the inter-VLAN routing interface to the GUI. Hopefully it can't be modified because I would venture to guess that would cause problems and/or require "you" to re-IP your network if that network was in use prior to terminating layer-3 on other switches. I can't think of any other manufacturer of layer-3 switches that dedicates a separate network to inter-VLAN routing. I would compare this to the "interesting" way Mikrotik wrote SwitchOS and RouterOS.
I think I took this comment the wrong way. Are you complaining about how I had spoken about it or Ubiquiti?
Ok you were talking more so Ubiquiti I was confused 😂 you make good points
I just thought I’d make a video as I’d been asked so many times
@@MactelecomNetworks The work that you do is awesome. I definitely enjoy your videos because they are very informative. Ubiquiti should rethink their implementation of layer-3 in the Unifi product line.
@@rayk32 ya I totally read the first comment wrong 😂 glad you enjoy the videos.
The layer 3 is still in alpha so hopefully they end up improving it
@@rayk32 Yed, video's are very informative. But Ubiquiti should indeed rethink L3 AND their "firewall". It feels like they're forcing people to use the UDM or UDM-pro but the devices are mediocre at best. (Although the low price makes up for it)