ubnt guest wireless or separate VLAN?
-
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
-
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?
With VLANs (and good documentation), you know exactly what it does.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@JaredBusch said in ubnt guest wireless or separate VLAN?:
@scottalanmiller said in ubnt guest wireless or separate VLAN?:
@dafyre said in ubnt guest wireless or separate VLAN?:
and 2) It's more secure. the Guest mode on the UBNT would still have to pass across the MetroE connection, and your systems at the other end would still need to know how to deal with it.
So.... exactly like a VLAN? You just described a VLAN, in fact.
No. Completely not like a VLAN. Even if @dafyre doesn't know how to phrase it correctly.
I meant the description was exactly the same... that it has to transit the metroE and if the equipment on the other end doesn't honour it the security evaporates.
That was my point.
But you said that you would keep VLANs because .... and it seemed like you were saying that VLANs were more secure in this case.
I would. What happens when the Guest traffic gets to the other end of the Metro E connection? Does it drop it? Does it send it on to the internet? Or what?
With VLANs (and good documentation), you know exactly what it does.
My point was that that's the same in both cases. Both of your posts describe the same situation for both approaches. VLAN only works because you handle it on both ends. Guest works too in the same situation.
-
The VLAN concept depends on end to end network support and planning. Identical to how the UBNT guest system works.
-
Or does it... That'd be a good question for a UBNT person...
There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.
-
@dafyre said in ubnt guest wireless or separate VLAN?:
Or does it... That'd be a good question for a UBNT person...
There's a number of ways they could achieve this without relying on the "other end" of the connection supporting their guest mode stuff.
That would make it better than VLAN then
-
@JaredBusch said
It is not as easy as that to make it a secure guest network.
Yes but it depends what you mean by "secure"
Not having the ability for the client machines to talk to each other without layer-3 switches needed is a big boon.
-
My understanding of how Ubiquiti handles guest mode is that it drops packets destined for internal networks. What I don't know is like I think some others were getting at - what if the user tries to go to another local subnet outside the subnet their on. I guess I'll just keep the VLAN thing.
-
@Mike-Davis said in ubnt guest wireless or separate VLAN?:
My understanding of how Ubiquiti handles guest mode is that it drops packets destined for internal networks. What I don't know is like I think some others were getting at - what if the user tries to go to another local subnet outside the subnet their on. I guess I'll just keep the VLAN thing.
My understanding is that it totally drops those packets too. In some ways, that makes it more secure than a VLAN because just hijacking a physical switch is not enough to grab the packets.