Ubiquiti UniFi Switch - IP ACL vs. MAC ACL

  • added on 25. 08. 2024

Comments • 14

  • @marc3793 14 days ago

    Thanks for the content as always. If you set the MAC ACL for different VLANs which were both created on a Layer 3 switch would it work or not? Would it provide the L3 switch interface MAC address as the destination or the actual client destination MAC? Would be interesting to know!

    • @hz777 14 days ago

      I have several relatively new ACL-related videos. Yes, it's supported, and you just provide the client devices' MAC addresses.

    • @marc3793 14 days ago

      @hz777 sorry, I haven't got to all of the recent videos yet! Thanks for the reply 🙂

  • @TypischFlo 2 months ago

    Thanks for the great video.
    I bought a USW-PRO-MAX-24-POE last week, but under SSH I can't go to telnet localhost. My old US-24-POE can do this, and in your video you can log in to the normal Pro.

    • @hz777 2 months ago

      yep, I have a 48-max and it also does not run telnet. It's sad that Ubiquiti is moving farther and farther away from an "enterprise" brand. LED replaces CLI, what a shame...

    • @TypischFlo 2 months ago

      @hz777 My opinion is that the CLI is the feature that makes these switches so good. But without it, a D-Link DGS-1510 switch is better to have for a single switch, since it has more features. But UniFi has the good network controller, which D-Link doesn't have, and if you use more switches the UniFi universe is much better.

  • @Greg.M 2 months ago

    Again, fantastic video. I'm not sure I would have ever figured out (on my own) why the IP version wouldn't work.
    To me, I think it would have been smarter for UniFi to make sure that you could do the blocking through the GUI interface across VLANs. My reasoning is that you could assign a static IP to a specific MAC address within the UniFi GUI, and then create your rules to block or allow. My reason for saying this is that, for example, on my phone I can use its designated MAC address, or a random address. Because of that, I would have to create two static IP addresses for both MAC addresses for one device in order to control its allowed or denied access to areas on my network - and if you have a device that can clone a MAC address, well then everything goes out the window.
    That is why I think UniFi should have given full flexibility to the IP functionality rather than the MAC functionality.
    Am I thinking about this correctly?
    Your thoughts?

    • @hz777 2 months ago

      I agree with what you said regarding the MAC address. It's very easy to be faked. I think there is a potential reason for Ubiquiti to put more limitations on the UI for IP ACL rules: it's easier to prevent users from doing stupid things for the gateway and cloud key. If I remember it correctly, you can only select client MAC addresses, instead of UniFi device MAC addresses, when defining MAC ACL rules. To limit the same on IP ACL rules would be much more complicated.

    • @Greg.M 2 months ago

      @hz777 I guess if I want to focus on limiting device access to my network (IoT devices, guest, etc.) I could:
      1. Networks > L3 Network Isolation (ACL): enable this for the VLANs I want to restrict
      2. Networks > L3 Device Isolation (ACL): enable this on each of the VLANs that is important (i.e. IoT and Guest networks)
      3. Security > ACL Rules: using this I could "ALLOW", using MAC addresses, certain IoT devices to talk to each other (for example, a Google Home to communicate with a thermostat) - I am assuming that these rules come before the other 2 - could you confirm that for me?
      It is not the best security as it is "Security through Obscurity" - the hacker would have to KNOW what the MAC addresses of the devices that are allowed to talk to each other are, and even then the rules would only allow the hacker to access or impersonate those devices . . . .
      That's not so bad, but if it was a NAS device, then that could be problematic . . . but they'd still need to GUESS what the MAC address of the NAS is.
      Again, not the best.
      Does that sound like I am thinking about this correctly?

    • @hz777 2 months ago

      @Greg.M
      - The first step can be replaced with firewall rules in most cases, and I personally prefer firewall rules.
      - The second step is for MAC ACL if I understand you correctly. If so, it's not L3. Yes, it's the best way to achieve isolation in the same VLAN.
      - Yes, "allow" rules should be treated as exceptions, and yes, they will be executed first in the generated access lists in the switch. In fact, for this step, if firewall rules work (i.e. not the same VLAN or not an L3 switch VLAN) I would prefer firewall rules.
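      The three-step setup and the reply above describe one ordered, first-match access list: explicit MAC allow rules as exceptions at the top, the isolation denies below them. The following is an added example that models that evaluation in Python; it is not code from the video, from Ubiquiti, or from any commenter. The rule shapes, MAC addresses, VLAN numbers and the gateway address are constructed for the example, and treating "same VLAN vs. other VLAN" as a field on the frame is a simplification of a routed hop.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample addresses and VLAN ids for this example (not from the video).
IOT_VLAN = 30
LAN_VLAN = 10
GOOGLE_HOME = "aa:bb:cc:00:00:01"
THERMOSTAT = "aa:bb:cc:00:00:02"
IOT_CAMERA = "aa:bb:cc:00:00:03"
NAS = "aa:bb:cc:00:00:04"
LAN_PC = "aa:bb:cc:00:00:05"
GATEWAY = "aa:bb:cc:ff:ff:ff"  # router interface MAC; device isolation still lets clients reach it


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int      # VLAN the frame arrives on
    dst_vlan: int  # VLAN the destination lives in (simplification of a routed hop)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    matches: Callable[[Frame], bool]


def mac_pair(a: str, b: str) -> Callable[[Frame], bool]:
    """MAC ACL allow exception: a may talk to b and b to a (client MACs only)."""
    return lambda f: {f.src_mac, f.dst_mac} == {a, b}


def device_isolation(vlan: int) -> Callable[[Frame], bool]:
    """Device isolation: no client-to-client traffic inside `vlan`; the gateway stays reachable."""
    return lambda f: f.vlan == vlan and f.dst_vlan == vlan and f.dst_mac != GATEWAY


def network_isolation(vlan: int) -> Callable[[Frame], bool]:
    """Network isolation: nothing arriving on `vlan` may reach another VLAN."""
    return lambda f: f.vlan == vlan and f.dst_vlan != vlan


# Allow exceptions first, then the isolation denies; anything unmatched is allowed.
RULES = [
    Rule("allow google-home<->thermostat", "allow", mac_pair(GOOGLE_HOME, THERMOSTAT)),
    Rule("iot device isolation", "deny", device_isolation(IOT_VLAN)),
    Rule("iot network isolation", "deny", network_isolation(IOT_VLAN)),
]


def evaluate(frame: Frame, rules=RULES) -> tuple:
    """First matching rule wins; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action, rule.name
    return "allow", "implicit allow"


def demo() -> dict:
    """Run the constructed frames through the list and return the verdicts."""
    cases = {
        "home->thermostat": Frame(GOOGLE_HOME, THERMOSTAT, IOT_VLAN, IOT_VLAN),
        "camera->nas (same vlan)": Frame(IOT_CAMERA, NAS, IOT_VLAN, IOT_VLAN),
        "camera->gateway": Frame(IOT_CAMERA, GATEWAY, IOT_VLAN, IOT_VLAN),
        "camera->lan pc": Frame(IOT_CAMERA, LAN_PC, IOT_VLAN, LAN_VLAN),
        # A MAC rule sees only the address, so any device presenting GOOGLE_HOME's
        # MAC produces the very same frame; this is the limitation the thread raises.
        "any device with home's MAC->thermostat": Frame(GOOGLE_HOME, THERMOSTAT, IOT_VLAN, IOT_VLAN),
    }
    return {name: evaluate(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:42} {action:5} ({rule})")
```

      Ordering is what makes step 3 work: moving the allow rule below the device-isolation deny would silence the Google Home and thermostat entirely, and the last case shows why the earlier reply calls MAC-based rules easy to fake, which is the reason both commenters prefer firewall rules wherever the traffic actually crosses the router.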

    • @Greg.M 2 months ago

      @hz777 Can you confirm that the router is set as your gateway and not the switch . . . or would it matter?
      I am not sure what you meant when you said ". . . not L3 switch VLAN)".

    • @hz777 2 months ago

      By "L3 switch VLAN" I mean a VLAN that has a switch as its "router".