Multiple Subnets on Multiple Switches, No VLAN

Discussion in 'Networking' started by TechMonkey, Sep 22, 2019.

  1. TechMonkey

    TechMonkey New Member

    Joined:
    Sep 22, 2019
    Messages:
    8
    Likes Received:
    0
    Hello everyone. I am trying to build out a network, and the issues, and the responses I'm getting to those issues, are making it sound like what I want to do is impossible. FYI, I am using all Unifi gear.

    So, the goal: to pre-configure device IPs (cameras, smart home devices, computers, WiFi APs etc.) BEFORE connecting the device to the network, and then have the IP of the device automatically force the device to follow the preset routing rules for that network. The goal is to be able to connect any device into any switch, any port, and have it "just work."

    For example, I buy 2 new APs and 6 security cameras. I connect the APs to an offline laptop and configure them to 192.168.1.150 and 192.168.1.151, then I connect to the cameras and call them 192.168.2.10, 192.168.2.11, 192.168.2.12, etc.

    Now, since all of this, except one camera and one AP, is for my new outbuilding, I connect them to my garage switch, which is using the address 10.0.0.4. Then I go to the front of the house and connect the last AP and camera to the house switch, which is 10.0.0.3. The kicker is that the DVR is connected to the MAIN switch (10.0.0.2), but can still see the cameras' data "automatically" and the APs "automatically" grab all the correct SSID and DHCP instructions just like if you plugged them into two ports side by side.

    • First off, CAN that work? Can it be pre-configured to be "that easy"?
    • Secondly, do I HAVE to use layer 3 switches or can I make this work with firewall rules?
    • Lastly, is it going to be possible to make a PC on one switch talk to a PC on another switch like they are plugged into the same switch? (assuming they are on the same subnet, but with different switch IPs)
    I appreciate the help up front. I am just trying to find out if my goal is possible before I spend any more time on it.
     
    #1
    Last edited: Sep 22, 2019
  2. Haitch

    Haitch Member

    Joined:
    Apr 18, 2011
    Messages:
    113
    Likes Received:
    13
    In a traditional setup, no - it just won't work. But if you can get a device for the router that supports multi-homed IP addressing, then yeah - it can be made to work with all on the default vlan. Will make network pros cringe, but is doable.
     
    #2
  3. TerryPhillips

    TerryPhillips New Member

    Joined:
    May 7, 2019
    Messages:
    23
    Likes Received:
    6
    Sounds interesting and FWIW - I have a complete homogeneous Unifi network with Pro4 SG, 4 switches (24pt POE, 3x 8pt POE), 4x Pro HD APs and CloudKey controller configured with 3 wifi SSIDs (on different VLANs) and additional wired VLANs for lab stuff (some routed, some not) and 2 internet connections. My Unifi hardware has static IPs but most everything else is DHCP served per VLAN. Whichever SSID you connect to, or configured port, you get the desired network, "that easy"...

    You state you're running into issues. It would help to understand what those are. But more importantly what your network design goals and motivations are. It helps to see the big picture before trying to fix one bad pixel on the screen.

    Q1: Are you utilizing a Ubiquiti Secure Gateway device and Controller and Switches?

    "force the device to follow the preset routing rules for that network"
    Q2: You make note of 192.168.2.* and a 10.* network, are there more networks?
    Q3: Are you trying to separate traffic, what from what and why?

    To answer your questions:
    • First off, CAN that work? Can it be pre-configured to be "that easy"?
      A: IF you're running a homogeneous Unifi network with SG, switches, APs and controller, then I'd say you're actually making it more difficult than it needs to be.
    • Secondly, do I HAVE to use layer 3 switches or can I make this work with firewall rules?
      A: Kind of the same answer; in a Unifi network, multiple networks are pretty easy to manage as the SG builds some default rules for routing between networks.
    • Lastly, is it going to be possible to make a PC on one switch talk to a PC on another switch like they are plugged into the same switch? (assuming they are on the same subnet, but with different switch IPs)
      A: Don't confuse a "switch (management) IP" with the networks it passes. Depending on configs, it's possible for any of the 3:
      1. PC traffic and Switch Mgt IPs to navigate all switches.
      2. PC traffic to navigate all switches but no Switch Mgt IPs
      3. Switch Mgt IPs to navigate all switches but no PC traffic
    "responses I'm getting to those issues"...
    I see you're new here so I assume you're getting info from other places? Possibly the Unifi forum? If not, check it out, if so then feel free to share a link to any previous post if there's any relevant additional info to be shared.
     
    #3
  4. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,863
    Likes Received:
    428
    Reserved IP/MAC via DHCP? (Reservations exist in each network possibly)

    Maybe just explain what the end goal is and there could be a far easier solution than you're thinking about?
     
    #4
  5. TechMonkey

    TechMonkey New Member

    Joined:
    Sep 22, 2019
    Messages:
    8
    Likes Received:
    0
    I stated that, exactly. "So, the goal: to pre-configure device IPs (cameras, smart home devices, computers, WiFi APs etc.) BEFORE connecting the device to the network, and then have the IP of the device automatically force the device to follow the preset routing rules for that network. The goal is to be able to connect any device into any switch, any port, and have it "just work.""

    Yes, I understand you will have to adopt things like APs, but the AP should at least be "preset" for joining the correct LAN group (via the static IP you give it).

    So, as an example... the router is 192.168.1.1 and the Pi-hole is 192.168.1.2. All devices on the entire network are directed in DHCP to the router for DNS, but the router is pointed at the Pi-hole for DNS, which for whatever reason is on a different switch in a completely different area of the network. Since I set up the Pi-hole offline and set up that static IP, when I plugged it in to any random port on any random switch it should automatically follow the rules for the 192.168.1.x network. But instead what happens is that the router can't even reach it, because the Pi-hole is on a different network than the switch and it doesn't know the route. How do I give the router that route? But I don't want to route it in a manner that says "point a, point b, point c"; I want to do it in a manner that says "there is a Pi-hole on the network, find it and use it". I've already told it to use it with the DNS settings.

    I guess what I'm trying to say is, how do I make it all one big network and segregate devices based on IP and "network" firewall rules? Sorry if that doesn't make sense. I'm trying to explain it as best as possible.
     
    #5
  6. TechMonkey

    TechMonkey New Member

    Joined:
    Sep 22, 2019
    Messages:
    8
    Likes Received:
    0
    All devices are unifi.

    Think about this a different way. Let's say I own 3 apartments, and each apartment has a switch, and the switches are 10.0.0.1, .2, .3. They all connect back to my router (192.168.1.1). Now I have set up another network (192.168.29.0) that is for IP cameras only, and all these cameras can do is feed back through the router to the internet to a preconfigured server. But I want to put cameras in each apartment, so I set the static IP of the camera offline (192.168.29.1.10; .11; .12). Now I just want to tell my electrician, "Hey, here are 3 cameras. Go install one in each apartment, pull the cable and connect to the switch. Don't worry about the port, just plug it in." Now essentially I should be done. The DVR server should automatically see those 3 new cameras added to its network and start accepting the data. (Ignore the DVR server settings to make this work for now, just assume the server is ready to accept the traffic.)

    Now take it a step further. We now want to add IOT devices. There are LAN drops in each room. Let's say it's a smart lamp. I make a network for IOT that is 192.168.54.0. Of course the network is segregated from everything and only reaches the internet and DNS server. So now I buy 3 lamps, I connect them to my offline PC and set them up as 192.168.54.10; .11; .12, and tell my electrician "Hey, go install these lamps in the living rooms. Just plug them in to the wall." Now the router sees the 3 new devices and automatically routes them based on the rules for the .54 network.

    See where I'm going with this? The issue I'm having is that I want each lamp and camera in each apartment to be able to talk to each other. Right now they can't because the devices don't know that their subnet exists outside of the switch they are connected to.

    (To take this a step further, I wouldn't even really assign a static IP, I would just assign a DHCP server address, and each network would have a DHCP server.) The real goal here is to just make it not matter what switch or port you plug anything into. (This is why I'm trying to use IPs and not add the extra hassle of setting up VLANs.)
     
    #6
    Last edited: Sep 23, 2019
  7. TerryPhillips

    TerryPhillips New Member

    Joined:
    May 7, 2019
    Messages:
    23
    Likes Received:
    6
    Most importantly: Do you utilize a Unifi Controller, either CloudKey, Pi or software?

    If so:
    Do you have a main switch the other switches wire back to, and your SG connects to?
    For each network address range, did you set up a network in your controller? Are they "LAN/Corporate" networks or what?
    If your 3 switches are 10.0.0.1, .2, .3, what's the 10.0.0.x address for the SG?
    Do you require separation from your various networks? If you truly had 3 apartments and 3 different network address ranges, in a flat non-VLAN environment there would be nothing stopping Apt 1 from snooping on Apt 2, or your camera network... IP address ranges are not security boundaries without routing/firewalls involved, and only then per total physical switch. VLANs are generally used for this.
     
    #7
    Last edited: Sep 23, 2019
  8. packmule

    packmule New Member

    Joined:
    Mar 21, 2019
    Messages:
    5
    Likes Received:
    1
    Lots of great suggestions here, centered around understanding your existing environment and your goals. I've read all your posts, and it's still not clear to me how your existing Ubiquiti network is configured. Can you share a topology diagram? How many VLANs do you have? How many IP networks? How many wireless networks? If multiple VLANs, what device handles L3 routing?

    On most simple home networks, pre-configuring devices with an IP, then putting them on a random switch port, will only "just work" if the switch port is configured as an access port for the correct VLAN. Pre-configuring a device for IP X, Y or Z isn't scalable. Most solutions to your general concern of 'near zero-touch' device deployment focus on changing things on the back end such as switch port VLAN assignment (static or dynamically set), DHCP reservations, identity management and authentication (RADIUS auth / MAB, etc) rather than changing anything on the client.

    My simple home network includes separate VLANs for corporate wireless, home wireless, home IOT wired/wireless, and home wired. All home wireless SSIDs use simple PSK authentication. All wired and wireless IP networks use DHCP. If I want a predictable IP for clients, I set a DHCP reservation for the client MAC address. If I want a Chromecast on the IOT network, I set it up on the IOT wireless network. If I want to add an XBox via wired to the IOT network, I set the switch port VLAN correctly, then it just works.

    In an enterprise environment, your general goal of 'near zero-touch' deployment of devices across a variety of wired and wireless VLANs requires a combination of technologies including user and device identity management and profiling (Cisco ISE, Aruba ClearPass, Forescout, etc), dynamic VLAN assignment (802.1x, Forescout, etc), and DHCP. That works at scale, but isn't practical for a SOHO environment unless you're setting up a lab to learn the tech.
     
    #8
    Last edited: Sep 23, 2019
  9. packmule

    packmule New Member

    Joined:
    Mar 21, 2019
    Messages:
    5
    Likes Received:
    1
    Going back to the title of your thread "Multiple Subnets on Multiple Switches, No VLAN" ... there is always a VLAN, even if it's untagged and the default VLAN 1.

    You can have multiple IP subnets on a single VLAN. With multiple subnets on a single VLAN, you are putting multiple L3 broadcast domains on a single L2 VLAN. It can work, but it's not really best practice. I see it used occasionally when needing to add IP space to an existing VLAN where you can't easily renumber, or during a transition period when migrating from one IP network to another.

    Most new network deployments won't use multiple IP networks per VLAN for a variety of reasons. Typically DHCP servers won't assign IPs to secondary networks unless the DHCP scope for the primary network is exhausted. So, you'll be stuck using static IPs for devices on secondary networks in most cases. Also, features such as virtual routers / VRFs used to create multiple L3 routing tables are generally tied to an interface/subinterface, hence VLAN rather than an IP network.
     
    #9
    Last edited: Sep 23, 2019
  10. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,863
    Likes Received:
    428
    I think what you're trying to do exactly is either too hard or you're going about it the wrong way. There is, as far as I am aware, no elegant way to manage this.

    I can think of ways to do it, like making everything a trunk port with all VLANs tagged and just having devices tag the VLAN needed, but for other things that has so many downsides. Yes, you can have a default VLAN for all devices and a tag for the special ones. I guess that's the way I would do it, but it's really not a sensible approach I think.
     
    #10
  11. TechMonkey

    TechMonkey New Member

    Joined:
    Sep 22, 2019
    Messages:
    8
    Likes Received:
    0
    Sorry for the delay getting back to this, guys. Arkansas stomach flu is no joke.

    I don't know that I am clearly explaining what I want to do here. Essentially all I want to do is to have multiple networks that can work across all my switches. So how does network 3 on switch one know how to route to network 3 on switch 5?

    Let me give you another scenario. Picture a 10-story building. On each floor you have management employees and regular employees. All your regular employees have access to each other, and 1 server. All the management employees have access to all the employees' computers, as well as other servers.

    So the way I would like to set this up is switch 1 for floor 1, switch 2 for floor 2, etc. When I hire a new employee I would give him a static IP on his computer, and he goes to any floor and plugs in his PC. Because he was statically assigned to the employee network, he only has access to the items the firewall rules allow.

    Same for management employees. The key is, I want any manager or employee to be able to connect to any port on any switch with no thought to VLANs or what port they are using. Just plug in and go; let the firewall and the router do the work. (Yes, I know theoretically they could change their IP and access other networks; that's OK in this case.)

    The thing I can't figure out is how to make it so managers on floor 1 can access employees on floor 8. How do I make routes so this can work?
     
    #11
  12. BlueFox

    BlueFox Active Member

    Joined:
    Oct 26, 2015
    Messages:
    657
    Likes Received:
    231
    Unmanaged switches are not going to do any routing. They operate at layer 2, so frames will go wherever they need to based on MAC addresses.

    With your proposed scenario, you don't have 3 networks. It's really just one, with things being constrained on an IP level since you have 3 different subnets. It's still going to be one broadcast domain for everything if you aren't utilizing VLANs.
     
    #12
  13. TechMonkey

    TechMonkey New Member

    Joined:
    Sep 22, 2019
    Messages:
    8
    Likes Received:
    0
    For clarity, what I was calling "a network" is how they are defined in the Unifi controller. I understand it's just one big physical network. The problem is that I have 2 separate switches plugged into 2 separate ports on my router. Similar subnets on different switches are not able to connect across the router. This is what I am trying to figure out how to route.
     
    #13
  14. BlueFox

    BlueFox Active Member

    Joined:
    Oct 26, 2015
    Messages:
    657
    Likes Received:
    231
    It's not working because it's not something that can be routed. You're splitting your broadcast domain for any given network with that setup. Routing is only for trying to reach addresses outside of the subnet that the device is on.

    The closest you're going to get is to do MAC-to-VLAN mapping on every switch for every single device you have and then route between VLANs accordingly. This will require devices that are capable of this and correct topology.

    Honestly you're just making this pretty difficult. Why bother configuring everything on some laptop when you could just have a multihomed DHCP server?
     
    #14
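The point made by packmule (#9) and BlueFox (#14), and the Pi-hole symptom in #5, can be checked with a small model of L2 broadcast domains versus L3 routing. The script below is an added example, not code from the thread or from Ubiquiti: the hosts, addresses and the two-segment topology (one switch per router LAN port, no VLANs) are constructed, and `FLAT` is the same set of hosts on a single segment with a multi-homed router as Haitch (#2) describes.

```python
from ipaddress import ip_interface

# Constructed topology (not the thread author's real network): the router has one
# LAN port per switch, so each switch hangs off its own L2 broadcast domain
# ("lan1", "lan2") with no VLANs. Router interfaces are listed as hosts so the
# router's own forwarding decision can be checked. Values: (address/prefix, L2 domain).
SPLIT = {
    "router@lan1": ("192.168.1.1/24", "lan1"),
    "router@lan2": ("10.0.0.1/24", "lan2"),
    "pc":          ("192.168.1.50/24", "lan1"),
    "switch2":     ("10.0.0.3/24", "lan2"),
    "pihole":      ("192.168.1.2/24", "lan2"),  # preconfigured offline, plugged into switch2
}

# Same hosts, but everything on one switch (one broadcast domain) and the
# router multi-homed on that segment: multiple subnets on a single VLAN.
FLAT = {name: (addr, "flat") for name, (addr, _) in SPLIT.items()}


def _iface(hosts, name):
    return ip_interface(hosts[name][0])


def _domain(hosts, name):
    return hosts[name][1]


def _router_on_link(hosts, ip, domain):
    """Name of the router interface on `domain` whose subnet holds `ip`, or None."""
    for name in hosts:
        if (name.startswith("router@") and _domain(hosts, name) == domain
                and ip in _iface(hosts, name).network):
            return name
    return None


def reach(src, dst, hosts=SPLIT):
    """Classify how (or whether) src can deliver an IP packet to dst."""
    src_if, dst_if = _iface(hosts, src), _iface(hosts, dst)
    if dst_if.ip in src_if.network:
        # On-link destination: the sender ARPs for it directly. ARP is an L2
        # broadcast and never crosses into another broadcast domain, so a subnet
        # split across two segments fails silently; no route can fix this.
        if _domain(hosts, src) == _domain(hosts, dst):
            return "direct"
        return "unreachable: same subnet, different broadcast domain"
    # Off-link destination: the sender needs a gateway on its own segment ...
    gw = _router_on_link(hosts, src_if.ip, _domain(hosts, src))
    if gw is None:
        return "unreachable: no gateway on sender's segment"
    # ... and the router needs an interface on the destination's segment whose
    # subnet contains the destination (a connected route on the right side).
    if _router_on_link(hosts, dst_if.ip, _domain(hosts, dst)) is None:
        return f"unreachable: router has no interface in {dst_if.network} on {_domain(hosts, dst)}"
    return f"routed via {gw}"


if __name__ == "__main__":
    for a, b in [("pc", "pihole"), ("router@lan2", "pihole"), ("pc", "switch2")]:
        print(f"split: {a:>12} -> {b:<8} {reach(a, b)}")
        print(f"flat : {a:>12} -> {b:<8} {reach(a, b, FLAT)}")
```

The `SPLIT` case reproduces the complaint in #5 and #13: `pc` and the router's 192.168.1.1 interface both treat `pihole` as on-link and ARP for it on lan1, while the Pi-hole is listening on lan2, so no static route on the router helps. In `FLAT` the same addresses work, because every host shares one broadcast domain and the router answers for both subnets on it.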
  15. TerryPhillips

    TerryPhillips New Member

    Joined:
    May 7, 2019
    Messages:
    23
    Likes Received:
    6
    Hypothetical example of an organization with 3 departments, call them IT, Sales and Service.

    Network Architecture Requirements:
    • Based on all hardware being Unifi series
    • Each dept is on its own floor, plus a data center on yet a separate floor (going for super simple mental representation...)
    • Each dept is on a separate network / VLAN
    • Each dept has their own WiFi SSID (not necessary unless you want forced separation via FW rules)
    • Each dept's WiFi network IP address range is shared with dept's wired network. I.e., same VLAN
    • Each WiFi network is available on ALL floors
    • There will be a max of 3 access points per floor
    • There is a single video surveillance network with both wired and/or WiFi cameras in every dept
    • There will be a max of 6 wired cameras per dept.
    • There is a management network for the Unifi hardware
    • Unifi Secure Gateway (SG) i.e., router, CloudKey Controller/DVR and a distro switch are in the DC
    • Each dept has POE switch(s) located on the same floor with users
    • There are enough ports per floor for every wired drop, wired camera(s) and Access Points(s)
    • DHCP will be delivered via SG for each network
    Network Segments:
    • Management Network 192.168.1.1/24 Default VLAN (again, keeping it simple)
    • Video Network 192.168.10.1/24 VLAN 10
    • IT Network 192.168.20.1/24 VLAN 20
    • Sales Network 192.168.30.1/24 VLAN 30
    • Services Network 192.168.40.1/24 VLAN 40
    Implementation:
    If you want static IP addresses on your Unifi devices, assign them in the 192.168.1.0/24 range and no VLAN.
    As per the network requirements outlined above, the SG, Unifi Controller and main distro are racked in the DC. For sake of example, Distro switch ports are utilized as:
    • Port 1 <-> SG LAN1 Port
    • Port 2 <-> Unifi Controller/DVR combo
    • Port 3 <-> IT switch Port 1
    • Port 4 <-> Sales switch Port 1
    • Port 5 <-> Services switch Port 1
    Each Dept switch has a port config of:
    • Port 1 <-> Distro Port X
    • Port 2-4 <-> WiFi APs
    • Port 5 -10 <-> Wired camera ports
    • Port 11-XX <-> Client ports

    Begin the Unifi setup with only the Unifi controller (UC), switches and APs all plugged together. Leave the Cameras and clients for later...
    From within the UC go to Settings\Network
    • Select Edit on the "LAN" network
    • Rename to Management
    • VLAN: blank
    • GW/SN: 192.168.1.1/24
    • Optionally, enable and set DHCP range, excluding a predetermined range for your static devices
    • Save
    • Validate: You should be able to ping all Unifi devices, plus they should be visible in the Devices section of the UC.
    Video Network
    • From within the UC goto Settings\Network
    • Click "+ Create New Network"
    • Name: Video
    • Leave LAN1 selected
    • VLAN: 10
    • GW/SN: 192.168.10.1/24
    • Optionally, enable and set DHCP range, excluding a predetermined range for your static devices
    • Any other option parameter you wish to config
    • Save
    Repeat above pattern for IT, Sales and Services Networks/VLANs

    From within the UC goto Settings\Wireless Network
    Create 4 wireless networks:
    • Name: Video w\Use VLAN 10
    • Name: IT w\Use VLAN 20
    • Name: Sales w\Use VLAN 30
    • Name: Services w\Use VLAN 40
    • From Devices: Validate all 4 WiFi networks are provisioned to each AP, that they are enabled with correct VLAN on each AP
    At this point you have 5 networks, and all 5 will be present on every port of every switch and 4 of them presented via all APs. The switch-to-switch ports need to stay that way (trunks), as do the ports the APs are plugged into. Ports that can be changed would be on each Dept switch. To do so, select Devices, then the switch you wish to update. From the device slideout, select the Port icon, checkbox each range of ports you wish to modify, then click "Edit Selected" at the bottom of the list. Select the appropriate "Switch Port Profile" (VLAN) to assign to the ports and Apply.
    • Ports 5-10 set to "Video" network
    • Port 11-XX set to the corresponding Dept network/VLAN
    Things to NOTE:
    • A Unifi SG by default has open firewall rules and routing between all networks built from the "Corporate LAN" profile. Even though there are 5 networks, there's nothing stopping them from talking to one another. Very important if it were 3 apartments vs one org with 3 depts...
    • By default there is a Switch Port Profile created for each VLAN. Custom profiles can be created for having more than One, but not ALL VLANs assigned to a port.
    • The US & SG also support RADIUS auth that can assign port VLANs based on authentication profiles or as simple as MAC addresses, but that's a whole other topic. There's also MAC whitelisting per port if you want a simple way to secure something like video ports to specific cameras. Not 100% secure (say MAC spoofing) but an option nonetheless...
    To your last post, open routing and firewall rules still holds true if the SG ports LAN1 and LAN2 have individual networks assigned to them, as built from the "Corporate LAN" profile, with or without VLANs. The example might be way overkill for what you're trying to achieve, but feel free to post your complete list of "Network Architecture Requirements" if you want something more specific.
     
    #15
    Last edited: Oct 5, 2019
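As an added example (not from the post above and not Ubiquiti's controller code), the following script models the port-profile layout TerryPhillips lays out: trunk ports carry all five networks, camera ports are access ports in Video, client ports are access ports in the department VLAN, and anything that does not share a VLAN has to pass through the SG, which the "Things to NOTE" section says routes freely between Corporate networks by default. The switch names, the 24-port client range, treating distro port 2 (controller/DVR) as a trunk, and the stricter `tenant_policy` for the three-apartments case are all assumptions.

```python
from collections import deque

NETWORKS = ["Management", "Video", "IT", "Sales", "Services"]  # the five networks in the post
ALL = "All"  # trunk profile: every VLAN, Management untagged


def dept_switch(dept):
    """Port profile table for one department switch, following the post's layout."""
    ports = {1: ALL, 2: ALL, 3: ALL, 4: ALL}           # uplink and three AP ports stay trunks
    ports.update({p: "Video" for p in range(5, 11)})   # wired camera ports
    ports.update({p: dept for p in range(11, 25)})     # client ports (24-port switch assumed)
    return ports


SWITCHES = {
    "distro": {1: ALL, 2: ALL, 3: ALL, 4: ALL, 5: ALL},  # port 2 (controller/DVR) as trunk: assumption
    "it": dept_switch("IT"),
    "sales": dept_switch("Sales"),
    "services": dept_switch("Services"),
}
UPLINKS = {("distro", 3): ("it", 1), ("distro", 4): ("sales", 1), ("distro", 5): ("services", 1)}
UPLINKS.update({far: near for near, far in list(UPLINKS.items())})  # links are bidirectional
SG_PORT = ("distro", 1)  # where the gateway that routes between VLANs is attached


def vlans_on(switch, port):
    profile = SWITCHES[switch][port]
    return set(NETWORKS) if profile == ALL else {profile}


def switch_path(start, goal):
    """BFS over inter-switch links; returns hops as (switch, out_port, next_switch, in_port)."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for (sw, out_p), (nsw, in_p) in UPLINKS.items():
            if sw == cur and nsw not in prev:
                prev[nsw] = (cur, out_p, in_p)
                queue.append(nsw)
    if goal not in prev:
        return None
    hops, cur = [], goal
    while prev[cur] is not None:
        psw, out_p, in_p = prev[cur]
        hops.append((psw, out_p, cur, in_p))
        cur = psw
    return hops[::-1]


def shared_vlans(ep_a, ep_b):
    """VLANs in which the two ports share one L2 domain: allowed on both end ports and every trunk between."""
    path = switch_path(ep_a[0], ep_b[0])
    if path is None:
        return set()
    carried = vlans_on(*ep_a) & vlans_on(*ep_b)
    for sw, out_p, nsw, in_p in path:
        carried &= vlans_on(sw, out_p) & vlans_on(nsw, in_p)
    return carried


def allow_all(src_vlan, dst_vlan):
    """Default the post describes for networks built from the Corporate LAN profile."""
    return True


def tenant_policy(src_vlan, dst_vlan):
    """Constructed stricter rule set for the 'three apartments' case: only Management may cross VLANs."""
    return src_vlan == "Management"


def can_talk(ep_a, ep_b, policy=allow_all):
    """('L2', vlans) if the ports share a broadcast domain; ('routed', va, vb) if the gateway
    can reach both VLANs and the policy permits the flow; otherwise ('blocked',)."""
    shared = shared_vlans(ep_a, ep_b)
    if shared:
        return ("L2", sorted(shared))
    for va in sorted(vlans_on(*ep_a)):
        for vb in sorted(vlans_on(*ep_b)):
            if (va in shared_vlans(ep_a, SG_PORT) and vb in shared_vlans(ep_b, SG_PORT)
                    and policy(va, vb)):
                return ("routed", va, vb)
    return ("blocked",)


if __name__ == "__main__":
    print("camera on Sales floor -> DVR:", can_talk(("sales", 5), ("distro", 2)))
    print("IT client -> Sales client, default:", can_talk(("it", 11), ("sales", 11)))
    print("IT client -> Sales client, tenants:", can_talk(("it", 11), ("sales", 11), tenant_policy))
```

With the default policy, a camera plugged into port 5 of any department switch reaches the DVR purely at layer 2 over the Video VLAN, which is the "plug it into any switch" behaviour asked for in #6, while an IT client and a Sales client only meet through the SG. Swapping in `tenant_policy` shows why the note about the SG's open default rules matters when the "departments" are really separate tenants: the L2 separation is unchanged, but the routed path is now blocked.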
