ericxliu-me/posts/unifi-vlan-migration-to-zone-based-architecture/index.html
2025-09-23 06:20:48 +00:00


<!doctype html><html lang=en><head><title>UniFi VLAN Migration to Zone-Based Architecture · Eric X. Liu's Personal Page</title><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=color-scheme content="light dark"><meta name=author content="Eric X. Liu"><meta name=description content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta name=keywords content="software engineer,performance engineering,Google engineer,tech blog,software development,performance optimization,Eric Liu,engineering blog,mountain biking,Jeep enthusiast,overlanding,camping,outdoor adventures"><meta name=twitter:card content="summary"><meta name=twitter:title content="UniFi VLAN Migration to Zone-Based Architecture"><meta name=twitter:description content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta property="og:url" content="/posts/unifi-vlan-migration-to-zone-based-architecture/"><meta property="og:site_name" content="Eric X. Liu's Personal Page"><meta property="og:title" content="UniFi VLAN Migration to Zone-Based Architecture"><meta property="og:description" content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta property="og:locale" content="en"><meta property="og:type" content="article"><meta property="article:section" content="posts"><meta property="article:published_time" content="2025-09-22T00:00:00+00:00"><meta property="article:modified_time" content="2025-09-23T06:14:45+00:00"><link rel=canonical href=/posts/unifi-vlan-migration-to-zone-based-architecture/><link rel=preload href=/fonts/fa-brands-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-regular-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-solid-900.woff2 as=font type=font/woff2 crossorigin><link rel=stylesheet href=/css/coder.min.c8e4eea149ae1dc7c61ba9b0781793711a4e657f7e07a4413f9abc46d52dffc4.css integrity="sha256-yOTuoUmuHcfGG6mweBeTcRpOZX9+B6RBP5q8RtUt/8Q=" crossorigin=anonymous media=screen><link rel=stylesheet href=/css/coder-dark.min.a00e6364bacbc8266ad1cc81230774a1397198f8cfb7bcba29b7d6fcb54ce57f.css integrity="sha256-oA5jZLrLyCZq0cyBIwd0oTlxmPjPt7y6KbfW/LVM5X8=" crossorigin=anonymous media=screen><link rel=icon type=image/svg+xml href=/images/favicon.svg sizes=any><link rel=icon type=image/png href=/images/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/images/favicon-16x16.png sizes=16x16><link rel=apple-touch-icon href=/images/apple-touch-icon.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link rel=manifest href=/site.webmanifest><link rel=mask-icon href=/images/safari-pinned-tab.svg color=#5bbad5></head><body class="preload-transitions colorscheme-auto"><div class=float-container><a id=dark-mode-toggle class=colorscheme-toggle><i class="fa-solid fa-adjust fa-fw" aria-hidden=true></i></a></div><main class=wrapper><nav 
class=navigation><section class=container><a class=navigation-title href=/>Eric X. Liu's Personal Page
</a><input type=checkbox id=menu-toggle>
<label class="menu-button float-right" for=menu-toggle><i class="fa-solid fa-bars fa-fw" aria-hidden=true></i></label><ul class=navigation-list><li class=navigation-item><a class=navigation-link href=/posts/>Posts</a></li><li class=navigation-item><a class=navigation-link href=https://chat.ericxliu.me>Chat</a></li><li class=navigation-item><a class=navigation-link href=https://git.ericxliu.me/user/oauth2/Authenitk>Git</a></li><li class=navigation-item><a class=navigation-link href=https://coder.ericxliu.me/api/v2/users/oidc/callback>Coder</a></li><li class=navigation-item><a class=navigation-link href=/>|</a></li><li class=navigation-item><a class=navigation-link href=https://sso.ericxliu.me>Sign in</a></li></ul></section></nav><div class=content><section class="container post"><article><header><div class=post-title><h1 class=title><a class=title-link href=/posts/unifi-vlan-migration-to-zone-based-architecture/>UniFi VLAN Migration to Zone-Based Architecture</a></h1></div><div class=post-meta><div class=date><span class=posted-on><i class="fa-solid fa-calendar" aria-hidden=true></i>
<time datetime=2025-09-22T00:00:00Z>September 22, 2025
</time></span><span class=reading-time><i class="fa-solid fa-clock" aria-hidden=true></i>
5-minute read</span></div></div></header><div class=post-content><p>Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.</p><p>This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model.</p><h3 id=lesson-1-demystifying-the-native-vlan>Lesson 1: Demystifying the Native VLAN
<a class=heading-link href=#lesson-1-demystifying-the-native-vlan><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><p>The most significant source of initial problems was a fundamental misunderstanding of the &ldquo;Native VLAN&rdquo; setting on a switch port.</p><p><strong>The Misconception:</strong> It&rsquo;s easy to assume that the &ldquo;Native Network&rdquo; on a port should be set to the VLAN you want the connected device to be on. For example, if a switch should be on the &ldquo;corp&rdquo; network (VLAN 10), one might set its management VLAN to <code>corp</code> and the upstream switch port&rsquo;s Native Network to <code>corp</code> as well.</p><p><strong>The Reality:</strong> The Native VLAN on a trunk port has one specific purpose: it determines which VLAN <strong>untagged</strong> traffic belongs to. A trunk port carries traffic for multiple VLANs by adding an 802.1Q tag to each Ethernet frame. The one exception is traffic for the Native VLAN, which is sent <em>without</em> a tag, and any untagged frame arriving on the port is placed into the Native VLAN.</p><p>This leads to a critical rule: <strong>for a trunk link to function correctly, the Native VLAN must be the same on both ends of the connection.</strong> When they mismatch, the untagged management frames a downstream switch or access point sends are placed by the upstream switch into a different VLAN, where neither the gateway nor the controller is listening, and the device drops offline. A mismatch is also a segmentation failure, not just an outage: the two ports are silently bridging two VLANs that the design treats as separate. For the same reason the Native VLAN should be reserved for infrastructure traffic and never reused for a user network, since user ports sitting in a trunk&rsquo;s native VLAN are the precondition for 802.1Q double-tagging (VLAN hopping) attacks.</p><h3 id=lesson-2-the-power-of-a-dedicated-management-vlan>Lesson 2: The Power of a Dedicated Management VLAN
<a class=heading-link href=#lesson-2-the-power-of-a-dedicated-management-vlan><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><p>This realization about the Native VLAN led directly to the next critical architectural decision: isolating the network&rsquo;s control plane. The initial plan involved using VLAN 1 for a DMZ, but this is a significant security risk: VLAN 1 is the default VLAN on most switches, so every port belongs to it until configured otherwise and untagged frames on a trunk land in it, which makes anything placed there reachable from any port that was never explicitly assigned.</p><p><strong>The Best Practice:</strong> The industry-standard solution is to create a dedicated <strong>Management VLAN</strong>. This network&rsquo;s sole purpose is to be the home for the management interfaces of your router, switches, and access points.</p><p>The final, secure architecture was as follows:</p><ol><li>A new network, &ldquo;Management&rdquo; (e.g., VLAN 1, <code>192.168.1.0/24</code>), was created.</li><li>This network was assigned to its own &ldquo;Management&rdquo; firewall zone with highly restrictive rules.</li><li>All trunk ports connecting switches and access points were configured with &ldquo;Management&rdquo; as the <strong>Native VLAN</strong>.</li><li>All other user-facing VLANs (<code>corp</code>, <code>iot</code>, <code>dmz</code>) were configured as <strong>Tagged VLANs</strong> on these trunk ports.</li></ol><p>This isolates the network&rsquo;s control plane from the data plane: user devices cannot reach the management interfaces of the switches, access points, or controller unless a firewall rule explicitly allows it. One caveat follows from Lesson 1: because VLAN 1 is the untagged default, the design only holds if Management is the sole untagged network on every trunk and no user-facing port is left on VLAN 1. Where the hardware allows it, moving management to an unused VLAN ID and leaving VLAN 1 empty removes that dependency altogether.</p><h3 id=lesson-3-mastering-inter-vlan-communication>Lesson 3: Mastering Inter-VLAN Communication
<a class=heading-link href=#lesson-3-mastering-inter-vlan-communication><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><p>With traffic properly segmented at Layer 2, the next task was controlling communication at Layer 3. That is the job of the router and its firewall, and it surfaced a common problem: providing DHCP to clients when the server lives in a different VLAN.</p><p>DHCP DISCOVER and REQUEST messages are sent as broadcasts, and a router does not forward broadcasts between VLANs. The solution is a <strong>DHCP Relay</strong>.</p><ol><li>On the network configuration for a client VLAN (e.g., <code>corp</code>), the DHCP mode was changed from &ldquo;Server&rdquo; to &ldquo;Relay&rdquo;.</li><li>The IP address of the actual DHCP server was specified.</li></ol><p>This instructs the router to listen for DHCP broadcasts on the client VLAN, write its own address on that VLAN into the relay agent field (<code>giaddr</code>) of the message, and forward it as a unicast UDP packet to port 67 on the DHCP server. The server uses <code>giaddr</code> to pick the scope to allocate from and sends its reply back to the relay, which delivers it to the client. Two things must therefore be in place: the firewall must allow UDP port 67 between the gateway&rsquo;s address on the client VLAN and the DHCP server, and the DHCP server must be configured with a &ldquo;scope&rdquo;, a pool of addresses, for the client&rsquo;s subnet. With no scope matching <code>giaddr</code> the server ignores the relayed request, which from the client&rsquo;s side looks exactly like a firewall drop.</p><h3 id=the-final-architecture-a-zone-based-firewall-model>The Final Architecture: A Zone-Based Firewall Model
<a class=heading-link href=#the-final-architecture-a-zone-based-firewall-model><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><p>The culmination of these lessons is a network architecture defined by clear, logical zones, each with a distinct purpose and trust level. This model simplifies firewall management and provides a robust security posture that is easy to understand at a glance.</p><h4 id=network-zones-and-their-roles>Network Zones and Their Roles
<a class=heading-link href=#network-zones-and-their-roles><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>The final configuration groups the individual VLANs into distinct zones, forming the foundation of the security policy.</p><ul><li><strong>Internal:</strong> Contains the <code>corp</code> network. This is the most trusted zone for daily work.</li><li><strong>DMZ:</strong> Contains the <code>dns</code> and <code>prod</code> networks for semi-trusted, exposed services.</li><li><strong>IoT:</strong> Contains the <code>iot</code> network. This is a low-trust zone for smart devices.</li><li><strong>Management:</strong> Contains the <code>management</code> network. This is a highly privileged, isolated zone for network infrastructure.
<img src=/images/unifi-vlan-migration-to-zone-based-architecture/472bf0cd504f4cd7ab7a33cd3322a5f1.png alt="S3 File"></li></ul><h4 id=the-security-policy-matrix>The Security Policy Matrix
<a class=heading-link href=#the-security-policy-matrix><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>The true power of this model is realized in the firewall&rsquo;s zone matrix, which dictates the default traffic flow between each zone.
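The matrix as a lookup table, with the three properties the post reads off the screenshot written as checks that can be rerun after every policy change. This is an added example and not configuration or code from the post or from UniFi: zone membership follows the post and the management subnet <code>192.168.1.0/24</code> is the post's, while the other subnets, the exact contents of each matrix cell (including Internal as the single zone allowed into Management) and the two intra-zone rules are assumptions standing in for the values shown in the screenshots.

```python
import ipaddress
from typing import Optional

# Network -> (zone, subnet). Zone membership is the post's; only 192.168.1.0/24
# (management) is from the post, the other subnets are assumptions.
NETWORKS = {
    "corp":       ("Internal",   ipaddress.ip_network("10.0.10.0/24")),
    "dns":        ("DMZ",        ipaddress.ip_network("10.0.20.0/24")),
    "prod":       ("DMZ",        ipaddress.ip_network("10.0.21.0/24")),
    "iot":        ("IoT",        ipaddress.ip_network("10.0.30.0/24")),
    "management": ("Management", ipaddress.ip_network("192.168.1.0/24")),
}

# The zone matrix: source zone -> set of destination zones it may open connections to.
# Anything not listed is denied. The rows reconstruct what the post reads off its
# screenshot; cells it does not spell out (Internal -> IoT, and Internal -> Management
# as the single admin exception in an "almost entirely red" column) are assumptions.
# "External" is the internet; inbound exposure of DMZ services would be a separate
# port-forward rule, not a cell of this default matrix.
ALLOW = {
    "Internal":   {"Internal", "DMZ", "IoT", "Management", "External"},
    "DMZ":        {"DMZ", "External"},
    "IoT":        {"IoT", "External"},
    "Management": {"Management", "External"},
    "External":   {"External"},
}

# Granular rules inside a zone as (source, destination, destination port); a source of
# None means any host in the zone. A zone with an entry here is default-deny for
# traffic between its own networks. Both rules are hypothetical stand-ins for the
# post's "specific device -> Kubernetes load balancer" and "general DNS" rules.
INTRA_RULES = {
    "DMZ": [
        (ipaddress.ip_network("10.0.20.10/32"), ipaddress.ip_network("10.0.21.100/32"), 443),
        (None,                                  ipaddress.ip_network("10.0.20.53/32"),  53),
    ],
}


def locate(ip: str) -> tuple[str, str]:
    """Map an address to (network, zone); anything outside the known subnets is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, (zone, subnet) in NETWORKS.items():
        if addr in subnet:
            return name, zone
    return "internet", "External"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether src may open a connection to dst:dst_port under the zone policy."""
    src_addr, dst_addr = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    _, src_zone = locate(src_ip)
    _, dst_zone = locate(dst_ip)
    if src_zone != dst_zone:
        return dst_zone in ALLOW[src_zone]          # inter-zone: the matrix cell decides
    rules = INTRA_RULES.get(src_zone)
    if rules is None:
        return src_zone in ALLOW[src_zone]          # intra-zone, no granular rules: diagonal cell
    return any(                                     # intra-zone with granular rules: explicit allow only
        (src is None or src_addr in src) and dst_addr in dst and dst_port == port
        for src, dst, port in rules
    )


# The three properties the post reads off the matrix, as executable checks. The
# Management column check leaves out Internal, the assumed admin exception above.
INVARIANTS = [
    ("IoT may only reach the internet",
     lambda: ALLOW["IoT"] <= {"IoT", "External"}),
    ("DMZ cannot initiate connections to Internal",
     lambda: "Internal" not in ALLOW["DMZ"]),
    ("Management is isolated from user-facing zones",
     lambda: not (ALLOW["Management"] & {"Internal", "DMZ", "IoT"})
             and all("Management" not in ALLOW[z] for z in ("DMZ", "IoT", "External"))),
]


def violations() -> list[str]:
    """Names of the invariants the current matrix breaks; empty means the policy still holds."""
    return [name for name, holds in INVARIANTS if not holds()]


if __name__ == "__main__":
    print("violations:", violations() or "none")
    for flow in [("10.0.30.7", "10.0.10.5", 22),      # iot -> corp: blocked
                 ("10.0.30.7", "8.8.8.8", 53),        # iot -> internet: allowed
                 ("10.0.21.5", "10.0.10.5", 445),     # prod -> corp: blocked (no pivot out of the DMZ)
                 ("10.0.21.5", "10.0.20.53", 53),     # prod -> dns resolver: allowed by intra-zone rule
                 ("10.0.21.5", "10.0.20.53", 22),     # prod -> dns host over SSH: no rule, blocked
                 ("192.168.1.2", "10.0.10.5", 22)]:   # management -> corp: blocked
        print(flow, "ALLOW" if evaluate(*flow) else "DENY")
```

Running the file prints the invariant check and a handful of decisions. The useful part is the second half: a policy change that breaks one of the three properties, say adding <code>Internal</code> to the <code>IoT</code> row, surfaces as a named violation instead of a surprise in the matrix screenshot, and the intra-zone rules show why a semi-trusted zone still needs explicit allows rather than relying on the diagonal cell.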
<img src=/images/unifi-vlan-migration-to-zone-based-architecture/663d732d14fc4fa8ad051c6926523efb.png alt="S3 File"></p><p>The matrix governs new connections: each cell says whether the row&rsquo;s zone may initiate traffic into the column&rsquo;s zone, and because the firewall is stateful, replies to an allowed connection return regardless of the reverse cell. Read that way, it enforces the desired security policy with three high-level rules:</p><ul><li><strong>Complete IoT Isolation:</strong> The <code>IoT</code> row shows that devices in this zone are blocked from initiating any communication with any other internal zone. Their only allowed path is out to the internet.</li><li><strong>Protected Management Plane:</strong> The <code>management</code> row and column are almost entirely red. The critical network infrastructure is blocked from initiating contact with any user-facing zone, and vice-versa, following the principle of least privilege.</li><li><strong>Controlled DMZ Access:</strong> The <code>DMZ</code> is prevented from initiating connections to the trusted <code>Internal</code> zone, so a compromised public-facing server cannot be used as a pivot point to attack internal devices.</li></ul><h4 id=granular-intra-zone-control>Granular Intra-Zone Control
<a class=heading-link href=#granular-intra-zone-control><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>Beyond the high-level zone policies, the configuration also implements granular rules to control traffic <em>within</em> a single zone, providing defense-in-depth.</p><p>These rules explicitly define the communication paths between services. For instance, rules allow a specific device to access a Kubernetes load balancer while another rule allows general DNS access within the zone. This ensures that even within a semi-trusted zone, services can only communicate in expected and necessary ways, further reducing the potential attack surface.</p><p>By adhering to these principles, what began as a day of frustrating troubleshooting evolved into a robust, layered, and logically segmented network that balances simplicity with strong security practices.</p><hr><h3 id=references>References
<a class=heading-link href=#references><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><ul><li><a href=https://help.ui.com/hc/en-us/articles/7258465146519-Troubleshooting-UniFi-Device-Connectivity class=external-link target=_blank rel=noopener>Troubleshooting UniFi Device Connectivity</a></li><li><a href=https://help.ui.com/hc/en-us/articles/9592924981911-Virtual-Network-VLAN-Troubleshooting class=external-link target=_blank rel=noopener>Virtual Network (VLAN) Troubleshooting</a></li></ul></div><footer><div id=disqus_thread></div><script>window.disqus_config=function(){},function(){if(["localhost","127.0.0.1"].indexOf(window.location.hostname)!=-1){document.getElementById("disqus_thread").innerHTML="Disqus comments not available by default when the website is previewed locally.";return}var t=document,e=t.createElement("script");e.async=!0,e.src="//ericxliu-me.disqus.com/embed.js",e.setAttribute("data-timestamp",+new Date),(t.head||t.body).appendChild(e)}(),document.addEventListener("themeChanged",function(){document.readyState=="complete"&&DISQUS.reset({reload:!0,config:disqus_config})})</script></footer></article><link rel=stylesheet href=https://cdn.jsdelivr.net/npm/katex@0.16.4/dist/katex.min.css integrity=sha384-vKruj+a13U8yHIkAyGgK1J3ArTLzrFGBbBc0tDp4ad/EyewESeXE/Iv67Aj8gKZ0 crossorigin=anonymous><script defer src=https://cdn.jsdelivr.net/npm/katex@0.16.4/dist/katex.min.js integrity=sha384-PwRUT/YqbnEjkZO0zZxNqcxACrXe+j766U2amXcgMg5457rve2Y7I6ZJSm2A0mS4 crossorigin=anonymous></script><script defer src=https://cdn.jsdelivr.net/npm/katex@0.16.4/dist/contrib/auto-render.min.js integrity=sha384-+VBxd3r6XgURycqtZ117nYw44OOcIax56Z4dCRWbxyPt0Koah1uHoK0o4+/RRE05 crossorigin=anonymous onload='renderMathInElement(document.body,{delimiters:[{left:"$$",right:"$$",display:!0},{left:"$",right:"$",display:!1},{left:"\\(",right:"\\)",display:!1},{left:"\\[",right:"\\]",display:!0}]})'></script></section></div><footer class=footer><section class=container>©
2016 -
2025
Eric X. Liu
<a href="https://git.ericxliu.me/eric/ericxliu-me/commit/2b2203c">[2b2203c]</a></section></footer></main><script src=/js/coder.min.6ae284be93d2d19dad1f02b0039508d9aab3180a12a06dcc71b0b0ef7825a317.js integrity="sha256-auKEvpPS0Z2tHwKwA5UI2aqzGAoSoG3McbCw73gloxc="></script><script defer src=https://static.cloudflareinsights.com/beacon.min.js data-cf-beacon='{"token": "987638e636ce4dbb932d038af74c17d1"}'></script></body></html>