We have invested in quite a bit of Unifi switching (USW-Pro-48-PoE and close range) and love it by the way. I’m using a Linux built CloudKey.
We are split across two sites by a layer 3 switch doing the routing for the 2nd site. (not VPN).
on our main site we have a HP 3800fibre switch that i would like to replace with a USW-AGGREGATION-PRO.
This HP switch also does the routing for all our 1st site (firewall vlan etc…) so guess would need two of my question.
My question is do we get a Dream Machine (or 2) to replace our layer 3 switches, or do we get USGs? I’m concerned of buying the wrong thing. We have 1200 users and although not using UniFi wifi, almost all users have a 2nd device so the number is higher. (a 3rd of users are at the 2nd site).
currently 7 switches on 2nd site and 27 switches on the main.
I hear leaving the cloudkey on linux would allow more resources to be assigned, as hardware cloudkeys have limits due to spec.
any advise and happy to give more detail where required.
We like the UniFi switches but we don’t recommend any UniFi routing equipment such as UDM or USG, use something else such as pfsense for router/firewall. Running the UniFi controller software on Linux makes the most sense to me, that is how we do it.
On your Layer 3 switch today, do you have any ACLs set up so that certain things in one subnet cannot connect to certain things in another subnet?
Things to be aware with Unifi Layer 3 switching:
There are no ACLs today - the hardware supports it, but there is no GUI to program them, and no indication from Ubiquiti that they plan to work on it
When you set up your first L3 network assigned to a switch, Unifi auto-creates another network (subnet and VLAN) for communication between the L3 switch and the router. If not using a Unifi router, then you MUST create this VLAN and subnet on your router manually. The L3 switch will be programmed to use the first IP in this subnet as its default gateway, so the first IP is what your router needs to have. The specifics of this “Inter-VLAN Routing” network are here https://help.ui.com/hc/en-us/articles/360042281174-UniFi-USW-How-to-Enable-L3-Routing-on-UniFi-Switch
I believe controller 6.2 added static routes for L3 switches, but they definitely do not have any dynamic routing protocols.
Regarding your earlier question, the UDM/UDM-Pro runs its own controller and can only be managed by itself. There is a Beta product UXG-Pro which is the UDM-Pro minus the HDD and switch, that can be adopted to external controllers. That has been in Beta for a very long time, and is stable and ready for general release, so the fact that it isn’t makes people suspect that it never will be. It is a lot more stable than some other products that were rushed from EA to GA.
Another thing to consider while thinking about Unifi L3 switches:
Do you have your two sites as separate Sites in the Unifi controller, or a single Site?
The L3 switch will only be in one Site, so if you have two you would need to duplicate any networks from the other one in order for it to create the appropriate VLANs and interfaces.
Unifi has an assumption that Sites aren’t connected together on the LAN side, that each Site has its own internet connection(s). It may get weird with Clients and other data if you did go with a Unifi Agg switch but have two Sites.
I don’t want Microsoft running my routing
I thought the routing service had been in windows for a long time. i might have a look just so i know its limits. – Thanks
It may have come in with 2008R2, but think 2012 or 2012R2 was when they really started talking about it. And I agree, not the best choice but a possible option.
We do a LOT of Unifi networks…switches, and APs…and point to point/point to multi point stuff.
However, we prefer to use full UTMs at the edge, our “go to” is Untangle. We used to do a bit of PFSense in the old days. Ubiquitis gateways are…a notch above a basic NAT router like any old home grade Stinksys or DStink or TPStink or Nutgear…with a tiny bit of “wanna-be UTM” features, and the way they integrate into the switches and APs so you get a really cool management interface with the Unifi controller, they are lacking in “routing” features.
