At Layer 2, enterprise networks rely on VLANs to logically isolate user traffic into the desired network segments, for example to separate users who require different levels of network access. For enterprise networking, UniFi identifies two user types, Corporate and Guest, which are treated as sending trusted and untrusted traffic, respectively.
Note: Regardless of user type, Bandwidth Controls should almost always be assigned to Wireless Stations, and are configured in UniFi User Groups.
|Figure A - Enterprise Network Topology for UniFi Devices / User Types (Corporate & 'Guest', where Admin is a type of 'Corporate' user in a separate VLAN, 10).|
By default, UniFi places no restrictions on ‘Corporate’ User traffic, since it is assumed to belong to a trusted Enterprise user. For example, the Admin users in the MGMT VLAN would still be placed into a 'Corporate' network type, albeit a separate VLAN, as shown here (VLAN 10).
Note: Despite no default restrictions for Corporate Users, the Ubiquiti Deep Packet Inspection engine provides administrative insight into all User Traffic sent over the UniFi Network.
|Figure B - UniFi Networks created for the purpose of varying User types ('Corporate' = Trusted & Admin/MGMT users, 'Guest' = untrusted users).|
In comparison to trusted Corporate user traffic, Guest user traffic by default receives a few important restrictions, including:
- Pre- and Post-Authorization Access controls for the RFC 1918 private LAN IP ranges, as configured under the Guest Control settings tab.
- Client Isolation, which means local traffic, such as Layer-2 broadcasts or unicast messages between Guests on the same local network, is blocked. By default, this means that guest traffic is only intended to pass upstream or downstream, such as for Internet use.
The pre/post authorization access controls refer to the network ranges that Guest users can send traffic to, either before or after they are Authorized to use the network. With the Guest Portal active, Guest Authorization occurs once the Guest authenticates via an admin-defined method. With the Guest Portal inactive, Guest Authorization occurs automatically.
By default, the Post-Authorization Restrictions prevent access to all IP addresses reserved for internal networks. In summary, with default Guest Controls left untouched, the UniFi system only trusts Guests to use the Network for the purpose of Internet access.
|Figure C - Pre/Post Authorization Access Controls available in UniFi Guest Control Settings panel.|
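To make the pre/post-authorization semantics concrete, the following is an added example (not UniFi's code, and a simplified model of its behaviour) that evaluates whether a Guest-originated flow is permitted. It assumes that before authorization only the explicitly allowed pre-authorization subnets are reachable, that after authorization everything outside the post-authorization restricted list (RFC 1918 by default) is reachable, and that an inactive portal authorizes every Guest automatically; the class name, the `permits` method, and the sample flows are all constructed for this illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Default post-authorization restriction list: the three RFC 1918 private
# ranges, which the page states Guests cannot reach once authorized.
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


class GuestAccessPolicy:
    """Simplified model (an assumption, not UniFi's implementation) of the
    Guest Control pre/post-authorization access rules."""

    def __init__(self, pre_auth_allow: Iterable[str] = (),
                 post_auth_restrict: Iterable[str] = RFC1918_RANGES,
                 portal_active: bool = True):
        self.pre_auth_allow = [ip_network(n) for n in pre_auth_allow]
        self.post_auth_restrict = [ip_network(n) for n in post_auth_restrict]
        self.portal_active = portal_active

    def permits(self, dst: str, authorized: bool) -> bool:
        addr = ip_address(dst)
        # With the Guest Portal inactive, authorization is automatic.
        if not self.portal_active:
            authorized = True
        if not authorized:
            # Pre-authorization: only explicitly allowed subnets are reachable;
            # everything else, Internet included, is blocked (assumption).
            return any(addr in net for net in self.pre_auth_allow)
        # Post-authorization: anything outside the restricted list is allowed,
        # which with the default list means Internet-only access.
        return not any(addr in net for net in self.post_auth_restrict)


def evaluate_flows(policy: GuestAccessPolicy,
                   flows: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, str, bool, str]]:
    """Return (src, dst, authorized, verdict) for each constructed flow."""
    return [(src, dst, auth, "allow" if policy.permits(dst, auth) else "deny")
            for src, dst, auth in flows]


# Constructed sample flows: (guest source, destination, authorized?)
SAMPLE_FLOWS = [
    ("192.168.50.20", "8.8.8.8", False),       # unauthorized guest -> Internet
    ("192.168.50.20", "8.8.8.8", True),        # authorized guest -> Internet
    ("192.168.50.20", "192.168.1.10", True),   # authorized guest -> corporate LAN
    ("192.168.50.20", "10.0.10.5", False),     # unauthorized guest -> MGMT VLAN 10
]

if __name__ == "__main__":
    for row in evaluate_flows(GuestAccessPolicy(), SAMPLE_FLOWS):
        print(row)
```

Note the edge case the model makes visible: a subnet added to the pre-authorization allow list is still blocked after authorization if it remains in the post-authorization restricted list, so an admin who wants Guests to keep reaching an internal host after login must adjust both lists.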