The last time I covered this was in mid-2023, with version 7.4 of the UniFi Network application, shortly after they changed the way you set port profiles and VLANs by adding an option called traffic restrictions and removing what used to be the "All" network, which was essentially a trunk port. Now it's November of 2023 and we're going to be using UniFi version 7.5.187, the latest available right now. I'm going to show you how to set those traffic restrictions up and what happens when you don't set them up properly, which is essentially that you allow VLAN hopping: without the traffic restrictions, just setting the VLAN on the port means the other VLANs will still pass through that port. That's an important distinction, because you don't want to set these things up insecurely. So let's get started.

The first thing I want to cover is when to and when not to use these traffic restrictions. By default, when you take a brand-new, out-of-the-box UniFi switch, adopt it and get all the firmware up to date, its ports are going to have no traffic restrictions, which is what you want for starting out.

When you have the uplink coming from your firewall (in my example I'm using pfSense, but this applies to whichever firewall you're using that can pass VLAN traffic, or even one of the UniFi gateways), you come out of one of the LAN ports with the VLAN tags attached. In this case it's the port I've labeled igc2 in my pfSense. You want the port that uplinks to the first switch set to no traffic restrictions if you want all of the VLANs that are defined both in the firewall and inside the UniFi system to pass. Of note: long ago UniFi used to pass all VLANs even if they weren't defined. They've changed this, and unless they've changed it back, to my knowledge they will only pass defined VLANs. So if you define VLANs in your firewall, you will always have to define them again in the UniFi controller to get them to pass along to the next port. If you're using a UniFi gateway, they're defined at the same time, so it's not as big of a deal.

Next, when you're connecting any two switches together, the ports between those switches should be set to pass everything. If they're UniFi switches this is the default, and the reason is that when the VLANs defined in your firewall are passed along to the first switch, and you have another switch down the line that you want all of those VLANs to reach, no traffic restrictions should exist between them. If you want to restrict traffic (and we'll be talking about that), you may not want some VLANs to go to another switch, but that's usually not the case. Usually you want all of your switches the same and you restrict at the port level of each switch. The final note is that if you're going to a non-UniFi switch, it's the same answer again. Say you're going from a UniFi switch to a Cisco switch: on the Cisco side set the port as a trunk carrying all VLANs, and on the UniFi side do the same thing, no traffic restrictions.

The same thing goes for access points. You can think of the restrictions on access points a little differently, because by default, yes, it'll work fine if you send all of the VLANs, but maybe you want to restrict what goes out to your SSIDs because there are some VLANs you'll never broadcast there. To be more locked down you might send only the VLANs that the access points will actually use. If you leave them all, they will definitely work. It's always good to start with everything allowed, and then, once you know you have a working config, work backwards and restrict the things you're not using. That's a side note; it's up to you, but the default port settings will work.

Now let's talk about when to use traffic restrictions and where it's really important, and we're going to get to the demo to show you exactly where these settings are. In this scenario, if we have a computer, a camera, any device attached to a specific port, this is definitely where you want to use traffic restrictions, because the goal is to set that port to only the VLAN you want it to access. Take cameras as the example: maybe you want to have a camera LAN, and that VLAN with the cameras is going to be restricted to only the things you want it to talk to. You don't want traffic restrictions turned off on that port, because then someone could plug into it and, even though it would by default put them on the camera network, the switch is actually still sending all of the other VLANs to that port if you don't set the traffic restrictions.

Let's show you how this works by setting it up directly in the port manager inside UniFi. We're going to click on my USW-24-PoE and go to the port manager, and we're going to demo this with port 14, which I have labeled "port testing VLAN" and set to Default. One thing I really want to note, especially if it's hard to see, is the little scroll bar right here. I don't know why they made this scroll bar as thin and hard to grab as they did, but this has caused confusion where people can't see the traffic restrictions, because when you click the network it drops down below, and it's a little hard to see. If you don't think you have the option, just scroll up and down and look for this little bar.

Right now traffic restrictions are turned off because the port is set to Default. Let's say we wanted it to be CamLAN 60, my camera network. If we set it here but don't set any traffic restrictions, this will not just switch it so the default (native) VLAN is 60; it will still send all of the other VLANs. The way we stop this is with the traffic restrictions: we can choose Block and select which networks we're blocking, or choose Allow and only allow certain networks. You can hit Allow and leave it blank and it'll actually work that way, because you've selected nothing, so you're allowing nothing. But blocking all the networks is the more logical way to do this, and they do have a Block All option right here, so hit Block All and Apply. Now we've restricted the port to exactly what we want it to do.

This is my demo computer plugged into this port; it just refreshes the local address when the address changes. It's at 192.168.60.102, and .60 is my camera network, so this is on my camera network like we'd expect. If I try to select another network, say I try to VLAN hop to my 777 management network by choosing it, we see it just says local address 127.0.0.1, because I've told the switch no, you can't get any other VLANs. Let's test what happens when we turn off traffic restrictions: back over to port 14, uncheck the box for traffic restrictions, hit Apply, give it a second to refresh the switch, and now the system is able to VLAN hop and grab an address on my management network at 107777.1, simply because I turned the traffic restrictions off.

Now we can build this out slightly differently: choose CamLAN 60 but set traffic restrictions to Allow and be explicit, allowing just one more network. We have Tom's management VLAN, and we don't want the management VLAN on there, but what if we wanted the 337 network on there? So we send CamLAN as the default and also add that network, apply the changes, and now you see the system can get a local address of 192.168.13.100, because that is the VLAN's subnet. If we go back to the normal network, it goes back to the CamLAN network by default. Let's try to VLAN hop over to our management network, and we can see that it fails.

This is why it's so important: if you want any particular device to only get access to the network you segment it to, such as the cam network in this case, make sure traffic restrictions are on, set to Block, choose Block All and apply the changes. Having Block All on is critical to making sure the only network accessible on that port is the one you chose as the primary network.

One more thing worth noting is that you can change your default network name even if you don't have a UniFi gateway. This used to be an editable field; it's no longer editable in the new UI, but you can edit it in the old UI. So if you switch back to the old UI you can change the name of your default network if you want to. I bring it up because you may have noticed that some of mine are changed in videos you've seen; I used to be able to change them, and now I can only change them in the old UI. Just something worth noting.

Like and subscribe if you want to see more content from the channel. Also head over to my forums if you want the script I use to display the colorful IP address. I thought it was kind of novel, something I was playing with, but I'll leave a link in the forums where you can copy and paste that code; it's just a little bash script that was in my Debian VM for this demo. If you want to connect with me on the socials, head over to lawrencesystems.com, where you can connect with whatever socials you find me on. Thank you.
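The misconfiguration demonstrated above (a non-default native VLAN on an access port with traffic restrictions left off) is easy to miss in a controller with many ports. The script below is an added example, not code from the video or from Lawrence Systems, that models the port-profile semantics the video describes (no restriction passes every defined VLAN; Allow passes only the listed ones, with an empty list passing nothing extra; Block All passes only the native VLAN) and audits a list of ports for two problems: access ports that carry anything beyond their native VLAN, and uplinks that drop defined VLANs. The dict layout, the `role` field and the sample ports are assumptions made for this script, not the UniFi Network API or its export format.

```python
"""Audit UniFi-style port profiles for the VLAN-hopping misconfiguration
described in the video: a non-default native VLAN with traffic restrictions
off still trunks every defined VLAN to whatever is plugged into that port.

Added example. The data model (dicts with 'name', 'native', 'restriction',
'role') is an assumption made for this script, not the UniFi API.
"""

# Constructed sample: every VLAN the controller knows about. Per the video,
# UniFi only passes VLANs defined in the controller, so this bounds what any
# port can carry.
DEFINED_VLANS = {1: "Default", 13: "Net 13", 60: "CamLAN 60", 777: "Management"}


def effective_vlans(port, defined=DEFINED_VLANS):
    """Return the set of VLAN IDs that reach the device on this port.

    restriction None            -> native untagged plus every defined VLAN tagged
    ('allow', [ids])            -> native plus only the listed VLANs
                                   (an empty allow list passes only the native)
    ('block', [ids])            -> native plus everything not listed
    ('block_all',)              -> native VLAN only
    """
    native = port["native"]
    mode = port.get("restriction")
    if mode is None:
        return set(defined)
    kind = mode[0]
    if kind == "allow":
        return {native} | (set(mode[1]) & set(defined))
    if kind == "block":
        return {native} | (set(defined) - set(mode[1]))
    if kind == "block_all":
        return {native}
    raise ValueError(f"unknown restriction {mode!r}")


def audit(ports, defined=DEFINED_VLANS):
    """Flag ports whose effective VLAN set contradicts their role.

    role 'access': one end device (camera, PC); any VLAN beyond the native
        one is reachable by whoever plugs into that jack.
    role 'uplink': firewall-to-switch or switch-to-switch; every defined
        VLAN must pass or downstream ports silently lose networks.
    Returns (port name, finding, sorted VLAN IDs) tuples.
    """
    findings = []
    for port in ports:
        carried = effective_vlans(port, defined)
        extra = carried - {port["native"]}
        if port["role"] == "access" and extra:
            findings.append((port["name"], "carries VLANs beyond native", sorted(extra)))
        elif port["role"] == "uplink":
            missing = set(defined) - carried
            if missing:
                findings.append((port["name"], "uplink drops defined VLANs", sorted(missing)))
    return findings


# Constructed ports mirroring the video's demo states (hypothetical names).
SAMPLE_PORTS = [
    {"name": "igc2 uplink", "native": 1, "restriction": None, "role": "uplink"},
    {"name": "port 14 (no restriction)", "native": 60, "restriction": None, "role": "access"},
    {"name": "port 14 (block all)", "native": 60, "restriction": ("block_all",), "role": "access"},
    {"name": "port 14 (allow 13)", "native": 60, "restriction": ("allow", [13]), "role": "access"},
    {"name": "switch uplink (misconfigured)", "native": 1, "restriction": ("block_all",), "role": "uplink"},
]

if __name__ == "__main__":
    for name, finding, vlans in audit(SAMPLE_PORTS):
        print(f"{name}: {finding}: {vlans}")
```

Run against the sample, the unrestricted port 14 is reported as carrying VLANs 1, 13 and 777 in addition to its native 60 (the hop to the management network shown in the video), the Block All variant is clean, the Allow variant correctly shows only 13 as extra, and the uplink that was mistakenly set to Block All is reported as dropping every other defined VLAN.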