Meraki VLANs with Unifi network
Posted by RazaDazza@reddit | sysadmin | 11 comments
This may just be a general networking question but figured I'd post it here. This is my first sysadmin job and I have no certs (Yikes, I know). I wasn't working in IT before, it's always been a hobby, and I was a benchtech/helpdesk during college for a couple years. Not a complete moron. I know just enough to get myself into trouble.
Some context before the question. I'm a tenant in an office building that we previously owned and managed so we are still managing all the IT services for the building. We are a healthcare company with servers on site containing patient data. We have our own DNS server here and site-to-site tunneling to 5 other locations.
Topology: ISP > MX105 > splits here into MS130-24P (my network) and USW Pro-48 (other tenants) > Gen2 Cloudkey, 14 Unifi APs, PowerEdge-48
I recently changed this while upgrading from a MX100 to a MX105 because I had a rogue client assigning DHCP that, when I dug into it, ended up being a TP-Link wifi extender someone had brought in. I don't want things like that putting my servers at risk. Before, the network was all together, and while switching I set up the network so everyone else is on separate hardware from us. I then created a VLAN assigned to the port the USW connects to. I also set it to Google DNS instead of our DNS server.

This created a lot of DHCP issues for the other tenants. People hardwired to the network had no issues but the Unifi APs had no internet. I did some googling and saw that I also need to change the VLANs for the wireless SSIDs to the same VLAN ID. I did that but people were still having DHCP issues. It worked for some, didn't for others.

This is where I need help. Do I need to set the VLAN ID per port on the two Unifi switches as well? I tried this and then lost communication with the switches. I'm not sure if that means uplink ports need to be on default 1 as well, since that's how Unifi communication goes out? The landlord also has a camera system that couldn't pull DHCP when I changed this, so I reverted it all since I didn't want to mess that up for him. Anyways, this is new to me. I've never had to mess with VLANs or had to do intra-network VLAN assignments. What is the cleanest way for me to segment their network from ours?
stufforstuff@reddit
Unifi kiddie toys on a SHARED medical network - you are a HIPAA lawyer's wet dream. You need to AIR GAP ISOLATE the two businesses ASAP.
RazaDazza@reddit (OP)
That's the idea here buddy. Thanks for the help.
stufforstuff@reddit
1) don't use Unifi anything in a business environment - it's consumer grade equipment with consumer grade features with zero zip nadda tech support.
2) NEVER share a network between a medical network (under HIPAA regulations) and a business network. You need to SEPARATE the two networks (i.e. AIR GAP).
Get TWO internet services, one for you and one for the business you apparently share a building with. Each business needs their own Firewall. For isolation, there can be NO overlap (no sharing of any devices, network subnets, anything).
There - is that clear enough???
RazaDazza@reddit (OP)
1) The Unifi equipment isn't mine. I don't use Unifi. That's the landlord's wifi setup. My office is all hardwired and we use Meraki for our switch and firewall.
2) All accessible HIPAA information is server side, locked behind AD access (no one in the building is an AD user besides us), and only assigned to specific users in AD who access it via RDP. So no one intra-network can access it unless given access or via stolen credentials.
There is no regulation requiring two ISPs even if it may be best practice. VLANs and firewall rules to prevent traffic between is within regulations. The only HIPAA related information on site is previous patient data that we are required to hold on to for a certain amount of time. We are a management company, not a care provider. Providers are their own sites with their own networks.
Thank you for your incredibly condescending response to my question, on which you provided zero helpful input, as my question was about VLANs, not about "should I do this", as I am already aware I need to.
stufforstuff@reddit
You are CLUELESS about HIPAA Compliance. You have TWO NETWORKS behind one firewall - that is a violation (fines start at $15000 and go up quickly). Who your AD users are doesn't matter, network access to that server is what matters. I could care less about your VLAN problem - if you're not going to air gap your medical network you're screwed.
But you do you - it's not my money that will get fined out of existence.
thortgot@reddit
VLAN segmentation is commonly done in HIPAA environments. You don't need an air gap to segment the environments.
Can you structure it that way? Yes. That doesn't make it a requirement though.
stufforstuff@reddit
So you would trust passing a HIPAA Compliance audit with a shared network BEHIND a shared firewall with only poorly configured VLANs on a Fisher Price Unifi rig? Good luck with that.
Moontoya@reddit
IIRC you can't set up VLANs on Unifi switches/APs without using a Unifi USG router.
Best staying on all Meraki IMHO.
Broad-Celebration-@reddit
You don't say anything about DHCP. Where does your DHCP live? Is there DHCP configured on the new VLAN you created? What do you mean it works for some? Certain devices on Unifi APs work? Are the devices that get DHCP on the same APs? Are the port configurations for all the APs identical? What VLAN are the wired ports on the Unifi switch configured for that are working?
RazaDazza@reddit (OP)
DHCP server is the MX105. DHCP was being handed out to some clients on the same APs and not to others. VLAN was set to the same native VLAN ID as the port I set on the MX105.
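As an added illustration (not code from this thread, nor from Meraki or Ubiquiti), a small Python model of how a VLAN is carried hop by hop from an AP through the Unifi switch to the MX. It shows why the SSID VLAN has to be tagged on every port along the path to the MX scope, and why forcing a per-port native VLAN on the Unifi switch ports cuts the untagged management VLAN between the APs and the controller, which is the "lost communication with the switches" symptom. Port names, VLAN numbers and the three layouts are constructed, and the 802.1Q handling is simplified (untagged frames take the receiver's native VLAN; tagged frames pass only if allowed on both ends).

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Port:
    name: str
    native: int                        # untagged VLAN on this port
    allowed: frozenset = frozenset()   # VLANs carried tagged (trunk); empty means access port
def cross_link(vlan, egress, ingress):
    """VLAN a frame lands in after leaving `egress` and entering `ingress`; None if dropped."""
    if vlan == egress.native:
        return ingress.native          # sent untagged: receiver classifies it by its own native VLAN
    if vlan in egress.allowed and vlan in ingress.allowed:
        return vlan                    # tagged and allowed on both ends of the link
    return None                        # tagged but not allowed on one side: dropped
def trace(vlan, links):
    for egress, ingress in links:      # (egress, ingress) port pairs in path order
        vlan = cross_link(vlan, egress, ingress)
        if vlan is None:
            return None
    return vlan
def check(wifi_vlan, mgmt_vlan, client_links, mgmt_links, dhcp_scopes):
    """Problems with a wifi VLAN reaching the DHCP scope and the management VLAN reaching the controller."""
    problems = []
    arrived = trace(wifi_vlan, client_links)
    if arrived is None:
        problems.append(f"wifi VLAN {wifi_vlan} is dropped before reaching the DHCP server")
    elif arrived not in dhcp_scopes:
        problems.append(f"wifi traffic lands in VLAN {arrived}, which has no DHCP scope")
    if trace(mgmt_vlan, mgmt_links) != mgmt_vlan:
        problems.append(f"management VLAN {mgmt_vlan} does not reach the controller")
    return problems
def scenarios():
    out = {}
    # 1) Constructed: MX port made an access port on VLAN 20; Unifi ports left at native 1 with 20 tagged.
    ap, sw_ap = Port("ap", 1, frozenset({20})), Port("usw-ap-port", 1, frozenset({20}))
    sw_up, mx = Port("usw-uplink", 1, frozenset({20})), Port("mx-port", 20)
    ck_port, ck = Port("usw-ck-port", 1), Port("cloudkey", 1)
    out["mx access port"] = check(20, 1, [(ap, sw_ap), (sw_up, mx)], [(ap, sw_ap), (ck_port, ck)], {20})
    # 2) VLAN 20 forced as native on the Unifi AP port and uplink: untagged AP management lands in 20.
    sw_ap2, sw_up2 = Port("usw-ap-port", 20), Port("usw-uplink", 20)
    out["unifi native 20"] = check(20, 1, [(ap, sw_ap2), (sw_up2, mx)], [(ap, sw_ap2), (ck_port, ck)], {20})
    # 3) Consistent trunks: management native 20 on every hop, wifi tagged 30, MX scopes for both.
    ap3, sw_ap3 = Port("ap", 20, frozenset({30})), Port("usw-ap-port", 20, frozenset({30}))
    sw_up3, mx3 = Port("usw-uplink", 20, frozenset({30})), Port("mx-port", 20, frozenset({30}))
    ck3_port, ck3 = Port("usw-ck-port", 20), Port("cloudkey", 20)
    out["consistent trunks"] = check(30, 20, [(ap3, sw_ap3), (sw_up3, mx3)], [(ap3, sw_ap3), (ck3_port, ck3)], {20, 30})
    return out
```

Run `scenarios()` to see the first two layouts report a dropped wifi VLAN and a cut management path, and the third report nothing; the same walk applies to the landlord's cameras on whichever switch port they use.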
HugeConfusion9505@reddit
I had to do a similar setup but I used the dream machine as my controller. If you go into settings and networks just add a network and assign it the subnet then set DHCP as relay. Add your DHCP server to it so it knows where to send that traffic and then assign it to the individual ports on your switch. To keep two different networks from butting heads set your profile as the newly created network and select block all for other vlan traffic.