still confused on when to use Groups vs networks

Comments

    Michael Bierman

    Generally all devices in Groups have the same rules. Think of them as a “super device” that you can use to easily apply the same rules to an entire set of devices. Since you can’t cut and paste rules, this is great.

    You can also apply rules to all devices on the same subnet, but it is not always the case that devices on the same subnet have the same rules. Often they don’t. This is one way that Groups and subnets differ.

    Almost always, the reason to put devices on a separate subnet is to keep them from having access to other devices or to keep other devices from having access to them. That doesn’t hold with Groups. Groups can’t stop devices from seeing each other, only subnets can.

    With Groups and subnets you make rules that allow/block access to the WAN, but you can't make rules to block/allow devices on the same network to see each other. You can, however, make rules to allow/block a device or Group from accessing another subnet.

    The fact that Groups can include devices in different subnets can be confusing, but it can also serve a purpose. As long as you understand how it works, it is fine. As a practice, I don't include devices that span subnets, but there are legitimate use cases for that.

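The access semantics the comment above describes (same-subnet traffic is always reachable regardless of rules; WAN and cross-subnet traffic is governed by rules that can target a device, a Group, or a subnet; a Group is just a set of devices that may span subnets) can be made concrete with a small policy model. The following is an added example written for this page; it is not Firewalla code and does not describe how its rule engine actually evaluates rules. The device names, addresses, Group name `no_internet`, first-match rule ordering and the `allow` default are all assumptions made for the illustration.

```python
"""Toy model of the Groups-vs-subnets semantics from the comment above.

Constructed illustration, not Firewalla code. Assumed semantics:
  * devices on the same subnet can always reach each other; no rule changes that
  * traffic that crosses a subnet boundary or goes to the WAN is decided by rules
  * a rule can target one device, a Group, or a whole subnet (CIDR)
  * a Group is just a set of device names and may span subnets
  * first matching rule wins; no match falls back to the policy default (assumption)
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

WAN = "wan"  # sentinel destination meaning "the Internet"


@dataclass(frozen=True)
class Device:
    name: str
    ip: str


@dataclass
class Rule:
    action: str   # "allow" or "block"
    target: str   # device name, Group name, or subnet CIDR (the source side)
    dst: str      # destination subnet CIDR, or WAN


@dataclass
class Policy:
    subnets: list[IPv4Network]
    groups: dict[str, set[str]] = field(default_factory=dict)
    rules: list[Rule] = field(default_factory=list)
    default: str = "allow"  # assumed default when no rule matches

    def subnet_of(self, dev: Device) -> IPv4Network:
        addr = ip_address(dev.ip)
        for net in self.subnets:
            if addr in net:
                return net
        raise ValueError(f"{dev.name} ({dev.ip}) is in no known subnet")

    def _matches_target(self, dev: Device, target: str) -> bool:
        # A target is a device name, a Group name, or a CIDR; check in that order.
        if target == dev.name:
            return True
        if dev.name in self.groups.get(target, set()):
            return True
        try:
            return ip_address(dev.ip) in ip_network(target, strict=False)
        except ValueError:  # not a CIDR, so it was a name that did not match
            return False

    @staticmethod
    def _dst_matches(rule_dst: str, dst_key) -> bool:
        if rule_dst == WAN or dst_key == WAN:
            return rule_dst == dst_key
        return ip_network(rule_dst, strict=False) == dst_key

    def can_reach(self, src: Device, dst) -> str:
        """Return "allow" or "block" for src -> dst (dst is a Device or WAN)."""
        if dst != WAN and self.subnet_of(src) == self.subnet_of(dst):
            # Same subnet: device, Group and subnet rules cannot intervene.
            return "allow"
        dst_key = WAN if dst == WAN else self.subnet_of(dst)
        for r in self.rules:  # first match wins (assumption for this model)
            if self._dst_matches(r.dst, dst_key) and self._matches_target(src, r.target):
                return r.action
        return self.default


def demo() -> dict[str, str]:
    """Constructed two-subnet home network: main LAN and an IoT subnet."""
    laptop = Device("laptop", "192.168.1.10")
    printer = Device("printer", "192.168.1.20")
    cam = Device("cam", "192.168.2.10")
    tv = Device("tv", "192.168.2.20")
    policy = Policy(
        subnets=[ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
        # A Group that spans both subnets, as the comment says is possible.
        groups={"no_internet": {"printer", "cam"}},
        rules=[
            Rule("block", "no_internet", WAN),                 # Group rule to WAN
            Rule("block", "192.168.2.0/24", "192.168.1.0/24"),  # subnet -> subnet rule
        ],
    )
    return {
        "printer->laptop": policy.can_reach(printer, laptop),  # same subnet: allow
        "printer->wan": policy.can_reach(printer, WAN),        # Group blocks: block
        "cam->wan": policy.can_reach(cam, WAN),                # Group blocks: block
        "tv->wan": policy.can_reach(tv, WAN),                  # no rule: allow
        "cam->laptop": policy.can_reach(cam, laptop),          # iot -> main blocked
        "laptop->cam": policy.can_reach(laptop, cam),          # main -> iot: allow
        "cam->tv": policy.can_reach(cam, tv),                  # same subnet: allow
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:16} {verdict}")
```

The `printer->laptop` case is the one that trips people up: the printer sits in a Group with a block rule, yet it still reaches the laptop because they share a subnet, which is exactly the point the comment makes about Groups not being able to stop devices from seeing each other. Moving the printer to its own subnet is what changes that outcome, not adding it to another Group.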
