Still confused on when to use Groups vs Networks
I get that Networks are more of a physical separation at the IP address level of the devices, and I think that Groups are more of a separation by logically tagging the devices; however, in both cases you apply the same rules for allowing & blocking. So what makes you choose one over the other, and what are the pros & cons of one vs the other? I think by having both it gives the possibility of layering rules, but when I add a device to a Group it tells me that all other rules are ignored; does this include the Network rules as well?
Generally all devices in Groups have the same rules. Think of them as a “super device” that you can use to easily apply the same rules to an entire set of devices. Since you can’t cut and paste rules, this is great.
You can also apply rules to all devices on the same subnet, but it is not always the case that devices on the same subnet have the same rules. Often they don’t. This is one way that Groups and subnets differ.
Almost always, the reason to put devices on a separate subnet is to keep them from having access to other devices or to keep other devices from having access to them. That doesn’t hold with Groups. Groups can’t stop devices from seeing each other, only subnets can.
With Groups and subnets you make rules that allow/block access to the WAN, but you can’t make rules to block/allow devices on the same network to see each other; you can, however, make rules to allow/block a device or Group from accessing another subnet.
The fact that Groups can include devices in different subnets can be confusing, but can also serve a purpose. As long as you understand how it works, it is fine. As a practice, I don’t include devices that span subnets, but there are legit use cases for that.
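A small model of the scoping the answer describes, added here as an example; it is not code from the thread or from the product. It assumes the precedence the reply hints at (a device in a Group uses only that Group's rules, otherwise device rules, then network rules), a default of allow when no rule matches, and that same-subnet traffic is never filtered; the topology, names and rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology: two subnets ("networks") and one logical
# group that spans devices regardless of subnet.
NETWORKS = {"lan": ip_network("192.168.1.0/24"), "iot": ip_network("192.168.20.0/24")}
DEVICES = {
    "laptop": ip_address("192.168.1.10"),
    "camera": ip_address("192.168.20.5"),
    "thermostat": ip_address("192.168.20.6"),
}
GROUPS = {"untrusted": {"camera", "thermostat"}}

@dataclass
class Rule:
    scope: str    # "device", "group" or "network"
    target: str   # name of the device, group or network the rule is attached to
    dest: str     # "wan" or the name of a destination network
    action: str   # "allow" or "block"

def network_of(device):
    addr = DEVICES[device]
    return next(name for name, net in NETWORKS.items() if addr in net)

def applicable_rules(device, rules):
    # Assumed precedence (not confirmed by the thread): group rules replace
    # everything else; otherwise device rules, falling back to network rules.
    groups = [g for g, members in GROUPS.items() if device in members]
    if groups:
        return [r for r in rules if r.scope == "group" and r.target in groups]
    own = [r for r in rules if r.scope == "device" and r.target == device]
    return own or [r for r in rules if r.scope == "network" and r.target == network_of(device)]

def can_reach(src, dst, rules):
    """dst is "wan" or another device name; returns "allow" or "block"."""
    if dst != "wan" and network_of(src) == network_of(dst):
        return "allow"  # same subnet: neither Groups nor rules separate these devices
    dest = "wan" if dst == "wan" else network_of(dst)
    for r in applicable_rules(src, rules):
        if r.dest == dest:
            return r.action  # first matching rule wins
    return "allow"  # assumed default when nothing matches

RULES = [
    Rule("group", "untrusted", "wan", "block"),
    Rule("group", "untrusted", "lan", "block"),
    Rule("network", "lan", "wan", "allow"),
]
```

Note that the camera can still reach the thermostat even though both are in the blocking Group; only moving one of them to another subnet would separate them.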