I’m reaching out for help with configuring VLANs on a UniFi switch (USW-24-POE) prior to its adoption by a UniFi controller. My specific challenge lies in the fact that the controller itself resides in a VLAN, creating a chicken-and-egg situation:
I need to configure VLANs on the switch to allow the controller to adopt it.
However, I need the controller to adopt the switch in order to configure those VLANs.
Efforts So Far
UniFi Support: I contacted UniFi support, and while the team was willing to assist, they couldn’t provide a solution for this particular scenario.
Documentation and Forums: I’ve reviewed official documentation and forums extensively but have not been able to identify a viable approach.
CLI Commands: I attempted to configure VLANs using CLI commands on the switch (including suggestions from autocomplete in the CLI), but I couldn’t determine the correct sequence to achieve pre-adoption VLAN configuration.
Current Workaround
I set up an ephemeral controller to adopt the switch, configure the VLANs, and then attempt to use the switch in my network. However, this is not a viable long term solution.
Request
I would appreciate guidance on either of the following:
Steps or documentation for configuring VLANs on the switch prior to adoption via CLI.
A method to change the controller the switch reports to (e.g., via SSH or another method) after being adopted by the ephemeral controller, so I can configure VLANs and then reassign the switch to the main controller.
Please let me know if additional details are needed to help clarify the situation further.
You really only have a few options, as configuring a switch outside of the controller is frowned upon.
Make your controller VLAN native.
Create a firewall rule to your controller to only allow adoption. Then set the management VLAN afterwards in the controller. Then disable the firewall rule.
Thanks for the suggestions! Unfortunately, neither option will work for my setup:
Making the Controller VLAN Native
This isn’t really an option for me, I cannot change the controller to the native VLAN.
Firewall Rule for Adoption
I don’t think this will work either. In my tests, the switch still needs the VLAN to be configured before it can route traffic properly. Without that, it doesn’t seem to forward anything to the controller.
Also, just to add, the controller is only reachable through this switch, which makes things a bit more complicated overall.
It is hard for me to believe that of all the commands available in the CLI none of them can accomplish what I need. Are you certain it cannot be achieved through the CLI?
If you have any other workaround in mind let me know.
Just to clarify, I’m not looking to configure the VLANs through the CLI and leave them there permanently. I understand that’s not best practice.
I just need the switch to be aware of the VLANs long enough for it to be adopted by the controller. After that, all configurations will be managed properly through the controller.
Sorry for the delay, I only managed to try this yesterday.
Unfortunately those commands do not work; some of them don’t exist. telnet is not available, en seems to do nothing, config I replaced with configure (which I assume is the same), but then the other ones are not there.
I’ve tried some alternatives, but I had to configure it again and leave it working as it was before. I’ll try again ASAP and see if I can figure out the correct commands.
I even updated the firmware as I thought maybe it was too old and telnet was something that was added in recent versions, but it still wasn’t available.
It seems like my particular switch does not have telnet and it was sort of replaced by cli, which is what I used, and then I issued the configure command. I guess it would be the same as telnet localhost and then en and config. But the similarities stop there.
There’s an interface GigabitEthernet 3 and then interface switchport [...] which look promising, but so far I haven’t been able to get it to work the way I need it.
Configure adoption hints (DNS or DHCP option 43) to point to the controller on the networks you need.
Configure the firewall to open the ports.
Use a DNS name for the inform.
As long as you plug the switch into any network that has a route to the controller, it should be fine.
It can work over the internet with a DNS name (key.domain.com etc.).
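As an added worked example (editor's code, not from anyone in this thread), here is how the DHCP option 43 adoption hint from the reply above is actually encoded. A UniFi device asks DHCP for vendor option 43 and expects sub-option 1 (0x01), a length byte of 4, then the controller's IPv4 address, which is why Ubiquiti's documentation renders 192.168.1.10 as 0104C0A8010A. The script below validates the address, emits the payload in colon-separated and compact hex, and prints an ISC dhcpd fragment that sends it only to clients whose vendor class starts with "ubnt". The addresses used are constructed sample values; the pfSense field name and the dhcpd class match are taken from Ubiquiti's published guidance, and the DNS alternative (an A record named unifi in the device's DHCP-supplied search domain) is noted in a comment. Note the caveat the original poster raises later in the thread: a hint only helps once the device has Layer 3 reachability to the controller, so the port the new switch boots on must already carry a network that routes to it.

```shell
#!/bin/sh
# Added example: build the DHCP option 43 "adoption hint" a UniFi device looks for.
# Payload = sub-option 0x01, length 0x04, then the controller IPv4 address.
# Example: 192.168.1.10 -> 01:04:c0:a8:01:0a (docs show it compact: 0104C0A8010A).
# Alternative hint: a DNS A record "unifi.<dhcp search domain>" -> controller IP.
# All IPs below are constructed sample values, not a real deployment.

# Accept only a dotted quad with no leading zeros (printf would read 08 as octal)
# and every octet <= 255. Returns 1 on anything else.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Option 43 payload as colon-separated hex. This is the form pasted into
# pfSense's DHCP server "Additional BOOTP/DHCP Options" (number 43, type string).
unifi_option43_hex() {
    valid_ipv4 "$1" || return 1
    # Unquoted on purpose: split the address into four positional parameters.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '01:04:%02x:%02x:%02x:%02x\n' "$1" "$2" "$3" "$4"
}

# Same payload without separators and upper-cased, matching Ubiquiti's docs.
unifi_option43_compact() {
    hex=$(unifi_option43_hex "$1") || return 1
    printf '%s\n' "$hex" | tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# ISC dhcpd fragment: declare the vendor option space, match UniFi devices by
# vendor class, and hand out the controller address as ubnt sub-option 1.
unifi_dhcpd_stanza() {
    valid_ipv4 "$1" || return 1
    cat <<EOF
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;
class "ubnt" {
    match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
    option vendor-class-identifier "ubnt";
    vendor-option-space ubnt;
}
# place this line inside the subnet declaration of the VLAN the new device boots on:
option ubnt.unifi-address $1;
EOF
}

# Usage: sh option43.sh <controller-ip>
if [ $# -gt 0 ]; then
    unifi_option43_hex "$1" || { echo "invalid IPv4 address: $1" >&2; exit 1; }
    unifi_option43_compact "$1"
    unifi_dhcpd_stanza "$1"
fi
```

Run it with the controller's address to get both hex forms and the dhcpd stanza; an address with an out-of-range octet or a leading zero is rejected rather than silently encoded as the wrong bytes.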
You could always just ssh into the switch and run…
set-inform http://[controller_ip_address]:8080
The issue with that is this switch is where the controller is plugged into, so there’s no way for it to reach it if that VLAN is not set beforehand.
Option 43 won’t work in this scenario as it still needs to be able to reach the controller, and it won’t.
The set-inform only works from a factory default state. I’ve tried it and it just won’t get adopted by the controller; it seems like it tries, but after some timeout it just goes back to the last known good one, which in my case would be the ephemeral one I used to configure the VLAN in the first place.
Another workaround that was suggested by Ubiquiti support was to take a backup of the ephemeral controller and restore it in the “persistent” one, but that’d wipe my other configs, so it is not really a solution for the scenario.
I don’t think there’s a way around it needing that VLAN configured before being adopted by a controller. I am open to other options though.
I have another switch and two APs adopted by the “main” controller right now.
A pfSense box is acting as the router in this network.
If I’m getting you correctly, just using a port from the router won’t solve it, even if I ignore that it’ll probably wreak havoc across the whole network.
I could temporarily plug the controller into the router on a port I could set up to serve that VLAN, if that’s what you are suggesting. It is far from ideal as those two are quite some distance away and I cannot just parade around with the controller in my hand, but if I’m not mistaken it could work.
I’d like something more “reproducible” as this might happen again, and physically moving equipment to solve it is not desirable, particularly when I’m quite sure there must be a way to do this via SSH as @xMAXIMUSx first suggested, albeit with a different set of commands for my switch.
The simple solution would be to just plug the controller into the managed switch to get your problem resolved.
It really doesn’t matter where the controller is. Even plug it into the router directly.
Temporarily doing it is possible, not ideal but achievable. I think I can get (or make) a cable long enough for it to be plugged directly to the router and either move or ignore other services running in that server.
I still think there should be a way to solve this in software. The controller is able to configure it, so I don’t see why you wouldn’t be able to do it via SSH. Also for anyone reading this in the future, if it was me, I’d like to find how to configure those VLANs, as not everyone might be able to just plug the controller elsewhere.
Disclaimer: I have not read all posts in the thread, but the first few of them.
The way I have done it:
I assume you have an existing network setup where the controller is not listening on the default “native”
you need to have the controller running and connected to at least another switch that has already been adopted and configured to use a static IP and VLAN tag for management
the new unifi device needs to be considered not a functional component until it has been adopted
configure a port on the already adopted switch for the new switch, make the port use the VLAN as native (and no tagged VLANS) where the controller is listening
attach the new switch to the port, it will be adopted after a few minutes
configure the static IP and the management VLAN tag for the new switch
now you can attach the new switch where you want to use it