Simple Unifi switch question

I have a network using several VLANs… non USG. I want the UniFi switches and APs to be managed on the VLAN 9 network. I set the switchport on a non-UniFi switch to be tagged all VLANs and untagged VLAN 9. The switch gets the proper IP address. My question is then, what do I set the switchports to that the APs plug into? Since VLAN 9 is untagged to the switch I can’t set the port for the AP to untagged VLAN 9. Does the preset “LAN” network on the UniFi switch carry VLAN 9 now, and if so does it need to match in the controller under networks/LAN to be what the actual network is? I hope what I’m asking makes sense.

Do you have multiple SSIDs on different VLANs for your APs? Typically you set a trunk port for your AP and then on the UniFi AP you set the VLAN tag on each SSID you set up.


There are a couple of ways to do this. One is to have vlan 9 tagged on all the kit and change the management vlan to 9. The other is to untag 9 (and tag the rest) and leave the management vlan at 1.

Do you have vlan9 defined on your unifi gear? That’s the first step either way.

You then just need to be really methodical about what you tag / untag to make sure you don’t lose things. Be prepared to find a paperclip and reset some things.

I currently set the upstream port switch to tagged all VLANs except VLAN 9, which is untagged. This gives the switch the IP address in the network. The AP is in port 2, I have this set to native VLAN 9 and the rest tagged. For some reason though the AP will not get an IP for the “9” network.

I think I have this figured out now. Just some clarification needed. Since there is no USG in the network, the “LAN” network in the controller doesn’t do anything and is not the same “LAN” network that is being used on the switch port to the AP. I set that port to native LAN and tagged ALL and now the AP gets the correct IP address and all SSIDs are working with the correct VLANs. I was under the assumption that the LAN network on the controller was the same LAN network on the switch, but this is not the case, correct?

When you start untagging things on the links between switches, what “LAN” (not-a-VLAN or VLAN1) actually is changes locally. When you set the link to the switch to untag vlan 9, you are saying that all traffic without a VLAN tag should be changed to be VLAN 9. This also means, for security reasons, that the switch should drop anything that comes in on that port as tagged for VLAN 9. You’ve effectively removed VLAN 9 as an option for anything on that downstream switch, because VLAN 1 on that downstream switch becomes VLAN 9 on the upstream switch. And in reverse, anything in VLAN 1 on the upstream has no way to communicate with anything on the downstream.

Due to this complexity of remembering what VLAN 1 means where, I prefer to leave all links between switches in the “All” port profile, and use the Management VLAN configuration on the switch to tell it whether it should communicate. For APs, I prefer the same, although it is certainly less complex (especially when dealing with hundreds of APs) to set the VLAN via untagging the switch port versus changing their management VLAN setting.
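The native-VLAN mapping described in this reply, as a small added Python model of 802.1Q port behaviour (not code from the thread or from Ubiquiti). It assumes the upstream port untags 9 and tags VLANs 10/20/30, and that the UniFi uplink is on the “All” profile (native 1, everything else tagged); those VLAN numbers other than 1 and 9 are made up for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    """A frame on the wire; vlan is None when it carries no 802.1Q tag."""
    vlan: Optional[int]


@dataclass(frozen=True)
class Port:
    native: int               # VLAN sent/received untagged (the PVID)
    tagged: FrozenSet[int]    # VLANs carried across this port with a tag

    def ingress(self, frame: Frame) -> Optional[int]:
        """Internal VLAN a received frame is placed in, or None if it is dropped."""
        if frame.vlan is None:
            return self.native        # untagged traffic is assigned the native VLAN
        if frame.vlan == self.native:
            return None               # a frame tagged with the native VLAN is dropped
        return frame.vlan if frame.vlan in self.tagged else None

    def egress(self, vlan: int) -> Optional[Frame]:
        """Frame as it leaves this port, or None if the VLAN is not carried at all."""
        if vlan == self.native:
            return Frame(None)        # the native VLAN leaves the port without a tag
        return Frame(vlan) if vlan in self.tagged else None


def forward(vlan: int, out_port: Port, in_port: Port) -> Optional[int]:
    """VLAN the far switch sees for traffic sent in `vlan`, or None if it never arrives."""
    wire = out_port.egress(vlan)
    return None if wire is None else in_port.ingress(wire)


# Constructed topology (assumed VLAN numbers): non-UniFi upstream port untags 9 and
# tags the rest; the UniFi uplink uses the "All" profile, i.e. native 1, rest tagged.
UPSTREAM = Port(native=9, tagged=frozenset({10, 20, 30}))
UNIFI_UPLINK = Port(native=1, tagged=frozenset({9, 10, 20, 30}))


def downstream_view(upstream_vlan: int) -> Optional[int]:
    """What VLAN the UniFi switch sees for traffic in `upstream_vlan` on the upstream switch."""
    return forward(upstream_vlan, UPSTREAM, UNIFI_UPLINK)


def upstream_view(downstream_vlan: int) -> Optional[int]:
    """What VLAN the upstream switch sees for traffic in `downstream_vlan` on the UniFi switch."""
    return forward(downstream_vlan, UNIFI_UPLINK, UPSTREAM)


if __name__ == "__main__":
    for v in (1, 9, 10):
        print(f"upstream VLAN {v} -> UniFi VLAN {downstream_view(v)}")
        print(f"UniFi VLAN {v} -> upstream VLAN {upstream_view(v)}")
```

Upstream VLAN 9 shows up as VLAN 1 on the UniFi switch, the UniFi switch's own VLAN 9 is dropped at the upstream port, and upstream VLAN 1 never crosses the link at all, which is exactly the confusion the reply warns about.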

This is for sure the “best” way to do it, but even as someone that understands VLANs I still manage to lose devices from time to time by forgetting to move from native/U 9 to tagged all.