01-19-2017 01:11 AM
Not a Networking expert at all, some basic knowledge, but I have spent days trying to make sense of Unifi's approach to VLANs on its Unifi switch line.
I have read every post on the Internet, seen all the videos, but still have lots of doubts (some probably due to my inexperience). I also don't have a Lab, but I am pretty sure there are lots of people out there in my situation, and so I thought that if I propose a tentative thorough explanation, then you experts out there could help with some doubts (italics) and correct whatever is not right. So, let me give it a try (everything in italics is tentative):
Defining VLANs or Trunks in UNIFI Switches is a two or three steps process.
Why two or three?
It could be two steps only… but the way UNIFI Controller does it would leave you with very limited configuration options, basically assigning "ALL Networks/VLANs" (N/V) or just ONE Network/VLAN to a port.
As in many cases (most I imagine) you will need something in the middle (more than one VLAN but not ALL), then you define that in a Profile (at Switch level) that you later assign to the port.
Beware that I call it Profile in this note but Unifi does not, they just have a section called Networks/VLANs under Switch Configuration where you define this “Profiles” but bear in mind they still call them Networks/VLANs (Hit Create to define a new “Profile”).
It is true that any combination of Networks/VLANs will be a new (more complex) Network, but still Unifi's choice to not call them something else makes everything very confusing.
So three steps:
1) Define Networks/VLANs in Controller Settings
2) Manage or Create Network Profiles for the Switch in Switch Configuration
3) Assign Networks/VLANS or Profiles to the Port(s)
When you manage Network Profiles for the Switch (in Switch Configuration) you can:
- Create new Profiles combining LANs/VLANs defined at controller level to be assigned later to ports (More on this below …)
- Delete any of the defined Networks/VLANs created at controller level => The deleted N/V will not be configurable in profiles or at port level
Defining Port Behavior
When assigning N/V to the port you have many different options. I will list them, but to understand what any of them means we will have to settle a few concepts first (so keep reading).
- You can assign the Port to “All” Networks/VLANs (behavior explained later)
- Or just to a certain VLAN (behavior below)
- Or a certain Profile (see below)
- Or a certain LAN with VLAN defined (same as VLAN but useful for USG users)
- Or a certain LAN without VLAN defined
- If it is the default LAN, then VLAN 1 is assumed.
- What is assumed for any other LAN with no VLAN defined? => I don't know
- You can also disable the Port
What is a Native VLAN?
Basically it is the VLAN to which the port "belongs" but with a very specific behavior:
- The Native VLAN defines how incoming (from the cable) untagged packets should be tagged before sending them to the switch (rest of ports) => So they are tagged with the Native VLAN number (called PVID).
- Any tagged incoming (from the cable) packets will be accepted and forwarded tagged (unchanged) to the Switch
- A Native VLAN will egress any packet received from the switch that is "Tagged with the Native VLAN number" to the cable untagged (will accept, untag and send it to the cable). This is very relevant for compatibility with non-VLAN-aware devices. In a managed switch all packets flow internally tagged (?). By default all ports are Native VLAN 1; it means that any untagged incoming packet will be tagged VLAN 1 and forwarded to all other switch ports (each port will then filter the packet coming from the switch according to its own definition).
- A Native VLAN won't accept any packet coming from the switch with any tag other than that of its Native VLAN (not sure)
When you create a new VLAN in controller settings the option to assign it to a port will appear at port settings.
Assigning it is the equivalent of saying that the port will have that as its Native VLAN. That Native VLAN number is also called the PVID.
So any Port with a Native VLAN assigned (either way: directly or thru a profile) will communicate with non-vlan aware devices and will tag incoming packets with the PVID tag, will accept incoming (from the cable) packets with any other tag and pass it to the switch, but will not accept tagged packets from the switch other than those with the Native VLAN tag (repeating but to make it clear).
So what happens when you want the port to send various VLANs to the cable?
This is what is called a Trunk …
In UNIFI you can define a port as a Trunk by
- Assigning it to “ALL Networks/VLANs” (behavior in this case detailed later)
- Or by assigning it to a Profile that allows more than one VLAN (also explained later)
What is a Profile?
Remember that Unifi does not call this Profiles, they call them Networks/VLANs but it is what you can create under Switch Configuration (Using the Create button).
A Profile is used to define what VLANs will be accepted at the port (coming from the switch), and whether that port has a Native VLAN or not.
- If Native VLAN is left “None” then
- The port will not tag incoming untagged packets (from the cable)? Will it drop them? Or will it tag them as VLAN 1 and pass them thru?
- The port will pass thru tagged incoming packets. All of them? Or only those corresponding to VLANs checked in the tagged section?
- If a Native VLAN is defined then the behavior of the port is the one described above for Native VLANs
- Then in the “Tagged” section, if you "allow" (check) any other VLAN then any packet arriving at the Port from the switch with those VLAN numbers will be accepted and forwarded tagged to the cable
You will normally define a profile with a Native VLAN and some Tagged VLANs. But you can also leave Native VLAN as “none”. It would be a Trunk with various VLANs accepted (from the switch) and forwarded to the cable tagged (those checked in tagged section).
So, what happens when you leave the Native VLAN as "none" in a Profile?
As stated above, I am not sure of the ingress behavior (from the cable).
- What will it do with incoming untagged packets?
- What tagged packets (from the cable) will it pass thru to the switch? All (as in a Native VLAN), or only those for the VLANs marked as tagged in the profile's tagged section?
What is the equivalent Profile of ALL Networks/VLANs?
Remember a Profile means defining a Native VLAN (or None) and Tagging certain VLANs.
So I guess ALL is the equivalent of Native VLAN 1 and all other VLANs tagged but not sure.
Potentially you could have many different LANs and VLANs defined at controller level, all will appear in the pull down list at Port config so which Native VLAN will be taken
- None?
- VLAN 1?
- Any other criteria?
In any case let´s assume ALL means Native VLAN 1 and all other VLANs tagged. So behavior will be:
- All VLANS pass thru (both ways)
- Whatever the Native VLAN is (experts help !), it will behave as described above. So again assuming it is VLAN 1:
- All untagged incoming packets will be tagged VLAN 1 and forwarded to corresponding switch ports …
- What are corresponding ports?
- Any Port configured with All => Packets on such ports will egress untagged (because they are Native VLAN 1)
- Any Port with a Profile with Native VLAN 1 => Packets on such ports will egress untagged
- Any Port with a Profile defined with any other Native VLAN but with VLAN 1 tagged => Packets on such ports will egress Tagged VLAN 1
- Any Port with Default LAN (created by the controller on initial setup, has Native VLAN 1 even if it doesn´t show in controller settings) => Packets on such ports will egress untagged
- Any Port with a Profile with no Native VLAN but with VLAN 1 Tagged => Packets on such ports will egress Tagged VLAN 1
How do you create Trunks (again)?
- Defining a port as All Networks/VLANs
- Assigning a Profile that has one or more Tagged VLANs with no Native VLAN
- Assigning a Profile that has one or more Tagged VLANs with Native VLAN
What happens when you assign a VLAN just defined in controller settings to a Port?
In this case it is assumed that the port has that VLAN as Native and no other tagged VLANS allowed
It is the equivalent of defining a Profile with that VLAN as Native and no other tagged VLANS and assigning that Profile to the Port
Can you make a Port a member of various VLANs but still always egress untagged packets?
I haven't found a way to do that in UNIFI. You cannot define a Profile that accepts different VLANs (defining one as Native and the others as Tagged, or no Native and all Tagged) but that, once the packet is accepted at the port (not filtered), forwards it (to the cable) untagged for all VLANs; it will only untag those of the Native VLAN. Many other switches allow you to define a port as untagged on egress but still a member of many VLANs.
This is very useful if you want to segment the switch but the uplink goes to a non-VLAN-aware device such as a home/SOHO ISP-provided router.
The Unifi Trunk definition is good if your Uplink is connected to other Managed Switches/Devices which is the normal situation in bigger installations.
So Help wanted …
Thank you !
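To pin down the port behaviour the post walks through (native VLAN/PVID, tagged VLANs, "All" as a trunk, a profile with Native set to "None"), here is a small Python model added as an example; it is not code from the thread or from Ubiquiti. It assumes the usual 802.1Q rules where the post is unsure: untagged ingress is placed on the native VLAN and dropped when the profile has no native VLAN, tagged ingress is accepted only for VLANs the port is a member of, and on egress only the native VLAN has its tag stripped. Profile names and frames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q VLAN-tagged Ethernet frame

@dataclass(frozen=True)
class PortProfile:
    """Switch-port profile: native VLAN (PVID) or None, plus the set of tagged VLANs."""
    native: Optional[int]
    tagged: FrozenSet[int] = frozenset()

def parse_vid(frame: bytes) -> Optional[int]:
    """Return the 12-bit VLAN ID of a tagged frame, or None when it carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("tagged frame truncated before its TCI")
    return int.from_bytes(frame[14:16], "big") & 0x0FFF  # VID is the low 12 bits of the TCI

def ingress(port: PortProfile, frame: bytes) -> Optional[int]:
    """Frame arriving from the cable: VLAN it travels on inside the switch, or None if dropped."""
    vid = parse_vid(frame)
    if vid is None:
        return port.native  # untagged -> PVID; assumption: dropped when the profile has no native
    return vid if vid == port.native or vid in port.tagged else None  # member VLANs only

def egress(port: PortProfile, vid: int) -> Optional[str]:
    """Frame leaving towards the cable on VLAN vid: 'untagged', 'tagged', or None if filtered."""
    if vid == port.native:
        return "untagged"  # native VLAN frames have the tag stripped
    return "tagged" if vid in port.tagged else None

def flood(in_port: PortProfile, frame: bytes, others: Dict[str, PortProfile]) -> Dict[str, Optional[str]]:
    """Forward one frame from in_port to every other port and report how each port egresses it."""
    vid = ingress(in_port, frame)
    return {} if vid is None else {name: egress(p, vid) for name, p in others.items()}

def tagged_frame(vid: int) -> bytes:
    """Constructed sample frame: broadcast dst, dummy src, 802.1Q tag (PCP 0), IPv4 EtherType."""
    return b"\xff" * 6 + b"\x02" * 6 + TPID_8021Q.to_bytes(2, "big") + vid.to_bytes(2, "big") + b"\x08\x00"

UNTAGGED_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00"  # the same frame without a tag
ACCESS_20 = PortProfile(native=20)  # a single VLAN assigned directly to the port
TRUNK_ALL = PortProfile(native=1, tagged=frozenset({10, 20, 30}))  # "All" as the post reads it
TRUNK_NO_NATIVE = PortProfile(native=None, tagged=frozenset({1, 10}))  # trunk with Native "None"
```

Running `flood(TRUNK_ALL, UNTAGGED_FRAME, {...})` reproduces the post's list of "corresponding ports": the untagged frame lands on VLAN 1 and leaves a no-native profile with VLAN 1 tagged as a tagged frame, while an access port on VLAN 20 never sees it.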
01-19-2017 04:36 AM
@remoreno great post and very good wording; the only question is, what were the questions that you were wanting answered?
Your statement about all VLANs is correct by my observations.
So I guess ALL is the equivalent of Native VLAN 1 and all other VLANs tagged but not sure. <Correct>
Your steps for defining trunks are also correct. Create the network on the controller under Settings; on one switch in your environment create the network/VLAN profile and select what networks should be tagged / untagged / native.
Correct about creating the VLAN in the controller and just assigning it. (If you don't put it into a profile though, it will only be local to the switch unless you use 'All' for your uplinks.)
Sorry, don't know the answer to the last question.
01-19-2017 04:46 AM - edited 01-19-2017 04:48 AM
Wow, there's a lot here, and I'll admit to not being an expert, but a couple of thoughts that might help.
First you say that "untagged packets should be tagged before sending them to the switch", which I think is incorrect. The native VLAN is where all untagged traffic goes, so if untagged traffic comes into that port, it is forwarded on the Native VLAN (which I think defaults to 1 like most switches if you don't change that).
Next, can you show me a screenshot of the Profiles? I'm not sure where this is in the controller. But, in regards to setup, I think this is the same as every other switch I've worked with.
Define the Networks/VLANs
Assign them to ports
Now, to your point regarding assigning them to switchports. It is typical to either be an "Access port" (1 VLAN, usually for 1 end-user/device) or a "Trunk" (all VLANs, typically to another switch or wireless access point), so this is why the dropdown is in the UniFi port admin page. You can do otherwise, though I typically don't. I did do this on my wireless access point uplink on the switch by defining a custom VLAN tag (saw a post somewhere on this); you can set what tags will be passed (what VLANs are allowed). Here are some screenshots. Here I removed the management VLAN from the WiFi access points.
06-25-2017 04:03 PM
Awesome stuff, you're a life saver. I was banging my head against the wall for hours until reading this post and realizing I could create "profiles" of tagged networks and define my own native vlan for that profile.
Very confusing way Unifi handles their VLAN configs, but this really cleared it up for me.
08-05-2017 12:25 PM
@remoreno I would imagine the answer to your last question "Can you make a Port member of various VLANs but still always egress untagged packets?" would be unnecessary because non-VLAN-aware devices would just ignore the VLAN ID 802.1Q Header added to the Ethernet frame. So in theory we do not need to untag them. BUT, probably like you (only worse), I am not that experienced and trying hard to learn this aspect of networking.
08-19-2017 01:36 AM
I am still a little confused about the following:
If you define a profile to allow more VLANs on one port for example a port where the AP is connected to.
All the wireless clients are logged in with RADIUS authentication and therefore assigned to their correct VLAN.
Then when the client sends a broadcast to the network, is this broadcast done tagged or untagged?
I think untagged, but will the switch port then tag it correctly and send it to all other VLANs that are configured on the switch?
Or will it be tagged with the native VLAN configured on that profile? If so, how on Earth can you serve multiple VLANs on WiFi and not adjust clients to send the correct tag for their VLAN?