
VLANs: latest cause of premature hair loss

MrMcMuffinJr

So I am trying to segregate my network into 4/5 Virtual LANS. 1(Native/Core) 13(cameras) 17(Main WLAN) 20(IoT WLAN) 24(other wired devices).

Hardware

A-Router:USG

B-Current Switch: Cisco SG200-50P

C-New Switch: Dell PowerConnect 5548P

D-Cam Switch: Cisco 2960C

 

Topology

A(LAN)->(g50)B(g49)->(g48)C(g9)->(g1)D

 

What it can do:

Looks like in its current state, all I can do is ping the management interface on the new switch. I can also ping the gateways of all the vlans from the new switch so I know the trunk on that port is working.

 

important notes

-My current assumption is an inter-vlan routing issue on the Dell but my limited experience makes it difficult for me to troubleshoot. I'll provide all the relevant configs with obvious redactions.

-The 2960 should be a Vlan 13 only switch for cameras.

-The SG200 will eventually be replaced by the dell when this is all working

-The only thing that was done on the USG was creation of networks, VLAN assignment and DHCP. All else is default. Ignore 5 and 13.

 

How you can help me

I'm basically asking you guys to look at the configs and see if I'm missing something. 

 


 

Dell

vlan database
vlan 13,17,20,24
exit
voice vlan oui-table add 000181 Nortel__________________
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Shoretel________________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00907a Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
iscsi target port 860 address 0.0.0.0
iscsi target port 3260 address 0.0.0.0
iscsi target port 9876 address 0.0.0.0
iscsi target port 20002 address 0.0.0.0
iscsi target port 20003 address 0.0.0.0
iscsi target port 25555 address 0.0.0.0
hostname core
management access-list SSH
permit service ssh
exit
aaa authentication enable default line
aaa authentication login default line
line ssh
password *************** encrypted
exit
line console
password ************* encrypted
exit
username Ryan password encrypted ************* privilege 15
ip ssh server
ip domain name core.lan
line console
motd-banner
exit
line ssh
motd-banner
exit
line telnet
motd-banner
exit
banner motd ^C
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWNXXK0OOO0KXNWMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXOdlcccc::::::ccox0XWMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMWXOl;,''''''''''',,'.':lxKNMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMNk:'.',''........',,'.';clox0NMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMXd,..,;,,,,,,,,,;;clllclllllclxNMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMXo'.',;cloodddddxxkkOOOO0OkdocclxXMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMXko;,;coxkOOO000000000000KKKKkolc:xNMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMXdcdl,:okO00000000000000KKKXXXKkoccdk0NMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMWk;''..:dkOOkkkxkkO0000OOOO00XXKOo:,,:o0WMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMWO:.   .;dkkxdooodxkO00OkxxddxkO0Oo,. .;dKWMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMWx,..  .:xOOkdcccoxkOO0kxxdocldkO0x,   .:dXMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMWO;..  .:k0OkxdoodxxkOK0xddoloxO0KO;  ..'lKMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMM0:.....cO0000OOOkkkOOKK0kkkO0KXXXO;  ...lXMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMXl'''..:k00000000OOO0KKKOO0KKKKKKk,....'dWMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMNx;,,'.;x000000000OOO0OOO00KKK000o.....,OWMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMM0c'....oO000K0000OOOOOO0K00000Ok:. ...;kNWMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMNd'.  .:k0000000OOO0OO000K00Odol.   ..'cOWMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMXd;'',lkO000OOOOkkkkkxxkkOk:....  .,ldONMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMWX0KXK0OOOOOOOOOOkkkkkkkkx;. ..,:oOKXWMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMWWX0OOOOOOO0000OOO00OOOdlcllokXNNWMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMWWKOxkOOOkOOOO0000000000Oxxk00OKNWMMMMMMMMMMMMMMM
MMMMMMMMMMWWNXXKK00000000Oxc,.,dOOOkkkkOO00000OOOkkxdc;:oOKXXXXNWWMMMMMMMMM
MMMMMWNX0Okkxdddddol:;;;'..  'lxkOOOkkkkkOOOOkxxdxxxx:...,:lddxk0KKXNWWMMMM
MMMN0kxdddddooool:'.        .cddkOOOOkkkOOOOOkxddxkkkd,.   .',;cooddxkOKNMM
MWKxoodddoooll:'..           ;ddxkOOOOOkOOOOkxddxxxkko'     ....',;::clokXM
^C
!
interface vlan 1
 ip address dhcp
!
interface vlan 13
 name Camera
!
interface vlan 17
 name *******
!
interface vlan 20
 name *****
!
interface vlan 24
 name LAN
!
interface gigabitethernet1/0/3
 description MainAP
 switchport mode trunk
 switchport trunk allowed vlan remove 2-16,18-19,21-4094
!
interface gigabitethernet1/0/5
 description MainAP
 switchport mode trunk
 switchport trunk allowed vlan remove 2-16,18-19,21-4094
!
interface gigabitethernet1/0/7
 description SouthAP
 switchport mode trunk
 switchport trunk allowed vlan remove 2-16,18-19,21-4094
!
interface gigabitethernet1/0/9
 description CamSWUplink
 switchport mode trunk
 switchport trunk allowed vlan remove 2-12,14-4094
!
interface gigabitethernet1/0/10
 switchport access vlan 13
!
interface gigabitethernet1/0/11
 description CK
 no switchport
 switchport trunk allowed vlan remove 2-12,14-4094
!
interface gigabitethernet1/0/13
 description Lore
!
interface gigabitethernet1/0/15
 description Data
!
interface gigabitethernet1/0/17
 description Printer
!
interface gigabitethernet1/0/18
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/19
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/20
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/21
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/22
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/23
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/24
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/25
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/26
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/27
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/28
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/29
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/30
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/31
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/32
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/33
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/34
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/35
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/36
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/37
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/38
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/39
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/40
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/41
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/42
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/43
 description LAN
!
interface gigabitethernet1/0/44
 description LAN
!
interface gigabitethernet1/0/45
 description LAN
!
interface gigabitethernet1/0/46
 description LAN
!
interface gigabitethernet1/0/47
 description LAN
!
interface gigabitethernet1/0/48
 description Uplink
 switchport mode trunk
!






Default settings:
Service tag: *******

SW version 4.1.0.12 (date  22-Jul-2013 time  16:32:43)

Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control on
mdix auto
no back-pressure

interface vlan 1
interface port-channel 1 - 32

spanning-tree
spanning-tree mode RSTP

qos basic
qos trust cos
eee enable

 

 

2960C

Building configuration...

Current configuration : 1703 bytes
!
! Last configuration change at 00:50:18 UTC Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CameraSW
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 ****************
!
username Ryan privilege 15 password 0 ****************
no aaa new-model
system mtu routing 1500
!
!
!
ip domain-name Cameras.lan
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address dhcp
 shutdown
!
!
ip http server
ip http secure-server
!
!
line con 0
 password *******************
 logging synchronous
 login
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login
 transport input ssh
!
end

 

Thanks!

Favorite Threads: PSU Tier List

 

My Stuff n' Things

Spoiler

The Beast (My Rig)   |CPU: AMD Ryzen 9 3900X|  |Cooling: Enermax Liquimax III, 6x 120mm Noctua Redux|  |Motherboard:  MSI MPG B550 Gaming Plus|  |RAM: 4x32gb 3200 G.Skill TridentZ NEO|  |Graphics Card: EVGA(RIP) GeForce RTX 3070TI FTW3|  |Power Supply: Corsair CX-M 750W|  |Case: Corsair 4000D Airflow Mid Tower Case(Black)|  |SSD: 1Tb WD BLACK NVMe, 500gb NVMe, 1Tb Samsung 850 EVO|  |Monitor: MSI Optix MPG341QR 34" Ultrawide|  |Keyboard: Logitech G815|  |Mouse: Logitech G203 LIGHTSYNC|  |Audio Interface: FiiO K7 DAC/Amp|  |Headphones: Sennheiser HD6XX |Webcam: Logitech C920, Logitech C270|

 

My Network Rack  |Switch: Cisco Dell PowerConnect 5548P|  |Router: Unifi USG|  |Rack: 12U|  |Server: HP Z420|  |Services: Proxmox PVE, Wireguard, Pihole, NVR, NAS|

 


The dell is not doing inter-vlan routing, and you don't want it to be (trust me - especially if you're having issues with just VLAN switching). As an experienced Dell and Cisco switch user, I don't see anything wrong with the two configs you posted. Just to clean things up, I do suggest removing the "interface vlan 13 -> name" and others, except for vlan 1, and replacing them with "vlan 13 -> name". Technically right now you haven't named the VLANs (layer 3), you've named an IP interface on each of the VLANs (layer 3). If you run something like "show vlan brief", you wouldn't see the VLAN names right now.

 

The fact that you can ping all the VLAN gateway IPs from the dell switch does not prove the trunk is working. The dell switch only has an IP address in VLAN 1, therefore it is sending the pings to the USG via its default gateway address of 10.0.1.1. The USG is then responding to the pings because it happens to know that the IP you're trying to reach is itself, and it is sending the pings back to the source IP of whatever the dell switch got in VLAN 1 via DHCP. By default there are no firewall rules between "Corporate" networks in Unifi; if you want the USG to keep them separate you have to make those rules yourself.

 

Anyway, at this point I question your SG200 config, please share it.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


20 minutes ago, brwainer said:

The dell is not doing inter-vlan routing, and you don't want it to be (trust me - especially if you're having issues with just VLAN switching). As an experienced Dell and Cisco switch user, I don't see anything wrong with the two configs you posted. Just to clean things up, I do suggest removing the "interface vlan 13 -> name" and others, except for vlan 1, and replacing them with "vlan 13 -> name". Technically right now you haven't named the VLANs (layer 3), you've named an IP interface on each of the VLANs (layer 3). If you run something like "show vlan brief", you wouldn't see the VLAN names right now.

 

The fact that you can ping all the VLAN gateway IPs from the dell switch does not prove the trunk is working. The dell switch only has an IP address in VLAN 1, therefore it is sending the pings to the USG via its default gateway address of 10.0.1.1. The USG is then responding to the pings because it happens to know that the IP you're trying to reach is itself, and it is sending the pings back to the source IP of whatever the dell switch got in VLAN 1 via DHCP. By default there are no firewall rules between "Corporate" networks in Unifi; if you want the USG to keep them separate you have to make those rules yourself.

 

Anyway, at this point I question your SG200 config, please share it.

The SG 200 is defaulted with all ports untagged. I have tested with the dell connected to the USG which yielded unhelpful results. As for the first paragraph, I did as instructed. On the cam switch I randomly did a no shut on the native vlan interface and it randomly got an IP. I’ll see if I can also get an IP on its access port on the 13 subnet.


23 minutes ago, MrMcMuffinJr said:

The SG 200 is defaulted with all ports untagged.

So... why are you expecting it to pass VLANs then? You need to define the VLANs, and set the ports 49 and 50 as trunk.

 

25 minutes ago, MrMcMuffinJr said:

I have tested with the dell connected to the USG which yielded unhelpful results.

Like what? Your config looks fine to me.

 

26 minutes ago, MrMcMuffinJr said:

on the cam switch I randomly did a no shut on the native vlan interface and it randomly got an IP. I’ll see if I can also get an IP on its access port on the 13 subnet

Getting an IP address on the native vlan interface is not surprising, and doesn't teach us anything about whether the other VLANs will work or not.

 

I suggest moving one switch at a time, from the router to the end, and on each one make one or more access ports to test the VLANs. If you can't get an IP while on the SG200 in vlan 13, you won't get an IP on the Dell or camera switch in vlan 13.


7 hours ago, brwainer said:

So... why are you expecting it to pass VLANs then? You need to define the VLANs, and set the ports 49 and 50 as trunk.

 

Like what? Your config looks fine to me.

 

getting an IP address on the native vlan interface is not surprising, and doesn't teach us anything about whether the other VLANs will work or not.

 

I suggest moving one switch at a time, from the router to the end, and on each one make one or more access ports to test the VLANs. If you can't get an IP while on the SG200 in vlan 13, you won't get an IP on the Dell or camera switch in vlan 13.

So I had a little success this morning which might have been my problem all along. I bypassed the SG200 and tried to ping 10.0.1.1 from fa0/1 on the camera switch and it worked. So that tells me that there has to be something wrong with DHCP. I will include a photo of my config which I was planning to copy to the other networks once testing is complete.

image.png.bf09dc1a9e8431d0da8e7e0348dfdc2b.png


17 minutes ago, MrMcMuffinJr said:

So I had a little success this morning which might have been my problem all along. I bypassed the SG200 and tried to ping 10.0.1.1 from fa0/1 on the camera switch and it worked. So that tells me that there has to be something wrong with DHCP. I will include a photo of my config which I was planning to copy to the other networks once testing is complete.

image.png.bf09dc1a9e8431d0da8e7e0348dfdc2b.png

I don’t see an issue with the DHCP server config. By “bypassed the SG200” you mean you connected the USG LAN to port 48 on the Dell?

 

Do you get an IP from port 10 of the Dell, which is access vlan 13?

 

While you have a client device on a vlan 13 port, run “show mac address vlan 13” from the Dell and/or Cisco switches. You should see both the router and client MACs. There will also be a number of virtual MACs showing up that you can ignore, like all 0’s or all f’s, those are there because of certain switch functions.


12 hours ago, brwainer said:

I don’t see an issue with the DHCP server config. By “bypassed the SG200” you mean you connected the USG LAN to port 48 on the Dell?

 

Do you get an IP from port 10 of the Dell, which is access vlan 13?

 

While you have a client device on a vlan 13 port, run “show mac address vlan 13” from the Dell and/or Cisco switches. You should see both the router and client MACs. There will also be a number of virtual MACs showing up that you can ignore, like all 0’s or all f’s, those are there because of certain switch functions.

I wiped and started fresh on the Dell while utilizing LAN 2 on the USG for testing so everyone isn't cut off. VLANs 13 and 24 are working flawlessly including with the camera switch. The only thing that doesn't appear to work is the .1 subnet but that I think is because it's on LAN 1 rather than 2. Wonder if there is a way around that. I could always just try it on LAN1 in the morning when nobody will be disrupted.


5 hours ago, MrMcMuffinJr said:

I wiped and started fresh on the Dell while utilizing LAN 2 on the USG for testing so everyone isn't cut off. VLANs 13 and 24 are working flawlessly including with the camera switch. The only thing that doesn't appear to work is the .1 subnet but that I think is because it's on LAN 1 rather than 2. Wonder if there is a way around that. I could always just try it on LAN1 in the morning when nobody will be disrupted.

I’m not super familiar with using LAN2 on the USG, but I think you’re right that the two LAN ports act independently, they can actually have different subnets on VLAN1 (and all VLANs really)


5 hours ago, brwainer said:

I’m not super familiar with using LAN2 on the USG, but I think you’re right that the two LAN ports act independently, they can actually have different subnets on VLAN1 (and all VLANs really)

I switched back to LAN1 to test the core network, which is the default that the USG creates. I think that narrows down my problems to VLAN 1. That default network IS VLAN 1, right?

 

Edit: here's the updated config

Core(config)# do sh run
no spanning-tree
vlan database
vlan 13,17,20,24
exit
voice vlan oui-table add 000181 Nortel__________________
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Shoretel________________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00907a Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
iscsi target port 860 address 0.0.0.0
iscsi target port 3260 address 0.0.0.0
iscsi target port 9876 address 0.0.0.0
iscsi target port 20002 address 0.0.0.0
iscsi target port 20003 address 0.0.0.0
iscsi target port 25555 address 0.0.0.0
hostname Core
!
interface vlan 1
 ip address 10.0.1.100 255.255.255.0
!
interface vlan 13
 name ****
!
interface vlan 17
 name ****
!
interface vlan 20
 name ****
!
interface vlan 24
 name LAN
!
interface gigabitethernet1/0/3
 description MainAP
 switchport mode trunk
!
interface gigabitethernet1/0/5
 description MainAP
 switchport mode trunk
!
interface gigabitethernet1/0/7
 description SouthAP
 switchport mode trunk
!
interface gigabitethernet1/0/9
 description CAMs
 switchport mode trunk
!
interface gigabitethernet1/0/11
 description CK
!
interface gigabitethernet1/0/13
 description Lore
!
interface gigabitethernet1/0/15
 description Data
!
interface gigabitethernet1/0/17
 description Printer
!
interface gigabitethernet1/0/18
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/19
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/20
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/21
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/22
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/23
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/24
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/25
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/26
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/27
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/28
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/29
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/30
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/31
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/32
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/33
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/34
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/35
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/36
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/37
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/38
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/39
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/40
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/41
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/42
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/43
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/44
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/45
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/46
 description LAN
 switchport access vlan 24
!
interface gigabitethernet1/0/47
 description Uplink
 switchport mode trunk
!
interface gigabitethernet1/0/48
 description Uplink
 switchport mode trunk
!
interface tengigabitethernet1/0/1
 description Uplink10G
 switchport mode trunk
!
interface tengigabitethernet1/0/2
 description Uplink10G
 switchport mode trunk
!






Default settings:
Service tag: 973CVS1

SW version 4.1.0.12 (date  22-Jul-2013 time  16:32:43)

Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control on
mdix auto
no back-pressure

interface vlan 1
interface port-channel 1 - 32

spanning-tree
spanning-tree mode RSTP

qos basic
qos trust cos
eee enable

 


Inside a VLAN-aware router or switch, it is common convention to treat all packets without a VLAN tag as being in VLAN1 by default, and to strip the VLAN header from packets of VLAN 1 as they leave. This is simply because it is easier for hardware and software to treat all packets as being in a VLAN instead of having separate handling methods. Setting a port to “access” or “trunk native” or “untag” or “PVID” some specific VLAN is just changing the inbound/outbound translation for that port from VLAN 1 to VLAN x.

 

The default network in Unifi lacks a VLAN definition. At the actual programming level, the USG will use VLAN1 internally when not given a different vlan. The packets of VLAN1 will not have a VLAN header when they leave the LAN1 port. Unifi does not have an option to change which VLAN is the one used for non-tagged packets. By the way, do not try to set “1” as the VLAN number for the network. While there are legitimate reasons to send traffic as tagged VLAN 1, Unifi will not act properly even if it allows it.

 

When the packets enter the switch, assuming the port is “trunk” and has no “trunk native vlan” statement, they will come in as VLAN1. In other words, although it isn’t shown in the config or even the “defaults” section, ports 47 and up have a hidden “switchport trunk native vlan 1” config. Therefore, when the USG LAN1 is plugged into 47 or 48, I would expect that the default network is accessible from VLAN 1 ports, like 11-17.

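An added example, not written by anyone in the thread: a small audit that reads excerpts of the two Dell running-configs posted above and lists which VLANs each port actually carries, so the camera uplink can be checked against the stated goal of a VLAN 13 only camera switch. It assumes a trunk with no `allowed vlan` line carries every defined VLAN (which the `remove` lines in the first config imply) and that untagged traffic is VLAN 1, as described in the last post; `POLICY` is a hypothetical allow-list derived from the first config's pruning.

```python
import re

# Excerpts of the first ("BEFORE") and updated ("AFTER") Dell configs from the thread.
BEFORE = """\
vlan database
vlan 13,17,20,24
exit
interface gigabitethernet1/0/3
 description MainAP
 switchport mode trunk
 switchport trunk allowed vlan remove 2-16,18-19,21-4094
!
interface gigabitethernet1/0/9
 description CamSWUplink
 switchport mode trunk
 switchport trunk allowed vlan remove 2-12,14-4094
!
interface gigabitethernet1/0/10
 switchport access vlan 13
!
"""
AFTER = """\
vlan database
vlan 13,17,20,24
exit
interface gigabitethernet1/0/3
 description MainAP
 switchport mode trunk
!
interface gigabitethernet1/0/9
 description CAMs
 switchport mode trunk
!
"""
# Hypothetical policy: VLANs each port is meant to carry (1 = untagged/native).
POLICY = {"gigabitethernet1/0/9": {1, 13}, "gigabitethernet1/0/3": {1, 17, 20}}


def expand(spec):
    """Turn a list such as '2-12,14-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def port_vlans(config):
    """Return {port: (mode, sorted VLANs carried)} for each physical port."""
    defined, ports, port, in_db = {1}, {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "vlan database":
            in_db = True
        elif in_db:
            if line == "exit":
                in_db = False
            elif line.startswith("vlan "):
                defined |= expand(line.split()[1])
        elif m := re.match(r"interface ((?:ten)?gigabitethernet\S+)$", line):
            # Assumed defaults: access mode, VLAN 1, nothing pruned.
            port = ports.setdefault(
                m.group(1), {"mode": "access", "access": 1, "removed": set()})
        elif line.startswith("interface ") or line == "!":
            port = None  # VLAN interfaces and block ends are not switchports
        elif port is not None:
            if line == "switchport mode trunk":
                port["mode"] = "trunk"
            elif m := re.match(r"switchport access vlan (\d+)$", line):
                port["access"] = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan remove (\S+)$", line):
                port["removed"] |= expand(m.group(1))
    result = {}
    for name, p in ports.items():
        carried = defined - p["removed"] if p["mode"] == "trunk" else {p["access"]}
        result[name] = (p["mode"], sorted(carried))
    return result


def unexpected(config, policy):
    """Return {port: VLANs carried beyond what the policy allows}."""
    findings = {}
    for name, (_mode, carried) in port_vlans(config).items():
        extra = sorted(set(carried) - policy.get(name, set(carried)))
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, unexpected(cfg, POLICY))
```

Only the `remove` form of `switchport trunk allowed vlan` is parsed, since that is the only form that appears in the posted configs.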
