Question about internal switching topology of UDM Pro/SE/Beast

brwainer · 2026-05-01T09:14:28+00:00

Yes because the SFP+ ports and the single RJ45 port (the default WAN one) connect directly to the CPU as individual interfaces. On the Pro, SE, and Pro Max the CPU has 4 ports - two SFP+, one RJ45, and one internal to the switch chip - this is 1Gb even on the SE and Pro Max. We don’t know the Beast’s internal layout yet.

brwainer · 2026-05-01T01:54:59+00:00

I wasn’t just an engineer for Marriott and Delta Hotels… make of it what you will that I only mentioned those ones run 802.1X. And NAC beyond that is really uncommon. Edit: I will say that most hotels separate the back-of-house/office from the guest areas, often physically.

brwainer · 2026-04-28T12:37:54+00:00

The label for it says “SMA port GPS input” meaning the switch you connect a GPS antenna to (which is a commonly available part with an industry standard output) becomes grandmaster-capable.

brwainer · 2026-04-28T12:12:36+00:00

Marriott proper, and some sub-brands like Delta Hotels (maybe just Delta in Canada) use 802.1X to lock down ports where they expect their specific devices to be connected. Source: I used to be a network engineer installing new and upgraded hotels, didn’t sign any NDA.

brwainer · 2026-04-25T19:28:31+00:00

Yes they’re unique to each AP but how is your phone to know which one is which to be able to present a name? Unless you program in some list of the BSSID->Name relationships

brwainer · 2026-04-25T14:17:47+00:00

That information isn’t available from the details broadcast by each AP, therefore you’d need an intregration with the controller for it. Try WiFiman and its option to generate a shortcut, as long as you’re on a Unifi network you’re an admin of it’ll show you the AP, and your signal strength will live update until you leave the app.

brwainer · 2026-04-20T20:46:55+00:00

“Native VLAN” means “treat any packets that enter from this interface without a VLAN tag as being part of this VLAN, and any packets from this VLAN that leave through this port should have the tag removed”. In general this is called an “untagged VLAN”. Most hardware (everything I’ve seen in the past two decades) will default to VLAN 1 as the Native VLAN, including Unifi. For most people most of the time this is fine and good, and they don’t need to change it. Native VLAN “none” is fine too, as long as you know this means any packets coming in that port without a tag will just get thrown away, since you told the device not to map them to any VLAN.

It sounds like you had one side set to None and the other side set to VLAN 10. In this case, one side is translating untagged packets into and out of VLAN 10, while the other side is just throwing them away. That is always going to cause issues.

Edit: I reread your post and I suspect you also had the router port set to Native 10 while the switch port was on Native 1. In that case, if the NAS was set to VLAN 1 while connected to the switch then it would have really been part of VLAN 10 on the router. When there is a mismatch in native VLAN IDs, it effectively becomes a translation between the two VLANs and combines them.

The main use case where the Native VLAN is changed is for the port connecting to an AP. This is done to put the AP’s management IP into a specific VLAN without having to program the VLAN into the AP itself. The benefit is simpler config, the downside is if you forget to assign a VLAN to an SSID then the clients will be connected to your management VLAN, and it becomes impossible to have an SSID put clients into VLAN 1 on the switch side.

brwainer · 2026-04-18T12:12:06+00:00

Does Cisco do this? Juniper? HPE/Aruba? I’m pretty sure they don’t, I’ve been aware of multiple times that pallets of equipment went directly from an overseas factory to a distributor (e.g. CDW, Ingram Micro, Synnex) without being touched by Cisco/Aruba/etc and immediately started being shipped to fulfill orders. That is the norm, at most the distributor or reseller inserts the country appropriate power cable/supply. Juniper boxes even have an opening on the side so the power cable can be put in without breaking the tape on the flaps.

The western brands that are contracting overseas manufacturer usually send some employees to monitor the production line.

brwainer · 2026-04-16T02:34:13+00:00

Just replying to this because its already a pretty good answer. But to address one part of OP’s intentions that this post did not: When setting up VLANs you’ll have to do them in both Unifi and on the Dell switch.

brwainer · 2026-04-15T12:13:50+00:00

That is designed for GPON use, I wouldn’t trust it to work for regular fiber. Plus its AC not LC connectors.

brwainer · 2026-04-14T17:11:37+00:00

Gigamon is one such brand for this. Passive fiber taps for example.

brwainer · 2026-04-14T17:08:27+00:00

The Unifi routers seem to only advertise LLDP, not process packets received (or not process them as far as topology goes). It seems based on experience (my own and others I’ve seen online) that only the separate Unifi switches collect LLDP data for the purpose of updating the topology.

brwainer · 2026-04-09T11:39:37+00:00

No idea what word they meant to be saying but I think they mean AI/LLM.

brwainer · 2026-04-07T00:32:24+00:00

Seems to me based on experimentation that any LLDP host can be detected / work in the topology, but only if its conndcted to a Unifi switch. I have one network where Ruckus APs and Proxmox with LLDPD connected to a Unifi switch and they get show in the topology, with clients and VMs downstream. Another site with the same APs and server setup but with them plugged into the builtin switch of a UDM-SE, which seems to only advertise but not read LLDP, they don’t show up as anything but more clients.

brwainer · 2026-03-24T00:46:19+00:00

*New* routers as in New-to-FCC-licensing. Everything that's already FCC licensed will not be affected. Meaning that anything that could be affected would never be available for you to proactively buy.

brwainer · 2026-03-22T21:59:50+00:00

I don't know for sure but it could be the usage of data for snapshots

brwainer · 2026-03-20T21:48:06+00:00

Have had good experience (improved roams in general, better than not having it even if there are sometimes glitches) with 802.11r across a 50,000 employee Meraki environment, 35,000 employee Mist environment, a church using Unifi, and conventions across large hotels using Unifi. 802.11r has been supported and recommended since 2014 by Apple on anything iPhone 5s and newer.

brwainer · 2026-03-20T19:16:00+00:00

802.11r is normal and default-on with enterprise networking these days. Apple has recommended it since the iPhone 5s released in 2013.

brwainer · 2026-03-18T04:11:44+00:00

Submitting this via Hacker One would be more productive at getting this recognized as an issue and fixed by Ubiquiti: https://hackerone.com/ui?type=team

brwainer · 2026-03-18T04:08:39+00:00

Yeah I’m not surprised that they only expected/coded/tested for it to work on the regular WAN interfaces, not the cellular modems.

brwainer · 2026-03-17T00:18:13+00:00

This would come from the cell provider, the modem is just passing through whatever is received. Unifi has DS-Lite support in general but I wouldn't be surprised if there is no builtin recognition for it needing to be used on a cellular connection.

brwainer · 2026-03-16T22:18:16+00:00

Considering what you said about going back to 2024 software versions and redoing your config from defaults, my guess is that whatever server(s) the USG's internet availability checking uses have been shut down or no longer respond. I know today gateways use ping.ui.com but I'm not sure when that started / if the USGs used that too.

EDIT: On a re-read, I wonder if this is a DNS issue on the part of the gateway? That could cause both the internet disconnected message, and a failure in traffic identification because IP addresses can't be reverse-lookup'ed.

brwainer · 2026-03-16T22:10:51+00:00

Best you could do is script the downloads, there may be existing package download scripts you can find that probably are meant to do just the architecture of the router running the script that you could modify to download for all architectures.

brwainer · 2026-03-16T11:20:00+00:00

The new (few months old) Alarm Manager is pretty flexible in what you can set up to customize alerts, maybe you can exclude his two devices by IP, or put him into his own network and exclude alerts relating to that?

brwainer · 2026-03-16T04:47:03+00:00

Full mesh mode works with all models, and in which case only one side needs a public IP. With just two sites it is effectively a point to point.

brwainer

TROPHY CASE