Why Default Switch Configuration Is Never Sufficient for Enterprise

Out of the box, a UniFi switch is configured with all ports on VLAN 1, spanning tree in default mode, PoE delivering power to all ports indiscriminately, and no traffic control or aggregation. For a home user, this is fine. For an enterprise environment with security requirements, performance expectations, and compliance obligations, this is the starting point for a configuration that must be hardened substantially before it is production-ready.

VLAN Configuration on UniFi Switches

Port Profiles: Access vs. Trunk

Every switch port in an enterprise deployment must be configured with a specific port profile:

  • Access port: Carries a single untagged VLAN. Used for end devices (workstations, IP phones, cameras) that should only see one network segment.
  • Trunk port: Carries multiple tagged VLANs. Used for uplinks to other switches, routers, and access points that need to carry traffic from multiple VLANs simultaneously.

In UniFi, port profiles are created once and applied to multiple ports. A 'Corporate Workstation' profile sets the native VLAN to 10 and blocks all tagged VLANs. A 'Distribution Trunk' profile passes all production VLANs tagged and nothing else. Unused ports should get a profile that disables the port, so a stray patch cable never lands a device on VLAN 1. Creating and applying profiles consistently across all switches eliminates configuration drift and makes an audit a matter of comparing profile assignments rather than reading individual port settings.

Native VLAN Configuration

The native VLAN (the VLAN a trunk port carries untagged) should never be VLAN 1 in production, and it should never be a VLAN that any end device sits in. VLAN 1 is the default on every switch and the usual starting point for double-tagging VLAN hopping: a host on an access port in the trunk's native VLAN sends frames carrying two 802.1Q tags; the first switch strips the outer tag because the frame belongs to the native VLAN and sends it untagged across the trunk, and the next switch reads the inner tag and delivers the frame into a VLAN the host was never assigned to. Change the native VLAN on all trunk ports to a dedicated, otherwise unused VLAN ID, assign no access ports, devices or services to it, and keep management traffic in its own tagged VLAN rather than on the trunk's native VLAN.
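The double-tagging attack described above, simulated on raw 802.1Q frames. This is an added example, not UniFi code or anything from the original page: it models the textbook trunk behaviour (native VLAN leaves untagged, every other VLAN gets a tag) and the permissive access-port behaviour, common but not universal, where a tag equal to the port's own VLAN is accepted and stripped. The MAC addresses, VLAN numbers and the `hop_attempt` helper are constructed for the example.

```python
"""Double-tagging VLAN hopping, modelled on raw 802.1Q frames.

Added example; not UniFi code. The model assumes the textbook trunk
behaviour (native VLAN leaves untagged, other VLANs get a tag) and the
common, permissive access-port behaviour where a tag equal to the port's
own VLAN is accepted and stripped. Real switches vary on that last point.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# Constructed sample MAC addresses (locally administered, not real hosts).
ATTACKER_MAC = bytes.fromhex("0242ac110002")
VICTIM_MAC = bytes.fromhex("0242ac110014")


def build_frame(dst, src, vids, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None if the frame is untagged."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid != ETH_P_8021Q:
        return None
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` in front of the existing EtherType."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def forward_through_trunk(frame, access_vlan, native_vlan):
    """Return the VLAN a frame lands in on the downstream switch.

    Path: access port (access_vlan) on switch A -> trunk (native_vlan)
    -> switch B, whose trunk port classifies untagged frames into
    native_vlan and tagged frames by their outer tag.
    """
    vid = outer_vid(frame)
    if vid is None:
        pass                      # untagged: classified into access_vlan
    elif vid == access_vlan:
        frame = pop_tag(frame)    # accepted and stripped (the weak spot)
    else:
        return None               # foreign tag on an access port: dropped
    # Switch A trunk egress: native VLAN leaves untagged, others tagged.
    if access_vlan != native_vlan:
        frame = push_tag(frame, access_vlan)
    # Switch B trunk ingress.
    vid = outer_vid(frame)
    return native_vlan if vid is None else vid


def hop_attempt(native_vlan, attacker_vlan=1, target_vlan=20):
    """Attacker in attacker_vlan sends a double-tagged frame aimed at target_vlan."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan],
                        b"\x45" + b"\x00" * 19)
    return forward_through_trunk(frame, attacker_vlan, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1   ->", hop_attempt(native_vlan=1))    # lands in VLAN 20
    print("native VLAN 999 ->", hop_attempt(native_vlan=999))  # stays in VLAN 1
```

With the trunk's native VLAN equal to the attacker's access VLAN, the outer tag is stripped on the way out and the inner tag carries the frame into VLAN 20 on the far switch. With the native VLAN moved to an unused ID, the same frame leaves the trunk tagged with the attacker's own VLAN and stays there; the attack also fails if no access port is ever placed in the native VLAN, which is the rule the section states.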

Link Aggregation (LAG) Configuration

Link aggregation (LACP, defined in IEEE 802.3ad and now maintained as 802.1AX) combines multiple physical ports into a single logical link with automatic failover and more aggregate bandwidth. The bandwidth gain is per flow, not per packet: the switch hashes each frame's addresses to pick one member link, so a single TCP stream never runs faster than one member, and a 2 x 1 Gbps LAG helps a server talking to many clients but not one backup job. Configuration steps in UniFi:

  • Navigate to Switch Settings > Port Manager
  • Select the ports to aggregate (they must be consecutive ports on the same switch)
  • Click 'Create LAG' and enable LACP
  • Configure the resulting LAG interface with the appropriate port profile

The device at the other end must run LACP as well (active mode on a server's bonding driver or on a third-party switch); a static bundle on one side facing LACP on the other will not form a working aggregate. Common LAG use cases: server connections requiring more than 1 Gbps in aggregate, uplinks between distribution and core switches, NVR connections for high camera-count security systems.
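The per-flow behaviour that decides whether a LAG actually helps, as an added example (not UniFi code and not from the original page). Real switches use vendor-specific hash functions; the CRC-32 here only stands in for the property that matters: the member link is chosen from header fields, so every frame of one conversation follows one link. The two policies correspond to the `layer2` and `layer3+4` values of the Linux bonding driver's `xmit_hash_policy`; the MAC and IP addresses are constructed.

```python
"""Which LAG member link carries a given flow, under two hash policies.

Added example; not UniFi code. The CRC-32 stands in for whatever hash a
real switch or bonding driver uses; the point is that the hash is taken
per frame from header fields, so all frames of one conversation follow
one member link.
"""
import socket
import struct
import zlib
from collections import Counter

# Constructed sample addresses: a server behind a 2-port LAG, reached by
# many clients through one router.
SERVER_MAC = bytes.fromhex("0242ac110010")
ROUTER_MAC = bytes.fromhex("0242ac110001")
SERVER_IP = "10.10.0.10"


def pick_member(policy, src_mac, dst_mac, src_ip, dst_ip, sport, dport, members):
    """Index of the member link a frame is transmitted on."""
    if policy == "layer2":
        key = src_mac + dst_mac
    elif policy == "layer3+4":
        key = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
               + struct.pack("!HH", sport, dport))
    else:
        raise ValueError(f"unknown hash policy {policy!r}")
    return zlib.crc32(key) % members


def server_to_client_flows(n):
    """n HTTPS sessions from the server back to n different clients.

    Every frame has the same MAC pair (server -> router), so a layer2
    hash sees a single conversation no matter how many clients there are.
    """
    return [(SERVER_MAC, ROUTER_MAC, SERVER_IP, f"192.0.2.{i}", 443, 40000 + i)
            for i in range(n)]


def link_usage(policy, members=2, n_flows=64):
    """Count how many of the sample flows land on each member link."""
    return Counter(pick_member(policy, *flow, members)
                   for flow in server_to_client_flows(n_flows))


if __name__ == "__main__":
    for policy in ("layer2", "layer3+4"):
        print(f"{policy:9s} -> {dict(link_usage(policy))}")
```

Under the layer2 policy all 64 client sessions share one member link because they all use the same server-to-router MAC pair; under layer3+4 they spread across both. Even under layer3+4 one session always maps to one link, which is why a single NVR stream or backup job sees no more than 1 Gbps on a 2 x 1 Gbps LAG.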

PoE Budget Management

PoE (Power over Ethernet) powers access points, IP cameras, VoIP phones, and other network devices through the Ethernet cable. Managing PoE budgets correctly prevents two failure modes:

  • Overload: Total power draw exceeds the switch's PoE budget and the switch cuts power to ports (lowest priority first, typically highest port number first among equal priorities), which looks like random outages from the user's side
  • Brownout: A budget with no headroom causes intermittent power cycling of high-draw devices like WiFi 7 APs whenever their consumption peaks

In UniFi, monitor the PoE dashboard on each switch to see actual power consumption per port and total budget utilization. Plan against the worst-case draw each device's PoE class allows, not the idle draw the dashboard shows at 3 p.m., and treat 80% budget utilization as the safety threshold. Configure PoE port priority so that when the budget is exceeded the switch sheds low-priority ports first: critical APs and cameras should have higher priority than peripherals such as desk phones and badge readers.

Spanning Tree Protocol Optimization

STP prevents broadcast storms in networks with redundant physical paths. Default STP behavior is functional but not optimal for enterprise environments:

  • Run RSTP (802.1w) rather than legacy 802.1D STP: convergence after a topology change drops from 30-50 seconds to a few seconds. UniFi switches select RSTP by default, so the check is that nobody has switched it to STP or turned it off
  • Configure edge ports (ports connecting to end devices, PortFast in Cisco terminology) so they skip the STP listening/learning states and forward immediately; a port that may ever face another switch must not be an edge port
  • Enable BPDU Guard on edge ports: if a BPDU (spanning tree packet) arrives on an edge port, it is evidence of an unauthorized switch being connected, and the port shuts down automatically. The port stays err-disabled until it is re-enabled by hand or a recovery timer expires, so treat every BPDU Guard trip as an incident to investigate rather than a nuisance to clear
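The BPDU Guard decision on a real BPDU, as an added example (not UniFi code and not from the original page). It builds a constructed RSTP BPDU the way a rogue switch would send it (bridge priority 0, so it would win the root election if it ever reached an STP-enabled port), parses the fields an investigator wants (version, type, sender's bridge priority and MAC), and applies the rule: any BPDU on an edge port err-disables that port, while a BPDU on a trunk is handed to STP. The port numbers, roles and MAC addresses are made up.

```python
"""BPDU parsing and BPDU Guard decision logic.

Added example; not UniFi code. Frames follow the 802.1D/802.1w layout:
802.3 length field, LLC header 42 42 03, then the BPDU itself.
"""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"
BPDU_TYPE_CONFIG, BPDU_TYPE_RST, BPDU_TYPE_TCN = 0x00, 0x02, 0x80


def build_rstp_bpdu(src_mac, bridge_priority, bridge_mac):
    """802.3 frame carrying an RSTP BPDU that claims to be the root bridge."""
    bridge_id = struct.pack("!H", bridge_priority) + bridge_mac
    bpdu = struct.pack("!HBBB", 0, 2, BPDU_TYPE_RST, 0x7C)  # proto, version 2, type, flags
    bpdu += bridge_id                     # root bridge ID (claims to be root)
    bpdu += struct.pack("!I", 0)          # root path cost
    bpdu += bridge_id                     # sending bridge ID
    # port ID, message age, max age 20 s, hello 2 s, forward delay 15 s
    # (timers in 1/256 s units), version 1 length 0
    bpdu += struct.pack("!HHHHHB", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256, 0)
    length = struct.pack("!H", len(LLC_STP) + len(bpdu))
    return STP_MULTICAST + src_mac + length + LLC_STP + bpdu


def parse_bpdu(frame):
    """Return a dict describing the BPDU, or None if the frame is not one."""
    if frame[:6] != STP_MULTICAST:
        return None
    length, = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:
        return None
    bpdu = frame[17:17 + length - 3]
    proto, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    info = {"version": version, "type": bpdu_type,
            "bridge_priority": None, "bridge_mac": None}
    if bpdu_type != BPDU_TYPE_TCN:  # TCN BPDUs carry no bridge ID
        # Bridge ID follows flags(1) + root ID(8) + root path cost(4).
        prio_field, = struct.unpack("!H", bpdu[17:19])
        info["bridge_priority"] = prio_field & 0xF000  # low 12 bits: system ID extension
        info["bridge_mac"] = bpdu[19:25]
    return info


def bpdu_guard(port_roles, port, frame, disabled):
    """Apply BPDU Guard to one ingress frame.

    port_roles maps port number -> "edge" or "trunk". An edge port that
    receives any BPDU is added to `disabled` (err-disabled) and the frame
    is discarded; a trunk port hands the BPDU to STP as normal.
    """
    info = parse_bpdu(frame)
    if info is None:
        return "forward"
    if port_roles.get(port) == "edge":
        disabled.add(port)
        return "err-disable"
    return "stp-process"


# Constructed sample: rogue switch on edge port 7, upstream core on trunk port 1.
ROGUE_BPDU = build_rstp_bpdu(bytes.fromhex("0242ac11ff01"), 0x0000, bytes.fromhex("0242ac11ff01"))
CORE_BPDU = build_rstp_bpdu(bytes.fromhex("0242ac110001"), 0x8000, bytes.fromhex("0242ac110001"))
PORT_ROLES = {1: "trunk", **{n: "edge" for n in range(2, 25)}}

if __name__ == "__main__":
    disabled = set()
    print("port 7:", bpdu_guard(PORT_ROLES, 7, ROGUE_BPDU, disabled), "sender", parse_bpdu(ROGUE_BPDU))
    print("port 1:", bpdu_guard(PORT_ROLES, 1, CORE_BPDU, disabled))
    print("err-disabled ports:", sorted(disabled))
```

The parsed sender bridge ID is what to keep from a BPDU Guard event: priority 0 and an unfamiliar MAC on an office port means a device was plugged in that would have taken over as root bridge had the port been a trunk.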

Storm Control and Traffic Protection

Broadcast storms can saturate an entire network segment in seconds. Storm control limits the rate of broadcast, multicast, and unknown unicast traffic on each port (known unicast is switched to one port and never floods, so it is not limited). When traffic in one of those classes exceeds the configured threshold (typically 10-20% of port capacity), excess frames are dropped before they can cascade into a storm. Set the threshold from a measured baseline rather than a guess: a value that is too low drops legitimate multicast such as mDNS and streaming video, and ARP during a boot storm. Storm control caps a storm, it does not remove its cause; the loop or rogue switch behind it is what STP and BPDU Guard are for.
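Storm control as a per-port, per-class token bucket, as an added example (not UniFi code and not from the original page). It classifies frames the way a switch does before the limiter runs (broadcast, multicast by the group bit of the destination MAC, unknown unicast when the destination is not in the MAC table, and known unicast which passes untouched) and then applies a bandwidth share per class. The port speed, threshold, burst window and MAC addresses are constructed; real switches express the limit as a percentage of line rate or in packets per second and their burst tolerance is hardware-specific.

```python
"""Per-port storm control as a token bucket, with the frame classes it applies to.

Added example; not UniFi code. The limiter admits each flooded class
(broadcast, multicast, unknown unicast) up to a share of port speed
with a small burst allowance; known unicast is never limited.
"""
BROADCAST = b"\xff" * 6


def classify(dst_mac, mac_table):
    """Storm-control class of a frame from its destination MAC."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if dst_mac[0] & 0x01:          # I/G bit set: group address
        return "multicast"
    if dst_mac in mac_table:
        return "unicast"           # known: switched to one port, never flooded
    return "unknown-unicast"       # unknown: flooded out every port like a broadcast


class StormControl:
    """Rate-limit flooded traffic on one port to a share of its speed."""

    LIMITED = ("broadcast", "multicast", "unknown-unicast")

    def __init__(self, speed_bps, threshold=0.10, burst_s=0.01):
        self.rate = speed_bps * threshold / 8       # bytes per second allowed
        self.capacity = self.rate * burst_s         # burst tolerance in bytes
        self.tokens = {c: self.capacity for c in self.LIMITED}
        self.last = {c: 0.0 for c in self.LIMITED}
        self.dropped = {c: 0 for c in self.LIMITED}

    def admit(self, dst_mac, size, now, mac_table):
        """True if the frame is forwarded, False if storm control drops it."""
        cls = classify(dst_mac, mac_table)
        if cls not in self.LIMITED:
            return True
        elapsed = now - self.last[cls]
        self.last[cls] = now
        self.tokens[cls] = min(self.capacity, self.tokens[cls] + elapsed * self.rate)
        if self.tokens[cls] >= size:
            self.tokens[cls] -= size
            return True
        self.dropped[cls] += 1
        return False


def simulate_burst(dst_mac, frames, size, mac_table, speed_bps=1_000_000_000):
    """Send `frames` frames of `size` bytes back-to-back at t=0; return (forwarded, dropped)."""
    sc = StormControl(speed_bps)
    forwarded = sum(sc.admit(dst_mac, size, 0.0, mac_table) for _ in range(frames))
    return forwarded, frames - forwarded


KNOWN_HOSTS = {bytes.fromhex("0242ac110014")}   # constructed MAC table

if __name__ == "__main__":
    print("broadcast storm:", simulate_burst(BROADCAST, 2000, 1000, KNOWN_HOSTS))
    print("known unicast:  ", simulate_burst(bytes.fromhex("0242ac110014"), 2000, 1000, KNOWN_HOSTS))
```

A 2000-frame broadcast burst on a 1 Gbps port with a 10% threshold gets 125 frames through (the 10 ms burst allowance of 125 kB) and loses the rest, while the same burst to a known unicast destination passes in full. The unknown-unicast class is the one people forget: a host whose MAC aged out of the table is flooded exactly like a broadcast until it speaks again.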

Frequently Asked Questions

How do I identify which ports are carrying too much traffic?

UniFi's switch dashboard shows per-port utilization graphs. Ports consistently above 70% utilization during business hours are candidates for LAG or uplink upgrade. The packet error counters also reveal cabling issues that degrade performance without obvious connectivity failures.

Can I mix UniFi and non-UniFi switches in the same network?

Yes, with caveats. Non-UniFi switches can participate in a UniFi network using standard 802.1Q VLAN tagging and STP. However, they won't appear in the UniFi dashboard, can't be remotely configured through the controller, and don't receive automatic firmware updates. For a fully managed environment, a homogeneous UniFi switching fabric is strongly recommended.

What is DHCP snooping and should we enable it?

DHCP snooping prevents rogue DHCP servers from answering client requests on your network. When enabled, only 'trusted' ports can send DHCP offers and acknowledgements: the port facing your actual DHCP server or gateway, and every uplink or trunk on the path to it. Server messages arriving on any other port are dropped. Getting the trust list right matters in both directions: an uplink left untrusted drops the legitimate offers coming from upstream and clients on that switch stop getting leases, while an access port marked trusted is a hole a rogue server walks through. The switch also records the lease bindings (client MAC, assigned IP, port, VLAN) it sees, which is the table that dynamic ARP inspection and IP source guard later rely on. Enable it on all production VLANs; it is one of the highest-value, lowest-risk security features available on UniFi switches.
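The snooping decision itself, as an added example (not UniFi code and not from the original page). It parses the BOOTP/DHCP payload (the UDP data, with the message type in option 53), drops server-side messages and relay-agent fields that arrive on untrusted ports, checks a client's chaddr against the frame's source MAC, and records address bindings from ACKs seen on trusted ports. The port numbers, MAC addresses, IP addresses and the `DhcpSnooping` class are constructed for the example.

```python
"""DHCP snooping: the per-port trust decision and the binding table it builds.

Added example; not UniFi code. Only the fields snooping needs are parsed.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", server_id=None):
    """Minimal BOOTP header plus a message-type option (and server ID if given)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                        socket.inet_aton("0.0.0.0"), socket.inet_aton(giaddr),
                        chaddr.ljust(16, b"\x00"), b"", b"")
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    return fixed + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(payload):
    """Return the fields snooping needs, or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = socket.inet_ntoa(payload[16:20])
    giaddr = socket.inet_ntoa(payload[24:28])
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:   # 0xFF: end option
        if payload[i] == 0:                          # pad option
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if 53 in options else None
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
            "giaddr": giaddr, "msg_type": msg_type, "options": options}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # assigned IP -> client MAC, learned from ACKs

    def inspect(self, port, src_mac, payload):
        """Return "forward" or a "drop: ..." verdict for one DHCP packet."""
        msg = parse_dhcp(payload)
        if msg is None:
            return "drop: malformed DHCP"
        if port not in self.trusted:
            if msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MESSAGES:
                return "drop: server message on untrusted port"
            if msg["giaddr"] != "0.0.0.0":
                return "drop: relay agent field set on untrusted port"
            if msg["chaddr"] != src_mac:
                return "drop: chaddr does not match source MAC"
        elif msg["msg_type"] == ACK:
            # A real binding entry also records the client port, VLAN and lease time.
            self.bindings[msg["yiaddr"]] = msg["chaddr"]
        return "forward"


# Constructed sample: DHCP server behind uplink port 1; clients on ports 2-24.
CLIENT_MAC = bytes.fromhex("0242ac110014")
ROGUE_MAC = bytes.fromhex("0242ac11ff01")
CLIENT_DISCOVER = build_dhcp(BOOTREQUEST, DISCOVER, 0x1234, CLIENT_MAC)
GOOD_ACK = build_dhcp(BOOTREPLY, ACK, 0x1234, CLIENT_MAC, yiaddr="10.10.0.55", server_id="10.10.0.1")
ROGUE_OFFER = build_dhcp(BOOTREPLY, OFFER, 0x1234, CLIENT_MAC, yiaddr="10.10.0.200", server_id="10.10.0.250")

if __name__ == "__main__":
    snoop = DhcpSnooping(trusted_ports={1})
    print("client DISCOVER on port 5:", snoop.inspect(5, CLIENT_MAC, CLIENT_DISCOVER))
    print("rogue OFFER on port 9:    ", snoop.inspect(9, ROGUE_MAC, ROGUE_OFFER))
    print("server ACK on uplink 1:   ", snoop.inspect(1, bytes.fromhex("0242ac110001"), GOOD_ACK))
    print("bindings:", {ip: mac.hex(":") for ip, mac in snoop.bindings.items()})
```

The same OFFER is forwarded from port 1 and dropped from port 9; nothing about the packet changes, only the trust of the port it arrived on, which is why the trust list is the whole configuration. The relay-agent and chaddr checks are the standard extras: a client port has no business setting giaddr, and a mismatched chaddr is the signature of a host exhausting the pool with forged requests.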