Ubiquiti UniFi Switch Configuration for VMware Homelab
Overview
This guide provides step-by-step instructions for configuring Ubiquiti UniFi switches to support the VLAN design outlined in the VLAN Configuration Guide. This configuration enables proper network isolation for VMware infrastructure including management, vMotion, storage, and NSX-T networks.
Prerequisites
- Ubiquiti UniFi Network Controller (local or cloud)
- UniFi switches with sufficient 10G/multi-gig ports
- Access to UniFi Controller web interface
- ESXi hosts with dual NICs (Intel NUCs with USB adapters)
Network Architecture Overview
┌─────────────────────────────────────┐
│          Ubiquiti UXG-Lite          │  Gateway
│           192.168.10.1/24           │
└──────────────┬──────────────────────┘
               │ Uplink
┌──────────────┴──────────────────────┐
│        Garage Switch (US-8)         │  Distribution
│             8x 1G RJ45              │
└──────────────┬──────────────────────┘
               │ 10G Trunk (VLAN tagged)
┌──────────────┴──────────────────────┐
│      USW-Aggregation (Office)       │  10G Core Switch
│      8x 10G SFP+ + 1x 1G RJ45       │
└─────────────┬───┬───┬───┬───────────┘
              │   │   │   │
    ┌─────────┘   │   │   └────────┐
    │             │   │            │
┌───▼───┐    ┌───▼▼───▼──┐    ┌────▼────┐
│ NUC-1 │    │   NUC-2   │    │  NUC-3  │
│ ESXi  │    │   ESXi    │    │  ESXi   │
└───────┘    └───────────┘    └─────────┘
VLAN Design Summary
| VLAN ID | Name | Purpose | Native | Network |
|---|---|---|---|---|
| 10 | Management | ESXi mgmt, vCenter | Yes | 192.168.10.0/24 |
| 20 | vMotion | VM migration | No | 192.168.20.0/24 |
| 30 | vSAN | Storage traffic | No | 192.168.30.0/24 |
| 40 | NSX-TEP | Overlay tunnels | No | 192.168.40.0/24 |
| 50 | NSX-Edge-Uplink | North-south routing | No | 192.168.50.0/24 |
| 100 | TKG-Management | K8s management | No | 192.168.100.0/24 |
| 110 | TKG-Workload | K8s workloads | No | 192.168.110.0/24 |
| 200 | NUC-Management | Testing only | No | 192.168.200.0/24 |
Step 1: Access UniFi Controller
Cloud-based Controller
- Navigate to unifi.ui.com
- Login with your Ubiquiti account
- Select your site
Local Controller
- Open web browser to your controller IP
- Login with admin credentials
- Navigate to UniFi Network interface
Step 2: Create Networks (VLANs)
2.1 Navigate to Networks
- Settings → Networks
- Create New Network (repeat for each VLAN)
2.2 Management Network (VLAN 10)
Network Configuration:
Name: Management
Purpose: Corporate
Network Group: LAN
VLAN: 10
Gateway/Subnet: 192.168.10.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.10.100 - 192.168.10.199
Lease Time: 86400 (24 hours)
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
Advanced Options:
- IGMP Snooping: Enabled
- Multicast DNS: Enabled
- DHCP Guarding: Enabled
Management Network IP Allocation Strategy
Static IP Reservations (192.168.10.1-99)
192.168.10.1 - UXG-Lite Gateway
192.168.10.2-6 - Network Infrastructure (switches, APs)
192.168.10.7 - Mac Pro ESXi
192.168.10.8 - esxi-nuc-01
192.168.10.9 - esxi-nuc-02
192.168.10.10 - esxi-nuc-03
192.168.10.11 - vCenter Server (VCSA)
192.168.10.15 - NSX Manager
192.168.10.20-50 - Infrastructure VMs (future NSX components, etc.)
192.168.10.51-99 - Reserved for expansion
DHCP Pool (192.168.10.100-199)
- Laptops/workstations accessing the management network
- Temporary VMs during testing/deployment
- IPMI/iDRAC interfaces (if not statically assigned)
- Network troubleshooting tools and temporary devices
- Guest management access for consultants/vendors
Reserved High Range (192.168.10.200-254)
- Reserved for future static assignments
Design Benefits:
- Clear Separation: Static IPs (1-99) for critical infrastructure, DHCP (100-199) for temporary devices
- Security: Easy firewall rules targeting specific ranges, DHCP devices get restrictive policies
- Operations: No IP conflicts, easy device identification by IP, simplified troubleshooting
- Future-Proof: Room for expansion without conflicts, supports additional infrastructure
2.3 vMotion Network (VLAN 20)
Network Configuration:
Name: vMotion
Purpose: Corporate
Network Group: LAN
VLAN: 20
Gateway/Subnet: 192.168.20.1/24
DHCP:
Mode: None (Static IPs only)
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
Advanced Options:
- IGMP Snooping: Disabled
- Multicast DNS: Disabled
2.4 vSAN Network (VLAN 30)
Network Configuration:
Name: vSAN
Purpose: Corporate
Network Group: LAN
VLAN: 30
Gateway/Subnet: 192.168.30.1/24
DHCP:
Mode: None (No gateway needed)
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
Advanced Options:
- IGMP Snooping: Disabled
- Multicast DNS: Disabled
- Block LAN to WLAN: Enabled
2.5 NSX TEP Network (VLAN 40)
Network Configuration:
Name: NSX-TEP
Purpose: Corporate
Network Group: LAN
VLAN: 40
Gateway/Subnet: 192.168.40.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.40.10 - 192.168.40.100
Lease Time: 86400
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
2.6 NSX Edge Uplink Network (VLAN 50)
Network Configuration:
Name: NSX-Edge-Uplink
Purpose: Corporate
Network Group: LAN
VLAN: 50
Gateway/Subnet: 192.168.50.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.50.10 - 192.168.50.50
Lease Time: 86400
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
2.7 TKG Management Network (VLAN 100)
Network Configuration:
Name: TKG-Management
Purpose: Corporate
Network Group: LAN
VLAN: 100
Gateway/Subnet: 192.168.100.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.100.50 - 192.168.100.200
Lease Time: 86400
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
2.8 TKG Workload Network (VLAN 110)
Network Configuration:
Name: TKG-Workload
Purpose: Corporate
Network Group: LAN
VLAN: 110
Gateway/Subnet: 192.168.110.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.110.50 - 192.168.110.200
Lease Time: 86400
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
2.9 NUC Management Network (VLAN 200) - Optional
Network Configuration:
Name: NUC-Management
Purpose: Corporate
Network Group: LAN
VLAN: 200
Gateway/Subnet: 192.168.200.1/24
DHCP:
Mode: DHCP Server
DHCP Range: 192.168.200.10 - 192.168.200.50
Lease Time: 3600 (1 hour - short for testing)
Domain Name: lab.markalston.net
Auto Scale Network: Disabled
Step 3: Configure Switch Port Profiles
3.1 Navigate to Profiles
- Settings → Profiles
- Switch Port tab
3.2 Create ESXi Host Profile
Profile Name: ESXi-Host-Trunk
Port Configuration:
Native Network: Management (VLAN 10)
Tagged Networks:
- vMotion (VLAN 20)
- vSAN (VLAN 30)
- NSX-TEP (VLAN 40)
- NSX-Edge-Uplink (VLAN 50)
- TKG-Management (VLAN 100)
- TKG-Workload (VLAN 110)
- NUC-Management (VLAN 200)
Advanced Settings:
Auto PoE: Off
Port Isolation: Off
Storm Control: Enabled (10% broadcast, 10% multicast)
Port Security: Disabled
Native VLAN: 10 (Management)
3.3 Create Management Only Profile
Profile Name: Management-Only
Port Configuration:
Native Network: Management (VLAN 10)
Tagged Networks: None
Advanced Settings:
Auto PoE: Off
Port Isolation: Off
Storm Control: Enabled
3.4 Create Inter-Switch Trunk Profile
Profile Name: Switch-Trunk
Port Configuration:
Native Network: Management (VLAN 10)
Tagged Networks: All Networks
Advanced Settings:
Auto PoE: Off
Port Isolation: Off
Storm Control: Disabled (for trunk links)
STP: Enabled
Step 4: Apply Port Profiles to Physical Ports
4.1 Garage Switch (US-8) Configuration
- Devices → Select Garage Switch
- Ports tab
Port Assignments:
Port 1: Switch-Trunk (Uplink to UXG-Lite)
Port 2: Switch-Trunk (Downlink to USW-Aggregation)
Port 3: Management-Only (Patch panel/infrastructure)
Port 4: Management-Only (Available)
Port 5: Management-Only (Available)
Port 6: Management-Only (Available)
Port 7: Management-Only (Available)
Port 8: Management-Only (Available)
4.2 Office Switch Configuration
4.2a US-8-60W (Intel NUC Cluster Switch)
- Devices → Select US-8-60W
- Ports tab
| Port | PoE Mode | Speed | Connection | Profile | Native VLAN |
|---|---|---|---|---|---|
| 1 | - | GbE | esxi-nuc-01 nic | ESXi-Host-Trunk | Management |
| 2 | - | GbE | esxi-nuc-02 nic | ESXi-Host-Trunk | Management |
| 3 | - | GbE | esxi-nuc-03 nic | ESXi-Host-Trunk | Management |
| 4 | - | GbE | esxi-nuc-01 usbnic | ESXi-Host-Trunk | Management |
| 5 | Off | GbE | esxi-nuc-02 usbnic | ESXi-Host-Trunk | Management |
| 6 | Off | GbE | esxi-nuc-03 usbnic | ESXi-Host-Trunk | Management |
| 7 | PoE | GbE | mikrotik-crs304 | Lab-Trunk | Default |
| 8 | PoE | GbE | Uplink to Garage | Switch-Trunk | Management |
4.2b USW Lite 16 PoE (Management Infrastructure Switch)
- Devices → Select USW Lite 16 PoE
- Ports tab
| Port | PoE Mode | Speed | Connection | Profile | Native VLAN |
|---|---|---|---|---|---|
| 1 | PoE+ | GbE | Uplink to USW 8 60W Garage Switch | Switch-Trunk | Management |
| 2 | Off | GbE | macpro nic | ESXi-Host-Trunk | Management |
| 3 | PoE | GbE | mikrotik-crs304 | Lab-Trunk | Default |
| 4 | Off | GbE | macpro nic | ESXi-Host-Trunk | Management |
| 5 | PoE+ | GbE | carbonite nic2 | Management | Default |
| 6 | Off | GbE | ms-a2-01 vmotion nic | ESXi-Host-Trunk | Management |
| 7 | PoE+ | GbE | carbonite nic1 | Management | Default |
| 8 | Off | GbE | ms-a2-02 vmotion nic | ESXi-Host-Trunk | Management |
| 10 | - | GbE | ms-a2-02 nic | ESXi-Host-Trunk | Management |
| 11 | - | GbE | ms-a2-01 nic | ESXi-Host-Trunk | Management |
| 12 | - | - | Default | | |
| 13 | - | - | Default | | |
| 14 | - | - | Default | | |
| 15 | - | - | Default | | |
| 16 | - | - | Default | | |
4.2c Future USW-Aggregation (10G Core Switch)
When deployed, the USW-Aggregation will be configured as follows:
SFP+ Port Assignments:
SFP+ 1: Switch-Trunk (Uplink to USW Lite 16 PoE)
SFP+ 2: ESXi-Host-Trunk (MS-A2 #1 - 10G)
SFP+ 3: ESXi-Host-Trunk (MS-A2 #2 - 10G)
SFP+ 4: ESXi-Host-Trunk (MS-A2 #3 - 10G)
SFP+ 5: ESXi-Host-Trunk (Future expansion)
SFP+ 6: ESXi-Host-Trunk (Future expansion)
SFP+ 7: ESXi-Host-Trunk (Synology NAS - 10G upgrade)
SFP+ 8: Available
RJ45 Management Port:
Port 1: Management-Only (Direct controller access)
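A cross-check of table 4.2b against the Step 3 profiles, as an added example that is not part of the original guide: it lists ports whose profile name has no definition in Step 3 (so their VLAN exposure is undocumented) and, for the rest, which VLANs each port carries. The helper names `audit_ports` and `ports_carrying` are hypothetical; the data is transcribed from ports 1-8 of the table.

```python
# VLAN IDs from the VLAN Design Summary table.
VLANS = {10, 20, 30, 40, 50, 100, 110, 200}
# Step 3 profiles: name -> (native VLAN, tagged VLANs).
# "All Networks" on Switch-Trunk is expanded to every defined VLAN.
PROFILES = {
    "ESXi-Host-Trunk": (10, {20, 30, 40, 50, 100, 110, 200}),
    "Management-Only": (10, set()),
    "Switch-Trunk":    (10, VLANS - {10}),
}
# Ports 1-8 of table 4.2b (USW Lite 16 PoE): port -> (connection, profile).
PORTS = {
    1: ("Uplink to USW 8 60W Garage Switch", "Switch-Trunk"),
    2: ("macpro nic", "ESXi-Host-Trunk"),
    3: ("mikrotik-crs304", "Lab-Trunk"),
    4: ("macpro nic", "ESXi-Host-Trunk"),
    5: ("carbonite nic2", "Management"),
    6: ("ms-a2-01 vmotion nic", "ESXi-Host-Trunk"),
    7: ("carbonite nic1", "Management"),
    8: ("ms-a2-02 vmotion nic", "ESXi-Host-Trunk"),
}

def audit_ports(ports, profiles, vlans):
    """Return (undefined, reach).

    undefined: port -> profile name that has no definition in `profiles`.
    reach:     port -> sorted VLAN IDs the port can send or receive on.
    """
    undefined, reach = {}, {}
    for port, (_connection, profile) in sorted(ports.items()):
        if profile not in profiles:
            undefined[port] = profile  # exposure of this port is undocumented
            continue
        native, tagged = profiles[profile]
        carried = {native} | tagged
        if not carried <= vlans:
            raise ValueError(f"{profile} references unknown VLANs {carried - vlans}")
        reach[port] = sorted(carried)
    return undefined, reach

def ports_carrying(reach, vlan_id):
    """Ports on which a connected device can reach the given VLAN."""
    return [port for port, carried in reach.items() if vlan_id in carried]

if __name__ == "__main__":
    undefined, reach = audit_ports(PORTS, PROFILES, VLANS)
    print("undefined profiles:", undefined)
    print("ports carrying vSAN (VLAN 30):", ports_carrying(reach, 30))
```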
Step 5: Configure Advanced Switch Settings
5.1 Enable Jumbo Frames (Optional)
For vMotion and storage networks:
- Devices → Select switch
- Settings → Advanced
- Enable Jumbo Frames: Yes (9000 bytes)
5.2 Configure Spanning Tree
- Settings → Networks → Global Switch Settings
- STP Mode: RSTP (Rapid Spanning Tree)
- STP Priority: Default (32768)
5.3 Storm Control Settings
- Settings → Profiles → Switch Ports
- Storm Control:
- Broadcast: 10%
- Multicast: 10%
- Unknown Unicast: 10%
Step 6: Firewall Rules (Optional but Recommended)
6.1 Create Firewall Groups
- Settings → Security → Firewall Groups
ESXi-Hosts Group:
Type: Address/Port Group
Address/Port Group Type: IPv4 Address Group
Group Members:
- 192.168.10.8 (esxi-nuc-01)
- 192.168.10.9 (esxi-nuc-02)
- 192.168.10.10 (esxi-nuc-03)
- 192.168.10.7 (macpro)
Infrastructure Group:
Type: Address/Port Group
Address/Port Group Type: IPv4 Address Group
Group Members:
- 192.168.10.11 (vCenter)
- 192.168.10.15 (NSX Manager)
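Address-based firewall groups like the two above only mean what they say if every member stays in the static range from section 2.2; an address inside the DHCP pool could be leased to any device, which would then match the group. The added example below (not part of the original guide; `audit_plan` and `in_range` are hypothetical helper names) checks that, along with subnet overlap and DHCP-range sanity, using the values from Step 2 and Step 6.1.

```python
import ipaddress as ipa

# Step 2 values: network -> (gateway/subnet, DHCP range or None for static-only)
NETWORKS = {
    "Management":      ("192.168.10.1/24",  ("192.168.10.100", "192.168.10.199")),
    "vMotion":         ("192.168.20.1/24",  None),
    "vSAN":            ("192.168.30.1/24",  None),
    "NSX-TEP":         ("192.168.40.1/24",  ("192.168.40.10", "192.168.40.100")),
    "NSX-Edge-Uplink": ("192.168.50.1/24",  ("192.168.50.10", "192.168.50.50")),
    "TKG-Management":  ("192.168.100.1/24", ("192.168.100.50", "192.168.100.200")),
    "TKG-Workload":    ("192.168.110.1/24", ("192.168.110.50", "192.168.110.200")),
    "NUC-Management":  ("192.168.200.1/24", ("192.168.200.10", "192.168.200.50")),
}
STATIC_RANGE = ("192.168.10.1", "192.168.10.99")   # section 2.2 static reservations
FIREWALL_GROUPS = {                                 # Step 6.1 group members
    "ESXi-Hosts": ["192.168.10.8", "192.168.10.9", "192.168.10.10", "192.168.10.7"],
    "Infrastructure": ["192.168.10.11", "192.168.10.15"],
}

def in_range(addr, bounds):
    """True if addr lies within the inclusive (low, high) address pair."""
    low, high = (ipa.ip_address(b) for b in bounds)
    return low <= ipa.ip_address(addr) <= high

def audit_plan(networks, groups, static_range):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, seen = [], []
    for name, (gateway, pool) in networks.items():
        iface = ipa.ip_interface(gateway)
        findings += [f"{name}: subnet overlaps {other}"
                     for other, net in seen if iface.network.overlaps(net)]
        seen.append((name, iface.network))
        if pool is None:
            continue
        if not all(ipa.ip_address(p) in iface.network for p in pool):
            findings.append(f"{name}: DHCP range leaves {iface.network}")
        if in_range(str(iface.ip), pool):
            findings.append(f"{name}: gateway {iface.ip} is inside the DHCP range")
    mgmt_pool = networks["Management"][1]
    for group, members in groups.items():
        for member in members:
            if in_range(member, mgmt_pool):
                findings.append(f"{group}: {member} is leasable from the DHCP pool")
            elif not in_range(member, static_range):
                findings.append(f"{group}: {member} is outside the static range")
    return findings

if __name__ == "__main__":
    print(audit_plan(NETWORKS, FIREWALL_GROUPS, STATIC_RANGE) or "plan is consistent")
```

Re-run it whenever a group member or DHCP range changes; any finding means a firewall rule may match a device other than the one it was written for.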
6.2 Create Firewall Rules
- Settings → Security → Firewall Rules
Allow vMotion Traffic:
Name: Allow-vMotion
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: All
Source: ESXi-Hosts
Destination: ESXi-Hosts
Source Port: Any
Destination Port: Any
Network: vMotion
Block Inter-VLAN by Default:
Name: Block-Inter-VLAN
Rule Applied: Before Predefined Rules
Action: Drop
IPv4 Protocol: All
Source: Any
Destination: Any
Advanced: Enable Logging
Step 7: Quality of Service (QoS) Configuration
7.1 Create Traffic Rules
- Settings → Security → Traffic & Firewall Rules
Prioritize Management Traffic:
Name: Management-Priority
Description: High priority for ESXi management
Matching Target: Network
Network: Management
Action: Specify DSCP
DSCP: 46 (Expedited Forwarding)
Prioritize vMotion Traffic:
Name: vMotion-Priority
Description: High priority for vMotion
Matching Target: Network
Network: vMotion
Action: Specify DSCP
DSCP: 34 (Assured Forwarding)
Prioritize Storage Traffic:
Name: Storage-Priority
Description: High priority for storage
Matching Target: Network
Network: vSAN
Action: Specify DSCP
DSCP: 26 (Assured Forwarding)
Step 8: Monitoring and Troubleshooting
8.1 Enable Port Statistics
- Devices → Select switch
- Ports → Port Statistics
- Monitor for:
- Dropped packets
- Error rates
- Utilization
8.2 VLAN Verification Commands
From ESXi host:
# Check VLAN configuration
esxcfg-vswitch -l
# Test connectivity
vmkping -I vmk1 192.168.20.9 # vMotion test
vmkping -I vmk2 192.168.30.9 # Storage test
From UniFi Controller:
- Devices → Switch → Events
- Look for VLAN-related messages
- Check port link status
8.3 Common Issues and Solutions
No Connectivity After VLAN Configuration:
- Verify native VLAN matches ESXi management
- Check trunk port configuration
- Confirm switch port profile applied correctly
vMotion Failures:
- Verify VLAN 20 on both source and destination hosts
- Check VMkernel adapter configuration
- Test with vmkping
Slow Performance:
- Enable jumbo frames end-to-end
- Check for duplex mismatches
- Monitor switch utilization
Step 9: Validation Checklist
- All networks created in controller
- Port profiles configured correctly
- ESXi ports assigned to trunk profile
- Native VLAN set to Management (10)
- All required VLANs tagged on ESXi ports
- Firewall rules configured (optional)
- QoS policies applied (optional)
- Port statistics monitoring enabled
- ESXi hosts can reach gateway on VLAN 10
- Inter-VLAN routing working where needed
Step 10: Documentation
10.1 Record Configuration
Document the following for future reference:
Switch Configuration Summary:
Controller: unifi.ui.com
Site: [Your Site Name]
Networks Created: 8
- Management (VLAN 10) - Native
- vMotion (VLAN 20)
- vSAN (VLAN 30)
- NSX-TEP (VLAN 40)
- NSX-Edge-Uplink (VLAN 50)
- TKG-Management (VLAN 100)
- TKG-Workload (VLAN 110)
- NUC-Management (VLAN 200)
Port Profiles Created: 4
- ESXi-Host-Trunk (Native VLAN 10, Tagged: 20,30,40,50,100,110,200)
- Management-Only (Native VLAN 10, No tags)
- Switch-Trunk (Native VLAN 10, All VLANs tagged)
- Default (Native VLAN 1, No tags)
Physical Port Assignments:
Garage US-8:
Port 1: Uplink to UXG-Lite (Switch-Trunk)
Port 2: Downlink to USW Lite 16 PoE (Switch-Trunk)
Office US-8-60W (NUC Cluster):
Port 1: Uplink to USW Lite 16 PoE (Switch-Trunk)
Port 2: esxi-nuc-01 (ESXi-Host-Trunk)
Port 3: esxi-nuc-02 (ESXi-Host-Trunk)
Port 4: esxi-nuc-03 (ESXi-Host-Trunk)
Office USW Lite 16 PoE (Management Infrastructure):
Port 1: Uplink to US-8-60W (Switch-Trunk)
Port 2: Mac Pro NIC 2 (ESXi-Host-Trunk)
Port 3: Reserved MS-A2 #1 (ESXi-Host-Trunk)
Port 4: Mac Pro NIC 1 (Management-Only)
Port 5: Carbonite NIC 1 (Management-Only)
Port 6: Reserved MS-A2 #2 (ESXi-Host-Trunk)
Port 7: Carbonite NIC 2 (Management-Only)
Port 8: Reserved MS-A2 #3 (ESXi-Host-Trunk)
Port 16: UAP-AC-Lite (ESXi-Host-Trunk)
Future USW-Aggregation (10G Core):
SFP+ 1: Uplink to USW Lite 16 PoE (Switch-Trunk)
SFP+ 2-4: MS-A2 hosts (ESXi-Host-Trunk)
SFP+ 7: Synology NAS 10G upgrade (ESXi-Host-Trunk)
10.2 Configuration Backup
- Settings → System → Backup
- Download Backup
- Store backup file securely
- Schedule regular backups
Next Steps
After UniFi switch configuration:
- Configure ESXi Distributed Switch: Create DVS in vCenter with matching VLANs
- Test Network Connectivity: Verify all VLANs work correctly
- Deploy NSX-T: Use configured Edge Uplink network
- Set Up TKG: Leverage dedicated management and workload networks
Related Documentation
- VLAN Configuration Guide - Overall VLAN design
- vCenter Initial Configuration - DVS setup
- ESXi Installation Guide - Host preparation
Important Notes:
- Always test configuration changes in a lab environment first
- Keep native VLAN (10) untagged for ESXi management simplicity
- Document all changes for troubleshooting and future reference
- Consider enabling port-level monitoring for performance analysis