Friday 3 June 2016

Enabling VLAN assignment on Ubiquiti UniFi-IW APs

Whilst I've had a fair number of fairly serious headaches when it comes to the deployment of Ubiquiti's UniFi wireless system since term began, sometimes, progress is made, and features they've long promised start to materialise.

They recently released the official new V5.x line of controller software, and an update to the firmware of the Cloud Key controller, to v0.5.0. After waiting a few days and hearing not much wailing and gnashing of teeth on the UNBT forums, I took the plunge to upgrade this morning, which didn't go smoothly (a tale for another time and place). Generally, the AP firmware is full of holes (800+ posts on a thread is not a good sign), so you sort of have to live at or uncomfortably close to the bleeding edge to keep your "customers" happy with these products. Or, you know, pick another platform (at far higher cost).

Anyway...

One of the things this new v5.x line of controller software does is properly enable VLAN control/assignment of/to the front ethernet ports on the UniFi UAP-IW, which is a neat little gadget that combines a basic enterprise 2.4GHz wireless AP with two wired Ethernet sockets, one of which features passthrough PoE. This makes it ideal for either very high density deployments (like in hotel rooms, and in our context, boarding houses) or in "edge" areas you're trying to serve at relatively low cost, but in a fairly feature-rich way.

Ubiquiti UniFi AP IW. Picture from https://www.ubnt.com/unifi/unifi-ap-wall/


These gadgets will enable you to provide, for example, a boarding school house person with a 2.4GHz wireless connection, a PoE powered VOIP phone and a network connection for a wired ethernet device. About the only downsides are a) they're limited to 100Mb/s, and b) they're deep enough - once you've got an ethernet flylead plugged in the back - not to really fit into standard wall boxes (at least around these parts) and c) no 5GHz radios. If it's mounted into an actual wall, you could probably hollow out a little more masonry at the back and have a great time installing loads of them, or you might add another "sticking out of the wall" box over a sunk into the wall box. And you can probably live without 5GHz in the odd spot, and for a few users, 100Mb/s is enough.

The other downside is that 50% of the devices of this type I've seen totally kill UniFi wireless AP networks (when your sample size is n=2, and one of them is really buggered, that's not a particularly surprising percentage!) - that sort of misbehaviour seems to be quite unusual.

Now, with the latest software, they actually allow you to control the VLAN assignment per port, and not just use whatever untagged VLAN you throw at the input port at the back. In other words, they become actually useful in an enterprise network, and will finally fulfill what I ordered them for (the house person exercise above).

Of course, this isn't well documented (or perhaps, they've done silly things like bury it in a PDF manual, but I can't find it). So, let's WABM it...!



Howto: Enabling custom VLAN assignments on a Ubiquiti UniFi UAP-IW

Firstly, make sure the VLANs you want to assign are defined in the UniFi controller under Settings>Networks:
Define each VLAN you want to deploy to your UniFi network.
In the example above, you'll see I've added our voice VLAN, whose VLAN ID is 319; many enterprise would have a voice VLAN per building (in the same way as you normally have a subnet per workgroup in a building); we don't have many VOIP phones yet, in part because before my arrival, the school opted for a horridly expensive Avaya IP Office system. You can always add more with the Create New Network button at the bottom; you'll probably generally only want "VLAN Only" types. You should also make sure you define your Management VLAN, even if you have previously not due to using untagged ports on that VLAN to reach the APs (tagged trunk management is a new thing in UniFi!).

Next, you're probably going to want to make sure that the access point knows which VLAN it should be using for management traffic (so you can then tag it, and hopefully not end up with clients trying to connect). Select the AP in the Device view of the UniFi controller software, click on the Configuration tab; expand Services; Enable the port VLAN by ticking the box and select the correct wireless management VLAN you have defined in the previous step; save your changes:
Set up the management VLAN on the UAP-IW

 Next, you want to assign the right VLAN to the ports on the front of the unit. Under the rather sensibly labelled "ports" tab of the AP device view, you can click on the pencil icon to edit the settings for each port, as you want them.
Click on the pencil icons to edit the VLAN assignment for each of the two ports.
You can rename them if you wish, but be consistent with what the front panel says to avoid confusion.
Once you've edited both ports appropriately, click Apply Changes and the controller will provision the changes to the device.

Editing the port VLAN assignment
Above, you can seem me editing the second port; the first port is very similar.
Port Name at the top, select the relevant VLAN from your defined network(s)
Click Apply
Click Apply Changes. 
Finally, test to make sure it does what you expect. Our only UAP-IW lives in a houseperson's flat, so I've not personally tested to see it work as expected, but it ought to. We have another one, but it seems to have a low-level bug that causes the entire UniFi network to fall over. So I'm not terribly excited to plug it in again. We have 6 more on back-order, which we may receive next week, so perhaps I'll get to testing them and report back here in due course.

It presumably goes without saying that you need to ensure that the VLANs you're trying to use need to be correctly configured on the access switch port your UAP-IW is connected to. It can be a fully tagged trunk once your UAP-IW has been configured with a management VLAN.

What's missing

One thing that would be nice to know is if we could have a mechanism to enable 2 (or more) VLANs on the front port - one (or more) tagged, and one untagged, to the front ports (particularly the PoE one) - this would neatly help you to ensure for example that only VOIP phones end up on your VOIP subnet; you can then use industry standard mechanisms (like LLDP or DHCP options) that VOIP phones typically use to get on the voice VLAN whilst passing client subnet traffic to a client sitting behind them (or to automagically serve clients that happen to plug into a VOIP phone enabled port whilst staying clear of the VOIP subnet). People LOOOOVE to just mess around with cables and plug things in the wrong place. (Of course, NAC is probably the long term answer; in the short term, do not have promiscuous DHCP on your voice VLAN [or wifi management VLAN] and manually add VOIP phone and AP MAC addresses to the relevant DHCP server scope as you add such devices to the network). As Ubiquiti make a line of VOIP phones, you'd have thought this would be "a no brainer" to implement in their own gear presumably aimed at similar markets. This page discusses some voice VLAN architecture decisions.

It would also be clever if they labelled the ports "VOIP Phone ONLY" and "Laptop" instead of PoE OUT + DATA and DATA, but that's a minor cosmetic issue (which you can fix with a label maker...), or even a little "window" slot for you to insert your own port label.

Finally, they should ultimately allow VLAN assignment to the ports via RADIUS, ideally allowing for a 802.1x through a NAC like PacketFence to control what VLAN a given device is assigned to, depending on the user who plugs a device into that port.

A Caveat

The UAP-IW - at least the versions I've seen - are not fully compliant with the published PoE standards. The specs say you should accept either Mode A or Mode B - experience shows the IW only supports Mode A - and the vast majority of my PoE injectors are Mode B. You'll have no issues powering them, provided you have things that provide Mode A PoE - like Ubiquiti's own switches, or certain PoE injectors. Read the specs carefully. If your device won't power up, suspect this.

2 comments:

  1. Incidentally, if you connect non-PoE device to the PoE front jack, it will turn the UAP-IW off (because they don't seprately negotiate PoE to the device, they just pass through some of the PoE from the switch/injector). This is to protect non-PoE devices.

    So make sure people with access to these understand how they work....

    https://help.ubnt.com/hc/en-us/articles/214120788-UniFi-My-UAP-IW-isn-t-working

    ReplyDelete
  2. Also, UBNT have released and AC version now (only currently intermittently available through the beta store for US customers) - probably worth holding out for those...!
    https://community.ubnt.com/t5/UniFi-Beta-Blog/UAP-AC-IW-Available-NOW-Beta-Store-Again/ba-p/1819345

    ReplyDelete