proxmox/docs/04-configuration/UDM_PRO_PORT_PROFILES_GUIDE.md

UDM Pro Port Profiles Configuration Guide

Last Updated: 2025-01-20
Status: Manual Configuration Required

---

Overview

This guide provides instructions for configuring port profiles on the UDM Pro for VLAN trunking and access ports. Port profiles define how switch ports handle VLAN traffic (tagged/untagged, native VLAN, etc.).

---

Port Profile Types

1. Trunk Port Profiles (802.1Q)

Trunk ports carry multiple VLANs using 802.1Q tagging. Used for:

• Proxmox host uplinks
• Switch-to-switch connections
• Devices that need access to multiple VLANs

2. Access Port Profiles

Access ports carry a single VLAN (untagged). Used for:

• End devices (computers, servers on single VLAN)
• Management devices
• Simple network connections

---

Configuration Steps

Accessing Port Profiles

1. Access UniFi Network Web Interface:

   • Open browser: https://192.168.0.1
   • Log in with admin credentials

2. Navigate to Port Profiles:

   • Go to Settings → Profiles → Port Profiles
   • Or: Settings → Switching → Port Profiles
   • Or: Devices → Select switch → Ports → Port Profiles

---

Trunk Port Profile Configuration

Creating a Trunk Port Profile for All VLANs

1. Create New Profile:

   • Click Create New Port Profile or Add Profile
   • Name: All-VLANs-Trunk or Service-VLANs-Trunk

2. Configure VLAN Settings:

   • Native Network/VLAN: MGMT-LAN (VLAN 11)
   • Tagged Networks/VLANs: Add all service VLANs:
     • VLAN 11 (MGMT-LAN)
     • VLAN 110 (BESU-VAL)
     • VLAN 111 (BESU-SEN)
     • VLAN 112 (BESU-RPC)
     • VLAN 120 (BLOCKSCOUT)
     • VLAN 121 (CACTI)
     • VLAN 130 (CCIP-OPS)
     • VLAN 132 (CCIP-COMMIT)
     • VLAN 133 (CCIP-EXEC)
     • VLAN 134 (CCIP-RMN)
     • VLAN 140 (FABRIC)
     • VLAN 141 (FIREFLY)
     • VLAN 150 (INDY)
     • VLAN 160 (SANKOFA-SVC)
     • VLAN 200 (PHX-SOV-SMOM)
     • VLAN 201 (PHX-SOV-ICCC)
     • VLAN 202 (PHX-SOV-DBIS)
     • VLAN 203 (PHX-SOV-AR)

3. Advanced Settings:

   • 802.1X: Disabled (unless using port-based authentication)
   • STP: Enabled (recommended)
   • Port Isolation: Disabled (for trunk ports)

4. Save Profile:

   • Click Apply or Save
   • Verify profile is created

---

Access Port Profile Configuration

Creating Access Port Profiles

Management VLAN Access Port

1. Create Profile:

   • Name: MGMT-LAN-Access
   • Native Network/VLAN: MGMT-LAN (VLAN 11)
   • Tagged Networks: None (access port, single VLAN)
   • Port Mode: Access

2. Use Cases:

   • Management devices
   • Administrative workstations
   • Devices that only need management network access

Service VLAN Access Ports (as needed)

Create separate access port profiles for each service VLAN if needed:

• Name: [VLAN-NAME]-Access (e.g., BESU-VAL-Access)
• Native Network/VLAN: The specific service VLAN
• Tagged Networks: None

---

Applying Port Profiles to Switch Ports

Method 1: Per-Port Configuration

1. Access Switch Configuration:

   • Go to Devices
   • Select the switch (UDM Pro or UniFi Switch)
   • Click on Ports tab

2. Configure Each Port:

   • Click on the port number
   • Select Port Profile: Choose the appropriate profile
     • Proxmox uplinks: Use All-VLANs-Trunk
     • Management devices: Use MGMT-LAN-Access
     • Service devices: Use appropriate access profile

3. Save Configuration:

   • Click Apply Changes
   • Port will be reconfigured

Method 2: Bulk Port Configuration

1. Select Multiple Ports:

   • In switch port view, select multiple ports (checkbox)
   • Use Shift+Click or Ctrl+Click for multiple selection

2. Apply Profile:

   • Select port profile from dropdown
   • Click Apply or Apply to Selected

---

Port Profile for Proxmox Hosts

Recommended Configuration

Uplink Ports (Proxmox → UDM Pro/Switch):

• Profile: All-VLANs-Trunk (or custom trunk profile)
• Native VLAN: VLAN 11 (MGMT-LAN)
• Tagged VLANs: All service VLANs (110-203)
• Port Speed: Auto or 1G/10G (match interface capability)

Proxmox Bridge Configuration

On Proxmox hosts, configure Linux bridges with VLAN tags:

• vmbr0: Native VLAN (VLAN 11) - Management
• vmbr110: VLAN 110 (BESU-VAL)
• vmbr111: VLAN 111 (BESU-SEN)
• etc.

---

Verification

Verify Port Profile Configuration

1. Check Port Status:

   • Go to Devices → Switch → Ports
   • Verify port profile is assigned
   • Check port status (connected, speed, VLAN info)

2. Test Connectivity:

   • Test connectivity from devices on different VLANs
   • Verify trunk ports carry multiple VLANs
   • Verify access ports only carry single VLAN

3. Check VLAN Traffic:

   • Use network monitoring tools
   • Verify tagged/untagged traffic as expected
   • Check VLAN tags on trunk ports

---

Port Profile Best Practices

Trunk Ports

• Native VLAN: Use management VLAN (VLAN 11) for consistency
• Tagged VLANs: Include all VLANs needed by connected device
• STP: Enable Spanning Tree Protocol (prevents loops)
• Port Security: Consider port security if needed

Access Ports

• Single VLAN: Only assign one VLAN per access port
• Native VLAN: Set to the desired access VLAN
• No Tagged VLANs: Access ports should not have tagged VLANs
• Port Security: Enable if needed to limit MAC addresses

---

Troubleshooting

Port Not Working

• Verify port profile is assigned
• Check port is enabled
• Verify physical connection
• Check port speed/duplex settings
• Review port statistics for errors

VLAN Traffic Not Passing

• Verify VLANs are included in trunk port profile
• Check VLAN tags are correct
• Verify devices are configured for VLAN tagging
• Check firewall rules aren't blocking traffic
• Review switch logs for VLAN-related errors

Native VLAN Mismatch

• Ensure native VLAN matches on both ends of connection
• Verify native VLAN is configured correctly
• Check for VLAN ID mismatches

---

Related Documentation

• UDM_PRO_STATUS.md - Configuration status
• UDM_PRO_CONFIGURATION_CHECKLIST.md - Complete checklist

---

Last Updated: 2025-01-20