2260/2360 and UNP's

Good day

I have a customer running on 20 ALE switches with a mixture of 2260 and 2360 running UNP’s for Data VLAN 10, Voice VLAN 869 and WLAN AP’s VLAN 100 with multiple VLAN’s for the WLAN SSID’s. I have a problem where there are Ubiquiti Unifi AP’s connected and placed into VLAN 100 via a UNP OUI which is working, but the problem is that there are often users connecting to the WLAN who get “Blocked” by the switch, while some users connect with no issue. Is there anyone who has experienced this or might know what the cause is? I will paste my UNP config below as well as the output of the command “show unp user” where the switch is blocking users.

! DA-UNP:
unp profile "Data-10"
unp profile "Voice-869"
unp profile "Maytex_WLAN"
unp profile "defaultWLANProfile"
unp profile "Data-10" map vlan 10
unp profile "Voice-869" map vlan 869
unp profile "Maytex_WLAN" map vlan 100
unp profile "defaultWLANProfile" map vlan 1
unp port-template DataTemplate direction both default-profile "Data-10" classification ap-mode admin-state enable
unp port 1/1/1-44 port-type bridge
unp port 1/1/1-44 port-template DataTemplate
unp classification mac-oui 60:22:32 profile1 "Maytex_WLAN"
unp classification lldp med-endpoint ip-phone profile1 "Voice-869"

Port Username Mac address IP Vlan Profile Type Status
-------+--------------------+-----------------+---------------+----+--------------------------------+------------+-----------
1/1/1 24:9a:d8:a6:63:bc 24:9a:d8:a6:63:bc 192.168.105.50 869 Voice-869 Bridge Active
1/1/2 60:22:32:7e:a2:81 60:22:32:7e:a2:81 - 70 - Bridge Block
1/1/2 60:22:32:7e:a2:81 60:22:32:7e:a2:81 10.0.100.4 100 Maytex_WLAN Bridge Active
1/1/2 d4:0a:dc:51:6d:99 d4:0a:dc:51:6d:99 - 70 - Bridge Block
1/1/3 2c:0e:3d:9d:4d:bb 2c:0e:3d:9d:4d:bb - 81 - Bridge Active
1/1/3 60:22:32:6e:93:3c 60:22:32:6e:93:3c 10.0.100.5 100 Maytex_WLAN Bridge Active
1/1/3 d2:51:9a:01:87:45 d2:51:9a:01:87:45 10.0.12.50 50 - Bridge Active
1/1/3 dc:21:5c:06:51:df dc:21:5c:06:51:df 10.0.12.92 50 - Bridge Active
1/1/3 f2:29:f2:80:da:84 f2:29:f2:80:da:84 10.0.12.81 50 - Bridge Active
1/1/4 38:fc:98:10:9e:c9 38:fc:98:10:9e:c9 10.0.12.102 50 - Bridge Active
1/1/4 60:22:32:7e:86:55 60:22:32:7e:86:55 10.0.100.3 100 Maytex_WLAN Bridge Active
1/1/4 8a:35:5e:14:1a:03 8a:35:5e:14:1a:03 10.0.13.68 70 - Bridge Active
1/1/4 92:b0:8d:ba:f6:32 92:b0:8d:ba:f6:32 10.0.12.82 50 - Bridge Active
1/1/5 60:22:32:85:7d:c5 60:22:32:85:7d:c5 10.0.100.2 100 Maytex_WLAN Bridge Active
1/1/7 6c:0b:5e:56:ab:30 6c:0b:5e:56:ab:30 10.0.8.254 10 Data-10 Bridge Active
1/1/13 44:8a:5b:b5:bc:29 44:8a:5b:b5:bc:29 10.0.8.211 10 Data-10 Bridge Active
1/1/15 44:db:d2:42:5d:10 44:db:d2:42:5d:10 192.168.105.58 869 Voice-869 Bridge Active
1/1/15 64:00:6a:46:46:5b 64:00:6a:46:46:5b 10.0.8.238 10 Data-10 Bridge Active
1/1/16 24:9a:d8:95:fc:a1 24:9a:d8:95:fc:a1 192.168.105.61 869 Voice-869 Bridge Active
1/1/16 e0:70:ea:d9:f4:27 e0:70:ea:d9:f4:27 10.0.8.236 10 Data-10 Bridge Active
1/1/17 24:9a:d8:91:db:aa 24:9a:d8:91:db:aa 192.168.105.54 869 Voice-869 Bridge Active
1/1/17 d8:9e:f3:9b:7d:fb d8:9e:f3:9b:7d:fb 10.0.8.218 10 Data-10 Bridge Active
1/1/18 24:9a:d8:86:3d:fe 24:9a:d8:86:3d:fe 192.168.105.60 869 Voice-869 Bridge Active
1/1/18 c0:25:a5:9b:48:e1 c0:25:a5:9b:48:e1 10.0.8.248 10 Data-10 Bridge Active
1/1/23 00:17:c8:9f:4d:bb 00:17:c8:9f:4d:bb 10.0.8.20 10 Data-10 Bridge Active
1/1/24 00:24:9b:4f:4a:20 00:24:9b:4f:4a:20 10.0.8.253 10 Data-10 Bridge Active
1/1/43 04:03:12:19:8d:5b 04:03:12:19:8d:5b 10.0.8.242 10 Data-10 Bridge Active
1/1/44 e0:2e:fe:56:ee:53 e0:2e:fe:56:ee:53 10.0.8.209 10 Data-10 Bridge Active

Total users : 28

What are vlan 50 70 and 81? SSID tagged vlans?
Also, according to your print, only vlan 70 has devices that get blocked.
What’s different for vlan 70 from the other 2 vlans?

Good day, yes VLAN 50, 60, 70, 80 and 81 are tagged VLANs, each one belonging to an SSID. It’s not only VLAN 70 that gets blocked; it’s different for every switch which users are getting blocked. One day it works perfectly, the next day 90% of users get blocked. I don’t understand what can cause this. I had to remove the UNP on the AP ports as the customer got really upset. Now the AP ports are configured statically.

Try declaring them on the switch:

unp profile "something-50"
unp profile "something-50" map vlan 50
etc etc for 60 70 80 81

Does that make a difference?

And if it doesn’t, try adding this to see if it makes any difference:
unp classification vlan-tag 50 profile1 "something-50"

But I’m curious, if you are able to solve it, which part of this solves it. Do update us!

I have tried unp profile "something-50" with unp profile "something-50" map vlan 50 and it made no difference. When you do a show unp user profile it shows it does not even look at that configuration. I will however try unp classification vlan-tag 50 profile1 "something-50" and keep you posted.

no unp port ‘port-number’ ap-mode may help, as ap-mode is meant for Stellar APs.

ap-mode is enabled and unp profile “defaultWLANProfile” is more meant for Stellar APs

You are not using Stellar APs, right? So try to disable it and give it a try.

Yes, I am not using Stellar APs, the customer is using Ubiquiti AP’s. Sorry, I don’t understand, what must I disable?

Try to disable ap-mode in the configuration:

unp profile "defaultWLANProfile" map vlan 1
unp port-template DataTemplate direction both default-profile "Data-10" classification ap-mode admin-state enable

If I disable AP mode the SSID’s on the Wifi will not work when using UNP configuration for the AP’s

I did not understand why disabling AP-mode will impact SSIDs.

And did you try my other idea? Did it affect anything?

unp classification vlan-tag 50 profile1 "something-50"

Hi, yes I did try that config and when you do a “show unp user details” you can see that it does not look at that config when the user is connected to a SSID, under profile details its just blank.

From my experience, the ‘blank’ profile means that this host was assigned to a vlan via ‘ap-mode’, therefore the tagged traffic cannot be classified via the rule I suggested as ap-mode takes precedence over it.
The problem is that ap-mode is designed with Stellar in mind and might cause some issues with other APs.
My last idea is to still use unp classification vlan-tag 50 profile1 "something-50" but remove the ap-mode. If everything goes according to plan, the AP gets assigned to whatever vlan you want via its MAC address (mac-oui 60:22:32), and then whatever tagged traffic comes into that port gets classified via the ‘vlan-tag’ command.
If this doesn’t work, then no more ideas from my end.
Let me know as this will be useful information for future customers as well!
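
An added example (not from the thread or from ALE): a Python script that parses "show unp user" output in the column layout posted above, counts per VLAN the users that have no profile (the blank-profile case discussed above) and how many of them are blocked, and emits the "unp profile" / "unp classification vlan-tag" lines suggested in the thread for those VLANs. The "SSID-<vlan>" profile names and the function names are hypothetical, and usernames are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# A few rows copied from the "show unp user" output posted above.
SAMPLE = """\
1/1/2 60:22:32:7e:a2:81 60:22:32:7e:a2:81 - 70 - Bridge Block
1/1/2 60:22:32:7e:a2:81 60:22:32:7e:a2:81 10.0.100.4 100 Maytex_WLAN Bridge Active
1/1/2 d4:0a:dc:51:6d:99 d4:0a:dc:51:6d:99 - 70 - Bridge Block
1/1/3 d2:51:9a:01:87:45 d2:51:9a:01:87:45 10.0.12.50 50 - Bridge Active
1/1/7 6c:0b:5e:56:ab:30 6c:0b:5e:56:ab:30 10.0.8.254 10 Data-10 Bridge Active
Total users : 5
"""

# Port, Username, MAC, IP, VLAN, Profile, Type, Status
ROW = re.compile(r"^(\d+/\d+/\d+)\s+(\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
                 r"\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)

def parse_unp_users(text):
    """Return one dict per user row; header, separator and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, _user, mac, _ip, vlan, profile, _type, status = m.groups()
            rows.append({"port": port, "mac": mac, "vlan": int(vlan),
                         "profile": None if profile == "-" else profile,
                         "status": status})
    return rows

def audit_unprofiled(rows):
    """Per VLAN: users with a blank profile, how many are blocked, which ports."""
    summary = defaultdict(lambda: {"no_profile": 0, "blocked": 0, "ports": set()})
    for r in rows:
        if r["profile"] is None:
            entry = summary[r["vlan"]]
            entry["no_profile"] += 1
            entry["blocked"] += r["status"] == "Block"
            entry["ports"].add(r["port"])
    return dict(summary)

def suggested_rules(summary, prefix="SSID"):
    """Config lines in the form suggested in the thread (profile names hypothetical)."""
    lines = []
    for vlan in sorted(summary):
        name = f"{prefix}-{vlan}"
        lines += [f'unp profile "{name}"', f'unp profile "{name}" map vlan {vlan}',
                  f'unp classification vlan-tag {vlan} profile1 "{name}"']
    return lines

if __name__ == "__main__":
    report = audit_unprofiled(parse_unp_users(SAMPLE))
    for vlan, info in sorted(report.items()):
        print(vlan, info["no_profile"], info["blocked"], sorted(info["ports"]))
    print("\n".join(suggested_rules(report)))
```
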

Now that is clever, never thought of that, thanks buddy I will try your suggestion. Wow thank you

Tested the config in my lab and it seems to be working so I guess this will be the process for non ALE WiFi AP’s. Thank you so much for a brilliant idea.

Thanks for letting me know. This was a good learning exercise for me as well!

If a Guest SSID has a Captive Portal, do I need to configure anything extra within the unp profile to assist the Captive Portal?

I wouldn’t think so, no, nothing comes to mind.