Port profiles in UniFi network devices are centralized configuration templates that simplify network management by letting administrators apply consistent settings to multiple switch ports at once, including port mode (uplink, edge), VLAN assignments, and STP configuration. The STP Edge feature specifically prevents client-facing ports from being incorrectly blocked by STP, which is particularly important for devices like Wi-Fi access points and cameras that may broadcast traffic and trigger false loop detection.
Finally Fixed: UniFi Port Profiles
All right, how's it going everyone? So, after the UniFi network update 10.4.57, you really should be using port profiles.
This update brought a lot of great features to port profiles, and also updated the way STP and RSTP work, by using STP edge and really locking out that issue that you would see sometimes on larger deployments where random ports would keep getting blocked via STP, even though they should not have been.
And so, with this fix, you now set up your client down facing ports to use STP edge, so they will not be flagged as accidentally causing STP loops, and keep getting random devices like Apple TVs or Wi-Fi access points blocked in an endless cycle. You can do this without port profiles, but it is so much easier to do with port profiles, and now I really think most people who are using VLANs in any kind of complex network deployment with UniFi should immediately just go straight to port profiles, because they make it so much easier to manage everything, and update your deployment without having to go in and remember how every single thing is configured, and update tons of ports manually. So, in this tutorial, we're going to go over kind of a full guide to setting up port profiles, and deploying them for a fairly moderate deployment that I've got right here that symbolizes a larger one. If you've got security camera VLANs, Wi-Fi access points, clients, servers, all those kinds of things, we're going to build out a full port profile deployment so that everything is all managed, and all you have to do is put what end device that port is plugged into, and automatically has all the proper configurations made to it.
Then later on, when there's a new update and new features come out that you want to apply to specific clients, you don't have to revisit those ports.
You update it all in one place. And as I said at the top of this video, a lot of this came from the update to the way STP works in UniFi, and this is a very welcome change. Without going too far into depth, STP and RSTP are protocols designed to prevent network loops, and also actually allow redundancy for network connections. So, instead of using things like link aggregation for redundant links that only work under stack switches or to the same switch, you can use STP or the newer RSTP to create intentional loops in your network.
So, you can have all of your core switches connected to one another, and normally this would cause a thing called a network loop, which will destroy your entire network in a matter of minutes normally, as traffic is just forwarded continuously and amplifies out. But, with RSTP, it will detect that and disable that port. And then, if all of a sudden another switch goes down, now it knows that this port is open and in use, and now it will automatically open that port back on up. So, now you got a redundant capability without having to use the more complex protocols that have come out now. But, one issue with it is newer devices will sometimes broadcast Wi-Fi and wired Ethernet, making them look like there's a network loop even when there's not. And so, this was a major issue, and for certain deployments, I was actually just fully disabling STP altogether to keep it from causing all these blocks.
But, now with this update, it resolves all of them and it's so much easier when you use it with client profiles.
UniFi also has this very great help article. I'm going to leave a link down in the description below to it that covers how RSTP and STP now work, as well as how they work with this new thing called STP Edge, which is designed for those client-facing ports, which should not be considered for STP topology changes, but still may accidentally cause a loop. So, they've got this STP Edge, which should hopefully solve that problem. And so, we're going to go over deploying this on this deployment right here. And I'll leave a link down in the description below to this article. And if people are interested, I will do a full video on STP and actually deploying it because I am now planning on using it in my network for some redundancy. And so, if you're interested in that, leave a comment down below. But, definitely check out this help article as it really helps clarify a lot of these things. And so, now we're going to go through and set up a full port profile deployment for this UniFi demo network.
As you can see, it's fairly simple right now, but we still have all the VLANs built out and it's got all the critical components here to showing you how you want to set up port profiles so that way you can customize it to exactly your deployment. Okay, so first off, what are port profiles?
And probably the easiest way to show port profiles is to come in over here and actually show them.
You can find them under the network section over here.
And these right here are our port profiles. Essentially, you'll see right here, you have all the settings you can apply to all of your switch ports all in one place. And the way this works is instead of having to redundantly set every single one of your ports to the exact same settings, instead what you do is you go through and you create these profiles and now you assign every single one of your switch ports to one of these profiles and that way you can update them all at once, you can control them all at once, and you don't have to repeat yourself.
You don't have that case where, "Oh, I set this up 3 years ago and best practices change and I forgot to change it for this port."
No, instead you have all of your ports set up with port profiles and now when those best practices change, your deployments change, something changes, you can update it all in one location and you have a consistent deployment across everything.
And especially with this new STP Edge, it's really now the time to just go ahead and do it because you can do it once and now you are set.
So, a really key part of port profiles is really what I'd say three different things.
First, the port mode.
Uplink means you're hooking up to another switch.
Edge means it is a client facing device.
The next one is going to be your VLAN settings. This is by far the most common thing you're going to be changing because the reason you're using these ports is to assign them to different VLANs.
So, you can have your guest, cameras, whatever you've got set up here.
And also setting up the tagged VLAN management.
Then lastly, there are our advanced settings.
Especially if you're in the kind of pro AV space, these are really critical so you can have everything running in one location. And another thing to commonly turn off is flow control if you do not need it. But we're going to go through and actually customize all of our port profiles for exactly what we would want to deploy. So, before we go through and set this up, let's look at our VLANs. So, this is a demo server that I've had for a while and you can see right here I've got a few VLANs.
Default, which is what we're going to be using for all of our networking gear, cameras, which is going to be for both cameras as well as if we've got like door access with UniFi access, office, which is where we're going to be putting all of our office computers, servers, a different VLAN for protection. So, all the servers that are running will be on there. And really you could have multiple of them.
And finally, guest. Don't worry about this cross connect one, this was for another demo. So, normally without port profiles, if I was getting a device to plug into one of these switches, I would come in and I would go to the switch port that it's being plugged into and I would choose some settings. I'd come in right here. I would say, "Hey, this is going to be on X, Y, and Z VLAN.
I'm going to block all and assign it to each one of them." Instead, we're going to want every single one of our port profiles, for the most part, to just be under right here. So, now every single one of our switch ports is just configured with a profile. You may have custom one-offs, and that's okay. You don't have to have 100% of your port profile set here. But, anything you're doing more than two or three times, you'll probably just want to do with a port profile, as it's just self-documenting as well. So, now let's go in and let's start setting these guys on up, and let's talk about what clients we're going to have.
So, the very first port profile I will always create is networking gear.
You can call it networking gear, networking uplink. So, this is going to be the one for every single one of your switches, at least all of your managed switches. If you have unmanaged switches, non-UniFi switches, just dumb switches, it may be worth creating a separate one, depending on how you want to manage the VLANs, because if you are going through an unmanaged switch, you're going to want to pass the single VLAN that you want through it and block all other VLANs. But, for this networking uplink, this is going to be the profile we use every single time we're hooking up between two UniFi switches, and it's going to be on both sides. So, with this connection right here, I'll apply it to both places, that way they're speaking the same language.
In general, you will want to choose your native VLAN, probably to be the default VLAN one, as the primary VLAN through it. It keeps it much simpler, and you will allow all. That's because you want all VLANs to be able to traverse to all of your switches. You may have a custom case where you need to not have that, but in the vast majority of cases, you trust your switches to handle all the VLANs you want them to. Then, we want to come in here and set up a few things.
The biggest one is, if you want to, you can set them as STP uplinks.
If you are going to do that, you only want STP uplinks on your non-root switch. So, essentially, this would be anybody who's hooking up to a higher port.
Here, we're going to keep it simpler.
We're going to assume you've got a small deployment. If you've got a very massive deployment, to really optimize our STP, you will use these STP uplinks on all your kind of client switches, so they know which ports to look at.
But, for something that will work for just about everybody, we want STP on.
You may want flow control on, but that is kind of a network level question. And the nice thing about this is, you can update this later on, and everything will change.
We're going to allow all of our VLANs, and we're going to make this an uplink.
And now, we're going to go ahead and just apply that. So, that's what we're going to use anytime we're going in between two switches or two pieces of networking gear, as well as what we hook up to our router.
The next thing we want to go ahead and do is create one for our access points.
So, for access points, we're going to want to set them to edge, so they don't cause those same issues. And this is where, if you are in a higher security environment, you may also choose to only pass through the VLANs that have Wi-Fi.
So, if our security cameras and our servers never have Wi-Fi, there's no Wi-Fi network on that VLAN, we could only pass through default, guest, and office.
Now, if I all of a sudden made a Wi-Fi network for my servers, people would be able to connect that SSID, but nothing would work, because I am blocking those uplinks. I'm blocking those VLANs down it. But, by doing this, we can ensure that if somehow somebody pulls a cable out of one of our access points, and tries to get into the server VLAN, they will be blocked from doing so.
And so, you can see down here, it's already enabled our proper STP settings, because we've enabled this as an STP edge. So, it's automatically going to have the BPDU guard enabled.
Next up, we're going to create another one for cameras.
And same thing, cameras will be edge.
For them, their native VLAN is just going to be on that camera VLAN.
They only need to be on the camera VLAN, and we're going to block all. So, that way if we've got an exterior camera, somebody goes up on a ladder, breaks it, plugs into it, it cannot get on any other VLANs. It is only able to be on that camera VLAN.
And we will disable flow control. You just don't need it for cameras.
And we can see right here, everything else is set up and ready for us.
Now, we're going to set another one for office computers.
Set it to edge, block all, and put it on that office VLAN.
Now, that exact same thing, we probably will also want to enable non-STP loop protection.
Mostly because I have seen in the past where people plug in a switch or anything like that that is non-UniFi, a dumb switch, and accidentally create a network loop.
This will help with extra caution. So, essentially, if there is a case where somebody plugs in something that's causing a broadcast storm, that port will be completely disabled until somebody comes in here and manually authorizes it, manually turns it back on.
So, when you've got a bunch of office ports and who knows what people are plugging into it, and they may cause some crazy things, having this thing as a non-STP loop protection can help be that last line of defense.
And once again, it is focused on only that office VLAN, and nobody can be smart, plug into one of the wall jacks, and hop on in the server VLAN just by doing this.
And now, finally, let's add one for our servers. And this is where stuff can be a little bit more interesting.
And it really depends on the servers you're running.
Servers will also be an edge device.
We are assuming they do not have any other networking gear going on, anything like that.
And now the question comes down to what VLANs do we want to pass through? And it really kind of comes down to how you are setting up. What are you doing with your servers? A very common setup may be that you have the default VLAN be the server VLAN.
But you may also want to allow your servers to hop on the office VLAN.
So, what this is is a thing called tagged VLANs.
So, let's say I'm virtualizing.
I can have my default VLAN be for the servers.
But maybe I've got a file server on there that I want to be on that same office VLAN.
By setting it like this, all devices by default will be on the server VLAN.
But we're going to trust our servers.
So, we're going to allow the servers to specify, "Hey, I also want to have this device on the office LAN." And with this setup, they cannot then request to be on the guest LAN or anything like that.
It's only the ones that we check off here.
It really comes down to what do you trust your devices to be able to do?
And in general, you want to use least trust.
If something doesn't need access to it, don't give them access to it. Even though they probably will not. If you get a virus or you get attacked, by having least privileges, you're really going to limit what things can happen.
So, that's where it really comes down to, especially when you've got larger server deployment.
You want to have a server port profile because you can add and remove VLANs from their ability to access. And if you've got a more complex deployment, you may even set up one for virtualization, one for management, and a bunch of different port profiles like that.
But we're going to just go with that for here.
And we're not going to set up non-STP loop protection here because we just don't need it. We're going to assume that everybody in the server room knows what they're doing and they're not going to break stuff.
And then you may also just choose to completely disable PoE.
Who knows, maybe some of your servers have a PoE functionality on off. Really, it's whatever you want to do here.
Now, the other thing we're not going to do here is we're not going to create a guest one. In the vast majority of cases, you don't let your guests just plug in.
If you wanted to, if you had like a conference room that you wanted isolated that you expect guests to be able to plug their computers into, you could do that here as well. But for most deployments, guests are just going to be on Wi-Fi. Okay, so now we've gone through and we've set up our profiles.
We have set them up so that every single one of our clients, we don't have to remember what settings we use for them.
Instead, we just know what device is going to be plugged into it.
And we set it to that port profile on our switch.
This way, we don't have to have redundant information, and we're going to have a much lower chance of screwing something up because we forgot a specific setting.
And now, if something changes where, "Hey, we want all of our access points to also be able to be on the camera VLAN."
We can do that all in one click. All right, so now let's go in and actually deploy these out. Let's actually set these on our port profiles.
And I would recommend doing this off hours because you may have some interrupts. You may need to reboot some devices to get them on the proper port profiles, especially if stuff has not been done properly in the past. All right, so in general, I like to kind of start at the bottom of the network and come up. And so the reason we want to start at the bottom kind of work our way up is it allows us to resolve issues as they come up with much, much smaller deployments, rather than having to deal with a whole lot of issues.
And so, what I like to do is start at the very last thing. So, in this case, it's going to be this Flex 2.5G.
What we're going to do is we are going to specify exactly what these other devices are going to be hooked up to.
So, I'm assuming the rest of these four ports are just going to be for office computers.
So, what I'm going to do is I'm going to set them to a port profile of office computers.
Now, you will see some things here cannot be applied specifically to this unit.
The biggest ones being STP edge and BPDU guard.
You're not using this thing as a distribution switch, so that should not be a big deal, but just that is one thing to note.
So, now we've set each of these port profiles to the office computers. So, now anybody can plug their computer into it and it will be on the office VLAN, all set ready to go.
Now, we are going to go to our uplink port, port number five and set that to our networking uplink.
Great. Now, we're going to go up the next level.
So, now we have a few devices here.
We're going to go ahead and we are going to choose the switch and the router and we are going to set both of those guys to being networking uplinks.
And we're going to select our access point right here to being an AP.
Now, it's up to us what we want to plug in the rest of these ports.
If you are really trying to have true ownership and true control over a chaotic business, sometimes the best thing to do is, if it's not configured, if it's not ready for something, disable it.
This way, you kind of force people to not just randomly plug stuff into ports and you make sure you know exactly what's plugged in.
The other option is to go somewhere in between and just set every single one of these to being on the office VLAN, something that makes sense. It's really up to how you are set up. It comes down to who's going to be plugging stuff in and how sensible they are. If you've got a networking closet and these are all runs to offices, yeah, absolutely. Set them all to office ports. Assume that any runs to offices, people are going to plug their laptops into them.
But it really comes down to your exact setup. In general, I would highly recommend at least deploying them to something that makes sense, like an office one. That way it will work for the intended purpose, but it is also restricted out from any of the other VLANs.
And finally, the last thing to do is actually plug it in on our router. And this is one of the cases where you don't really need to do a port profile here and it probably does not make sense to do a port profile.
Instead, this is the case to make a sensible one.
Call it switch uplink and allow all VLANs on through it.
Now, what I like to do is I moved a bunch of stuff around, so it's going to be popping on different VLANs and everything like that. It makes sense to go ahead and do a reboot of it, to now just kind of get everything fresh. Let everything pull its new IP addresses. Comes down to how janky everything was before. If you're moving a bunch of devices to different VLANs by doing this, it's worth rebooting all of your switches.
That way the devices all pull new IP addresses. They clear their DHCPs.
And that way you don't have to go into every single device and power cycle them, but you will always have devices that need power cycling. Whenever you're moving these things around, and that is just something to deal with.
And that's why you want to do these things off hours.
All right, so now this is a great example of exactly what happened.
I have to manually uplink everybody previously on that camera VLAN. And so all of my devices were on the wrong one. But now I've set all those different pieces up. When I'm rebooting it here, everything should come up and end up on the right subnets and VLANs. However, if you had a very janky deployment and you've got statically assigned devices on UniFi and random port profiles, you might want to really sit down and make sure that there is going to be kind of continuation and that all your devices can successfully get to your UniFi controller when you do do these updates.
If you've done everything properly, you shouldn't have any issues, but especially if this has been a long-standing thing and there's been some janky VLAN selections, it's really worth taking some time here because otherwise you may be resetting some devices to get them back on their proper VLANs.
All right, so now we're just going to wait for all these devices to boot back on up. And because I've cleaned everything up and we're keeping networking gear on that dot one VLAN, we should see these come back up with their proper dot one IPs.
And so now just like that, everything's got its proper IP addresses and everything is going to end up exactly where we want it.
Now, if we need to go in and we change, "Hey, we're going to plug in something in port four."
All we've got to do is just update that to, "Hey, it's now a security camera."
Everything's ready to go. It's an access point. Everything's ready to go. And you don't have to go in and remember all these different settings and you can update everything in one location.
It makes it so much easier to have best practices as time goes on and it makes management much simpler. But once again, do not feel like you have to set every single port as a port profile.
I would say once you do something more than twice, that's when it needs to be its own port profile for sure. All right. Well, that's going to be it for this tutorial. If you have any other questions, put those down in the comments below. And if you want to hire me, there's a link for that down in the description below. And have a good one.
Bye.
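
The least-privilege layout walked through in this tutorial can be checked mechanically. The following is an added example, not code from the video or from UniFi: a Python audit that flags ports whose profile gives the attached device more VLANs than it needs, client ports left on an uplink profile, and switch links whose two ends disagree. The data model, profile names, device kinds and inventory are assumptions constructed to mirror the transcript; this is not UniFi's API or export format.

```python
from dataclasses import dataclass

ALL_VLANS = frozenset({"default", "cameras", "office", "servers", "guest"})

@dataclass(frozen=True)
class PortProfile:
    name: str
    mode: str          # "uplink" (switch to switch) or "edge" (client facing, STP edge)
    native: str        # untagged VLAN
    tagged: frozenset  # tagged VLANs allowed on top of the native one

    def vlans(self):
        return self.tagged | {self.native}

# Hypothetical profile set, modelled on the profiles built in the tutorial.
PROFILES = {p.name: p for p in (
    PortProfile("networking-uplink", "uplink", "default", ALL_VLANS - {"default"}),
    PortProfile("access-point", "edge", "default", frozenset({"guest", "office"})),
    PortProfile("cameras", "edge", "cameras", frozenset()),
    PortProfile("office-computers", "edge", "office", frozenset()),
    PortProfile("servers", "edge", "servers", frozenset({"office"})),
)}

# The most each kind of end device should ever be able to reach.
MAX_VLANS = {
    "ap": {"default", "guest", "office"},
    "camera": {"cameras"},
    "office-pc": {"office"},
    "server": {"servers", "office"},
}

# Constructed inventory: what is plugged into each port and which profile it has.
INVENTORY = [
    {"switch": "core", "port": 1, "device": "switch", "profile": "networking-uplink", "peer": ("flex", 5)},
    {"switch": "flex", "port": 5, "device": "switch", "profile": "networking-uplink", "peer": ("core", 1)},
    {"switch": "core", "port": 2, "device": "ap", "profile": "access-point"},
    {"switch": "core", "port": 3, "device": "camera", "profile": "networking-uplink"},  # left on trunk
    {"switch": "flex", "port": 1, "device": "office-pc", "profile": "office-computers"},
    {"switch": "flex", "port": 2, "device": "office-pc", "profile": "servers"},  # wrong profile
]

def audit(ports):
    """Return (port, problem) tuples for ports that break the layout above."""
    findings = []
    by_id = {(p["switch"], p["port"]): p for p in ports}
    for p in ports:
        where = f'{p["switch"]}/{p["port"]}'
        prof = PROFILES.get(p["profile"])
        if prof is None:
            findings.append((where, "no known port profile"))
            continue
        if p["device"] == "switch":
            # Inter-switch links: uplink mode, same profile on both sides.
            peer = by_id.get(p.get("peer"))
            if prof.mode != "uplink":
                findings.append((where, "switch link on an edge profile"))
            if peer is None or peer["profile"] != p["profile"]:
                findings.append((where, "uplink profile differs between the two ends"))
            continue
        if prof.mode != "edge":
            findings.append((where, "client-facing port is not STP edge"))
        extra = prof.vlans() - MAX_VLANS.get(p["device"], set())
        if extra:
            findings.append((where, "excess VLANs: " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for where, problem in audit(INVENTORY):
        print(f"{where}: {problem}")
```
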