Need Network Help / Expertise (STP Port Blocking/Loop Situation)

3,520 Views | 18 Replies | Last: 5 yr ago by Echoes97
Echoes97
Hey Guys:
We are a small business, and recently added a couple of new switches to our network to support a VLAN for a new camera system. All of the switches are Ubiquiti 48-Port 500W PoE switches, and we have the ports mapped to the 2 different networks (normal data LAN and the video/camera VLAN). Everything seems to be configured and wired and working, but if I leave the video/camera VLAN attached, within a minute it starts getting STP port blocking errors and the network degrades to an unusable state very quickly.

I am (obviously) not an expert with these things, but feel like I have a decent handle on it, but this is making me pull my hair out. I've scoured the Ubiquiti boards, set the switches in descending RSTP priority (closest to firewall highest => on down), disabled "Uplink Connectivity Monitor," tried resetting/reconfiguring, and still have the same issue.

Obviously this is very high level; I have much more detail, but didn't want to get too long-winded here if there was no one out there willing to help. I have a full diagram of the switches and how they are set up (which cables are connected to which switches and to what ports), which I can share with anyone who might be able to help. If you have any thoughts or expertise, I'd MUCH appreciate any help! Thanks y'all.
mickeyrig06sq3
What configuration do you have on the ports connecting the switches?
nwspmp
Would be more than happy to take a look. First thing I'd check though is the trunk settings between the switches. Also are all switches on the VLAN the same type/make/model? There have been some issues with STP/RSTP protocol incompatibilities between different vendors.

Edit: Just saw that all of the switches are the same type, not just the added ones.
Echoes97
We do have 1 switch/router that is an oddball, which I added to support a 10Gb network on the video/camera VLAN. It's a Mikrotik, running RouterOS, here's a link to the exact model:

https://mikrotik.com/product/crs309_1g_8s_in

Thanks guys, so hopefully this diagram makes it a bit clearer. The other 6 switches are all identical Ubiquiti 48 Port 500W POE Switches. I put this together as a quick reference, so it's not perfect, but should give you an exact idea of what is configured where. Please let me know if there's anything here that sticks out as a potential issue, or if I can provide more info that might help.

Really appreciate the time, thank you!

https://steelalloysvc-my.sharepoint.com/:u:/p/jasondeere/EUdPgbJzPXNLpbRopYoI1KsBqvunghH6I_UuRWNRWD-syA?e=6OqQHn
mickeyrig06sq3
A few things:

1. Why do you have dual NICs on your NVR and NAS configured for each network?
2. You have your ports on your MikroTik all showing as being in the red vlan, are they trunks, or configured statically for that VLAN?
3. Is the blue VLAN intended to be an unrouted VLAN?
4. STP is a little flipped. Higher priority value is actually least preferred when selecting root. So you want your root to have a priority of 4096, and then go up from there.
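Why bridge priorities come in steps of 4096, and why the lower value wins, is visible in the BPDU itself: the bridge ID on the wire is a 16-bit word whose top four bits are the priority (so 4096 is 0x1000, the smallest non-zero step) followed by the bridge MAC, and a port believes whichever BPDU carries the lower root ID. The following is an added example, not code from this thread or from either vendor: it builds and decodes 802.1w RST BPDUs from constructed frames with placeholder MACs, and shows that a bridge left at priority 0 would take the root role away from a planned root at 4096.

```python
"""Added example (not from the thread): build and decode 802.1w RST BPDUs to show how
the priority / bridge-ID tie-break is carried on the wire.  All frames below are
constructed here; nothing is captured from the poster's network."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00
LLC_STP = b"\x42\x42\x03"                         # DSAP/SSAP 0x42, UI control field
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode_bridge_id(priority: int, mac: str, ext: int = 0) -> bytes:
    """16-bit word: top 4 bits = priority/4096, low 12 bits = system ID extension; then MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return struct.pack("!H", priority | (ext & 0x0FFF)) + bytes.fromhex(mac.replace(":", ""))


def decode_bridge_id(raw: bytes) -> dict:
    word = struct.unpack("!H", raw[:2])[0]
    return {"priority": word & 0xF000, "ext": word & 0x0FFF, "mac": mac_str(raw[2:8])}


def build_rst_bpdu(src_mac: str, root: bytes, root_path_cost: int, sender: bytes,
                   port_id: int, flags: int = 0x3C, message_age: int = 0,
                   max_age: int = 20, hello: int = 2, fwd_delay: int = 15) -> bytes:
    """802.3 length-type Ethernet + LLC + 36-byte RST BPDU; timers are in 1/256 s units."""
    body = struct.pack("!HBBB8sI8sHHHHHB", 0, 2, 2, flags, root, root_path_cost, sender,
                       port_id, message_age * 256, max_age * 256, hello * 256, fwd_delay * 256, 0)
    src = bytes.fromhex(src_mac.replace(":", ""))
    frame = STP_MULTICAST + src + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body
    return frame.ljust(60, b"\x00")                 # pad to the minimum Ethernet frame size


def parse_bpdu(frame: bytes) -> dict:
    if frame[:6] != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast group")
    length = struct.unpack("!H", frame[12:14])[0]
    if frame[14:17] != LLC_STP:
        raise ValueError("missing LLC header for spanning tree")
    body = frame[17:14 + length]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    out = {"src": mac_str(frame[6:12]), "version": version}
    if bpdu_type == 0x80:                            # Topology Change Notification: no payload
        out["type"] = "TCN"
        return out
    (flags, root_raw, rpc, bridge_raw, port_id, msg_age,
     max_age, hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH", body[4:35])
    out.update({
        "type": "RST" if bpdu_type == 2 else "Config",
        "root": decode_bridge_id(root_raw),
        "root_path_cost": rpc,
        "bridge": decode_bridge_id(bridge_raw),
        "port_priority": (port_id >> 12) * 16,       # 802.1D-2004: 4-bit priority, 12-bit number
        "port_number": port_id & 0x0FFF,
        "flags": {"tc": bool(flags & 0x01), "proposal": bool(flags & 0x02),
                  "role": PORT_ROLES[(flags >> 2) & 0x3], "learning": bool(flags & 0x10),
                  "forwarding": bool(flags & 0x20), "agreement": bool(flags & 0x40)},
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    })
    return out


def priority_vector(b: dict) -> tuple:
    """802.1w comparison order: root ID, root path cost, sender bridge ID, sender port ID; lower wins."""
    rid, bid = b["root"], b["bridge"]
    return ((rid["priority"] | rid["ext"], rid["mac"]), b["root_path_cost"],
            (bid["priority"] | bid["ext"], bid["mac"]), (b["port_priority"], b["port_number"]))


def superior(a: dict, b: dict) -> dict:
    """Which of two received BPDUs a port would believe."""
    return a if priority_vector(a) <= priority_vector(b) else b


def claims_better_root(b: dict, planned_root: bytes) -> bool:
    """True if a BPDU advertises a root that beats the bridge we intended to be root;
    this is the check root guard / BPDU guard performs on an edge port."""
    planned = decode_bridge_id(planned_root)
    rid = b["root"]
    return (rid["priority"] | rid["ext"], rid["mac"]) < (planned["priority"] | planned["ext"], planned["mac"])


# Constructed samples (placeholder MACs): the intended root at 4096 announcing itself on
# its port 49, and a stray bridge at priority 0 that wins the election the moment it is plugged in.
PLANNED_ROOT = encode_bridge_id(4096, "00:00:5e:00:00:01")
LEGIT = build_rst_bpdu("00:00:5e:00:00:01", PLANNED_ROOT, 0, PLANNED_ROOT, (8 << 12) | 49)
STRAY = encode_bridge_id(0, "00:00:5e:00:00:99")
ROGUE = build_rst_bpdu("00:00:5e:00:00:99", STRAY, 0, STRAY, (8 << 12) | 1)

if __name__ == "__main__":
    for f in (LEGIT, ROGUE):
        print(parse_bpdu(f))
    print("winner:", superior(parse_bpdu(LEGIT), parse_bpdu(ROGUE))["src"])
```

Decoding the BPDUs seen on each end of the UBNT-to-Mikrotik trunk (tcpdump's filter `ether dst 01:80:c2:00:00:00` selects them) tells you which bridge each side believes is root and at what path cost; if the two sides disagree, they are not participating in the same spanning tree. The last function is the test that root guard and BPDU guard apply on edge ports, which is worth enabling on camera-facing ports where the switch offers it: otherwise any stray switch at a default or zero priority wins the election.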
nwspmp
I'm assuming that all of the non-fiber ports on the UBNT switches are mapped so that untagged traffic is tagged with the appropriate VLAN. Also, what VLAN IDs are you using; in some cases, such as with the UBNTs, VLAN 1 is the default VLAN, and in trunking reverts to a native/untagged port.

You say that the Video/Camera VLAN gets attached and then everything starts going down. Are you referring to the Mikrotik switch powering on or just activating the VLANs on the UBNT switches?
Echoes97
mickeyrig06sq3 said:

A few things:

1. Why do you have dual NICs on your NVR and NAS configured for each network?
2. You have your ports on your MikroTik all showing as being in the red vlan, are they trunks, or configured statically for that VLAN?
3. Is the blue VLAN intended to be an unrouted VLAN?
4. STP is a little flipped. Higher priority value is actually least preferred when selecting root. So you want your root to have a priority of 4096, and then go up from there.
First off, thanks for the reply, appreciate it. Answers:

1. Probably not necessary on the NAS unit, but the main reason is that I wanted to be able to access the NVR from our main network. If there's another way to handle it, I'm certainly willing to listen I just didn't know another way to do that. Also, we will have offsite mobile devices that need to access the NVR via an app from outside our network, and I'll have to configure that at some point soon. So that was my main reasoning, easy access.

2. The Mikrotik is minimally configured, in bridge mode, with an IP address of 192.168.1.1. Forgive me, I'm not familiar w/ whether or not the ports are configured as trunks. Like I say, I believe there to be minimal configuration done on this switch, so I would wager almost everything is default and dumb other than the main network/IP config of the switch itself. I obviously have access to all of these devices though, and can get you whatever info you need.

3. The blue LAN is our main LAN, where all of our normal office network traffic exists. We have a Juniper firewall that links into "Switch #1" on the diagram there. That and a local Windows server are what controls the network config (DHCP, etc.)

4. I tried setting the STP in ascending order, starting w/ the switch closest to (attached to) the firewall, based on everything I read that sounded correct, going up from there to subsequent switches/blocks of switches. I read several things about it, and tried a few different configs, but what they are on the diagram is where we're currently set. Basically the 4 main switches are in our main server room in our office here. The other 2 new switches were added in 2 different offices on the premises, with both of them connected to our main office via fiber optic cabling. Those are the ones labeled "Receiving" and "Shipping".

Hope this helps, thanks again for any/all help!
Echoes97
nwspmp said:

I'm assuming that all of the non-fiber ports on the UBNT switches are mapped so that untagged traffic is tagged with the appropriate VLAN. Also, what VLAN IDs are you using; in some cases, such as with the UBNTs, VLAN 1 is the default VLAN, and in trunking reverts to a native/untagged port.

You say that the Video/Camera VLAN gets attached and then everything starts going down. Are you referring to the Mikrotik switch powering on or just activating the VLANs on the UBNT switches?

Yes, correct, all non-fiber ports are mapped to their appropriate VLANs, not just "All" or whatever it defaults to. All ports are directly mapped.

OK so yes this was a bit nebulous from me, sorry, but exactly what I mean is when I connect the fiber port (SFP+ Port 2) on the Shipping switch to the Mikrotik switch, things go south. The exact issue that happens is that the Unifi software shows an error on Switch #3 that "Port 51 blocked by STP protocol". Every other cable is connected and working as shown in the diagram, but if I connect that cable, that's when the issues begin.

Thank you!
nwspmp
Echoes97 said:

Yes, correct, all non-fiber ports are mapped to their appropriate VLANs, not just "All" or whatever it defaults to. All ports are directly mapped.

OK so yes this was a bit nebulous from me, sorry, but exactly what I mean is when I connect the fiber port (SFP+ Port 2) on the Shipping switch to the Mikrotik switch, things go south. The exact issue that happens is that the Unifi software shows an error on Switch #3 that "Port 51 blocked by STP protocol". Every other cable is connected and working as shown in the diagram, but if I connect that cable, that's when the issues begin.

Thank you!
So Receiving Switch and Switch #4 are both working fine with the Video VLAN and the other switches are working fine with the Corp Data VLAN, but when the trunk from Shipping Switch is connected to the Mikrotik, the system goes into the error state, right?

If so, check the port 51 settings for the Receiving Switch and the Shipping Switch to make sure they're the same (VLAN, trunking, etc). Also, make sure there are no devices plugged into the Shipping Switch Video VLAN designated ports and plugged into another Video VLAN port on another switch. Not super likely but possible.
Echoes97
nwspmp said:

So Receiving Switch and Switch #4 are both working fine with the Video VLAN and the other switches are working fine with the Corp Data VLAN, but when the trunk from Shipping Switch is connected to the Mikrotik, the system goes into the error state, right?

If so, check the port 51 settings for the Receiving Switch and the Shipping Switch to make sure they're the same (VLAN, trunking, etc). Also, make sure there are no devices plugged into the Shipping Switch Video VLAN designated ports and plugged into another Video VLAN port on another switch. Not super likely but possible.
Correct, the Receiving Switch, Switch #4, and the Mikrotik all seem to be working fine. I can see all of the cameras hooked up to those 2 switches just fine from the NVR computer. And the data side of that is working fine as well.

I quadruple checked the port settings on the Receiving and Shipping SFP+ ports, and they're identical as far as I can tell. And there are definitely no devices plugged into the Shipping Switch Video VLAN ports, only cameras for sure. And there's no cabling between the 2 sides of the switch. Very simple setup, which is why this is more than aggravating!

Thank you very much for taking time to respond, I have asked the guy that ran our fiber cabling to come back with a good tester and make 100% sure that our fiber is rock solid between the office and the shipping building. Hopefully he can do that soon so we can mark that off the potential issues list.

Appreciate it!
nwspmp
Echoes97 said:

Correct, the Receiving Switch, Switch #4, and the Mikrotik all seem to be working fine. I can see all of the cameras hooked up to those 2 switches just fine from the NVR computer. And the data side of that is working fine as well.

I quadruple checked the port settings on the Receiving and Shipping SFP+ ports, and they're identical as far as I can tell. And there's definitely no devices plugged into the Shipping Switch Video VLAN ports, only cameras for sure. And there's no cabling between the 2 sides of the switch. Very simple setup, which is why this is more than aggravating!

Thank you very much for taking time to respond, I have asked the guy that ran our fiber cabling to come back with a good tester and make 100% sure that our fiber is rock solid between the office and the shipping building. Hopefully he can do that soon so we can mark that off the potential issues list.

Appreciate it
In that case then, as a long shot, set the Shipping and Receiving switches to have different RSTP priorities. I don't have my UBNT switches here at the office to check, but I can't recall if they have per-VLAN RSTP setup or if it's a combined one for all ports and the UBNT and Mikrotik switches handle it differently. Even RouterOS and SwOS technically handle RSTP election differently.

However, I tend to think the problem may be a little worse than that. If the RSTP interaction between the two isn't the same (one of them sends the RSTP on all trunked VLANs versus it being selectable on the others) then the two switches with both of the VLANs could have some issues. One thing I saw in researching this is that some people with the UBNT and Mikrotik interactions disable RSTP and use STP alone. Try that; in the Ubiquiti settings for the port 51 on the Receiving and Shipping switches, disable RSTP and set it to use STP only. Longer shot too, but may be worth a try.

Also, the Mikrotik and the UBNT switches; what firmwares are they running? Up to date? All the same?
mickeyrig06sq3
Quote:

OK so yes this was a bit nebulous from me, sorry, but exactly what I mean is when I connect the fiber port (SFP+ Port 2) on the Shipping switch to the Mikrotik switch, things go south. The exact issue that happens is that the Unifi software shows an error on Switch #3 that "Port 51 blocked by STP protocol". Every other cable is connected and working as shown in the diagram, but if I connect that cable, that's when the issues begin.

So the port 51 being blocked on switch #3 is actually working correctly. Spanning tree will put one of the switch interconnect links into a blocking state to prevent loops. The fact that your network is becoming unusable is the exact opposite of what should be occurring when STP comes into play.

Can you post a screenshot of the configurations for the ports linking the Shipping switch to the Mikrotik and the Shipping switch to Switch #1?
nwspmp
mickeyrig06sq3 said:

So the port 51 being blocked on switch #3 is actually working correctly. Spanning tree will put one of the switch interconnect links into a blocking state to prevent loops. The fact that your network is becoming unusable is the exact opposite of what should be occurring when STP comes into play.

Can you post a screen shot of the configurations for the ports linking shipping switch to microtik and shipping switch to switch #1?
I thought that too, but the interconnects between the Mikrotik switch and the Shipping and Receiving switches are (according to the diagram) on a separate VLAN from the Corp Data ports, and so it shouldn't be seen as a loop. Rather, it should behave as if the Mikrotik is the core and the UBNT switches with the Video VLANs are edge switches hanging off it. Corp Data should appear as a wholly separate network.

Now if one of them was populating the same RSTP info to both VLANs over the trunks, then that would make sense to me, seeing as the Shipping and Receiving switches are both dual homed, so if it's populating RSTP for the Video VLAN into the Corp Data VLAN, then RSTP would interpret that as a loop, since the Corp Data homes to both as well.

A screenshot of the switch configs would definitely be helpful!
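The three points made above (lower priority value wins the root election; spanning tree blocking exactly one link of a loop is correct behaviour; and the suspicion that one RSTP instance is seeing the Video and Corp Data links as a single ring) can be checked with a small model. What follows is an added example, not code from this thread or from Ubiquiti or Mikrotik. The topology is my reading of the posts: an office chain #1 to #3 to #2, Shipping on Switch #1 and Receiving on Switch #2 via port 49, both dual-homed to the Mikrotik via port 50. MACs, the office jumper port numbers and a uniform link cost of 2000 (the 802.1t value for 10 GbE) are assumptions. The model runs plain 802.1w, which is VLAN-unaware: one tree for the whole physical topology, as nwspmp describes.

```python
"""Added example (not from the thread): a minimal 802.1D/802.1w root election and
port-role computation over a topology approximating the one described in the posts.
Bridge IDs compare as (priority, MAC): the LOWER value wins, so 4096 beats 61440."""
from __future__ import annotations
import heapq
from collections import defaultdict

ROOT, DESIGNATED, ALTERNATE = "root", "designated", "alternate"


def bridge_id(priority: int, mac: str) -> tuple[int, int]:
    """Bridge ID as a comparable tuple; 802.1D priority is a multiple of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    return (priority, int(mac.replace(":", ""), 16))


def compute_spanning_tree(bridges: dict[str, tuple[int, int]],
                          links: list[tuple[str, int, str, int, int]]) -> dict:
    """bridges: name -> bridge ID.  links: (bridge_a, port_a, bridge_b, port_b, path_cost).
    Returns the elected root, each bridge's root path cost and the role of every port."""
    root = min(bridges, key=bridges.get)             # 1. lowest bridge ID becomes root
    adj = defaultdict(list)                          # name -> (own port, neighbour, its port, cost)
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    rpc = {n: float("inf") for n in bridges}         # 2. root path cost (Dijkstra; costs > 0)
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > rpc[n]:
            continue
        for _, nb, _, cost in adj[n]:
            if d + cost < rpc[nb]:
                rpc[nb] = d + cost
                heapq.heappush(heap, (rpc[nb], nb))
    root_port = {}                                   # 3. root port: best 802.1w priority vector
    for n in bridges:
        if n != root and rpc[n] != float("inf"):
            best = min(adj[n], key=lambda e: (rpc[e[1]] + e[3], bridges[e[1]], e[2], e[0]))
            root_port[n] = best[0]
    roles = {}                                       # 4. one designated port per link
    for a, pa, b, pb, _ in links:
        va, vb = (rpc[a], bridges[a], pa), (rpc[b], bridges[b], pb)
        d_br, d_pt, o_br, o_pt = (a, pa, b, pb) if va < vb else (b, pb, a, pa)
        roles[(d_br, d_pt)] = DESIGNATED
        roles[(o_br, o_pt)] = ROOT if root_port.get(o_br) == o_pt else ALTERNATE
    return {"root": root, "rpc": rpc, "roles": roles}


def vlan_connected(links, roles, vlan_ports: set[tuple[str, int]]) -> bool:
    """True if every bridge with a port in the VLAN can reach every other one using
    only forwarding (non-alternate) ports that carry the VLAN."""
    nodes = {b for b, _ in vlan_ports}
    adj = defaultdict(set)
    for a, pa, b, pb, _ in links:
        if {(a, pa), (b, pb)} <= vlan_ports and ALTERNATE not in (roles[(a, pa)], roles[(b, pb)]):
            adj[a].add(b)
            adj[b].add(a)
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        for m in adj[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen == nodes


# Topology approximating the thread.  Ports 49/50 on Shipping and Receiving come from the
# posts; MACs, the office jumper port numbers and the link costs are assumptions.
LINKS = [
    ("office1", 49, "shipping", 49, 2000),      # SFP+ fiber, data VLAN
    ("office2", 49, "receiving", 49, 2000),     # SFP+ fiber, data VLAN
    ("office1", 51, "office3", 51, 2000),       # office chain jumpers (ports assumed)
    ("office3", 52, "office2", 51, 2000),
    ("shipping", 50, "mikrotik", 1, 2000),      # 10G uplinks to the Mikrotik, video VLAN
    ("receiving", 50, "mikrotik", 2, 2000),
]
MACS = {"office1": "00:00:5e:00:00:01", "office2": "00:00:5e:00:00:02", "office3": "00:00:5e:00:00:03",
        "shipping": "00:00:5e:00:00:10", "receiving": "00:00:5e:00:00:11", "mikrotik": "00:00:5e:00:00:20"}
VLANS = {
    "data": {("office1", 49), ("office1", 51), ("office3", 51), ("office3", 52),
             ("office2", 51), ("office2", 49), ("shipping", 49), ("receiving", 49)},
    "video": {("shipping", 50), ("receiving", 50), ("mikrotik", 1), ("mikrotik", 2)},
}
# "Closest to the firewall highest", read literally: Switch #1 gets the largest number,
# the Mikrotik keeps its 32768 default and therefore wins.
AS_DESCRIBED = {"office1": 61440, "office3": 57344, "office2": 53248,
                "shipping": 49152, "receiving": 45056, "mikrotik": 32768}
# Lower value wins, so the firewall-side switch carries the smallest priority.
CORRECTED = {"office1": 4096, "office3": 8192, "office2": 12288,
             "shipping": 16384, "receiving": 20480, "mikrotik": 32768}


def evaluate(priorities: dict[str, int]) -> dict:
    """Run the election; report the blocked port(s) and whether each VLAN stays connected."""
    bridges = {n: bridge_id(priorities[n], MACS[n]) for n in MACS}
    tree = compute_spanning_tree(bridges, LINKS)
    blocked = sorted(p for p, r in tree["roles"].items() if r == ALTERNATE)
    vlan_ok = {v: vlan_connected(LINKS, tree["roles"], ports) for v, ports in VLANS.items()}
    return {"root": tree["root"], "blocked": blocked, "vlan_ok": vlan_ok}


if __name__ == "__main__":
    for label, prios in (("as described", AS_DESCRIBED), ("corrected", CORRECTED)):
        print(label, evaluate(prios))
```

Under both priority sets exactly one port of the ring goes to alternate/discarding, which is spanning tree doing its job. What breaks in this model is that neither VLAN spans the whole ring, so whichever link is blocked cuts one VLAN in half: the data VLAN when the Mikrotik ends up as root, the video VLAN when Switch #1 does. If the UBNT switches run a single RSTP instance rather than per-VLAN or MSTP instances, that matches the symptom in the thread. Per-VLAN spanning tree or MSTP with the two VLANs in separate instances would avoid it, as would removing one of the two physical paths; disabling spanning tree only removes the blocking, not the loop.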
mickeyrig06sq3
Quote:

3. The blue LAN is our main LAN, where all of our normal office network traffic exists. We have a Juniper firewall that links into "Switch #1" on the diagram there. That and a local Windows server are what controls the network config (DHCP, etc.)

Is the firewall being utilized as the gateway for the users?
Echoes97
nwspmp said:

In that case then, as a long shot, set the Shipping and Receiving switches to have different RSTP priorities. I don't have my UBNT switches here at the office to check, but I can't recall if they have per-VLAN RSTP setup or if it's a combined one for all ports and the UBNT and Mikrotik switches handle it differently. Even RouterOS and SwOS technically handle RSTP election differently.

However, I tend to think the problem may be a little worse than that. If the RSTP interaction between the two isn't the same (one of them sends the RSTP on all trunked VLANs versus it being selectable on the others) then the two switches with both of the VLANs could have some issues. One thing I saw in researching this is that some people with the UBNT and Mikrotik interactions disable RSTP and use STP alone. Try that; in the Ubiquiti settings for the port 51 on the Receiving and Shipping switches, disable RSTP and set it to use STP only. Longer shot too, but may be worth a try.

Also, the Mikrotik and the UBNT switches; what firmwares are they running? Up to date? All the same?

Sorry for the late reply, been crazy busy here at work with other stuff, but thank you very much. This evening when everyone leaves I can try and switch the RSTP settings on the Rec and Shipping switches, to see if that helps at all. If that doesn't, I'll try changing them to STP only.

Firmware-wise, all of the UBNT switches are the same, which is 4.0.80.10875. The Mikrotik is running RouterOS 6.45.1 (not sure on the firmware version, will check).

Thank you for the suggestions, appreciate it!
Echoes97
OK y'all, here are some screen shots of the port configs on the Receiving and Shipping switches. One thing that caught my attention as a potential issue here is that the "Uplink" on the SFP+ data (not video) port on the Receiving Switch (which is working) is showing "Shipping" switch as the uplink. How could that be??? It's linked to Office Switch #2 (which is of course eventually jumpered to Shipping Switch). Maybe somehow this is the loop??

See here:

https://imgur.com/a/qIx0oWC

Note, that port 49 on both switches is the data port which links into our main network switches directly (via SFP+ ports as shown in the initial diagram). Port 49 from Receiving links to Port 49 on Office Switch #2. Port 49 from Shipping links to Port 49 on Office Switch #1. Those ports on all 4 switches are segmented to the SAHLAN LAN.

Port 50 on both Receiving and Shipping both link to the Mikrotik, and both of those ports are segmented to the SAHVID VLAN. Note that port 50 on the shipping switch is currently disabled because of these network issues when I enable it. But it is configured to SAHVID when it's enabled, so I believe they are segmented correctly. The other 2 SFP ports on both Shipping and Receiving switches are disabled.
nwspmp
One more screenshot request: would you send the Port Profile setups? A screencap of the settings for each Profile (SAHLAN and SAHVID). I'm wondering if one of the uplink ports is configured to trunk all VLANs, which could cause a loop on the video VLAN, leading to a port closure.
mickeyrig06sq3
Quote:

OK y'all, here are some screen shots of the port configs on the Receiving and Shipping switches. One thing that caught my attention as a potential issue here is that the "Uplink" on the SFP+ data (not video) port on the Receiving Switch (which is working) is showing "Shipping" switch as the uplink. How could that be??? It's linked to Office Switch #2 (which is of course eventually jumpered to Shipping Switch). Maybe somehow this is the loop??

Is that Uplink entry auto-generated based on what the device sees as its neighbor? If so, you may want to go verify your physical connections to ensure they're matching up with your diagram.
Echoes97
mickeyrig06sq3 said:

Is that Uplink entry auto-generated based on what the device sees as its neighbor? If so, you may want to go verify your physical connections to ensure they're matching up with your diagram.
I believe so, from what I can see. I definitely did not set that value. And you can see in the initial diagram I posted, that the "Shipping" switch is (via fiber) directly linked between port 49 on it and port 49 on Office Switch #1. And likewise, the "Receiving" switch is (via fiber) directly linked between port 49 on it and port 49 on Office Switch #2.

There is no way that the Receiving Switch is hooked into the Shipping Switch, except via the jumper cable that's running between Office Switch #1 and #3, and then from #3 to #2. So Office switch #2 is the end of the office chain, but has the Receiving switch plugged into it.

Not sure if that has anything to do with it, but that's how the data side of the network is set up.
Echoes97
Hey Guys:
So I had one person try and help me remotely, and we disabled STP everywhere, and did a couple of other things, but we're still having issues in seeing traffic where we should, and still a couple of the switches seem a bit unstable. I'm really at a loss here, and don't really know anyone at a level high enough that could come in and help (or help remotely).

I wanted to see if maybe anyone on this thread that felt capable might be willing to take a look remotely (or in person if in the Houston area?). I'd be happy to pay you for your time, I know it's a hassle. Please let me know if so, I'd really appreciate it.

Thanks again to everyone who took the time to comment and try and help!