VLAN config with SG350x and Unifi gateway

jnapier4
Level 1

I have recently installed a Unifi gateway to replace an old gateway in a small business. Everything is working properly, but I am receiving a lot of dropped packets on the LAN side and that concerns me. I am wondering if someone can confirm proper VLAN configuration before I start replacing SFP+ adapters!

I have the following VLANs on my SG350x. Inter-VLAN routing is enabled and I want to ensure this routing stays on the switch.

[screenshot: jnapier4_0-1762701403987.png]

A static route on the SG350x has been created - 0.0.0.0/0 to 192.168.1.1

The Unifi gateway is configured with the same VLANs

VLAN1 - 192.168.1.1/24
VLAN20 - 10.235.20.1/24
VLAN30 - 10.235.30.1/24
VLAN40 - 10.235.40.1/24
VLAN60 - 10.235.60.1/24
VLAN100 - 10.235.100.1/24

Everything is tagged except for VLAN1. I want the VLAN routing to stay on the switch and to just use the gateway for Internet traffic. Are there any improvements that can be made to this configuration?

Thanks,
Joel


4 Replies

balaji.bandi
Hall of Fame

First, I stay away from VLAN 1 and utilize different VLANs where possible; also, the switch does not perform any NAT.

Ensure that if you have an uplink router performing NAT and routing with your provider, you have a route back to the switch to work as expected.

BB


jnapier4
Level 1

Thank you for your response. I understand your VLAN1 comment.

[screenshot: jnapier4_0-1762783602758.png]


From my understanding of the configuration, all internal clients point to a gateway address on the switch (10.235.x.2), so inter-VLAN traffic does not get forwarded to the gateway. If the address is not routable by the switch, then the switch uses 0.0.0.0 and passes that tagged traffic to 192.168.1.1 (LAN address of the gateway device). The gateway then NATs the request, and returning traffic is routed back through the correct VLAN using the VLAN on the gateway (10.235.x.1). Essentially the gateway is acting just like an extension of the switch to NAT Internet traffic only (which the SG350x switch cannot do). The switch does inter-VLAN routing for internal traffic and the gateway router routes external traffic.

Would it be better to use a layer 3 port on the SG350x and connect it directly to the gateway router for each VLAN? We still want all the inter-VLAN routing to happen on the switch.

I'm looking for alternative configurations that follow best practices.

Giuseppe Larosa
Hall of Fame

Hello @jnapier4 ,

>> I want the VLAN routing to stay on the switch and to just use the gateway for Internet traffic.

To achieve this you need a dedicated L3 interface between the router and the switch.

You will remove the VLAN-based interfaces on the router except the one dedicated to inter-device communication.

You will need static routes on the router pointing to the switch IP address for all internal subnets.

In addition, the device needs to be configured to perform NAT for all the destination subnets of the static routes.

This is a key point: not all small business devices allow this.

Hope to help

Giuseppe
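
As an added illustration (not configuration from this thread, from Cisco or from Ubiquiti), the following Python models the design Giuseppe describes with the thread's own subnets and checks the two routing facts it relies on: traffic between VLANs resolves to a connected interface on the switch and never reaches the gateway, and the gateway holds a return route toward the switch for every internal subnet. The transit link 192.168.254.0/30, its two addresses and the gateway's "ISP" next hop are assumptions made for the example.

```python
import ipaddress

# Constructed values for this illustration (not from the thread)
VLAN_SUBNETS = {20: "10.235.20.0/24", 30: "10.235.30.0/24", 40: "10.235.40.0/24",
                60: "10.235.60.0/24", 100: "10.235.100.0/24"}
TRANSIT = "192.168.254.0/30"          # assumed dedicated L3 link switch <-> gateway
SWITCH_TRANSIT_IP = "192.168.254.2"   # assumed routed-port address on the SG350x
GATEWAY_TRANSIT_IP = "192.168.254.1"  # assumed address on the gateway's LAN port

# A route is (prefix, next_hop); next_hop None means directly connected.
switch_routes = [(ipaddress.ip_network(p), None) for p in VLAN_SUBNETS.values()]
switch_routes += [(ipaddress.ip_network(TRANSIT), None),
                  (ipaddress.ip_network("0.0.0.0/0"), GATEWAY_TRANSIT_IP)]

# Gateway: transit link, a default toward the ISP (NAT happens here), and
# one static route per internal subnet pointing back at the switch.
gateway_routes = [(ipaddress.ip_network(TRANSIT), None),
                  (ipaddress.ip_network("0.0.0.0/0"), "ISP")]
gateway_routes += [(ipaddress.ip_network(p), SWITCH_TRANSIT_IP)
                   for p in VLAN_SUBNETS.values()]


def lookup(routes, dst):
    """Longest-prefix match. Returns 'connected', a next-hop string, or None."""
    addr = ipaddress.ip_address(str(dst))
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    prefix, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    return "connected" if next_hop is None else next_hop


def trace(dst):
    """Devices a packet from a VLAN host passes through; all flows enter at the switch."""
    path = ["switch"]
    if lookup(switch_routes, dst) == GATEWAY_TRANSIT_IP:
        path.append("gateway")
        if lookup(gateway_routes, dst) == "ISP":
            path.append("ISP")
    return path


def missing_return_routes(routes):
    """VLAN IDs whose subnet the gateway would not hand back to the switch."""
    return sorted(vid for vid, prefix in VLAN_SUBNETS.items()
                  if lookup(routes, ipaddress.ip_network(prefix)[1]) != SWITCH_TRANSIT_IP)


if __name__ == "__main__":
    print("VLAN20 -> VLAN30:", trace("10.235.30.7"))    # stays on the switch
    print("VLAN20 -> Internet:", trace("8.8.8.8"))      # switch -> gateway -> ISP
    print("gaps without static routes:", missing_return_routes(gateway_routes[:2]))
```

Running `missing_return_routes` against a gateway table that only has the transit and default routes lists every VLAN, which is the situation Giuseppe's static routes are there to fix.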


elwin-berrar
Level 1

The routing logic is fine, but dropped packets usually come from inconsistent tagging or a mismatch on the uplink trunk between the switch and the gateway. Before touching SFPs, verify that both sides carry the exact same VLANs as tagged and that the management or native VLAN is identical on both ends because this is what most often causes silent loss in mixed Cisco and Unifi setups.