Network Design · Logical Architecture

SSIDs, VLANs, authentication, RF plan, WAN and switch port map for the 530.62 sqm floor — 3 SSIDs over 5 VLANs on 7× U7 Pro XGS, terminated on a USW-Pro-XG-10-PoE and a reused UCG-Fiber. Physical placement and the coverage model live on the 2D Plan page.

  • 3 SSIDs broadcast
  • 5 VLANs (2 no-SSID)
  • ~375 peak concurrent clients
  • 5 Gbps UCG-Fiber IDS/IPS

1 · SSID / VLAN plan

| SSID | Authentication | Bands | VLAN | Subnet | Policy |
|---|---|---|---|---|---|
| SWC-Corp | MLO WPA3-Enterprise — 802.1X EAP-TLS via Entra ID (PPSK fallback, see §2) | 5 + 6 GHz | 20 | 10.20.20.0/23 | Managed devices only; /23 because 150 staff × 2–3 devices ≈ 400 addresses — a /24 would exhaust |
| SWC-Guest | WPA2/WPA3 transition + voucher portal (zero personal-data fields — DPA-safe, see §5) | 2.4 + 5 GHz | 30 | 10.20.30.0/24 | Client isolation, bandwidth cap 10/10 Mbps, internet-only, 2 h DHCP lease |
| SWC-IoT | WPA2-PSK | 2.4 GHz | 40 | 10.20.40.0/24 | Printers, meeting-room TVs; allow CORP→IoT (printing), deny IoT→CORP |
| — (no SSID) | Wired / management only | — | 10 | 10.20.10.0/24 | APs, switch, gateway UI. Never broadcast. |
| — (no SSID) | Reserved | — | 50 | 10.20.50.0/24 | Future UniFi Protect CCTV, no internet egress |

Why only 3 SSIDs. Every SSID beacons per band, per AP, at the lowest basic rate — pure airtime tax. UniFi itself hard-caps at 4 SSIDs per band with meshing enabled (meshing is off here — all APs wired), and community consensus is to stay at ≤ 3–4. VLANs do not need their own SSID: RADIUS (802.1X) and PPSK both assign VLANs per user on a single SSID. [verified]
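The policy column above is a set of intents (guest internet-only, CORP→IoT allowed, IoT→CORP denied, VLAN 50 with no egress, VLAN 10 never reachable from WiFi). The following is an added example, not part of this design page or of UniFi, that writes those intents down as an ordered first-match zone rule list and evaluates constructed flows against it, which is how you sanity-check a zone-based firewall before pushing it. The IoT→internet allow is an assumption the table does not state; everything else is transcribed from it.

```python
"""Inter-VLAN policy model for the SSID/VLAN plan.

Added example, not part of the original design page. It encodes the table's
stated intent (Guest internet-only, CORP->IoT allowed, IoT->CORP denied,
VLAN 50 with no internet egress, VLAN 10 never reachable from WiFi) as an
ordered first-match rule list, then evaluates constructed flows against it
the way a reviewer sanity-checks a zone-based firewall before pushing it.
"""
import ipaddress

# VLAN id -> zone name, straight from the SSID/VLAN table.
ZONES = {10: "MGMT", 20: "CORP", 30: "GUEST", 40: "IOT", 50: "CCTV"}
INTERNET = "INTERNET"

# Ordered (src_zone, dst_zone, action); "*" matches any zone. Pairs not
# listed fall through to the final default-deny, so every allow is explicit.
# The firewall is assumed stateful: replies to an allowed flow pass.
RULES = [
    ("GUEST", INTERNET, "allow"),  # guest is internet-only ...
    ("GUEST", "*", "deny"),        # ... and never east-west
    ("IOT", "CORP", "deny"),       # deny IoT->CORP
    ("CORP", "IOT", "allow"),      # allow CORP->IoT (printing)
    ("CCTV", INTERNET, "deny"),    # VLAN 50: no internet egress
    ("CORP", INTERNET, "allow"),
    ("IOT", INTERNET, "allow"),    # ASSUMPTION: TVs/printers fetch updates; the page does not say
    ("*", "*", "deny"),            # default deny (also keeps MGMT unreachable from WiFi)
]


def zone_of(endpoint):
    """Map a VLAN id, or the INTERNET marker, to a zone name."""
    return INTERNET if endpoint == INTERNET else ZONES[endpoint]


def evaluate(src_vlan, dst):
    """First-match decision for a flow from src_vlan to dst (VLAN id or INTERNET)."""
    src_zone, dst_zone = zone_of(src_vlan), zone_of(dst)
    for rule_src, rule_dst, action in RULES:
        if rule_src in (src_zone, "*") and rule_dst in (dst_zone, "*"):
            return action
    raise RuntimeError("RULES must end with a catch-all")


def usable_hosts(cidr):
    """Assignable addresses in a subnet (network and broadcast excluded)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def check_plan():
    """Answer the questions the policy column raises, as a name -> result dict."""
    return {
        "corp_to_iot": evaluate(20, 40),
        "iot_to_corp": evaluate(40, 20),
        "guest_to_internet": evaluate(30, INTERNET),
        "guest_to_corp": evaluate(30, 20),
        "guest_to_mgmt": evaluate(30, 10),
        "cctv_to_internet": evaluate(50, INTERNET),
        "corp_23_fits_400": usable_hosts("10.20.20.0/23") >= 400,
        "corp_24_fits_400": usable_hosts("10.20.20.0/24") >= 400,
    }


if __name__ == "__main__":
    for name, result in check_plan().items():
        print(f"{name:20} {result}")
```

The rule order matters: the GUEST catch-all deny sits before anything else that could match a guest source, and the CCTV egress deny sits before the generic internet allows, so a later edit that adds a broad allow cannot silently reopen either path.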

2 · Authentication

Target: 802.1X EAP-TLS tied to Entra ID

The company already runs M365/Entra + Intune + Tactical RMM — no on-prem AD, so password EAP (MSCHAPv2) cannot work against cloud-only Entra. Certificates are the path:

  • Intune Cloud PKI add-on issues per-device certs — ~$2/user/mo (₱0 if already on Intune Suite — verify licensing) [verified]
  • RADIUSaaS (~€1.50/user/mo up to 275 users) speaks RadSec direct to the UCG-Fiber — TLS-encrypted RADIUS to the cloud, no on-prem VM to build or patch [verified]
  • Certificates auto-revoke with the Entra account — offboarding kills WiFi access the same hour as e-mail

Indicative opex at 150 users: PKI ≈ ₱17,400/mo + RADIUSaaS ≈ ₱14,550/mo [estimate]

Fallback: PPSK day-one, migrate after

If subscription procurement slips past the office opening, launch SWC-Corp on per-user PPSK (private pre-shared keys): free, native UniFi, per-key VLAN assignment, works with every client type. Migrate to EAP-TLS once PKI + RADIUS are live.

  • Never launch on a single shared corporate PSK
  • PPSK offboarding is manual (150 keys, no Entra tie) — acceptable as a bridge, a credential-exposure risk if it becomes permanent
  • Note: the UCG-Fiber's built-in RADIUS only authenticates local UniFi user entries — it cannot validate against Entra, so it is not a corp-WiFi IdP [verified]
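Because the PPSK bridge has no Entra tie, the compensating control is a periodic reconciliation of issued keys against the directory. The script below is an added example, not from the design page or from UniFi: it takes a PPSK inventory and the set of enabled Entra accounts and reports keys whose owner is gone, keys shared between users, and keys that would land a client outside VLAN 20. Both inputs are constructed for the example; a real controller or Entra export would be mapped to the same row shape.

```python
"""Reconcile the PPSK bridge against the directory.

Added example, not from the design page or from UniFi. While SWC-Corp runs
on per-user PPSKs there is no Entra tie, so this is the compensating
control: take the PPSK inventory and the set of enabled Entra accounts and
report keys that should already be revoked, keys shared between users, and
keys that would land a client outside VLAN 20. Inputs are constructed; a
real controller or Entra export would be mapped to the same row shape.
"""
from collections import defaultdict

CORP_VLAN = 20

# Constructed inventory: one row per issued key. Key values are placeholders.
PPSK_INVENTORY = [
    {"user": "ana@example.com", "key": "CONSTRUCTED-KEY-01", "vlan": 20},
    {"user": "ben@example.com", "key": "CONSTRUCTED-KEY-02", "vlan": 20},
    {"user": "cai@example.com", "key": "CONSTRUCTED-KEY-03", "vlan": 40},  # wrong VLAN
    {"user": "dee@example.com", "key": "CONSTRUCTED-KEY-02", "vlan": 20},  # reused ben's key
]

# Constructed: accounts currently enabled in Entra. dee left last week.
ENTRA_ENABLED = {"ana@example.com", "ben@example.com", "cai@example.com"}


def orphaned_keys(inventory, enabled_users):
    """Owners whose account is no longer enabled: revoke these keys today."""
    return sorted(row["user"] for row in inventory if row["user"] not in enabled_users)


def shared_keys(inventory):
    """Keys issued to more than one user; revoking one user then hits the other."""
    owners = defaultdict(set)
    for row in inventory:
        owners[row["key"]].add(row["user"])
    return {key: sorted(users) for key, users in owners.items() if len(users) > 1}


def off_corp_vlan(inventory):
    """Keys whose VLAN assignment is not the corp VLAN."""
    return sorted(row["user"] for row in inventory if row["vlan"] != CORP_VLAN)


def reconcile(inventory, enabled_users):
    """Run all three checks; every list or dict is empty on a clean bridge."""
    return {
        "orphaned": orphaned_keys(inventory, enabled_users),
        "shared": shared_keys(inventory),
        "off_corp_vlan": off_corp_vlan(inventory),
    }


if __name__ == "__main__":
    for check, hits in reconcile(PPSK_INVENTORY, ENTRA_ENABLED).items():
        print(f"{check:14} {hits}")
```

Run this on the same cadence as the weekly backup job; an orphaned key is the PPSK equivalent of a certificate that did not revoke, and the shared-key check is what keeps the bridge from degrading into the shared corporate PSK the section rules out.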

3 · RF configuration

| AP | Location | 5 GHz | 6 GHz | 2.4 GHz |
|---|---|---|---|---|
| AP1 | Open-plan North | 36 / 40 MHz | 80 MHz PSC | off |
| AP2 | Open-plan Center | 149 / 40 MHz | 80 MHz PSC | ch 1, low |
| AP3 | Open-plan South | 44 / 40 MHz | 80 MHz PSC | off |
| AP4 | Conference Room | 60 / 40 MHz, low | 80 MHz PSC | off |
| AP5 | South Amenity (reused) | 153 / 40 MHz | 80 MHz PSC | ch 6, low |
| AP6 | Reception / Entrance | 157 / 40 MHz | 80 MHz PSC | off |
| AP7 | North Block / Meeting | 64 / 40 MHz | 80 MHz PSC | ch 11, low |

GLOBAL: min-RSSI −75 dBm · band steering prefer 5/6 GHz · MLO on SWC-Corp · min basic rate 12 Mbps (2.4) / 24 Mbps (5) · TX power Medium (open-plan) / Low–Medium (meeting cells) · meshing off (all APs wired)

Regulatory anchors — DFS and PH 6 GHz. 5 GHz is anchored on non-DFS channels 36 / 44 / 149 / 157: Mactan-Cebu International Airport sits ~10 km away and DFS radar hits are plausible — a hit forces an AP to vacate its channel mid-day. AP4/AP7 use DFS 60/64 as low-power in-room cells where a rare hit is tolerable; swap to non-DFS if events show up in logs. 6 GHz in the Philippines is the lower 500 MHz only (NTC MC 002-07-2024) — plan 80 MHz PSC-aligned channels, do not expect the full 1200 MHz that US documentation assumes. 2.4 GHz broadcasts from only 3 of 7 APs (ch 1/6/11, low power) to avoid self-interference.
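The table lists primary channels, and at 40 MHz two primaries can be the same air: 149 and 153 are one bonded 149+153 block, as are 60 and 64, so AP2/AP5 and AP4/AP7 are co-channel at 5 GHz as written (the text already treats AP4/AP7 as low-power in-room cells, so the reuse may be deliberate, but it is worth confirming against the placement on the 2D Plan page). The script below is an added example, not from the page, that transcribes the RF table and answers the three questions a reviewer asks of any channel plan: which APs are on DFS channels, which APs share a bonded block, and whether the 2.4 GHz radios are on distinct channels from 1/6/11. It also derives the PSC channel list for the PH lower 500 MHz of 6 GHz.

```python
"""Channel-plan checks for the RF table.

Added example, not part of the original page. The per-AP 5 GHz and 2.4 GHz
assignments are transcribed from the table; the functions answer what a
reviewer asks of any plan: which APs are on DFS channels (radar-vacate
risk near the airport), which APs share a bonded 40 MHz block (a 40 MHz
cell on 149 and one on 153 occupy the same 149+153 channel), and whether
the three 2.4 GHz radios are on distinct channels from {1, 6, 11}. The
PSC list for the PH lower 500 MHz of 6 GHz is derived for reference.
"""
from collections import defaultdict

# Transcribed from the RF table: AP -> (primary channel, width in MHz).
PLAN_5GHZ = {
    "AP1": (36, 40), "AP2": (149, 40), "AP3": (44, 40), "AP4": (60, 40),
    "AP5": (153, 40), "AP6": (157, 40), "AP7": (64, 40),
}
# 2.4 GHz radios that are on; the other four are off.
PLAN_2_4GHZ = {"AP2": 1, "AP5": 6, "AP7": 11}


def is_dfs(channel):
    """5 GHz channels 52-144 (UNII-2A / UNII-2C) require DFS radar detection."""
    return 52 <= channel <= 144


def bonded_block(channel, width):
    """Identify the bonded block a primary channel belongs to.

    20 MHz channels step by 4, so a 40 MHz block spans 8 channel numbers and
    an 80 MHz block spans 16. Channels 36-144 index from 36; 149 and above
    index from 149, because 144 and 149 never bond across the band gap.
    """
    base = 36 if channel < 149 else 149
    span = 4 * (width // 20)
    return (base, (channel - base) // span)


def dfs_aps(plan):
    """APs whose 5 GHz primary channel is DFS."""
    return sorted(ap for ap, (channel, _width) in plan.items() if is_dfs(channel))


def cochannel_groups(plan):
    """Groups of APs whose 5 GHz radios share one bonded block."""
    groups = defaultdict(list)
    for ap, (channel, width) in plan.items():
        groups[bonded_block(channel, width)].append(ap)
    return sorted(tuple(sorted(aps)) for aps in groups.values() if len(aps) > 1)


def two_four_ghz_ok(plan):
    """All active 2.4 GHz radios on distinct channels drawn from 1 / 6 / 11."""
    channels = list(plan.values())
    return set(channels) <= {1, 6, 11} and len(channels) == len(set(channels))


# 6 GHz PSC 20 MHz channels are 5 + 16n. The PH lower 500 MHz (5925-6425 MHz)
# is channels 1-93, which leaves six PSC-aligned 80 MHz blocks.
PSC_LOWER_500 = list(range(5, 94, 16))


if __name__ == "__main__":
    print("DFS APs:", dfs_aps(PLAN_5GHZ))
    print("shared 40 MHz blocks:", cochannel_groups(PLAN_5GHZ))
    print("2.4 GHz plan OK:", two_four_ghz_ok(PLAN_2_4GHZ))
    print("6 GHz PSC (PH lower 500):", PSC_LOWER_500)
```

With only four non-DFS 40 MHz blocks available (36+40, 44+48, 149+153, 157+161) and seven APs, some reuse is unavoidable; the value of the check is that it names the reused pairs so the placement can keep them as far apart as the floor allows, and it flags exactly the two APs whose DFS events to watch for in the logs.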

4 · WAN & gateway

WAN design

  • Primary: business fiber → SFP+ WAN port on the UCG-Fiber (direct or via ONU). Order in July — Cebu enterprise fiber installs run 4–8 weeks and are the #1 deadline risk.
  • Secondary: 5G CPE (~₱8,000 [estimate]) on the 2.5GbE port as WAN failover — and as day-one internet if the fiber slips past mid-August.

UCG-Fiber capability check [verified]

5 Gbps IDS/IPS throughput · zone-based inter-VLAN L7 firewall, 55,000+ signatures · rated 500+ clients / 50+ UniFi devices · 2× 10G SFP+, 1× 10GbE RJ45 WAN, 4× 2.5GbE · native RadSec. This site is 9 UniFi devices and ~375 peak clients — full IPS at 1 Gbps line rate with ~5× headroom. Do not also route a future second floor through it (client ceiling).

Single point of failure — accepted, mitigated. One gateway, one switch, one primary WAN; the UCG class has no HA pairing. Mitigation: (1) keep the old-office gear as cold spares instead of selling — a cloud-restore onto a spare is hours, a PH re-order is days; (2) weekly .unf config backup exported off-box via a TRMM job, on top of (3) Ubiquiti cloud backups tied to the site; (4) MFA enforced on the Ubiquiti account (hardware key for admins). A replacement gateway restores the full network config (same-or-newer UniFi OS).

5 · Switch port map — USW-Pro-XG-10-PoE

| Port | Type | Assignment | Notes |
|---|---|---|---|
| 1 | 10GbE PoE++ | AP1 — Open-plan North | Trunk: native VLAN 10, tag 20/30/40 |
| 2 | 10GbE PoE++ | AP2 — Open-plan Center | Trunk, as port 1 |
| 3 | 10GbE PoE++ | AP3 — Open-plan South | Trunk, as port 1 |
| 4 | 10GbE PoE++ | AP4 — Conference Room | Trunk, as port 1 |
| 5 | 10GbE PoE++ | AP5 — South Amenity (reused unit) | Trunk, as port 1 |
| 6 | 10GbE PoE++ | AP6 — Reception / Entrance | Trunk, as port 1 |
| 7 | 10GbE PoE++ | AP7 — North Block / Meeting | Trunk, as port 1 |
| 8 | 10GbE PoE++ | Spare drop C8 (conference room) | Patched, port disabled until used |
| 9 | 10GbE PoE++ | Spare — wired printer(s) | Access VLAN 40 |
| 10 | 10GbE PoE++ | Spare — meeting-room TV | Access VLAN 40 |
| SFP+ 1 | 10G SFP+ | UCG-Fiber uplink | DAC (UACC-DAC-SFP10), trunk all VLANs |
| SFP+ 2 | 10G SFP+ | Spare | Future second switch / NAS |
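The port map is where the VLAN plan either holds or leaks: an AP trunk that picks up VLAN 50, or an access port that lands on VLAN 10, undoes the segmentation in §1. The following is an added example, not from the page or from UniFi, that derives what an AP trunk must carry from the SSID/VLAN plan (untagged on 10 for the AP itself, tagged 20/30/40 for the three SSIDs, nothing else) and checks every transcribed port row against that, plus: access ports carry no tags and never sit on VLAN 10, spare ports are disabled, and the gateway uplink carries all five VLANs. Two things are assumptions: the uplink is modelled as native 10 plus the rest tagged (the table only says "trunk all VLANs"), and SFP+ 2 is modelled as enabled because the table, unlike port 8, does not mark it disabled, which is why the check reports it.

```python
"""Port-map consistency check for the USW-Pro-XG-10-PoE table.

Added example, not from the page or from UniFi. From the SSID/VLAN plan it
derives what an AP trunk must carry (untagged on VLAN 10 for the AP itself,
tagged 20/30/40 for the three SSIDs and nothing else, so VLAN 50 can never
leak onto a WiFi port) and checks each transcribed port row against that,
plus: access ports carry no tags and never sit on VLAN 10, spare ports are
disabled, and the gateway uplink carries all five VLANs. ASSUMPTIONS: the
uplink is modelled as native 10 plus the rest tagged (the table only says
"trunk all VLANs"), and SFP+ 2 is enabled because the table does not mark
it disabled.
"""
SSID_VLANS = {20, 30, 40}        # VLANs that have an SSID behind them
ALL_VLANS = {10, 20, 30, 40, 50}
MGMT_VLAN = 10


def ap_trunk():
    """Port row for an AP: untagged on the management VLAN, SSID VLANs tagged."""
    return {"role": "ap-trunk", "native": MGMT_VLAN, "tagged": set(SSID_VLANS), "enabled": True}


# Transcribed from the port map. Roles: ap-trunk, access, uplink, spare.
PORTS = {
    **{p: ap_trunk() for p in range(1, 8)},                                   # ports 1-7: AP1-AP7
    8: {"role": "spare", "native": 10, "tagged": set(), "enabled": False},    # drop C8, disabled
    9: {"role": "access", "native": 40, "tagged": set(), "enabled": True},    # wired printer(s)
    10: {"role": "access", "native": 40, "tagged": set(), "enabled": True},   # meeting-room TV
    "SFP+ 1": {"role": "uplink", "native": 10, "tagged": {20, 30, 40, 50}, "enabled": True},
    "SFP+ 2": {"role": "spare", "native": 10, "tagged": set(), "enabled": True},  # not marked disabled
}

# Constructed drift: port 5 re-tagged with VLAN 50 by mistake.
DRIFTED = {**PORTS, 5: {"role": "ap-trunk", "native": 10, "tagged": {20, 30, 40, 50}, "enabled": True}}


def check_ports(ports):
    """Return human-readable findings; an empty list means the map is consistent."""
    findings = []
    for port, cfg in ports.items():
        role, native, tagged, enabled = cfg["role"], cfg["native"], cfg["tagged"], cfg["enabled"]
        if role == "ap-trunk":
            if native != MGMT_VLAN:
                findings.append(f"port {port}: AP must be untagged on VLAN {MGMT_VLAN}")
            if tagged != SSID_VLANS:
                findings.append(f"port {port}: tagged {sorted(tagged)} but SSID VLANs are {sorted(SSID_VLANS)}")
        elif role == "access":
            if tagged:
                findings.append(f"port {port}: access port carries tagged VLANs {sorted(tagged)}")
            if native == MGMT_VLAN:
                findings.append(f"port {port}: access port sits on the management VLAN")
        elif role == "uplink":
            if {native} | tagged != ALL_VLANS:
                findings.append(f"port {port}: uplink does not carry all VLANs {sorted(ALL_VLANS)}")
        elif role == "spare" and enabled:
            findings.append(f"port {port}: spare port is still enabled")
    return findings


if __name__ == "__main__":
    for finding in check_ports(PORTS) or ["port map consistent"]:
        print(finding)
    print("drifted:", check_ports(DRIFTED))
```

Keeping the expected trunk shape derived from the SSID table, rather than typed into the checker, means adding a fourth SSID later changes one set and every AP port is re-judged against it.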

PoE budget: 7 × 29 W nameplate = 203 W of the switch's 400 W (51%). This is exactly why the original 8-port idea fails — the USW-Pro-XG-8-PoE's 155 W budget locks the design at 5 APs. Full comparison on the Hardware page.

Guest WiFi compliance — PH Data Privacy Act (RA 10173)

A guest portal that collects names/emails is "processing of personal information" under RA 10173 and the NPC's amended IRR: consent flow, privacy notice at collection, retention schedule, 72-hour breach notification, DPO obligations. [verified] The design avoids nearly all of it:

6 · Firmware & management policy

Firmware

  • Official release channel only — never Early Access in production
  • APs + switch: auto-update window Sunday 02:00 PHT
  • Gateway: manual update after a 2-week soak on the release

Remote access

  • UniFi Site Manager (unifi.ui.com) for remote multi-site management — no inbound port-forwards
  • MFA enforced on the Ubiquiti account; hardware key for admins
  • Local-only fallback admin kept in the vault

Monitoring hooks

  • Site Manager alerts webhooked into the existing Teams channel
  • TRMM job archives the weekly .unf export off-box (existing Tactical RMM stack)
  • XGS dedicated spectral-analysis radio → per-AP RF interference visibility from day one

Sources & data

UCG-Fiber / U7 Pro XGS / USW-Pro-XG-10-PoE: techspecs.ui.com · SSID & PPSK/RADIUS VLAN behavior: help.ui.com · Cloud PKI pricing: learn.microsoft.com/intune/cloud-pki · RADIUSaaS + RadSec: docs.radiusaas.com · RA 10173 + IRR: privacy.gov.ph · PH 6 GHz: NTC MC 002-07-2024. Full source list, propagation model and vendor quotes: knowledge base. Raw dataset: data-raw/network-architecture.json (2026-07).