Network Design · Logical Architecture
SSIDs, VLANs, authentication, RF plan, WAN and switch port map for the 530.62 sqm floor: 3 SSIDs over 5 VLANs on 7× U7 Pro XGS, terminated on a USW-Pro-XG-10-PoE and a reused UCG-Fiber. Physical placement and the coverage model live on the 2D Plan page.
1 · SSID / VLAN plan
| SSID | Authentication | Bands | VLAN | Subnet | Policy |
|---|---|---|---|---|---|
| SWC-Corp MLO | WPA3-Enterprise: 802.1X EAP-TLS via Entra ID (PPSK fallback, see §2) | 5 + 6 GHz | 20 | 10.20.20.0/23 | Managed devices only; /23 because 150 staff × 2–3 devices ≈ 400 addresses, which would exhaust a /24 |
| SWC-Guest | WPA2/WPA3 transition + voucher portal (zero personal-data fields, DPA-safe, see §5) | 2.4 + 5 GHz | 30 | 10.20.30.0/24 | Client isolation, bandwidth cap 10/10 Mbps, internet-only, 2 h DHCP lease |
| SWC-IoT | WPA2-PSK | 2.4 GHz | 40 | 10.20.40.0/24 | Printers, meeting-room TVs; allow CORP→IoT (printing), deny IoT→CORP |
| – (no SSID) | Wired / management only | – | 10 | 10.20.10.0/24 | APs, switch, gateway UI. Never broadcast. |
| – (no SSID) | Reserved | – | 50 | 10.20.50.0/24 | Future UniFi Protect CCTV, no internet egress |
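The inter-VLAN policy in the table above, expressed as a runnable policy-as-code check. This is an added example, not the page's or UniFi's own configuration; it assumes printing means 9100/tcp and 631/tcp, that zones default to deny, and that only the initiating direction needs a rule because replies are handled statefully:

```python
# Added example (not the page's or UniFi's own code): the section-1
# segmentation policy as ordered first-match rules. Assumed: printing =
# 9100/tcp + 631/tcp, default deny between zones, replies are stateful.
from dataclasses import dataclass
from typing import Optional

MGMT, CORP, GUEST, IOT, CCTV = 10, 20, 30, 40, 50
INTERNET = "internet"                 # pseudo-zone for WAN egress
PRINT_PORTS = frozenset({9100, 631})  # assumed printer ports

@dataclass(frozen=True)
class Rule:
    src: object                         # VLAN id or INTERNET
    dst: object
    action: str                         # "allow" or "deny"
    ports: Optional[frozenset] = None   # None matches any port

# Ordered; first match wins; anything unmatched is denied.
RULES = [
    Rule(GUEST, INTERNET, "allow"),         # guest is internet-only
    Rule(CORP, IOT, "allow", PRINT_PORTS),  # CORP->IoT printing only
    Rule(IOT, CORP, "deny"),                # IoT never initiates to CORP
    Rule(CCTV, INTERNET, "deny"),           # VLAN 50: no internet egress
    Rule(CORP, INTERNET, "allow"),          # implied by the design
]

def evaluate(src, dst, dport: Optional[int] = None) -> str:
    """Verdict for a new flow from zone src to zone dst on dport."""
    if src == dst:
        # Same-VLAN traffic is switched, not routed; guest client
        # isolation blocks it at the AP, every other VLAN passes it.
        return "deny" if src == GUEST else "allow"
    for rule in RULES:
        if rule.src == src and rule.dst == dst and (
            rule.ports is None or dport in rule.ports
        ):
            return rule.action
    return "deny"  # default deny between zones (assumption)

def audit() -> dict:
    """Verdicts for the flows the design makes claims about."""
    cases = {
        "corp->iot print 9100": (CORP, IOT, 9100),
        "iot->corp smb 445": (IOT, CORP, 445),
        "guest->corp https 443": (GUEST, CORP, 443),
        "guest->mgmt https 443": (GUEST, MGMT, 443),
        "guest->guest any": (GUEST, GUEST, None),
        "cctv->internet 443": (CCTV, INTERNET, 443),
    }
    return {name: evaluate(*flow) for name, flow in cases.items()}
```

Running `audit()` after any rule change gives a quick regression check that the stated isolation guarantees still hold.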
2 · Authentication
Target: 802.1X EAP-TLS tied to Entra ID
The company already runs M365/Entra + Intune + Tactical RMM with no on-prem AD, so password-based EAP (MSCHAPv2) cannot authenticate against cloud-only Entra. Certificates are the path:
- Intune Cloud PKI add-on issues per-device certs at ~$2/user/mo (₱0 if already on Intune Suite; verify licensing) (verified)
- RADIUSaaS (~€1.50/user/mo up to 275 users) speaks RadSec directly to the UCG-Fiber: TLS-encrypted RADIUS to the cloud, no on-prem VM to build or patch (verified)
- Certificates auto-revoke with the Entra account, so offboarding kills WiFi access the same hour as e-mail
Indicative opex at 150 users: PKI ≈ ₱17,400/mo + RADIUSaaS ≈ ₱14,550/mo (estimate)
Fallback: PPSK day-one, migrate after
If subscription procurement slips past the office opening, launch SWC-Corp on per-user PPSK (private pre-shared keys): free, native UniFi, per-key VLAN assignment, works with every client type. Migrate to EAP-TLS once PKI + RADIUS are live.
- Never launch on a single shared corporate PSK
- PPSK offboarding is manual (150 keys, no Entra tie): acceptable as a bridge, a credential-exposure risk if it becomes permanent
- Note: the UCG-Fiber's built-in RADIUS only authenticates local UniFi user entries; it cannot validate against Entra, so it is not a corp-WiFi IdP (verified)
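The PPSK bridge above leaves offboarding manual. The following added example (not the page's or UniFi's code) generates per-user keys with Python's secrets module and diffs the key inventory against a constructed export of active Entra accounts, turning the 150-key hunt into a revoke/issue list; the user names, key length and inventory shape are assumptions:

```python
# Added example: per-user PPSK generation plus reconciliation against
# the identity source. Key length, alphabet and the sample users are
# constructed assumptions; the page only says PPSK offboarding is manual.
import secrets
import string
from math import log2

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
KEY_LEN = 20                                      # ~119 bits of entropy
CORP_VLAN = 20                                    # per-key VLAN, section 1

def generate_ppsk(length: int = KEY_LEN) -> str:
    """Uniformly random passphrase; WPA2/WPA3-Personal allows 8-63 chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int = KEY_LEN, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random key over `alphabet`."""
    return length * log2(len(alphabet))

def build_inventory(upns):
    """One PPSK per user principal name, each pinned to the corp VLAN."""
    return {upn: {"key": generate_ppsk(), "vlan": CORP_VLAN} for upn in upns}

def stale_keys(inventory, active_upns):
    """Keys whose owner is no longer in the identity export -> revoke."""
    active = set(active_upns)
    return sorted(upn for upn in inventory if upn not in active)

def missing_keys(inventory, active_upns):
    """Active users who never received a key (joiners) -> issue."""
    return sorted(upn for upn in active_upns if upn not in inventory)

# Constructed sample data: three users at launch, one leaver, one joiner.
LAUNCH_USERS = ["ana@example.com", "ben@example.com", "cho@example.com"]
ACTIVE_TODAY = ["ana@example.com", "cho@example.com", "dee@example.com"]

if __name__ == "__main__":
    inv = build_inventory(LAUNCH_USERS)
    print(f"PPSK entropy: {entropy_bits():.0f} bits")
    print("revoke:", stale_keys(inv, ACTIVE_TODAY))
    print("issue :", missing_keys(inv, ACTIVE_TODAY))
```

Feed the real inventory and a fresh Entra user export into `stale_keys` on a schedule and the bridge period gets an audit trail rather than relying on someone remembering each leaver.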
3 · RF configuration
| AP | Location | 5 GHz | 6 GHz | 2.4 GHz |
|---|---|---|---|---|
| AP1 | Open-plan North | 36 / 40 MHz | 80 MHz PSC | off |
| AP2 | Open-plan Center | 149 / 40 MHz | 80 MHz PSC | ch 1, low |
| AP3 | Open-plan South | 44 / 40 MHz | 80 MHz PSC | off |
| AP4 | Conference Room | 60 / 40 MHz, low | 80 MHz PSC | off |
| AP5 | South Amenity reused | 153 / 40 MHz | 80 MHz PSC | ch 6, low |
| AP6 | Reception / Entrance | 157 / 40 MHz | 80 MHz PSC | off |
| AP7 | North Block / Meeting | 64 / 40 MHz | 80 MHz PSC | ch 11, low |
| GLOBAL | min-RSSI -75 dBm · band steering prefer 5/6 GHz · MLO on SWC-Corp · min basic rate 12 Mbps (2.4) / 24 Mbps (5) · TX power Medium (open-plan) / Low–Medium (meeting cells) · meshing off (all APs wired) | | | |
4 · WAN & gateway
WAN design
- Primary: business fiber into the SFP+ WAN port on the UCG-Fiber (direct or via ONU). Order in July: Cebu enterprise fiber installs run 4–8 weeks and are the #1 deadline risk.
- Secondary: 5G CPE (~₱8,000, estimate) on the 2.5GbE port as WAN failover, and as day-one internet if the fiber slips past mid-August.
UCG-Fiber capability check (verified)
5 Gbps IDS/IPS throughput · zone-based inter-VLAN L7 firewall, 55,000+ signatures · rated 500+ clients / 50+ UniFi devices · 2× 10G SFP+, 1× 10GbE RJ45 WAN, 4× 2.5GbE · native RadSec. This site is 9 UniFi devices and ~375 peak clients, so full IPS runs at 1 Gbps line rate with ~5× headroom. Do not also route a future second floor through it (client ceiling).
5 · Switch port map: USW-Pro-XG-10-PoE
| Port | Type | Assignment | Notes |
|---|---|---|---|
| 1 | 10GbE PoE++ | AP1 – Open-plan North | Trunk: native VLAN 10, tag 20/30/40 |
| 2 | 10GbE PoE++ | AP2 – Open-plan Center | Trunk, as port 1 |
| 3 | 10GbE PoE++ | AP3 – Open-plan South | Trunk, as port 1 |
| 4 | 10GbE PoE++ | AP4 – Conference Room | Trunk, as port 1 |
| 5 | 10GbE PoE++ | AP5 – South Amenity (reused unit) | Trunk, as port 1 |
| 6 | 10GbE PoE++ | AP6 – Reception / Entrance | Trunk, as port 1 |
| 7 | 10GbE PoE++ | AP7 – North Block / Meeting | Trunk, as port 1 |
| 8 | 10GbE PoE++ | Spare drop C8 (conference room) | Patched, port disabled until used |
| 9 | 10GbE PoE++ | Spare – wired printer(s) | Access VLAN 40 |
| 10 | 10GbE PoE++ | Spare – meeting-room TV | Access VLAN 40 |
| SFP+ 1 | 10G SFP+ | UCG-Fiber uplink | DAC (UACC-DAC-SFP10), trunk all VLANs |
| SFP+ 2 | 10G SFP+ | Spare | Future second switch / NAS |
PoE budget: 7 × 29 W nameplate = 203 W of the switch's 400 W (51%). This is exactly why the original 8-port idea fails: the USW-Pro-XG-8-PoE's 155 W budget locks the design at 5 APs. Full comparison on the Hardware page.
Guest WiFi compliance: PH Data Privacy Act (RA 10173)
A guest portal that collects names/emails is "processing of personal information" under RA 10173 and the NPC's amended IRR: consent flow, privacy notice at collection, retention schedule, 72-hour breach notification, DPO obligations (verified). The design avoids nearly all of it:
- Voucher system: reception prints time-limited codes; zero personal-data fields on the portal
- Guest/DHCP logs retained max 30 days (logs still count as limited processing)
- One paragraph added to the company privacy notice naming guest WiFi, purpose, retention
- Confirm the Cebu entity's existing NPC/DPO registration covers this site
6 · Firmware & management policy
Firmware
- Official release channel only; never Early Access in production
- APs + switch: auto-update window Sunday 02:00 PHT
- Gateway: manual update after a 2-week soak on the release
Remote access
- UniFi Site Manager (unifi.ui.com) for remote multi-site management; no inbound port-forwards
- MFA enforced on the Ubiquiti account; hardware key for admins
- Local-only fallback admin kept in the vault
Monitoring hooks
- Site Manager alerts webhooked into the existing Teams channel
- TRMM job archives the weekly .unf export off-box (existing Tactical RMM stack)
- XGS dedicated spectral-analysis radio: per-AP RF interference visibility from day one
Sources & data
UCG-Fiber / U7 Pro XGS / USW-Pro-XG-10-PoE: techspecs.ui.com · SSID & PPSK/RADIUS VLAN behavior: help.ui.com · Cloud PKI pricing: learn.microsoft.com/intune/cloud-pki · RADIUSaaS + RadSec: docs.radiusaas.com · RA 10173 + IRR: privacy.gov.ph · PH 6 GHz: NTC MC 002-07-2024. Full source list, propagation model and vendor quotes: knowledge base. Raw dataset: data-raw/network-architecture.json (2026-07).