UniFi Reference Implementation — FMMN (Small Site)

Reference Implementation for a small facility (~20 cameras, several BMS/OT devices, 3–5 door readers, 4 APs), mirroring the FMMN standard with UniFi gear.

Published: August 2025

Scope

Implement the FMMN reference architecture using UniFi for a small facility. The design mirrors our standard: two diverse providers → two ISP (demarc) switches → two edge routers (UDM-SE) → two core PoE switches, with loop-free interconnects and strict VLAN/L3 segmentation.

Outcomes

  • No single point of failure in switching/PoE; dual provider entrances.
  • Clean L2/L3 segmentation and enforceable firewall boundaries.
  • VPN for admins, tested failover, and a complete handoff pack.

0) Bill of Materials (final)

Demarc / ISP fan-out

  • 1× USW-WAN (CNR-A) — “USW-WAN-A”
  • 1× USW-WAN (CNR-B) — “USW-WAN-B”

Edge routers / controllers

  • 1× UDM-SE (CNR-A) — “UDM-A” (Primary)
  • 1× UDM-SE (CNR-B) — “UDM-B” (Warm standby)

Core switching / PoE

  • 1× USW-Pro-24-PoE (CNR-A) — “CORE-A”
  • 1× USW-Pro-24-PoE (CNR-B) — “CORE-B”

Recording / Wi‑Fi / Endpoints

  • 1× UNVR-Pro + HDDs (~25 TB usable for 30-day 1080p continuous)
  • ~20× UniFi G4/G5 cameras (mix)
  • 4× U6-Pro APs
  • (Optional) UniFi Access (UA-Hub + readers)

Out-of-Band

  • 1× LTE router (different carrier) + tiny 5-port switch (console/OOB)

Power & optics

  • 2× rack UPS (A/B), SFP+ DACs/optics, CAT6A to endpoints, OS2/OM4 trunks

1) Physical Layout, Power, and Labeling

  • Rooms: CNR-A and CNR-B on opposite sides (diagonally is ideal).
  • Racks: CNR-A: USW-WAN-A (top), UDM-A, CORE-A, UNVR-Pro. CNR-B: USW-WAN-B, UDM-B, CORE-B.
  • Power: UDM-A, USW-WAN-A, CORE-A → PDU-A (UPS-A). UDM-B, USW-WAN-B, CORE-B → PDU-B (UPS-B). UNVR-Pro → opposite PDU from majority of cameras.
  • Path diversity: Path-A tray to CNR-A; Path-B tray to CNR-B.
  • Labels: PATH(A|B)-ROOM(CNR-A|CNR-B)-RACK-U-PORT. Endpoints like CCTV-LOBBY-01, BMS-MECH-02.

2) Topology (wire‑level)

Provider A ─> ENP-A handoff ─> [USW-WAN-A] ──> UDM-A (WAN1 active)
                                          └──> UDM-B (WAN2 prewired, disabled)

Provider B ─> ENP-B handoff ─> [USW-WAN-B] ──> UDM-B (WAN1 active - standby role)
                                          └──> UDM-A (WAN2 prewired, disabled)

LAN side (10G trunks):
           UDM-A ──────────┐                    ┌────────── UDM-B
                           └─[CORE-A]═[CORE-B]─┘
                            (RSTP root) (RSTP secondary)

PoE endpoints (cams/AP/OT/Doors) split evenly across CORE-A and CORE-B
UNVR-Pro dual-trunked to both cores (records only from CCTV VLAN)

Note: UniFi lacks true VRRP/stateful HA on UDMs. Implement warm standby (UDM-B prewired,
VLANs present but disabled) and a promote-standby runbook.

3) Port-by-Port Wiring

3.1 USW-WAN-A (CNR-A, Provider A demarc)

  • Port 1: ← Provider-A handoff (untagged unless carrier requires a VLAN)
  • Port 2: → UDM-A WAN1 (Primary)
  • Port 3: → UDM-B WAN2 (Prewired standby; admin-disabled)
  • Port 1 settings: LLDP/CDP off; BPDU-Guard on; storm-control; MAC limit 1–2; fix speed/duplex if required

3.2 USW-WAN-B (CNR-B, Provider B demarc)

  • Port 1: ← Provider-B handoff
  • Port 2: → UDM-B WAN1 (Active link to standby UDM)
  • Port 3: → UDM-A WAN2 (Prewired standby; admin-disabled)
  • Security settings mirror USW-WAN-A

3.3 UDM-SEs (Edge Routers)

  • UDM-A (Primary): WAN1 from USW-WAN-A; WAN2 from USW-WAN-B (disabled). Two 10G LAN trunks to CORE-A and CORE-B.
  • UDM-B (Standby): WAN1 from USW-WAN-B (up, mgmt/VPN only); WAN2 from USW-WAN-A (disabled). Two 10G LAN trunks to CORE-B and CORE-A.

3.4 Cores (USW-Pro-24-PoE)

  • CORE-A SFP+ 1 ↔ UDM-A LAN SFP+ (TRUNK-CORE)
  • CORE-A SFP+ 2 ↔ UDM-B LAN (TRUNK-CORE)
  • CORE-B SFP+ 1 ↔ UDM-B LAN SFP+ (TRUNK-CORE)
  • CORE-B SFP+ 2 ↔ UDM-A LAN (TRUNK-CORE)
  • CORE-A SFP+ 3 ↔ CORE-B SFP+ 3 (single inter-core TRUNK-CORE)
  • Access ports: evenly spread cameras, APs, BMS/OT, Access Control; apply VLAN-specific profiles.

4) VLANs, Addressing, DHCP (authoritative)

Per-site IPv4 supernet (Small): 10.37.0.0/22

Per-site IPv6 /48: fdaa:1:37::/48 (ULA; replace with GUA when available)

VLAN  Name         Gateway (UDM-A)  DHCP Scope        IPv6 /64
10    OOB-MGMT     10.37.0.1/26     10.37.0.10–50     fdaa:1:37:10::/64
20    NET-MGMT     10.37.0.65/26    10.37.0.80–120    fdaa:1:37:20::/64
30    BMS/EPMS     10.37.0.129/25   10.37.0.140–250   fdaa:1:37:30::/64
40    CCTV         10.37.1.1/24     10.37.1.50–230    fdaa:1:37:40::/64
50    ACCESS-CTRL  10.37.2.1/26     10.37.2.10–40     fdaa:1:37:50::/64
70    OT-CONTROL   10.37.2.65/26    10.37.2.80–120    fdaa:1:37:70::/64
90    WLAN-CLIENT  10.37.2.129/25   10.37.2.140–250   fdaa:1:37:90::/64
100   GUEST        10.37.3.1/24     10.37.3.50–230    fdaa:1:37:100::/64

WAN VLANs (if required by carriers): 4090 (WAN-A) on USW-WAN-A; 4091 (WAN-B) on USW-WAN-B.

5) UniFi Controller — Exact Steps

5.1 Site & Adoption

  • Create site “SITE-37”. Adopt USW-WAN-A, USW-WAN-B, UDM-A, UDM-B, CORE-A, CORE-B, UNVR-Pro. Upgrade firmware.

5.2 Create Networks (VLANs & DHCP on UDM-A)

  • NET-MGMT (VLAN 20): 10.37.0.65/26, DHCP on (10.37.0.80–120), IPv6 /64 fdaa:1:37:20::/64
  • BMS/EPMS (VLAN 30): 10.37.0.129/25, DHCP on
  • CCTV (VLAN 40): 10.37.1.1/24, DHCP on
  • ACCESS-CTRL (VLAN 50): 10.37.2.1/26, DHCP on
  • OT-CONTROL (VLAN 70): 10.37.2.65/26, DHCP on
  • WLAN-CLIENT (VLAN 90): 10.37.2.129/25, DHCP on
  • GUEST (VLAN 100): 10.37.3.1/24, DHCP on
  • OOB-MGMT (VLAN 10): usually separate via LTE/OOB; only create if you run OOB through UniFi
  • On UDM-B: mirror networks but disable “DHCP” and “Router Interface” for each (enable only during DR).

5.3 WAN Networks (if tagged by carrier)

  • Create VLAN-only WAN-A (4090) on USW-WAN-A and WAN-B (4091) on USW-WAN-B. Tag carrier ports accordingly.

5.4 Switch Port Profiles

  • TRUNK-CORE: Tagged 10/20/30/40/50/70/90/100; Native none
  • CCTV-PoE: Untagged 40; PoE on; Port Isolation on
  • AP-TRUNK: Tagged 90,100; Management VLAN 20; PoE on
  • OT-CONTROL: Untagged 70; optional rate limit; Isolation on
  • ACCESS-CTRL: Untagged 50; PoE as needed; Isolation on
  • WAN-A-CARRIER / WAN-B-CARRIER: LLDP/CDP off; BPDU-Guard on; MAC limit 1–2

5.5 STP & Root

Set CORE-A as RSTP root primary, CORE-B as secondary. Verify one redundant path blocks.

5.6 Wireless

  • SSID Corp-WiFi → VLAN 90 (WPA2/3-Enterprise if RADIUS; else strong WPA2)
  • SSID Guest → VLAN 100 (client isolation; rate limits)

5.7 Firewall Rules

Default posture: Drop inter-VLAN by default; add explicit allows.

  • Allow NET-MGMT → infra mgmt (SSH/HTTPS/SNMP/Syslog)
  • Allow CCTV → NVR (RTSP/HTTPS)
  • Allow ACCESS → auth/NTP/Syslog (narrow)
  • Allow Jump → OT via jump host only; deny direct corp → OT
  • Deny GUEST → RFC1918; allow only DNS/HTTP/HTTPS to internet
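To make these boundaries testable before they are typed into the controller, here is an added Python model (not UniFi's rule format and not part of the original design) that expresses the bullets above as a first-match policy ending in the implicit inter-VLAN drop, then replays the "Firewall Boundaries" expectations from section 9 against it. The NVR (10.37.1.10) and jump-host (10.37.0.70) addresses are constructed placeholders, infra management addresses are assumed to live in NET-MGMT, and RTSP is taken as its IANA port 554 since the page names only the service.

```python
import ipaddress
from collections import namedtuple

N = ipaddress.ip_network
Rule = namedtuple("Rule", "name src dsts services action")  # services=None matches any port

# Firewall objects from section 11; subnets come from the section 4 table. The NVR and
# jump-host addresses are constructed placeholders (static, outside the DHCP scopes).
NETMGMT_SUBNET, CCTV_SUBNET = N("10.37.0.64/26"), N("10.37.1.0/24")
ACCESS_SUBNET, OT_SUBNET, GUEST_SUBNET = N("10.37.2.0/26"), N("10.37.2.64/26"), N("10.37.3.0/24")
NVR_HOST, MGMT_JUMPHOST = N("10.37.1.10/32"), N("10.37.0.70/32")
RFC1918 = [N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")]
# Services as (proto, port); RTSP 554 is the IANA port (the page only says "RTSP/Protect").
SSH, HTTPS, SNMP, SYSLOG, NTP = ("tcp", 22), ("tcp", 443), ("udp", 161), ("udp", 514), ("udp", 123)
RTSP, DNS, HTTP = ("tcp", 554), ("udp", 53), ("tcp", 80)

# Ordered policy, first match wins; anything unmatched hits the default inter-VLAN drop.
# Assumption: infra management addresses (UDMs, switches, APs) live in NET-MGMT.
POLICY = [
    Rule("netmgmt-to-infra", NETMGMT_SUBNET, [NETMGMT_SUBNET], {SSH, HTTPS, SNMP, SYSLOG}, "allow"),
    Rule("cctv-to-nvr", CCTV_SUBNET, [NVR_HOST], {RTSP, HTTPS}, "allow"),
    Rule("access-to-ntp-syslog", ACCESS_SUBNET, [NETMGMT_SUBNET], {NTP, SYSLOG}, "allow"),
    Rule("jump-to-ot-mgmt", MGMT_JUMPHOST, [OT_SUBNET], {SSH, HTTPS}, "allow"),
    Rule("guest-no-rfc1918", GUEST_SUBNET, RFC1918, None, "deny"),
    Rule("guest-internet", GUEST_SUBNET, [N("0.0.0.0/0")], {DNS, HTTP, HTTPS}, "allow"),
]

def decide(src, dst, proto, port, policy=POLICY):
    """Return (action, rule_name) for one flow under first-match evaluation."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in r.src and any(d in n for n in r.dsts) and (r.services is None or (proto, port) in r.services):
            return r.action, r.name
    return "deny", "default-drop"

def acceptance_checks(policy=POLICY):
    """Section 9 'Firewall Boundaries' expectations as constructed flows; True means the policy behaves as required."""
    cases = {
        "corp-wifi-cannot-reach-nvr": (("10.37.2.140", "10.37.1.10", "tcp", 443), "deny"),
        "corp-wifi-cannot-reach-ot": (("10.37.2.140", "10.37.2.80", "tcp", 22), "deny"),
        "jump-reaches-ot-on-ssh": (("10.37.0.70", "10.37.2.80", "tcp", 22), "allow"),
        "jump-blocked-on-non-mgmt-port": (("10.37.0.70", "10.37.2.80", "tcp", 5000), "deny"),
        "other-netmgmt-host-blocked-to-ot": (("10.37.0.90", "10.37.2.80", "tcp", 22), "deny"),
        "guest-denied-rfc1918": (("10.37.3.50", "10.37.0.65", "tcp", 443), "deny"),
        "guest-https-to-internet": (("10.37.3.50", "203.0.113.10", "tcp", 443), "allow"),
        "guest-ssh-to-internet-denied": (("10.37.3.50", "203.0.113.10", "tcp", 22), "deny"),
    }
    return {name: decide(*flow, policy=policy)[0] == want for name, (flow, want) in cases.items()}
```

Dropping a rule from POLICY and re-running acceptance_checks shows which section 9 expectation that rule was carrying.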

5.8 VPN

  • Site-to-Site: IKEv2/IPsec to DC/HQ; advertise only 10.37.0.0/22. Prefer active UDM-A; add a second tunnel from UDM-B if possible.
  • Remote Admin: L2TP/IPsec on UDM-A; MFA; pool inside NET-MGMT; jump-only to OT.

5.9 NTP, Syslog, Telemetry

  • NTP: UDM-A as LAN NTP + a lightweight secondary in CNR-B.
  • Syslog: send UDMs/switches/UNVR-Pro to collector in NET-MGMT (TLS if supported).
  • SNMPv3/Telemetry: enable and export NetFlow/IPFIX if available.

6) UNVR-Pro & Cameras

  • UNVR-Pro uplinks: 2×10G trunks (one to each core), TRUNK-CORE profile.
  • Recording network: only VLAN 40 (CCTV); DHCP from 10.37.1.0/24.
  • Profiles: H.265; ~3–6 Mb/s per camera; motion zones to reduce storage.
  • Storage math (20 cams @ 1080p continuous): ~24.7 TB / 30 days → provision ≥25 TB usable.

7) PoE & Power Budgets

  • Cameras 20× @ 8–10 W ⇒ 160–200 W
  • APs 4× @ ~13 W ⇒ ~52 W
  • Doors/OT misc ⇒ 40–60 W
  • Total PoE ≈ 260–310 W → two USW-Pro-24-PoE (400 W each) provide headroom and A/B spread.
  • Separate PDUs/UPS for CORE-A and CORE-B.

8) Failover & DR (Warm Standby UDM)

Goal: if UDM-A fails, UDM-B becomes the gateway with the same VLAN IPs/DHCP in ≤10 minutes, with no recabling.

  1. Prepare: UDM-B has identical VLANs as UDM-A but Router Interface + DHCP disabled. WANs prewired on both.
  2. Promote-Standby runbook:
    • If UDM-A reachable, disable LAN gateways/DHCP there; otherwise power it off.
    • On UDM-B, enable LAN gateways and DHCP for 20/30/40/50/70/90/100.
    • Bounce UDM-B uplink ports or toggle interfaces to force GARP/ARP refresh.
  3. Verify: clients use UDM-B as GW; VPN terminates on UDM-B; egress via Provider-B; optionally reprioritize to Provider-A.
  4. Quarterly drill: execute steps in a window; capture timings and gaps.

9) Acceptance Tests (Handoff Checklist)

  • WAN Diversity: Pull Provider-A at USW-WAN-A; observe continuity via B.
  • Core Failure: Power off CORE-A; ~50% PoE endpoints continue via CORE-B (and vice versa).
  • UDM Promote: Execute runbook; verify GWs, DHCP, VPN, routes.
  • Firewall Boundaries: Corp Wi‑Fi cannot reach CCTV/OT; Jump host can reach OT only on allowed mgmt ports; Guest internet-only.
  • NVR Resilience: Disconnect one core uplink; NVR still records from surviving paths.
  • Time/Logs: NTP in sync; syslog receiving; alarms configured.

10) Ops, Backups, and Security Hygiene

  • Backups: Export UDM-A/UDM-B configs after any change; weekly switch backups; store encrypted.
  • Golden Configs in Git; PR + peer review; break-glass with post-mortem.
  • Patch cadence: quarterly; stage in CNR-B first.
  • AAA: Per-user accounts; strong MFA on controller; rotate local device creds quarterly.
  • Hardening: Disable UPnP; DHCP snooping on client VLANs; port isolation on CCTV/Guest; lock management to NET-MGMT.
  • Monitoring: Page on ENP link down, UDM interface down, inter-core link down, NVR storage degraded, time drift >2 s.

11) Port & Object Tables (quick reference)

Device Type  Count  Core-A Ports  Core-B Ports  Profile
Cameras      20     3–12 (10)     3–12 (10)     CCTV-PoE
APs          4      13–14 (2)     13–14 (2)     AP-TRUNK
OT/BMS       10     15–19 (5)     15–19 (5)     OT-CONTROL
Door gear    4      20–21 (2)     20–21 (2)     ACCESS-CTRL

Firewall object recap: Subnets — NETMGMT_SUBNET, CCTV_SUBNET, OT_SUBNET, ACCESS_SUBNET, WLAN_SUBNET, GUEST_SUBNET. Hosts — NVR_HOST, MGMT_JUMPHOST. Services — SSH(22), HTTPS(443), SNMP(161/UDP), Syslog(514/UDP/TLS), RTSP/Protect, NTP(123/UDP).

12) Known Limits & Notes (UniFi-specific)

  • No true stateful HA on UDMs: mitigated via warm standby and runbook; consider a cold spare on-site.
  • No MLAG: rely on RSTP with clear root election and loop-free trunks.
  • Protect on the UDM-SE is viable for very small camera counts; the UNVR-Pro is recommended here (~20 cams @ 30 days).