Environment: USW-Lite-8-PoE (v7.2.123 / v8.x tested) | UniFi Network Controller 9.5.21
📌 1. Background
In an enterprise network, a switch should operate purely at Layer 2 and never assign IP addresses.
However, after upgrading UniFi Switch firmware to 8.x, the following issues appeared:
- The switch occasionally enables its built-in DHCP server after being adopted by the controller.
- This rogue DHCP server starts handing out IPs (usually 192.168.1.x/24), causing address conflicts and user disconnections.
- Once the controller detects the conflict or loses communication, the switch enters fallback mode, resets itself, and the loop repeats.
This behavior is particularly common on USW-Lite 8 PoE and USW-Flex Mini models running firmware 8.x.
🔍 2. Root-Cause Analysis
1️⃣ Version Differences
| Feature | UniFi 7.x | UniFi 8.x and later |
|---|---|---|
| Provisioning logic | Legacy inform-based | New UDAPI Provisioning |
| DHCP mode | Enabled only in Standalone | May start incorrectly if Provisioning fails |
| SSH account | ubnt/ubnt (default) | Overwritten by controller during Provision |
When a v8.x switch times out or fails during provisioning, it wrongly assumes a stand-alone role and starts its DHCP daemon, disrupting the LAN.
2️⃣ SSH Behavior Change
- Factory state (before adoption): default login → ubnt / ubnt.
- After adoption: SSH credentials are replaced by those defined in the controller.
- After forget or provision failure: the switch is semi-managed yet still locked out; the controller credentials are lost and the ubnt account is disabled.
⚠️ That’s why you can log in with ubnt / ubnt immediately after a hardware reset, but lose access as soon as the controller re-adopts the device.
🧰 3. Troubleshooting & Verification Steps
(1) Stop the Built-in DHCP Process
ssh <controller_ssh_username>@<switch_ip>
ps | grep udhcpd
killall udhcpd
pgrep udhcpd # confirm none remain
If no udhcpd process exists, DHCP is already stopped.
(2) Confirm Controller DHCP Settings
In Settings → Networks, if each VLAN lists Third-party Gateway,
the controller itself is not running any DHCP service.
Thus, any active DHCP must originate from the switch.
(3) Verify No More DHCP Traffic
On your management host:
sudo tcpdump -n -i eth0 port 67 or port 68
If no DHCP replies appear within 20 seconds, the rogue DHCP is gone.
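To make step (3) repeatable instead of eyeballing tcpdump output, here is an added example (not part of the original article) that parses DHCP OFFER/ACK payloads and flags any server identifier (option 54) that is not on the allow-list of expected servers; the two packets and the 10.0.0.1 gateway address are constructed sample data.

```python
import ipaddress
import struct

DHCP_OFFER, DHCP_ACK = 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 option-field marker at offset 236


def parse_dhcp(payload: bytes) -> dict:
    """Extract message type, offered address and server identifier from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    yiaddr = ipaddress.IPv4Address(payload[16:20])  # 'your' address offered to the client
    opts, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:            # pad option
            i += 1
            continue
        if tag == 255:          # end of options
            break
        length = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts[53][0] if 53 in opts else 0
    server_id = ipaddress.IPv4Address(opts[54]) if 54 in opts else None  # option 54
    return {"type": msg_type, "yiaddr": yiaddr, "server_id": server_id}


def find_rogue(payloads, allowed_servers):
    """Return (server_id, offered_ip) for every OFFER/ACK not sent by an allowed server."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed_servers}
    rogue = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["type"] in (DHCP_OFFER, DHCP_ACK) and msg["server_id"] not in allowed:
            rogue.append((str(msg["server_id"]), str(msg["yiaddr"])))
    return rogue


def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Constructed sample DHCPOFFER (not captured traffic) carrying only options 53 and 54."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)          # op=BOOTREPLY, xid
    fixed += bytes(4) + ipaddress.IPv4Address(offered_ip).packed + bytes(8)  # ciaddr/yiaddr/siaddr/giaddr
    fixed += bytes(16 + 64 + 128) + MAGIC_COOKIE                             # chaddr/sname/file
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return fixed + opts


if __name__ == "__main__":
    # 10.0.0.1 stands in for the real third-party gateway; 192.168.1.1 is the switch's fallback server
    samples = [build_offer("10.0.0.1", "10.0.0.50"), build_offer("192.168.1.1", "192.168.1.20")]
    print(find_rogue(samples, ["10.0.0.1"]))  # → [('192.168.1.1', '192.168.1.20')]
```

Feed it the UDP payloads from the capture taken in step (3) (for example via a pcap reader); any tuple it returns names a server other than the expected gateway, which on this hardware is the switch's own udhcpd.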
🧩 4. Stable Firmware and Operational Strategy
| Firmware Version | Status | Notes |
|---|---|---|
| 7.2.123 | ✅ Stable – no DHCP issue | Recommended production version |
| 8.0 – 8.1 | ❌ Contains DHCP fallback bug | Avoid deployment |
| 9.3 + | ⚠️ Partially fixed | Test before mass upgrade |
The 7.x firmware remains fully compatible with UniFi Network Controller versions 7.x through 9.x and operates reliably in production.
⚙️ 5. Recommended Configuration
1️⃣ Lock Firmware Version
- Disable automatic updates: Settings → System → Updates → Disable automatic firmware updates
- Or per-device: Devices → Switch → Config → Firmware → Lock Version 7.2.123
2️⃣ Maintain SSH Credential Control
Settings → System → Device SSH Authentication → Custom per device
Use a custom admin account (e.g., nufaceadmin) to prevent credential overwrites.
3️⃣ Enable Rogue DHCP Detection
Settings → Networks → Global Switch Settings → ☑ Rogue DHCP Server Detection
The controller will alert you if any new DHCP server appears on the LAN.
4️⃣ Regular Backups
Export or schedule automatic backups from /opt/unifi/config/data/backup/autobackup.
🧭 6. Long-Term Guidelines
- Keep switches on 7.x until 9.x DHCP fixes are proven stable.
- Use version groups if multiple models exist (e.g., Lite = 7.x, Pro = 9.x).
- Test new firmware in a lab before enterprise-wide rollout.
- Employ upgrade white-lists or YAML policies to define which models auto-update.
✅ 7. Summary
| Item | Status | Comment |
|---|---|---|
| Root cause | Provisioning bug in 8.x enabling DHCP | Confirmed |
| Stable fix | Stay on 7.2.123 firmware | Proven solution |
| Long-term | Upgrade to ≥ 9.6 after validation | Planned |
| SSH behavior | Credentials managed by controller | Normal |
| Best practice | Disable auto-update + Enable Rogue DHCP Detection | Secure |
💬 Author’s Note
In enterprise networks, stability always outweighs new features.
After extensive field testing, UniFi Switch firmware 7.2.123 delivers full VLAN, PoE, STP, and Rogue DHCP Detection capabilities without unexpected DHCP activation.
Locking firmware versions and controlling upgrade timing remain the most reliable operational approach.