
Creating Virtual Networks (VLANs)

Virtual Networks (VLANs) segment networks to improve performance, security, and traffic management. They help isolate devices and users, reducing the risk of unauthorized access and limiting the spread of potential threats within a network. This guide covers VLAN creation and device assignment using UniFi and third-party gateways.

Creating VLANs

UniFi allows VLAN creation on UniFi Gateways and third-party gateways, with VLAN Magic as an alternative for smaller sites.

VLANs on UniFi Gateways

This is the default VLAN creation method for UniFi deployments.

  1. In UniFi Network, navigate to Settings > Networks and create a new virtual network.
  2. Name the network.
  3. Optionally configure settings such as VLAN ID, subnet range, DHCP, isolation, content filtering, and DNS.
  4. Click Apply Changes.

Creating a VLAN on a UniFi Gateway does not automatically assign any devices to it. See Assigning Devices to VLANs below for assignment options.

VLANs on Third-Party Gateways

If using a third-party gateway, VLANs must first be created on the gateway before being recognized in UniFi.

  1. Configure your network’s subnet, VLAN ID, and DHCP settings on your third-party gateway.
  2. In UniFi, navigate to Settings > Networks and create a new virtual network.
  3. Under Router, select Third-party Gateway.
    • Use the same VLAN ID as on the third-party gateway for consistency.
  4. Click Apply Changes.

Most third-party gateways block inter-VLAN communication by default. If needed, configure VLAN routing and firewall rules on the third-party gateway.
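A consistency check for the steps above, as an added example that is not Ubiquiti's code: it compares the VLANs defined on the third-party gateway with the virtual networks entered in UniFi and reports mismatched VLAN IDs and overlapping subnets. The dictionary shapes, sample values, and function name are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample data; the dictionary shapes are assumptions of this example.
GATEWAY_VLANS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.20.128/25"}
UNIFI_NETWORKS = {"Staff": 10, "Cameras": 20, "Guests": 40}


def audit_vlan_plan(gateway, unifi):
    """Return findings where the gateway's VLANs and UniFi's networks disagree.

    gateway: {vlan_id: subnet} as configured on the third-party gateway.
    unifi:   {network_name: vlan_id} as entered under Settings > Networks.
    """
    findings = []
    # Every ID on either side must be a usable 802.1Q VLAN ID.
    for vid in sorted(set(gateway) | set(unifi.values())):
        if not 1 <= vid <= 4094:
            findings.append(f"VLAN {vid}: ID outside 1-4094")
    # A UniFi network whose VLAN ID the gateway does not know gets no subnet or DHCP.
    for name, vid in sorted(unifi.items()):
        if vid not in gateway:
            findings.append(f"{name}: VLAN {vid} is not defined on the gateway")
    # A gateway VLAN with no UniFi network cannot be assigned to ports or SSIDs.
    for vid in sorted(set(gateway) - set(unifi.values())):
        findings.append(f"VLAN {vid}: on the gateway but has no UniFi network")
    # Overlapping subnets make routing and inter-VLAN firewall rules ambiguous.
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in gateway.items()}
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            findings.append(f"VLAN {a} and VLAN {b}: subnets {nets[a]} and {nets[b]} overlap")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan_plan(GATEWAY_VLANS, UNIFI_NETWORKS):
        print(finding)
```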

VLAN Magic: a Shortcut for Smaller Sites

VLAN Magic simplifies VLAN creation by assigning VLANs directly via MAC address, all at once.

  1. In Network, click Topology on the left navigation bar.
  2. Click the “⊕” symbol to open the Create Virtual Network panel.
  3. Name the VLAN and select devices from the topology.
  4. (Optional) Enable network isolation or block internet access.
  5. Click Apply Changes.

VLAN Magic is not supported downstream of the following switches:

  • USW Flex
  • USW Flex Mini
  • USW Ultra
  • USW Flex 2.5G series
  • ECS Aggregation

Assigning Devices to VLANs

VLANs segment a network to improve security, optimize traffic, and simplify management. UniFi provides both static and dynamic VLAN assignment methods, depending on network requirements.

To set up VLANs, follow our guide on Creating Virtual Networks. Below are VLAN assignment methods categorized by complexity and use case.

Simple/Static VLAN Assignments

These methods assign VLANs based on SSIDs or switch ports, ensuring devices remain on a fixed VLAN without requiring authentication.

Assign VLANs to WiFi SSIDs

Each SSID can be mapped to a single VLAN, ensuring that all connected devices remain within the designated VLAN. For more flexibility, PPSK (Per-Password VLAN) allows multiple VLANs on the same SSID, where the password used determines the VLAN assignment.

This method is best for environments needing basic wireless segmentation without complex authentication.

Assign VLANs to Wired Clients

VLANs can be assigned directly to switch ports, ensuring that any device connected to a specific port is placed on the designated VLAN. This method is ideal for wired devices that remain in fixed locations, such as servers, printers, or workstations that require a consistent VLAN assignment.

Advanced/Dynamic VLAN Assignments

Dynamic VLAN assignments allow greater flexibility by using authentication mechanisms to assign VLANs based on user credentials or device properties.

These methods are best for networks where users or devices may move between access points or switch ports but still need to retain specific VLAN assignments.

Username & Password-Based VLAN Assignment

RADIUS authentication (802.1X) allows VLANs to be assigned based on user credentials. When a user logs in, the RADIUS server determines which VLAN they should be placed in.

This approach is ideal for organizations where users need different VLAN access based on role, such as placing accounting staff in an "Accounting VLAN."

MAC-Based VLAN Assignment via RADIUS

Instead of user credentials, VLANs can be assigned based on a device’s MAC address. This method ensures that a specific device always connects to the same VLAN, even when moving between different access points, switch ports, or users. This is useful for IoT devices, security cameras, or any client that must retain a consistent VLAN assignment.

This requires a UniFi Gateway, and is the most common method of assigning VLANs based on MAC address.
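What the RADIUS server's VLAN decision looks like on the wire, for both the username-based and MAC-based methods above. This is an added example, not Ubiquiti's code: it builds and parses the standard tunnel attributes that RFC 3580 defines for VLAN assignment in an Access-Accept. The POLICY table and function names are hypothetical, and that your RADIUS server and UniFi devices exchange exactly these attributes is an assumption to confirm against their documentation.

```python
# Added example: RFC 2868 / RFC 3580 tunnel attributes for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy: 802.1X usernames and MAC-auth identities mapped to VLAN IDs.
POLICY = {"alice@accounting": 30, "aa:bb:cc:00:11:22": 40}


def tlv(attr_type, value):
    """Encode one attribute as Type, Length, Value; Length includes the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def vlan_attributes(vlan_id):
    """Attributes a RADIUS server puts in Access-Accept to assign vlan_id (untagged form)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    return (tlv(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def attributes_for(identity):
    """Look up a username or MAC (any common separator/case) in POLICY; None = no VLAN."""
    key = identity.lower()
    hexonly = key.replace(":", "").replace("-", "").replace(".", "")
    if len(hexonly) == 12 and all(c in "0123456789abcdef" for c in hexonly):
        key = ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))
    vlan = POLICY.get(key)
    return vlan_attributes(vlan) if vlan is not None else None


def assigned_vlan(attrs):
    """Parse Access-Accept attribute bytes; return the VLAN ID or None if incomplete."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    ttype, medium = found.get(TUNNEL_TYPE, b""), found.get(TUNNEL_MEDIUM_TYPE, b"")
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802:
        return None
    if gid and gid[0] <= 0x1F:  # leading byte of 0x1F or below is a tag, not text
        gid = gid[1:]
    return int(gid) if gid.isdigit() and 1 <= int(gid) <= 4094 else None
```

A MAC-auth identity is only the address the client presents, so VLANs assigned this way still need the isolation and firewall rules of any other segment.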

MAC-Based VLAN Assignment via Virtual Network Override

UniFi Gateways support Virtual Network Override (VNO), which dynamically assigns VLANs based on a device’s MAC address at the gateway level. This method simplifies VLAN segmentation without requiring configuration on switches or access points.

This also requires a UniFi Gateway. It is a simplified method of assigning VLANs based on MAC address, useful where WPA3 Enterprise is not supported, or as an alternative to PPSK, which is unavailable on 6 GHz networks.

Get the Most out of VLANs

VLANs enhance network segmentation, security, and traffic management. Understanding how to apply these principles ensures you get the most out of your VLAN setup:
