UniFi Network - Creating Virtual Networks (VLANs)

2023-06-09 21:06:50 UTC

Before you read, please note that we always recommend using UniFi gateways and switches to ensure your best, most streamlined experience. 

A virtual network, also referred to as VLAN, allows you to partition your devices while keeping them connected to the same networking infrastructure. This is typically done to increase overall network security. 

For example, if a company wants to separate the devices and applications used to conduct secure business operations, like accounting, from those connected to unsecured guest hotspots, it could create two separate virtual networks. 

Note: Some have used VLAN segmentation to improve overall network performance. However, with the evolving speed capabilities of modern clients, VLAN configuration should not be necessary to ensure sufficient network coverage and speed, unless you regularly support several hundred simultaneously connected devices.

Creating a Virtual Network

A UniFi Gateway, or a UniFi Gateway Console, is required to create a virtual network. If you have a third-party gateway, please see Virtual Networks and Third-Party Gateways for more information.

UniFi gateways have a built-in DHCP server to automatically optimize your virtual network settings, allowing you to create and configure new networks with a single click. We also allow advanced users to configure different VLAN IDs, or use their own external DHCP servers.


Connecting to Your Virtual Networks

  • To connect wireless clients, enable your WiFi SSID’s Virtual Network Binding setting.
  • To connect wired clients, enable the same setting on their respective switch port(s).

Wireless Clients

By default, each UniFi AP can support up to four dual-band SSIDs (i.e., each SSID broadcasts 2.4 and 5 GHz bands). This means you can create multiple SSIDs and bind them to a different virtual network. When a client connects to an SSID, it becomes a member of the SSID’s virtual network, and adheres to all associated Traffic Management and Network Isolation rules.


Wired Clients

Unlike UniFi APs, which support multiple SSIDs bound to different virtual networks, a switch port can only be bound to a single one. This is often referred to as its native network. Any device directly connected to a switch port will become a member of its native network, and will adhere to all associated Traffic Management and Network Isolation rules.

Despite binding being limited to a single virtual network, UniFi allows ports to pass traffic from all virtual networks. This is because businesses typically have several virtual networks, and link their gateway with multiple switches and APs. In this case, it would be incredibly inconvenient to require a separate port for each virtual network. 

Some third-party vendors refer to these “allowed” networks (i.e., virtual networks other than the port’s native one) as tagged networks. Ports that allow multiple networks are called Trunk Ports.

The settings pictured above can be accessed by selecting a UniFi Switch from your UniFi Devices list and opening its Port Configuration menu. 

Note: By default, most third-party switches only allow traffic from a single VLAN, often VLAN 1. If you create additional virtual networks, you must manually configure each switch port to allow traffic from that network. Please see Virtual Network Connectivity and Isolation for more information.

Virtual Networks and Network Isolation

Virtual networks improve your security by segmenting connected devices. This is done with a combination of Traffic Rules and/or switch port network restrictions. 

See Virtual Network Connectivity and Isolation for more information.
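
The following is an added example, not UniFi code or an export from the UniFi application: a simplified Python model of the native and allowed networks described under Wired Clients, used to list client-facing ports that still pass traffic from networks other than their native one. The Port structure, the port names, the VLAN IDs and the uplink flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data: network names and VLAN IDs are illustrative only.
NETWORKS = {1: "Default", 20: "Accounting", 30: "Guest"}

@dataclass(frozen=True)
class Port:                              # hypothetical structure, not a UniFi format
    name: str
    native: int                          # VLAN ID of the port's native network
    allowed: Optional[FrozenSet[int]]    # other (tagged) networks; None = allow all
    uplink: bool                         # True if it links to a gateway, switch or AP

def reachable(port, networks=NETWORKS):
    """VLAN IDs whose traffic the port passes: native plus allowed networks."""
    extra = set(networks) if port.allowed is None else set(port.allowed) & set(networks)
    return {port.native} | extra

def classify(port, tag, networks=NETWORKS):
    """Network a frame joins on ingress, or None if the port drops it.
    tag is None for an untagged frame, otherwise the VLAN ID it carries."""
    if tag is None:
        return port.native               # untagged traffic joins the native network
    return tag if tag in reachable(port, networks) else None

def audit(ports, networks=NETWORKS):
    """Flag client-facing ports that pass networks other than their native one."""
    findings = []
    for p in ports:
        exposed = reachable(p, networks) - {p.native}
        if not p.uplink and exposed:
            findings.append((p.name, sorted(exposed)))
    return findings

# Constructed port list: two uplinks and two client-facing ports.
PORTS = [
    Port("port1-uplink-to-gateway", native=1, allowed=None, uplink=True),
    Port("port2-ap", native=1, allowed=frozenset({20, 30}), uplink=True),
    Port("port5-lobby-jack", native=30, allowed=None, uplink=False),   # left at allow-all
    Port("port6-accounting-pc", native=20, allowed=frozenset(), uplink=False),
]

if __name__ == "__main__":
    for name, exposed in audit(PORTS):
        print(f"{name}: also passes {[NETWORKS[v] for v in exposed]}")
```

Ports reported by audit() are candidates for a switch port network restriction, so that they pass only their native network.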

Virtual Networks and Third-Party Gateways

Users with a third-party gateway must configure all networks and VLANs on the gateway itself. However, we provide a convenient way of obtaining your third-party network’s VLAN ID when creating a WiFi SSID on a UniFi AP, or a port profile on a UniFi Switch.

Selecting Third-party Gateway from the Router drop-down will create a network associated with a VLAN, but you must use a third-party gateway and DHCP server to provide IP addresses and route traffic. 


Note: All network and DHCP configurations must be made on your third-party gateway. To avoid configuration conflicts or communication issues, we recommend using UniFi Switches and APs together with a UniFi gateway.
