The UniFi product line is ready to be used with VLANs. This article will discuss how to use VLANs with UniFi products. Find a link to an introductory article on VLANs in the Related Articles below.
Table of Contents
- UniFi Device Management
- UniFi Access Points (UAP)
- UniFi Switch (USW)
- UniFi Security Gateway (USG)
- Related Articles
UniFi Device Management
UniFi access points and switches must initially be adopted over the native untagged VLAN, and this remains a requirement afterwards. That said, they do support L3 management, so your controller can sit on a different L3 network (including a remote site). At this time UniFi APs can only be managed via an untagged VLAN.
Currently, UniFi switches are a little different. After adopting a switch over the untagged VLAN, you can define a tagged management VLAN for it to use. This setting is found under the device properties window>Configuration>Services>MGMT VLAN. This feature will be expanded to the UAP-IW with the initial release of UniFi controller v5, and to other models at a later time.
UniFi Access Points (UAP)
You can have up to one tagged VLAN per SSID, and up to 4 SSIDs per radio. You can set the VLAN that an SSID uses by going to Settings>Wireless Networks>Advanced Options. The advanced options area is shown both when you create a new wireless network (SSID) and when you edit an existing one. You can use VLANs on standard or guest SSIDs.
Currently the only VLAN you can't tag to an SSID is 1, although that may change in the future once we expand the ability to define a management VLAN to all UAPs.
With the upcoming UniFi controller v5 and subsequent releases, you will be able to use RADIUS controlled VLANs with UAPs. Instead of defining a VLAN on the SSID, you check the box to enable RADIUS VLANs.
You'll see this under the advanced options for the SSID:
Set the following RADIUS attributes in the RADIUS server for each user or group based on your RADIUS configuration:
- Tunnel-Type = 13
- Tunnel-Medium-Type = 6
- Tunnel-Private-Group-Id = "149" (replace 149 with the VLAN ID for each user)
At the time of writing, one known limitation with RADIUS controlled VLANs is that you can't share a VLAN ID between RADIUS users and a static VLAN assignment on another SSID on the same AP. So, if SSID1 has a static VLAN assignment of 10 and SSID2 is configured for RADIUS controlled VLANs, the users on SSID2 cannot be assigned VLAN ID 10, but they can use any other VLAN ID. If you had a third SSID that also used RADIUS controlled VLANs, its users could use the same VLAN IDs as the users on SSID2 (except for 10). This applies on a per-AP basis.
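The following is an added example, not UniFi code: it checks one user's RADIUS reply against the attribute triple listed above and flags RADIUS-assigned VLAN IDs that collide with a static SSID VLAN on the same AP, which is the per-AP limitation just described. All SSID names, user names and VLAN IDs in it are constructed sample data.

```python
# Added example (not UniFi code): sanity-check a RADIUS-controlled VLAN plan
# for one AP. SSID names, user names and VLAN IDs are constructed sample data.

TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value the article requires (VLAN)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value the article requires (IEEE 802)
VLAN_MIN, VLAN_MAX = 1, 4094


def check_radius_reply(attrs):
    """Return the problems found in one user's RADIUS reply attributes
    (an empty list means the triple matches what the article requires)."""
    problems = []
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type must be 13 (VLAN)")
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type must be 6 (IEEE 802)")
    gid = attrs.get("Tunnel-Private-Group-Id")
    # Tunnel-Private-Group-Id is a string attribute carrying the VLAN number
    if not (isinstance(gid, str) and gid.isdigit()
            and VLAN_MIN <= int(gid) <= VLAN_MAX):
        problems.append("Tunnel-Private-Group-Id must be a VLAN ID string 1-4094")
    return problems


def find_vlan_conflicts(ssids, radius_users):
    """ssids maps SSID name -> {"vlan": n} for a static tag or
    {"radius_vlan": True} for RADIUS control; radius_users maps
    user -> VLAN ID taken from Tunnel-Private-Group-Id.
    Returns (user, vlan, ssid) for every RADIUS-assigned VLAN that collides
    with a static SSID VLAN on this AP. RADIUS users may share IDs freely."""
    static = {cfg["vlan"]: name for name, cfg in ssids.items() if "vlan" in cfg}
    return sorted((user, vlan, static[vlan])
                  for user, vlan in radius_users.items() if vlan in static)


# Constructed sample AP: SSID1 statically tagged 10, SSID2/SSID3 RADIUS controlled
SAMPLE_SSIDS = {"SSID1": {"vlan": 10},
                "SSID2": {"radius_vlan": True},
                "SSID3": {"radius_vlan": True}}
SAMPLE_USERS = {"alice": 149, "bob": 10, "carol": 149}

if __name__ == "__main__":
    for user, vlan, ssid in find_vlan_conflicts(SAMPLE_SSIDS, SAMPLE_USERS):
        print(f"{user}: VLAN {vlan} collides with the static VLAN on {ssid}")
```

Run against the sample data, only bob is reported, since alice and carol sharing VLAN 149 across RADIUS-controlled SSIDs is allowed.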
UniFi Switch (USW)
As with UAPs, you can use VLANs with the USW. By default your ports are set to the All profile, so each port has a native network (ideally VLAN 1) and every other defined VLAN tagged. VLANs need to be defined in the UniFi controller under Settings>Networks. To simply set up a VLAN, you would set a network as VLAN only.
To change the profile on a port or port group, go to the switch properties window>Ports> and either choose the edit button on the right, or select the desired ports and use "edit selected" at the bottom. Once in there you can choose the profile for the port(s). The Networks/VLANs profile on a port defines the native and tagged networks on the port(s) that profile is applied to.
You can create network profiles within the switch properties window under Configuration>Networks/VLANs. Currently the UniFi switch is different in that you can tag VLAN 1 on a port.
The UniFi switch is currently the only device on which you can tag VLAN 1, if needed. In a fresh controller, VLAN 1 is the default LAN network under Settings>Networks, so to tag it you would create a custom profile and tag that network. In my example it is the MGMT VLAN.
In UniFi controller v5, support for RADIUS controlled VLANs will also be added to the USW. First you have to enable 802.1X control, then you can enable RADIUS controlled VLANs. This is found under the switch properties window>Configuration>Services.
UniFi Security Gateway (USG)
The USG can be used to manage DHCP, routing, and VLANs on your network. It also uses the Settings>Networks area to define subnets. A corporate network has no restrictions, whereas a guest network cannot communicate with other subnets on your network. The guest control settings are also applied to guest networks (i.e. the wired guest portal).
There is a native subnet and vifs (VLANs) per LAN interface. You cannot edit the VLAN ID of the native subnet (it is 1 or 4010, depending on whether it is the LAN or VoIP subnet). The settings window looks similar for both corporate and guest networks, so we'll only picture a corporate network. Basically, enter the desired IP with CIDR prefix length, and then choose your VLAN ID.