UniFi - Using VLANs with UniFi Wireless, Routing & Switching Hardware


This article discusses how to use VLANs with UniFi products. Find a link to an introductory article on VLANs in the Related Articles below.

Table of Contents

  1. UniFi Device Management
  2. UniFi Access Points (UAP)
  3. UniFi Switch (USW)
  4. UniFi Security Gateway (USG)
  5. Related Articles

UniFi Device Management

Back to Top

Initially, you need to adopt your UniFi access points or switches over the native, or untagged, VLAN, and this will be the continued requirement. That being said, they do support L3 management, so your controller can be on a different L3 network (or remote, etc.). See more about that on our UniFi - Device Adoption Methods for Remote UniFi Controllers article. At this time UniFi APs are only managed via an untagged VLAN.

Currently, UniFi switches are a little different. After you adopt it over the untagged VLAN, you can define a tagged management VLAN to use. This is found under the device Properties window (click on the device to reveal) > Configuration > Services > MGMT VLAN.

UniFi Access Points (UAP)

Back to Top

You can have upwards of one tagged VLAN per SSID, and 4 SSIDs per radio. You can set the VLAN that a SSID users by going to Settings > Wireless Networks > Advanced Options. The advanced options area is shown either when you create a new wireless network (SSID), or when you edit an existing SSID. You can use VLANs on standard or guest SSIDs.

Currently the only VLAN you can’t tag to a SSID is 1, although that may change in the future, once we expand the ability to define a management VLAN to all UAPs.

Within UniFi controller v5, and subsequent releases, you will be able to use RADIUS controlled VLANs with UniFi APs and Switches. Instead of defining a VLAN, you enable this within the RADIUS profile. You can find this section under Settings > Profiles. Below is an example of the RADIUS profile section.


Set the following RADIUS attributes in the RADIUS server for each user or group, based on your RADIUS configuration:

  • Tunnel-Type = 13,
  • Tunnel-Medium-Type = 6,
  • Tunnel-Private-Group-Id = "149"   # <=== add your vlan id for each user.

At the time of writing, one known limitation with RADIUS controlled VLANs is that you can't share a VLAN ID between RADIUS users and a static VLAN assignment on another SSID on that AP. So, if SSID1 has a static VLAN assignment of 10, and SSID2 is configured for RADIUS controlled VLANs, the users on SSID2 cannot use the VLAN ID of 10, but they can use any other VLAN ID. If you had a 3rd SSID, that also used RADIUS controlled VLANs, you can use the same VLAN IDs as you would for the users on SSID 2 (except for 10). This applies on a per AP basis.

NOTE: Where using RADIUS-assinged VLANs, the UAP's switch port must have all the RADIUS-assigned VLANs configured as tagged VLANs on its switch port. With UniFi switches, the default "All" network assignment on the UAP's switch port covers that requirement, as long as those VLAN IDs are defined in the controller under Settings > Networks, as either a VLAN-only, corporate, or guest network.

UniFi Switch (USW)

Back to Top

As with UAPs, you can use VLANs with UniFi Switches. By default, your ports are set to All, so it'll have an untagged VLAN (ideally 1), and then the rest will be tagged. VLANs need to be defined in the UniFi Controller under Settings > Networks. To simply set up a VLAN you would set a network as VLAN only.

To change the profile on a port, or port group, you would click on the Switch in the Devices tab to reveal the Properties window, then go to Ports, and either choose the edit button on the right, or select the desired ports and click "edit selected" on the bottom. In editing mode, you can choose the profile for the port(s). The Networks/VLANs profile on a port can be used to define the untagged and tagged networks on the selected port(s).

You can create port profiles in the controller's Settings > Profiles > Switch ports > Add new Profile. Currently, UniFi switches are different from UAPs in the sense that you can tag VLAN 1 on a port.

The UniFi switch is currently the only device where you can tag VLAN 1, if needed. The default LAN network in the controller is VLAN 1. So to tag it, you would create a custom profile and tag it. VLAN 1 is the default LAN network in Settings > Networks in a fresh controller. 

In UniFi controller 5.5.x+ versions, support for RADIUS controlled VLANs was added. You would first have to enable 802.1x control and choose a RADIUS profile. This is found under the switch Properties Window > Configuration > Services. You then need to either create a new RADIUS profile, with it RADIUS VLAN enabled for the switch, or make sure it's enabled on an existing profile. 

You may also need to configure the switch port profile for 802.1x, in Settings > Profiles > Switch Ports > "Add New Port Profile" or edit existing. 802.1x Settings can be found under "Advanced Settings".


You can manage RADIUS profiles from Settings > Profiles.


UniFi Security Gateway (USG)

Back to Top

The USG can be used to manage DHCP server, routing, and VLANs on your network. It would also use the Settings > Networks area to define subnets. A corporate network has no restrictions, whereas a guest network cannot communicate with other subnets on your network. The guest control settings are also applied to guest networks (i.e. wired guest portal).

The default physical LAN interface's network is, by default, using untagged vlan 1. There can be multiple vifs (virtual interface/VLANs) per physical LAN interface. You cannot edit the VLAN ID of the untagged subnet (it is 1 or 4010, depending on if it's LAN or VoIP subnet). The settings window looks similar for both corporate and guest networks, so we'll only picture a corporate network. Basically, enter the desired IP with CIDR, and then choose your VLAN ID.

Related Articles

Back to Top

Intro to Networking - Introduction to Virtual LANs (VLANs) and Tagging

UniFi - How Does VLAN traffic get tagged

UniFi - Device Adoption Methods for Remote UniFi Controllers

UniFi - How to Implement RADIUS Authentication