Table of Contents
Ubiquiti - VLAN
VLANs (Virtual Local Area Networks), segregate traffic within a network.
They allow a single physical Ethernet network to appear to be multiple logical networks.
Benefits for using VLANs include:
- VLANs keep traffic from different networks separated from each other.
- They enhance network security by preventing wireless devices from accessing LAN resources.
- Increased performance by limiting broadcast domains.
While VLAN's are effective for separating network segments and limiting broadcast traffic, it is often a requirement for subnets separated by VLAN's to be able to communicate. This can be accomplished only through a Layer 3 enabled device that can route between the VLAN's. Even if both VLAN's exist on a device, their traffic will be segregated unless mediated by a layer 3 routing device.
VLAN enabled ports are generally categorized in one of two ways, tagged or untagged.
- VLANs can be port-based (assigning a physical port on a device to a VLAN) or tag-based (tagging particular kinds of traffic with a VLAN tag, as defined by 802.1q).
Unifi, usually by default, have all switch ports able to consume both tagged and untagged traffic, but this can be modified. This is known as trunking, i.e. to have a specific port enabled for VLAN tagging, and the other ports for general access.
Other Considerations
- For greater security, no SSID should be untagged, i.e. be on the “native VLAN”.
- The amount of broadcast traffic on the trunk port to which an AP is attached should be limited.
- Limiting broadcast traffic improves wireless performance.
Common Terms
| VLAN | Virtual Local Area Network, logical identifier for isolating a network. |
| Trunk | A port enabled for VLAN tagging. |
| Access | A port that does not tag and only accepts a single VLAN. |
| Encapsulation | The process of modifying frames of data to include additional information. |
| 802.1Q | The most common encapsulation method for VLAN tagging. |
| Native VLAN | The VLAN associated with all untagged traffic on a trunk. |
VLAN's and IP-intefaces
- VLAN is a Layer 2 (L2) technology; data is sent between clients using mac-addresses.
- VLANs limits broadcast/flooding a domain.
- Only clients in the same VLAN and with IP-addresses in the same subnet, can send data to each other.
- It is not possible to configure any DHCP on A VLAN, since VLAN is a L2 technology and DHCP requires an IP-interface, which is a L3 technology, so this VLAN should either be connected to an external DHCP-server or use static IP-addresses on the clients.
- IP-interfaces is a Layer 3 (L3) technology; data is send between clients using IP-addresses.
Summary of VLANs
Ubiquiti always uses VLAN 1 as the untagged native VLAN.
- Each VLAN is identified by a unique 802.1Q ID.
- VLAN IDs are 1 through 4094.
NOTE: There are many different network types that can be created:
Any of these networks can be allocated to a VLAN.
- Corporate is a general purpose network and by default is assigned to LAN.
- The UniFi controller will provision not only the VLAN itself but also a matching IP subnet for this VLAN.
- Clients associated to the VLAN uses the IP-interface as a default gateway to reach anything outside the VLAN, like other hosts on other VLAN's, the internet and so on.
- On this VLAN it's possible to configure a DHCP-server locally on the switch to provide IP-addresses to clients.
- IP subnets exist at Layer 3, whereas UniFi switches are purely Layer 2.
- Therefore, if you have no USG, there's no point in creating a “Corporate” VLAN.
- Guest will apply the Guest Control setting if you enable the Guest Portal.
- VLAN Only will remove any subnet options and can be used to define VLANs for pure VLAN tagging purposes by Unifi switches.
- This allows you to add/remove a VLAN tag to network packets on a switch port (for instance) connected to another, non-Unifi network device that expects/sends these.
- It is not possible to configure any DHCP on this, since VLAN is a L2 technology and DHCP requires an IP-interface, which is a L3 technology, so this VLAN should either be connected to an external DHCP-server or use static IP-addresses on the clients.
- This is the best choice to use for a VLAN, if not using a USG.
- VPN Client is USG specific.
- Site-to-Site VPN is USG specific.
- Remote user VPN is USG specific.