Everything you need to know about VLAN tagging in UniFi
VLAN tagging sounds intimidating if you’re not knee-deep in networking every day. But if you're managing networks using UniFi gear, it's a concept you’ll want to get familiar with. Whether you're segmenting guest Wi-Fi, isolating IoT devices, or setting up a multi-tenant network, VLAN tagging is going to be your best friend.
Let’s break it all down so you can make sense of what VLAN tagging actually does in UniFi and how you can use it without losing your mind.
Let's dive in.
Before we dive in: please don't self-host your UniFi Controller if you look after client networks. Sooner or later it will cause issues. It's fine for home users, but not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.
What is VLAN tagging anyway?
At the core, VLAN (Virtual Local Area Network) tagging is a way to keep different kinds of network traffic apart even when they travel over the same physical cable. The "tag" is a small 802.1Q header inserted into each Ethernet frame that says, "Hey, I belong to VLAN 10," or whatever number you're using (VLAN IDs run from 1 to 4094). A VLAN-aware switch reads that tag and only forwards the frame to ports that carry that VLAN.
In the UniFi world, VLANs are usually used to split up different kinds of traffic: say, regular office devices, security cameras, guest Wi-Fi users, or printers.
Why you should care about VLAN tagging
Most folks get into VLANs when they need to:
- Isolate IoT devices from the rest of the network.
- Set up a separate Wi-Fi network for guests that doesn’t touch internal resources.
- Segment VoIP phones and give them higher priority using QoS rules.
- Serve multiple businesses or offices using the same physical infrastructure.
Basically, it's about organizing traffic and keeping things secure and efficient. One thing to keep in mind: a VLAN by itself only separates traffic at layer 2. What one VLAN is allowed to reach in another is decided by the firewall rules on the gateway that routes between them. In UniFi, you can configure all of this through the controller interface.
How VLAN tagging works in UniFi
In UniFi, the magic of VLAN tagging happens when you configure networks and assign VLAN IDs. Here’s the general process:
1. Set up your networks
In UniFi Network (via the controller), go to Settings > Networks, then create a new network.
You’ll see a field labeled VLAN ID. This is where you define which VLAN tag should be applied. If you set VLAN 20, the devices on that network don't tag anything themselves; the access point or switch port they're attached to tags their frames with 20 as those frames head onto a trunk, and strips the tag again on the way back to the device.
UniFi will handle the rest: ensuring traffic is marked, and routing/switching is done correctly if you’ve set up your infrastructure properly.
2. Configure your switch ports
Next up, make sure your UniFi switches know which ports are carrying VLAN-tagged traffic.
- If a port connects to another switch or to an access point, it needs to carry several VLANs (a trunk). In UniFi that's a port profile with a native (untagged) network plus the tagged networks it should allow. Allow only the VLANs the far end actually needs rather than everything.
- If a port connects to a client device (say, a desktop or printer), it usually needs to be an access port: one VLAN, delivered untagged. The device never sees a tag; the switch assigns its frames to the port's native network.
You can configure this under Devices > [Switch Name] > Ports > Profile Overrides. Choose a profile that includes the VLAN you want, or create a new one under Profiles.
3. Set VLANs for wireless networks
When creating or editing a Wi-Fi network under Settings > Wi-Fi, there’s also an option to apply a VLAN ID.
This means you can run multiple SSIDs on the same AP, and each one is mapped to a different VLAN. Perfect for separating office, guest, and IoT traffic without extra wiring.
4. Route and firewall between VLANs
UniFi’s routing gear (like a Dream Machine or USG) routes between VLANs, and by default it lets every local network talk to every other one. Isolation doesn't happen on its own; you'll want to restrict traffic between them. That’s where firewall rules come in.
You can create rules like:
- Block VLAN 30 (IoT) from accessing VLAN 10 (Internal)
- Allow VLAN 20 (VoIP) to talk to VLAN 10 (Internal)
Head over to Settings > Firewall & Security > Rules to set this up. Rules are checked top to bottom and the first match wins, so put an "allow established/related" rule at the top (otherwise replies to connections the internal side opened get dropped) and make sure a block rule sits above any broad allow that would otherwise swallow it.
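To make the ordering point concrete, here is a small first-match rule evaluator written for this article. It is an added example, not UniFi's own firewall code or configuration format. The subnets (10.0.10.0/24 for Internal and so on), the rule lists and the flows are constructed, and the "accept by default" fallback is an assumption that mirrors the gateway allowing traffic between local networks until a rule says otherwise.

```python
"""First-match evaluation of a UniFi-style LAN In rule list.

Added example, not UniFi code. It models the two things that bite people with
inter-VLAN rules: rules are checked top to bottom and the first match wins, and
return traffic only flows if an 'established/related' allow sits above the
blocks. Subnets, rules and flows are constructed.
"""
import ipaddress

# Constructed VLAN subnets (assumed, not from any real site).
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.10.0/24"),   # VLAN 10
    "VoIP":     ipaddress.ip_network("10.0.20.0/24"),   # VLAN 20
    "IoT":      ipaddress.ip_network("10.0.30.0/24"),   # VLAN 30
}
ALL_STATES = frozenset({"new", "established", "related"})


def rule(action, src="any", dst="any", states=ALL_STATES):
    """One LAN In rule: matches when source, destination and connection state all match."""
    return {"action": action, "src": src, "dst": dst, "states": frozenset(states)}


def _in_net(ip, name):
    return name == "any" or ipaddress.ip_address(ip) in NETWORKS[name]


def evaluate(rules, src_ip, dst_ip, state="new", default="accept"):
    """The first matching rule decides. 'default' is an assumption mirroring the
    gateway's implicit behaviour: local networks may talk unless a rule says no."""
    for r in rules:
        if _in_net(src_ip, r["src"]) and _in_net(dst_ip, r["dst"]) and state in r["states"]:
            return r["action"]
    return default


def _covers(outer, inner):
    return outer == "any" or outer == inner


def shadowed_rules(rules):
    """Indexes of rules that an earlier rule already decides for every packet
    they could match, so they can never take effect. Catches BAD_ORDER below."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier["src"], later["src"]) and _covers(earlier["dst"], later["dst"])
                    and later["states"] <= earlier["states"]):
                out.append(j)
                break
    return out


# The order the two example rules above should be in.
GOOD_ORDER = [
    rule("accept", states={"established", "related"}),  # replies to sessions that were allowed to start
    rule("drop",   src="IoT",  dst="Internal"),         # IoT may not initiate anything towards Internal
    rule("accept", src="VoIP", dst="Internal"),
]

# A common mistake: a broad "IoT to any" allow (meant for internet access)
# placed above the block, so the block never fires.
BAD_ORDER = [
    rule("accept", src="IoT"),
    rule("drop",   src="IoT", dst="Internal"),
]

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, "10.0.30.5", "10.0.10.20"))                       # drop
    print(evaluate(GOOD_ORDER, "10.0.30.5", "10.0.10.20", state="established"))  # accept
    print(evaluate(BAD_ORDER,  "10.0.30.5", "10.0.10.20"))                       # accept (!)
    print(shadowed_rules(BAD_ORDER))                                             # [1]
```

The model is deliberately minimal (no ports, protocols or rule direction), but the two lessons carry over directly: check where your block rules sit relative to any broad allows in the controller's rule list, and keep the established/related allow at the top.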
VLAN tagging gotchas
Here’s where folks run into trouble with VLAN tagging:
Misconfigured switch ports
If your switch port isn’t set to carry the right VLAN, nothing will work. You might end up wondering why your devices can’t connect.
DHCP issues
Each VLAN should have its own DHCP scope. Make sure your UniFi gateway (or another DHCP server) is set to hand out addresses for each VLAN. If not, clients won’t get an IP.
AP trunk ports
Remember: if an AP is broadcasting multiple SSIDs on different VLANs, the switch port it connects to must be a trunk port that allows all relevant VLANs.
Using unmanaged switches
Don’t plug VLAN-tagged traffic into a dumb (unmanaged) switch. It has no idea what the tag means: it either passes tagged frames through unchanged, so everything behind it ends up on one flat segment, or drops them outright. Either way your segmentation is gone.
VLAN tagging in action: a real-life example
Let’s say you're running an office with these needs:
- Staff network (VLAN 10)
- Guest Wi-Fi (VLAN 20)
- Security cameras (VLAN 30)
You set up three networks in UniFi:
- “Staff LAN” with VLAN 10
- “Guest” with VLAN 20
- “CCTV” with VLAN 30
Your switch port going to the AP is a trunk that allows VLANs 10, 20, and 30. The AP broadcasts two SSIDs:
- Office Wi-Fi → VLAN 10
- Guest Wi-Fi → VLAN 20
The NVR is plugged into an access port whose native network is CCTV (VLAN 30), so its untagged traffic lands on VLAN 30 without the NVR knowing anything about tags. Done. Each group of devices sits on its own VLAN over the same physical cabling; the firewall rules on the gateway decide what, if anything, crosses between them.
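The same office plan, as an added consistency check written for this article (not part of UniFi): it models the networks, port profiles, switch ports and SSIDs from the steps above and flags the mistakes listed under the gotchas, such as an AP port that doesn't carry every SSID VLAN, a client port handed a trunk profile, a VLAN without a DHCP scope, or overlapping subnets. The subnets, switch name and profile names are assumptions.

```python
"""Offline sanity checks for a UniFi VLAN plan before anything is applied.

Added example, not UniFi code. The plan below is the office example (Staff 10,
Guest 20, CCTV 30) with constructed subnets and port profile names; validate()
returns the problems it finds, and an empty list means the plan is consistent.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Network:
    name: str
    vlan: int
    subnet: str
    dhcp: bool = True          # does the gateway (or a relay) hand out addresses here?


@dataclass
class PortProfile:
    name: str
    native_vlan: int           # untagged frames land here
    tagged_vlans: frozenset = frozenset()   # carried tagged; empty means access port


@dataclass
class Port:
    switch: str
    number: int
    profile: str
    connects_to: str           # "ap", "switch", "client" or "unmanaged-switch"


@dataclass
class SSID:
    name: str
    vlan: int


def validate(networks, profiles, ports, ssids):
    """Return human-readable problems with the plan (empty list = consistent)."""
    problems = []
    vlans = {}
    for n in networks:
        if not 1 <= n.vlan <= 4094:
            problems.append(f"{n.name}: VLAN {n.vlan} is outside 1-4094")
        if n.vlan in vlans:
            problems.append(f"{n.name}: VLAN {n.vlan} already used by {vlans[n.vlan].name}")
        vlans[n.vlan] = n
        if not n.dhcp:
            problems.append(f"{n.name} (VLAN {n.vlan}): no DHCP scope, clients will not get an IP")
    nets = [(n, ipaddress.ip_network(n.subnet)) for n in networks]
    for i, (a, sa) in enumerate(nets):
        for b, sb in nets[i + 1:]:
            if sa.overlaps(sb):
                problems.append(f"{a.name} and {b.name}: subnets {sa} and {sb} overlap")
    for p in profiles.values():
        for v in {p.native_vlan, *p.tagged_vlans}:
            if v not in vlans:
                problems.append(f"profile {p.name}: VLAN {v} has no network")
    ssid_vlans = {s.vlan: s.name for s in ssids}
    for v, name in ssid_vlans.items():
        if v not in vlans:
            problems.append(f"SSID {name}: VLAN {v} has no network")
    for port in ports:
        where = f"{port.switch} port {port.number}"
        prof = profiles.get(port.profile)
        if prof is None:
            problems.append(f"{where}: unknown profile {port.profile}")
            continue
        carried = {prof.native_vlan, *prof.tagged_vlans}
        if port.connects_to == "ap":
            missing = sorted(set(ssid_vlans) - carried)
            if missing:
                problems.append(f"{where}: feeds an AP but does not carry SSID VLANs {missing}")
        elif port.connects_to == "client" and prof.tagged_vlans:
            problems.append(f"{where}: client port uses trunk profile {prof.name}; use an access profile")
        elif port.connects_to == "unmanaged-switch" and prof.tagged_vlans:
            problems.append(f"{where}: tagged VLANs {sorted(prof.tagged_vlans)} sent to an unmanaged switch")
    return problems


# Constructed plan matching the office example (subnets and names assumed).
NETWORKS = [Network("Staff LAN", 10, "10.0.10.0/24"),
            Network("Guest", 20, "10.0.20.0/24"),
            Network("CCTV", 30, "10.0.30.0/24")]
PROFILES = {"AP trunk": PortProfile("AP trunk", native_vlan=10, tagged_vlans=frozenset({20, 30})),
            "CCTV access": PortProfile("CCTV access", native_vlan=30)}
SSIDS = [SSID("Office Wi-Fi", 10), SSID("Guest Wi-Fi", 20)]
GOOD_PORTS = [Port("sw1", 1, "AP trunk", "ap"), Port("sw1", 2, "CCTV access", "client")]

# Same plan with two classic mistakes: the AP profile forgot the guest VLAN,
# and the NVR's port was given the trunk profile instead of the access one.
BAD_PROFILES = {**PROFILES, "AP trunk": PortProfile("AP trunk", 10, frozenset({30}))}
BAD_PORTS = [Port("sw1", 1, "AP trunk", "ap"), Port("sw1", 2, "AP trunk", "client")]

if __name__ == "__main__":
    for problem in validate(NETWORKS, BAD_PROFILES, BAD_PORTS, SSIDS):
        print("-", problem)
```

Keeping a plan like this in version control next to the site's documentation means the next person can re-run the check before touching port profiles.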
When to use untagged VLANs
Sometimes you don’t need to tag. Every switch port has a native network: frames that arrive without a tag are placed in it, and frames for it leave without a tag. On a fresh UniFi setup that native network is the Default LAN (VLAN 1), and devices on it never see a tag at all.
In UniFi, "untagged" just means a network is the port's native network rather than one of its tagged networks. A port with a native network plus tagged networks accepts both kinds of traffic; an access port accepts only untagged. On ports facing untrusted gear, pick a harmless native network rather than leaving your management LAN as the default.
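To see what "tagged" and "untagged" mean on the wire, here is an added example written for this article (not UniFi code) that builds Ethernet frames with and without an 802.1Q tag, parses the tag back out, and classifies a frame the way a port profile would: untagged frames go to the port's native VLAN, tagged frames are accepted only for VLANs the profile carries. The MAC addresses and payload are constructed; how a frame tagged with the native VID itself is treated varies by switch, so this model simply drops it.

```python
"""What a VLAN tag actually is on the wire, and how a switch port treats it.

Added example, not UniFi code. The tag is 4 bytes inserted after the source MAC:
a TPID of 0x8100 followed by the TCI, which packs PCP (3 bits), DEI (1 bit) and
the 12-bit VLAN ID. MAC addresses and payloads below are constructed.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID that marks a tagged frame
ETH_P_IP = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload, vlan=None, pcp=0):
    """Ethernet frame; with vlan set, an 802.1Q tag is inserted before the EtherType."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID 0 and 4095 are reserved; usable range is 1-4094")
        tci = (pcp & 0x7) << 13 | (vlan & 0x0FFF)      # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_or_None, pcp, ethertype, payload)."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_P_8021Q:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, tci >> 13, inner, frame[18:]
    return None, 0, ethertype, frame[14:]


def classify(frame, native_vlan, tagged_vlans=frozenset()):
    """VLAN a receiving port assigns the frame to, or None if it drops it.
    An access port is simply a profile with no tagged_vlans. A frame tagged
    with the native VID is dropped here (assumption: real switches differ)."""
    vid, _, _, _ = parse_frame(frame)
    if vid is None:
        return native_vlan
    if vid in tagged_vlans:
        return vid
    return None


if __name__ == "__main__":
    bcast, phone = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"
    tagged = build_frame(bcast, phone, ETH_P_IP, b"hello", vlan=20, pcp=5)
    untagged = build_frame(bcast, phone, ETH_P_IP, b"hello")
    print(tagged[12:18].hex())                 # 8100 a014 0800: TPID, TCI, EtherType
    print(parse_frame(tagged)[:2])             # (20, 5)
    print(classify(untagged, native_vlan=1))   # 1: untagged lands on the native VLAN
    print(classify(tagged, 1, {10, 20, 30}))   # 20: trunk carries VLAN 20
    print(classify(tagged, 1))                 # None: access port drops foreign tags
```

The 0xa014 in the printed header is the TCI: 0xa000 is PCP 5 shifted into the top three bits, and 0x014 is VLAN 20. Those four bytes are all a "tag" ever is; everything else about VLANs is a decision a switch or gateway makes based on them.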
Pro tip: use descriptive network names
Sure, VLAN 10 works, but it helps to document things with labels. In UniFi, give your networks descriptive names like “IoT Network” or “Voice VLAN.” It saves time when you come back to troubleshoot.
Final thoughts
VLAN tagging in UniFi isn't just for big enterprise networks. It’s a solid way to keep your setup clean, efficient, and secure, even in smaller environments. Once you understand how to assign VLANs to networks, ports, and SSIDs, you can do some pretty powerful things without spending a fortune on gear.
If you're experimenting with VLANs or running multiple networks in one place, take some time to plan out your VLAN layout. It’ll save you a lot of pain down the road.
And if you’re tired of self-hosting your UniFi controller or messing with port forwards, we’ve got an easier way. At Unihosted, we take care of the hosting, updates, and backups for your UniFi controller so you can spend less time on maintenance and more time actually using your network. You can try it out completely free with up to 5 devices, no strings attached.