After watching several YT’s on VLANS, I give kudos to Chris for doing a better job than all the others combined. Historically, I sparingly used vlans due to weak knowledge. Now, I’ll use them more. His examples and analogies are superb. It’s so good, I watched it twice.

Greatest video I ever saw on KZbin. You are the most articulate person I have ever encountered on a complex subject like this. I found you by accident and I will continue with your other videos. I wasn't even looking for a Vlan video but I really did understand 80% of what you talked about. You made a place on my google Drive :) Thanks much

I find one the biggest points of confusion people have about a layer 2 VLAN is that they think it is synonymous to a layer 3 Network. One can have multiple VLANs on the same piece of wire. One can have multiple layer 3 Networks on the same piece of wire. One can have a VLAN with multiple layer 3 Networks and vice versa they are independent of each other.

Very good video. Now a video about firewall rules for the vlans. For example how to stream from your secure vlan to the iot lan. How will the Sonos app act on a phone vlan when it needs to stream to the iot vlan and the homeassistant app the same way. 😊💪🏼

Best VLAN principles explanation I have seen on YT. Thank you.

Superb! 👏 I have finally properly understood setting tagged vs. untagged VLANs on ports. It's the best explanation I have ever come across so far with multiple real world examples. Very informative video. Kudos and thank you! 🌟 Keep up the good work.

Great presentation. I'm thinking of getting into Unifi in my new house so I've saved this to watch it all again later when trying to set it up as a nooob. 👍

Thank You especially for the practical examples on how to configure at the end.

Nicely done Chris, thoroughly enjoyed!

Okayyyy Now that is an excellent tutorial video. Leaving here ready to go setup my home VLANs; just need to get up to speed with firewalls.

Thank you for this excellent explanation...

Again one of the great explaining videos 🎉. Q: Is it also possible to push a device to a VLAN by it’s MAC address? Let’s take the doctors waiting room. Here all devices normally connect to the guests network. But sometimes the doctor itself is in the waiting room and his computer should always connect to the main network. Is that possible (Unifi) ? Other questions: which devices do know / can I train to connect to a special VLAN?

Thank you!

Thank you for great explanation. I have a question - at 19:00, there is trunk port with all VLAN on it. If we plug device in this port, how does switch determine what VLAN needs to be assosiated to this device - by default, LAN is untagged, but if deice is 'guest' device, how it will be assosiated to VLAN 10? Thanks again.

Excellent. Now just need firewall rules for IOT.

I think these videos of yours are gonna get me a promotion! =D They are awesome in so many ways! You are realy good when talking, don dont say words like "eeeh.. uuuh.. Uhm.." etc. Great content. Fun to listen to, you make this very very clear! thank you for your work!

excellent!

30:37 you meant green TAGGED, right? Would be important to make that correction in the description. Will be confusing to someone learning. Other than that, really great video!

Yoo that shirt is sick 😂. FW rules is where it gets really confusing

What do you need to do to do configure a device (like the phone or IoT device) to ask for a specific VLAN? Also, what happens if you use a switch that knows about VLANs with a router that does not?

Great video, thanks for taking the time. What are your thoughts on a home network, should the printer and NAS be on the main (secure) network or on the IoT Network. I do have my TVs, Roku, ACs and camera on VLANS but some things break when do this. Like the Roku application for TV control on Android.

I'm here kicking rocks trying to figure out how I can configure my FreeBSD jails to use specific VLANs each through a single trunked port 😆

Love the office building analogy - really - but where it gets complicated (REALLY complicated) for me (continuing the analogy, here) is with things like the mail room. Better still/more importantly - let’s say our “office building” is the county courthouse - where tons of legal records are kept (which should be kept private - yet available to anyone who has a reasonable right to them)……… How in the world do I setup that kind of security?! Assuming I want to have things that I share with ANYONE (e.g. publicly available websites), a select/defined/semi-public subset of people (e.g. my media library, made available to friends and family members who MAY/not use good/long/random passwords and/or may choose to share my media library with their friends who MAY/not use good/long/random passwords…) and/or a very abstract group of people (i.e. torrents) who are completely anonymous/unknown???

After watching this video from beginning to end, I feel foolish about the earlier question I asked. Do you have someplace where there is a list of unify equipment for us home users that will not break our piggyback. I realize that’s a very subjective question.

Thanks for a great video Chris. Does one have to tag the default lan with tag 1?

Hi . Thanks for the video. I have a question: just to clarify, you manually set up the vlan tag id on the phone to 30 and use dhcp. You can also set this on windows in NIC settings. What would happen if a user connects to a tagged port (exposed waiting room example) and starts guessing and testing IDs until he finds ID 30. Now he has access to the Voip network. What is the best practice to avoid this? Can a hacker scan and test a range of vlan tag id's? Should the id's be random large multiple digit numbers? Also, what happens if a user manually inputs default network (192.168.1/24) Tcp/ip address while connected to iot or guest port. Will they have acces to the main network?

19:15 / 21:05 - LLDP/CDP is the viable key here ... the phone itself does not know about a voice lan OOB

so what's required is that your router and switch must support VLANs? If I have a router that does NOT support VLAN and a managed switch that does, I still would not be able to get my network to have VLAN correct?

LOL, "kick rocks". I've only ever heard that from military or Vets. Did you serve?

to creat vlans with omada system do I have to have manged switch?

Nice, but how do set a device to use a specific vlan? Like here, the IP phone is always using 30

11:22 VLAN aware issues in Windows! I had the problem that my internet setting in Windows was defaulting every restart to public and did not keep private network. So i looked into my 2,5GbE interface settings and I had to set the setting 'package priority and vlan' to a setting that is not vlan - so i choose 'package priority' - why, because Windows was defaulting the network to public network and did not keep it private network setting as this happens when VLAN aware for security measures as i have found out.

I guess it's challenging since it's an abstract concept - the solution would be to program more often, particular with parameterized things.

You never AFAICR explicitly mentioned it to drive the point home, but: without VLANs, to achieve the same logical separation of networks, the networks need to be physically separated (dedicated cable runs and switches for each network so that the packets of two networks "never meet"), and that the whole point of VLANs is that there is only one physical network needed, where the separation of the logical networks is achieved "in software" by having the VLAN-aware routers and switches enforce on port-level the logical separation, based on the VLAN tags of the network packets that pass through.

Excellent presentation. Lots of work went into making this video.

This is hands down the best VLAN explanation video I have ever seen 🤩. Thanks to this video I finally have a full understanding of VLANs. 🥳

How does the IP phone know that needs to ask for VLAN 30 only? Great video as always!!!

Honestly the best explanation of VLANs I have seen, especially the difference between tagged and untagged VLANs. Saved me days of going back and fourth on a help forum

This is one of the most well done VLAN instructional videos I have ever seen. Is there any chance you can make a tutorial for Chromecast Multicast DNS over VLAN with Ubiquiti? Something that should be easy but never works as expected.

I would love a video explaining layer 3 vs layer 2.

Well explained video, would love to see an extensive video with firewall rules using vlan

Just... WOW! Such clear, precise explanations delivered with a beautifully pleasant voice. Thank you, sir!

This met me right where i needed. There are plenty of videos on either side of the subject. Either they're too high level, just explaining the concept of VLANs, or too fine grained, for those who already were very familiar with all the terminology and just needed to know a specific ecosystem. This one video bridged the gaps in my skillset perfectly! Thank you!

Would love a follow up video on firewall rules and making sure cloud and local only devices work properly across the vlans. Thanks Chris!

Great video. I thought of some questions while watching, hopefully you (or someone!) can answer: Can you disallow untagged VLAN devices on a port? I.e, require that a VLAN is configured on a device (so someone can't plug in a random device) How do static IPs play into all this? What if you configured a device with a VLAN (or let it default) but set a static IP in the wrong subnet? (I.e, the hacker in the lobby tries to circumvent the allowed VLAN tags by setting a static IP) Can multiple VLANs have the same subnet? What effects would that have?

Great video. Do you have any videos on VLAN and firewall settings on a UDM for PCI compliance?

The amount of videos I’ve watched on tagged, untagged and trunk ports FINALLY I now understand it thanks to this ❤

I wish you had made this video 5 years ago. Great job, sir! Thank you.

What about communication between vlans? I need my phone to be able to communicate with devices on my IoT network. Also some devices on my IoT network I would like to enable wan and others I don't.

Vlan is a complicated topic that requires at least some prior understanding of network administration.

Possible update to the beginning - show 4 switches as the "old school" way we would segregate networks physically for each dedicated usage (maybe use different colours of cables for each). Then show a single "VLAN-enabled" switch with all of those cables plugged into it.

great shirt! should have added "off the LAN" quote though :D

I might have missed it, but it seems that there was no mention of PVID values, which are the standard way of indicating the "native VLAN" for a given port. If you aren't using Unifi, PVID is probably the way that the interface refers to the native VLAN ID.

I have nearly 40 years experience with computers. I have various certifications for networking and I was a senior network engineer for a Fortune 100 company for decades. Here's something I hate to admit: I can never seem to get VLANS to work reliably in my own home network. At work, it's part of the job and works fine. At home, it's hit or miss with some devices and it rarely works. For the life of me, I can't figure out why, so I just gave up on it and use isolated physical networks instead.

volume up. your videos are lower than others

dude!!! the vlan "vans" theme shirt is really cool!

where to buy your shirt?

I have a similar set up of a LAN and three VLANS just like your example. I have our main LAN, IOT, camera and a guest. Firewall is OPNsense, a windows server doing DHCP for all LANs, DNS and print server. I use Cisco small business devices, a CBS250 24port with poe and two CBW150ax APs. I have a few ports untagged on the switch for some IOT hubs. The camera VLAN does not go through the APs only LAN, IOT and Guest. On occasion IOT devices don’t renew their IP and I have to manually power cycle them to acquire it. Other than that issue that happens seldomly everything works fine.

This video is going to help soooo many people, including myself! :) I know how vlans work, but this just simplifies it and will help me help others.

This is by far THE BEST VLAN tutorial I've come across, I was so confused by Untagged/tagged VLAN, you are the only one who explain it clear as day (not mud 😅). Thank you so much for this! You are THE BEST!

Absolutely incredible video! Well done. I believe you may have misspoke between 30:38 and 30:47. I may be wrong, but I believe you referred to tagged ports as untagged. Easy to do, especially given the number of times you had to say tagged and untagged.

Lots a work on that video, great job! thanks for sharing your knownedge

There are scenarios not mentioned. Most ip phones have 2 ports. The 1st (with PoE in) connected to the switch, and the 2nd connected to a pc (in case there are not enough wall outlets or switch ports. If the phone is connected to switch port 1, the phone should get connected to vlan 30, while the pc gets connected to vlan 1. If the phone is connected to unifi switch port 2, the phone gets connected to vlan 30, while the pc gets connected to vlan 20. If the phone gets connected to unifi switch port 3, the phone does not get connected. But what happens to the pc? Assuming most phones are like dumb switches, or just bridging the 2nd port, the pc still should get connected to vlan 10. If not, the pc should be connected either.

When you were talking about VoIP phones, you could have mentioned the phones can also pass through the default LAN, so that a computer can be plugged into the back, so the computer and phone can share a single switch port.

One bugbear I often see with VLANs are switches. You know, the cheap and nasty kind that dont understand VLAN tags. Or the worse ones that actively strip the tags.

This is why network engineering is sorcery to most people. Thanks for giving it a shot though. Still confusing as ever.

Very well explained. VLANs for dummies. Impossible does not understand. Thanks for this video

Very nice. Perhaps you can elaborate how you can talk across Vlans or manage an iot vlan device from your safe vlan

Great up until the Unifi stuff. I love their products, but they’re not good for teaching people about something complex like Vlans, as Unifi’s interface guides you *way* more than something actually affordable by most people.

Excellent video! Glad you showed UniFi and then also a hodge podge of equipment as well. I am all UniFi here and have noticed my Flex-Mini is VLAN aware and configurable, but like that router you showed, if you configure a port as Native to a VLAN (not 1/default), you can't have tagged traffic.

Excellent video, thank you! Some clarification on Network Isolation on Unifi that you mention here: kzbin.info/www/bejne/gKTdeJiHhbmiatksi=RMyI4hjiaTqBAQt7&t=1571 I believe the Isolation check box under VLAN means it isolates the VLAN from other *networks* on your LAN. I don't think this is where you isolate clients on the VLAN from each other. The tip that comes up when I hover over Isolation says "Your guest hotspot profile will automatically be applied to this Guest Network. Connected clients will be isolated from all other internal networks. These restrictions can be modified in your Guest Hotspot Profile." For client isolation, there is a checkbox under the wifi networks that says "Client Device Isolation." That's where you could click to isolate the clients from each other. The tip that comes up says "Prevents wireless clients on the same AP from communicating with each other. This may inhibit the functionality of AirPlay, Chromecast, Sonos devices, screen mirroring, and wireless printers."

Highly informative! Easy to follow, thanks!

This is the BEST VLAN guide available not just on YT!!! Thank you so much!!!

Yeah I didn't follow this one. I think there are some fundamentals to understand about the physical layer and the IP layer and what exactly the switch does with the tag that would greatly help understand the rest of this. Bottom line, the "security" doesn't come from the vlan per se, it comes from the configuration of the switch port to only allow traffic for a particular vlan. What I don't get is since vlans have to be on their own subnet, why are they needed at all? Or are vlans just a hack to bridge the gap between level 2 and level 3 switching?

Thank you so much for the amazing video; I've watched it many times now. I am looking for a router that can do everything the Synology can (Mesh and VLANS) as I already have a mesh setup with Asus RT_AX88U Pro but it's VLAN software is very unstable. From what I've read the Synology range is very limited compared to the Asus. What would be your recommendation for a router that can achieve this? I have all of the hardware (POE and a managed switched) so going to Unifi would be an extremely costly redo. Thank you!

quick note from a stupid person who clicked on your video first while trying to learn this for my new job. i got lost with what the numbers in a IP address mean as far as how many are available in the network? and the amount of subsets? gonna go learn about IP addresses first ig, that would have been the perfect time to say, "if you are unfamiliar with IP addresses, you might wanna click this video" and plug your video (oh yeah, came back to edit and say this video is very, very quiet compared to most youtube videos, run it through a compressor or limiter and turn the gain up a bit! *im a producer moving into the IT field because I cant make money with my audio knowledge*) ok ill be back, thanks for your help

Thanks but... Is the VLAN Tag assigned to the switch port, to the device, or to the VLAN when it is set up. I did not understand your explanation on that.

Can you bridge vlans? For example, can a PC on 1 vlan talk to an iot device on another VLAN?

This is a great video, thank you. But you refer to devices (such as the VoIP phone) as being "aware of VLANs". What makes them aware? Is it manually setting a static IP address on the device (client) itself, rather than in the UniFi console? I have a device (Home Assistant Yellow, essentially a Raspberry Pi) I have manually assigned in UniFi Network as being on my IoT VLAN (VLAN ID=3) and also specified a static IP within that VLAN (192.168.3.22). My understanding is that this means that any packets coming from this device will have VLAN 3 within the packet. I have that device plugged into port 48 of my USW-Pro-48-PoE switch. My understanding of untagged traffic means traffic coming from a client/device that doesn't have a VLAN ID associated with it (i.e. the "virtual network override" is disabled). By selecting the client device in the Clients screen and selecting the network it should be connected to (in this instance, IoT), the packets sent by the client will then have the VLAN ID added to the packet by the switch, therefore making it "tagged traffic". In the settings for port 48 in the port manager screen, it is my understanding that I should be able to have the native VLAN set to anything (not necessarily VLAN ID 3), as long as I have "tagged VLAN management" set to custom and the VLAN ID 3 ("IoT") selected. This should then allow the device to connect to the network as the IoT VLAN is set as a tagged VLAN on that port 48. However, if I do this, the device is unable to connect (at first, I got a loop error displayed on the port. Then after I restarted the switch, instead it didn't show any error, but the latency test fails). Then I spoke to a friend of mine (a network engineer), and he said "no the UniFi interface is crazy, you gotta block all tagged VLANs and instead set the native VLAN to IoT for that port". I did that and then everything worked fine. This makes no sense to me whatsoever. It's the complete opposite of what I expected. What key piece of information am I missing here? Thanks.

Probably a dumb question, but how do you VLAN tag a device? Like the VOIP phone in the example. If someone plugs in a device and you want that device to either be tagged if it's a known device or untagged if it's not, how do you set that at the device level? I've never needed too advanced VLANs and typically set them up on my router and then just set the VLAN ID on the switch port itself and then it's done. I assumed that would just mean anything plugged into that switch port got tagged with whatever VLAN ID I set that that port to.

Howdy. I appreciate your videos. I'm late to the party. I have a Protectli with Pfsense on it. And a tplink tl-sg1024DE behind it. At this point I think I want/need 5 or 6 VLANS. Would you recommend having pfsense to control the vlans and trunk to the tp link switch OR have the switch to handle the vlans?

Chris, you got me confused with your explanation of "ISOLATION". Actually "ISOLATION" in NETWORKS is not for preventing a client to see other clients, its to prevent the (VLAN) network to go and see other networks in the neighbourhood. The "CLIENT ISOLATION" function you explain at kzbin.info/www/bejne/gKTdeJiHhbmiatk is under the WIFI section called "Client Device Isolation".

Thank you for the detailed explanation. I was wondering about a possible typo at kzbin.info/www/bejne/gKTdeJiHhbmiatk, wouldn't PC/Mac fetch IP from 192.168.1.0/24 subnet instead of 192.168.1.100/24?

FW rules next PLEASE and thank you!

So, this is theowing me for a loop. Ive been studying for my ccna for a while (and am about ready, i think), but in their curriculum, there arent switch ports that have tagged AND untagged traffic; it's either an access port, assigned to ONE vlan (with the exception of VoIP phones, where the port can be config'd as 'switchport access vlan x' AND 'switchport voice vlan y'), OR it's a trunk port carrying whatever vlans you allow/specify (or all). Can anyone help me sort out what im missing here, seeing that these ports here and allowing both tagged and untagged traffic? Thanks.

Honestly I was looking forward watching this because your previous videos were extremely clear, but I lost it at the 13 mins mark. I guess wrapping my head around the tagged/untagged notion on a switch is too much for my brain.

So, here's where I am in my UniFi rollout of VLANs. I haven't gotten too far before I got royally stuck. I created my VLANs in the UniFi Network App. All my switch ports are default/trunked. If I give a device an IP address on, say, the Storage VLAN, I can't reach it from anywhere and nothing on the network can reach it. Inter-VLAN routing may be working, I am not sure. IP routing is definitely not working. Further, DHPC, DNS, and domain services are all on the default network and I have no idea how to make all devices able to reach those important hosts. Finally, the each subnet needs to use a Sophos firewall sitting on the default network as its gateway to the Internet. Do I need static routes on the switch or...? The switch, by the way, is a Ubiquiti USW-Pro-Aggregation switch. Help!

I had a Blu ray player once i was watching movies on my LAN with via the player, it called home (sony) and it said, Hey this is not a legit copy, and stopped playback> So now i make sure i just let devices only access the PORT for say PLEX on the private servers. Also NOTHING on the network can see the security cam VLAN except one access terminal. Its amazing how many things scan a network, Robot vacums, doorbells and more.

..." the phone knows about it and specifically asked for the vlan in that other vlan" --- does this mean you are setting static IPs in the device prior to plugging in?

Do all the VLANS share the same DHCP instance? In general how do you configure your DHCP service to know which ip's to assign based on VLAN tags (or the absence of VLAN tags)?

I have a question: is it possible for a UniFy routeur (or a switch) to load a different VLAN configuration for a port, based on the Mac address of the device I plug into this port? For instance, let say I plug my personal computer into any port, which means the router knows its Mac address, then, based on the Mac address, it loads the "secure/default" profile for this port. That is the untagged vlan id is the '1'. But if I plug any other computer (that is a device I don't know the Mac address) then the "guest" profile is loaded. That is the untagged vlan id is '20'. Is it currently possible with a UniFy router (or switch)? If not, wouldn't it be a great feature to have?

Here’s my idea for a “made easy” explanation: - Think of a switch as a house with multiple doors (ports) and of each device as a person. - Each person wears a T-shirt, and it can have a number printed on it (tagged) or not (untagged). - An access system at each door (port) checks the number on the shirt and dispenses a badge (think DHCP) based on the number on the T-shirt. - Persons with tagged shirts having a number that is allowed entry will get a badge (think IP address) for that group. - Persons with no number on the shirt will get another (default) badge. - Persons with a number that is not whitelisted will not get a badge, and cannot enter.

Love your videos - thanks for the effort In this video at 26:40 you say .... Devices can only see internet and not other devices on the same VLan network? But clicking on the little blue "i"next to isolations it says Isolates this network from all other Virtual Networks using firewall rules on the Unifi Gateway. Devices on this network ARE ABLE to communicate with each other.

Thanks, data tagged into brain-lan successfully!

Thank you so much. You are a great teacher. I've learned so much from you these past 3 years. Your customers must love you.

Thank you for video lesson. I want to have the following: a guest, adult child, IOT and a separate secure network for wife and I. we are running 200mb cable speed. What hardware and best set up would you suggest? I hope i am not asking too much. Thank you in advance.

Has anyone had experience getting vlans for the RAX200 going? I find the docuementation lacking :-/

Im using a Opnsense firewall with multiple nics and vlans configured, I want to get a new wifi AP/Router to use. Which brand/model do you recommend for the wifi?

I guess its kinda of unclear for me, is tagged ports only for physcial machines? Does unifi support tagging for VMs?

thanks for that, helped me understand vlans and tagging in the unifi, especially the new interface, a little better