Configure VLANs for WatchGuard AP Devices

If you enable VLAN tagging for SSIDs on a WatchGuard AP device, or you enable management VLAN tagging for an AP device, you must also enable VLANs on the network that the AP device connects to.

By default, management traffic to the AP device is untagged, so we recommend that you add an untagged VLAN for management traffic, as described here. If you prefer to use a tagged VLAN for management traffic, make sure that you configure the AP device to tag management traffic, and set the management VLAN ID in the Access Point configuration to the VLAN you want to use for management traffic.

The tagged management VLAN is used only after the AP device is paired to the XTM device. An unpaired AP device cannot respond to tagged VLAN traffic.

When to Enable VLAN Tagging in SSIDs

There are a couple of reasons you might want to enable VLAN tagging on your AP SSIDs:

To configure different firewall policies for SSIDs that connect to the same network

If you configure multiple SSIDs for your AP devices and you want to set different firewall policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN ID associated with each SSID in policies specific to each SSID. For example, you could add a different HTTP packet filter policy for each SSID that specifies the VLAN associated with that SSID.

To separate the traffic on the same physical network into different logical networks

If you have several AP devices connected to the same physical network, VLAN tagging gives you the ability to separately examine traffic for the wireless clients connected to each SSID. For example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the VLAN ID associated with an SSID.

Or, you can set up all of your AP devices with one SSID for the trusted network and a different SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to separate the traffic for the wireless clients that connect to the trusted and optional networks.

Configure VLANs on the XTM Device

To enable VLAN tagging in your AP device SSIDs, you must configure VLANs on the XTM device interface where you plan to connect your AP devices.

For the XTM device interface where you plan to connect your AP device, set the Interface Type to VLAN. Then, configure the VLANs to use for the AP device.

For example, if you want to create two SSIDs that use VLAN tags, you can create three VLANs with the VLAN IDs 10, 20, and 30: one VLAN for management traffic and one for each SSID.

Screen shot of the VLAN page with three VLANs configured

For information about how to create a VLAN, see Define a New VLAN.

For more information about how to configure the VLAN interface, see Assign Interfaces to a VLAN.

Configure VLANs on a Managed Switch

If you enable VLAN tagging and want to connect your AP device to a managed switch, you must also configure VLANs on the switch. The switch must support 802.1Q VLAN tagging.

On the switch, you must:

  1. Add VLANs with the same IDs as the VLANs you configured on the XTM device.
  2. Configure the switch interfaces that connect to the XTM device and the AP device to send and receive tagged traffic for the VLANs assigned to each SSID.
  3. Configure the switch interfaces that connect to the XTM device and the AP device to send and receive tagged or untagged traffic for the AP device management VLAN.

For instructions to enable and configure the VLANs on your switch, see the documentation for your switch.
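The three switch requirements above can be checked against a planned configuration before the AP device is connected, because a missing VLAN or a tag mismatch on one port defeats the per-SSID separation. The following is an added example, not WatchGuard code: the function name, the data layout, the port names `xtm` and `ap`, the SSID names, and the choice of VLAN 10 for management are all assumptions.

```python
def check_switch_plan(xtm_vlans, ssid_vlans, mgmt_vlan, mgmt_tagged, switch):
    """Return a list of problems; an empty list means the plan is consistent.

    xtm_vlans:   set of VLAN IDs defined on the XTM device
    ssid_vlans:  dict mapping SSID name -> VLAN ID the AP device tags it with
    mgmt_vlan:   VLAN ID for AP device management traffic
    mgmt_tagged: True if the AP device is set to tag management traffic
    switch:      {"vlans": set, "ports": {"xtm": {...}, "ap": {...}}}, where each
                 port is {"tagged": set of IDs, "untagged": ID or None}
    """
    problems = []
    for vid in sorted(set(ssid_vlans.values()) | {mgmt_vlan}):
        if not 1 <= vid <= 4094:  # usable 802.1Q VLAN ID range
            problems.append(f"VLAN {vid}: outside the 802.1Q range 1-4094")
        if vid not in xtm_vlans:
            problems.append(f"VLAN {vid}: not defined on the XTM device")
    # Step 1: the switch has every VLAN ID configured on the XTM device.
    for vid in sorted(xtm_vlans - switch["vlans"]):
        problems.append(f"VLAN {vid}: defined on the XTM device but not on the switch")
    xtm, ap = switch["ports"]["xtm"], switch["ports"]["ap"]
    # Step 2: both ports carry every SSID VLAN as tagged traffic.
    for name, port in (("xtm", xtm), ("ap", ap)):
        for ssid, vid in sorted(ssid_vlans.items()):
            if vid not in port["tagged"]:
                problems.append(f"port {name}: VLAN {vid} (SSID {ssid}) is not tagged")
    # Step 3: the XTM port carries the management VLAN, tagged or untagged.
    if mgmt_vlan not in xtm["tagged"] and xtm["untagged"] != mgmt_vlan:
        problems.append(f"port xtm: management VLAN {mgmt_vlan} is not carried")
    # Step 3: the AP port matches how the AP device sends management traffic.
    if mgmt_tagged and mgmt_vlan not in ap["tagged"]:
        problems.append(f"port ap: management VLAN {mgmt_vlan} must be tagged")
    if not mgmt_tagged and ap["untagged"] != mgmt_vlan:
        problems.append(f"port ap: management VLAN {mgmt_vlan} must be untagged")
    return problems

# Constructed sample data: the VLAN IDs 10, 20 and 30 from the example above.
# Which ID carries management traffic and the SSID names are assumptions.
SSIDS = {"corp": 20, "guest": 30}
GOOD = {"vlans": {10, 20, 30}, "ports": {
    "xtm": {"tagged": {20, 30}, "untagged": 10},
    "ap": {"tagged": {20, 30}, "untagged": 10}}}
BAD = {"vlans": {10, 20}, "ports": {
    "xtm": {"tagged": {20, 30}, "untagged": 10},
    "ap": {"tagged": {20}, "untagged": None}}}

if __name__ == "__main__":
    for problem in check_switch_plan({10, 20, 30}, SSIDS, 10, False, BAD):
        print(problem)
```
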

If you have enabled VLAN tagging in the SSIDs on your AP device, do not connect your AP device to a switch that does not support 802.1Q VLAN tagging.

For a list of switches that WatchGuard has tested with the WatchGuard AP device, see the WatchGuard Knowledge Base at

See Also

WatchGuard AP Device Deployment Overview

AP Device Deployment with Simple Roaming

Add an HTTPS Policy for Access Point Web UI Connections
